Play interactive tour

Edit tour

Analysis Report ZP1H92DwTq.exe

Overview

General Information

Sample Name:	ZP1H92DwTq.exe
Analysis ID:	342865
MD5:	3421ebb45a538c5044d484703448f2a7
SHA1:	15766bfdbd612d174ee233dce4d466880728f8f3
SHA256:	8d2f6b5af6dee6568c8d9f58a3a618b47964bef00531f15063ed2e289d7e2abf
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

ZP1H92DwTq.exe (PID: 4404 cmdline: 'C:\Users\user\Desktop\ZP1H92DwTq.exe' MD5: 3421EBB45A538C5044D484703448F2A7)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: ZP1H92DwTq.exe PID: 4404	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: ZP1H92DwTq.exe PID: 4404	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: ZP1H92DwTq.exe

Virustotal: Detection: 10%

Perma Link

Compliance:

Uses 32bit PE files

Show sources

Source: ZP1H92DwTq.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Code function: 0_2_0040745A

0_2_0040745A

Source: ZP1H92DwTq.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: ZP1H92DwTq.exe, 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameEmbedshaver.exe vs ZP1H92DwTq.exe
Source: ZP1H92DwTq.exe, 00000000.00000002.1289452903.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs ZP1H92DwTq.exe
Source: ZP1H92DwTq.exe	Binary or memory string: OriginalFilenameEmbedshaver.exe vs ZP1H92DwTq.exe

Source: ZP1H92DwTq.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC8EC25548F2904F8.TMP

Jump to behavior

Source: ZP1H92DwTq.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ZP1H92DwTq.exe

Virustotal: Detection: 10%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: ZP1H92DwTq.exe PID: 4404, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: ZP1H92DwTq.exe PID: 4404, type: MEMORY

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_00404851 push 1C000090h; iretd	0_2_0040487A
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_004044FE push esi; iretd	0_2_004044FF
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_004092DF push 00000043h; iretd	0_2_004092E3
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_004063D8 push ds; retf	0_2_004063DB
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B32BC pushfd ; iretd	0_2_020B32BD

Source: initial sample

Static PE information: section name: .text entropy: 6.92993143866

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	RDTSC instruction interceptor: First address: 00000000020B0290 second address: 00000000020B0290 instructions:
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	RDTSC instruction interceptor: First address: 00000000020B0391 second address: 00000000020B0391 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: ZP1H92DwTq.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	RDTSC instruction interceptor: First address: 00000000020B0290 second address: 00000000020B0290 instructions:
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	RDTSC instruction interceptor: First address: 00000000020B0391 second address: 00000000020B0391 instructions:
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	RDTSC instruction interceptor: First address: 00000000020B2B65 second address: 00000000020B2B65 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F375D0517B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d jmp 00007F375D0517D2h 0x0000001f cmp cx, cx 0x00000022 pop ecx 0x00000023 add edi, edx 0x00000025 test bh, 00000073h 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F375D05177Bh 0x0000002e push ecx 0x0000002f call 00007F375D051818h 0x00000034 call 00007F375D0517C8h 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Code function: 0_2_020B1A11 rdtsc

0_2_020B1A11

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: ZP1H92DwTq.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe

Code function: 0_2_020B1A11 rdtsc

0_2_020B1A11

Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B5799 mov eax, dword ptr fs:[00000030h]	0_2_020B5799
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B5793 mov eax, dword ptr fs:[00000030h]	0_2_020B5793
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B1BF8 mov eax, dword ptr fs:[00000030h]	0_2_020B1BF8
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B4800 mov eax, dword ptr fs:[00000030h]	0_2_020B4800
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B1C00 mov eax, dword ptr fs:[00000030h]	0_2_020B1C00
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B5017 mov eax, dword ptr fs:[00000030h]	0_2_020B5017
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B14A4 mov eax, dword ptr fs:[00000030h]	0_2_020B14A4
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B19B6 mov eax, dword ptr fs:[00000030h]	0_2_020B19B6
Source: C:\Users\user\Desktop\ZP1H92DwTq.exe	Code function: 0_2_020B29E0 mov eax, dword ptr fs:[00000030h]	0_2_020B29E0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Source: ZP1H92DwTq.exe, 00000000.00000002.1289038706.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ZP1H92DwTq.exe, 00000000.00000002.1289038706.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ZP1H92DwTq.exe, 00000000.00000002.1289038706.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: ZP1H92DwTq.exe, 00000000.00000002.1289038706.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery411	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
ZP1H92DwTq.exe	10%	Virustotal		Browse
ZP1H92DwTq.exe	7%	ReversingLabs	Win32.PUA.Wacapew

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	342865
Start date:	21.01.2021
Start time:	19:45:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 26s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	ZP1H92DwTq.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 40.7% (good quality ratio 18.4%) Quality average: 24.5% Quality standard deviation: 29.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.441995489867964
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ZP1H92DwTq.exe
File size:	98304
MD5:	3421ebb45a538c5044d484703448f2a7
SHA1:	15766bfdbd612d174ee233dce4d466880728f8f3
SHA256:	8d2f6b5af6dee6568c8d9f58a3a618b47964bef00531f15063ed2e289d7e2abf
SHA512:	0c3acfa2d31e81af396ebb179c38bb883430a7955ad10081facd0c7ea9066f51e00bfbb6a612262526cb588368a9b9d825f2288f617242c4490d7c22d19c7903
SSDEEP:	1536:VMmOBBPTp3C7uIaILxhhn3JbPMfIxvktHFoDZNDA87itMmO:CmAJTpSkUbaf+vktHClND7iqm
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........I....................................Rich............................PE..L.....%U.................@...@......d........P....@

File Icon


Icon Hash:	80c34adad868b0e0

Static PE Info

General
Entrypoint:	0x401364
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x55251D86 [Wed Apr 8 12:22:30 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f0b86fcdc858848465b74699359cbeef

Entrypoint Preview

Instruction
push 00402BF4h
call 00007F375C740165h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-17h], bl
inc ecx
mov edi, 40E4F2EBh
mov ebp, 6252C9A9h
mov ch, byte ptr [ecx+000000A1h]
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edi], ah
add edx, dword ptr [edi+6D000000h]
imul esi, dword ptr [ebx+66h], 6F74726Fh
insb
imul esp, dword ptr [ebp+64h], 00h
pop es
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add dword ptr [esi-78h], edi
fld tbyte ptr [edi-4Bh]
insd
loop 00007F375C7401BEh
mov seg?, sp
aam A0h
sahf
jl 00007F375C7401CEh
test al, 20h
in eax, dx
sub eax, 4D5E8B1Eh
lodsb
mov esi, E4037676h
cmp bh, byte ptr [esi+3Ah]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, byte ptr [80000015h]
adc eax, 05000000h
add byte ptr [ecx+61h], bh
arpl word ptr [eax+61h], bp
add byte ptr [73000601h], cl
je 00007F375C7401E7h
imul esp, dword ptr fs:[ebp+00h], 00000119h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14934	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x1926	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x11c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13e18	0x14000	False	0.639904785156	data	6.92993143866	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x1568	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x1926	0x2000	False	0.429809570312	data	4.46208591353	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1787e	0x10a8	data
RT_ICON	0x17416	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173f4	0x22	data
RT_VERSION	0x17120	0x2d4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Fx Studio
InternalName	Embedshaver
FileVersion	2.00
LegalTrademarks	Fx Studio
Comments	FxCam 2020.
ProductName	FxCam 2020.
ProductVersion	2.00
FileDescription	FxCam 2020.
OriginalFilename	Embedshaver.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: ZP1H92DwTq.exe PID: 4404 Parent PID: 5664

General

Start time:	19:46:09
Start date:	21/01/2021
Path:	C:\Users\user\Desktop\ZP1H92DwTq.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\ZP1H92DwTq.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	3421EBB45A538C5044D484703448F2A7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: ZP1H92DwTq.exe PID: 4404 Parent PID: 5664 ZP1H92DwTq.exeCOMMON

Executed Functions

Function 0040745A, Relevance: 1.5, APIs: 1, Instructions: 291memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1bd9de43ff861d0f86e556d4551178e78d00ae28b5a1ffa2751c886316c10483
Instruction ID: 0b1a0d1020ad4bf84e52219f511d831e0c49a4a6979d11804082c4750aacbb3e
Opcode Fuzzy Hash: 1bd9de43ff861d0f86e556d4551178e78d00ae28b5a1ffa2751c886316c10483
Instruction Fuzzy Hash: E7717961E0D652D6EA741028CAE0B7D2151AB42310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00412DE4, Relevance: 153.1, APIs: 77, Strings: 10, Instructions: 862
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00412DE4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				void* _v44;
				short _v52;
				void* _v68;
				long long _v76;
				signed int _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				intOrPtr _v120;
				char _v128;
				intOrPtr _v136;
				char _v144;
				intOrPtr _v152;
				char _v160;
				char* _v184;
				char _v192;
				char* _v200;
				char _v208;
				char _v212;
				char _v216;
				void* _v220;
				char _v224;
				char _v228;
				char _v232;
				long long _v240;
				signed int _v244;
				signed int _v248;
				void* _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				intOrPtr* _v276;
				signed int _v280;
				signed int _v284;
				signed int _v296;
				signed int _v300;
				intOrPtr* _v304;
				signed int _v308;
				intOrPtr* _v312;
				signed int _v316;
				char _v320;
				signed int _v324;
				intOrPtr* _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				char _v348;
				signed int _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				intOrPtr* _v392;
				signed int _v396;
				intOrPtr* _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				signed int _v416;
				void* _v444;
				intOrPtr _t418;
				signed int _t422;
				char* _t425;
				signed int _t429;
				signed int _t433;
				char* _t437;
				signed int _t441;
				signed int _t445;
				signed int _t449;
				signed int _t454;
				signed int _t458;
				char* _t462;
				signed int _t466;
				char* _t469;
				char* _t473;
				signed int _t482;
				char* _t493;
				signed int _t498;
				signed int _t506;
				signed int _t510;
				char* _t515;
				signed int _t519;
				signed int _t523;
				signed int _t527;
				char* _t536;
				signed int _t539;
				signed int _t550;
				signed int _t558;
				signed int _t562;
				signed int _t566;
				signed int _t570;
				char* _t574;
				signed int _t578;
				signed int _t585;
				signed int _t596;
				signed int _t600;
				void* _t601;
				char* _t617;
				intOrPtr _t640;
				void* _t650;
				void* _t656;
				intOrPtr _t662;
				void* _t663;
				void* _t664;
				long long* _t665;
				void* _t668;
				void* _t669;
				intOrPtr* _t671;

				 *[fs:0x0] = _t662;
				L004011C0();
				_v16 = _t662;
				_v12 = 0x401130;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t418 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t650, _t656, _t601,  *[fs:0x0], 0x4011c6);
				_push(L"01/01");
				_push("/01");
				L00401334();
				_v120 = _t418;
				_v128 = 8;
				_push( &_v128);
				_push( &_v144); // executed
				L0040133A(); // executed
				_v184 = 0x7d1;
				_v192 = 0x8002;
				_push( &_v144);
				_t422 =  &_v192;
				_push(_t422);
				L00401340();
				_v244 = _t422;
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L0040132E();
				_t663 = _t662 + 0xc;
				_t425 = _v244;
				if(_t425 != 0) {
					_push(0x46);
					L00401322();
					_v184 = _t425;
					_v192 = 3;
					L00401328();
				}
				if( *0x415010 != 0) {
					_v304 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v304 = 0x415010;
				}
				_t429 =  &_v88;
				L0040131C();
				_v244 = _t429;
				_t433 =  *((intOrPtr*)( *_v244 + 0x13c))(_v244,  &_v80, _t429,  *((intOrPtr*)( *((intOrPtr*)( *_v304)) + 0x2fc))( *_v304));
				asm("fclex");
				_v248 = _t433;
				if(_v248 >= 0) {
					_v308 = _v308 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x40380c);
					_push(_v244);
					_push(_v248);
					L00401310();
					_v308 = _t433;
				}
				if( *0x415010 != 0) {
					_v312 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v312 = 0x415010;
				}
				_t437 =  &_v92;
				L0040131C();
				_v252 = _t437;
				_t441 =  *((intOrPtr*)( *_v252 + 0x70))(_v252,  &_v224, _t437,  *((intOrPtr*)( *((intOrPtr*)( *_v312)) + 0x2fc))( *_v312));
				asm("fclex");
				_v256 = _t441;
				if(_v256 >= 0) {
					_v316 = _v316 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40380c);
					_push(_v252);
					_push(_v256);
					L00401310();
					_v316 = _t441;
				}
				if( *0x415010 != 0) {
					_v320 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v320 = 0x415010;
				}
				_t445 =  &_v96;
				L0040131C();
				_v260 = _t445;
				_t449 =  *((intOrPtr*)( *_v260 + 0x58))(_v260,  &_v100, _t445,  *((intOrPtr*)( *((intOrPtr*)( *_v320)) + 0x2fc))( *_v320));
				asm("fclex");
				_v264 = _t449;
				if(_v264 >= 0) {
					_v324 = _v324 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x40380c);
					_push(_v260);
					_push(_v264);
					L00401310();
					_v324 = _t449;
				}
				_push(0);
				_push(0);
				_push(_v100);
				_push( &_v144);
				L0040130A();
				_t664 = _t663 + 0x10;
				if( *0x415010 != 0) {
					_v328 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v328 = 0x415010;
				}
				_t454 =  &_v104;
				L0040131C();
				_v268 = _t454;
				_t458 =  *((intOrPtr*)( *_v268 + 0x110))(_v268,  &_v212, _t454,  *((intOrPtr*)( *((intOrPtr*)( *_v328)) + 0x2fc))( *_v328));
				asm("fclex");
				_v272 = _t458;
				if(_v272 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x40380c);
					_push(_v268);
					_push(_v272);
					L00401310();
					_v332 = _t458;
				}
				if( *0x415010 != 0) {
					_v336 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v336 = 0x415010;
				}
				_t462 =  &_v108;
				L0040131C();
				_v276 = _t462;
				_t466 =  *((intOrPtr*)( *_v276 + 0x58))(_v276,  &_v112, _t462,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x2fc))( *_v336));
				asm("fclex");
				_v280 = _t466;
				if(_v280 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x40380c);
					_push(_v276);
					_push(_v280);
					L00401310();
					_v340 = _t466;
				}
				L0040130A();
				_t665 = _t664 + 0x10;
				_v216 = _v212;
				_t469 =  &_v144;
				L00401304();
				_v232 = _t469;
				_v184 = L"flitterguldet";
				_v192 = 8;
				_t617 =  &_v84;
				L004012FE();
				_v228 = _v224;
				_v296 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v296;
				_v128 = 8;
				_t473 =  &_v160;
				L00401304();
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t665 =  *0x401128;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t482 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v228, _t617, _t617,  &_v84, L"indmeld", 0x10,  &_v232,  &_v216, _t473, _t473,  &_v220, _t469,  &_v160, _v112, 0, 0);
				_v284 = _t482;
				if(_v284 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x4036f0);
					_push(_a4);
					_push(_v284);
					L00401310();
					_v344 = _t482;
				}
				_v52 = _v220;
				L004012F8();
				_push( &_v112);
				_push( &_v100);
				_push( &_v108);
				_push( &_v104);
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(7);
				L004012F2();
				_push( &_v160);
				_push( &_v144);
				_t493 =  &_v128;
				_push(_t493);
				_push(3);
				L0040132E();
				_v136 = 1;
				_v144 = 2;
				_push(0x403870);
				_push(0x403878);
				L00401334();
				_v120 = _t493;
				_v128 = 8;
				_push( &_v144);
				_push(2);
				_push( &_v128);
				_push( &_v160);
				L004012EC();
				_v200 = 0x403878;
				_v208 = 0x8008;
				_push( &_v160);
				_t498 =  &_v208;
				_push(_t498);
				L00401340();
				_v244 = _t498;
				_push( &_v160);
				_push( &_v144);
				_push( &_v128);
				_push(3);
				L0040132E();
				_t668 = _t665 + 0x40;
				if(_v244 != 0) {
					if( *0x415724 != 0) {
						_v348 = 0x415724;
					} else {
						_push(0x415724);
						_push(0x40389c);
						L00401316();
						_v348 = 0x415724;
					}
					_t185 =  &_v348; // 0x415724
					_v244 =  *((intOrPtr*)( *_t185));
					_t596 =  *((intOrPtr*)( *_v244 + 0x1c))(_v244,  &_v88);
					asm("fclex");
					_v248 = _t596;
					if(_v248 >= 0) {
						_v352 = _v352 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40388c);
						_push(_v244);
						_push(_v248);
						L00401310();
						_v352 = _t596;
					}
					_v252 = _v88;
					_t600 =  *((intOrPtr*)( *_v252 + 0x50))(_v252);
					asm("fclex");
					_v256 = _t600;
					if(_v256 >= 0) {
						_v356 = _v356 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x4038ac);
						_push(_v252);
						_push(_v256);
						L00401310();
						_v356 = _t600;
					}
					L004012E6();
				}
				if( *0x415010 != 0) {
					_v360 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v360 = 0x415010;
				}
				_t506 =  &_v88;
				L0040131C();
				_v244 = _t506;
				_t510 =  *((intOrPtr*)( *_v244 + 0xb0))(_v244,  &_v92, _t506,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x2fc))( *_v360));
				asm("fclex");
				_v248 = _t510;
				if(_v248 >= 0) {
					_v364 = _v364 & 0x00000000;
				} else {
					_push(0xb0);
					_push(0x40380c);
					_push(_v244);
					_push(_v248);
					L00401310();
					_v364 = _t510;
				}
				_push(0);
				_push(0);
				_push(_v92);
				_push( &_v128);
				L0040130A();
				_t669 = _t668 + 0x10;
				if( *0x415010 != 0) {
					_v368 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v368 = 0x415010;
				}
				_t515 =  &_v96;
				L0040131C();
				_v252 = _t515;
				_t519 =  *((intOrPtr*)( *_v252 + 0x70))(_v252,  &_v224, _t515,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x2fc))( *_v368));
				asm("fclex");
				_v256 = _t519;
				if(_v256 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40380c);
					_push(_v252);
					_push(_v256);
					L00401310();
					_v372 = _t519;
				}
				if( *0x415010 != 0) {
					_v376 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v376 = 0x415010;
				}
				_t523 =  &_v100;
				L0040131C();
				_v260 = _t523;
				_t527 =  *((intOrPtr*)( *_v260 + 0x100))(_v260,  &_v80, _t523,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x2fc))( *_v376));
				asm("fclex");
				_v264 = _t527;
				if(_v264 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x40380c);
					_push(_v260);
					_push(_v264);
					L00401310();
					_v380 = _t527;
				}
				_v300 = _v80;
				_v80 = _v80 & 0x00000000;
				_v152 = _v300;
				_v160 = 8;
				_v200 = L"Udlud";
				_v208 = 8;
				L004012E0();
				_v184 = L"ALTFORTRENDE";
				_v192 = 8;
				L004012FE();
				_v228 = _v224;
				_v320 =  *E00401120;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t536 =  &_v128;
				L00401304();
				_t539 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t536, _t536,  &_v228, 0x91c4c,  &_v84, 0x10,  &_v144,  &_v84,  &_v160, 0x3c25d9,  &_v240);
				_v268 = _t539;
				if(_v268 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x4036f0);
					_push(_a4);
					_push(_v268);
					L00401310();
					_v384 = _t539;
				}
				_v76 = _v240;
				L004012F8();
				L004012F2();
				L0040132E();
				_t671 = _t669 + 0x24;
				_t550 =  *((intOrPtr*)( *_a4 + 0x298))(_a4,  &_v212, 3,  &_v128,  &_v144,  &_v160, 4,  &_v88,  &_v96,  &_v100,  &_v92);
				asm("fclex");
				_v244 = _t550;
				if(_v244 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x298);
					_push(0x4036c0);
					_push(_a4);
					_push(_v244);
					L00401310();
					_v388 = _t550;
				}
				_v28 = _v212;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4);
				if( *0x415010 != 0) {
					_v392 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v392 = 0x415010;
				}
				_t558 =  &_v88;
				L0040131C();
				_v244 = _t558;
				_v184 = 0x80020004;
				_v192 = 0xa;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t562 =  *((intOrPtr*)( *_v244 + 0x12c))(_v244, 0x10, _t558,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x2fc))( *_v392));
				asm("fclex");
				_v248 = _t562;
				if(_v248 >= 0) {
					_v396 = _v396 & 0x00000000;
				} else {
					_push(0x12c);
					_push(0x40380c);
					_push(_v244);
					_push(_v248);
					L00401310();
					_v396 = _t562;
				}
				L004012E6();
				if( *0x415010 != 0) {
					_v400 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v400 = 0x415010;
				}
				_t566 =  &_v88;
				L0040131C();
				_v244 = _t566;
				_t570 =  *((intOrPtr*)( *_v244 + 0x70))(_v244,  &_v224, _t566,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x2fc))( *_v400));
				asm("fclex");
				_v248 = _t570;
				if(_v248 >= 0) {
					_v404 = _v404 & 0x00000000;
				} else {
					_push(0x70);
					_push(0x40380c);
					_push(_v244);
					_push(_v248);
					L00401310();
					_v404 = _t570;
				}
				if( *0x415010 != 0) {
					_v408 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v408 = 0x415010;
				}
				_t640 =  *((intOrPtr*)( *_v408));
				_t574 =  &_v92;
				L0040131C();
				_v252 = _t574;
				_t578 =  *((intOrPtr*)( *_v252 + 0xc0))(_v252,  &_v212, _t574,  *((intOrPtr*)(_t640 + 0x2fc))( *_v408));
				asm("fclex");
				_v256 = _t578;
				if(_v256 >= 0) {
					_v412 = _v412 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x40380c);
					_push(_v252);
					_push(_v256);
					L00401310();
					_v412 = _t578;
				}
				_v184 = 0x6a53ba;
				_v192 = 3;
				_v216 = _v212;
				L004011C0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t671 = _v224;
				_t585 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, _t640, 0x28126,  &_v216, 0x10,  &_v128);
				_v260 = _t585;
				if(_v260 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x4036f0);
					_push(_a4);
					_push(_v260);
					L00401310();
					_v416 = _t585;
				}
				L00401328();
				_push( &_v92);
				_push( &_v88);
				_push(2);
				L004012F2();
				_v120 = 0x80020004;
				_v128 = 0xa;
				_push( &_v128);
				L004012DA();
				L004012D4();
				_push(0x8704a4);
				_push(0x8704a4);
				_push(0xc76ced);
				goto __eax;
			}

