Create Interactive Tour

Analysis Report s3ZenAQ7m1.bin

Overview

General Information

Sample Name:	s3ZenAQ7m1.bin (renamed file extension from bin to exe)
Analysis ID:	368352
MD5:	7f5227030be3d2ef48aa652af1ec72b0
SHA1:	202e7ac1c2aaca8fbeed4ac454ca195a33c9d064
SHA256:	4dfc17406a58c6f1ce83a73ce6dd5b343d00fe77d07dfe21d28da13631bfad90
Tags:	ransomware
Infos:
Most interesting Screenshot:

Detection

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Contains functionality to inject code into remote processes

Injects a PE file into a foreign processes

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains functionality to call native functions

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops files with a non-matching file extension (content does not match file extension)

Found dropped PE file which has not been started or loaded

PE file contains executable resources (Code or Archives)

PE file contains strange resources

Sample file is different than original file name gathered from version info

Stores files to the Windows start menu directory

Uses 32bit PE files

Classification

Startup

System is w10x64

s3ZenAQ7m1.exe (PID: 6116 cmdline: 'C:\Users\user\Desktop\s3ZenAQ7m1.exe' MD5: 7F5227030BE3D2EF48AA652AF1EC72B0)

s3ZenAQ7m1.exe (PID: 4944 cmdline: C:\Users\user\Desktop\s3ZenAQ7m1 MD5: 7F5227030BE3D2EF48AA652AF1EC72B0)

cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Signature Overview

• AV Detection
• Compliance
• Networking
• System Summary
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: s3ZenAQ7m1.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: s3ZenAQ7m1.exe	Virustotal: Detection: 66%			Perma Link
Source: s3ZenAQ7m1.exe	ReversingLabs: Detection: 44%

Source: 1.3.s3ZenAQ7m1.exe.2167030.4.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.0.s3ZenAQ7m1.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 0.0.s3ZenAQ7m1.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167018.1.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167020.7.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 0.2.s3ZenAQ7m1.exe.400000.0.unpack	Avira: Label: TR/Dropper.Gen
Source: 1.3.s3ZenAQ7m1.exe.2167038.9.unpack	Avira: Label: TR/Patched.Ren.Gen

Source: s3ZenAQ7m1.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:	Binary string: KSLDriver.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: mpwutool.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: ADelRCP.pdbK source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr
Source:	Binary string: msmpeng.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\DCB\CBT_Main\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: Updater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source:	Binary string: Updater.pdbTT source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source:	Binary string: mpwutool.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\DCB\CBT_Main\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419452591.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: msmpeng.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: ADelRCP.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.255446423.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb,, source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr

Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl
Source: s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp	String found in binary or memory: http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://evcs-aia.ws.symantec.com/evcs.cer0
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://evcs-crl.ws.symantec.com/evcs.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://evcs-ocsp.ws.symantec.com04
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://hpdatapass.foggmobile.com
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://m-internet.taiwanmobile.com/internet/catch_price_3g.jsp
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://mbb.o2.co.uk
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://mim.t-mobile.com
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://ms-experience.gigsky.com
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.thawte.com0
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://optus.com.au/activate
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: http://s.symcd.com06
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://setup.vodafone.com
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://three.co.id
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://vmall.vibo.net.tw
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://vodafone.com.au/activate
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.10010.com
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.10086.cn/service/tariffzone/
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.3.dk
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.3broadband.ie
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.drei.at
Source: s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.lextek.com)
Source: s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.lextek.com/
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.movistar.es/particulares/oferta-combinada/fusion/opciones-tarifas/
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.nmu.edu/lte
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.pelephone.co.il
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.ptcliente.pt
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://www.symauth.com/cps0(
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://www.symauth.com/cps09
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	String found in binary or memory: http://www.symauth.com/rpa04
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.tre.se/mobiltbredband-startsida
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: http://www.truphone.com
Source: RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: http://www.winimage.com/zLibDll
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: https://buyasession.att.com/sbd/ShowLogin.action
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/cps0%
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp	String found in binary or memory: https://d.symcb.com/rpa0.
Source: s3ZenAQ7m1.exe, 00000001.00000003.554610700.000000000218A000.00000004.00000001.sdmp	String found in binary or memory: https://www.autoitscript.com/site/autoit-script-editor/downloads/
Source: s3ZenAQ7m1.exe, 00000001.00000003.452983750.0000000002198000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	String found in binary or memory: https://www.tataindicom.com/msw08

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Code function: 0_2_00407170 __vbaStrCat,__vbaStrMove,__vbaStrCopy,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaSetSystemError,__vbaAryUnlock,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,__vbaRecUniToAnsi,__vbaStrToAnsi,CreateProcessA,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaStrToUnicode,__vbaFreeStr,__vbaRecDestructAnsi,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,__vbaStrMove,#595,__vbaFreeStrList,__vbaFreeVarList,GetThreadContext,__vbaSetSystemError,ReadProcessMemory,NtUnmapViewOfSection,__vbaSetSystemError,VirtualAllocEx,__vbaSetSystemError,__vbaSetSystemError,__vbaSetSystemError,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,__vbaRecUniToAnsi,__vbaSetSystemError,__vbaRecAnsiToUni,__vbaAryUnlock,__vbaAryLock,__vbaGenerateBoundsError,__vbaGenerateBoundsError,WriteProcessMemory,__vbaAryUnlock,VirtualProtectEx,WriteProcessMemory,SetThreadContext,ResumeThread,__vbaRecDestructAnsi,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaFreeStr,__vbaRecDestruct,__vbaErrorOverflow,

0_2_00407170

Source: s3ZenAQ7m1.exe

Static PE information: Resource name: EXE type: PE32 executable (GUI) Intel 80386, for MS Windows

Source: s3ZenAQ7m1.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: s3ZenAQ7m1.exe, 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000000.00000002.187552627.0000000002130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameUpdater.apiD vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameIWActs.dllX vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWuTool.exeZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.419452591.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSetup.exeF vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000000.186430746.000000000040B000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameOnix32.dll, vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebInstaller.exe6 vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameWebInstaller.exeF vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.275267467.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilename_IsIcoRes.exe< vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameADelRCP.dll\ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.569313579.0000000002134000.00000004.00000001.sdmp	Binary or memory string: System.OriginalFileName vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameKSLDriver.sysZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMsMpEng.exeZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamempengine.dllZ vs s3ZenAQ7m1.exe
Source: s3ZenAQ7m1.exe	Binary or memory string: OriginalFilenameRunExeMemory.exe vs s3ZenAQ7m1.exe

Source: s3ZenAQ7m1.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: s3ZenAQ7m1.exe	Binary or memory string: @*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp<"@e
Source: s3ZenAQ7m1.exe, 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp	Binary or memory string: fd%@*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp
Source: s3ZenAQ7m1.exe	Binary or memory string: @*\AC:\Users\seyret\Desktop\Obfuscated Number-1\xFuajkin.vbp

Source: classification engine

Classification label: mal64.evad.winEXE@3/20@0/0

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

File created: C:\Users\All Users\Adobe\ARM\ArmReport.ini.g1yfw9

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8395378865989708.TMP

Jump to behavior

Source: s3ZenAQ7m1.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

File read: C:\ProgramData\Adobe\ARM\ArmReport.ini

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: s3ZenAQ7m1.exe	Virustotal: Detection: 66%
Source: s3ZenAQ7m1.exe	ReversingLabs: Detection: 44%

Source: unknown	Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe 'C:\Users\user\Desktop\s3ZenAQ7m1.exe'
Source: unknown	Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1	Jump to behavior

Source:	Binary string: KSLDriver.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: mpwutool.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: ADelRCP.pdbK source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr
Source:	Binary string: msmpeng.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\DCB\CBT_Main\Acrobat\Installers\Install_MaintenanceWizard\CustomActions\IWActs\Release\IWActs.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.342274168.0000000002149000.00000004.00000001.sdmp
Source:	Binary string: KSLDriver.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: Updater.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source:	Binary string: Updater.pdbTT source: s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp
Source:	Binary string: mpwutool.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.500383147.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\DCB\CBT_Main\Acrobat\Installers\BootStrapExe_Small\Release\Setup.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.419452591.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: msmpeng.pdbGCTL source: s3ZenAQ7m1.exe, 00000001.00000003.532159817.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: ADelRCP.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.274937174.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ARM_Main\BuildResults\bin\Win32\Release\AdobeARMHelper.pdb source: s3ZenAQ7m1.exe, 00000001.00000003.255446423.0000000002134000.00000004.00000001.sdmp
Source:	Binary string: D:\CB\ServiceUpd_Acrobat\BuildResults\bin\Release\RNAServicesUpdater\RdrServicesUpdater.pdb,, source: s3ZenAQ7m1.exe, 00000001.00000003.325082147.0000000002134000.00000004.00000001.sdmp, RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9			Jump to dropped file
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9			Jump to dropped file

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9			Jump to dropped file
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9			Jump to dropped file

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9			Jump to dropped file
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9			Jump to dropped file

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Paint.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Wordpad.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Acrobat Reader DC.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Examples.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Google Chrome.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\About Java.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Configure Java.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Visit Java.com.url.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Maintenance\Desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\OneDrive for Business.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\PowerPoint 2016.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\StartUp\desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\System Tools\Desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Google Chrome.lnk.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Java\Get Help.url.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu\Programs\Publisher 2016.lnk.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\01 - File Explorer.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\03 - Documents.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\04 - Downloads.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\08 - Homegroup.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Microsoft\Windows\Start Menu Places\10 - UserProfile.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessibility\Speech Recognition.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Remote Desktop Connection.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\Character Map.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\System Tools\desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Fax and Scan.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Accessories\Windows Media Player.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Component Services.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Disk Cleanup.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Event Viewer.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\iSCSI Initiator.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Print Management.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\RecoveryDrive.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Resource Monitor.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\System Information.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Administrative Tools\Task Scheduler.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x64).lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\AutoIt Window Info (x86).lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x64).lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Compile Script to .exe (x86).lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\AutoIt v3 Website.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\AutoIt v3\Extras\Browse Extras.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Google Chrome.lnk.g1yfw9.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Immersive Control Panel.lnk.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Check For Updates.lnk.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Java\Get Help.url.g1yfw9.g1yfw9.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Microsoft Office 2016 Tools\desktop.ini.g1yfw9	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	File created: C:\Users\All Users\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Application Data\Start Menu\Programs\Publisher 2016.lnk.g1yfw9.g1yfw9.g1yfw9	Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9			Jump to dropped file
Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe	Dropped PE file which has not been started: C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9			Jump to dropped file

Source: s3ZenAQ7m1.exe, 00000001.00000003.475715857.0000000002134000.00000004.00000001.sdmp	Binary or memory string: doid:scsi\diskvmware__virtual_disk____2.0_\|ffeafa8af-706a-5fce-a5fb-ba54be559b87t
Source: s3ZenAQ7m1.exe, 00000001.00000003.475715857.0000000002134000.00000004.00000001.sdmp	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_en-usen

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject code into remote processes

Show sources

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

0_2_00407170

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Memory written: C:\Users\user\Desktop\s3ZenAQ7m1.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Process created: C:\Users\user\Desktop\s3ZenAQ7m1.exe C:\Users\user\Desktop\s3ZenAQ7m1

Jump to behavior

Source: C:\Users\user\Desktop\s3ZenAQ7m1.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Registry Run Keys / Startup Folder1	Process Injection211	Masquerading11	OS Credential Dumping	Security Software Discovery1	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Software Packing1	LSASS Memory	File and Directory Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection211	Security Account Manager	System Information Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
s3ZenAQ7m1.exe	66%	Virustotal		Browse
s3ZenAQ7m1.exe	45%	ReversingLabs	Win32.Trojan.Vebzenpak
s3ZenAQ7m1.exe	100%	Avira	TR/Dropper.Gen

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Download
1.3.s3ZenAQ7m1.exe.2167030.4.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.0.s3ZenAQ7m1.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
0.0.s3ZenAQ7m1.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.3.s3ZenAQ7m1.exe.2167018.1.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.3.s3ZenAQ7m1.exe.2167020.7.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
0.2.s3ZenAQ7m1.exe.400000.0.unpack	100%	Avira	TR/Dropper.Gen	Download File
1.3.s3ZenAQ7m1.exe.2167038.9.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
1.1.s3ZenAQ7m1.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://optus.com.au/activate	0%	Virustotal		Browse
http://optus.com.au/activate	0%	Avira URL Cloud	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://ocsp.thawte.com0	0%	URL Reputation	safe
http://vmall.vibo.net.tw	0%	Virustotal		Browse
http://vmall.vibo.net.tw	0%	Avira URL Cloud	safe
http://vodafone.com.au/activate	0%	Avira URL Cloud	safe
http://www.pelephone.co.il	0%	Virustotal		Browse
http://www.pelephone.co.il	0%	Avira URL Cloud	safe
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d	0%	Avira URL Cloud	safe
http://mbb.o2.co.uk	0%	Avira URL Cloud	safe
http://www.ptcliente.pt	0%	Avira URL Cloud	safe
http://www.lextek.com)	0%	Avira URL Cloud	safe
http://www.3broadband.ie	0%	Avira URL Cloud	safe
http://three.co.id	0%	Avira URL Cloud	safe
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl	0%	Avira URL Cloud	safe
http://www.lextek.com/	0%	Avira URL Cloud	safe
http://hpdatapass.foggmobile.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.10086.cn/service/tariffzone/	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.10010.com	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://mim.t-mobile.com	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.symauth.com/cps09	s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	false		high
http://optus.com.au/activate	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://m-internet.taiwanmobile.com/internet/catch_price_3g.jsp	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://ocsp.thawte.com0	s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://vmall.vibo.net.tw	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://vodafone.com.au/activate	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.pelephone.co.il	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://buyasession.att.com/sbd/ShowLogin.action	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.3.dk	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
https://www.tataindicom.com/msw08	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.symauth.com/cps0(	s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	false		high
http://www.drei.at	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://setup.vodafone.com	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://dmd-ca-beta2/CertEnroll/dmd-ca-beta2_Microsoft%20Digital%20Media%20Authority%202005.crt0d	s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.truphone.com	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://mbb.o2.co.uk	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ptcliente.pt	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.tre.se/mobiltbredband-startsida	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.winimage.com/zLibDll	RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9.1.dr	false		high
http://www.lextek.com)	s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.symauth.com/rpa04	s3ZenAQ7m1.exe, 00000001.00000003.419333323.0000000002190000.00000004.00000001.sdmp	false		high
http://www.3broadband.ie	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.nmu.edu/lte	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://www.movistar.es/particulares/oferta-combinada/fusion/opciones-tarifas/	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false		high
http://three.co.id	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://dmd-ca-beta2/CertEnroll/Microsoft%20Digital%20Media%20Authority%202005.crl	s3ZenAQ7m1.exe, 00000001.00000003.467382939.0000000002135000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://www.lextek.com/	s3ZenAQ7m1.exe, 00000001.00000003.465679726.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://www.autoitscript.com/site/autoit-script-editor/downloads/	s3ZenAQ7m1.exe, 00000001.00000003.554610700.000000000218A000.00000004.00000001.sdmp	false		high
http://hpdatapass.foggmobile.com	s3ZenAQ7m1.exe, 00000001.00000003.503874192.0000000002134000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	368352
Start date:	13.03.2021
Start time:	23:11:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	s3ZenAQ7m1.bin (renamed file extension from bin to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.evad.winEXE@3/20@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 100% (good quality ratio 25%) Quality average: 20.2% Quality standard deviation: 37.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found. Too many dropped files, some of them have not been restored

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Adobe\ARM\ArmReport.ini.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	1000
Entropy (8bit):	7.691899187561062
Encrypted:	false
SSDEEP:	24:ckVCbNX/YrVKpu82EOoACZwS6S+s8hO9Y/THxJRSc+q:VEbNArVK+7xfOCH5Z+q
MD5:	5E5A20047D007EBF28918F2068FF88CF
SHA1:	2C4DC7453D0089126F790213A9D55556885D53E4
SHA-256:	43A588692F674651B6825B4C8C9A99C7794A48A476E17620C2909E550BA7EC54
SHA-512:	96BF311C3853D4009B3CC275A999DA2B309B0F99A5648279F9D83E665F9E86DD2A247E4813B08612E9CB62A3ABDF451011594368A634AEEC0F1EC0C7E4AE390E
Malicious:	false
Reputation:	low
Preview:	.p..W.[c.#,....NGf..X.+.F.0..7.W....r@m...Q..z.N+.+...=.y.w...S..V...N....3.m>w.9.Z.%....c<...c........n.\h....}..Q1.imd..H\|.......O.......G1.%.mJ......#...o!./..@g....4....S..N....tuYL..m6.......D.r.B[..;oL(..J.J.1.sa.......2......;.kb.l..'.+.......5..%=/..^:.......>.iS......c..x..e/........,..U!.\|e..#.f....q.T.V^V.....J.t...M.]..F.................L........~u..."...J.....M....y.2(.M..>Vj (J.J.s/O..0WyC.L..s..\|o.=7!o......";.9OeqI..G\.......z..h....#.vq....,.6...f.x...Cr...g.3.g%..4./.V......N1...x+..u'6.. +...T...0oG.^.&.\|.S...QKi...-h..d....7..I.5.{.."...TQ..4.qL:.....71.....VC[]u.h_.E.C........ ...W.>.......5.Z..!u2....'.LH..<..bWS;R.S`.,....\......3..!.....}Y:.7........Z.yyX.......Qn.?.....A..<.M_.?...^............t....\..8e...gA.#a.0..(...>.,.,..\g.C...pX....{g.w.....(.*...0%......O.`....MIiZ....p..L.w.....v.pqtv....w.s...ps..v.t.w...v..tv............p...ts..ts.....vp.t..w.qv.t.qw..w.p.......pp.....w.ts.t.wtw......q.wt........sk...

