Play interactive tour

Edit tour

Analysis Report Overworn.exe

Overview

General Information

Sample Name:	Overworn.exe
Analysis ID:	384218
MD5:	5e68ca13c917b9126ad737ac0a570d66
SHA1:	d0fd2b4757b4a0266cd548dd7307eec33ab4f9d3
SHA256:	9b7f6820091a78be8c817c46b864488a35faacb33a21c104953564e974050828
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Overworn.exe (PID: 2200 cmdline: 'C:\Users\user\Desktop\Overworn.exe' MD5: 5E68CA13C917B9126AD737AC0A570D66)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.731517060.00000000004F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Overworn.exe

Virustotal: Detection: 46%

Perma Link

Machine Learning detection for sample

Show sources

Source: Overworn.exe

Joe Sandbox ML: detected

Source: Overworn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Overworn.exe, 00000001.00000002.731737595.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Overworn.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00408D2A	1_2_00408D2A
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_004095D4	1_2_004095D4
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00408DE0	1_2_00408DE0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00408E76	1_2_00408E76
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00408F13	1_2_00408F13
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_0040D3C4	1_2_0040D3C4

Source: Overworn.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Overworn.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Overworn.exe, 00000001.00000002.732187896.0000000002270000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs Overworn.exe

Source: Overworn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Overworn.exe

File created: C:\Users\user\AppData\Local\Temp\~DFEA00A80929BD1817.TMP

Jump to behavior

Source: Overworn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Overworn.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Overworn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Overworn.exe

Virustotal: Detection: 46%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.731517060.00000000004F0000.00000040.00000001.sdmp, type: MEMORY

Source: Overworn.exe

Static PE information: real checksum: 0x2af75 should be: 0x1db80

Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_004013E8 push es; iretd	1_2_004018C0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00405C43 push es; iretd	1_2_00405C4C
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00404C46 push es; iretd	1_2_00404C60
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00406446 push es; iretd	1_2_00406464
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00405C4F push es; iretd	1_2_00405CB4
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00406853 push es; iretd	1_2_00406854
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_0040387F push es; iretd	1_2_00403880
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00406403 push es; iretd	1_2_00406420
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00406403 push es; iretd	1_2_004064A0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00402037 push es; iretd	1_2_00402060
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00401438 push es; iretd	1_2_004018C0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_0040643D push es; iretd	1_2_00406440
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_004018F2 push es; iretd	1_2_004019DC
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00405CF3 push es; iretd	1_2_00405D2C
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00406487 push es; iretd	1_2_004064A0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_0040288C push es; iretd	1_2_004028B8
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_0040D8A2 push ss; ret	1_2_0040D8A9
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_004078AD push es; iretd	1_2_00407908
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00405CB7 push es; iretd	1_2_00405CF0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00407543 push es; iretd	1_2_00407554
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00404D4F push es; iretd	1_2_00404EC0
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00407957 push es; iretd	1_2_00407968
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00403966 push es; iretd	1_2_00403968
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00403D6C push es; iretd	1_2_00403D78
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00407171 push es; iretd	1_2_004072C8
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00407171 push es; iretd	1_2_00407320
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00407171 push es; iretd	1_2_004073D8
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00404901 push es; iretd	1_2_00404904
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00402917 push es; iretd	1_2_00402918
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_00403DD7 push es; iretd	1_2_00403E64
Source: C:\Users\user\Desktop\Overworn.exe	Code function: 1_2_004019DF push es; iretd	1_2_00401ADC

Source: C:\Users\user\Desktop\Overworn.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Overworn.exe

RDTSC instruction interceptor: First address: 00000000004F32A7 second address: 00000000004F32A7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9EE48449A5h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bx, 5F68h 0x00000022 test ebx, ebx 0x00000024 pop ecx 0x00000025 add edi, edx 0x00000027 dec ecx 0x00000028 jmp 00007F9EE484499Ah 0x0000002a cmp edx, ebx 0x0000002c cmp ecx, 00000000h 0x0000002f jne 00007F9EE4844942h 0x00000031 test ebx, 24644987h 0x00000037 test bh, ch 0x00000039 push ecx 0x0000003a cmp ecx, BD743742h 0x00000040 call 00007F9EE48449E9h 0x00000045 call 00007F9EE48449B5h 0x0000004a lfence 0x0000004d mov edx, dword ptr [7FFE0014h] 0x00000053 lfence 0x00000056 ret 0x00000057 mov esi, edx 0x00000059 pushad 0x0000005a rdtsc