0x00412df6
0x00412e02
0x00412e0a
0x00412e0d
0x00412e1a
0x00412e23
0x00412e2e
0x00412e31
0x00412e36
0x00412e3b
0x00412e40
0x00412e43
0x00412e4d
0x00412e54
0x00412e55
0x00412e5a
0x00412e64
0x00412e74
0x00412e75
0x00412e7b
0x00412e7c
0x00412e81
0x00412e8e
0x00412e92
0x00412e93
0x00412e95
0x00412e9a
0x00412e9d
0x00412ea6
0x00412ea8
0x00412eaa
0x00412eaf
0x00412eb5
0x00412ec8
0x00412ec8
0x00412ed4
0x00412ef1
0x00412ed6
0x00412ed6
0x00412edb
0x00412ee0
0x00412ee5
0x00412ee5
0x00412f15
0x00412f19
0x00412f1e
0x00412f36
0x00412f3c
0x00412f3e
0x00412f4b
0x00412f70
0x00412f4d
0x00412f4d
0x00412f52
0x00412f57
0x00412f5d
0x00412f63
0x00412f68
0x00412f68
0x00412f7e
0x00412f9b
0x00412f80
0x00412f80
0x00412f85
0x00412f8a
0x00412f8f
0x00412f8f
0x00412fbf
0x00412fc3
0x00412fc8
0x00412fe3
0x00412fe6
0x00412fe8
0x00412ff5
0x00413017
0x00412ff7
0x00412ff7
0x00412ff9
0x00412ffe
0x00413004
0x0041300a
0x0041300f
0x0041300f
0x00413025
0x00413042
0x00413027
0x00413027
0x0041302c
0x00413031
0x00413036
0x00413036
0x00413066
0x0041306a
0x0041306f
0x00413087
0x0041308a
0x0041308c
0x00413099
0x004130bb
0x0041309b
0x0041309b
0x0041309d
0x004130a2
0x004130a8
0x004130ae
0x004130b3
0x004130b3
0x004130c2
0x004130c4
0x004130c6
0x004130cf
0x004130d0
0x004130d5
0x004130df
0x004130fc
0x004130e1
0x004130e1
0x004130e6
0x004130eb
0x004130f0
0x004130f0
0x00413120
0x00413124
0x00413129
0x00413144
0x0041314a
0x0041314c
0x00413159
0x0041317e
0x0041315b
0x0041315b
0x00413160
0x00413165
0x0041316b
0x00413171
0x00413176
0x00413176
0x0041318c
0x004131a9
0x0041318e
0x0041318e
0x00413193
0x00413198
0x0041319d
0x0041319d
0x004131cd
0x004131d1
0x004131d6
0x004131ee
0x004131f1
0x004131f3
0x00413200
0x00413222
0x00413202
0x00413202
0x00413204
0x00413209
0x0041320f
0x00413215
0x0041321a
0x0041321a
0x00413237
0x0041323c
0x00413246
0x0041324d
0x00413254
0x00413259
0x0041325f
0x00413269
0x00413278
0x0041327b
0x00413286
0x0041328f
0x00413295
0x0041329f
0x004132a2
0x004132b0
0x004132b7
0x004132ce
0x004132db
0x004132dc
0x004132dd
0x004132de
0x004132f0
0x004132fd
0x00413307
0x00413308
0x00413309
0x0041330a
0x00413313
0x00413319
0x00413326
0x00413348
0x00413328
0x00413328
0x0041332d
0x00413332
0x00413335
0x0041333b
0x00413340
0x00413340
0x00413356
0x0041335d
0x00413365
0x00413369
0x0041336d
0x00413371
0x00413375
0x00413379
0x0041337d
0x0041337e
0x00413380
0x0041338e
0x00413395
0x00413396
0x00413399
0x0041339a
0x0041339c
0x004133a4
0x004133ae
0x004133b8
0x004133bd
0x004133c2
0x004133c7
0x004133ca
0x004133d7
0x004133d8
0x004133dd
0x004133e4
0x004133e5
0x004133ea
0x004133f4
0x00413404
0x00413405
0x0041340b
0x0041340c
0x00413411
0x0041341e
0x00413425
0x00413429
0x0041342a
0x0041342c
0x00413431
0x0041343d
0x0041344a
0x00413467
0x0041344c
0x0041344c
0x00413451
0x00413456
0x0041345b
0x0041345b
0x00413471
0x00413479
0x00413491
0x00413494
0x00413496
0x004134a3
0x004134c5
0x004134a5
0x004134a5
0x004134a7
0x004134ac
0x004134b2
0x004134b8
0x004134bd
0x004134bd
0x004134cf
0x004134e3
0x004134e6
0x004134e8
0x004134f5
0x00413517
0x004134f7
0x004134f7
0x004134f9
0x004134fe
0x00413504
0x0041350a
0x0041350f
0x0041350f
0x00413521
0x00413521
0x0041352d
0x0041354a
0x0041352f
0x0041352f
0x00413534
0x00413539
0x0041353e
0x0041353e
0x0041356e
0x00413572
0x00413577
0x0041358f
0x00413595
0x00413597
0x004135a4
0x004135c9
0x004135a6
0x004135a6
0x004135ab
0x004135b0
0x004135b6
0x004135bc
0x004135c1
0x004135c1
0x004135d0
0x004135d2
0x004135d4
0x004135da
0x004135db
0x004135e0
0x004135ea
0x00413607
0x004135ec
0x004135ec
0x004135f1
0x004135f6
0x004135fb
0x004135fb
0x0041362b
0x0041362f
0x00413634
0x0041364f
0x00413652
0x00413654
0x00413661
0x00413683
0x00413663
0x00413663
0x00413665
0x0041366a
0x00413670
0x00413676
0x0041367b
0x0041367b
0x00413691
0x004136ae
0x00413693
0x00413693
0x00413698
0x0041369d
0x004136a2
0x004136a2
0x004136d2
0x004136d6
0x004136db
0x004136f3
0x004136f9
0x004136fb
0x00413708
0x0041372d
0x0041370a
0x0041370a
0x0041370f
0x00413714
0x0041371a
0x00413720
0x00413725
0x00413725
0x00413737
0x0041373d
0x00413747
0x0041374d
0x00413757
0x00413761
0x00413777
0x0041377c
0x00413786
0x00413798
0x004137a3
0x004137c3
0x004137d0
0x004137dd
0x004137de
0x004137df
0x004137e0
0x004137f1
0x004137f5
0x00413803
0x00413809
0x00413816
0x00413838
0x00413818
0x00413818
0x0041381d
0x00413822
0x00413825
0x0041382b
0x00413830
0x00413830
0x00413845
0x0041384b
0x00413862
0x0041387e
0x00413883
0x00413895
0x0041389b
0x0041389d
0x004138aa
0x004138cc
0x004138ac
0x004138ac
0x004138b1
0x004138b6
0x004138b9
0x004138bf
0x004138c4
0x004138c4
0x004138da
0x004138e5
0x004138f2
0x0041390f
0x004138f4
0x004138f4
0x004138f9
0x004138fe
0x00413903
0x00413903
0x00413933
0x00413937
0x0041393c
0x00413942
0x0041394c
0x00413959
0x00413966
0x00413967
0x00413968
0x00413969
0x00413978
0x0041397e
0x00413980
0x0041398d
0x004139b2
0x0041398f
0x0041398f
0x00413994
0x00413999
0x0041399f
0x004139a5
0x004139aa
0x004139aa
0x004139bc
0x004139c8
0x004139e5
0x004139ca
0x004139ca
0x004139cf
0x004139d4
0x004139d9
0x004139d9
0x00413a09
0x00413a0d
0x00413a12
0x00413a2d
0x00413a30
0x00413a32
0x00413a3f
0x00413a61
0x00413a41
0x00413a41
0x00413a43
0x00413a48
0x00413a4e
0x00413a54
0x00413a59
0x00413a59
0x00413a6f
0x00413a8c
0x00413a71
0x00413a71
0x00413a76
0x00413a7b
0x00413a80
0x00413a80
0x00413aa6
0x00413ab0
0x00413ab4
0x00413ab9
0x00413ad4
0x00413ada
0x00413adc
0x00413ae9
0x00413b0e
0x00413aeb
0x00413aeb
0x00413af0
0x00413af5
0x00413afb
0x00413b01
0x00413b06
0x00413b06
0x00413b15
0x00413b1f
0x00413b30
0x00413b3e
0x00413b4b
0x00413b4c
0x00413b4d
0x00413b4e
0x00413b62
0x00413b6d
0x00413b73
0x00413b80
0x00413ba2
0x00413b82
0x00413b82
0x00413b87
0x00413b8c
0x00413b8f
0x00413b95
0x00413b9a
0x00413b9a
0x00413baf
0x00413bb7
0x00413bbb
0x00413bbc
0x00413bbe
0x00413bc6
0x00413bcd
0x00413bd7
0x00413bd8
0x00413be0
0x00413be5
0x00413bea
0x00413bef
0x00413bf9

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00412E02
__vbaStrCat.MSVBVM60(/01,01/01,?,?,?,?,004011C6), ref: 00412E3B
#553.MSVBVM60(?,00000008), ref: 00412E55
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 00412E7C
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008002,?), ref: 00412E95
#568.MSVBVM60(00000046,?,?,004011C6), ref: 00412EAA
__vbaVarMove.MSVBVM60 ref: 00412EC8
__vbaNew2.MSVBVM60(00403118,00415010,?,?,004011C6), ref: 00412EE0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412F19
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,0000013C), ref: 00412F63
__vbaNew2.MSVBVM60(00403118,00415010), ref: 00412F8A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412FC3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000070), ref: 0041300A
__vbaNew2.MSVBVM60(00403118,00415010), ref: 00413031
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041306A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000058), ref: 004130AE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004130D0
__vbaNew2.MSVBVM60(00403118,00415010,?,?,?,?,?,?,004011C6), ref: 004130EB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413124
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000110), ref: 00413171
__vbaNew2.MSVBVM60(00403118,00415010), ref: 00413198
__vbaObjSet.MSVBVM60(?,00000000), ref: 004131D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000058), ref: 00413215
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413237
__vbaI4Var.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004011C6), ref: 00413254
__vbaStrCopy.MSVBVM60 ref: 0041327B
__vbaI4Var.MSVBVM60(?,?), ref: 004132B7
__vbaChkstk.MSVBVM60(?,?,00000000,?,?), ref: 004132CE
__vbaChkstk.MSVBVM60(?,?,?,?,indmeld,?,?,00000000,?,?), ref: 004132FD
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004036F0,00000700), ref: 0041333B
__vbaFreeStr.MSVBVM60(00000000,00401130,004036F0,00000700), ref: 0041335D
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00413380
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041339C
__vbaStrCat.MSVBVM60(00403878,00403870), ref: 004133C2
#632.MSVBVM60(?,00000008,00000002,00000002,00403878,00403870), ref: 004133E5
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008,00000002,00000002), ref: 0041340C
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?,00008008,?), ref: 0041342C
__vbaNew2.MSVBVM60(0040389C,00415724), ref: 00413456
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040388C,0000001C), ref: 004134B8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038AC,00000050), ref: 0041350A
__vbaFreeObj.MSVBVM60(00000000,?,004038AC,00000050), ref: 00413521
__vbaNew2.MSVBVM60(00403118,00415010), ref: 00413539
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413572
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,000000B0), ref: 004135BC
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004135DB
__vbaNew2.MSVBVM60(00403118,00415010), ref: 004135F6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041362F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000070), ref: 00413676
__vbaNew2.MSVBVM60(00403118,00415010), ref: 0041369D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004136D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000100), ref: 00413720
__vbaVarDup.MSVBVM60(00000000,?,0040380C,00000100), ref: 00413777
__vbaStrCopy.MSVBVM60(00000000,?,0040380C,00000100), ref: 00413798
__vbaChkstk.MSVBVM60(?,?,00000008,003C25D9,?), ref: 004137D0
__vbaI4Var.MSVBVM60(?,?,00091C4C,?,?,?,00000008,003C25D9,?), ref: 004137F5
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004036F0,00000704,?,00000008,003C25D9,?), ref: 0041382B
__vbaFreeStr.MSVBVM60(?,00000008,003C25D9,?), ref: 0041384B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,00000008,003C25D9,?), ref: 00413862
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008), ref: 0041387E
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004036C0,00000298), ref: 004138BF
__vbaNew2.MSVBVM60(00403118,00415010), ref: 004138FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413937
__vbaChkstk.MSVBVM60(?,00000000), ref: 00413959
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040380C,0000012C), ref: 004139A5
__vbaFreeObj.MSVBVM60(00000000,00000000,0040380C,0000012C), ref: 004139BC
__vbaNew2.MSVBVM60(00403118,00415010), ref: 004139D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413A0D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040380C,00000070), ref: 00413A54
__vbaNew2.MSVBVM60(00403118,00415010), ref: 00413A7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413AB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,000000C0), ref: 00413B01
__vbaChkstk.MSVBVM60(?), ref: 00413B3E
__vbaHresultCheckObj.MSVBVM60(00000000,00401130,004036F0,00000708,?,00028126,?,?), ref: 00413B95
__vbaVarMove.MSVBVM60(?,00028126,?,?), ref: 00413BAF
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00028126,?,?), ref: 00413BBE
#594.MSVBVM60(0000000A), ref: 00413BD8
__vbaFreeVar.MSVBVM60(0000000A), ref: 00413BE0