C:\ProgramData\Adobe\ARM\ArmReport.ini.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	1134
Entropy (8bit):	4.852816346482338
Encrypted:	false
SSDEEP:	24:Q+sE+TlR/yoMlnY2I0UawHdrbJnXNYvtUvyNYFsFGPa0ZqP/THxJRSc+q:rsE6LCnY50NwTXGlUyGFsFMZqTH5Z+q
MD5:	C337A8219B2F0A2CBC128220907E0C23
SHA1:	EFAE069DE57EE8CBE918A7E31E8F59DCC149607C
SHA-256:	9A81BF89E7311CF5ACDB69CEED52D6FECFF082640B2A2805F50D124F6047BC6A
SHA-512:	012BE257E65646B9975D112C52B1E45DBF1D8582472E8CECD1F0D043EDB0DE046CBA3E21C924932F15D2091BD915E976D876269842BD649587E6E26CFA155C8D
Malicious:	false
Reputation:	low
Preview:	..[.S.E.S.S.I.O.N.].....B.I.T.S._.R.e.s.u.l.t.=.-.2.1.4.6.9.5.9.3.5.5.....S.i.g.n.a.t.u.r.e._.V.a.l.i.d.a.t.i.o.n._.E.r.r.o.r.=.2.....B.a.c.k.u.p._.B.I.T.s._.R.e.s.u.l.t.=.0.....G.e.t._.P.r.o.d.u.c.t._.M.a.n.i.f.e.s.t._.R.e.s.u.l.t.=.O.K._.B.B.....A.p.p.l.i.c.a.t.i.o.n.=.R.e.a.d.e.r.S.e.r.v.i.c.e.s.....V.e.r.s.i.o.n.=.1.9...0.1.2...2.0.0.3.5...0.....L.a.n.g.u.a.g.e.=.E.N.U.....U.s.e.r._.G.r.o.u.p.=.A.d.m.i.n.....E.l.e.v.a.t.e.d.=.0.....U.A.C._.E.n.a.b.l.e.d.=.1.....M.O.D.E.=.A.u.t.o.....S.e.s.s.i.o.n.A.p.p.l.i.c.a.t.i.o.n.=.{.2.9.1.A.A.9.1.4.-.A.9.8.7.-.4.C.E.9.-.B.D.6.3.-.A.C.0.A.9.2.D.4.3.5.E.5.}.....S.e.s.s.i.o.n.I.n.s.t.a.l.l.d.i.r.=.....S.e.s.s.i.o.n.P.r.o.d.u.c.t.C.o.d.e.=.{.2.9.1.A.A.9.1.4.-.A.9.8.7.-.1.0.3.3.-.B.D.6.3.-.A.C.0.A.9.2.D.4.3.5.E.5.}.....S.e.s.s.i.o.n.D.a.t.a.M.o.d.u.l.e.P.a.t.h.=.....S.e.s.s.i.o.n.D.a.t.a.M.o.d.u.l.e.U.s.a.g.e.=.....AJqU.I..\.D......5..pc8...e..._&...;....:.dS...P.K8.."..k.@7x...F*'Uj..#-....B...k....m..4T.V......ue..&U3.Ve......!j.J....>.(..%

C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	991366
Entropy (8bit):	7.999836591239994
Encrypted:	true
SSDEEP:	24576:V8JvDZ/OitaiGjvlghi3DVRl6h2oLit2zG:VyvNmitaiGzmi3DhEnzG
MD5:	249BEEE0E66BF26CA68A1DEAEAF4B75C
SHA1:	B683ADCDE424AED135AD59E87C30AAF8008D034C
SHA-256:	373DEA19A39D439D995E48FA84C94FD4300F935CA88272383649589F8040EC3F
SHA-512:	AF790DCAF7520B0A3CA789E0096E3DC816BC73D1A425615C54D22E944D5F649422ADE8A41E0EDE66AF232976A8714FF080BB39DAA27FCA90CA57CA07361D9FB6
Malicious:	false
Reputation:	low
Preview:	.A......#....N.fV.U.+.F.0f;.7.WQ....r5m..uQ..V.\|+.+..5...t.N...f.X..E.N...T.\|>..../..l.bj...........nL_......Yyb..4.i.a...z.....{H..y".K{....\...#.7...P].J.o..HB.p.^...qe..Vh.....n..y....sV..Ju.aN........._/...AM.).x....E.tF.4c](.Y..=&..r....P..r.q..lK$.P.[...H.........6".....4.<.O..}....E#N.M.y.m\w.........T\|...6.=...?,.fI.....l<.N....].f...P+NMp<L.@A..(% ..N........nh@k.%.>O.........).-.....P.X....1......^2.[}.."....F>-)..i.....n....&.9=.W..2. P..cT..0....by.H.4.`.K......)...^..`.!N.7.`...N_....+..u.6V.i+...T..-0.G.^.&2\|.S;..Q.i..:-.Qd.. .57......:.."....`Q....#L........d1....~.?C(]..<_.E.C........h...H.3....J..5.Z..hu\....`.(H_._....b.S_R.S].x...m......3$.B.....DY1.........._.Ty-...{...Q/.F...x..<.MV.....^............Yt....$\...e.9g...a.....(6..>.,a,..ag.)#.p=.).}.A........(.*..L0.......O;`...,IWZ..}..LK=-^.J.XZ.i.....B.zc`....`...(-...;..X.?.fS.x.V.+2x.C...GC....@CQ%j..$Z`...[,.~.....k.l3S.W./....j....""G........V.......<.9.o%

C:\ProgramData\Adobe\ARM\S\436\AdobeARM.msi.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	Intel;1033
Category:	dropped
Size (bytes):	991500
Entropy (8bit):	7.421487496393618
Encrypted:	false
SSDEEP:	12288:1t0Yy+QEHeSHMTuLTBn0wM67J9ji8GUrWelRRzMzzD0Ad3KYo7hAx131YKTwIiMd:1t0Yy3a/INiRoz0AhK7+xyL6A2oY0EN
MD5:	D37168DB9912AB92BD3C7A284C4EED68
SHA1:	24973FA76E788D51E20AC31EEE7835D6B20161DD
SHA-256:	4BDE4676EE4EDEB8CE682EC016A83883609724B9D0FD9955D3E88FFDF5BA9B40
SHA-512:	059AB734DD1A8BE485CA86A9BD8D5D06FE4B7937D1B1A4286ACBB441B6DD1D17E85BEE4E261769EF372C7F774B4CA2AEA79C0574A4F34598114733FF7ADC19F9
Malicious:	false
Reputation:	low
Preview:	......................>...................................8...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-................................................................................... ...!..."...#...$.......&...'...(...)...*...+...,.../.......1...0...W...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...V...H...J.......K.......M.......O...P...Q...R...S...T...U...G...Y...X...v...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...u.......x...w.......y...z...

C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	423598
Entropy (8bit):	7.999553218788967
Encrypted:	true
SSDEEP:	12288:3ERdouok/clAZ5r7rohri7yF5tpaYKHWn:3dgkM5r7grKZYRn
MD5:	3A40FE6FD93F8776D971C75CAACF4BAA
SHA1:	F43EAF407CF14736CBB256708B43D52A1414548F
SHA-256:	D6317B4BF3AE6CB951CE35CD600742FB140CB143FEDCF93B15DE16BB73C6CE36
SHA-512:	F104CDF044095789468BC9695C4CAB0229C9EE9C90F889B18021FC7BAC0887A7CE65C463906F3448716B62AEF1756F30705601C24AA2B941BEFBF8AA73366A0D
Malicious:	false
Reputation:	low
Preview:	s......c.#..!~.N.fV.U.+.F.0...7.WQ....r5m..eQ..W.\|+.+..5.....N.......w....&...jM6`?.H.6.L.4.....m.T..^p.N..T....po..1.i.d..l...X......@....>{.b.H.=mKK.G....D..h.<Z.Q..."4....`&.~...<t...%z...,i.v.W...?.RS$(#./.J.1.s..j.....\P...;.k.....&.{.s.....5g..=.].^[o.....m.i!.g....c...x..o/..~.u.ER..;%/\|.~.#.f..".S.z.d^f...3.d.D...G....F......a........N.........~....U....z....kM..=..._(.M..3V` mJ.J.sYOK.j02y'.a..s.vo.=v!,.....c"".[O.q,..Ga......7....-....W..q..c..6..uf...gG..i.&.C..%o.].l.7..q.../_.P..+...u.,W.a....T..'0.G.^.&~\|....%oi...s.A...1.57......:.."....`Q.....>\|.......d1...eX?C4...!_.E.C........g....3.gW.n#.5...N.Y....H.(Hv._.. 8S_R.S].W...m.....3$.......DY...........i.Ty....>....Q/.\|...x..<.Mk....^.............Yt....`\..Ye..g..La..E..(\|..>.,a,..ag.C..Wp=....{.........(.*.L0J.....On`...,I.Z..}..LK=w^.J.XZ.5......B..zc?...e`...(-...;..X.?.fS...V.M2x.$...GC....@)Q%j..$Z....6,.~h.....k..3S.&./.........""G.Pn....V..A....<.C.o%

C:\ProgramData\Adobe\ARM\S\436\AdobeARMHelper.exe.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	423732
Entropy (8bit):	6.330189993122203
Encrypted:	false
SSDEEP:	6144:kyYCpQcslnC3znG+xfbMgyGn7LiJdKkAtyKuskePvX2Zp7DmuXYvr6ys/pX:hYFlnCxjMyn72/KkAtydem3nM6BZ
MD5:	1FC9B39B1F6DBB618E9FD452BAD66048
SHA1:	220998CCCEC8E862E79DCD441B31128E6340968F
SHA-256:	7743C3ED80481190C91575FF6256AA7333EF9623B838F80833FAD6C554F7F36F
SHA-512:	0BDF4019E7BBA712DB50C31E40BB2FDAF05A4EAEC94251B3240C899E37367B819FFE8097E283751D95664EB9894B115FE8ECAE22EE94977B853D87EB87A9916B
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y6R..eR..eR..e[.eK..e[.e...e[.e..eu[zeZ..eu[les..eR..e...e[.e[..eL.eS..e[.eS..eRichR..e........PE..L......\.............................[............@......................................@.....................................T....@...............X..(....0..H3..0................................r..@...............x............................text.............................. ..`.rdata..............................@..@.data....^......."..................@....rsrc........@......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\ARM\S\ARM.msi.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	991366
Entropy (8bit):	7.999836591239994
Encrypted:	true
SSDEEP:	24576:V8JvDZ/OitaiGjvlghi3DVRl6h2oLit2zG:VyvNmitaiGzmi3DhEnzG
MD5:	249BEEE0E66BF26CA68A1DEAEAF4B75C
SHA1:	B683ADCDE424AED135AD59E87C30AAF8008D034C
SHA-256:	373DEA19A39D439D995E48FA84C94FD4300F935CA88272383649589F8040EC3F
SHA-512:	AF790DCAF7520B0A3CA789E0096E3DC816BC73D1A425615C54D22E944D5F649422ADE8A41E0EDE66AF232976A8714FF080BB39DAA27FCA90CA57CA07361D9FB6
Malicious:	false
Reputation:	low
Preview:	.A......#....N.fV.U.+.F.0f;.7.WQ....r5m..uQ..V.\|+.+..5...t.N...f.X..E.N...T.\|>..../..l.bj...........nL_......Yyb..4.i.a...z.....{H..y".K{....\...#.7...P].J.o..HB.p.^...qe..Vh.....n..y....sV..Ju.aN........._/...AM.).x....E.tF.4c](.Y..=&..r....P..r.q..lK$.P.[...H.........6".....4.<.O..}....E#N.M.y.m\w.........T\|...6.=...?,.fI.....l<.N....].f...P+NMp<L.@A..(% ..N........nh@k.%.>O.........).-.....P.X....1......^2.[}.."....F>-)..i.....n....&.9=.W..2. P..cT..0....by.H.4.`.K......)...^..`.!N.7.`...N_....+..u.6V.i+...T..-0.G.^.&2\|.S;..Q.i..:-.Qd.. .57......:.."....`Q....#L........d1....~.?C(]..<_.E.C........h...H.3....J..5.Z..hu\....`.(H_._....b.S_R.S].x...m......3$.B.....DY1.........._.Ty-...{...Q/.F...x..<.MV.....^............Yt....$\...e.9g...a.....(6..>.,a,..ag.)#.p=.).}.A........(.*..L0.......O;`...,IWZ..}..LK=-^.J.XZ.i.....B.zc`....`...(-...;..X.?.fS.x.V.+2x.C...GC....@CQ%j..$Z`...[,.~.....k.l3S.W./....j....""G........V.......<.9.o%

C:\ProgramData\Adobe\ARM\S\ARM.msi.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	Intel;1033
Category:	dropped
Size (bytes):	991500
Entropy (8bit):	7.421487496393618
Encrypted:	false
SSDEEP:	12288:1t0Yy+QEHeSHMTuLTBn0wM67J9ji8GUrWelRRzMzzD0Ad3KYo7hAx131YKTwIiMd:1t0Yy3a/INiRoz0AhK7+xyL6A2oY0EN
MD5:	D37168DB9912AB92BD3C7A284C4EED68
SHA1:	24973FA76E788D51E20AC31EEE7835D6B20161DD
SHA-256:	4BDE4676EE4EDEB8CE682EC016A83883609724B9D0FD9955D3E88FFDF5BA9B40
SHA-512:	059AB734DD1A8BE485CA86A9BD8D5D06FE4B7937D1B1A4286ACBB441B6DD1D17E85BEE4E261769EF372C7F774B4CA2AEA79C0574A4F34598114733FF7ADC19F9
Malicious:	false
Reputation:	low
Preview:	......................>...................................8...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................-................................................................................... ...!..."...#...$.......&...'...(...)...*...+...,.../.......1...0...W...2...3...4...5...6...7...E...I...:...;...<...=...>...?...@...A...B...C...D.......F...V...H...J.......K.......M.......O...P...Q...R...S...T...U...G...Y...X...v...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...u.......x...w.......y...z...

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	14982
Entropy (8bit):	7.986033929355074
Encrypted:	false
SSDEEP:	384:zvQaPGKSgGSBKcu8SMy0hwFk1joj+4MYJXoimvIjd+q:zo/uKcChswUslVJXoim6
MD5:	4AF9DB10D2C94A96B5F2BBA3D2ACF359
SHA1:	C097D667608296B7F809924CF34434319D5C0DD3
SHA-256:	A1ECABBF739A19B6E4566DF899B2906E39F5CA5BF8A4FC7EF0AC55CD588326A9
SHA-512:	BC23CDF404159B1C8C28C557502F0781EF4F5B742C249677B8F349C3AB43B5F6BB635E31FC6B2EAC059A06F2A3D1844AC88CFCFB7AFB0A664C2EF51A9DF4639D
Malicious:	false
Reputation:	low
Preview:	.A......#....N.fV.U.+.F.0f;.7.WQ....r5m..dQ..V.\|+.+..5...O.N...f.X..E.N...T.....%...a.....C.7.'.c.F..X.L...p{)-Y.....<...:...pM.f'U....y".K{....\...#.7...P].J.o..HB.p.^...qe..Vh.....n..y....sV..Ju.aN........._/...AM.).x....E.tF.4c](.Y..=&..r....P..r.q..lK$.P.[...H.........6".....4.<.O..}....E#N.M.y.m\w.........T\|...6.=...?,.fI.....l<.N....].f...P+NMp<L.@A..(% ..N........nh@k.%.>O.........).-.....P.X....1......^2.[}.."....F>-)..i.....n....&.9=.W..2. P..cT..0....by.H.4.`.K......)...^..`.!N.7....T......+..u.6V.i+...T......^.&2\|.S;..Q.i..:-.Qd.. .57......:.."....`Q....#L........d1.".3.W....^.q.@.NgU.;t67DR.RA..^...)U..%.].l4...-]$...A....)Z"....[..9.C.}}c.E3SH\|...g..O.....r..x.+.k.~N......Zj...4.....uh.B`..\.Q..B...Nr.Zi..63'8<`U.iW..A`\|....0...\|....TO.._....$.......)#...o(.}../.VG(%.Z.y.7q..f.#D.Y...;m.$...MD\|.........[..R.}J..=.eC...Dux..5.\..@.k.Pc...n..8...N..'.*e.r...iC7...\...XZ.........KN....M.#.l1.O....uP......;\;K...O.<n ...T.F..