Source: C:\Users\user\Desktop\Overworn.exe

Code function: 1_2_004030B7 rdtsc

1_2_004030B7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Overworn.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Overworn.exe

Code function: 1_2_004030B7 rdtsc

1_2_004030B7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Overworn.exe, 00000001.00000002.731802449.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery21	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Overworn.exe	46%	Virustotal		Browse
Overworn.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384218
Start date:	08.04.2021
Start time:	18:49:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Overworn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 46.7% (good quality ratio 21.7%) Quality average: 19.5% Quality standard deviation: 22.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.575516391079876
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Overworn.exe
File size:	110592
MD5:	5e68ca13c917b9126ad737ac0a570d66
SHA1:	d0fd2b4757b4a0266cd548dd7307eec33ab4f9d3
SHA256:	9b7f6820091a78be8c817c46b864488a35faacb33a21c104953564e974050828
SHA512:	d531dc2b89622358822e849a0c8243682c3eeb7ee3a5cd8a769a6fed7ea99dc8c5d5a716a92e6dca8a8db4db6add0936d7f17050dc8c676452623dbd1f8bdd28
SSDEEP:	1536:P98REJz42DCgO72vL2M/FPVm9vr8Zy0ksPVm9vDd2Mf2v:P8E+53z8Vm9tMVmy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...%..M.................0...................@....@................

File Icon


Icon Hash:	c0c6f2e0e4fefe3f

Static PE Info

General
Entrypoint:	0x4013e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4DA78625 [Thu Apr 14 23:41:25 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d1ed0dda3501483d16a7ad09b76f3b08

Entrypoint Preview

Instruction
push 00410EA4h
call 00007F9EE47B86A3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, dh
sub byte ptr [ebp+4BE18418h], bh
stosb
sbb edi, edi
push ebp
movsd
add eax, 00001988h
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
push esp
dec ecx
dec ebx
dec esp
inc ebp
inc esp
dec esi
dec ecx
dec esi
inc edi
inc ebp
push edx
dec esi
inc ebp
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or eax, dword ptr [edx-259BB489h]
jc 00007F9EE47B8634h
dec ecx
scasd
mov ecx, dword ptr [ebp+1Ah]
add byte ptr [ebx-6EA6279Ch], cl
pop ds
sbb ah, dh
fstcw word ptr [edx+42h]
wait
xchg eax, esp
cmp byte ptr [esp+3AA65790h], ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
imul edi, ecx, F7870000h
add byte ptr [eax], al
add byte ptr [65764F00h], cl
jc 00007F9EE47B871Fh
imul ebp, dword ptr [esi+65h], 73h
jnc 00007F9EE47B86E5h
add byte ptr [4F000801h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x132d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x5c3a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x108	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1277c	0x13000	False	0.413021689967	data	5.97030490248	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x14000	0x117c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x5c3a	0x6000	False	0.359659830729	data	5.26995713236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1ad92	0xea8	data
RT_ICON	0x1a4ea	0x8a8	data
RT_ICON	0x19f82	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x179da	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x16932	0x10a8	data
RT_ICON	0x164ca	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x16470	0x5a	data
RT_VERSION	0x161e0	0x290	MS Windows COFF PA-RISC object file	Guarani	Paraguay

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0474 0x04b0
InternalName	Overworn
FileVersion	1.00
CompanyName	Pana-sonic
Comments	Pana-sonic
ProductName	Pana-sonic
ProductVersion	1.00
FileDescription	Pana-sonic
OriginalFilename	Overworn.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Guarani	Paraguay

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Overworn.exe PID: 2200 Parent PID: 5624

General

Start time:	18:50:41
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\Overworn.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Overworn.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	5E68CA13C917B9126AD737AC0A570D66
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000001.00000002.731517060.00000000004F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Overworn.exe PID: 2200 Parent PID: 5624 Overworn.exeCOMMON

Executed Functions

Function 00408D2A, Relevance: 31.1, APIs: 1, Strings: 19, Instructions: 1099COMMON

Download Yara Rule

Strings

?, xrefs: 00408F6B
Y, xrefs: 00408F6E
~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
n, xrefs: 00408EEF
m, xrefs: 00409485
e, xrefs: 00408FF8
R, xrefs: 00408DC4
=, xrefs: 00409127
', xrefs: 00408EDF
L, xrefs: 00408F68
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$%$'$1$7$=$=$?$L$R$U$Y$e$m$n$w$w$}$~
API String ID: 0-933857539
Opcode ID: c168e0399893294820c7fd497d7750a5ba42b3ba23d6a367d11690e8eb8ec547
Instruction ID: 81c64418a2bf5f4771754ecabc6d5ba90e3d79e4403eed572b4e3d86a6412341
Opcode Fuzzy Hash: c168e0399893294820c7fd497d7750a5ba42b3ba23d6a367d11690e8eb8ec547
Instruction Fuzzy Hash: 2262439192A30299FFB32120C5C076D6690DF07785F348F77C861F69D2EA2F89CA1697