Strings

/01, xrefs: 00412E36
Udlud, xrefs: 00413757
Boelgeform7, xrefs: 00413273
BUTTERPASTE, xrefs: 00413790
01/01, xrefs: 00412E31
3, xrefs: 00412EDB, 00412F85, 0041302C, 004130E6, 00413193, 00413534, 004135F1, 00413698, 004138F9, 004139CF, 00413A76
indmeld, xrefs: 004132DF
ALTFORTRENDE, xrefs: 0041377C
flitterguldet, xrefs: 0041325F
$WA, xrefs: 00413471

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$CallLate$CopyMove$#553#568#594#632
String ID: $WA$/01$01/01$3$ALTFORTRENDE$BUTTERPASTE$Boelgeform7$Udlud$flitterguldet$indmeld
API String ID: 793283312-3333775138
Opcode ID: 8efa7d5908ed6e15c87d6fbfdbf06afd3ac0d1817f2440649cd4b3cc557af045
Instruction ID: 8bf53d516c3c637f1ece49dc6ffb20384539093f3d5b0170c7499b738f456384
Opcode Fuzzy Hash: 8efa7d5908ed6e15c87d6fbfdbf06afd3ac0d1817f2440649cd4b3cc557af045
Instruction Fuzzy Hash: 42820671940219EFDB20EF90CC45BDDBBB8BB48305F1084EAE509BB2A1D7795A84DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401364, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 75%

			_entry_() {
				signed char _t73;
				signed char _t74;
				intOrPtr* _t78;
				signed int _t85;
				signed char _t89;
				intOrPtr* _t90;
				signed int _t91;
				signed int _t93;
				intOrPtr* _t95;
				signed int _t102;
				signed int _t103;
				signed char _t104;
				signed int _t105;
				signed int _t106;
				signed int _t107;
				void* _t108;
				signed int _t109;
				signed char _t110;
				signed int _t111;
				void* _t112;
				signed char _t113;
				signed char _t115;
				signed int _t122;
				void* _t145;
				intOrPtr* _t146;
				void* _t147;
				intOrPtr* _t151;
				void* _t156;
				void* _t157;
				void* _t158;
				char* _t159;
				signed int _t161;
				signed int _t162;
				signed char _t163;
				signed char _t164;
				void* _t167;
				intOrPtr* _t168;
				signed int* _t169;
				signed int _t170;
				signed int* _t174;
				signed int _t176;
				signed int _t179;
				void* _t188;
				signed int _t190;
				void* _t191;
				signed int _t192;
				void* _t196;
				intOrPtr _t203;

				_push("VB5!6&*"); // executed
				L0040135E(); // executed
				 *_t73 =  *_t73 + _t73;
				 *_t73 =  *_t73 + _t73;
				 *_t73 =  *_t73 + _t73;
				 *_t73 =  *_t73 ^ _t73;
				 *_t73 =  *_t73 + _t73;
				_t74 = _t73 + 1;
				 *_t74 =  *_t74 + _t74;
				 *_t74 =  *_t74 + _t74;
				 *_t74 =  *_t74 + _t74;
				 *((intOrPtr*)(_t167 - 0x17)) =  *((intOrPtr*)(_t167 - 0x17)) + _t112;
				_pop(_t168);
				goto 0xf32bd2c7;
				asm("in al, 0x40");
				_t146 =  *((intOrPtr*)(_t145 + 0xa1));
				 *_t74 =  *_t74 + _t74;
				 *_t146 =  *_t146 + _t74;
				 *_t74 =  *_t74 + _t74;
				 *_t168 =  *_t168 + _t74;
				_t158 = _t157 +  *((intOrPtr*)(_t168 + 0x6d000000));
				_t170 =  *(_t112 + 0x66) * 0x6f74726f;
				asm("insb");
				_t192 =  *0x6252CA0D * 0;
				_pop(es);
				_t147 = _t146 + 1;
				 *_t74 =  *_t74 + _t74;
				 *_t74 =  *_t74 + _t74;
				_t113 = _t112 + _t112;
				asm("int3");
				 *_t74 =  *_t74 ^ _t74;
				_t7 = _t170 - 0x78;
				 *_t7 =  *((intOrPtr*)(_t170 - 0x78)) + _t168;
				asm("insd");
				asm("loop 0x4e");
				asm("invalid");
				asm("aam 0xa0");
				asm("sahf");
				if( *_t7 >= 0) {
					asm("in eax, dx");
					asm("a16 sub eax, 0x4d5e8b1e");
					asm("lodsb");
					_t170 = 0xe4037676;
					_t168 = _t168 - 1;
					asm("lodsd");
					_t110 = _t74;
					asm("stosb");
					 *((intOrPtr*)(_t110 - 0x2d)) =  *((intOrPtr*)(_t110 - 0x2d)) + _t110;
					_t111 = _t113 ^  *(_t147 - 0x48ee309a);
					_t113 = _t110;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					 *_t111 =  *_t111 + _t111;
					_t74 =  *0x80000015;
					asm("adc eax, 0x5000000");
					 *((intOrPtr*)(_t147 + 0x61)) =  *((intOrPtr*)(_t147 + 0x61)) + _t113;
					asm("arpl [eax+0x61], bp");
					 *0x73000601 =  *0x73000601 + _t147;
					_t203 =  *0x73000601;
					if (_t203 == 0) goto L7;
				}
				if(_t203 != 0) {
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *_t74 =  *_t74 + _t74;
					 *((intOrPtr*)(_t74 + 0x55555502)) =  *((intOrPtr*)(_t74 + 0x55555502)) + _t74;
					_t159 = _t158 +  *0x6252C9FE;
					_push(0x6252c9a9);
					_push(es);
					_push(0x6252c9a6);
					asm("insd");
					_pop(es);
					_push(0x6252c9a6);
					_push(0x6252c9a6);
					_push(0x6252c9a6);
					_t78 = (_t74 + 2 | 0x00000049) +  *(_t74 + 2 | 0x00000049);
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					_t115 = (_t113 |  *_t113) + (_t113 |  *_t113);
					asm("invalid");
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					 *_t78 =  *_t78 + _t78;
					_t174 = (_t170 ^  *_t115) - 0xffffffffffffffff;
					asm("aaa");
					_pop(ss);
					 *_t174 =  *_t174 & _t115;
					_t85 = (_t78 +  *((intOrPtr*)(_t78 + 0x33028089)) + 0x09555555 | 0x114b3c3c) - 0x00000037 + 2 ^ 0x00000040;
					_t169 = _t168 + 1;
					_t151 = _t147 - 0xfffffffffffffffe;
					_pop(es);
					 *_t159 =  *_t159;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					asm("invalid");
					 *_t85 =  *_t85 + 1;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t85 =  *_t85 + _t85;
					 *_t151 =  *_t151 + _t85;
					 *((char*)(_t85 + 0x55550280)) =  *((char*)(_t85 + 0x55550280)) + 0x55;
					_t176 =  &(_t174[0]);
					_t188 = es;
					asm("adc [eax+0x33], al");
					_t161 = _t159 + 0x00000001 ^  *(_t169 + _t176);
					_t89 = ((_t85 |  *(_t85 + 0x40)) + 0x00000001 ^ 0x3b411d35) -  *((intOrPtr*)(_t161 + 0x39));
					asm("bound edi, [ebp+0x2d3a782d]");
					 *(_t89 - 0x7dced2c5) =  *(_t89 - 0x7dced2c5) ^ _t151 + 0x00000001;
					 *(_t169 +  &(_t169[0xc])) =  *(_t169 +  &(_t169[0xc])) ^ _t89;
					_t179 = (_t176 ^  *_t169) + 2;
					_t162 = _t161 |  *(_t188 + 0x55);
					_t90 = _t89 +  *_t89;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					asm("invalid");
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *_t90 =  *_t90 + _t90;
					 *((intOrPtr*)(0)) =  *((intOrPtr*)(0)) + _t179;
					_t196 = (_t192 ^  *(_t179 + 5)) + 3;
					_t91 =  <  ?  *((void*)(_t90 + 0x40)) : _t90;
					 *(_t162 + 0x3d) =  *(_t162 + 0x3d) & _t91;
					_t163 = _t162 + 1;
					 *_t169 = _t179;
					_t190 = _t188;
					asm("das");
					asm("invalid");
					asm("lahf");
					asm("aaa");
					asm("sbb bh, [edx-0x37e5deca]");
					asm("aaa");
					asm("aaa");
					asm("int 0x37");
					_t93 = _t91 & 0x20;
					 *_t179 =  *_t179 - _t93;
					 *((intOrPtr*)(_t196 + _t169)) =  *((intOrPtr*)(_t196 + _t169)) - _t169;
					_t95 = 0x1000000 + (_t93 ^  *(_t163 + 0x66));
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					asm("invalid");
					 *_t95 =  *_t95 + 1;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					 *_t95 =  *_t95 + _t95;
					asm("adc al, 0x40");
					_t102 = _t95 + 0x45 ^ 0x0000003e;
					_t164 = _t163 ^  *_t102;
					_t122 = _t161;
					if(_t102 <= 0x30) {
						_t108 = _t102 - 0x2738982a;
						_t190 = _t190 &  *(_t108 - 0x49e4ddcb);
						asm("invalid");
						asm("aad 0x3b");
						_t109 = _t108 - 0x2d3be329;
						_t122 = (_t122 &  *[ss:edx] &  *_t164) - _t196 - _t196;
						asm("aas");
						_t179 = _t179 ^  *_t109;
						_t102 = _t109 /  *_t122;
						_t164 = _t109 %  *_t122;
						asm("sbb al, 0x11");
						asm("repe xor al, 0x1e");
						asm("adc al, 0x81");
						 *[ss:ebx] =  *[ss:ebx] & _t122;
						asm("enter 0x2638, 0x21");
						asm("wait");
						 *((intOrPtr*)(_t179 + 0x3b)) =  *((intOrPtr*)(_t179 + 0x3b)) - _t102;
					}
					asm("sbb cl, [ebp+0x33]");
					_t191 = _t190 - 1;
					_t103 = _t102 +  *_t102;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					asm("invalid");
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					 *_t103 =  *_t103 + _t103;
					_t104 = _t103 | 0x3134343e;
					_t156 = 0x38 -  *((intOrPtr*)(_t179 + 0x38));
					ds = _t191;
					asm("cmpsd");
					asm("sbb bl, ah");
					asm("in eax, dx");
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					 *_t104 =  *_t104 + _t104;
					asm("cli");
					asm("adc ch, bh");
					_t105 = _t104 ^ 0x0000001f;
					asm("adc eax, 0x1a2236d7");
					asm("scasd");
					if( *((intOrPtr*)((_t164 |  *(_t191 + 0x55)) + 0x25)) < _t105) {
						asm("das");
						asm("das");
						_t106 = _t105 + 1;
						 *(_t106 + 0x10) =  *(_t106 + 0x10) ^ _t106;
						_t107 = _t106 ^  *0x1000000;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						asm("invalid");
						 *_t107 =  *_t107 + 1;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						 *_t107 =  *_t107 + _t107;
						_t105 = _t107 ^  *0x1a3b3b45;
						ds = _t156;
						asm("cmpsd");
						 *_t105 =  *_t105 + _t105;
					}
					 *_t105 =  *_t105 + _t105;
					 *_t105 =  *_t105 + _t105;
					 *_t105 =  *_t105 + _t105;
					asm("cmpsd");
					_push(0x7a);
					goto ( *((intOrPtr*)(_t169 - 0x36008596)));
				}
			}

0x00401364
0x00401369
0x0040136e
0x00401370
0x00401372
0x00401374
0x00401376
0x00401378
0x00401379
0x0040137b
0x0040137d
0x0040137f
0x00401380
0x00401381
0x00401386
0x0040138d
0x00401393
0x00401395
0x00401397
0x00401399
0x0040139b
0x004013a1
0x004013a8
0x004013a9
0x004013ad
0x004013ae
0x004013af
0x004013b1
0x004013b3
0x004013b5
0x004013b6
0x004013b8
0x004013b8
0x004013be
0x004013bf
0x004013c1
0x004013c3
0x004013c5
0x004013c6
0x004013ca
0x004013cb
0x004013d1
0x004013d2
0x004013da
0x004013db
0x004013e2
0x004013e4
0x004013e5
0x004013e8
0x004013e8
0x004013e9
0x004013eb
0x004013ed
0x004013ef
0x004013f1
0x004013f3
0x004013f5
0x004013f7
0x004013f9
0x004013fb
0x004013fd
0x004013ff
0x00401401
0x00401403
0x00401405
0x00401407
0x00401409
0x0040140b
0x0040140d
0x00401412
0x00401417
0x0040141a
0x0040141d
0x0040141d
0x00401423
0x00401423
0x00401424
0x0040149a
0x0040149c
0x0040149e
0x004014a0
0x004014a2
0x004014a4
0x004014a6
0x004014a8
0x004014aa
0x004014ac
0x004014ae
0x004014b0
0x004014b2
0x004014b4
0x004014b6
0x004014b8
0x004014ba
0x004014bc
0x004014be
0x004014c0
0x004014c2
0x004014c4
0x004014c6
0x004014cc
0x004014cf
0x004014d0
0x004014db
0x004014df
0x004014e0
0x004014e1
0x004014e2
0x004014e3
0x004014e4
0x004014e6
0x004014e8
0x004014ee
0x004014f0
0x004014f2
0x004014f4
0x004014f6
0x004014f8
0x004014fa
0x004014fc
0x004014fe
0x00401500
0x00401502
0x00401504
0x00401506
0x00401508
0x0040150a
0x0040150c
0x0040150e
0x00401510
0x00401512
0x00401514
0x00401516
0x00401518
0x0040151a
0x0040151c
0x0040151e
0x00401520
0x00401522
0x00401524
0x00401526
0x00401528
0x0040152a
0x0040152c
0x0040152e
0x00401530
0x00401532
0x00401543
0x00401549
0x0040154c
0x00401550
0x0040155c
0x00401561
0x00401567
0x00401568
0x0040156b
0x0040156e
0x00401570
0x00401572
0x00401574
0x00401577
0x00401579
0x0040157b
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158d
0x0040158f
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a5
0x004015ae
0x004015af
0x004015b4
0x004015b7
0x004015c0
0x004015d0
0x004015d7
0x004015df
0x004015ea
0x004015ec
0x004015f0
0x004015f2
0x004015f4
0x004015f6
0x004015f8
0x004015fa
0x004015fc
0x004015fe
0x00401600
0x00401602
0x00401604
0x00401606
0x0040160a
0x0040160c
0x0040160e
0x00401610
0x00401612
0x00401614
0x00401616
0x00401618
0x0040161a
0x0040161c
0x0040161e
0x00401620
0x00401627
0x00401628
0x0040162c
0x0040162f
0x00401632
0x0040163c
0x00401642
0x00401643
0x00401648
0x00401649
0x0040164f
0x00401655
0x00401659
0x0040165c
0x0040165e
0x00401662
0x0040166c
0x00401674
0x00401679
0x0040167b
0x0040167d
0x0040167f
0x00401681
0x00401683
0x00401685
0x00401687
0x00401689
0x0040168b
0x0040168d
0x0040168f
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169b
0x004016a4
0x004016a6
0x004016aa
0x004016ac
0x004016af
0x004016b2
0x004016b7
0x004016c0
0x004016c4
0x004016c6
0x004016d3
0x004016d5
0x004016d6
0x004016d8
0x004016d8
0x004016da
0x004016dc
0x004016df
0x004016e1
0x004016e4
0x004016e8
0x004016eb
0x004016eb
0x004016f4
0x004016f7
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401716
0x00401718
0x0040171a
0x00401720
0x00401727
0x0040172a
0x0040172c
0x00401733
0x00401738
0x00401739
0x0040173d
0x00401741
0x00401745
0x00401749
0x0040174d
0x00401751
0x00401755
0x00401759
0x00401760
0x00401763
0x00401765
0x00401767
0x0040176c
0x00401770
0x00401772
0x00401773
0x00401777
0x0040177a
0x0040177f
0x00401785
0x00401787
0x00401789
0x0040178b
0x0040178d
0x0040178f
0x00401791
0x00401793
0x00401795
0x00401797
0x0040179b
0x004017a7
0x004017a8
0x004017a9
0x004017a9
0x004017ad
0x004017b1
0x004017b5
0x004017b9
0x004017ba
0x004017bc
0x004017bc