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrManifest3.msi.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	0
Category:	dropped
Size (bytes):	15116
Entropy (8bit):	6.149066524437746
Encrypted:	false
SSDEEP:	192:GL9W4ol8lRAi75wKVsw2uaSZscF8Bd1LgV5+a9sgfxIZHo3DLhxMt+q:khoGYiWZwDZsHLgqDgf2hqJI+q
MD5:	39D8BC08F25B79ACE155FF6FD999FC2F
SHA1:	12EDD19808F31EE370910DB5B08426299746FD75
SHA-256:	8BE05B8697E54F91E3A5E270AF0D66F420F241CA8DF470A19ECF395557F047ED
SHA-512:	1F56BF6232FA510F5A0D1CB5372DBE9FC6E2FA73CE6BA05B9178E8626AE6F5D611C56070E05AE24531B4ECFB6157B3145FCC23834909BD48658117E0FBFC5B80
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	177846
Entropy (8bit):	7.9990067622525975
Encrypted:	true
SSDEEP:	3072:NuSW8yPyUk30w6CwsRYbryC5+vshmLg1nymhf64SOvmugO4ft:NuSGKIw6vsRceC5+vVLg1nXhtSq74ft
MD5:	2C185067778B734C64A708D3DA7F9D0F
SHA1:	0480C0A01FE4D864BA7C482EEF1A51487C316185
SHA-256:	1A2726BBC068124BB157C5CFA36F4FCFA9E02B683D5FB3F4D08E47ECBA90165C
SHA-512:	7D02B76ED7A5A08F311ADCC32E05ECAB2CA608A737A453563D5866A49FAEE06627FF792A5D5BE69260C060D5DCAB67B83CEA6E05C65A967E5E7B61340DEC1CAA
Malicious:	false
Reputation:	low
Preview:	s......c.#..!~.N.fV.U.+.F.0...7.WQ....r5m..eQ..W.\|+.+..5...\.N.......w....&...jM6`?.H.6.L.4.....m.T..^p.N..T....po..1.i.d..3".....O.p....=Q....9.9'i........Pm.V..j...$..4Z..rI.C.9.<.>..&....u....+. ..\}}Eh...s...'...L@_7.{...2.........q.....+r.s......5g..=-C.^.~..:..Lm..i!.g.+..b...x.ln/..~.u.5.;1/\|TH.#.f.".C.z.d^`...3.b.D...G....F.....Lf...............~....m....J....kM..<.._(......` mJ.J.sYOKVh0.g'.q..s..vo.w!......`"Z.[O.q,..Ga......7.E..m....#.v.....6..uf.x..gC..i.&.C..%o.].L.7..w...N_...+..u..W.a/...T..'0.G.^.&.\|.3...0z...U..A...1.57.....:.."....`Q...J.(n.......d1...e.?C4}..!_.E.C.......mg....3...nC.5....NY^....H.(Hv._..".!:>.0]._..,o......&.......DY.......=....i.Ty....>....Q/.\|...x..<.Mk....^.............Yt....`\..Ye..g..La..E..(\|..>.,a,..ag.C..Wp=....{.........(.*.L0J.....On`...,I.Z..}..LK=w^.J.XZ.5......B..zc?...e`...(-...;..X.?.fS...V.M2x.$...GC....@)Q%j..$Z....6,.~h.....k..3S.&./.........""G.Pn....V..A....<.C.o%

C:\ProgramData\Adobe\ARM\{291AA914-A987-4CE9-BD63-AC0A92D435E5}\RdrServicesUpdater2_1901220035.exe.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	177980
Entropy (8bit):	6.667386381176696
Encrypted:	false
SSDEEP:	3072:i16mNB3sJ2xp+MHsSVSol3cUAYuBwp0yOvbXWTBfgQcVE0dvdCohMA:iPNSYxp+M/KvTWTBVcVE5qMA
MD5:	455CEA8BA20AD9A31EFF1DA5A226A5DA
SHA1:	B9924BDC0446CE2722741B75A12F42C91CB18E4A
SHA-256:	188092834BC98778F86314B479451366926403DBACB1E7E5EF412799EF1CB7A2
SHA-512:	D16CAB44399208EB7C670C4CDC1F09D2F822D254026349520E32ACC87FBBA1A8727502AA7AA6783A1B4EB6CCDE3ACEB711D74BE2F3C8D9FCE9F258B962D86006
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......I^;..?U..?U..?U..m...?U..m...?U.Kn...?U..m...?U..m...?U....?U....?U......?U..?T..?U....?U..m...?U..?...?U....?U.Rich.?U.................PE..L.....]............................py............@.................................\|B....@.................................$........P..0R..............0...........0...8...............................@............................................text...#........................... ..`.rdata..`...........................@..@.data........@....... ..............@....rsrc...0R...P...T...,..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	244416646
Entropy (8bit):	7.999999354586816
Encrypted:	true
SSDEEP:	3145728:wN6sGnTpc1W8uhhDWslXo5RteOR7dxoSxVnwKxeZI/4hT3hTexywJ5uiIX5bJRi3:q6sKm1W8oDWslY5n5dxHMZqE4DDImxtn
MD5:	24C5C064A92962E58DF01240589CD560
SHA1:	47A14D9C5930759C43FD094AEA15A16FD0C7314E
SHA-256:	2F882C65245DD54ECE873E9285C601728311D08F29414E8BBFF6DC335EB8A3D5
SHA-512:	334C659D2EF81C61EEB9E2B6DB6159D0C5C8D2CC0DB3EEFA82342BDBC54238D536457D9D644E504F5F1392705EBBA14D50DCA7076A1EDBC288C1C0B551076EB3
Malicious:	false
Reputation:	low
Preview:	.A......#....N.fV.U.+.F.0f;.7.WQ....r.m..^Q..V.\|+.+..5...O.N...f.X..E.N...T..>..../.l.cj...........ny\..D...j}b..1.i.d...\|....O..T.h.WGn.5.l..J....\.x.P....!n.....Mg......,S...i.Yt.Y..m...q.~..n.r-.(...0L.1.J..1Z.......{....K.`~.;@......'B.r.....b..5...=..^..........i.3g.7..cI..xR+o/.Y..Uu..m\w.........T\|...6.=...?,.fI.....l<.N....].f...P+NMp<L.@A..(% ..N........nh@k.%.>O.........).-.....P.X....1......^2.[}.."....F>-)..i.....n....&.9=.W..2. P..cT..0....by.H.4.`.K......)...^..o.].L.7.....N_....+..u.6V.a+...T..'0.G.^.&>\|.S6..Q.i..5-.Ad..1.57......:.."....`Q....4L........d1....e.?C4]..!_.E.C........I...j.3....n..5.Z..Nu\....H.(Hv._...b8S_R.S].W...m.....3$.......DY...........i.Ty....>....Q/.\|...x..<.Mk....^.............Yt....`\..Ye..g..La..E..(\|..>.,a,..ag.C..Wp=....{.........(..L0J.....On`...,I.Z..}..LK=w^.J.XZ.5......B..zc?...e`...(-...;..X.?.fS...V.M2x.$...GC....@)Q%j..$Z....6,.~h.....k..3S.&./.........""G.Pn....V..A....<.C.o%

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901220034.msp.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	Composite Document File V2 Document, Can't read SAT
Category:	dropped
Size (bytes):	71827456
Entropy (8bit):	7.9905540073984165
Encrypted:	true
SSDEEP:	1572864:bWdolzI0VkoqvxI9Fw2Ltl32DJi+Sx+melo1h6HbbZ:bW8LzpEi+qqbZ
MD5:	721F94A7AF6D5665E7FD49EF08574C47
SHA1:	29BA0C211F5C72A53789E3B05CCC7D8B11334B37
SHA-256:	EDFFC55E95E68BD1076E6E1A964551CDF2D2A1D74607097A5C052C26F04BD3D7
SHA-512:	EF1C07FD6D973A59291FF9A0489D59788F19D1BB1E56178F1D4AE84A93127393535951A17846E5342027017B97668797DF2088EC8BE7EA0A8338EAC70500E35B
Malicious:	false
Reputation:	low
Preview:	......................>...................;............................................................................................................................................................{......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRead.msi.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	2793094
Entropy (8bit):	7.999934177292409
Encrypted:	true
SSDEEP:
MD5:	93597FF5F8EC906FEB063DC9338CC7B4
SHA1:	357D4B070B56407A9934506F3C52537D02762E68
SHA-256:	A6A7EC804371957F78AE38FD7474FCD74B90114F1B811A754A78B1B5795386E6
SHA-512:	4EF66F5C8A8DB1F729F88B1F7FF55ADCBB58A284BD2F17E763FACDBDCFB372D0545065EC73982D39BC111CAADC390254D4332CC1F7ED8D72681B8790D4A0F0E6
Malicious:	false
Reputation:	low
Preview:	.A......#....N.fV.U.+.F.0f;.7.WQ....r5m..NQ..V.\|+.+..5...t.N...f.X..E.N...T..>..../...l.bj...........nL_......Yyb.\4.i.a...z.....{H..y.h..On..l.FC....\..P.b..!.....Mg......q^..<.i..z.Y/..m......~...r.R(.P0L...JVX.1.a......4....K.=..;r....P..r.q..lK$.P.[...H.........6".....4.<.O..}....E#N.M.y.m\w.........T\|...6.=...?,.fI.....l<.N....].f...P+NMp<L.@A..(% ..N........nh@k.%.>O.........).-.....P.X....1......^2.[}.."....F>-)..i.....n....&.9=.W..2. P..cT..0....by.H.4.`.K......)...^..`.!N.7.....N_....+..u.6V.q+...T..-0.G.^.&2\|.S;..Q.i..:-.Bd.. .57......:.."....`Q....#L........d1....~.?C(]..<_.E.C........h...H.3....H..5.Z..`u\....`.(H_._....b.S_R.S].z...m....3$.$.....DY1.........._.Ty-.......Q/.F...x..<.MV.....^............Yt....&\...e.7g...a.....(5..>.,a,..agSC..q=.9..{]........(.*..L0+......O;`...,IYZ..}..LK=-^.J.XZ.i.....B.zc`....`...(-...;..X.?.fS.x.V.+2x.C...GC....@CQ%j..$Z`...[,.~.....k.l3S.U./........""G.Pn...V..9...<.9.o%

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	175114177
Entropy (8bit):	7.999998925759809
Encrypted:	true
SSDEEP:
MD5:	B3812EE37714C294174FD2B2ED8F0258
SHA1:	703810A035C0DD482A1FEAEB1AF18BD05C9CCA01
SHA-256:	9EB7D3CCC5B4125FC7D74617DCB31EAC03A4109AB2CB73E2BE22F82FA9CFA5F0
SHA-512:	81ED18662C037AB1681F49B9F09A34B51544A12700031A4F29B9B49E7BA72F1DC65AE179AA1F4150AF282831051586B484A8688FF310089C0085C0C325E9100A
Malicious:	false
Reputation:	low
Preview:	s.....c.$....N.gV.U.+.G.0...7.SQ..r.m..+.....\|+.`............f.#...N.k.. >......I.l.r._...s/L.Y..n.y.........j1.i%p<.H\|...$..O..).A..Gn...Q..J..$./<.P...t#.......e....)L..S.....Zt.Y.\.nD...-.F....r.dc..;0L./.I.J.1.[..]......^.K.$.+8.j.."..#./r.......5.E.;_..^".c.......{o..g.~.ue...x.Q.)......t...bT.z...#.e....C../V.....:+...D...+.r..F......e.56......[.........:w(...n..J..f.lG .>..I".M....HAJ.Jj.gEm.j0.ev.R..s...e.=v!.....`"Z.<..s...#...b....[.....U~..`.A2'.......%DT.'..".B.(.....!.[....8.3+..N8. .#+....sW$.ON.l....f..u.....L.g....L+..j.k.t".....r......:.."....S..`xY?y..... r....T.yq.mD..m.................(.Pl....o..5....nu......!.A$.`&..=v.......4....We....?..Xo...'<q.i.......&..6J........Q/.\|....x..x. E.\|.......O.....>...Y....`...5.....eS.......(.W.>..j,...!ZO....K..g./H.y...Z.w.z...0T.....O.&....M-a8.....k. 'M.+.#.v>.Y.=....B..~cN..E`...LA......6sY..'...V..3x. ..^.Kc...-P.D...%Z..7.6,.~.U.....nq^.B.L.j......."S..\N....&r.2.....<.U.o!

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	742
Entropy (8bit):	7.5490936735624405
Encrypted:	false
SSDEEP:
MD5:	DB38E130D9960D1BC0B79CD5626CFC72
SHA1:	493C8FDF7B5F96CA86CCFF509131D8591F13B0ED
SHA-256:	1B457017C172E592DCC7F71DDAE8A5355CABCBA7AE2F651DDBEE1CCBAD3E1DA2
SHA-512:	BE4C58F69F600283AFCCE842BF0B421FA38D9F448F41DC50168388040A71DC47F94E5E83FA1CB3ABE0DEAD9AB966A392F0F0BCD16F39766C3F1D43CB303665A4
Malicious:	false
Reputation:	low
Preview:	.....;4I..U%...d#L\|.....l.......}{..X.G..O{.8}.V........f;d...]..9.......8.fL6U5.J.9.........z.....9...9=....S..J<.R5N..PV.. ...e...B..mD..F..`....v...z.H.)...8...gM....{....y..6.c.^s...GC....T....X.h.....fP..`.`...Y?.......Z.a&.....A8.6....?..r..z.\...7FR.;{W.x.c.r....D.G..!.C.....K...s.N.o......V~....L....i.P.NtL......N7n..m.;8.l..5.$O........=......S.t@.............Mx\.i..M.).~..#-gG.G.Hsea.@..S..[..Y..\E..\......J.p.qe#[...mK..)..........1.....\/...i..........r.I.V.*.yVb.f.f....).du..#)..._<.\|.K..#.~.....m.t...V.y...{$C......kN...8=.JO.%.T.C..j..WUKx.K.....w.....v.pqtv....w.s...ps..v.t.w...v..tv............p...ts..ts.....vp.t..w.qv.t.qw..w.p.......pp.....w.ts.t.wtw......q.wt........sk...

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.g1yfw9.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	876
Entropy (8bit):	4.628585969096136
Encrypted:	false
SSDEEP:
MD5:	BBDAAD0C6A4BC3E281618D8E35CEFC11
SHA1:	0689E67A316B4111A574BE31DE1FBD1BD1926C87
SHA-256:	458372710E387F4A0ECF1446A0AD8D7FF9B51AB3C51E7619356A70C27E4B2E8F
SHA-512:	B6DD7FC60C4F6566C0C373EE5829BB3BCFBD4667B2AA407D3AD0976EE2973A3708BA6F22AC94D4724F242551C60E8E9B2FB63709893F2EB0D23587E80B5A34B9
Malicious:	false
Reputation:	low
Preview:	;*************************************************************..;Adobe Installer External Configuration File: Abcpy.ini..;***********************************************************....;***********************************************************..;Main Section..;The (Product) key is a required key..;***********************************************************..[MAIN]..Product=Adobe Acrobat Reader DC......;***********************************************************..;OEM Installation Options..;*************************************************************..[OEM Install]..INSTALLDIR=...b:....c.N7BY..#(.6.C.........B...j.G....n..6.P..>wZ....<."Kv.\....c?$T#.V).&..........0T.......C-q.t..y..h.V.n...<...."D....w.....v.pqtv....w.s...ps..v.t.w...v..tv............p...ts..ts.....vp.t..w.qv.t.qw..w.p.......pp.....w.ts.t.wtw......q.wt........sk...

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	465014
Entropy (8bit):	7.999587188788213
Encrypted:	true
SSDEEP:
MD5:	2B3E0305E17F3726DE1D54A9E3F6888F
SHA1:	7DE15ADBA7305F873CF38E5E2E0AF85B2E7E084C
SHA-256:	E4BAEACE261F31B0720A41AF7FAA729A5ACFC742F1C44937001F0900D83E3879
SHA-512:	461B01754BA8564125B632C4935070037D9E87712DBFB71E25DFCF42E6C6F835F6157727244F779EC1C987CA9B6CA6567DB170A0C16EC2110A66DA125AE6207A
Malicious:	false
Reputation:	low
Preview:	s......c.#..!~.N.fV.U.+.F.0...7.WQ....r5m..eQ..W.\|+.+..5...D.N.......w....&...jM6`?.H.6.L.4.....m.T..^p.N..T....po..1.i.d....ke.xR...zyk<.0`.`j.B.b...c8..O.:1#q..S$..6@...=.U.H_.Z..p.}b....m#.T.pHR.gu...\|..$0.a._8.;......>b..f'}(S".(d/8w..k.....'.+r.s....\.5+..=2...[..........h.k...c.G.x..o/...~.u.ER..;!o\|T..#.d..'.B.z.d^c...3.d}C...G._:.F......u...............~....}.......1.kM?.;.E.^(.M..3V` m..JWnYOK.j02y'.d.s..vo.=v!,.....`"Z.[O.q,..Ga.a....7....-......v%....6..uf.x..gC..i.&.C..%A.8.8.7.....^_...+...u.6V.a+...T...0.'.,.GJ..S...Q....5}+.A...1.57......:..".....%.....&........d1.'..e.?C4]..!_.E.C.X........y..j!6....n7.5.Z..Nu\......(.v._...b8S_R.S].W...m.....3$.......DY...........i.Ty....>....Q/.\|...x..<.Mk....^.............Yt....`\..Ye..g..La..E..(\|..>.,a,..ag.C..Wp=....{.........(..L0J.....On`...,I.Z..}..LK=w^.J.XZ.5......B..zc?...e`...(-...;..X.?.fS...V.M2x.$...GC....@)Q%j..$Z....6,.~h.....k..3S.&./.........""G.Pn....V..A....<.C.o%

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.g1yfw9 Download File
Process:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
File Type:	data
Category:	dropped
Size (bytes):	348
Entropy (8bit):	6.668673391714458
Encrypted:	false
SSDEEP:
MD5:	842C2D5B8F6D5E04CF9A46A7438A4B4B
SHA1:	5205C1E8AD122DA03855F500E7CFED232BDAAD77
SHA-256:	8F4082747B9E07928228BC825F46890E2E7EAD4D71829606256ACDC53B538C1E
SHA-512:	EBFEF611B266F7378F828B07D852C67D5D1F1925194E56057ED3AB31F7835204DD27CFE8E1A9D7AB6F461586550C22F5E080244C60F59445F54224DA71921E9F
Malicious:	false
Preview:	e..vek...u]...'{.......K.=...E.3$...xe,.-l.q%..O.o..E.5.\| \|..,U.;...D.....qQDu,...$.a.Xi1.,./......k.c..f.....X>.P..p......k...a.......h......K/....sY....L.,...=...Hs...>.. .dP....?Ba...]Z....F......H.w.....v.pqtv....w.s...ps..v.t.w...v..tv............p...ts..ts.....vp.t..w.qv.t.qw..w.p.......pp.....w.ts.t.wtw......q.wt........sk...