Uniqueness

Uniqueness Score: -1.00%

Function 00408DE0, Relevance: 31.1, APIs: 1, Strings: 19, Instructions: 1078COMMON

Download Yara Rule

Strings

?, xrefs: 00408F6B
Y, xrefs: 00408F6E
~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
n, xrefs: 00408EEF
m, xrefs: 00409485
e, xrefs: 00408FF8
R, xrefs: 00408DC4
=, xrefs: 00409127
', xrefs: 00408EDF
L, xrefs: 00408F68
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$%$'$1$7$=$=$?$L$R$U$Y$e$m$n$w$w$}$~
API String ID: 0-933857539
Opcode ID: cfd6d5f887f0551c4ae39693937522479b825283bc6f0a89b353dcd9246ccf87
Instruction ID: c6b57f021e7193f08dd7fa5564e5a8d53813b2b38ca0dff152795531ec911abc
Opcode Fuzzy Hash: cfd6d5f887f0551c4ae39693937522479b825283bc6f0a89b353dcd9246ccf87
Instruction Fuzzy Hash: E952329292A70299FFB32060C5C076D6640DF06785F308F37C861F69D2AB2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004030B7, Relevance: 29.5, APIs: 1, Strings: 18, Instructions: 1034memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

?, xrefs: 00408F6B
Y, xrefs: 00408F6E
~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
n, xrefs: 00408EEF
m, xrefs: 00409485
e, xrefs: 00408FF8
=, xrefs: 00409127
', xrefs: 00408EDF
L, xrefs: 00408F68
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$'$1$7$=$=$?$L$U$Y$e$m$n$w$w$}$~
API String ID: 4275171209-2074554245
Opcode ID: 1b21aedd2bf843f7e084eec4bd65c08c66369497d19a3f668f457fe17e333433
Instruction ID: f45abfde0d2f2060bb57a972c7bff27dfd94d738477d60fcd2fc6c3e33ad15cf
Opcode Fuzzy Hash: 1b21aedd2bf843f7e084eec4bd65c08c66369497d19a3f668f457fe17e333433
Instruction Fuzzy Hash: BD52238292A70699FFB32160C5C076D6640DF16785F308F37C861F59D2BB2F89CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 00408E76, Relevance: 29.5, APIs: 1, Strings: 18, Instructions: 1023memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

?, xrefs: 00408F6B
Y, xrefs: 00408F6E
~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
n, xrefs: 00408EEF
m, xrefs: 00409485
e, xrefs: 00408FF8
=, xrefs: 00409127
', xrefs: 00408EDF
L, xrefs: 00408F68
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$'$1$7$=$=$?$L$U$Y$e$m$n$w$w$}$~
API String ID: 4275171209-2074554245
Opcode ID: ba4bf9cfa196213ef28db3ee36ed796a3b24badaeb33552cac18c08273fe1e62
Instruction ID: 811af6bfa5ce84855a0f030f22dfdd5cdde2aefd47c2f069b49785f71e8221c1
Opcode Fuzzy Hash: ba4bf9cfa196213ef28db3ee36ed796a3b24badaeb33552cac18c08273fe1e62
Instruction Fuzzy Hash: 3742128292A70699FFB32060C5C076E6640DF16785F308F37C861F59D2AB2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00408F13, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1028memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

Y, xrefs: 00408F6E
~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
m, xrefs: 00409485
e, xrefs: 00408FF8
=, xrefs: 00409127
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$1$7$=$=$U$Y$e$m$w$w$}$~
API String ID: 4275171209-1480070522
Opcode ID: 86f5c9b78f19221e1630afc69865700b69c209537b794e8516a4162b9dd17be5
Instruction ID: bfdf4484538053ad63c561fe77f8ca9326904e6a51d35c2a8dbf58c9aa1f0719
Opcode Fuzzy Hash: 86f5c9b78f19221e1630afc69865700b69c209537b794e8516a4162b9dd17be5
Instruction Fuzzy Hash: EA42028292A70699FFB32060C5C076E6640DF16785F308F37C865F59D2AB2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004095D4, Relevance: 2.2, APIs: 1, Instructions: 921COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 963284d5dcb7e7700dfa1c4a363094c41c7fca294ce1c460bdec7787d7743869
Instruction ID: 560447cdf541f2b7486fd9edbbbd1d6151761df82099e6f942c2cb6c2ecd9726
Opcode Fuzzy Hash: 963284d5dcb7e7700dfa1c4a363094c41c7fca294ce1c460bdec7787d7743869
Instruction Fuzzy Hash: 0D323682D2A71699FFB32030C5C0B5D6640DF16784F318F37C865F59E2AA2F89CA159B

