Protectedformyman.exe

First submission 2024-10-18 07:36:02

File details

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Mime type:	application/x-dosexec
File size:	1512.32 KB (1548616 bytes)
Compile time:	2024-10-18 04:47:04
MD5:	870025e332dfcfb4bd089bf2151388ff
SHA1:	4804d5dc6c73e109e14715ac22cd1d6caffe1772
SHA256:	1939e8b69d8f42401f74c941657a174b4647f3d21eb3cdcdff615ba9ff3ee3e1
Import Hash :	913b53759cda103df07e1be81a5e2514
Sections 3	.text .data .rsrc
Directories 3	import resource security

File features detected

Is DLL

Packers

Anti Debug

Anti VM

Signed

XOR

OSINT Enrichments

Virus Total:	30/77 VT report date: 2024-10-18 05:26:24
Malware Type 2	trojan banker
Threat Type 3	zusy convagent msil

URLs, FQDN and IP indicators 1

URL	Host (FQDN/IP)	Date Added
hXXp://185.196.11.151/kfkn/Protectedformyman.exe	185.196.11.151	2024-10-18 07:36:02

PE Sections 0 suspicious

Name	VAddress	VSize	Size	SHA1	MD5
.text	0x1000	0x161af8	1449984	f2927a3dd40a6db69c99121679c066888766b676	04086a30a925043795ddd4939b904c2b
.data	0x163000	0x3cdc	4096	1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d	620f0b67a91f7f74151bc5be745b7110
.rsrc	0x167000	0x10b18	69632	a921050966eb2817b1351d6493cd891bb311f4d6	d574ba00b7ea94993a321fb72ec52575