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.889119918577074
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	s3ZenAQ7m1.exe
File size:	102400
MD5:	7f5227030be3d2ef48aa652af1ec72b0
SHA1:	202e7ac1c2aaca8fbeed4ac454ca195a33c9d064
SHA256:	4dfc17406a58c6f1ce83a73ce6dd5b343d00fe77d07dfe21d28da13631bfad90
SHA512:	4603b758416dac60cb322aae6f3566711b6a4a9b657f6448861553b45b1c737fd3180d2b0bc169ef193a2372e89aba14a4d27a25e0a5eb440ed6c4afafe5f55c
SSDEEP:	1536:juwI7JIu1l2tHeRtnKT5lv1jZR+rpwNy1CqKvbBnNooElc3Q:j3I7l1l2ReyTXX1q4Du7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......].......................p...............Rich............................PE..L.....L`..........................................@

File Icon


Icon Hash:	38f6c6e6f8f4f060

Static PE Info

General
Entrypoint:	0x4015ec
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x604C949E [Sat Mar 13 10:31:58 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	65155a2944ad0beb18aa3e4f1d3900f5

Entrypoint Preview

Instruction
push 00401CB0h
call 00007FDAA4DD8223h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+1FDE625Ah], ah
cmpsd
push es
inc edi
lahf
mov gs, word ptr [eax+32h]
lahf
adc ebx, dword ptr [edi]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+46h], bh
jne 00007FDAA4DD8293h
push 0000006Bh
imul ebp, dword ptr [esi+00h], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add byte ptr [esi+edi*2], al
lds ecx, fword ptr [esi+55h]
mov al, 44h
mov word ptr [ebp-2DE994E0h], cs
das
inc esi
sal ebp, cl
and byte ptr [eax+1Dh], FFFFFFD4h
add eax, dword ptr [ebp-4Fh]
sbb dl, byte ptr [edx]
out dx, al
int3
call far 33ADh : 4F3ADDC0h
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov byte ptr [eax+eax], al
add byte ptr [ebx+00000004h], al
verw word ptr [ebx+ebp*2+41h]
inc ebp
inc edi
jns 00007FDAA4DD828Bh
outsb
push ax
js 00007FDAA4DD82ACh
push esp
jnbe 00007FDAA4DD8274h
add byte ptr [00000119h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7e94	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xb000	0xe8bc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x160	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x7508	0x8000	False	0.408599853516	data	5.16788060997	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x9000	0x102c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xb000	0xe8bc	0xf000	False	0.511100260417	data	6.35043315796	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
EXE	0xb8bc	0xe000	PE32 executable (GUI) Intel 80386, for MS Windows	English	United States
RT_ICON	0xb5d4	0x2e8	data
RT_ICON	0xb4ac	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xb488	0x24	data
RT_VERSION	0xb170	0x318	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaAryMove, __vbaFreeVar, __vbaLenBstr, __vbaStrVarMove, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaRecDestruct, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarIndexLoad, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaCyI2, __vbaAryConstruct2, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaVarCat, __vbaI2Var, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, __vbaPowerR8, _adj_fdiv_r, __vbaI4Var, __vbaAryLock, __vbaVarAdd, __vbaStrToAnsi, __vbaVarMod, __vbaFpI4, __vbaRecDestructAnsi, _CIatan, __vbaAryCopy, __vbaStrMove, _allmul, _CItan, __vbaAryUnlock, __vbaVarForNext, _CIexp, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	iiUVwFRu
InternalName	RunExeMemory
FileVersion	3.02.0032
CompanyName	GMIUlmH
LegalTrademarks	AvvuzkdkOpbr
Comments	SqYAQxDQf
ProductName	xpNrVFB
ProductVersion	3.02.0032
FileDescription	sQjvjgaspM
OriginalFilename	RunExeMemory.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

• s3ZenAQ7m1.exe
• s3ZenAQ7m1.exe

Click to jump to process

Memory Usage

• s3ZenAQ7m1.exe
• s3ZenAQ7m1.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• s3ZenAQ7m1.exe
• s3ZenAQ7m1.exe

Click to jump to process

System Behavior

Analysis Process: s3ZenAQ7m1.exe PID: 6116 Parent PID: 5812

Function Logs

General

Start time:	23:11:51
Start date:	13/03/2021
Path:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\s3ZenAQ7m1.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	7F5227030BE3D2EF48AA652AF1EC72B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Show Windows behavior

File Activities

File Deleted

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Key Opened

Key Value Queried

Show Windows behavior

Mutex Activities

Mutex Created

Show Windows behavior

Process Activities

Process Created

Process Information Set

Process Terminated

Show Windows behavior

Thread Activities

Thread Execution Resumed

Thread Delayed

Thread Information Set

Show Windows behavior

Memory Activities

Memory Read

Memory Written

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Windows UI Activities

Window Created

Window UI Enumerated

Message Posted to Windows UI

Window UIs Event Hook Set

Show Windows behavior

LPC Port Activities

Chronological Activities

Analysis Process: s3ZenAQ7m1.exe PID: 4944 Parent PID: 6116

Function Logs

General

Start time:	23:11:51
Start date:	13/03/2021
Path:	C:\Users\user\Desktop\s3ZenAQ7m1.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\s3ZenAQ7m1
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	7F5227030BE3D2EF48AA652AF1EC72B0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Reputation:	low

Show Windows behavior

File Activities

File Opened

File Created

File Deleted

File Moved

File Written

File Read

File Attributes Queried

Other File Operations

Show Windows behavior

Section Activities

Sections loaded by Windows

Sections loaded by Program

Show Windows behavior

Registry Activities

Memory Activities

Memory Allocated

Memory Protection Changed

Memory Usage Statistics

Show Windows behavior

System Activities

Show Windows behavior

Timing Activities

User Timer set

Show Windows behavior

Windows UI Activities

Window Created

Message Posted to Windows UI

Show Windows behavior

LPC Port Activities

Chronological Activities

Disassembly

Code Analysis

Analysis Process: s3ZenAQ7m1.exe PID: 6116 Parent PID: 5812 s3ZenAQ7m1.exeCOMMON

Executed Functions

Function 00407170, Relevance: 195.1, APIs: 93, Strings: 18, Instructions: 820COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(00000000,660E6C30,660E6A76), ref: 004072BB
__vbaAryLock.MSVBVM60(?), ref: 004072CE
__vbaGenerateBoundsError.MSVBVM60 ref: 004072F0
__vbaGenerateBoundsError.MSVBVM60 ref: 00407300
__vbaSetSystemError.MSVBVM60(?,?,00000040), ref: 00407326
__vbaAryUnlock.MSVBVM60(?), ref: 0040732F
__vbaStrMove.MSVBVM60(1B2B44F03D503E26E4EE082A6A3319ED5A2B3BCA1E1D59), ref: 0040735C
__vbaStrMove.MSVBVM60(lBEH), ref: 00407375
__vbaStrMove.MSVBVM60(00000000), ref: 00407385
__vbaStrMove.MSVBVM60(EJgnuZ), ref: 0040739E
__vbaStrMove.MSVBVM60(00000000), ref: 004073AE
__vbaStrMove.MSVBVM60(00000000), ref: 004073BE
__vbaStrMove.MSVBVM60(3E7ED082145E120B235629131A2E04), ref: 004073D2
__vbaStrMove.MSVBVM60(UxCPM), ref: 004073EB
__vbaStrMove.MSVBVM60(00000000), ref: 004073FB
__vbaStrMove.MSVBVM60(YngPy), ref: 00407414
__vbaStrMove.MSVBVM60(00000000), ref: 00407424
__vbaStrMove.MSVBVM60(00000000), ref: 00407434
#595.MSVBVM60(?,00000010,?,?,?), ref: 004074AB
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407507
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0040752B
__vbaAryLock.MSVBVM60(?,00000000), ref: 00407548
__vbaGenerateBoundsError.MSVBVM60 ref: 0040756D
__vbaGenerateBoundsError.MSVBVM60 ref: 0040757D
__vbaSetSystemError.MSVBVM60(?,?,000000F8), ref: 004075A0
__vbaAryUnlock.MSVBVM60(?), ref: 004075A9
__vbaStrMove.MSVBVM60(2C559A0AA43D1005C9D2341946332CCA461834D2301A45), ref: 004075D7
__vbaStrMove.MSVBVM60(GaF), ref: 004075F0
__vbaStrMove.MSVBVM60(00000000), ref: 00407600
__vbaStrMove.MSVBVM60(IiiJR), ref: 00407619
__vbaStrMove.MSVBVM60(00000000), ref: 00407629
__vbaStrMove.MSVBVM60(00000000), ref: 00407639
__vbaStrMove.MSVBVM60(8768812445710A3A0559260B0B280B), ref: 0040764D
__vbaStrMove.MSVBVM60(BSCZIT), ref: 00407666
__vbaStrMove.MSVBVM60(00000000), ref: 00407676
__vbaStrMove.MSVBVM60(vVv), ref: 0040768F
__vbaStrMove.MSVBVM60(00000000), ref: 0040769F
__vbaStrMove.MSVBVM60(00000000), ref: 004076AF
#595.MSVBVM60(?,00000010,?,?,?), ref: 00407726
__vbaFreeStrList.MSVBVM60(0000000C,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00407782
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 004077A6
__vbaRecDestructAnsi.MSVBVM60(00403D80,?,00407E62), ref: 00407E19
__vbaFreeStr.MSVBVM60 ref: 00407E28
__vbaFreeStr.MSVBVM60 ref: 00407E2D
__vbaFreeStr.MSVBVM60 ref: 00407E35
__vbaFreeStr.MSVBVM60 ref: 00407E3D
__vbaFreeStr.MSVBVM60 ref: 00407E45
__vbaFreeStr.MSVBVM60 ref: 00407E4D
__vbaRecDestruct.MSVBVM60(00403D80,00000044), ref: 00407E5B

Strings

IiiJR, xrefs: 00407608
2C50AC1BAD85D747FBD50404D547F8221AFA2210562915072418FBD444, xrefs: 00407874
EJgnuZ, xrefs: 0040738D
1B2B44F03D503E26E4EE082A6A3319ED5A2B3BCA1E1D59, xrefs: 00407344
MZ, xrefs: 00407335
D, xrefs: 004077D3
vVv, xrefs: 0040767E
GaF, xrefs: 004075DF
UxCPM, xrefs: 004073DA
2C559A0AA43D1005C9D2341946332CCA461834D2301A45, xrefs: 004075BF
BSCZIT, xrefs: 00407655
UVgDyc, xrefs: 00407894
3E7ED082145E120B235629131A2E04, xrefs: 004073C0
lBEH, xrefs: 00407364
8768812445710A3A0559260B0B280B, xrefs: 0040763B
YngPy, xrefs: 00407403
PE, xrefs: 004075AF
Vhy, xrefs: 004078BD

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Error$BoundsGenerateList$#595DestructLockSystemUnlock$AnsiCopy
String ID: 1B2B44F03D503E26E4EE082A6A3319ED5A2B3BCA1E1D59$2C50AC1BAD85D747FBD50404D547F8221AFA2210562915072418FBD444$2C559A0AA43D1005C9D2341946332CCA461834D2301A45$3E7ED082145E120B235629131A2E04$8768812445710A3A0559260B0B280B$BSCZIT$D$EJgnuZ$GaF$IiiJR$MZ$PE$UVgDyc$UxCPM$Vhy$YngPy$lBEH$vVv
API String ID: 2849353991-476126404
Opcode ID: 76bcecbb046eb3ad2a0fb648c7daa3b3d36430b67704f34c9399dd77634a3ee5
Instruction ID: 099449512aeb439720a6fc2b306f32c175a9bca5b93ea3143f22acc4763425a7
Opcode Fuzzy Hash: 76bcecbb046eb3ad2a0fb648c7daa3b3d36430b67704f34c9399dd77634a3ee5
Instruction Fuzzy Hash: 8872EFF1D002289BCB25DF64CC84ADEB7B9AB48304F5085EEE609B7250DA746F85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405A90, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 209COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00405B18
__vbaStrCopy.MSVBVM60 ref: 00405B20
__vbaLenBstr.MSVBVM60(?), ref: 00405B2C
__vbaLenBstr.MSVBVM60(?), ref: 00405B4F
__vbaLenBstr.MSVBVM60(?), ref: 00405B5F
__vbaLenBstr.MSVBVM60(?), ref: 00405B76
#681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
__vbaI4Var.MSVBVM60(?,?), ref: 00405BED
#632.MSVBVM60(?,00004008,00000000), ref: 00405BFF
#632.MSVBVM60(?,?,?,?), ref: 00405C42
__vbaStrVarVal.MSVBVM60(?,?), ref: 00405C53
#516.MSVBVM60(00000000), ref: 00405C56
__vbaStrVarVal.MSVBVM60(?,?), ref: 00405C6D
#516.MSVBVM60(00000000), ref: 00405C70
#608.MSVBVM60(?,?), ref: 00405C89
__vbaVarCat.MSVBVM60(?,?,00000008), ref: 00405CA4
__vbaStrVarMove.MSVBVM60(00000000), ref: 00405CAB
__vbaStrMove.MSVBVM60 ref: 00405CB6
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00405CC6
__vbaFreeVarList.MSVBVM60(0000000A,0000000B,00000003,00000003,?,00000002,?,00000002,?,?,?), ref: 00405D05
__vbaFreeStr.MSVBVM60(00405D95), ref: 00405D8D
__vbaFreeStr.MSVBVM60 ref: 00405D92
__vbaErrorOverflow.MSVBVM60 ref: 00405DAB

Strings

niLMtNS, xrefs: 004069A7
QwF, xrefs: 0040698A
o, xrefs: 00406405

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BstrFree$#516#632CopyListMove$#608#681ErrorOverflow
String ID: QwF$niLMtNS$o
API String ID: 505741399-2904503189
Opcode ID: 8c1a01a2b5e7c4bcc9e1b513638f54cf946dfc436b967feffc213f5223f38271
Instruction ID: afe4b6194a3380cabf1ce22c4c145a1da1c7a7f42cb0ca369920840fae9e31c9
Opcode Fuzzy Hash: 8c1a01a2b5e7c4bcc9e1b513638f54cf946dfc436b967feffc213f5223f38271
Instruction Fuzzy Hash: DE81A5B2D00219DFDB15DFA5DD84FDEBBB8BB48300F0081AAE51AB7250E6745A49CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00406C01, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 154COMMON

Download Yara Rule

APIs

__vbaStrMove.MSVBVM60(CFB724), ref: 00406C77
__vbaStrMove.MSVBVM60(wRF), ref: 00406C87

Part of subcall function 00405DC0: __vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60 ref: 00405E17
Part of subcall function 00405DC0: __vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
Part of subcall function 00405DC0: __vbaOnError.MSVBVM60(000000FF), ref: 00405E37
Part of subcall function 00405DC0: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
Part of subcall function 00405DC0: __vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
Part of subcall function 00405DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
Part of subcall function 00405DC0: __vbaFreeVar.MSVBVM60 ref: 00405E94
Part of subcall function 00405DC0: __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04

__vbaStrMove.MSVBVM60(00000000), ref: 00406C94
__vbaStrMove.MSVBVM60(QJFQ), ref: 00406CA4

Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B18
Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B20
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B2C
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B4F
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B5F
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B76
Part of subcall function 00405A90: #681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
Part of subcall function 00405A90: __vbaI4Var.MSVBVM60(?,?), ref: 00405BED

__vbaStrMove.MSVBVM60(00000000), ref: 00406CB1

Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 0040673C
Part of subcall function 004066E0: #632.MSVBVM60(?,?,?,?), ref: 004067A0
Part of subcall function 004066E0: __vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
Part of subcall function 004066E0: #516.MSVBVM60(00000000), ref: 004067B5

__vbaErrorOverflow.MSVBVM60 ref: 00406C01

Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948), ref: 0040656F
Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 00406579
Part of subcall function 004066E0: #537.MSVBVM60(00000026), ref: 004065A9
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065B0
Part of subcall function 004066E0: #537.MSVBVM60(00000048,00000000), ref: 004065B5
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065BC
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065BF
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065CA
Part of subcall function 004066E0: #631.MSVBVM60(?,?,?,00000000), ref: 004065D6
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065E1
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065E4
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065EF
Part of subcall function 004066E0: #581.MSVBVM60(00000000), ref: 004065F2
Part of subcall function 004066E0: __vbaFpI4.MSVBVM60 ref: 004065F8
Part of subcall function 004066E0: #537.MSVBVM60(00000000), ref: 004065FF
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 00406606
Part of subcall function 004066E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040661E
Part of subcall function 004066E0: __vbaFreeVar.MSVBVM60 ref: 0040662A
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(?,?), ref: 00406638

__vbaStrMove.MSVBVM60(00000000), ref: 00406CBE
__vbaNew2.MSVBVM60(00403518,00409584), ref: 00406CD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403508,00000038,?,?,?,?,?), ref: 00406D3E
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D4C
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D5A
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?), ref: 00406D7A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?), ref: 00406D8A
__vbaAryCopy.MSVBVM60(?,?), ref: 00406D9B
__vbaFreeStr.MSVBVM60(00406E14), ref: 00406E01
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406E0D

Strings

QJFQ, xrefs: 00406C99
CFB724, xrefs: 00406C3E
wRF, xrefs: 00406C7C

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Copy$BstrFree$#537List$ErrorVar2$#516#581#631#632#681#717CheckChkstkConstruct2DestructHresultInitNew2Overflow
String ID: CFB724$QJFQ$wRF
API String ID: 1766937285-169090389
Opcode ID: d778b7cd5b4b8b28017b51fa3faae1dad924b9591277092ce3115ee916503277
Instruction ID: 0d22c63b821632034c5087a3f616cc0919ef05cafb2105a151a16de8dd7b83b3
Opcode Fuzzy Hash: d778b7cd5b4b8b28017b51fa3faae1dad924b9591277092ce3115ee916503277
Instruction Fuzzy Hash: 0B5106B1D10218ABCB04EFE5D985ADEBBB8FF48700F10812AF506B7294DB746A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00406C10, Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 144COMMON

Download Yara Rule

APIs

Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948), ref: 0040656F
Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 00406579
Part of subcall function 004066E0: #537.MSVBVM60(00000026), ref: 004065A9
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065B0
Part of subcall function 004066E0: #537.MSVBVM60(00000048,00000000), ref: 004065B5
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065BC
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065BF
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065CA
Part of subcall function 004066E0: #631.MSVBVM60(?,?,?,00000000), ref: 004065D6
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065E1
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(00000000), ref: 004065E4
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 004065EF
Part of subcall function 004066E0: #581.MSVBVM60(00000000), ref: 004065F2
Part of subcall function 004066E0: __vbaFpI4.MSVBVM60 ref: 004065F8
Part of subcall function 004066E0: #537.MSVBVM60(00000000), ref: 004065FF
Part of subcall function 004066E0: __vbaStrMove.MSVBVM60 ref: 00406606
Part of subcall function 004066E0: __vbaFreeStrList.MSVBVM60(00000005,?,?,?,?,?), ref: 0040661E
Part of subcall function 004066E0: __vbaFreeVar.MSVBVM60 ref: 0040662A
Part of subcall function 004066E0: __vbaStrCat.MSVBVM60(?,?), ref: 00406638