Uniqueness

Uniqueness Score: -1.00%

Function 004126CC, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 252
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004126CC(void* __ebx, void* __edi, void* __esi, long long __fp0, signed int _a4, intOrPtr _a20) {
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v52;
				char _v68;
				short _v72;
				char _v80;
				short _v84;
				void* _v88;
				long long _v96;
				char _v100;
				char _v104;
				char _v120;
				signed int _v124;
				signed int _v128;
				char _v136;
				char _v140;
				void* _v144;
				char _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _t144;
				signed int _t166;
				signed int _t177;
				signed int _t182;
				signed int _t188;
				char* _t191;
				char* _t193;
				intOrPtr* _t195;
				char* _t212;
				void* _t217;
				void* _t219;
				intOrPtr _t220;

				_t220 = _t219 - 0x18;
				 *[fs:0x0] = _t220;
				L00401260();
				_v28 = _t220;
				_v24 = 0x401118;
				_v20 = _a4 & 0x00000001;
				_t144 = _a4 & 0xfffffffe;
				_a4 = _t144;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t217);
				_v8 = 1;
				_v8 = 2;
				asm("fldz");
				L004012D8();
				L0040137A();
				asm("fcomp qword [0x4011a8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t144 != 0) {
					_v8 = 3;
					_v8 = 4;
					_v128 = L"Rosenstokkesegedesm";
					_v136 = 8;
					L0040136E();
					_push(2);
					_push( &_v120);
					L00401374();
					_v96 = __fp0;
					L004013C2();
				}
				_v8 = 6;
				L00401362();
				L00401368();
				L004013B6();
				L004013C2();
				_v8 = 7;
				 *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156,  &_v120,  &_v120);
				_v80 = _v156;
				_v8 = 8;
				_v140 = 0x3fc5;
				L0040135C();
				_v156 =  *0x4011a0;
				_v80 =  *0x401198;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v156,  &_v104,  &_v104,  &_v140,  &_v148);
				_v100 = _v148;
				L004013AA();
				_v8 = 9;
				_v148 = 0x76e32;
				_t166 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v148, 0x67c7,  &_v140);
				_v160 = _t166;
				if(_v160 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x411530);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v188 = _t166;
				}
				_v72 = _v140;
				_v8 = 0xa;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
				_v8 = 0xb;
				_v156 =  *0x401190;
				_v148 = 0x3ac53e;
				_v140 = 0x3fc5;
				_t177 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v140,  &_v148, 0x2802,  &_v156, 0x33164f, 0x5bf3,  &_v144);
				_v160 = _t177;
				if(_v160 >= 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x411530);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v192 = _t177;
				}
				_v84 = _v144;
				_v8 = 0xc;
				L00401350();
				_v8 = 0xd;
				_t182 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v140, 0xffffffff);
				asm("fclex");
				_v160 = _t182;
				if(_v160 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x411500);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v196 = _t182;
				}
				_t188 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v164 = _t188;
				if(_v164 >= 0) {
					_v200 = _v200 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x411500);
					_push(_a4);
					_push(_v164);
					L00401356();
					_v200 = _t188;
				}
				_v8 = 0xe;
				_v128 = _v128 & 0x00000000;
				_v124 = _v124 & 0x00000000;
				_v136 = 6;
				L0040134A();
				while(1) {
					_v8 = 0x10;
					_v128 = 1;
					_v136 = 2;
					_push( &_v68);
					_push( &_v136);
					_t191 =  &_v120;
					_push(_t191);
					L00401344();
					_t212 = _t191;
					L0040134A();
					_v8 = 0x11;
					_v128 = 0x2ffff;
					_v136 = 0x8003;
					_push( &_v68);
					_t193 =  &_v136;
					_push(_t193);
					L0040133E();
					if(_t193 == 0) {
						break;
					}
				}
				_v8 = 0x14;
				_v128 = 0xff8ac269;
				do {
					_t212 = _t212 + 1;
				} while (_t212 != 0xffcbed21);
				_a20 = _t212 + 0x74a08d;
				_t195 = _a20();
				0x46092ad4();
				asm("lock add [eax], al");
				 *_t195 =  *_t195 + _t195;
				asm("wait");
				_push(0x412b0d);
				L004013C2();
				L004013C2();
				L004013AA();
				return _t195;
			}