PE Resources 3

Name	Language	Sublanguage	Offset	Size	Data
RT_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x1670e8	67624	PE Resource: RT_ICON - Data ( ``QPLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKQP`asuKJKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJKJsu.WVIHMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHWV-effgjk8ONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJOOjk8fgeffghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKNMNMNMMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLNMNMNMNMNMNMNMNMMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKMLNMNMMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJEDEDEDGFLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKFEEDEDEDEDEDEDEDEDGFJINMONMLLKLKLKLKLKLKLKLKLKLKFEEDEDFELKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJNMjilknmccJILKLKLKLKLKLKLKLKLKLKLKLKLKMLihmllklklklklklklkdcUTDC@?KJNMLKLKLKLKLKLKLKLKMLgflklkgfMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSONBANMLKLKLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITS}\|A@NMLKLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHYYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSA@NMLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITS<;B@A@A@BAHGdc~BANMLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSJIONONNMNMMLGF=;RQJIMLLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSHGMLLKLKLKLKNMNMA@@?ONLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKMLNMONMLLKLKLKLKLKMLJITSHGMLLKLKLKLKLKNMDCsrIHLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYBALKJIFEA@@?HGONLKLKLKLKMLJITSHGMLLKLKLKLKLKLKLKLKgfFEMLMLJIQPONKJMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZY\[@?LKMLLKLKMLJITSHGMLLKLKLKLKLKLKONA@A@NNMLJIQPQPLKNMMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYGFKJMLLKMLJITSHGMLLKLKLKLKLKLKON?>?>ONMLJIQPIHDCFEEDEDEDEDEDEDIHLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYGFLKLKMLJITSHGMLLKLKLKLKLKLKONA@@?ONMLJIQPBANMLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYIHSRQPSRjjA?ONMLJITSHGMLLKLKLKLKLKLKNMA@A@NMMLJIQP?>ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYBALKKJKJDCFEYXIHNMJITSHGMLLKLKLKLKLKLKNMB@A@NMMLJIQPBANMLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMMLLKQPA@A@ONJITSHGMLLKLKLKLKLKLKON@??>ONMLJIQPKJFEHGGFGFGFGFHFGFJILKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLHGa`@?ONJITSHGMLLKLKLKLKLKLKON@?A?ONMLJIQPPOLKMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLIHWVBAONJITSHGMLLKLKLKLKLKLKNMGFdcFEMLMLJIQPOOKJMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLIH]\A@ONJITSHGMLLKLKLKLKLKQP?>~}EDNMLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMMLMLQP@?~}@?ONJITSIHMLMLMLNMONON?>^]xwCBNMLKMLJIQPPOLKMLMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYA@LKJIIH@?ML_^HGNMJITSFEKJJIHGED@?CB{zBANMLKLKMLJIQPMLIHJIJIJIJIJIJIJIJIKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYLKUTTSZY\|\|A@ONMLJITSPOTSUT[ZlkJIKJMLLKLKMLJIQPWVSRUTTSTSTSTSTSTSUTPOKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHYXFEMLLKMLJITSJIJIMLLKLKLKMLKIQP@?ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYEDLKMLLKMLJITS\|\|BAKJMLLKLKLKLKMLJIRQ?=ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHWVZZ@?MLMLLKLKMLJISRqpGFBANMMLLKLKLKLKLKLKKJPOA@ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKNMNMNMNMNMNMONKJBA@?HGONLKLKLKLKLKLKLKNMNMNMNMNMNMNNMLIHBA?>DCMLNMLKLKLKLKLKLKLKLKLKLKNMONONONONONONONONONONONONONMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJLKNMONMLLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJKJMLNMONNMLKLKLKLKLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJKJKJKJKJKJKJKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgghikln8QQLKMMMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMMLKQQln8ikghbcdfhi9JIEDFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEEDJIhi9dfbcx{z}\|6ijfgghfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgghfgij\|6z}x{,,,,,,,,,,,,,,,,,,,,,,,,,,,VVLKRQz\|,,?=IHMMKJB@PO,,?>ONNMHFLKPOIHIH,,``GFNMGFabOOHGOOIHPP,,LKMLGFbcNMIHPOECgg,,KJNMDBwyHGLKOOA?,,WVJIMLIHB@ONLKIH,,A@POHGWWrtDBPOEClm,,QPIHONGFUTMLKJONBA,,DCLKOOHGJI?=POHG\\,,ECJIPOLKA@pqhiFEPOA@,,NMECOOONCARQeeIHMLIHVV,,ghA?LKPPJIHFMLLKONA@,,LKCBNMNNLKLKMLIHVV,,vwECEDNMNMLKMMGExz,,jkDBEDMLLKMLECHGqr,,klHGLKLKNMMLECCAXXbbHGCACAEDXX,,DCNMLKLKNMPOIHB@GEccYYA?GFNNPPPOONIH?=,,\\HGMLMLJHDBLKQPNNGFB@HGccBAHGOONNECA@BAIHNNNN@>,,B@ONHG^^vxKJA@GENMQPNMGFB@FEYXz}efA?NMNMIHDBsuVUEDNNIHVU,,QPKJJITSefIHB@FEMLQPONJHCBB@KJaa~\\CBONMLJISSijGFPOB@,,CAQP@>fgKIB@DCKJPOQPNMHFBABADCIHNMLKLKJIDCPOBA,,GENMGFaasuTSDCB@EDKJNNNMNMMLLKLKLKMLLKJIPORQRQJIGFMLPO@?,,hhFEONEClmTTKJLKMLLKKIMLNMNMNMNMMLLKLKNMONONCAVV,,B@PPCA}efGFNMLJIHQPFEBAA@CADBECEDEDDBB@DCdd,,QQKJKJSRCANMMLCBwypqmnoqz\|,,\|~CAPPB@A?NMNNB@,,DCOOECopHGLKONB@},,[\IGMLLK[[GFPOEDfg,,B@QPB@~B@POJIPO,,FEONFDklCANMNMDB,,``HFMLKJTTIHPOB@,,B@QPA@}BAPOGF^_,,GEONEDmoDCNMMLFE,,^^HGLKNM^^GFPOB@,,B@PP@>?=POHGYY,,DCONGFghYYIHONCA,,UUJHMLHGJINNECnp,,vxDBNMMLMLMLGF,,B@NNLKNMCA~,,IHLKMLKJKJ,,``GFONCB,,RQKJNNDB,,A?ONNMB@,,[[HGMLNMDCrt,,CBNMLKMLIGZZ,,y{CBNMMLLKLKKI+,SSJIMLKJLKNMCB,CAONJIQPLKNNA@,CBJI]^SSLKDB{~,fgIGCBopFEGFjk,TSJIMLBAKI]],KJJIRRB@LKTT,FENMJIB@MLQQ,GEOOB@rtECLKQQ,MLMLGF`aONLKJIWW,abGFMMKJKJKJNMECmn,?>PPMLLKMLNMCB,gg><JILKML>=,XXMLHF,,,,,,,,,,,,k}_o//////////////////////////////////////////////////////////////////////////////////////////////////OO_ +W_ +W_ +W_
RT_GROUP_ICON	LANG_NEUTRAL	SUBLANG_NEUTRAL	0x177910	20
RT_VERSION	LANG_GERMAN	SUBLANG_GERMAN	0x177924	500