__vbaStrMove.MSVBVM60(CFB724), ref: 00406C77
__vbaStrMove.MSVBVM60(wRF), ref: 00406C87

Part of subcall function 00405DC0: __vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
Part of subcall function 00405DC0: __vbaStrCopy.MSVBVM60 ref: 00405E17
Part of subcall function 00405DC0: __vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
Part of subcall function 00405DC0: __vbaOnError.MSVBVM60(000000FF), ref: 00405E37
Part of subcall function 00405DC0: #717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
Part of subcall function 00405DC0: __vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
Part of subcall function 00405DC0: __vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
Part of subcall function 00405DC0: __vbaFreeVar.MSVBVM60 ref: 00405E94
Part of subcall function 00405DC0: __vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04

__vbaStrMove.MSVBVM60(00000000), ref: 00406C94
__vbaStrMove.MSVBVM60(QJFQ), ref: 00406CA4

Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B18
Part of subcall function 00405A90: __vbaStrCopy.MSVBVM60 ref: 00405B20
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B2C
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B4F
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B5F
Part of subcall function 00405A90: __vbaLenBstr.MSVBVM60(?), ref: 00405B76
Part of subcall function 00405A90: #681.MSVBVM60(?,?,00000003,00000003), ref: 00405BAB
Part of subcall function 00405A90: __vbaI4Var.MSVBVM60(?,?), ref: 00405BED

__vbaStrMove.MSVBVM60(00000000), ref: 00406CB1

Part of subcall function 004066E0: __vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
Part of subcall function 004066E0: __vbaLenBstr.MSVBVM60(?), ref: 0040673C
Part of subcall function 004066E0: #632.MSVBVM60(?,?,?,?), ref: 004067A0
Part of subcall function 004066E0: __vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
Part of subcall function 004066E0: #516.MSVBVM60(00000000), ref: 004067B5

__vbaStrMove.MSVBVM60(00000000), ref: 00406CBE
__vbaNew2.MSVBVM60(00403518,00409584), ref: 00406CD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403508,00000038,?,?,?,?,?), ref: 00406D3E
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D4C
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?), ref: 00406D5A
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?,?,?,?,?,?), ref: 00406D7A
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?), ref: 00406D8A
__vbaAryCopy.MSVBVM60(?,?), ref: 00406D9B
__vbaFreeStr.MSVBVM60(00406E14), ref: 00406E01
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406E0D

Strings

QJFQ, xrefs: 00406C99
CFB724, xrefs: 00406C3E
wRF, xrefs: 00406C7C

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Copy$BstrFree$#537List$Var2$#516#581#631#632#681#717CheckChkstkConstruct2DestructErrorHresultInitNew2
String ID: CFB724$QJFQ$wRF
API String ID: 916492069-169090389
Opcode ID: 644c323d8087a445c575ec87d5d103c560cf325dc4108926bfc6b715c5bce791
Instruction ID: 5e8495b79b113b5c2d9223d720655d8d2097712990354c8e0691a1ce84517e07
Opcode Fuzzy Hash: 644c323d8087a445c575ec87d5d103c560cf325dc4108926bfc6b715c5bce791
Instruction Fuzzy Hash: ED5117B1D10218ABCB04EFE5D985ADEBBB8FF48700F10812AF506B7294DB746A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004015EC, Relevance: 1.6, APIs: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 40%

			_entry_(signed int __eax, intOrPtr* __ebx, signed char __ecx, void* __edi, signed int __esi, char _a1, intOrPtr _a42, intOrPtr _a50, intOrPtr _a54, signed int _a58, intOrPtr _a64, signed int _a70, signed int _a101, signed int _a120) {
				char _v1;
				intOrPtr _v79;
				intOrPtr _v770282720;
				signed char _t305;
				signed char _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				intOrPtr* _t309;
				intOrPtr* _t310;
				signed int _t322;
				signed char _t323;
				signed char _t324;
				signed char _t325;
				intOrPtr* _t327;
				signed int _t328;
				signed int _t329;
				signed int _t330;
				intOrPtr* _t333;
				intOrPtr* _t334;
				intOrPtr* _t336;
				intOrPtr* _t337;
				intOrPtr* _t338;
				intOrPtr* _t339;
				intOrPtr* _t340;
				intOrPtr* _t341;
				intOrPtr* _t343;
				signed char _t345;
				signed char _t346;
				void* _t347;
				void* _t348;
				intOrPtr* _t351;
				void* _t352;
				intOrPtr* _t354;
				intOrPtr* _t355;
				intOrPtr* _t356;
				signed int _t359;
				signed int _t360;
				signed int _t362;
				signed int _t366;
				void* _t368;
				signed int _t369;
				signed int _t373;
				signed char _t375;
				intOrPtr* _t377;
				intOrPtr* _t382;
				signed char _t383;
				signed int _t384;
				signed char _t386;
				signed char _t387;
				signed int _t395;
				signed int _t402;
				intOrPtr* _t403;
				signed char* _t404;
				signed int _t407;
				char* _t409;
				signed int _t410;
				signed int _t416;
				void* _t422;
				void* _t424;
				intOrPtr _t425;
				intOrPtr* _t431;
				intOrPtr _t443;
				signed char _t445;
				void* _t447;
				intOrPtr _t449;
				void* _t452;
				intOrPtr _t454;
				void* _t456;
				void* _t461;
				intOrPtr _t466;
				intOrPtr _t467;
				void* _t468;
				void* _t473;
				void* _t488;
				intOrPtr _t497;
				void* _t515;
				void* _t518;
				void* _t519;
				void* _t526;
				void* _t530;