0x004126cf
0x004126de
0x004126ea
0x004126f2
0x004126f5
0x00412702
0x00412708
0x0041270b
0x0041270e
0x0041271d
0x00412720
0x00412727
0x0041272e
0x00412730
0x00412735
0x0041273a
0x00412740
0x00412742
0x00412743
0x00412745
0x0041274c
0x00412753
0x0041275a
0x0041276d
0x00412772
0x00412777
0x00412778
0x0041277d
0x00412783
0x00412783
0x00412788
0x00412793
0x0041279c
0x004127a6
0x004127ae
0x004127b3
0x004127c9
0x004127d5
0x004127d8
0x004127df
0x004127f0
0x004127fb
0x00412816
0x0041282c
0x00412838
0x0041283e
0x00412843
0x0041284a
0x0041286f
0x00412875
0x00412882
0x004128a4
0x00412884
0x00412884
0x00412889
0x0041288e
0x00412891
0x00412897
0x0041289c
0x0041289c
0x004128b2
0x004128b6
0x004128c5
0x004128cb
0x004128d8
0x004128de
0x004128e8
0x00412924
0x0041292a
0x00412937
0x00412959
0x00412939
0x00412939
0x0041293e
0x00412943
0x00412946
0x0041294c
0x00412951
0x00412951
0x00412967
0x0041296b
0x00412974
0x00412979
0x0041298f
0x00412995
0x00412997
0x004129a4
0x004129c6
0x004129a6
0x004129a6
0x004129ab
0x004129b0
0x004129b3
0x004129b9
0x004129be
0x004129be
0x004129e2
0x004129e8
0x004129ea
0x004129f7
0x00412a19
0x004129f9
0x004129f9
0x004129fe
0x00412a03
0x00412a06
0x00412a0c
0x00412a11
0x00412a11
0x00412a20
0x00412a27
0x00412a2b
0x00412a2f
0x00412a42
0x00412a47
0x00412a47
0x00412a4e
0x00412a55
0x00412a62
0x00412a69
0x00412a6a
0x00412a6d
0x00412a6e
0x00412a73
0x00412a78
0x00412a7d
0x00412a84
0x00412a8b
0x00412a98
0x00412a99
0x00412a9f
0x00412aa0
0x00412aaa
0x00000000
0x00000000
0x00412aac
0x00412aae
0x00412ab5
0x00412abc
0x00412abc
0x00412abd
0x00412acb
0x00412ace
0x00412ad1
0x00412ad6
0x00412ad9
0x00412adb
0x00412adc
0x00412af7
0x00412aff
0x00412b07
0x00412b0c

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 004126EA
_CIsin.MSVBVM60(?,?,?,?,00401266), ref: 00412730
__vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 00412735
__vbaVarDup.MSVBVM60 ref: 0041276D
#600.MSVBVM60(?,00000002), ref: 00412778
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00412783
#612.MSVBVM60(?,?,?,?,?,00401266), ref: 00412793
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 0041279C
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 004127A6
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401266), ref: 004127AE
__vbaStrCopy.MSVBVM60 ref: 004127F0
__vbaFreeStr.MSVBVM60(?,00003FC5,?), ref: 0041283E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411530,000006FC,?,?,?,00003FC5,?), ref: 00412897
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411530,00000700,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 0041294C
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412974
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411500,000001B8,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 004129B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411500,000001BC), ref: 00412A0C
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412A42
__vbaVarAdd.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 00412A6E
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 00412A78
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 00412AA0
__vbaFreeVar.MSVBVM60(00412B0D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412AF7
__vbaFreeVar.MSVBVM60(00412B0D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412AFF
__vbaFreeStr.MSVBVM60(00412B0D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412B07

Strings

Rosenstokkesegedesm, xrefs: 00412753
Kompetenceomraaders, xrefs: 004127E8

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#600#612ChkstkCopyErrorIsin
String ID: Kompetenceomraaders$Rosenstokkesegedesm
API String ID: 3051467023-1030129653
Opcode ID: aa4e6b1f7903a3eff54cea95097251b9023a92f911b789d7475e22d9d397268f
Instruction ID: a8f4e96e98107da68d114afca2c74a92ec4cf09ab844e89c66e05fb1b80bc29b
Opcode Fuzzy Hash: aa4e6b1f7903a3eff54cea95097251b9023a92f911b789d7475e22d9d397268f
Instruction Fuzzy Hash: 62C1067090021CEFEB10DFA1C949BDDBBB4FF04344F1081AAE549AB2A1DB785A99DF54