Name

Language

Sublanguage

Offset

Size

Data

RT_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x1670e8

67624

( ``QPLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKQP`asuKJKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJKJsu.WVIHMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHWV-effgjk8ONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJOOjk8fgeffghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKNMNMNMMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLNMNMNMNMNMNMNMNMMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKMLNMNMMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJEDEDEDGFLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKFEEDEDEDEDEDEDEDEDGFJINMONMLLKLKLKLKLKLKLKLKLKLKFEEDEDFELKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJNMjilknmccJILKLKLKLKLKLKLKLKLKLKLKLKLKMLihmllklklklklklklkdcUTDC@?KJNMLKLKLKLKLKLKLKLKMLgflklkgfMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSONBANMLKLKLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITS}|A@NMLKLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHYYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSA@NMLKLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITS<;B@A@A@BAHGdc~BANMLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSJIONONNMNMMLGF=;RQJIMLLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKLKLKLKLKLKLKLKLKMLJITSHGMLLKLKLKLKNMNMA@@?ONLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKMLNMONMLLKLKLKLKLKMLJITSHGMLLKLKLKLKLKNMDCsrIHLKLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYBALKJIFEA@@?HGONLKLKLKLKMLJITSHGMLLKLKLKLKLKLKLKLKgfFEMLMLJIQPONKJMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZY\[@?LKMLLKLKMLJITSHGMLLKLKLKLKLKLKONA@A@NNMLJIQPQPLKNMMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYGFKJMLLKMLJITSHGMLLKLKLKLKLKLKON?>?>ONMLJIQPIHDCFEEDEDEDEDEDEDIHLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYGFLKLKMLJITSHGMLLKLKLKLKLKLKONA@@?ONMLJIQPBANMLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYIHSRQPSRjjA?ONMLJITSHGMLLKLKLKLKLKLKNMA@A@NMMLJIQP?>ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYBALKKJKJDCFEYXIHNMJITSHGMLLKLKLKLKLKLKNMB@A@NMMLJIQPBANMLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMMLLKQPA@A@ONJITSHGMLLKLKLKLKLKLKON@??>ONMLJIQPKJFEHGGFGFGFGFHFGFJILKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLHGa`@?ONJITSHGMLLKLKLKLKLKLKON@?A?ONMLJIQPPOLKMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLIHWVBAONJITSHGMLLKLKLKLKLKLKNMGFdcFEMLMLJIQPOOKJMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMLKLKMLIH]\A@ONJITSHGMLLKLKLKLKLKQP?>~}EDNMLKMLJIQPONKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYDCNMMLMLQP@?~}@?ONJITSIHMLMLMLNMONON?>^]xwCBNMLKMLJIQPPOLKMLMLMLMLMLMLMLMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYA@LKJIIH@?ML_^HGNMJITSFEKJJIHGED@?CB{zBANMLKLKMLJIQPMLIHJIJIJIJIJIJIJIJIKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYLKUTTSZY||A@ONMLJITSPOTSUT[ZlkJIKJMLLKLKMLJIQPWVSRUTTSTSTSTSTSTSUTPOKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHYXFEMLLKMLJITSJIJIMLLKLKLKMLKIQP@?ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHZYEDLKMLLKMLJITS||BAKJMLLKLKLKLKMLJIRQ?=ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLIHWVZZ@?MLMLLKLKMLJISRqpGFBANMMLLKLKLKLKLKLKKJPOA@ONLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKNMNMNMNMNMNMONKJBA@?HGONLKLKLKLKLKLKLKNMNMNMNMNMNMNNMLIHBA?>DCMLNMLKLKLKLKLKLKLKLKLKLKNMONONONONONONONONONONONONONMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJLKNMONMLLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJKJMLNMONNMLKLKLKLKLKLKLKLKLKLKLKLKKJKJKJKJKJKJKJKJKJKJKJKJKJKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKMLLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgfghjkm8POKJLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKLKKJPOkm8hjfgghikln8QQLKMMMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMLMMLKQQln8ikghbcdfhi9JIEDFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEFEEDJIhi9dfbcx{z}|6ijfgghfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgfgghfgij|6z}x{,,,,,,,,,,,,,,,,,,,,,,,,,,,VVLKRQz|,,?=IHMMKJB@PO,,?>ONNMHFLKPOIHIH,,``GFNMGFabOOHGOOIHPP,,LKMLGFbcNMIHPOECgg,,KJNMDBwyHGLKOOA?,,WVJIMLIHB@ONLKIH,,A@POHGWWrtDBPOEClm,,QPIHONGFUTMLKJONBA,,DCLKOOHGJI?=POHG\\,,ECJIPOLKA@pqhiFEPOA@,,NMECOOONCARQeeIHMLIHVV,,ghA?LKPPJIHFMLLKONA@,,LKCBNMNNLKLKMLIHVV,,vwECEDNMNMLKMMGExz,,jkDBEDMLLKMLECHGqr,,klHGLKLKNMMLECCAXXbbHGCACAEDXX,,DCNMLKLKNMPOIHB@GEccYYA?GFNNPPPOONIH?=,,\\HGMLMLJHDBLKQPNNGFB@HGccBAHGOONNECA@BAIHNNNN@>,,B@ONHG^^vxKJA@GENMQPNMGFB@FEYXz}efA?NMNMIHDBsuVUEDNNIHVU,,QPKJJITSefIHB@FEMLQPONJHCBB@KJaa~\\CBONMLJISSijGFPOB@,,CAQP@>fgKIB@DCKJPOQPNMHFBABADCIHNMLKLKJIDCPOBA,,GENMGFaasuTSDCB@EDKJNNNMNMMLLKLKLKMLLKJIPORQRQJIGFMLPO@?,,hhFEONEClmTTKJLKMLLKKIMLNMNMNMNMMLLKLKNMONONCAVV,,B@PPCA}efGFNMLJIHQPFEBAA@CADBECEDEDDBB@DCdd,,QQKJKJSRCANMMLCBwypqmnoqz|,,|~CAPPB@A?NMNNB@,,DCOOECopHGLKONB@},,[\IGMLLK[[GFPOEDfg,,B@QPB@~B@POJIPO,,FEONFDklCANMNMDB,,``HFMLKJTTIHPOB@,,B@QPA@}BAPOGF^_,,GEONEDmoDCNMMLFE,,^^HGLKNM^^GFPOB@,,B@PP@>?=POHGYY,,DCONGFghYYIHONCA,,UUJHMLHGJINNECnp,,vxDBNMMLMLMLGF,,B@NNLKNMCA~,,IHLKMLKJKJ,,``GFONCB,,RQKJNNDB,,A?ONNMB@,,[[HGMLNMDCrt,,CBNMLKMLIGZZ,,y{CBNMMLLKLKKI+,SSJIMLKJLKNMCB,CAONJIQPLKNNA@,CBJI]^SSLKDB{~,fgIGCBopFEGFjk,TSJIMLBAKI]],KJJIRRB@LKTT,FENMJIB@MLQQ,GEOOB@rtECLKQQ,MLMLGF`aONLKJIWW,abGFMMKJKJKJNMECmn,?>PPMLLKMLNMCB,gg><JILKML>=,XXMLHF,,,,,,,,,,,,k}_o//////////////////////////////////////////////////////////////////////////////////////////////////OO_
+W_
+W_
+W_

RT_GROUP_ICON

LANG_NEUTRAL

SUBLANG_NEUTRAL

0x177910

RT_VERSION

LANG_GERMAN

SUBLANG_GERMAN

0x177924

500

Meta infos 6

InternalName:	acvm7qw909e
ProductVersion:	1.00
Translation:	0x0407 0x04b0
ProductName:	Careva_Meraq
OriginalFilename:	acvm7qw909e.exe
FileVersion:	1.00

Anti debug functions 1

Virtual Box

File signature

MD5	SHA1	Block size	Virtual Address
3d47c89a47044da3390b363b6279af73	ffd2cbd80c7f50149c443fb0a289be61fce3bb9d	20808	1527808