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401369

Strings

VB5!6&*, xrefs: 00401364

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 9395a157d7a5376da40db32c321be19bfdf1d439960a64bd605d2c4549f454de
Instruction ID: a805932d735e92374177a217bab3dcecd8fe9d34af7d9d4891ea97012aaed563
Opcode Fuzzy Hash: 9395a157d7a5376da40db32c321be19bfdf1d439960a64bd605d2c4549f454de
Instruction Fuzzy Hash: BD41CB6244E7C58FD7038BB199666817FB5AE53218B1E41EBC4C1CF1B3D26CAC4AC762

Uniqueness

Uniqueness Score: -1.00%

Function 00407F0B, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 178
memoryCOMMON

Download Yara Rule

C-Code - Quality: 23%

			E00407F0B() {

				_push(ss);
				asm("bound esp, [edx+0x62]");
				while(1) {
					asm("bound esp, [edx+0x62]");
					asm("bound esp, [edx+0x62]");
					asm("bound esp, [edx+0x62]");
					asm("bound esp, [edx+0x62]");
					asm("bound esp, [edx+0x62]");
					asm("bound esp, [edx-0x7d]");
					while(1) {
						switch(L13) {
						}
						__eax = __eax | 0x4f0de769;
						__esp = __edi * 0x76764f0d;
					}
				}
			}

0x00407f0b
0x00407f0c
0x00407f0e
0x00407f0e
0x00407f11
0x00407f14
0x00407f17
0x00407f1a
0x00407f1d
0x00407f1f
0x00407f22
0x00000000
0x00407f23
0x00407f24
0x00407f24
0x00407f1f

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Strings

%, xrefs: 00407F58

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: %
API String ID: 4275171209-2567322570
Opcode ID: b27e04a1c59f06fc5fa7a76bbfb398c01a6946c313763fe6f2fb79f8e89efb5e
Instruction ID: 78e86968657a29df72ae532361e109d94c92b354b628c0fb1b6b1bd8a27a198d
Opcode Fuzzy Hash: b27e04a1c59f06fc5fa7a76bbfb398c01a6946c313763fe6f2fb79f8e89efb5e
Instruction Fuzzy Hash: 74316B71A0C642E5EA3850288BE063D2551AB83310F31467FDAE3B9CC58E7D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 004073D8, Relevance: 1.5, APIs: 1, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6051db9edc8670db0c765121db4ab47102a04564a794ab6255721b18c1d3b331
Instruction ID: df3a2db55d60e4c1486f584269fed0425a5fbff34c803c582392622094540f08
Opcode Fuzzy Hash: 6051db9edc8670db0c765121db4ab47102a04564a794ab6255721b18c1d3b331
Instruction Fuzzy Hash: EF818961E0D642D6EB341028CAE0B7D2551AB82310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407416, Relevance: 1.5, APIs: 1, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f51ee6ba1fcd0d705732e744900ca76c94ae5ed42069711e89474a10f2e3c24c
Instruction ID: 6d2b98499f041cdc71d0c5754ca33ea0023295ff779b92cb31dcec9180a7a9ff
Opcode Fuzzy Hash: f51ee6ba1fcd0d705732e744900ca76c94ae5ed42069711e89474a10f2e3c24c
Instruction Fuzzy Hash: 59816A61E0D652D6EA741028CAE0B7D2151AB82310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004073BD, Relevance: 1.5, APIs: 1, Instructions: 285memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ad38de56a51d9cfe821a6252b9717dea2618c653605adc27f72c9635a9599b65
Instruction ID: 0bbb83d353a4ff38c3b5ff4804a81aa75397d92e4eed77809237f8a350981948
Opcode Fuzzy Hash: ad38de56a51d9cfe821a6252b9717dea2618c653605adc27f72c9635a9599b65
Instruction Fuzzy Hash: 45816A61E0D652D6EE741028CAE0B7D21519B82310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 0040739A, Relevance: 1.5, APIs: 1, Instructions: 284memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 38ca7d5a9208d1a5ee532a30fe49c71e163e080a5785ef52fe562d0a897bbc9e
Instruction ID: d4fcbba582e6dbe1f3e1160cd7d758ddc5a65d8be345706f84f20fe08d8e6bc6
Opcode Fuzzy Hash: 38ca7d5a9208d1a5ee532a30fe49c71e163e080a5785ef52fe562d0a897bbc9e
Instruction Fuzzy Hash: 67819A62E0D642D6EA741068CAE0B7D2151AB43310F71863BCAD3B6DC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407597, Relevance: 1.5, APIs: 1, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee944c3c50a4d173365223630a066366e308209310c04bd4968097d0b78534f8
Instruction ID: 4a61ea2570a390ab0f84c6ff4d4a1cafeab1ac32aa166a27af1ff5328ef1dd9d
Opcode Fuzzy Hash: ee944c3c50a4d173365223630a066366e308209310c04bd4968097d0b78534f8
Instruction Fuzzy Hash: 5A717B61E0D652D6FA741028C6E0B7D2151AB82310F31863FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407628, Relevance: 1.5, APIs: 1, Instructions: 274memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9480f2c4da8bc1126bdf2063f0c0e20213be44306de257cbd90ad0333c6d98a2
Instruction ID: ff1e6635a8147192380000d7ff5ed0cb5f0fd0064a826a80149c0f6af470f971
Opcode Fuzzy Hash: 9480f2c4da8bc1126bdf2063f0c0e20213be44306de257cbd90ad0333c6d98a2
Instruction Fuzzy Hash: 75616861E0D652D6FA741028CAE0B3D2151AB82310F31867FDA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004074E6, Relevance: 1.5, APIs: 1, Instructions: 273memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ebc12b6f43a3052dfba1c483c184f7b662115f87b670e46e28f92481fcbab8e
Instruction ID: 8b06220e418f31cc4e67aeb829c43e3f486cf5498b6e304d870d9022b07677ce
Opcode Fuzzy Hash: 6ebc12b6f43a3052dfba1c483c184f7b662115f87b670e46e28f92481fcbab8e
Instruction Fuzzy Hash: 86717B61E0D652D6FA741028CAE0B7D2151AB42310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004075C2, Relevance: 1.5, APIs: 1, Instructions: 273memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b481a6aa130e434dd3c432a1ed4e53bd8b19c46195c0a5aa84f672bc41200e98
Instruction ID: 47c65f04e0a7629c1f934b936f0ab2df4c6fa6ed2d7d8d16ae50a003d12e8489
Opcode Fuzzy Hash: b481a6aa130e434dd3c432a1ed4e53bd8b19c46195c0a5aa84f672bc41200e98
Instruction Fuzzy Hash: 30617A61E0D652D6FA741028C6E0B3D2151AB82310F31863FCA93B6CC98A7E79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 0040742D, Relevance: 1.5, APIs: 1, Instructions: 272memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 56ce6b9a954980da5f4d88ec11250f6af75dcdde1f6a84c6aba6a264ea68e066
Instruction ID: c5914be2490c3aabd524de165c87fa3e6457b43ccdfab0ef554a4cf319836306
Opcode Fuzzy Hash: 56ce6b9a954980da5f4d88ec11250f6af75dcdde1f6a84c6aba6a264ea68e066
Instruction Fuzzy Hash: CD818961E0D652D6EB741028CAE0B7D2551AB42310F31863FDAA3B6CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407444, Relevance: 1.5, APIs: 1, Instructions: 268memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7b12e0d1993e261ad1ef48c9e290227cd40cdb2dfcc84e2f17dd073a6f5b6dd9
Instruction ID: 9a0f9468bb421ec71ebb311cb3997018b19b7fe2b309c5fa31bd1849801074ed
Opcode Fuzzy Hash: 7b12e0d1993e261ad1ef48c9e290227cd40cdb2dfcc84e2f17dd073a6f5b6dd9
Instruction Fuzzy Hash: FA717A61E0D652D6FA741028CAE0B7D2151AB82310F31863FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407497, Relevance: 1.5, APIs: 1, Instructions: 264memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f62912ac85cd0fd0f707f817e9b6a2a8cf6e766be499463b4945f31a2c249dea
Instruction ID: f8011a3888dbad4c5fe044c9c9579e403a9ca9fa8524eba8a51d292f158109e1
Opcode Fuzzy Hash: f62912ac85cd0fd0f707f817e9b6a2a8cf6e766be499463b4945f31a2c249dea
Instruction Fuzzy Hash: 26719961E0D652D6EA341028CAE0B7D2151AB42310F31867FCAA3B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004074CD, Relevance: 1.5, APIs: 1, Instructions: 263memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb8371092ac8b9d5d1f03ca683a4585d4897840874edecff7cf0da0506780f26
Instruction ID: 6a498139c8f795f3808c9b7615e01be7f5ce0ece8b01d1c8089f7b0ea4201461
Opcode Fuzzy Hash: bb8371092ac8b9d5d1f03ca683a4585d4897840874edecff7cf0da0506780f26
Instruction Fuzzy Hash: BE717BA1E0D652D6FA341068CAE0B7D2151AB42310F31863FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004074B4, Relevance: 1.5, APIs: 1, Instructions: 261memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 48333dfc79c8150dd2ed20e1b648eb530be4a1b3b5bd38806cdb51fa6c3ef4b5
Instruction ID: fe7b4b8d76fdacf029f35078c2af5c8e0370a5e5e0bc1878efcf0021a19f705b
Opcode Fuzzy Hash: 48333dfc79c8150dd2ed20e1b648eb530be4a1b3b5bd38806cdb51fa6c3ef4b5
Instruction Fuzzy Hash: 6E718B61E0C652D6FA741028CAE0B7D2151AB42310F318A3FDA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004075EA, Relevance: 1.5, APIs: 1, Instructions: 261memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0cdc483f4afe07a0d6bac56acb3d113c51be75429c7fe8682db05f5eedc4a0e9
Instruction ID: b82468759f91fd079a1b45812ed2dfb9bd1d03fa711d1573967ffbb17e4c73a7
Opcode Fuzzy Hash: 0cdc483f4afe07a0d6bac56acb3d113c51be75429c7fe8682db05f5eedc4a0e9
Instruction Fuzzy Hash: 45716C61E0D642D6FA3411288AE0B3D2151AF86310F31867FCA93B6CC58A7D79C7759F

Uniqueness

Uniqueness Score: -1.00%

Function 0040751F, Relevance: 1.5, APIs: 1, Instructions: 258memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 93157842c87cfea5071b4cde0c27d0c24407bba00c6da1dcf2dc3c4876076982
Instruction ID: 52056dbb375becf843e042d8d41180b4986a8320b8dba84d0f2100bc7d7437a8
Opcode Fuzzy Hash: 93157842c87cfea5071b4cde0c27d0c24407bba00c6da1dcf2dc3c4876076982
Instruction Fuzzy Hash: 9C717861E0D652D6FA741028CAE0B7D2151AB82310F31867FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407675, Relevance: 1.5, APIs: 1, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4623351525b9ef6e45bbc5f167e82b9e72672c795c0b3a615b1703763c21383a
Instruction ID: ad7d808c99af7881d655e55607a7c85bc8f1442e04606b5e03e1d224cd119283
Opcode Fuzzy Hash: 4623351525b9ef6e45bbc5f167e82b9e72672c795c0b3a615b1703763c21383a
Instruction Fuzzy Hash: 76615861E0D652D6FA741028CAE0B3D2151AB82310F31867FDA93B6CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 004076A9, Relevance: 1.5, APIs: 1, Instructions: 254memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c0de6d0244b6899b4ddc7b6ee8a238d858e74d00230693a4c83c598535059178
Instruction ID: 281f387812176341c40c6f471093f8265d650a512645b701c85ae2c8c1933b86
Opcode Fuzzy Hash: c0de6d0244b6899b4ddc7b6ee8a238d858e74d00230693a4c83c598535059178
Instruction Fuzzy Hash: E4614961E0D652D6FA7410288AE0B7D2151AB82310F31867FDA93B6CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407657, Relevance: 1.5, APIs: 1, Instructions: 253memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f4bf8d88123d946c6ae72e4a583dca3bce15fce7ee46d7594aaae8618322940e
Instruction ID: 7943109c64187fffca27480cf8e5cae88e69b94c02b3d53bf0a192850274fb25
Opcode Fuzzy Hash: f4bf8d88123d946c6ae72e4a583dca3bce15fce7ee46d7594aaae8618322940e
Instruction Fuzzy Hash: 0E618961E0D252D6FA341028CAE0B7D2151AB82310F31863FCA93B6CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004077B5, Relevance: 1.5, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b3de43f351860d47ab020fec15ca3f5141e0a105c6f7a57b035df9f47bf7ef8
Instruction ID: 3645eca2ca1f73672aeaf11240497775d65795baf3b5510c15e3b112cc412b28
Opcode Fuzzy Hash: 5b3de43f351860d47ab020fec15ca3f5141e0a105c6f7a57b035df9f47bf7ef8
Instruction Fuzzy Hash: 4D515861E0D242D6FA341124C6E0B3D2161AB82314F31867FDA93B5CC98A7D79C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 004076D0, Relevance: 1.5, APIs: 1, Instructions: 251memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e93240eca494fa9edd6e9814b02371ff32ab63410cef9d8b3cd1b90799f11d47
Instruction ID: 84547350e25922b01a9c94cd69af0ade049eb10e094b218c83f485bc413da143
Opcode Fuzzy Hash: e93240eca494fa9edd6e9814b02371ff32ab63410cef9d8b3cd1b90799f11d47
Instruction Fuzzy Hash: B2615A61E0D252D6FA741068CAE0B7D2151AB82300F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 004077CD, Relevance: 1.5, APIs: 1, Instructions: 251memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2fcc8afd3e0bfab134ff9789add92dad9aa1a352424785c0ce02c20086dc68be
Instruction ID: f6384bc698d3130fcac383bb1fd11f537404a7b44f67c2c156c57b7b18b8a2a6
Opcode Fuzzy Hash: 2fcc8afd3e0bfab134ff9789add92dad9aa1a352424785c0ce02c20086dc68be
Instruction Fuzzy Hash: 435146A1E0D642D6FA3410288AE0B7D2151AB82314F31867FDA93B5CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407AD6, Relevance: 1.5, APIs: 1, Instructions: 247memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9454dbc70c0f78a43599734ecbeb876dccc1e43c1d7957fba58c35690735ff94
Instruction ID: 5cdf0537f885110b6d44e412faff395ccc78bb2d3f8062f279e91b0d64eb80c2
Opcode Fuzzy Hash: 9454dbc70c0f78a43599734ecbeb876dccc1e43c1d7957fba58c35690735ff94
Instruction Fuzzy Hash: 48515A70A0D642D6EA3445248BE0A7D2251AF82314F31867FD6D3B5CC58E3E65C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 004076F8, Relevance: 1.5, APIs: 1, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ceca002581592d8d7c9a92839349c3d0f52bfdf3284ef3f516ff6cc3f61f7576
Instruction ID: 08264c471b6a374c1fa3036058110dcd93a616a60837e7d814b98d7653126691
Opcode Fuzzy Hash: ceca002581592d8d7c9a92839349c3d0f52bfdf3284ef3f516ff6cc3f61f7576
Instruction Fuzzy Hash: 4C5139A1E0D652D6FA7410288AE0B7D2151AB82310F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407738, Relevance: 1.5, APIs: 1, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7e6b9cba3793e631342361c37b66c33a109c3bfcf46a5cc13ab8fbd7931de14c
Instruction ID: 2b8b7d6d736e27d18ecccf3f826949ae70950b52607db22b58baf1d08ab75127
Opcode Fuzzy Hash: 7e6b9cba3793e631342361c37b66c33a109c3bfcf46a5cc13ab8fbd7931de14c
Instruction Fuzzy Hash: 205147A1E0D242D6FA741028CAE0B3D2151AB82300F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407B84, Relevance: 1.5, APIs: 1, Instructions: 245memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 57703d3911969cd10c454da63674d164d99ef6b7a25528fb23a795b63b684eb2
Instruction ID: a6041baf5475d01bcc403f51bed16ac240b4d4d91e9fc2d6ae314b065019952d
Opcode Fuzzy Hash: 57703d3911969cd10c454da63674d164d99ef6b7a25528fb23a795b63b684eb2
Instruction Fuzzy Hash: 2D517C70D0C542D6FA3425248AE0A7E2251AB82314F318A7FC6E3B99C4893D79C3708F

Uniqueness

Uniqueness Score: -1.00%

Function 00407956, Relevance: 1.5, APIs: 1, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3786647135d438c96ececefa2a563eb8d4ab4f5c5aa230fcc8bb29b9895326bc
Instruction ID: 382057f5b34526b219d09316d8aafd82046d9e779c1183ab831481c45c1d2320
Opcode Fuzzy Hash: 3786647135d438c96ececefa2a563eb8d4ab4f5c5aa230fcc8bb29b9895326bc
Instruction Fuzzy Hash: B661BEA0E4D242D5FA24112886E1B7D2561AF82300F30827FD9D3B48C98A7D75C7B5CF