				_t406 = __esi;
				_t386 = __ecx;
				_t379 = __ebx;
				L004015E4(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t305 = __eax + 1;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *((intOrPtr*)(__ebx + 0x1fde625a)) =  *((intOrPtr*)(__ebx + 0x1fde625a)) + _t305;
				_t395 = 0x401cb0;
				asm("invalid");
				_pop(ds);
				asm("cmpsd");
				_push(es);
				_t402 = __edi + 1;
				asm("lahf");
				gs =  *((intOrPtr*)(_t305 + 0x32));
				asm("lahf");
				asm("adc ebx, [edi]");
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *__ecx =  *__ecx + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				_t4 = _t305 + 0x46;
				 *_t4 =  *((intOrPtr*)(_t305 + 0x46)) + __ebx;
				if( *_t4 == 0) {
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					_t379 = __ebx + __ebx;
					asm("int3");
					 *_t305 =  *_t305 ^ _t305;
					 *((intOrPtr*)(__esi + _t402 * 2)) =  *((intOrPtr*)(__esi + _t402 * 2)) + _t305;
					asm("repne lds ecx, [esi+0x55]");
					_v770282720 = cs;
					asm("das");
					_t406 = __esi + 1;
					 *0x00000061 =  *0x00000061 & 0x000000d4;
					_t305 = 0x44 + _v79;
					asm("sbb dl, [edx]");
					asm("out dx, al");
					asm("int3");
					0x33ad(0x6b);
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
					 *_t305 =  *_t305 + 0x44;
				}
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *(_t305 + _t305) = _t305;
				 *((intOrPtr*)(_t379 + 4)) =  *((intOrPtr*)(_t379 + 4)) + _t305;
				asm("verw word [ebx+ebp*2+0x41]");
				_t409 =  &_a1;
				_t403 = _t402 + 1;
				_t431 = _t403;
				if(_t431 >= 0) {
					L8:
					_t305 = _t305 +  *_t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + _t305;
					 *((intOrPtr*)(_t305 + 0x800000)) =  *((intOrPtr*)(_t305 + 0x800000)) + _t305;
					 *_t305 =  *_t305 + _t305;
					 *((char*)(_t305 + 0x8000)) =  *((char*)(_t305 + 0x8000));
					L9:
					 *_t305 =  *_t305;
				} else {
					asm("outsb");
					_push(_t305);
					if(_t431 >= 0) {
						_push(_t416);
						if(_t431 <= 0) {
							 *0x42000119 =  *0x42000119 + _t386;
							 *_t395 =  *_t395 + _t305;
							 *_t379 =  *_t379 + _t416;
							 *((intOrPtr*)(_t416 + _t406 * 2)) =  *((intOrPtr*)(_t416 + _t406 * 2)) + _t386;
							 *_t406 =  *_t406 + _t395;
							_t375 = _t305;
							 *_t375 =  *_t375 + _t375;
							 *_t386 =  *_t386 + _t375;
							 *_t395 =  *_t395 + _t375;
							 *_t375 =  *_t375 + _t375;
							 *_t375 =  *_t375 & _t395;
							 *_t375 =  *_t375 + _t375;
							 *_t375 =  *_t375 + _t375;
							_t377 = _t375 + _t386 +  *((intOrPtr*)(_t375 + _t386));
							 *_t406 =  *_t406 + _t377;
							 *_t377 =  *_t377 + _t377;
							 *_t377 =  *_t377 + _t395;
							asm("adc [eax], dl");
							 *_t377 =  *_t377 + _t377;
							 *_t377 =  *_t377 + _t377;
							 *_t377 =  *_t377 + _t386;
							 *_t377 =  *_t377 + _t377;
							 *_t406 =  *_t406 + _t386;
							_t305 = _t377 +  *_t377;
							 *_t305 =  *_t305 + _t386;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
						}
						 *_t305 =  *_t305 + _t305;
						_t305 = _t305 + 1;
						 *_t305 =  *_t305 + _t305;
						 *_t386 =  *_t386 + _t305;
						 *(_t305 + _t305) =  *(_t305 + _t305) + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t395 =  *_t395;
						goto L8;
					}
				}
				 *((intOrPtr*)(_t305 - 0x7fff8000)) =  *((intOrPtr*)(_t305 - 0x7fff8000)) + _t305;
				 *_t305 =  *_t305;
				 *((char*)(_t305 - 0x3f3fff80)) =  *((char*)(_t305 - 0x3f3fff80)) + 0xc0;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + _t305;
				 *_t305 =  *_t305 + 1;
				 *_t305 =  *_t305 + _t305;
				asm("invalid");
				_t379 = _t379 + _t379 + _t379 + _t379;
				while(1) {
					L11:
					 *_t305 =  *_t305 + 1;
					 *_t305 =  *_t305 + _t305;
					 *_t305 =  *_t305 + 1;
					 *_t305 =  *_t305 + 1;
					asm("invalid");
					 *_t305 =  *_t305 + _t305;
					asm("invalid");
					while(1) {
						asm("invalid");
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						if( *_t305 > 0) {
							break;
						}
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						_t31 = _t403 - 0x79;
						 *_t31 =  *((intOrPtr*)(_t403 - 0x79)) + _t395;
						if( *_t31 > 0) {
							L22:
							if (_t445 > 0) goto L23;
							 *_t306 =  *_t306 + _t306;
							 *_t306 =  *_t306 + _t306;
							_pop(es);
							 *_t306 = _t409;
							_t53 = _t403 + 0x77;
							_t54 = _t406;
							_t406 =  *_t53;
							 *_t53 = _t54;
							if ( *((char*)(_t306 - 0x7e)) - 0x28 > 0) goto L24;
							 *_t306 =  *_t306 + _t306;
							 *_t306 =  *_t306 + _t306;
							_t447 =  *_t306;
							if(_t447 < 0) {
								 *(_t306 + 0x77778788) = _t387;
								if(_t452 > 0) {
									if (_t468 > 0) goto L99;
									if(_t468 > 0) {
										 *_t306 =  *_t306 + _t306;
										goto L100;
									} else {
										if(_t468 < 0) {
											L100:
											 *((intOrPtr*)(_t403 + 0x7f)) =  *((intOrPtr*)(_t403 + 0x7f)) + _t395;
											_push( *((intOrPtr*)(_t306 + 0x7f)));
											_t373 = _t306 /  *_t306;
											 *_t373 =  *_t373 + _t373;
											 *_t373 =  *_t373 + _t373;
											L101:
											 *_t373 =  *_t373 + _t373;
											 *_t373 =  *_t373 + _t373;
											 *_t373 =  *_t373 + _t373;
											 *_t403 =  *_t403 + _t373;
											if( *_t403 > 0) {
												goto L101;
											}
											_t305 = _t373 /  *_t373;
											_t395 = _t373 %  *_t373;
											L104:
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											if( *_t305 <= 0) {
												 *_t305 =  *_t305 + _t305;
												 *_t305 =  *_t305 + _t305;
												 *_t305 =  *_t305 + _t305;
												 *_t305 =  *_t305 + _t305;
												 *_t305 =  *_t305 + _t305;
												asm("invalid");
												asm("invalid");
												asm("invalid");
												_t403 = _t403 + _t403;
												asm("invalid");
												 *((intOrPtr*)(_t403 - 1)) =  *((intOrPtr*)(_t403 - 1)) + _t379;
												asm("lock add [edi], bh");
												_t306 = _t305 + 1;
												 *_t403 =  *_t403 + _t379;
												 *_t306 =  *_t306 + 1;
												 *_t403 =  *_t403 + _t379;
												asm("cld");
												 *_t306 =  *_t306 + _t306;
												asm("aas");
												asm("clc");
												 *_t306 =  *_t306 + _t306;
												_pop(ds);
												asm("clc");
												 *_t306 =  *_t306 + _t306;
												_pop(ds);
												asm("clc");
												 *_t306 =  *_t306 + _t306;
												goto L111;
											}
										} else {
											 *(_t306 - 0xf707778) = _t386;
										}
									}
								} else {
									if (_t452 < 0) goto L42;
									 *_t306 =  *_t306 + _t306;
									 *_t306 =  *_t306 + _t306;
									_t64 = _t306 + 0x22;
									 *_t64 =  *((intOrPtr*)(_t306 + 0x22)) + _t379;
									_t454 =  *_t64;
									if(_t454 < 0) {
										L55:
										 *_t395 =  *_t395 & 0x00000028;
										_t461 =  *_t395;
										_t73 = _t403 + 0x77;
										_t74 = _t406;
										_t406 =  *_t73;
										 *_t73 = _t74;
									} else {
										_t386 = _t387 &  *(_t306 - 0x78d7dd7e);
										 *_t395 =  *_t395 & 0x00000028;
										_t456 =  *_t395;
										_t67 = _t403 + 0x77;
										_t68 = _t406;
										_t406 =  *_t67;
										 *_t67 = _t68;
										L46:
										if(_t456 > 0) {
											L77:
											goto L78;
										} else {
											if(_t456 > 0) {
												L78:
												_push( *((intOrPtr*)(_t306 + 0x77)));
											} else {
												if(_t456 < 0) {
													asm("lock add [eax], al");
													if(_t468 < 0) {
														goto L46;
													} else {
														goto L77;
													}
												} else {
													 *_t306 =  *_t306 + _t306;
													 *_t306 =  *_t306 + _t306;
													_pop(es);
													 *(_t395 + 0x22888822) = _t306;
													 *_t395 = _t306;
													 *((intOrPtr*)(_t403 + 0x77777777)) =  *((intOrPtr*)(_t403 + 0x77777777)) - _t306;
													 *_t306 =  *_t306 + _t306;
													 *_t403 =  *_t403 + _t306;
													_pop(es);
													 *_t395 = _t306;
													L54:
													_t387 = _t386 &  *(_t305 - 0x78d7dd7e);
													goto L55;
												}
											}
										}
									}
								}
							} else {
								 *(_t306 - 0x78d777d8) = _t387;
								if (_t447 > 0) goto L62;
								if(_t447 > 0) {
									 *(_t306 + 0x77ff8888) = _t387;
									goto L63;
								} else {
									if(_t447 > 0) {
										L63:
										 *(_t306 - 0x77880078) = _t387;
										asm("invalid");
										if(_t466 > 0) {
											if(_t473 < 0) {
												L111:
												 *_t403 =  *_t403 + _t379;
												asm("clc");
												 *_t306 =  *_t306 + _t306;
												_pop(ds);
												asm("lock add [eax], al");
												goto L112;
											} else {
												if(_t473 > 0) {
													L112:
													 *_t403 =  *_t403 + _t387;
													asm("lock add [eax], al");
													asm("invalid");
													 *_t306 =  *_t306 + _t306;
													 *_t403 =  *_t403 + _t387;
													asm("lock add [eax], al");
													asm("pavgb mm0, [eax]");
													 *_t403 =  *_t403 + _t306;
													asm("loopne 0x2");
													 *_t403 =  *_t403 + _t306;
													asm("loopne 0x2");
													 *_t403 =  *_t403 + _t306;
													asm("loopne 0x2");
													 *_t403 =  *_t403 + _t306;
													asm("rol byte [eax], 0x0");
													_t307 = _t306 + _t306;
													 *_t307 =  *_t307 + _t307;
													_t308 = _t307 + _t307;
													 *_t308 =  *_t308 + _t308;
													_t309 = _t308 + _t308;
													 *_t309 =  *_t309 + _t309;
													_t305 = _t309 +  *((intOrPtr*)(_t309 - 0x7ff90000));
													 *_t305 =  *_t305 + _t305;
													_pop(ds);
													 *_t305 =  *_t305;
													_t488 =  *_t305;
												} else {
													 *(_t403 + 0x70f7) = _t386;
												}
											}
										} else {
											if (_t466 < 0) goto L65;
											_t89 = _t306 - 0x78;
											 *_t89 =  *((intOrPtr*)(_t306 - 0x78)) + _t379;
											_t467 =  *_t89;
										}
									} else {
										if(_t447 < 0) {
											 *_t306 =  *_t306 + _t306;
											 *_t306 =  *_t306 + _t306;
											_t85 = _t306 - 0x78;
											 *_t85 =  *((intOrPtr*)(_t306 - 0x78)) + _t379;
											_t466 =  *_t85;
										} else {
											 *_t306 =  *_t306 + _t306;
											 *_t306 =  *_t306 + _t306;
											_t56 = _t306 + 0x22;
											 *_t56 =  *((intOrPtr*)(_t306 + 0x22)) + _t379;
											_t449 =  *_t56;
										}
									}
								}
							}
						} else {
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							_t33 = _t403 - 0x78;
							 *_t33 =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
							_t35 = _t403 + 0x77;
							_t36 = _t406;
							_t406 =  *_t35;
							 *_t35 = _t36;
							if ( *_t33 < 0) goto L15;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							if( *_t305 > 0) {
								goto L9;
							} else {
								 *(_t403 + 0x707777) = _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *((intOrPtr*)(_t403 - 0x78)) =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
								 *(_t305 + 0x70777787) = _t386;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								_t41 = _t403 - 0x78;
								 *_t41 =  *((intOrPtr*)(_t403 - 0x78)) + _t395;
								if( *_t41 < 0) {
									goto L11;
								} else {
									 *(_t403 + 0x707777) = _t305;
									 *_t305 =  *_t305 + _t305;
									 *_t305 =  *_t305 + _t305;
									_pop(es);
									if( *_t305 > 0) {
										continue;
									} else {
										_t44 = _t409;
										_t409 =  *_t305;
										 *_t305 = _t44;
										 *(_t305 + 0x77777787) = _t386;
										 *_t305 =  *_t305 + _t305;
										 *_t305 =  *_t305 + _t305;
										 *_t403 =  *_t403 + _t305;
										_t443 =  *_t403;
										 *(_t305 - 0x77dddd8e) = _t386;
										_t47 = _t403 + 0x77;
										_t48 = _t406;
										_t406 =  *_t47;
										 *_t47 = _t48;
										break;
									}
								}
							}
						}
						L114:
						if(_t488 > 0) {
							goto L104;
						}
						 *_t387 =  *_t387 + _t305;
						 *((intOrPtr*)(_t305 - 0x3f00f900)) =  *((intOrPtr*)(_t305 - 0x3f00f900)) + 1;
						 *_t403 =  *_t403 + _t379;
						_push(_t305);
						 *((intOrPtr*)(_t403 - 1)) =  *((intOrPtr*)(_t403 - 1)) + _t379;
						 *_t387 =  *_t387 + 1;
						asm("invalid");
						_t404 = _t403 + 1;
						asm("invalid");
						 *_t305 =  *_t305 - _t305;
						 *_t305 =  *_t305 + _t305;
						asm("adc [eax], al");
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 & _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						while(1) {
							L116:
							 *(_t305 + _t305) =  *(_t305 + _t305) + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							asm("rol byte [eax], 0x0");
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + _t305;
							 *((intOrPtr*)(_t305 + 0x800000)) =  *((intOrPtr*)(_t305 + 0x800000)) + _t305;
							 *_t305 =  *_t305 + _t305;
							 *((char*)(_t305 + 0x8000)) =  *((char*)(_t305 + 0x8000));
							 *_t305 =  *_t305 + 0x80;
							 *((intOrPtr*)(_t305 - 0x7fffff80)) =  *((intOrPtr*)(_t305 - 0x7fffff80)) + _t305;
							 *((char*)(_t305 - 0x3f3f4000)) =  *((char*)(_t305 - 0x3f3f4000));
							 *_t305 =  *_t305 + _t305;
							 *_t305 =  *_t305 + 1;
							 *_t305 =  *_t305 + _t305;
							_t379 = _t379 + _t379 + _t379 + _t379;
							 *_t305 =  *_t305 + 1;
							 *_t305 =  *_t305 + 1;
							 *_t305 =  *_t305 + _t305;
							while(1) {
								 *_t305 =  *_t305 + 1;
								 *_t305 =  *_t305 + 1;
								asm("invalid");
								 *_t305 =  *_t305 + _t305;
								asm("invalid");
								 *_t305 =  *_t305 + 1;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *_t404 = _t395;
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *(_t305 + 0x77) = _t387;
								 *((intOrPtr*)(_t305 + 0x778828)) =  *((intOrPtr*)(_t305 + 0x778828)) + _t387;
								 *_t305 =  *_t305 + _t305;
								if( *_t305 < 0) {
									goto L116;
								}
								_t387 = _t387 &  *_t305;
								if(_t387 > 0) {
									L131:
									 *((intOrPtr*)(_t305 - 0x7ffffffd)) =  *((intOrPtr*)(_t305 - 0x7ffffffd)) + _t305;
									_t305 = _t305 +  *_t305;
									goto L132;
								} else {
									 *_t305 =  *_t305 + _t305;
									if( *_t305 < 0) {
										L123:
										_t167 = _t404 - 9;
										 *_t167 =  *((intOrPtr*)(_t404 - 9)) + _t379;
										_t497 =  *_t167;
										if(_t497 < 0) {
											goto L134;
										} else {
											if (_t497 > 0) goto L125;
											if (_t497 > 0) goto L126;
											goto L126;
											while(_t497 >= 0) {
												_push( *_t404);
												 *_t305 =  *_t305 + _t305;
												if( *_t305 > 0) {
													continue;
												} else {
													_push( *_t404);
													 *_t305 =  *_t305 + _t305;
													 *_t305 =  *_t305 + _t305;
													if( *_t305 <= 0) {
														 *_t305 =  *_t305 + _t305;
														 *_t305 =  *_t305 + _t305;
														 *_t404 =  *_t404 - 1;
														 *_t305 =  *_t305 + _t305;
														asm("cld");
														_pop(es);
														 *_t305 =  *_t305 + _t305;
														asm("lock pop es");
														 *_t305 =  *_t305 + _t305;
														asm("rol byte [edi], 0x0");
														_t305 =  &(( &(( &((_t305 + _t305)[ *(_t305 + _t305)]))[ &((_t305 + _t305)[ *(_t305 + _t305)])]))[( &((_t305 + _t305)[ *(_t305 + _t305)]))[ &((_t305 + _t305)[ *(_t305 + _t305)])]]);
														goto L131;
													}
												}
												goto L136;
											}
											continue;
											L126:
											_push( *((intOrPtr*)(_t305 - 0x78)));
										}
									} else {
										 *_t305 =  *_t305 - _t387;
										if( *_t305 > 0) {
											L132:
											 *((intOrPtr*)(_t305 - 0x7fffffff)) =  *((intOrPtr*)(_t305 - 0x7fffffff)) + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											_t310 = _t305 +  *_t305;
											 *_t310 =  *_t310 + _t310;
											asm("sldt word [eax]");
											 *_t404 =  *_t404 >> 0;
											_t305 = _t310 + _t395;
											 *_t305 =  *_t305 + 1;
											 *((intOrPtr*)(_t305 + 0x726f4600)) =  *((intOrPtr*)(_t305 + 0x726f4600)) + _t305;
											asm("insd");
											 *_t305 =  *_t305 ^ _t305;
											 *[es:edi] =  *[es:edi] + _t305;
											 *0x2d =  *0x2d + _t395;
											_t379 = 1;
											 *_t305 =  *_t305 + _t305;
											if( *_t305 >= 0) {
												 *_t305 =  *_t305 + _t305;
												_push(0x46000001);
												L134:
												 *_t305 =  *_t305 + _t305;
												_t406 = _t406 + 1;
												_t379 = _t379 + _t379;
											}
											 *(_t305 + _t305) =  *(_t305 + _t305) + 1;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											 *_t305 =  *_t305 + _t305;
											_t305 = _t305 & 0x00000040;
											 *_t305 =  *_t305 + _t305;
											asm("invalid");
										} else {
											 *_t404 =  *_t404 + _t305;
											 *_t305 = _t387;
											 *(_t305 + 0x7007077) = _t387;
											 *_t395 =  *_t395 & 0x00000082;
											_t404[0x70] = _t404[0x70] - _t395;
											 *_t404 =  *_t404 + _t305;
											 *_t305 = _t387;
											 *_t305 =  *_t305 - 0x77;
											if ( *_t305 > 0) goto L122;
											_pop(es);
											 *(_t395 + 0x77f7ff2f) = _t305;
											 *((intOrPtr*)(_t305 - 0x78)) =  *((intOrPtr*)(_t305 - 0x78)) + _t379;
											asm("invalid");
											goto L123;
										}
									}
								}
								L136:
								asm("invalid");
								asm("invalid");
								asm("invalid");
								 *_t305 =  *_t305 + _t305;
								 *_t305 =  *_t305 + _t305;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + _t379;
								asm("adc al, 0x81");
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x8004025 =  *0x8004025 + 0x8004026;
								 *0x08004040 =  *((intOrPtr*)(0x8004040)) + _t379;
								 *0x8004025 =  *0x8004025 + _t395;
								 *0x8004025 =  *0x8004025 + 0x8004027;
								asm("repne lds ecx, [esi+0x55]");
								_v770282720 = cs;
								asm("das");
								_t407 = _t406 + 1;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x8004025;
								 *0x8004025 =  *0x8004025 + 0x44;
								asm("adc [eax], al");
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								asm("loope 0x6");
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x1000804A =  *((intOrPtr*)(0x1000804a)) + _t387;
								 *_t387 =  *_t387 + 0x44;
								 *_t395 =  *_t395 + 0x44;
								_a64 = _a64 + 0x45;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								_t382 = _t379 + _t379;
								asm("invalid");
								asm("invalid");
								asm("invalid");
								 *0x8004025 =  *0x8004025 + 1;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + _t382;
								 *((intOrPtr*)(0x8004025 + _t395 * 4)) =  *((intOrPtr*)(0x8004025 + _t395 * 4)) + _t387;
								 *((intOrPtr*)(0x1000804a)) =  *((intOrPtr*)(0x1000804a)) + _t387;
								 *0x8004025 =  *0x8004025 + 0x44;
								asm("in al, 0x1b");
								 *_t387 =  *_t387 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x48;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *((intOrPtr*)(_t387 + _t407 * 8 - 0x4b)) =  *((intOrPtr*)(_t387 + _t407 * 8 - 0x4b)) + _t387;
								asm("sbb eax, [eax]");
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								 *_t404 =  *_t404 + _t387;
								asm("bound eax, [eax]");
								asm("o16 add [ebp], dh");
								if ( *_t404 >= 0) goto L137;
								asm("arpl [eax], ax");
								asm("popad");
								 *0x100080AF =  *((intOrPtr*)(0x100080af)) + _t395;
								 *0x1000806A =  *((intOrPtr*)(0x1000806a)) + 0x8c;
								 *_t407 =  *_t407 + _t387;
								if ( *_t407 != 0) goto L138;
								asm("insd");
								 *_t395 =  *_t395 + 0x8c;
								 *[gs:ecx] =  *[gs:ecx] + 0x44;
								 *((intOrPtr*)(0x1000804a)) =  *((intOrPtr*)(0x1000804a)) + 0x44;
								_t321 = 0;
								 *0x8004025 =  *0x8004025 + 0x44;
								asm("invalid");
								asm("invalid");
								asm("invalid");
								asm("invalid");
								 *0x8004025 =  *0x8004025 + 0x44;
								 *0x8004025 =  *0x8004025 + 0x44;
								if( *0x8004025 >= 0) {
									_t321 = 1;
									 *((intOrPtr*)(0x8004025 + 0x40 + _t395 * 4)) =  *((intOrPtr*)(0x8004025 + 0x40 + _t395 * 4)) + _t387;
									 *_t387 =  *_t387 + _t382;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *((intOrPtr*)(_t416 + _t382 + 0x40)) =  *((intOrPtr*)(_t416 + _t382 + 0x40)) + _t387;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *((intOrPtr*)(_t416 + _t382 + 0x40)) =  *((intOrPtr*)(_t416 + _t382 + 0x40)) + _t387;
									 *_t404 =  *_t404 + _t387;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *0x8004025 =  *0x8004025 + _t395;
									 *0x8004025 =  *0x8004025 + 0x44;
									 *_t387 =  *_t387 + _t395;
								}
								asm("adc [eax], eax");
								 *_t321 =  *_t321 + _t321;
								asm("adc al, [eax]");
								 *_t321 =  *_t321 + _t321;
								asm("adc eax, [eax]");
								 *_t321 =  *_t321 + _t321;
								asm("adc al, 0x0");
								 *_t321 =  *_t321 + _t321;
								asm("adc eax, 0x16000000");
								 *_t321 =  *_t321 + _t321;
								 *_t404 =  *_t404 + _t395;
								 *_t321 =  *_t321 + _t321;
								 *_t321 =  *_t321 + _t382;
								 *_t321 =  *_t321 + _t321;
								 *_t387 =  *_t387 + _t382;
								 *_t321 =  *_t321 + _t321;
								 *_t395 =  *_t395 + _t382;
								 *_t321 =  *_t321 + _t321;
								 *_t382 =  *_t382 + _t382;
								 *_t321 =  *_t321 + _t321;
								 *((intOrPtr*)(_t321 + _t321)) =  *((intOrPtr*)(_t321 + _t321)) + _t382;
								 *_t321 =  *_t321 + _t321;
								asm("sbb eax, 0x1e000000");
								 *_t321 =  *_t321 + _t321;
								 *_t404 =  *_t404 + _t382;
								 *_t321 =  *_t321 + _t321;
								 *_t321 =  *_t321 + _t321;
								 *_t321 =  *_t321 + _t321;
								 *_t387 =  *_t387 + _t321;
								 *_t321 =  *_t321 + _t321;
								 *_t395 =  *_t395 + _t321;
								 *_t321 =  *_t321 + _t321;
								 *_t382 =  *_t382 + _t321;
								 *_t321 =  *_t321 + _t321;
								 *((intOrPtr*)(_t321 + _t321)) =  *((intOrPtr*)(_t321 + _t321)) + _t321;
								 *_t321 =  *_t321 + _t321;
								_t322 = _t321 & 0x26000000;
								 *_t322 =  *_t322 + _t322;
								 *_t404 =  *_t404 + _t322;
								 *_t322 =  *_t322 + _t322;
								 *((intOrPtr*)(_t407 + 0x42)) =  *((intOrPtr*)(_t407 + 0x42)) + _t395;
								_t323 = _t322 ^ 0x2a1ff021;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t407 =  *_t407 + _t382;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								 *_t323 =  *_t323 + _t323;
								_t324 = _t323 |  *_t323;
								 *(_t324 + _t324) =  *(_t324 + _t324) | _t324;
								 *_t324 =  *_t324 + _t324;
								 *_t324 =  *_t324 + _t324;
								 *_t324 =  *_t324 + _t324;
								 *_t324 =  *_t324 + _t324;
								 *_t324 =  *_t324 + _t324;
								 *_t324 =  *_t324 & _t324;
								_t325 = _t324 + _t395;
								 *_t325 =  *_t325 ^ _t325;
								_t383 = _t382 + _t382;
								asm("invalid");
								 *_t325 =  *_t325 | _t325;
								 *_t325 =  *_t325 + _t325;
								 *_t325 =  *_t325 + _t325;
								 *_t325 =  *_t325 + _t325;
								 *_t325 =  *_t325 + _t325;
								 *_t325 =  *_t325 + _t325;
								goto 0x58401cfd;
								asm("sbb eax, [eax]");
								 *_t383 =  *_t383 & _t383;
								_t327 = _t325 + 1 + _t383;
								asm("adc eax, 0x780040");
								 *_t327 =  *_t327 + _t327;
								 *_t327 =  *_t327 + _t327;
								_t328 =  *0xa1000000;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *_t328 =  *_t328 + _t328;
								 *((intOrPtr*)(_t395 + 0x75)) =  *((intOrPtr*)(_t395 + 0x75)) + _t395;
								asm("outsb");
								_t410 =  &_a1;
								if(_t410 < 0) {
									L146:
									 *((intOrPtr*)(_t328 + _t328 + 0x73)) =  *((intOrPtr*)(_t328 + _t328 + 0x73)) + _t383;
									 *_t410 =  *_t410 + _t328;
									 *[gs:ecx] =  *[gs:ecx] + _t383;
									goto L148;
								} else {
									_t410 =  &_v1;
									asm("gs insd");
									asm("outsd");
									if(_t410 < 0) {
										L153:
										 *((intOrPtr*)(_t328 + _t328 + 0x61)) =  *((intOrPtr*)(_t328 + _t328 + 0x61)) + _t395;
										asm("popad");
										 *((intOrPtr*)(_t328 + _t328 + 0x4c)) =  *((intOrPtr*)(_t328 + _t328 + 0x4c)) + _t383;
										 *_t404 =  *_t404 + _t387;
										goto L155;
									} else {
										 *((intOrPtr*)(_t395 + 0x75)) =  *((intOrPtr*)(_t395 + 0x75)) + _t395;
										asm("outsb");
										_a120 = _a120 & _t328;
										asm("arpl [gs:ebp+0x74], si");
										asm("popad");
										asm("bound ebp, [ebp+0x20]");
										asm("o16 jb 0x72");
										asm("insd");
										_t237 =  &_a101;
										 *_t237 = _a101 & _t387;
										asm("insd");
										asm("outsd");
										if( *_t237 >= 0) {
											 *_t328 =  *_t328 + _t328;
											_t515 =  *_t328;
											if(_t515 < 0) {
												L148:
												 *_t387 =  *_t387 + _t383;
												_t518 =  *_t387;
												if (_t518 < 0) goto L150;
												 *[gs:eax+eax+0x5c] =  *[gs:eax+eax+0x5c] + _t395;
												 *_t387 =  *_t387 + _t328;
												_t519 =  *_t387;
												if (_t519 < 0) goto L151;
												if (_t519 < 0) goto L152;
												 *_t387 =  *_t387 + _t328;
												goto L153;
											} else {
												if(_t515 == 0) {
													_push(0x6b);
													_t410 =  *_t407 * 0x10000;
													_t366 = _t328 +  *_t328 & 0x00000040;
													 *_t366 =  *_t366 + _t366;
													asm("invalid");
													asm("invalid");
													asm("invalid");
													asm("invalid");
													 *_t366 =  *_t366 + _t366;
													 *_t366 =  *_t366 + _t366;
													_t368 = _t366 - 1 + 1;
													 *((intOrPtr*)(_t368 + _t395 * 4)) =  *((intOrPtr*)(_t368 + _t395 * 4)) + _t383;
													_t369 = _t368 + 1;
													 *_t383 =  *_t383 + _t395;
													 *_t369 =  *_t369 + _t369;
													 *((intOrPtr*)(_t410 + _t383 + 0x40)) =  *((intOrPtr*)(_t410 + _t383 + 0x40)) + _t395;
													 *_t369 =  *_t369 + _t369;
													 *_t369 =  *_t369 + _t369;
													 *_t369 =  *_t369 + _t369;
													 *_t369 =  *_t369 + _t369;
													 *_t369 =  *_t369 + _t369;
													_t328 = _t416;
													_t416 = _t369;
													asm("sbb eax, 0x5c0040");
													goto L146;
												}
											}
											L155:
											asm("outsd");
											 *_t383 =  *_t383 + _t328;
											asm("popad");
											 *((intOrPtr*)(_t328 + _t328 + 0x5c)) =  *((intOrPtr*)(_t328 + _t328 + 0x5c)) + _t387;
											 *_t410 =  *_t410 + _t387;
											_t328 =  *_t328 * 0x720063;
										}
									}
								}
								asm("outsd");
								 *_t383 =  *_t383 + _t395;
								asm("outsd");
								 *_t407 =  *_t407 + _t328;
								if ( *_t407 == 0) goto L157;
								 *_t404 =  *_t404 + _t395;
								_t329 =  *_t328 * 0x64006e;
								asm("outsd");
								 *_t404 =  *_t404 + _t395;
								if ( *_t404 >= 0) goto L158;
								 *_t410 =  *_t410 + _t329;
								_t526 =  *_t410;
								if (_t526 < 0) goto L159;
								if (_t526 < 0) goto L160;
								asm("insb");
								 *_t404 =  *_t404 + _t387;
								if ( *_t404 < 0) goto L161;
								 *[gs:edx] =  *[gs:edx] + _t395;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								 *_t329 =  *_t329 + _t329;
								_t330 = _t329 & 0x00000040;
								 *_t330 =  *_t330 + _t330;
								_t384 = _t383 + _t383;
								asm("invalid");
								 *_t330 =  *_t330 + 1;
								 *_t330 =  *_t330 + _t330;
								_t333 = (_t330 + _t387 & 0x90180040) + 1;
								 *((intOrPtr*)(_t333 + _t333)) =  *((intOrPtr*)(_t333 + _t333)) + _t387;
								 *_t333 =  *_t333 + _t333;
								asm("fcomp dword [esi]");
								_t334 = _t333 + 1;
								 *_t334 =  *_t334 + _t334;
								 *_t334 =  *_t334 + _t334;
								 *_t334 =  *_t334 + _t334;
								 *_t334 =  *_t334 + _t334;
								 *_t334 =  *_t334 + _t334;
								 *_t334 =  *_t334 + _t334;
								_t336 = _t334 + _t384 + 1;
								 *_t387 =  *_t387 + _t336;
								 *_t336 =  *_t336 + _t336;
								 *((intOrPtr*)(_t336 + _t407)) =  *((intOrPtr*)(_t336 + _t407)) + _t384;
								_t337 = _t336 + 1;
								 *_t337 =  *_t337 + _t337;
								 *_t337 =  *_t337 + _t337;
								 *_t337 =  *_t337 + _t387;
								ds = ds;
								_t338 = _t337 + 1;
								 *_t387 =  *_t387 + _t338;
								 *_t338 =  *_t338 + _t338;
								 *_t338 =  *_t338 + _t395;
								_pop(ds);
								_t339 = _t338 + 1;
								 *_t339 =  *_t339 + _t339;
								 *_t339 =  *_t339 + _t339;
								_t404[_t384] = _t404[_t384] + _t387;
								_t340 = _t339 + 1;
								 *_t387 =  *_t387 + _t340;
								 *_t340 =  *_t340 + _t340;
								 *_t340 =  *_t340 + _t395;
								_pop(ds);
								_t341 = _t340 + 1;
								 *_t384 =  *_t384 + _t341;
								_t404[0x6c006801] = _t404[0x6c006801] + _t395;
								 *_t341 =  *_t341 + _t384;
								_pop(ds);
								 *((intOrPtr*)(_t387 + _t384 * 4)) =  *((intOrPtr*)(_t387 + _t384 * 4)) + _t384;
								_t343 = _t341 + 2;
								 *_t343 =  *_t343 + _t343;
								 *_t343 =  *_t343 + _t343;
								_t345 = _t343 + _t387 &  *(_t410 + _t343 + _t387 + 0x57);
								 *_t387 =  *_t387 + _t387;
								asm("outsb");
								 *((intOrPtr*)(_t345 + _t345 + 0x6f)) =  *((intOrPtr*)(_t345 + _t345 + 0x6f)) + _t345;
								 *_t404 =  *_t404 + _t395;
								if ( *_t404 >= 0) goto L162;
								 *_t410 =  *_t410 + _t345;
								_t530 =  *_t410;
								if (_t530 < 0) goto L163;
								if (_t530 < 0) goto L164;
								asm("insb");
								 *_t404 =  *_t404 + _t387;
								if ( *_t404 < 0) goto L165;
								 *[gs:edx] =  *[gs:edx] + _t395;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 + _t345;
								 *_t345 =  *_t345 ^ _t345;
								_pop(_t422);
								 *_t345 =  *_t345 ^ _t345;
								_t346 = _t345 + 1;
								 *_t404 =  *_t404 + _t384;
								 *((intOrPtr*)(_t346 + _t346)) =  *((intOrPtr*)(_t346 + _t346)) + _t395;
								 *_t346 =  *_t346 + _t346;
								asm("insb");
								 *_t346 =  *_t346 ^ _t346;
								asm("invalid");
								asm("invalid");
								 *_t346 =  *_t346 + _t346;
								 *_t346 =  *_t346 + _t346;
								 *_t346 =  *_t346 + _t346;
								 *_t346 =  *_t346 + _t346;
								_pop(ds);
								_t347 = _t346 + 1;
								 *((intOrPtr*)(_t347 + 3)) =  *((intOrPtr*)(_t347 + 3)) + _t395;
								_t424 = _t422 + 2;
								_t348 = _t347 + 0x40307c;
								asm("invalid");
								asm("invalid");
								asm("loopne 0x21");
								_pop(ds);
								_pop(ds);
								_pop(ds);
								_t351 = _t348 + 3;
								 *_t351 =  *_t351 + _t351;
								 *_t351 =  *_t351 + _t351;
								 *_t351 =  *_t351 + _t395 + _t384;
								_pop(ds);
								_t352 = _t351 + 1;
								 *((intOrPtr*)(_t352 + 0x1e)) =  *((intOrPtr*)(_t352 + 0x1e)) + _t352;
								asm("adc eax, 0x15d80040");
								_t354 = _t352 + 2;
								asm("adc eax, 0x40");
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								 *_t354 =  *_t354 + _t354;
								asm("fcomp dword [edi]");
								_t355 = _t354 + 1;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								 *_t355 =  *_t355 + _t355;
								_pop(ds);
								_t356 = _t355 + 1;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *_t356 =  *_t356 + _t356;
								 *((intOrPtr*)(_t387 + _t387 + _t355 + 0x3304246c)) =  *((intOrPtr*)(_t387 + _t387 + _t355 + 0x3304246c)) + _t356;
								 *_t356 =  *_t356 + _t356;
								asm("stosd");
								 *((intOrPtr*)(_t356 - 1)) =  *((intOrPtr*)(_t356 - 1)) + _t356 - 1;
								_a70 = _a70 - 0x33;
								_t425 = _t424 - 0xc;
								 *[fs:0x0] = _t425;
								_a50 = _t425 - 0x1c;
								_a54 = 0x401398;
								_t359 = _a70;
								_a58 = _t359 & 0x00000001;
								_t360 = _t359 & 0xfffffffe;
								_a70 = _t360;
								 *((intOrPtr*)( *_t360 + 4))(_t360, _t404, _t407, _t384,  *[fs:0x0], 0x4013e6, _t410);
								E00403480();
								__imp____vbaSetSystemError();
								_a58 = 0;
								_t362 = _a70;
								 *((intOrPtr*)( *_t362 + 8))(_t362);
								 *[fs:0x0] = _a42;
								return _a58;
							}
						}
					}
					if(_t443 > 0) {
						goto L54;
					} else {
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						 *_t305 =  *_t305 + _t305;
						_pop(es);
						 *_t305 = _t386;
						_t306 = _t305 &  *_t395;
						_t387 = _t386 &  *_t306;
						_t445 = _t387;
						_t49 = _t403 + 0x77;
						_t50 = _t406;
						_t406 =  *_t49;
						 *_t49 = _t50;
						goto L22;
					}
					goto L114;
				}
			}