Strings analysis - File found

Autogen
C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Library
USER32.dll
KERNEL32.dll
MSVBVM60.DLL
VB5!6&VB6DE.DLL
VBA6.DLL

Strings analysis - Possible URLs found 14

http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
http://ocsp.digicert.com0C
http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
http://ocsp.digicert.com0A
http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
http://ocsp.digicert.com0\
http://www.digicert.com/CPS0
http://ocsp.digicert.com0X

Import functions

KERNEL32.DLL 2 MSVBVM60.DLL 97

Function	Address	Souspicious	Anti Debug
GetProcAddress	0x401000
GetModuleHandleW	0x401004

Function	Address	Souspicious	Anti Debug
__vbaVarSub	0x40100c
None	0x401010
__vbaStrI2	0x401014
_CIcos	0x401018
_adj_fptan	0x40101c
__vbaVarMove	0x401020
__vbaVarVargNofree	0x401024
__vbaFreeVar	0x401028
__vbaStrVarMove	0x40102c
__vbaLenBstr	0x401030
__vbaFreeVarList	0x401034
None	0x401038
_adj_fdiv_m64	0x40103c
None	0x401040
__vbaNextEachVar	0x401044
__vbaFreeObjList	0x401048
_adj_fprem1	0x40104c
None	0x401050
__vbaStrCat	0x401054
__vbaSetSystemError	0x401058
__vbaHresultCheckObj	0x40105c
_adj_fdiv_m32	0x401060
__vbaAryVar	0x401064
__vbaAryDestruct	0x401068
None	0x40106c
__vbaObjSet	0x401070
_adj_fdiv_m16i	0x401074
__vbaObjSetAddref	0x401078
_adj_fdivr_m16i	0x40107c
__vbaRefVarAry	0x401080
__vbaBoolVarNull	0x401084
_CIsin	0x401088
__vbaErase	0x40108c
__vbaVargVarMove	0x401090
__vbaVarZero	0x401094
__vbaVarCmpGt	0x401098
None	0x40109c
__vbaChkstk	0x4010a0
None	0x4010a4
None	0x4010a8
EVENT_SINK_AddRef	0x4010ac
None	0x4010b0
__vbaVarTstEq	0x4010b4
None	0x4010b8
DllFunctionCall	0x4010bc
__vbaVarOr	0x4010c0
__vbaRedimPreserve	0x4010c4
_adj_fpatan	0x4010c8
__vbaRedim	0x4010cc
EVENT_SINK_Release	0x4010d0
__vbaNew	0x4010d4
None	0x4010d8
_CIsqrt	0x4010dc
EVENT_SINK_QueryInterface	0x4010e0
__vbaExceptHandler	0x4010e4
__vbaStrToUnicode	0x4010e8
None	0x4010ec
_adj_fprem	0x4010f0
_adj_fdivr_m64	0x4010f4
None	0x4010f8
__vbaFPException	0x4010fc
None	0x401100
__vbaStrVarVal	0x401104
__vbaUbound	0x401108
__vbaVarCat	0x40110c
None	0x401110
_CIlog	0x401114
__vbaNew2	0x401118
_adj_fdiv_m32i	0x40111c
_adj_fdivr_m32i	0x401120
__vbaStrCopy	0x401124
__vbaI4Str	0x401128
__vbaFreeStrList	0x40112c
_adj_fdivr_m32	0x401130
_adj_fdiv_r	0x401134
None	0x401138
__vbaI4Var	0x40113c
__vbaAryLock	0x401140
__vbaVarAdd	0x401144
__vbaVarDup	0x401148
__vbaStrToAnsi	0x40114c
None	0x401150
__vbaVarLateMemCallLd	0x401154
__vbaVarCopy	0x401158
_CIatan	0x40115c
__vbaStrMove	0x401160
__vbaCastObj	0x401164
__vbaAryCopy	0x401168
__vbaStrVarCopy	0x40116c
__vbaForEachVar	0x401170
_allmul	0x401174
_CItan	0x401178
None	0x40117c
__vbaAryUnlock	0x401180
_CIexp	0x401184
__vbaFreeObj	0x401188
__vbaFreeStr	0x40118c