Uniqueness

Uniqueness Score: -1.00%

Function 00408F9D, Relevance: 22.1, APIs: 1, Strings: 13, Instructions: 1053memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
1, xrefs: 004092D8
w, xrefs: 004093FE
m, xrefs: 00409485
e, xrefs: 00408FF8
=, xrefs: 00409127
U, xrefs: 00409090
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$1$7$=$=$U$e$m$w$w$}$~
API String ID: 4275171209-4150358292
Opcode ID: 1df43b3594c36f9ecc0bd08203fd787db7799b56a0b0a3bda782f2c7cc8f1921
Instruction ID: 9b21bcedb4ee81e8aaff13c8dfff2e6490af1ba487fd4fcdeecd7b6de5733ab2
Opcode Fuzzy Hash: 1df43b3594c36f9ecc0bd08203fd787db7799b56a0b0a3bda782f2c7cc8f1921
Instruction Fuzzy Hash: 5242028292A70699FFB32060C5C076E6640DF16785F308F37C865F59D2AB2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040901F, Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 1022COMMON

Download Yara Rule

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
w, xrefs: 00409085
=, xrefs: 00409127
U, xrefs: 00409090
1, xrefs: 004092D8
w, xrefs: 004093FE
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: #$%$1$7$=$=$U$m$w$w$}$~
API String ID: 0-429928765
Opcode ID: f4d3c44d13201c666909da14147bd35bbf98e76bcfabc0eaae809a09dfe9e9b4
Instruction ID: 8d5add95c9814ec82452f803ff3f1f062e28cf3bd4e2370548f85d958d720faf
Opcode Fuzzy Hash: f4d3c44d13201c666909da14147bd35bbf98e76bcfabc0eaae809a09dfe9e9b4
Instruction Fuzzy Hash: BF42128292A70699FFB32060C5C076E6640DF16785F308F37C861F59D2AB2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004090FF, Relevance: 17.4, APIs: 1, Strings: 10, Instructions: 937memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
#, xrefs: 0040923A
7, xrefs: 00409114
=, xrefs: 00409127
1, xrefs: 004092D8
w, xrefs: 004093FE
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$1$7$=$=$m$w$}$~
API String ID: 4275171209-3742826455
Opcode ID: a3924918396a372cc6997aa649b638e2f8a1b51fefbf8095482d45febdff5eea
Instruction ID: 69e282d680631678734dcd7b7279eb1c935fa4325be747a360c9c2672b243052
Opcode Fuzzy Hash: a3924918396a372cc6997aa649b638e2f8a1b51fefbf8095482d45febdff5eea
Instruction Fuzzy Hash: D242128292A70699FFB22060C5C076E6640DF16785F308F37C865F59D2AB2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409148, Relevance: 14.5, APIs: 1, Strings: 8, Instructions: 1000memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
#, xrefs: 0040923A
1, xrefs: 004092D8
w, xrefs: 004093FE
%, xrefs: 004093F1
}, xrefs: 0040919D

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$1$=$m$w$}$~
API String ID: 4275171209-710405328
Opcode ID: 4829560407ca97b01a8285781c7d87e62f1b709248b96a130dbdbebde77a0218
Instruction ID: 1a500d702ed32cfdd4d329640aded7f5513186832c85bd36b29e90c928a91585
Opcode Fuzzy Hash: 4829560407ca97b01a8285781c7d87e62f1b709248b96a130dbdbebde77a0218
Instruction Fuzzy Hash: 7742129292A70699FFB22060C5C076E6640DF06785F308F37C861F59D2AA2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004091DA, Relevance: 12.9, APIs: 1, Strings: 7, Instructions: 945memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
#, xrefs: 0040923A
1, xrefs: 004092D8
w, xrefs: 004093FE
%, xrefs: 004093F1

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: #$%$1$=$m$w$~
API String ID: 4275171209-3815535187
Opcode ID: 41e2d6b70934fe6222ba8f0d3009836df18893237a3f89e6bd9a1e99fe0d106f
Instruction ID: fcd3f9331a8f5abd96905c5f11ddfcd0b873be3fa1d0713e65617ee84cc16349
Opcode Fuzzy Hash: 41e2d6b70934fe6222ba8f0d3009836df18893237a3f89e6bd9a1e99fe0d106f
Instruction Fuzzy Hash: 33320282E2A70699FFB32060C5C076D6640DF16785F308F37C865F59D2AB2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004092FE, Relevance: 10.0, APIs: 1, Strings: 5, Instructions: 951memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
w, xrefs: 004093FE
%, xrefs: 004093F1