0x004015ec
0x004015ec
0x004015ec
0x004015f1
0x004015f6
0x004015f8
0x004015fa
0x004015fc
0x004015fe
0x00401600
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160a
0x0040160c
0x0040160d
0x0040160e
0x0040160f
0x00401610
0x00401611
0x00401614
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401627
0x0040162a
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163e
0x00401640
0x00401643
0x00401649
0x0040164f
0x00401650
0x00401653
0x00401657
0x0040165a
0x0040165c
0x0040165d
0x0040165e
0x00401665
0x00401666
0x00401668
0x0040166e
0x0040166f
0x00401675
0x00401677
0x00401679
0x0040167b
0x0040167d
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401695
0x00401698
0x0040169e
0x004016a3
0x004016a4
0x004016a4
0x004016a5
0x00401700
0x00401700
0x00401702
0x00401704
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401716
0x00401718
0x0040171e
0x00401720
0x00401723
0x00401723
0x004016a7
0x004016a7
0x004016a8
0x004016aa
0x004016ac
0x004016ad
0x004016af
0x004016b5
0x004016b7
0x004016bc
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d4
0x004016d6
0x004016d8
0x004016da
0x004016dc
0x004016de
0x004016e0
0x004016e2
0x004016e4
0x004016e6
0x004016e8
0x004016ea
0x004016ec
0x004016ee
0x004016f0
0x004016f0
0x004016f1
0x004016f3
0x004016f4
0x004016f6
0x004016f8
0x004016fb
0x004016fd
0x004016ff
0x00000000
0x004016ff
0x004016aa
0x00401726
0x0040172c
0x0040172f
0x00401736
0x0040173a
0x0040173c
0x0040173e
0x00401740
0x00401742
0x00401743
0x00401743
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401750
0x00401750
0x00401752
0x00401754
0x00401756
0x00401758
0x0040175a
0x0040175c
0x0040175e
0x00401760
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x00000000
0x00000000
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177a
0x0040177d
0x004017ef
0x004017ef
0x004017f1
0x004017f3
0x004017f5
0x004017fa
0x004017fc
0x004017fc
0x004017fc
0x004017fc
0x004017ff
0x00401801
0x00401803
0x00401803
0x00401805
0x00401829
0x0040182e
0x004018a9
0x004018aa
0x00401922
0x00000000
0x004018ab
0x004018ab
0x00401924
0x00401924
0x00401927
0x0040192a
0x0040192d
0x0040192f
0x00401930
0x00401930
0x00401931
0x00401933
0x00401935
0x00401937
0x00000000
0x00000000
0x00401939
0x00401939
0x0040193c
0x0040193c
0x0040193e
0x00401940
0x00401942
0x00401944
0x00401946
0x00401948
0x0040194a
0x0040194c
0x0040194e
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195b
0x0040195d
0x00401960
0x00401963
0x00401965
0x00401967
0x00401969
0x0040196b
0x0040196c
0x0040196e
0x0040196f
0x00401970
0x00401972
0x00401973
0x00401974
0x00401976
0x00401977
0x00401978
0x00000000
0x00401978
0x004018ac
0x004018ac
0x004018ac
0x004018ab
0x00401830
0x00401830
0x00401831
0x00401832
0x00401834
0x00401834
0x00401834
0x00401835
0x00401859
0x00401859
0x00401859
0x0040185c
0x0040185c
0x0040185c
0x0040185c
0x00401837
0x00401837
0x00401839
0x00401839
0x0040183c
0x0040183c
0x0040183c
0x0040183c
0x0040183e
0x0040183e
0x00000000
0x00000000
0x0040183f
0x0040183f
0x004018b7
0x004018b7
0x00401840
0x00401840
0x004018b1
0x004018b4
0x00000000
0x00000000
0x00000000
0x00000000
0x00401841
0x00401841
0x00401842
0x00401844
0x00401845
0x00401849
0x0040184b
0x00401851
0x00401853
0x00401854
0x00401855
0x00401857
0x00401857
0x00000000
0x00401857
0x00401840
0x0040183f
0x0040183e
0x00401835
0x00401807
0x00401807
0x0040180d
0x0040180e
0x00401886
0x00000000
0x0040180f
0x0040180f
0x00401887
0x00401887
0x0040188d
0x0040188f
0x00401908
0x00401979
0x00401979
0x0040197b
0x0040197c
0x0040197e
0x0040197f
0x00000000
0x00401909
0x00401909
0x00401981
0x00401981
0x00401983
0x00401986
0x00401988
0x00401989
0x0040198b
0x0040198e
0x00401991
0x00401993
0x00401995
0x00401997
0x00401999
0x0040199b
0x0040199d
0x0040199f
0x004019a2
0x004019a4
0x004019a6
0x004019a8
0x004019aa
0x004019ac
0x004019ae
0x004019b4
0x004019b6
0x004019b7
0x004019b7
0x0040190a
0x0040190a
0x0040190a
0x00401909
0x00401891
0x00401891
0x00401893
0x00401893
0x00401893
0x00401893
0x00401810
0x00401810
0x00401881
0x00401882
0x00401883
0x00401883
0x00401883
0x00401811
0x00401811
0x00401812
0x00401814
0x00401814
0x00401814
0x00401814
0x00401810
0x0040180f
0x0040180e
0x0040177f
0x0040177f
0x00401781
0x00401783
0x00401785
0x00401787
0x00401789
0x00401789
0x0040178c
0x0040178c
0x0040178c
0x0040178c
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x00401799
0x00000000
0x0040179b
0x0040179b
0x004017a1
0x004017a3
0x004017a5
0x004017a7
0x004017aa
0x004017b0
0x004017b2
0x004017b4
0x004017b6
0x004017b6
0x004017b9
0x00000000
0x004017bb
0x004017bb
0x004017c1
0x004017c3
0x004017c5
0x004017c6
0x00000000
0x004017c8
0x004017c8
0x004017c8
0x004017c8
0x004017ca
0x004017d0
0x004017d2
0x004017d4
0x004017d4
0x004017d6
0x004017dc
0x004017dc
0x004017dc
0x004017dc
0x00000000
0x004017dc
0x004017c6
0x004017b9
0x00401799
0x004019ba
0x004019ba
0x00000000
0x00000000
0x004019bc
0x004019be
0x004019c4
0x004019c6
0x004019c8
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019d9
0x004019db
0x004019dd
0x004019df
0x004019e0
0x004019e0
0x004019e0
0x004019e3
0x004019e5
0x004019e7
0x004019ea
0x004019ec
0x004019ee
0x004019f0
0x004019f2
0x004019f4
0x004019f6
0x004019f8
0x004019fa
0x004019fc
0x004019fe
0x00401a00
0x00401a06
0x00401a08
0x00401a0f
0x00401a12
0x00401a18
0x00401a1f
0x00401a21
0x00401a25
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a2f
0x00401a31
0x00401a33
0x00401a35
0x00401a37
0x00401a39
0x00401a3b
0x00401a3d
0x00401a3f
0x00401a41
0x00401a43
0x00401a45
0x00401a47
0x00401a4a
0x00401a4c
0x00401a4e
0x00401a54
0x00401a5a
0x00401a5c
0x00000000
0x00000000
0x00401a5e
0x00401a60
0x00401ad2
0x00401ad2
0x00401ad8
0x00000000
0x00401a62
0x00401a62
0x00401a64
0x00401a8e
0x00401a9a
0x00401a9a
0x00401a9a
0x00401a9d
0x00000000
0x00401aa1
0x00401aa1
0x00401aa3
0x00401aa3
0x00401aa5
0x00401aa7
0x00401aaa
0x00401aac
0x00000000
0x00401aae
0x00401aae
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac0
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ad0
0x00000000
0x00401ad0
0x00401ab5
0x00000000
0x00401aac
0x00000000
0x00401aa4
0x00401aa4
0x00401aa4
0x00401a66
0x00401a66
0x00401a68
0x00401ada
0x00401ada
0x00401ae0
0x00401ae2
0x00401ae4
0x00401ae6
0x00401ae8
0x00401aea
0x00401aec
0x00401aee
0x00401af0
0x00401af3
0x00401af6
0x00401af8
0x00401afa
0x00401b01
0x00401b02
0x00401b04
0x00401b07
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b17
0x00401b19
0x00401b1a
0x00401b1a
0x00401b1b
0x00401b1e
0x00401b20
0x00401b22
0x00401b24
0x00401b2a
0x00401b2c
0x00401a6a
0x00401a6a
0x00401a6c
0x00401a6e
0x00401a74
0x00401a77
0x00401a7a
0x00401a7c
0x00401a7e
0x00401a81
0x00401a83
0x00401a84
0x00401a8a
0x00401a8d
0x00000000
0x00401a8d
0x00401a68
0x00401a64
0x00401b2e
0x00401b2e
0x00401b30
0x00401b32
0x00401b34
0x00401b36
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b57
0x00401b5a
0x00401b5e
0x00401b64
0x00401b6a
0x00401b6b
0x00401b6c
0x00401b6e
0x00401b70
0x00401b72
0x00401b74
0x00401b76
0x00401b78
0x00401b7a
0x00401b7c
0x00401b7e
0x00401b80
0x00401b82
0x00401b84
0x00401b86
0x00401b88
0x00401b8a
0x00401b8c
0x00401b8e
0x00401b90
0x00401b92
0x00401b94
0x00401b96
0x00401b98
0x00401b9a
0x00401b9c
0x00401b9e
0x00401ba3
0x00401ba7
0x00401ba9
0x00401bab
0x00401baf
0x00401bb1
0x00401bb3
0x00401bb5
0x00401bb7
0x00401bb9
0x00401bbb
0x00401bbd
0x00401bbf
0x00401bc3
0x00401bc7
0x00401bca
0x00401bcc
0x00401bcf
0x00401bd1
0x00401bd3
0x00401bd5
0x00401bd7
0x00401bdd
0x00401be7
0x00401be9
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf6
0x00401bf8
0x00401bfc
0x00401bfe
0x00401c00
0x00401c01
0x00401c05
0x00401c09
0x00401c0c
0x00401c0e
0x00401c0f
0x00401c12
0x00401c15
0x00401c18
0x00401c1e
0x00401c20
0x00401c22
0x00401c24
0x00401c26
0x00401c28
0x00401c2a
0x00401c2c
0x00401c2e
0x00401c2f
0x00401c33
0x00401c35
0x00401c37
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c53
0x00401c54
0x00401c56
0x00401c58
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c69
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7d
0x00401c7f
0x00401c82
0x00401c84
0x00401c89
0x00401c8b
0x00401c8d
0x00401c8f
0x00401c91
0x00401c93
0x00401c95
0x00401c97
0x00401c99
0x00401c9b
0x00401c9d
0x00401c9f
0x00401ca2
0x00401ca4
0x00401ca9
0x00401cab
0x00401cad
0x00401caf
0x00401cb2
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbd
0x00401cbf
0x00401cc1
0x00401cc3
0x00401cc6
0x00401cc8
0x00401cca
0x00401ccc
0x00401cce
0x00401cd0
0x00401cd2
0x00401cd4
0x00401cd7
0x00401cd9
0x00401cdb
0x00401cdd
0x00401cdf
0x00401ce1
0x00401ce4
0x00401ce6
0x00401ce8
0x00401cea
0x00401cec
0x00401cee
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfd
0x00401d00
0x00401d03
0x00401d05
0x00401d0a
0x00401d0e
0x00401d10
0x00401d15
0x00401d17
0x00401d19
0x00401d1b
0x00401d1d
0x00401d1f
0x00401d21
0x00401d23
0x00401d25
0x00401d27
0x00401d2a
0x00401d2b
0x00401d2c
0x00401d93
0x00401d93
0x00401d97
0x00401d98
0x00000000
0x00401d2e
0x00401d2e
0x00401d2f
0x00401d31
0x00401d32
0x00401dad
0x00401dad
0x00401db0
0x00401db1
0x00401db5
0x00000000
0x00401d34
0x00401d34
0x00401d37
0x00401d38
0x00401d3b
0x00401d3f
0x00401d40
0x00401d44
0x00401d47
0x00401d48
0x00401d48
0x00401d4b
0x00401d4c
0x00401d4d
0x00401d4f
0x00401d4f
0x00401d51
0x00401d99
0x00401d99
0x00401d99
0x00401d9c
0x00401d9e
0x00401da3
0x00401da3
0x00401da6
0x00401da8
0x00401dab
0x00000000
0x00401d53
0x00401d53
0x00401d55
0x00401d57
0x00401d60
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6e
0x00401d70
0x00401d72
0x00401d75
0x00401d77
0x00401d7a
0x00401d7b
0x00401d7d
0x00401d7f
0x00401d86
0x00401d88
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d90
0x00401d90
0x00401d91
0x00000000
0x00401d91
0x00401d53
0x00401db6
0x00401db6
0x00401db7
0x00401dba
0x00401dbb
0x00401dbf
0x00401dc2
0x00401dc2
0x00401d4d
0x00401d32
0x00401dc8
0x00401dc9
0x00401dcc
0x00401dcd
0x00401dd0
0x00401dd3
0x00401dd6
0x00401ddc
0x00401ddd
0x00401de0
0x00401de3
0x00401de3
0x00401de6
0x00401de8
0x00401dea
0x00401deb
0x00401dee
0x00401df0
0x00401df4
0x00401df6
0x00401df8
0x00401dfa
0x00401dfc
0x00401dfe
0x00401e00
0x00401e02
0x00401e04
0x00401e06
0x00401e08
0x00401e0a
0x00401e0c
0x00401e0e
0x00401e10
0x00401e12
0x00401e14
0x00401e16
0x00401e18
0x00401e1a
0x00401e1c
0x00401e1e
0x00401e20
0x00401e22
0x00401e24
0x00401e26
0x00401e28
0x00401e2a
0x00401e2c
0x00401e2e
0x00401e30
0x00401e32
0x00401e34
0x00401e36
0x00401e38
0x00401e3a
0x00401e3c
0x00401e3e
0x00401e40
0x00401e42
0x00401e44
0x00401e46
0x00401e48
0x00401e4a
0x00401e4c
0x00401e4e
0x00401e50
0x00401e52
0x00401e54
0x00401e56
0x00401e58
0x00401e5a
0x00401e5c
0x00401e5e
0x00401e60
0x00401e62
0x00401e64
0x00401e6a
0x00401e6f
0x00401e71
0x00401e73
0x00401e75
0x00401e7e
0x00401e7f
0x00401e82
0x00401e84
0x00401e86
0x00401e87
0x00401e89
0x00401e8b
0x00401e8d
0x00401e8f
0x00401e91
0x00401e96
0x00401e97
0x00401e99
0x00401e9b
0x00401e9e
0x00401e9f
0x00401ea1
0x00401ea3
0x00401ea5
0x00401ea6
0x00401ea7
0x00401ea9
0x00401eab
0x00401ead
0x00401eae
0x00401eaf
0x00401eb1
0x00401eb3
0x00401eb6
0x00401eb7
0x00401eb9
0x00401ebb
0x00401ebd
0x00401ebe
0x00401ebf
0x00401ec1
0x00401ec7
0x00401ec9
0x00401ecb
0x00401ece
0x00401ecf
0x00401ed1
0x00401ed5
0x00401ed9
0x00401edc
0x00401edd
0x00401ee1
0x00401ee4
0x00401ee7
0x00401ee7
0x00401eea
0x00401eec
0x00401eee
0x00401eef
0x00401ef2
0x00401ef4
0x00401ef8
0x00401efa
0x00401efc
0x00401efe
0x00401f00
0x00401f02
0x00401f04
0x00401f06
0x00401f09
0x00401f0c
0x00401f0d
0x00401f10
0x00401f11
0x00401f13
0x00401f16
0x00401f18
0x00401f19
0x00401f1c
0x00401f1e
0x00401f20
0x00401f22
0x00401f24
0x00401f26
0x00401f29
0x00401f2a
0x00401f2b
0x00401f2e
0x00401f2f
0x00401f34
0x00401f36
0x00401f38
0x00401f39
0x00401f3d
0x00401f41
0x00401f42
0x00401f43
0x00401f45
0x00401f47
0x00401f49
0x00401f4a
0x00401f4b
0x00401f51
0x00401f56
0x00401f59
0x00401f5e
0x00401f60
0x00401f62
0x00401f64
0x00401f66
0x00401f68
0x00401f6a
0x00401f6c
0x00401f6e
0x00401f70
0x00401f72
0x00401f74
0x00401f76
0x00401f77
0x00401f79
0x00401f7b
0x00401f7d
0x00401f7f
0x00401f81
0x00401f83
0x00401f85
0x00401f87
0x00401f89
0x00401f8b
0x00401f8d
0x00401f8f
0x00401f91
0x00401f93
0x00401f95
0x00401f97
0x00401f99
0x00401f9b
0x00401f9d
0x00401f9f
0x00401fa1
0x00401fa3
0x00401fa5
0x00401fa7
0x00401fa9
0x00401fab
0x00401fad
0x00401faf
0x00401fb1
0x00401fb3
0x00401fb5
0x00401fb9
0x00401fba
0x00401fbb
0x00401fbd
0x00401fbf
0x00401fc1
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc9
0x00401fcb
0x00401fcd
0x00401fcf
0x00401fd1
0x00401fd3
0x00401fd5
0x00401fd7
0x00401fdd
0x00401fe1
0x00401fe3
0x00401fe5
0x00406b93
0x00406ba2
0x00406baf
0x00406bb2
0x00406bb9
0x00406bc1
0x00406bc4
0x00406bca
0x00406bcd
0x00406bd0
0x00406bd5
0x00406bdb
0x00406be2
0x00406be8
0x00406bf3
0x00406bfe
0x00406bfe
0x00401a2f
0x004019e0
0x004017de
0x00000000
0x004017e0
0x004017e0
0x004017e1
0x004017e3
0x004017e5
0x004017e6
0x004017e8
0x004017ea
0x004017ea
0x004017ec
0x004017ec
0x004017ec
0x004017ec
0x00000000
0x004017ec
0x00000000
0x004017de