Uniqueness

Uniqueness Score: -1.00%

Function 00407693, Relevance: 1.5, APIs: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1879d3d528c875c72acb23689dc52bdadffc9d4e6a6ec9c90ddfb9c9c62e0f64
Instruction ID: 6147e27a0f3cbaf88d764dad8290c5886890d0b126454d17414e829408f30ab0
Opcode Fuzzy Hash: 1879d3d528c875c72acb23689dc52bdadffc9d4e6a6ec9c90ddfb9c9c62e0f64
Instruction Fuzzy Hash: D1615861E0D652D6FA741028CAE0B3D2151AB82300F31867FDA93B6CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407793, Relevance: 1.5, APIs: 1, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3579b1be2ebbccb437e7c890ee31dea42d4bfe7136cee9278b2f5a2e88c1507a
Instruction ID: 60c01c9d92398b4099212d7f1f0f754959b40ed7be8cae0117b35b4cf3f4f01b
Opcode Fuzzy Hash: 3579b1be2ebbccb437e7c890ee31dea42d4bfe7136cee9278b2f5a2e88c1507a
Instruction Fuzzy Hash: 3B5147A1E0D642D6FA3410288AE0B3D2151AF82314F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407764, Relevance: 1.5, APIs: 1, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a717486c15766404794ff869addc3b22458881b5db4abcda4012c1f5abda969f
Instruction ID: 1d51f8b3c1226b03503b69d5491ed276f4b8ada6b0d5e5d9cea7f838c34f5565
Opcode Fuzzy Hash: a717486c15766404794ff869addc3b22458881b5db4abcda4012c1f5abda969f
Instruction Fuzzy Hash: 0E5147A1E0D642D6FA3411288AE0B7D2151AF82310F31867FDA93B5CC98A7D79C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 0040782E, Relevance: 1.5, APIs: 1, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4262151e5787d2937187f00282132fc74f5550a5e3b17c18962b2317087c6db
Instruction ID: b2954d81a4202f5e3ff9e77ec013b9b2ec63fb95646660551e889e8e8e071c4e
Opcode Fuzzy Hash: e4262151e5787d2937187f00282132fc74f5550a5e3b17c18962b2317087c6db
Instruction Fuzzy Hash: F75147A1E0D642D6FA3411288AE0B7D2151AF82314F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407727, Relevance: 1.5, APIs: 1, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d5516e4498f5c6442fd6c763f356d5786bb24296441517bb8e7995f99730ef6b
Instruction ID: c099d0cfad3a61113b37191afba2136b5af7545fe92379b34320e7bda86c47fe
Opcode Fuzzy Hash: d5516e4498f5c6442fd6c763f356d5786bb24296441517bb8e7995f99730ef6b
Instruction Fuzzy Hash: C75137A1E0D242D6FA7410288AE0B7D2151AB82314F31867FDA93B5CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 004078F1, Relevance: 1.5, APIs: 1, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 610cefcde1d1d4dcf6151996917a54b4801876637c644355c26e6dd24a338876
Instruction ID: 1f2208c6f0be6535a4fa575ef210ff6134750993193aec8f562328f1309c17cc
Opcode Fuzzy Hash: 610cefcde1d1d4dcf6151996917a54b4801876637c644355c26e6dd24a338876
Instruction Fuzzy Hash: 43512861E0D642D6FA3410288BE0B7D2151AB82314F31867FD693B5CC98D7D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407718, Relevance: 1.5, APIs: 1, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: eacaeb13b957fbf3db51e2bdee7d841ccd9237a3c00e8cdcd0542fb4ad9fcc36
Instruction ID: b93d5a90c2b8422eed9e8c3fafc29dfa9b1f3538735a151a334949d519a0caa2
Opcode Fuzzy Hash: eacaeb13b957fbf3db51e2bdee7d841ccd9237a3c00e8cdcd0542fb4ad9fcc36
Instruction Fuzzy Hash: 425149A1E0D242D6FA741028CAE0B3D2151AB82314F31867FDA93B5CC98A7D79C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 0040795A, Relevance: 1.5, APIs: 1, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf5af0ff6a9346ff11e9e634f290da8f59c17a52ddb335b42891a9a78125a4f7
Instruction ID: 72823ac8fc6c7bea5dee89859c81055183273e634f42b3d5d4f8cf3cdffe5258
Opcode Fuzzy Hash: cf5af0ff6a9346ff11e9e634f290da8f59c17a52ddb335b42891a9a78125a4f7
Instruction Fuzzy Hash: FD518AA0E4D242D5FA2401288AE1B7D2561AB82704F31867FDAD3B4CC989BD75C7B5CF

Uniqueness

Uniqueness Score: -1.00%

Function 004078A8, Relevance: 1.5, APIs: 1, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 351dc924661b7e231e41bcf39bacb0f21676f4391f07b08f081c59117988220c
Instruction ID: 872ef94807e8da8252abe2563fc18e66da2064dfacbf5dde33754c881ece3af4
Opcode Fuzzy Hash: 351dc924661b7e231e41bcf39bacb0f21676f4391f07b08f081c59117988220c
Instruction Fuzzy Hash: 675167A1E0D242D6EA3411288AE0B7D2551AF82310F31867FDAD3B5CC98E3D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 004079AF, Relevance: 1.5, APIs: 1, Instructions: 214memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6ab2bdfa71d1cb1871045cb20aa1488cd8eb0c9a4099e9b3b84aab539b32378d
Instruction ID: db69d52be37e64dc9558691dc2a995a4c5724ded0ce88dd07601ded56b38ea10
Opcode Fuzzy Hash: 6ab2bdfa71d1cb1871045cb20aa1488cd8eb0c9a4099e9b3b84aab539b32378d
Instruction Fuzzy Hash: 48513561A0D642D6EA341028CBE0B3D2151AB82314F31867FDAE3B5CC98E7D69C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407806, Relevance: 1.5, APIs: 1, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8345573dfa74cd0a2d5c2d2d88eeb77050e225678b2b0d7c25546830bd0f35ae
Instruction ID: a2da09184f8697b0a15ba12ce5735e6c308586bc30b51640f9efd0e19bf743ad
Opcode Fuzzy Hash: 8345573dfa74cd0a2d5c2d2d88eeb77050e225678b2b0d7c25546830bd0f35ae
Instruction Fuzzy Hash: 735146A1E0D642D6FA3410288AE0B3D2151AB82314F31867FDA93B5CC98A7D79C7749F

Uniqueness

Uniqueness Score: -1.00%

Function 00407883, Relevance: 1.5, APIs: 1, Instructions: 213memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1f40c3108f5013a992b22cd4f625833a504bd5f10bd5bdcf1f75773beae38248
Instruction ID: e85a5f4ff7a7ef81df62ea4e2801bc63451ff25bc7cd0a7696817c5cb977505f
Opcode Fuzzy Hash: 1f40c3108f5013a992b22cd4f625833a504bd5f10bd5bdcf1f75773beae38248
Instruction Fuzzy Hash: 9E5156A1E0D242D6FA3411288AE0B7D2551AB82310F31867FDAD3B5CC98A3D79C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407AA0, Relevance: 1.5, APIs: 1, Instructions: 208memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 23e80247db565616dae45989d6fb8b5bfa8606d8dea2990d54bdb6815895e54a
Instruction ID: c32a44b3b89eacc18a26abfa2733be64373343b9cfd70c66c67e6f5e83b92899
Opcode Fuzzy Hash: 23e80247db565616dae45989d6fb8b5bfa8606d8dea2990d54bdb6815895e54a
Instruction Fuzzy Hash: CF412661A0D642D5EA7450288BE0B3D2151AF82314F31867FDAE3B5CC98E7D69C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407865, Relevance: 1.5, APIs: 1, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e0cd580f3bee1e7eda47b004e3cf34dbac2f5786682f38ce8309eaef1ffbefa5
Instruction ID: 86f78ea74d5ecc6e8c343ca9a2818308961d4a6ade5eb419eacb98c13bd23174
Opcode Fuzzy Hash: e0cd580f3bee1e7eda47b004e3cf34dbac2f5786682f38ce8309eaef1ffbefa5
Instruction Fuzzy Hash: 59516861E0D642D6EA3411288AE0B7D2551AF86310F31877FCAD3B9CC98A3D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407A38, Relevance: 1.5, APIs: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6471f6d0e54562b199a9bfddcff0b2d8c9f325f027180b9316303e6fe491b0b5
Instruction ID: 9ebba1c73b691a931457e376e826add0c750ebee07ea32221985c081f08af5eb
Opcode Fuzzy Hash: 6471f6d0e54562b199a9bfddcff0b2d8c9f325f027180b9316303e6fe491b0b5
Instruction Fuzzy Hash: 9D514561A0D642D6EA3410288BE0B3D2162AF82314F31867FDAD3B5CC98E3D65C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407CED, Relevance: 1.5, APIs: 1, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 061dcff0662b5e0eba8c593d4ae65e18da071c49f0c620b74f7fce13c562910d
Instruction ID: 7cf3016fd76eb51465110165b14bf850524d48b6c811d473220f81d64423e009
Opcode Fuzzy Hash: 061dcff0662b5e0eba8c593d4ae65e18da071c49f0c620b74f7fce13c562910d
Instruction Fuzzy Hash: D7416A70A0D602D5EA7415288BE0A3D2651EF82710F7186BFDAD3B98C58E3D69C7308F

Uniqueness

Uniqueness Score: -1.00%

Function 004079D7, Relevance: 1.5, APIs: 1, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b43665f4308db43a005b77ec55c7c535650bad0e77c6c504398c7fadc8fe508e
Instruction ID: ad19c5782376df0fe51b50993c614340a9b889cc7e421879d23c5c900755ccf5
Opcode Fuzzy Hash: b43665f4308db43a005b77ec55c7c535650bad0e77c6c504398c7fadc8fe508e
Instruction Fuzzy Hash: 44514961A0D642D6EA741028CBE0B7D2151AB82314F31867FDAD3B5CC98E3D65C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 0040792E, Relevance: 1.4, APIs: 1, Instructions: 197memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a7f86a9e3de5a80808329bb019d99e4bb06cc713f668324faed587c4e4d16b43
Instruction ID: 1989f5b93d703826bf4d3a6b786173c7abb88da5970137b08b21466007da4f51
Opcode Fuzzy Hash: a7f86a9e3de5a80808329bb019d99e4bb06cc713f668324faed587c4e4d16b43
Instruction Fuzzy Hash: AC5136A1A0D642D6EA3410288AE0B7D2151AB82314F31867FD693B5CC98E7D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407A6F, Relevance: 1.4, APIs: 1, Instructions: 195memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76ebd3daec97b4001713fa61b9a975925adbe44535d71b94cf7bc9d8762e2529
Instruction ID: edb27af9a5485bed3ac0dfac66d58d1364041a2eb715e53de4ccf8678aa5a12a
Opcode Fuzzy Hash: 76ebd3daec97b4001713fa61b9a975925adbe44535d71b94cf7bc9d8762e2529
Instruction Fuzzy Hash: F3515770A0D642D6EA7845248BE0B3D2161AF82304F31867FC693B5CC98E3D65C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407BEC, Relevance: 1.4, APIs: 1, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e5931c970882b495b9b4d8373eceddcdacc68e70084d15cf70ade37fdc3596dc
Instruction ID: ad6bd9f3c4ee030b0a04af1de333a18c117d2b2222d421d11720efadac9b25e1
Opcode Fuzzy Hash: e5931c970882b495b9b4d8373eceddcdacc68e70084d15cf70ade37fdc3596dc
Instruction Fuzzy Hash: AA413461A0D642D5EA3411288BE0B3D2151AF82314F31867FDAE3B5CC98E7D69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407B61, Relevance: 1.4, APIs: 1, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 513b0a638692f5eb3d6cc800412f250d1f1f3e83589ad2523016e55fba042f74
Instruction ID: be19f0730b59ea2b70a94810abec75bea7f23dcad7b5470152aab2909d9739f7
Opcode Fuzzy Hash: 513b0a638692f5eb3d6cc800412f250d1f1f3e83589ad2523016e55fba042f74
Instruction Fuzzy Hash: D9412461A0D642D5EA7810288BE0B3D2151AF82314F31867FDAE3B5CC98E7D69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407C81, Relevance: 1.4, APIs: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c46763f6f200cf1f6d29274c802b7014cedcab00b5c1efad7323c720ac5a9067
Instruction ID: 29da108042387806d592aa46cce37999e9a4464c3b2030926609b690c9b234af
Opcode Fuzzy Hash: c46763f6f200cf1f6d29274c802b7014cedcab00b5c1efad7323c720ac5a9067
Instruction Fuzzy Hash: 17410471A0D642D5EA7411288BE0B3D2151AF82310F71867FDAE3B58C99E7D69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407C0D, Relevance: 1.4, APIs: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6bd9b292f6413bc6e4373a9160fd893bbadf21a7e7c6f9013762920f7c9214dd
Instruction ID: 7d1f9579dfd695aa82207d5716e01aaae81fb8b6db2c0a127e3db6eee331d3d5
Opcode Fuzzy Hash: 6bd9b292f6413bc6e4373a9160fd893bbadf21a7e7c6f9013762920f7c9214dd
Instruction Fuzzy Hash: 55411561A0D652D5EA7811288BE0B3D2151AF82314F31867FDAE3B5CC98E7D65C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407CAF, Relevance: 1.4, APIs: 1, Instructions: 169memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b83782776c9dc901ccac3389f0626e398fb0c5c3cc14491c5bf8f82bf58e508
Instruction ID: f3caae8395c918d55dc3a82d77f6fa0014fde87655608aa05de6fba87ea1fab3
Opcode Fuzzy Hash: 0b83782776c9dc901ccac3389f0626e398fb0c5c3cc14491c5bf8f82bf58e508
Instruction Fuzzy Hash: B7412471A0D642E5EA7811288BE0B3D2151AF82710F31867FDAE3B58C58E3D69C7319F

Uniqueness

Uniqueness Score: -1.00%

Function 00407BCA, Relevance: 1.4, APIs: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8473a79d4ef9b4655c07c368f3e8b79c70423a956329253cba8c662898c8feaf
Instruction ID: d2ca449b6b09e9f0228f7b12d08367dd6fc7040740da0ae1fbda072ead5e07fe
Opcode Fuzzy Hash: 8473a79d4ef9b4655c07c368f3e8b79c70423a956329253cba8c662898c8feaf
Instruction Fuzzy Hash: A3411471A0D642D5EA3851288BE0A3D2151AF82310F31867FDAE3B5CC98E7D69C7719F

Uniqueness

Uniqueness Score: -1.00%

Function 00407D93, Relevance: 1.4, APIs: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 52f9c9b611d7a027815a01d980a39fb546de45d2052cb28b7171322403d69ef9
Instruction ID: 90a866961aa614627ce8ba4bd7acb38c35d2732d2536f249f8400628f1e8bfdf
Opcode Fuzzy Hash: 52f9c9b611d7a027815a01d980a39fb546de45d2052cb28b7171322403d69ef9
Instruction Fuzzy Hash: 95313470A0D602E5EA3811248BE0B3D2051AB82310F31867FDAD3B5CC58E7E69C7709F

Uniqueness

Uniqueness Score: -1.00%

Function 00407D37, Relevance: 1.4, APIs: 1, Instructions: 142memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b8c4e84b584bdda45d44f8092d0f72e8aaac3ef2b489d1f071eb2e82ca918408
Instruction ID: 48d04052b1ee28de9917e818649cd562e93d198ff15a333554a6975340bc1a4b
Opcode Fuzzy Hash: b8c4e84b584bdda45d44f8092d0f72e8aaac3ef2b489d1f071eb2e82ca918408
Instruction Fuzzy Hash: F4411461A0D642D5EA7811288BE0B3D2051AF82310F31867FDAD3B5CC98E7D69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407D65, Relevance: 1.4, APIs: 1, Instructions: 137memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 981b1685ee945c57e72dde418db206d202eeee20665c4aee7643ad451b462434
Instruction ID: 682f2bf7db69bf8360c34e69180c2ace88c606d6409e229dd565a2f43a775d32
Opcode Fuzzy Hash: 981b1685ee945c57e72dde418db206d202eeee20665c4aee7643ad451b462434
Instruction Fuzzy Hash: 7531F371A0D642E5EA7811288BE0B3D2051AB82710F31867FDAD3B5CC59E7D69C7319F

Uniqueness

Uniqueness Score: -1.00%

Function 00407D4F, Relevance: 1.4, APIs: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bcf67ce8d428814c406df39b2e39aa9152b2c42f6666bae5aaccec76cd78b018
Instruction ID: cd7dc92eb8a584fa98d8f152d421c5f93096f5ba74753c4f6e38241e2d4c5ebd
Opcode Fuzzy Hash: bcf67ce8d428814c406df39b2e39aa9152b2c42f6666bae5aaccec76cd78b018
Instruction Fuzzy Hash: B2315561A0D602E5EA7410288BE0B3D2111AB82320F31867FDAD3B58C99E3D66C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407EAB, Relevance: 1.4, APIs: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aac954e0dc7264a100de1bb43daf7e850b372af350c729e8bcffd483f7842c40
Instruction ID: c0e11db40a844ef8528dfeaabcc2cecdd1d173e0d60f1deb236fd744784e6eef
Opcode Fuzzy Hash: aac954e0dc7264a100de1bb43daf7e850b372af350c729e8bcffd483f7842c40
Instruction Fuzzy Hash: 0D31F2B1A0C642D5EA3854288BE063D2151AB83324F31867FDAE3B5CC58E7E56C7715F