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: %$=$m$w$~
API String ID: 4275171209-1606644865
Opcode ID: bdd8dc4422a4fc624886ea160fc42555cefae7f90af37b574b9ce0b7e6e38640
Instruction ID: 47393089e71208e90000f70a4c8c87b440c3399ba17690640c487d72d42bd0c3
Opcode Fuzzy Hash: bdd8dc4422a4fc624886ea160fc42555cefae7f90af37b574b9ce0b7e6e38640
Instruction Fuzzy Hash: 1B321382D2A70699FFB32060C5C076E6640DF16785F308F37C861F59D2BA2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004093DB, Relevance: 9.8, APIs: 1, Strings: 5, Instructions: 849memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508
w, xrefs: 004093FE
%, xrefs: 004093F1

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: %$=$m$w$~
API String ID: 4275171209-1606644865
Opcode ID: 90bcf7632c37709c50c8287382f08c3552c13005886031bffdcfbf42e42a67bb
Instruction ID: 2c7651099be7f6cddf8a9be1f777d218f3a83a1465ff2b8fd2b9b6a7abfd5ccb
Opcode Fuzzy Hash: 90bcf7632c37709c50c8287382f08c3552c13005886031bffdcfbf42e42a67bb
Instruction Fuzzy Hash: 2F32129292A70699FFB32020C5C076E6640DF16785F318F37C861F59D2BA2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004094AF, Relevance: 6.9, APIs: 1, Strings: 3, Instructions: 924COMMON

Download Yara Rule

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: =$m$~
API String ID: 0-3063502509
Opcode ID: 2c6a809fb5fcb78aba756f1a6eec9f055b06fe2a224da93304e5ee16228a8307
Instruction ID: 907763e9db56cde3a880a25408aa5e0ffa8c380f1def6f1d1f32b7f9798919fe
Opcode Fuzzy Hash: 2c6a809fb5fcb78aba756f1a6eec9f055b06fe2a224da93304e5ee16228a8307
Instruction Fuzzy Hash: 6532248192A70699FFB32060C5C076E6640DF16785F308F37C865F69D2BA2FC9CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409420, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 850memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

~, xrefs: 00409496
m, xrefs: 00409485
=, xrefs: 00409508

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: =$m$~
API String ID: 4275171209-3063502509
Opcode ID: 010487af06f32279505fc93a3b900258475da0946e2d16c1d3b1f51a57ae226c
Instruction ID: 0e4c3fd80f228d5dee1774ffd4015c40aa91096da033ecb9cc923199fb840457
Opcode Fuzzy Hash: 010487af06f32279505fc93a3b900258475da0946e2d16c1d3b1f51a57ae226c
Instruction Fuzzy Hash: 7032248192A70699FFB32020C5C076E6640DF16785F308F37C861F69D2BA2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004013E8, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 610
COMMON

Download Yara Rule

C-Code - Quality: 58%

			_entry_(signed int __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __fp0, char _a1, void* _a5, intOrPtr* _a26, void* _a845990597, void* _a983979903, void* _a1171759916, intOrPtr _a1273070616, signed int _a2016350194) {
				void* _v1;
				void* _v28;
				void* _v73;
				void* _v89;
				intOrPtr* _t138;
				signed int _t140;
				signed int _t141;
				signed char _t143;
				signed int _t144;
				signed int* _t146;
				signed int _t148;
				signed int _t149;
				signed int _t150;
				signed char _t151;
				signed int _t177;
				signed int _t178;
				signed int _t180;
				signed int _t183;
				signed char _t185;
				signed char _t186;
				signed int _t187;
				intOrPtr* _t207;
				void* _t208;
				char* _t209;
				signed int _t225;
				signed int _t227;
				signed int* _t270;
				void* _t272;
				char* _t288;
				void* _t326;
				signed char _t328;
				signed int _t329;
				void* _t330;
				void* _t343;
				void* _t344;
				void* _t360;