APIs

#100.MSVBVM60(00401CB0), ref: 004015F1

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID:
API String ID: 1341478452-0
Opcode ID: 3c79f1d63829109156ca65ed2c1a82142431f912301f6e4aaa7c85b59915ed51
Instruction ID: 33eae2e466de30a24540706282549c015ee9e410deb3e1ff04bd6b7cc593eab2
Opcode Fuzzy Hash: 3c79f1d63829109156ca65ed2c1a82142431f912301f6e4aaa7c85b59915ed51
Instruction Fuzzy Hash: 975163A590E7C18FC3138BB09C696907FB0AE23254B0E46DBC4D1CF1F3E258185AC726

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040755D, Relevance: 57.9, APIs: 26, Strings: 7, Instructions: 171
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040755D(void* __ebx, void* __ecx, void* __edi) {
				void* _t312;
				void* _t313;
				void* _t435;

				_t435 = __edi;
				_t313 = __ecx;
				_t312 = __ebx;
				_pop(ds);
			}

0x0040755d
0x0040755d
0x0040755d
0x0040755d

APIs

__vbaGenerateBoundsError.MSVBVM60 ref: 0040756D
__vbaSetSystemError.MSVBVM60(?,?,000000F8), ref: 004075A0
__vbaAryUnlock.MSVBVM60(?), ref: 004075A9
__vbaStrMove.MSVBVM60(2C559A0AA43D1005C9D2341946332CCA461834D2301A45), ref: 004075D7
__vbaStrMove.MSVBVM60(GaF), ref: 004075F0
__vbaStrMove.MSVBVM60(00000000), ref: 00407600
__vbaStrMove.MSVBVM60(IiiJR), ref: 00407619
__vbaStrMove.MSVBVM60(00000000), ref: 00407629
__vbaStrMove.MSVBVM60(00000000), ref: 00407639
__vbaStrMove.MSVBVM60(8768812445710A3A0559260B0B280B), ref: 0040764D
__vbaStrMove.MSVBVM60(BSCZIT), ref: 00407666
__vbaStrMove.MSVBVM60(00000000), ref: 00407676
__vbaStrMove.MSVBVM60(vVv), ref: 0040768F
__vbaStrMove.MSVBVM60(00000000), ref: 0040769F
__vbaStrMove.MSVBVM60(00000000), ref: 004076AF

Strings

2C559A0AA43D1005C9D2341946332CCA461834D2301A45, xrefs: 004075BF
IiiJR, xrefs: 00407608
BSCZIT, xrefs: 00407655
8768812445710A3A0559260B0B280B, xrefs: 0040763B
PE, xrefs: 004075AF
vVv, xrefs: 0040767E
GaF, xrefs: 004075DF

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Error$BoundsGenerateSystemUnlock
String ID: 2C559A0AA43D1005C9D2341946332CCA461834D2301A45$8768812445710A3A0559260B0B280B$BSCZIT$GaF$IiiJR$PE$vVv
API String ID: 3067703738-732138114
Opcode ID: 570256536680db9460fc461fe7e03156a7606e9ec7c93b0f9f863553c18f9f03
Instruction ID: 1f950ad63f7518035fdc7379bf84a23baee0e5bd73e1a649290c7ec19ad5e4b7
Opcode Fuzzy Hash: 570256536680db9460fc461fe7e03156a7606e9ec7c93b0f9f863553c18f9f03
Instruction Fuzzy Hash: D271E5F1D001289BCB24DB50DC94ADEB778EF48300F5085EAA70A73195DA746F89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00406F00, Relevance: 33.4, APIs: 16, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000007,00000000,660CC33A,?,00000000), ref: 00406F6F
__vbaVarMove.MSVBVM60 ref: 00406FA0
__vbaVarMove.MSVBVM60 ref: 00406FCC
__vbaVarMove.MSVBVM60 ref: 00406FE8
__vbaVarMove.MSVBVM60 ref: 0040700E
__vbaVarMove.MSVBVM60 ref: 00407033
__vbaVarMove.MSVBVM60 ref: 0040705C
__vbaVarMove.MSVBVM60 ref: 00407085
__vbaVarMove.MSVBVM60 ref: 004070AE
#601.MSVBVM60(?,?), ref: 004070B8
__vbaErase.MSVBVM60(00000000,?), ref: 004070C3
__vbaVarMove.MSVBVM60 ref: 004070CF

Part of subcall function 00406E90: __vbaPowerR8.MSVBVM60(00000000,40000000,?,?,?,?,004070DC,?,0000001D), ref: 00406EBA
Part of subcall function 00406E90: __vbaFpI4.MSVBVM60(?,?,?,?,?,?,004070DC,?,0000001D), ref: 00406EE2

__vbaVarIndexLoad.MSVBVM60(?,?,00000001), ref: 00407102
__vbaI4Var.MSVBVM60(00000000), ref: 0040710C
__vbaFreeVar.MSVBVM60 ref: 00407118
__vbaFreeVar.MSVBVM60(00407145), ref: 0040713E

Strings

, xrefs: 00406FED
@, xrefs: 00407035
@, xrefs: 0040708A

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#601EraseIndexLoadPowerRedim
String ID: $@$@
API String ID: 1180441480-3743272326
Opcode ID: 426bf9d5200cef7faec0a97437813a9aad631a84fab71374e6951b93d665a577
Instruction ID: 1eaf6484d2191e39fe9b5a62486ba86ac5c75a8fb0601f41840204c753b0b239
Opcode Fuzzy Hash: 426bf9d5200cef7faec0a97437813a9aad631a84fab71374e6951b93d665a577
Instruction Fuzzy Hash: 9A71E2B0D002189FEB18DFA9D998F9DFBB4FF44300F0181AAD51AAB261D774AA45CF51

Uniqueness

Uniqueness Score: -1.00%

Function 00405DC0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(00000000,004013E6), ref: 00405DDE
__vbaStrCopy.MSVBVM60(660E6A9B,?,660E1948,00000000,004013E6), ref: 00405E0B
__vbaStrCopy.MSVBVM60 ref: 00405E17
__vbaAryConstruct2.MSVBVM60(?,00402E34,00000002), ref: 00405E28
__vbaOnError.MSVBVM60(000000FF), ref: 00405E37
#717.MSVBVM60(?,00004008,00000080,00000000), ref: 00405E69
__vbaVar2Vec.MSVBVM60(?,?), ref: 00405E7A
__vbaAryMove.MSVBVM60(?,?), ref: 00405E8B
__vbaFreeVar.MSVBVM60 ref: 00405E94
__vbaVarForInit.MSVBVM60(?,?,?,00000002,00000002,00000002), ref: 00405F04
__vbaI4Var.MSVBVM60(?), ref: 00405F20

Strings

/, xrefs: 00405F15

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Copy$#717ChkstkConstruct2ErrorFreeInitMoveVar2
String ID: /
API String ID: 1582012848-2043925204
Opcode ID: 275715ee9b72550f7ce788d4dbee899db6f7053439f2e97fa1232a52deb63d51
Instruction ID: 3b40b447ad9e69bb096a1d3f86a4aa1dc761d61eab73f4dcac7a8685b1a9836d
Opcode Fuzzy Hash: 275715ee9b72550f7ce788d4dbee899db6f7053439f2e97fa1232a52deb63d51
Instruction Fuzzy Hash: 34412CB1800219DFDB10DF94CE49BDEBBB4FB48304F1080A9E646B6691D7781A88CF65

Uniqueness

Uniqueness Score: -1.00%

Function 004066E0, Relevance: 10.6, APIs: 7, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,660E6C30,660E0EBE), ref: 00406732
__vbaLenBstr.MSVBVM60(?), ref: 0040673C
#632.MSVBVM60(?,?,?,?), ref: 004067A0
__vbaStrVarVal.MSVBVM60(?,?), ref: 004067AE
#516.MSVBVM60(00000000), ref: 004067B5
__vbaFreeStr.MSVBVM60(0040686B), ref: 00406864
__vbaErrorOverflow.MSVBVM60 ref: 00406881

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#516#632BstrCopyErrorFreeOverflow
String ID:
API String ID: 218249059-0
Opcode ID: 539886d0a48c4e722a1580980c863d91db8bac2050bd20f1ff28d7d441d40b02
Instruction ID: 2f5de9cf91024ff676a6c33e4378e34fddb06081d7d363696ceab573f79d547b
Opcode Fuzzy Hash: 539886d0a48c4e722a1580980c863d91db8bac2050bd20f1ff28d7d441d40b02
Instruction Fuzzy Hash: 4E51D4B1C01218AFDB10DFAADA85A9DFBF8FF58300F10816AE445B7660D7785945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 00406DA8, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406DB5
__vbaFreeStrList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00406DD9
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00406DE9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00406DF7

Memory Dump Source

Source File: 00000000.00000002.187370632.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.187366833.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.187376517.0000000000409000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.187380014.000000000040B000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$DestructFreeList
String ID:
API String ID: 177195230-0
Opcode ID: ee16a6bb8f5b265717399fbced6e7f78dcf89f82ccf50147ce55649fa50e2af8
Instruction ID: f106c9d0d75eab5dad0c2b89877099a8dd59c1bc4e00f4db17bf94ca04e45a52
Opcode Fuzzy Hash: ee16a6bb8f5b265717399fbced6e7f78dcf89f82ccf50147ce55649fa50e2af8
Instruction Fuzzy Hash: 7DF0E7B2800118EACB0ADBD0DE88EEEB77DAF48700F14811AF606A6494D7702B49CB64

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report s3ZenAQ7m1.bin

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: s3ZenAQ7m1.exe PID: 6116 Parent PID: 5812

General

File Activities

File Opened

File Created

File Deleted

File Attributes Queried