Uniqueness

Uniqueness Score: -1.00%

Function 00407DD7, Relevance: 1.4, APIs: 1, Instructions: 134memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8cc04bd79101cce895a0d88dbe66f26e64702fd891d0849a63b6dda3f1b3159b
Instruction ID: 8d489b9edba09312da578552856001473428a52d3c45696e22f4a0b8ff997d79
Opcode Fuzzy Hash: 8cc04bd79101cce895a0d88dbe66f26e64702fd891d0849a63b6dda3f1b3159b
Instruction Fuzzy Hash: CF31E571A0D642D5EA7811288BE0B3D2051AB82710E31877FDAD3B5CC59E7D69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407DC7, Relevance: 1.4, APIs: 1, Instructions: 133memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f55bf2b460465ff28de5b5c5911f2f41cb6158ef2361d787663ef4dec1e249c8
Instruction ID: 6ff8ef921be8916085f1c0fe65490ef063266ff2413622911a1554bec3cf2bbf
Opcode Fuzzy Hash: f55bf2b460465ff28de5b5c5911f2f41cb6158ef2361d787663ef4dec1e249c8
Instruction Fuzzy Hash: CF31F371A0D642D5EA7811288BE0B3D2051AB83720E31867FDAD3B5CC58E7E69C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407E10, Relevance: 1.4, APIs: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 17f59b5713074c619cfbe6eb6eb4017f805e046931d4af4c5b5323480571b29b
Instruction ID: be3c916ee37417fe6c8e79287cfefc2ca3534aa17c24f92d17e6ea4e8a9edbab
Opcode Fuzzy Hash: 17f59b5713074c619cfbe6eb6eb4017f805e046931d4af4c5b5323480571b29b
Instruction Fuzzy Hash: AD313471A0D612D5EA7850288BE063D2151AB82320F31867FDAE3B58C58E7D59C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407DF3, Relevance: 1.4, APIs: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ec7da58cb88ca877181f09d7d5a47a460788ba7588db9dfd507256e631c5ea21
Instruction ID: 726a4e705d2ba81295cf9ae949988eb2b24e3ed7709853c310e39f23b844dd4d
Opcode Fuzzy Hash: ec7da58cb88ca877181f09d7d5a47a460788ba7588db9dfd507256e631c5ea21
Instruction Fuzzy Hash: 10311671A0D642E5EA7810288BE073D2151AB82310F31867FDAD3B5CC58E7D65C7309F

Uniqueness

Uniqueness Score: -1.00%

Function 00407ED6, Relevance: 1.4, APIs: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e81e54eabc15ff82fbc023d28c730726638870c1a96688944fafeff807ff2067
Instruction ID: 3d9b0b150ae3c94017522dbf29cf8c42f9967293ccd2812a28e292f85765f508
Opcode Fuzzy Hash: e81e54eabc15ff82fbc023d28c730726638870c1a96688944fafeff807ff2067
Instruction Fuzzy Hash: 05311571A0C642D5EA7850288BE063C2151AB83324F31467FDAE3B5CC58E7E56C7705F

Uniqueness

Uniqueness Score: -1.00%

Function 00407E53, Relevance: 1.4, APIs: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-00002753,-00000012), ref: 00407F04

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 06b0e3ce77c270af74c37ae1b6b3d790f16f76cb990160b6ff30e00eb5be142e
Instruction ID: 5c5eeffeadba2c5528cdd8e357a5a6d0ff471bdd2b5e6893ef0c9dabd10fa277
Opcode Fuzzy Hash: 06b0e3ce77c270af74c37ae1b6b3d790f16f76cb990160b6ff30e00eb5be142e
Instruction Fuzzy Hash: 31310271A0D642E5EA3810288BE063D2051AB83720F31967FDAE3B58C58E7E95C7309F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020B14A4, Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0518946453abf77958669a2090b3fba5534ff890555d565ab8b568fb32fdc231
Instruction ID: 15cb657c3a50bc691f531bf91e8a48671414793f82093a02e49c12b7db026c6a
Opcode Fuzzy Hash: 0518946453abf77958669a2090b3fba5534ff890555d565ab8b568fb32fdc231
Instruction Fuzzy Hash: DCD1E471740702EBEB369F28CCA0BE9B3A5FF09350F544229EC9E93641D734A855EB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B5793, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8e2f0c12fc3848bce1d618bbacb00248edf734d1093a1f7e4a3a049b5448c7
Instruction ID: 4ce02f0edf1cb36cbd9f51ca256b5dbf3f563e0558b358b930869717f5b8ca84
Opcode Fuzzy Hash: cb8e2f0c12fc3848bce1d618bbacb00248edf734d1093a1f7e4a3a049b5448c7
Instruction Fuzzy Hash: 4191A6606043428EDB37CF288CD4BA9BFE19F56320F94C2E9D9A68B2D6D3718442D712

Uniqueness

Uniqueness Score: -1.00%

Function 020B5799, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4745275aca808ecdc89b45fdc115b8ae8322efdf1d85b67c437137bfef03cab
Instruction ID: 6e841de8c8c2651a74fd087eeba915313143b7db513a940a496d18db96b82f1c
Opcode Fuzzy Hash: f4745275aca808ecdc89b45fdc115b8ae8322efdf1d85b67c437137bfef03cab
Instruction Fuzzy Hash: 0151B360504342CEDB36CF688DC5BA5BFE1AF56320F88C2DAC8A58F2E6D3758446D712

Uniqueness

Uniqueness Score: -1.00%

Function 020B19B6, Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e04114523511dd1706ab1422576ced6b878ad998c66d0223bc64621f12c9d06
Instruction ID: 6f5fc8d1600d8bf858bd81930a32a50e978d047da1c088f44c9798eb0b6282a7
Opcode Fuzzy Hash: 3e04114523511dd1706ab1422576ced6b878ad998c66d0223bc64621f12c9d06
Instruction Fuzzy Hash: 16311330700311DFD76A9B68DD65FE9B3B5FF41360F558226EC6E93280EB11A884DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B1BF8, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0de789fdd4d5888fca4581e94e3beefad6fcaf0d68abb65ecc13227a76f8813
Instruction ID: 4b2cbf45bc77f94f1e3a55589013b4ebcc3ed9029ed767ed556d8160b84e8014
Opcode Fuzzy Hash: f0de789fdd4d5888fca4581e94e3beefad6fcaf0d68abb65ecc13227a76f8813
Instruction Fuzzy Hash: 5731F070244300EFEB366F24CDA8BE9B3A2FF01350F954056EC8A6B1D1C7B4D885EA52

Uniqueness

Uniqueness Score: -1.00%

Function 020B1A11, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e62162335845d897a529cee70aa64c404dc03bec7a3b998d36b526245d25752
Instruction ID: e871918fd907f8e9c5ef6dd09f2516ceaa27ec47f3e6f767527cfe1a1d76bf00
Opcode Fuzzy Hash: 2e62162335845d897a529cee70aa64c404dc03bec7a3b998d36b526245d25752
Instruction Fuzzy Hash: 8831F771B00301DFE7765A28CC65BE9B2A5FF05320F554225EC6ED3280DB21A884AB91

Uniqueness

Uniqueness Score: -1.00%

Function 020B1C00, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4503e74aa6cb932705fee4feb0af2857b46027ea9b177ec91c0c46dddf1112a
Instruction ID: cb5b97e125fae76665b4ad7836b2ff5534d7194c566f66bf48d6e8893bad70ec
Opcode Fuzzy Hash: a4503e74aa6cb932705fee4feb0af2857b46027ea9b177ec91c0c46dddf1112a
Instruction Fuzzy Hash: 0C216A70200304EFEB366F608EE9FED7372EF41705F868046E9252B0D1D7758886DA42

Uniqueness

Uniqueness Score: -1.00%

Function 020B5017, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef60e4195699aece63e0d8f277fdf8a7caad5a70952dbd5346048c3594bef495
Instruction ID: ba189e09e4e042d1e4ae533faf80b2c5786850ed5a499b02ad727123b1c67397
Opcode Fuzzy Hash: ef60e4195699aece63e0d8f277fdf8a7caad5a70952dbd5346048c3594bef495
Instruction Fuzzy Hash: 58F030353253019FD677DA18C9D4FD97BB6AF15710FC185D5D502C7226C325EC80EA91

Uniqueness

Uniqueness Score: -1.00%

Function 020B4800, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bacf2258f38c4e30e28eee8b7ca7d1e201a0238a7e7215eb0f729d84c37bbbc2
Instruction ID: ec3bc6b6b1224230c67d8fcbbf052255ca1c42a21a60000b52c031c681421814
Opcode Fuzzy Hash: bacf2258f38c4e30e28eee8b7ca7d1e201a0238a7e7215eb0f729d84c37bbbc2
Instruction Fuzzy Hash: 35B09230611681CFCEA6CA09C1A0E8473B0FB04700F8104C0E042C7A12C364E900C900

Uniqueness

Uniqueness Score: -1.00%

Function 020B29E0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 004140A4, Relevance: 96.6, APIs: 54, Strings: 1, Instructions: 326
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E004140A4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a20) {
				intOrPtr _v0;
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v32;
				char* _v36;
				void* _v44;
				void* _v48;
				char _v52;
				void* _v64;
				char _v68;
				intOrPtr _v72;
				intOrPtr _v76;
				char _v92;
				signed int _v96;
				char _v100;
				intOrPtr _v104;
				signed int _v108;
				signed int _v116;
				char _v124;
				void* _v128;
				intOrPtr _v132;
				char _v140;
				short _v148;
				char _v156;
				void* _v164;
				intOrPtr* _v168;
				char _v172;
				intOrPtr _v180;
				intOrPtr _v184;
				char _v188;
				char* _v196;
				char _v204;
				void* _v212;
				void* _v216;
				void* _v232;
				char _v244;
				char _v252;
				short _v256;
				intOrPtr _v260;
				signed int _v264;
				signed int _v268;
				char* _t161;
				char* _t166;
				signed short _t173;
				char* _t185;
				signed int _t187;
				short _t198;
				char* _t203;
				intOrPtr _t210;
				signed int _t219;
				char* _t220;
				void* _t223;
				void* _t227;
				void* _t262;
				void* _t263;
				void* _t264;
				void* _t265;
				void* _t267;
				intOrPtr _t268;
				void* _t269;
				char _t271;

				_t263 = __esi;
				_t262 = __edi;
				_t227 = __ebx;
				_t265 = _t267;
				_t268 = _t267 - 0xc;
				 *[fs:0x0] = _t268;
				L004011C0();
				_v16 = _t268;
				_v12 = 0x401178;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t264);
				_v196 = _v36;
				_v204 = 0x8003;
				_push( &_v204);
				_t161 =  &_v92;
				_push(_t161);
				L00401340();
				if(_t161 == 0) {
					_v116 = _v116 & 0x00000000;
					_v124 = 2;
					_push( &_v124);
					_push(0x400);
					L00401292();
					L004012B0();
					L004012D4();
					_v104 = 0x400;
					_v196 = _v36;
					_v204 = 0x8003;
					_push( &_v204);
					_t166 =  &_v92;
					_push(_t166);
					L00401340();
					if(_t166 == 0) {
						_v116 = 1;
						_v124 = 2;
						_v196 =  &_v100;
						_v204 = 0x4008;
						_push( &_v124);
						_push(_v104);
						_push( &_v204);
						_push( &_v140);
						L004012EC();
						_push( &_v140);
						_t173 =  &_v108;
						_push(_t173);
						L00401286();
						_push(_t173);
						L0040128C();
						asm("sbb eax, eax");
						_v256 =  ~( ~_t173 + 1);
						L004012F8();
						_push( &_v140);
						_push( &_v124);
						_push(2);
						L0040132E();
						_t269 = _t268 + 0xc;
						if(_v256 == 0) {
							_v196 =  &_v100;
							_v204 = 0x4008;
							_push(_v104);
							_push( &_v204);
							_push( &_v124);
							L0040127A();
							_push( &_v124);
							L00401280();
							L004012B0();
							L004012D4();
							goto L8;
						} else {
							_v196 =  &_v100;
							_v204 = 0x4008;
							_t223 = _v104 - 1;
							if(_t223 < 0) {
								L20:
								L0040125C();
								_t271 = _t269 - 0xc;
								 *[fs:0x0] = _t271;
								L004011C0();
								_v188 = _t271;
								_v184 = 0x401188;
								_v180 = 0;
								 *((intOrPtr*)( *_v168 + 4))(_v168, _t262, _t263, _t227, 0x50,  *[fs:0x0], 0x4011c6, _t265);
								L004012E0();
								L004012FE();
								L004012E0();
								_t219 =  *((intOrPtr*)( *_v168 + 0x288))(_v168,  &_v244);
								asm("fclex");
								_v264 = _t219;
								if(_v264 >= 0) {
									_v108 = _v108 & 0x00000000;
								} else {
									_push(0x288);
									_push(0x4036c0);
									_push(_v0);
									_push(_v96);
									L00401310();
									_v108 = _t219;
								}
								_push(0);
								_push(0);
								_push(_v76);
								_t220 =  &_v92;
								_push(_t220);
								L0040130A();
								_push(_t220);
								L00401304();
								_v72 = _t220;
								L004012E6();
								L004012D4();
								_push(0x4145eb);
								L004012D4();
								L004012F8();
								L004012D4();
								return _t220;
							} else {
								_push(_t223);
								_push( &_v204);
								_push( &_v124);
								L0040127A();
								_push( &_v124);
								L00401280();
								L004012B0();
								L004012D4();
								L8:
								_v260 = _v72;
								_t185 =  &_v52;
								_push(_t185);
								L00401304();
								if(_v260 != _t185) {
									_t185 =  &_v68;
									_push(_t185);
									L00401304();
									if(_v260 == _t185) {
										_v268 = 1;
										_v264 = _v264 | 0xffffffff;
										_push(_v100);
										L00401274();
										_v32 = _t185;
										while(_v32 >= _v268) {
											_v244 =  *_a20;
											_v252 = 8;
											_v116 = 1;
											_v124 = 2;
											_v196 =  &_v100;
											_v204 = 0x4008;
											_push( &_v124);
											_push(_v32);
											_push( &_v204);
											_push( &_v140);
											L004012EC();
											_push( &_v140);
											_t198 =  &_v108;
											_push(_t198);
											L00401286();
											_push(_t198);
											L0040128C();
											_v148 = _t198;
											_v156 = 2;
											_push( &_v156);
											_push( &_v172);
											L00401268();
											_push( &_v252);
											_push( &_v172);
											_t203 =  &_v188;
											_push(_t203);
											L0040126E();
											_push(_t203);
											L00401280();
											L004012B0();
											L004012F8();
											_push( &_v188);
											_push( &_v172);
											_push( &_v156);
											_push( &_v140);
											_push( &_v124);
											_push(5);
											L0040132E();
											_t269 = _t269 + 0x18;
											_t210 = _v32 + _v264;
											if(_t210 < 0) {
												goto L20;
											} else {
												_v32 = _t210;
												continue;
											}
											goto L26;
										}
										_v132 = 0x80020004;
										_v140 = 0xa;
										_push(0x4039c0);
										_t187 = _a20;
										_push( *_t187);
										L00401334();
										_v116 = _t187;
										_v124 = 8;
										_push(1);
										_push(1);
										_push( &_v140);
										_push( &_v124);
										L00401262();
										L004012B0();
										_push( &_v140);
										_t185 =  &_v124;
										_push(_t185);
										_push(2);
										L0040132E();
									}
									goto L17;
								} else {
									L004012FE();
									L17:
									_v96 = _v96 | 0x0000ffff;
									goto L18;
								}
							}
						}
					} else {
						goto L18;
					}
				} else {
					L18:
					L004012FE();
					_v96 = _v96 & 0x00000000;
					_push(0x4144c4);
					L004012D4();
					L004012D4();
					L004012D4();
					L004012F8();
					return _t185;
				}
				L26:
			}

0x004140a4
0x004140a4
0x004140a4
0x004140a5
0x004140a7
0x004140b6
0x004140c2
0x004140ca
0x004140cd
0x004140d4
0x004140e3
0x004140e9
0x004140ef
0x004140ff
0x00414100
0x00414103
0x00414104
0x0041410e
0x00414115
0x00414119
0x00414123
0x00414124
0x00414129
0x00414133
0x0041413b
0x00414140
0x0041414a
0x00414150
0x00414160
0x00414161
0x00414164
0x00414165
0x0041416f
0x00414176
0x0041417d
0x00414187
0x0041418d
0x0041419a
0x0041419b
0x004141a4
0x004141ab
0x004141ac
0x004141b7
0x004141b8
0x004141bb
0x004141bc
0x004141c1
0x004141c2
0x004141ca
0x004141cf
0x004141d9
0x004141e4
0x004141e8
0x004141e9
0x004141eb
0x004141f0
0x004141fc
0x0041424e
0x00414254
0x0041425e
0x00414267
0x0041426b
0x0041426c
0x00414274
0x00414275
0x0041427f
0x00414287
0x00000000
0x004141fe
0x00414201
0x00414207
0x00414214
0x00414217
0x004144ed
0x004144ed
0x004144f5
0x00414504
0x0041450e
0x00414516
0x00414519
0x00414520
0x0041452f
0x00414538
0x00414543
0x0041454e
0x0041455f
0x00414565
0x00414567
0x0041456e
0x0041458a
0x00414570
0x00414570
0x00414575
0x0041457a
0x0041457d
0x00414580
0x00414585
0x00414585
0x0041458e
0x00414590
0x00414592
0x00414595
0x00414598
0x00414599
0x004145a1
0x004145a2
0x004145a7
0x004145ad
0x004145b5
0x004145ba
0x004145d5
0x004145dd
0x004145e5
0x004145ea
0x0041421d
0x0041421d
0x00414224
0x00414228
0x00414229
0x00414231
0x00414232
0x0041423c
0x00414244
0x0041428c
0x0041428f
0x00414295
0x00414298
0x00414299
0x004142a4
0x004142b6
0x004142b9
0x004142ba
0x004142c5
0x004142cb
0x004142d5
0x004142dc
0x004142df
0x004142e4
0x004142fb
0x0041430f
0x00414315
0x0041431f
0x00414326
0x00414330
0x00414336
0x00414343
0x00414344
0x0041434d
0x00414354
0x00414355
0x00414360
0x00414361
0x00414364
0x00414365
0x0041436a
0x0041436b
0x00414370
0x00414377
0x00414387
0x0041438e
0x0041438f
0x0041439a
0x004143a1
0x004143a2
0x004143a8
0x004143a9
0x004143ae
0x004143af
0x004143b9
0x004143c1
0x004143cc
0x004143d3
0x004143da
0x004143e1
0x004143e5
0x004143e6
0x004143e8
0x004143ed
0x004142ec
0x004142f2
0x00000000
0x004142f8
0x004142f8
0x00000000
0x004142f8
0x00000000
0x004142f2
0x004143f5
0x004143fc
0x00414406
0x0041440b
0x0041440e
0x00414410
0x00414415
0x00414418
0x0041441f
0x00414421
0x00414429
0x0041442d
0x0041442e
0x00414438
0x00414443
0x00414444
0x00414447
0x00414448
0x0041444a
0x0041444f
0x00000000
0x004142a6
0x004142ac
0x00414452
0x00414452
0x00000000
0x00414452
0x004142a4
0x00414217
0x00414171
0x00000000
0x00414171
0x00414110
0x00414457
0x0041445f
0x00414464
0x00414469
0x004144a6
0x004144ae
0x004144b6
0x004144be
0x004144c3
0x004144c3
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 004140C2
__vbaVarTstNe.MSVBVM60(?,00008003), ref: 00414104
#606.MSVBVM60(00000400,00000002,?,00008003), ref: 00414129
__vbaStrMove.MSVBVM60(00000400,00000002,?,00008003), ref: 00414133
__vbaFreeVar.MSVBVM60(00000400,00000002,?,00008003), ref: 0041413B
__vbaVarTstNe.MSVBVM60(?,00008003,00000400,00000002,?,00008003), ref: 00414165
__vbaStrCopy.MSVBVM60(?,?,?,?,00004008,?), ref: 0041445F
__vbaFreeVar.MSVBVM60(004144C4,?,?,?,?,00004008,?), ref: 004144A6
__vbaFreeVar.MSVBVM60(004144C4,?,?,?,?,00004008,?), ref: 004144AE
__vbaFreeVar.MSVBVM60(004144C4,?,?,?,?,00004008,?), ref: 004144B6
__vbaFreeStr.MSVBVM60(004144C4,?,?,?,?,00004008,?), ref: 004144BE

Strings

EA, xrefs: 004145D2

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#606ChkstkCopyMove
String ID: EA
API String ID: 1087245605-1759796954
Opcode ID: fe0b661e1d099cd5f1bb6bdb3ad050d5633cf473e4ccbf88e4fc4e860c6dceef
Instruction ID: 3007a47499540c1aa361dc2bc57413a622dea20d5e9cffbe67f0e8b0f7d3b45e
Opcode Fuzzy Hash: fe0b661e1d099cd5f1bb6bdb3ad050d5633cf473e4ccbf88e4fc4e860c6dceef
Instruction Fuzzy Hash: 01D1B77190021D9ADB51EFA1CC85BDEBBB8BF04304F5041AAF509F71A1DB789A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00413DAB, Relevance: 49.2, APIs: 25, Strings: 3, Instructions: 187
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00413DAB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				char _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				char* _v120;
				intOrPtr _v128;
				void* _v180;
				char _v184;
				signed int _v188;
				short _v192;
				signed int _v212;
				signed int _v216;
				signed int _t92;
				signed int _t96;
				signed int _t104;
				signed int _t108;
				void* _t138;
				void* _t140;
				intOrPtr _t141;

				_t141 = _t140 - 0x14;
				 *[fs:0x0] = _t141;
				L004011C0();
				_v24 = _t141;
				_v20 = 0x401150;
				_v16 = 0;
				_v12 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011c6, _t138);
				L004012B6();
				L004012AA();
				L004012B0();
				L004012AA();
				L004012B0();
				_v184 = 1;
				_t92 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v184,  &_v44,  &_v48,  &_v40,  &_v180, 1, 1, 1);
				_v188 = _t92;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x4036f0);
					_push(_a4);
					_push(_v188);
					L00401310();
					_v212 = _t92;
				}
				_v192 = _v180;
				_push( &_v48);
				_push( &_v44);
				_push(2);
				L004012C8();
				_t96 = _v192;
				if(_t96 == 0) {
					L004012AA();
					L004012B0();
					L004012AA();
					L004012B0();
					_v184 = 1;
					_t104 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v184,  &_v44,  &_v48,  &_v40,  &_v180, 1, 1);
					_v188 = _t104;
					if(_v188 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x6fc);
						_push(0x4036f0);
						_push(_a4);
						_push(_v188);
						L00401310();
						_v216 = _t104;
					}
					_v192 = _v180;
					_push( &_v48);
					_push( &_v44);
					_push(2);
					L004012C8();
					_t108 = _v192;
					if(_t108 == 0) {
						goto L15;
					} else {
						_push(_v40);
						_push(L"\\MSINFO32.EXE");
						L00401334();
						L004012B0();
						_push(_t108);
						_push(0x403954);
						L004012A4();
						asm("sbb eax, eax");
						_v188 =  ~( ~( ~_t108));
						L004012F8();
						_t96 = _v188;
						if(_t96 == 0) {
							L15:
							_v104 = 0x80020004;
							_v112 = 0xa;
							_v88 = 0x80020004;
							_v96 = 0xa;
							_v72 = 0x80020004;
							_v80 = 0xa;
							_v120 = L"System Information Is Unavailable At This Time";
							_v128 = 8;
							L004012E0();
							_push( &_v112);
							_push( &_v96);
							_push( &_v80);
							_push(0);
							_t74 =  &_v64; // 0x403954
							L0040129E();
							_push( &_v112);
							_push( &_v96);
							_push( &_v80);
							_t78 =  &_v64; // 0x403954
							_t96 = _t78;
							_push(_t96);
							_push(4);
							L0040132E();
						} else {
							_push(_v40);
							_push(L"\\MSINFO32.EXE");
							L00401334();
							L004012B0();
							goto L14;
						}
					}
				} else {
					L14:
				}
				L00401298();
				_push(0x414085);
				L004012F8();
				return _t96;
			}

0x00413dae
0x00413dbd
0x00413dc9
0x00413dd1
0x00413dd4
0x00413ddb
0x00413de2
0x00413df1
0x00413df6
0x00413dfd
0x00413e07
0x00413e0e
0x00413e18
0x00413e1d
0x00413e49
0x00413e4f
0x00413e5c
0x00413e7e
0x00413e5e
0x00413e5e
0x00413e63
0x00413e68
0x00413e6b
0x00413e71
0x00413e76
0x00413e76
0x00413e8c
0x00413e96
0x00413e9a
0x00413e9b
0x00413e9d
0x00413ea5
0x00413eae
0x00413eb7
0x00413ec1
0x00413ec8
0x00413ed2
0x00413ed7
0x00413f03
0x00413f09
0x00413f16
0x00413f38
0x00413f18
0x00413f18
0x00413f1d
0x00413f22
0x00413f25
0x00413f2b
0x00413f30
0x00413f30
0x00413f46
0x00413f50
0x00413f54
0x00413f55
0x00413f57
0x00413f5f
0x00413f68
0x00000000
0x00413f6a
0x00413f6a
0x00413f6d
0x00413f72
0x00413f7c
0x00413f81
0x00413f82
0x00413f87
0x00413f8e
0x00413f94
0x00413f9e
0x00413fa3
0x00413fac
0x00413fcf
0x00413fcf
0x00413fd6
0x00413fdd
0x00413fe4
0x00413feb
0x00413ff2
0x00413ff9
0x00414000
0x0041400d
0x00414015
0x00414019
0x0041401d
0x0041401e
0x00414020
0x00414024
0x0041402c
0x00414030
0x00414034
0x00414035
0x00414035
0x00414038
0x00414039
0x0041403b
0x00413fae
0x00413fae
0x00413fb1
0x00413fb6
0x00413fc0
0x00000000
0x00413fc9
0x00413fac
0x00413eb0
0x00413fcd
0x00413fcd
0x00414043
0x00414048
0x0041407f
0x00414084

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00413DC9
__vbaOnError.MSVBVM60(00000001,?,?,?,?,004011C6), ref: 00413DF6
__vbaStrI2.MSVBVM60(00000001,00000001,?,?,?,?,004011C6), ref: 00413DFD
__vbaStrMove.MSVBVM60(00000001,00000001,?,?,?,?,004011C6), ref: 00413E07
__vbaStrI2.MSVBVM60(00000001,00000001,00000001,?,?,?,?,004011C6), ref: 00413E0E
__vbaStrMove.MSVBVM60(00000001,00000001,00000001,?,?,?,?,004011C6), ref: 00413E18
__vbaHresultCheckObj.MSVBVM60(?,00000000,004036F0,000006FC), ref: 00413E71
__vbaFreeStrList.MSVBVM60(00000002,?,00000001), ref: 00413E9D
__vbaStrI2.MSVBVM60(00000001,?,?,004011C6), ref: 00413EB7
__vbaStrMove.MSVBVM60(00000001,?,?,004011C6), ref: 00413EC1
__vbaStrI2.MSVBVM60(00000001,00000001,?,?,004011C6), ref: 00413EC8
__vbaStrMove.MSVBVM60(00000001,00000001,?,?,004011C6), ref: 00413ED2
__vbaHresultCheckObj.MSVBVM60(?,00000000,004036F0,000006FC), ref: 00413F2B
__vbaFreeStrList.MSVBVM60(00000002,00000001,?), ref: 00413F57
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413F72
__vbaStrMove.MSVBVM60(\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413F7C
__vbaStrCmp.MSVBVM60(00403954,00000000,\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413F87
__vbaFreeStr.MSVBVM60(00403954,00000000,\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413F9E
__vbaStrCat.MSVBVM60(\MSINFO32.EXE,00000001,00403954,00000000,\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413FB6
__vbaStrMove.MSVBVM60(\MSINFO32.EXE,00000001,00403954,00000000,\MSINFO32.EXE,00000001,?,00000001,00000001,?,?,004011C6), ref: 00413FC0
__vbaVarDup.MSVBVM60 ref: 0041400D
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 00414024
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0041403B
__vbaExitProc.MSVBVM60(?,?,?,?,?,?,00000001,00000001,?,?,004011C6), ref: 00414043
__vbaFreeStr.MSVBVM60(00414085,?,?,?,?,?,?,00000001,00000001,?,?,004011C6), ref: 0041407F

Strings

T9@, xrefs: 0041400A, 00414020, 00414035, 00414023, 00414038
\MSINFO32.EXE, xrefs: 00413F6D, 00413FB1
System Information Is Unavailable At This Time, xrefs: 00413FF9

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$List$CheckHresult$#595ChkstkErrorExitProc
String ID: System Information Is Unavailable At This Time$T9@$\MSINFO32.EXE
API String ID: 1135645036-4069373068
Opcode ID: e0d69ef69d89629be1dbc52910a032697340f63891a98f39b4eddaacf262a702
Instruction ID: e5db40893b645620d7d6ec25a7eec47d490506bc965ce369c45ea4765c0d1890
Opcode Fuzzy Hash: e0d69ef69d89629be1dbc52910a032697340f63891a98f39b4eddaacf262a702
Instruction Fuzzy Hash: 68714F71D40208ABDB11EF91C841FDEB7B9AF08704F1081ABF509F61A1DB799A85CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0040332D, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 71
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040332D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a40, void* _a44) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v60;
				intOrPtr _v68;
				char _v72;
				char _v88;
				signed int _v92;
				signed int _v104;
				signed int _t42;
				char* _t43;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_a4 = _a4 - 0xffff;
				_t61 = _t60 - 0xc;
				 *[fs:0x0] = _t61;
				L004011C0();
				_v16 = _t61;
				_v12 = 0x401188;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x4011c6, _t58);
				L004012E0();
				L004012FE();
				L004012E0();
				_t42 =  *((intOrPtr*)( *_a4 + 0x288))(_a4,  &_v72);
				asm("fclex");
				_v92 = _t42;
				if(_v92 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x288);
					_push(0x4036c0);
					_push(_a4);
					_push(_v92);
					L00401310();
					_v104 = _t42;
				}
				_push(0);
				_push(0);
				_push(_v72);
				_t43 =  &_v88;
				_push(_t43);
				L0040130A();
				_push(_t43);
				L00401304();
				_v68 = _t43;
				L004012E6();
				L004012D4();
				_push(0x4145eb);
				L004012D4();
				L004012F8();
				L004012D4();
				return _t43;
			}

0x0040332d
0x004144f5
0x00414504
0x0041450e
0x00414516
0x00414519
0x00414520
0x0041452f
0x00414538
0x00414543
0x0041454e
0x0041455f
0x00414565
0x00414567
0x0041456e
0x0041458a
0x00414570
0x00414570
0x00414575
0x0041457a
0x0041457d
0x00414580
0x00414585
0x00414585
0x0041458e
0x00414590
0x00414592
0x00414595
0x00414598
0x00414599
0x004145a1
0x004145a2
0x004145a7
0x004145ad
0x004145b5
0x004145ba
0x004145d5
0x004145dd
0x004145e5
0x004145ea

APIs

__vbaChkstk.MSVBVM60(00000000,004011C6,?,?,?,?,?,004011C6), ref: 0041450E
__vbaVarDup.MSVBVM60(?,?,?,00000000,004011C6), ref: 00414538
__vbaStrCopy.MSVBVM60(?,?,?,00000000,004011C6), ref: 00414543
__vbaVarDup.MSVBVM60(?,?,?,00000000,004011C6), ref: 0041454E
__vbaHresultCheckObj.MSVBVM60(00000000,00401188,004036C0,00000288), ref: 00414580
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414599
__vbaI4Var.MSVBVM60(00000000,?,?,00000000,004011C6), ref: 004145A2
__vbaFreeObj.MSVBVM60(00000000,?,?,00000000,004011C6), ref: 004145AD
__vbaFreeVar.MSVBVM60(00000000,?,?,00000000,004011C6), ref: 004145B5
__vbaFreeVar.MSVBVM60(004145EB,00000000,?,?,00000000,004011C6), ref: 004145D5
__vbaFreeStr.MSVBVM60(004145EB,00000000,?,?,00000000,004011C6), ref: 004145DD
__vbaFreeVar.MSVBVM60(004145EB,00000000,?,?,00000000,004011C6), ref: 004145E5

Strings

EA, xrefs: 004145D2

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CallCheckChkstkCopyHresultLate
String ID: EA
API String ID: 2821350654-1759796954
Opcode ID: 6b1a6d036071fc1ac29c6f8b47e8d11fc54a4f29ae1c525ab143ed9ebdb8afca
Instruction ID: 209164bfe196c107f15b50c01db9fe546db9937cfcb171cff6527127351945b8
Opcode Fuzzy Hash: 6b1a6d036071fc1ac29c6f8b47e8d11fc54a4f29ae1c525ab143ed9ebdb8afca
Instruction Fuzzy Hash: 8B212830900249ABCB00EFA1C946BDDBBB5AF14748F50857AF505BB1E1DB78AA46CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00414614, Relevance: 19.3, APIs: 9, Strings: 2, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00414614(void* __ebx, void* __edi, void* __esi, void* __eflags, char __fp0, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v48;
				void* _v52;
				char _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _t43;
				signed int _t49;
				char* _t55;
				void* _t61;
				void* _t63;
				intOrPtr _t64;

				_t64 = _t63 - 0xc;
				 *[fs:0x0] = _t64;
				L004011C0();
				_v16 = _t64;
				_v12 = 0x4011a0;
				_v8 = 0;
				_t43 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4011c6, _t61);
				_t55 =  &_v48;
				L004012E0();
				asm("fld1");
				_push(_t55);
				_push(_t55);
				_v48 = __fp0;
				L00401250();
				L00401256();
				asm("fcomp qword [0x401198]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x415724 != 0) {
						_v84 = 0x415724;
					} else {
						_push(0x415724);
						_push(0x40389c);
						L00401316();
						_v84 = 0x415724;
					}
					_t11 =  &_v84; // 0x415724
					_v60 =  *((intOrPtr*)( *_t11));
					_t49 =  *((intOrPtr*)( *_v60 + 0x1c))(_v60,  &_v52);
					asm("fclex");
					_v64 = _t49;
					if(_v64 >= 0) {
						_t22 =  &_v88;
						 *_t22 = _v88 & 0x00000000;
						__eflags =  *_t22;
					} else {
						_push(0x1c);
						_push(0x40388c);
						_push(_v60);
						_push(_v64);
						L00401310();
						_v88 = _t49;
					}
					_v68 = _v52;
					_t43 =  *((intOrPtr*)( *_v68 + 0x64))(_v68, 1,  &_v56);
					asm("fclex");
					_v72 = _t43;
					if(_v72 >= 0) {
						_t35 =  &_v92;
						 *_t35 = _v92 & 0x00000000;
						__eflags =  *_t35;
					} else {
						_push(0x64);
						_push(0x4038ac);
						_push(_v68);
						_push(_v72);
						L00401310();
						_v92 = _t43;
					}
					L004012E6();
				}
				asm("wait");
				_push(0x414743);
				L004012D4();
				return _t43;
			}

0x00414617
0x00414626
0x00414630
0x00414638
0x0041463b
0x00414642
0x00414651
0x00414657
0x0041465a
0x0041465f
0x00414661
0x00414662
0x00414663
0x00414666
0x0041466b
0x00414670
0x00414676
0x00414678
0x00414679
0x00414686
0x004146a0
0x00414688
0x00414688
0x0041468d
0x00414692
0x00414697
0x00414697
0x004146a7
0x004146ac
0x004146bb
0x004146be
0x004146c0
0x004146c7
0x004146e0
0x004146e0
0x004146e0
0x004146c9
0x004146c9
0x004146cb
0x004146d0
0x004146d3
0x004146d6
0x004146db
0x004146db
0x004146e7
0x004146f8
0x004146fb
0x004146fd
0x00414704
0x0041471d
0x0041471d
0x0041471d
0x00414706
0x00414706
0x00414708
0x0041470d
0x00414710
0x00414713
0x00414718
0x00414718
0x00414724
0x00414724
0x00414729
0x0041472a
0x0041473d
0x00414742

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00414630
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 0041465A
#587.MSVBVM60(?,?,?,?,?,?,004011C6), ref: 00414666
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,004011C6), ref: 0041466B
__vbaNew2.MSVBVM60(0040389C,00415724,?,?,?,?,?,?,004011C6), ref: 00414692
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040388C,0000001C), ref: 004146D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038AC,00000064), ref: 00414713
__vbaFreeObj.MSVBVM60(00000000,?,004038AC,00000064), ref: 00414724
__vbaFreeVar.MSVBVM60(00414743,?,?,?,?,?,?,004011C6), ref: 0041473D

Strings

CGA, xrefs: 0041473A
$WA, xrefs: 004146A7

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#587ChkstkNew2
String ID: $WA$CGA
API String ID: 2072753356-837363827
Opcode ID: 9bf540b61106af713f3514077b28c65ef6d0aa45f215ac4b1eef2d7c4a1577e3
Instruction ID: 6fc4ee8651b9dc11f8d45d73e8cb2289fc9a62c8b48380212508cfaf7081a9cc
Opcode Fuzzy Hash: 9bf540b61106af713f3514077b28c65ef6d0aa45f215ac4b1eef2d7c4a1577e3
Instruction Fuzzy Hash: 4C312470900248EFDB04EF95E986BDDBBB4FF48749F10806AF101BB2A1C7B85985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004147C2, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 88
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004147C2(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, signed int* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				short _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				char* _t50;
				signed int _t54;
				signed int _t58;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L004011C0();
				_v16 = _t72;
				_v12 = 0x4011b0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4011c6, _t69);
				L004012E0();
				 *_a36 =  *_a36 & 0x00000000;
				if( *0x415010 != 0) {
					_v88 = 0x415010;
				} else {
					_push(0x415010);
					_push("3");
					L00401316();
					_v88 = 0x415010;
				}
				_t50 =  &_v60;
				L0040131C();
				_v68 = _t50;
				_t54 =  *((intOrPtr*)( *_v68 + 0x110))(_v68,  &_v64, _t50,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x2fc))( *_v88));
				asm("fclex");
				_v72 = _t54;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x110);
					_push(0x40380c);
					_push(_v68);
					_push(_v72);
					L00401310();
					_v92 = _t54;
				}
				_t58 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _v64);
				asm("fclex");
				_v76 = _t58;
				if(_v76 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x64);
					_push(0x4036c0);
					_push(_a4);
					_push(_v76);
					L00401310();
					_v96 = _t58;
				}
				L004012E6();
				_push(0x4148ff);
				L004012D4();
				return _t58;
			}

0x004147c5
0x004147d4
0x004147de
0x004147e6
0x004147e9
0x004147f0
0x004147ff
0x00414808
0x00414810
0x0041481a
0x00414834
0x0041481c
0x0041481c
0x00414821
0x00414826
0x0041482b
0x0041482b
0x0041484f
0x00414853
0x00414858
0x00414867
0x0041486d
0x0041486f
0x00414876
0x00414892
0x00414878
0x00414878
0x0041487d
0x00414882
0x00414885
0x00414888
0x0041488d
0x0041488d
0x004148a3
0x004148a6
0x004148a8
0x004148af
0x004148c8
0x004148b1
0x004148b1
0x004148b3
0x004148b8
0x004148bb
0x004148be
0x004148c3
0x004148c3
0x004148cf
0x004148d4
0x004148f9
0x004148fe

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 004147DE
__vbaVarDup.MSVBVM60(?,?,?,?,004011C6), ref: 00414808
__vbaNew2.MSVBVM60(00403118,00415010,?,?,?,?,004011C6), ref: 00414826
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414853
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040380C,00000110), ref: 00414888
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,004036C0,00000064), ref: 004148BE
__vbaFreeObj.MSVBVM60 ref: 004148CF
__vbaFreeVar.MSVBVM60(004148FF), ref: 004148F9

Strings

3, xrefs: 00414821

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID: 3
API String ID: 304406766-1842515611
Opcode ID: 432fc09a1f7c669d774837cca0c85090bec0f4dd7eba6ca1197fe68914a8fade
Instruction ID: 66f524079ec1721b36e651dcbe763b4d8bd592d2cab26ff2b668221cf74ea0a8
Opcode Fuzzy Hash: 432fc09a1f7c669d774837cca0c85090bec0f4dd7eba6ca1197fe68914a8fade
Instruction Fuzzy Hash: 73311774900248EFCB00EFD4C985BDDBBB4BF48749F10446AF505BB2A0C7799986CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00413CE4, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E00413CE4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				char _v40;
				signed int _v44;
				char* _t24;
				signed int _t27;
				intOrPtr _t35;

				_push(0x4011c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_push(0x18);
				L004011C0();
				_v12 = _t35;
				_v8 = 0x401140;
				if( *0x415724 != 0) {
					_v40 = 0x415724;
				} else {
					_push(0x415724);
					_push(0x40389c);
					L00401316();
					_v40 = 0x415724;
				}
				_t5 =  &_v40; // 0x415724
				_v28 =  *((intOrPtr*)( *_t5));
				_t24 =  &_v24;
				L004012BC();
				_t27 =  *((intOrPtr*)( *_v28 + 0x10))(_v28, _t24, _t24, _a4);
				asm("fclex");
				_v32 = _t27;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x10);
					_push(0x40388c);
					_push(_v28);
					_push(_v32);
					L00401310();
					_v44 = _t27;
				}
				L004012E6();
				_push(0x413d98);
				return _t27;
			}

0x00413ce9
0x00413cf4
0x00413cf5
0x00413cfc
0x00413cff
0x00413d07
0x00413d0a
0x00413d18
0x00413d32
0x00413d1a
0x00413d1a
0x00413d1f
0x00413d24
0x00413d29
0x00413d29
0x00413d39
0x00413d3e
0x00413d44
0x00413d48
0x00413d56
0x00413d59
0x00413d5b
0x00413d62
0x00413d7b
0x00413d64
0x00413d64
0x00413d66
0x00413d6b
0x00413d6e
0x00413d71
0x00413d76
0x00413d76
0x00413d82
0x00413d87
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011C6), ref: 00413CFF
__vbaNew2.MSVBVM60(0040389C,00415724,?,?,?,?,004011C6), ref: 00413D24
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,?,?,004011C6), ref: 00413D48
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040388C,00000010,?,?,?,?,?,?,004011C6), ref: 00413D71
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,004011C6), ref: 00413D82

Strings

$WA, xrefs: 00413D39

Memory Dump Source

Source File: 00000000.00000002.1287941045.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287926601.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287983468.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287998410.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AddrefCheckChkstkFreeHresultNew2
String ID: $WA
API String ID: 3149954519-874810811
Opcode ID: fbddbf8620e1cace00de8b1133e1a6c1806005fb1986f90e5e856a12fbf75d37
Instruction ID: 78ccf834b9270547da9532586713842eeea25a4d79967f6bdf211201409155f9
Opcode Fuzzy Hash: fbddbf8620e1cace00de8b1133e1a6c1806005fb1986f90e5e856a12fbf75d37
Instruction Fuzzy Hash: B7112E70900609EFDB00DF91D946BEEBFF8EB08749F10446AF100B71A0C37D5A859B69

Uniqueness

Uniqueness Score: -1.00%

Function 020B5116, Relevance: 6.6, Strings: 5, Instructions: 393COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 092eada5d65875002a3ea628cfd9650c99d609e74d61e1ea9d9f87789b37badf
Instruction ID: 05c30867ac25ec8f642b4bd5f64e226908ffd4d37a06e4f18e3048b3e949eb31
Opcode Fuzzy Hash: 092eada5d65875002a3ea628cfd9650c99d609e74d61e1ea9d9f87789b37badf
Instruction Fuzzy Hash: 02D16770740305AFFF331F24CD95BEA3AA6EF46794F544128ED85A72C0D3B99884EA41

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B0E, Relevance: 6.6, Strings: 5, Instructions: 346COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 057bd022b55e3f1684ce589ee93f7f0fb0c3bf3f849029f1cbeddbd508236c1a
Instruction ID: db3b809870aa6d8da0bfbcac12e752daeef9899d5fa6926a6472d9d8c0119ded
Opcode Fuzzy Hash: 057bd022b55e3f1684ce589ee93f7f0fb0c3bf3f849029f1cbeddbd508236c1a
Instruction Fuzzy Hash: 87C12270740305AFEF325F24CD95BEA36B2EF48794F154128EE89AB2D0D3B59884EB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B4CAB, Relevance: 6.5, Strings: 5, Instructions: 296COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 03a13620400af14da750f89cb630d076e713c9408a02f57edf2cf08acffa7c25
Instruction ID: 581ba617fa1f744fb0b3df91d010c53fb89600555fe85d3314021203664c116d
Opcode Fuzzy Hash: 03a13620400af14da750f89cb630d076e713c9408a02f57edf2cf08acffa7c25
Instruction Fuzzy Hash: 2CA112B0340305AFFB321F24CD95BEA36B6EF49794F154128EE84AB1D0D3B99884EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B4A97, Relevance: 6.5, Strings: 5, Instructions: 295COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 34b4022a93cfa622a9e7042f3e0d70028e5de1a9f57b222a2a388189a160b207
Instruction ID: 0da42ef5670b26fbfbca8b897e42d5cd804ec7d82dd5f7ab135a7c77cf9485d4
Opcode Fuzzy Hash: 34b4022a93cfa622a9e7042f3e0d70028e5de1a9f57b222a2a388189a160b207
Instruction Fuzzy Hash: 25A12270340305AFFB321F24CD95BEA36B2EF49798F154128EE85AB1D0D3B99884EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B216A, Relevance: 6.5, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 5f0658bf0f27feced2688d07415d07f1ce405716be9025df955ab0f55be10404
Instruction ID: e7a4ad3ac4ed7e8554349dd1414945356d45b78157de531568fc35852ea7c92b
Opcode Fuzzy Hash: 5f0658bf0f27feced2688d07415d07f1ce405716be9025df955ab0f55be10404
Instruction Fuzzy Hash: 9B912270340305AFEF321F24CD99BEA36B6EF45788F158128ED84AB1D0C7B99884EB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B21C5, Relevance: 6.5, Strings: 5, Instructions: 254COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: f762ff705b8e8a5d919a4ae04969c66ca8d420ebbf822dbf172060ef7ffa9789
Instruction ID: 1f28cc2425d408cd13f05471bc5b8d1dd4bc2d788dc9aa12b3ad4ad5968d11ce
Opcode Fuzzy Hash: f762ff705b8e8a5d919a4ae04969c66ca8d420ebbf822dbf172060ef7ffa9789
Instruction Fuzzy Hash: 7F811470340305AFEF362F24CD95BEA36B2EF49794F554128ED84AB1D0C7B99884EB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B2223, Relevance: 6.5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 743b6eb79984aa8b2ad6ddbf162e8815e9903540925b7a1169e592d82ccf9b36
Instruction ID: f56f7265d313df550c009702bdaef3dafa37f07d62ff7eef534eef60e0f23bf9
Opcode Fuzzy Hash: 743b6eb79984aa8b2ad6ddbf162e8815e9903540925b7a1169e592d82ccf9b36
Instruction Fuzzy Hash: 48811370340305AFEF361F24CD95BEA36B2EF49788F558128ED85AB1D0D7B99884EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020B2279, Relevance: 6.5, Strings: 5, Instructions: 215COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 16cf2af44e31fa1781d50699ecd4902abdddb9224464d908096d041d4fbcb704
Instruction ID: fa35fffd40965fbd36cfc4d17fcafca0787f336fad62a99601b4dc4511827ba9
Opcode Fuzzy Hash: 16cf2af44e31fa1781d50699ecd4902abdddb9224464d908096d041d4fbcb704
Instruction Fuzzy Hash: F9710370240305AFEF765F20CD95BEA36B2FF49784F504128ED85AB1D0D7B99884EB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B22DA, Relevance: 6.4, Strings: 5, Instructions: 196COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 6f73ce1c0c86ec3fbf08df030fa0659fe22f58d64910120bee81761b88d87449
Instruction ID: b75d8361132477ecc3f5eedfaeb6f121b16e7dae2bf278313f71dfd90b235905
Opcode Fuzzy Hash: 6f73ce1c0c86ec3fbf08df030fa0659fe22f58d64910120bee81761b88d87449
Instruction Fuzzy Hash: 7061E370340305AFFF761F20DD95BEA3666EF48788F544024ED85AA5D0D7BA98C8EB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B23A9, Relevance: 6.4, Strings: 5, Instructions: 156COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: b180939b1cc8bb85db05bbce29060380b784085835821e6ad0963a8d126b7f7f
Instruction ID: 9c01aad81fe8804c8ddda57dc11c1f259d36e3b8688a44b0cd4b567570052d26
Opcode Fuzzy Hash: b180939b1cc8bb85db05bbce29060380b784085835821e6ad0963a8d126b7f7f
Instruction Fuzzy Hash: D151E570340304AFEF771F20DD95BE93666EF48784F554025FE85AA1E0D7B65888EA41

Uniqueness

Uniqueness Score: -1.00%

Function 020B2419, Relevance: 6.4, Strings: 5, Instructions: 132COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: 772912fedee70b4fe32da949c692976d474288ce2499fae7a6f5cae820c6ccaa
Instruction ID: 78708f714880f8c1ed257bfcbb285d0c598af2c87b5b0aad6c9876cf0c62a444
Opcode Fuzzy Hash: 772912fedee70b4fe32da949c692976d474288ce2499fae7a6f5cae820c6ccaa
Instruction Fuzzy Hash: 5741D3B0640304AFEF7B1F60DE95BEA3666FF48748F544025EE846A1E0D7B65884EB81

Uniqueness

Uniqueness Score: -1.00%

Function 020B4B06, Relevance: 6.3, Strings: 5, Instructions: 63COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F
jjj, xrefs: 020B2459

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u_j$E)$9
API String ID: 0-2665357256
Opcode ID: f5e8ff97728ec10f29432df612ffaf7f3b0d7d8ca4efb0494abd099ca52f9f85
Instruction ID: 95c13fdbec9439d356604557af3a0cdba465ebf688c87d2d79276574ccf91a63
Opcode Fuzzy Hash: f5e8ff97728ec10f29432df612ffaf7f3b0d7d8ca4efb0494abd099ca52f9f85
Instruction Fuzzy Hash: 9821AC75900315DFCF66CF18C5A0AE937B0EF48721B56856AEC4A9B352D331EE40EB51

Uniqueness

Uniqueness Score: -1.00%

Function 020B2480, Relevance: 5.1, Strings: 4, Instructions: 109COMMON

Download Yara Rule

Strings

9, xrefs: 020B26BA
u_j, xrefs: 020B2664
j@h, xrefs: 020B24E6
E), xrefs: 020B253F

Memory Dump Source

Source File: 00000000.00000002.1289480513.00000000020B0000.00000040.00000001.sdmp, Offset: 020B0000, based on PE: false

Similarity

API ID:
String ID: j@h$u_j$E)$9
API String ID: 0-1297280831
Opcode ID: aa0d0f6e8e882c06dab6e35748554ff366690d8f7ac27d39569bed2043059708
Instruction ID: f966db9d8453a084b8c5e640751a49f308f9cf0831d8d47d26b8c2a1ecd26e88
Opcode Fuzzy Hash: aa0d0f6e8e882c06dab6e35748554ff366690d8f7ac27d39569bed2043059708
Instruction Fuzzy Hash: E7310870600304AFEF7B2F60DE94BEE3666FF48398F454025ED94660A0D77648D4EA81

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report ZP1H92DwTq.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: ZP1H92DwTq.exe PID: 4404 Parent PID: 5664

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: ZP1H92DwTq.exe PID: 4404 Parent PID: 5664 ZP1H92DwTq.exeCOMMON

Executed Functions

Function 0040745A, Relevance: 1.5, APIs: 1, Instructions: 291memoryCOMMON

Function 00412DE4, Relevance: 153.1, APIs: 77, Strings: 10, Instructions: 862COMMON

Function 00401364, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178COMMON

Function 00407F0B, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 178memoryCOMMON

Function 004073D8, Relevance: 1.5, APIs: 1, Instructions: 293memoryCOMMON

Function 00412DE4, Relevance: 153.1, APIs: 77, Strings: 10, Instructions: 862
COMMON

Function 00401364, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
COMMON

Function 00407F0B, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 178
memoryCOMMON