				_t360 = __fp0;
				_t224 = __edx;
				_push("VB5!6&*"); // executed
				L004013E0(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t138 = __eax + 1;
				 *_t138 =  *_t138 + _t138;
				 *_t138 =  *_t138 + _t138;
				 *_t138 =  *_t138 + _t138;
				_a1273070616 = _a1273070616 - __ebx;
				asm("stosb");
				asm("sbb edi, edi");
				asm("movsd");
				_t140 = _t138 + __edx + 0x1988;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				_push(__ebx);
				_push(_t326);
				_t328 = _t326 - 1 + 1;
				_push(__edx);
				_t270 = __esi - 0xffffffffffffffff;
				 *_t140 =  *_t140 + _t140;
				 *_t140 =  *_t140 + _t140;
				_t183 = __ebx - 1 + __ebx - 1;
				_t328 = _t328 - 1;
				 *_t141 =  *_t141 ^ _t141;
				_t140 = _t141 |  *(__edx - 0x259bb489);
				if(_t140 < 0) {
					_t141 = _t140 + 1;
					_t183 = _t183 + _t183;
				}
				asm("scasd");
				_t207 = _a26;
				 *((intOrPtr*)(_t183 - 0x6ea6279c)) =  *((intOrPtr*)(_t183 - 0x6ea6279c)) + _t207;
				_pop(ds);
				asm("sbb ah, dh");
				asm("fnstcw word [edx+0x42]");
				asm("wait");
				_t329 = _t140;
				asm("lodsd");
				_t143 = _t328;
				asm("stosb");
				 *((intOrPtr*)(_t143 - 0x2d)) =  *((intOrPtr*)(_t143 - 0x2d)) + _t143;
				_t144 = _t183 ^  *(_t207 - 0x48ee309a);
				_t185 = _t143;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *_t144 =  *_t144 + _t144;
				 *0x65764f00 =  *0x65764f00 + _t207;
				if( *0x65764f00 >= 0) {
					if( *[gs:esi+0x65] * 0x73 < 0) {
						 *0x4f000801 =  *0x4f000801 + _t207;
						asm("sbb [ecx], eax");
						 *__edx =  *__edx + _t144;
						 *(_t270 - 0x61) =  *(_t270 - 0x61) & __edx;
						 *_t144 =  *_t144 + _t144;
						asm("insb");
						if ( *_t144 == 0) goto L6;
						 *(_t270 - 0x61) =  *(_t270 - 0x61) + _t207;
						 *_t144 =  *_t144 + _t144;
						_t224 = __edx + 1;
						_t270 = _t270 - 1;
						asm("lahf");
						 *_t144 =  *_t144 + _t144;
						 *_t144 =  *_t144 + _t144;
						 *_t144 =  *_t144 + _t144;
						if ( *_t144 <= 0) goto L7;
						 *_t144 =  *_t144 + _t144;
						 *_t144 =  *_t144 - _t144;
						 *_t144 =  *_t144 + _t144;
						asm("adc [ecx], al");
					}
					 *_t144 =  *_t144 + _t144;
					 *_t185 =  *_t185 + _t207;
					 *_t144 =  *_t144 + _t144;
					 *_t207 =  *_t207 + _t144;
					 *((intOrPtr*)(_t144 + _t144)) =  *((intOrPtr*)(_t144 + _t144)) + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					asm("fcomp dword [esi]");
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					 *_t144 =  *_t144 + _t144;
					asm("fsubp st5, st0");
					 *_t185 =  *_t185 + _t207;
					 *((intOrPtr*)(_t144 + _t144 + 0x640b05)) =  *((intOrPtr*)(_t144 + _t144 + 0x640b05)) + _t185;
					asm("sti");
				}
				_t208 = _t207 + _t144;
				asm("sbb ebp, [ebx-0xccfcf00]");
				 *0x9009a60 =  *0x9009a60 + _t224;
				asm("sbb al, al");
				 *((intOrPtr*)(_t185 - 0x24)) =  *((intOrPtr*)(_t185 - 0x24)) + _t224;
				asm("int3");
				 *((intOrPtr*)(_t208 + 0x7a)) =  *((intOrPtr*)(_t208 + 0x7a)) + _t208;
				asm("sti");
				 *_t270 =  *_t270 + _t208;
				_t209 = _t208 + _t224;
				_t146 = _t270;
				 *((intOrPtr*)(_t209 + 0x7c)) =  *((intOrPtr*)(_t209 + 0x7c)) + _t146;
				_t148 =  *( *_t146 * 0xffffffcd) * 0xfffffffc;
				_push(ss);
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				_t272 = _t144 + _t209 - 1;
				asm("cmpsd");
				_push(es);
				asm("iretd");
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				 *_t148 =  *_t148 + _t148;
				asm("sbb eax, [eax]");
				 *_t185 =  *_t185 + _t185;
				asm("in eax, dx");
				asm("stosd");
				_t149 = 0xe1cc1f27;
				asm("das");
				while(1) {
					asm("outsb");
					asm("scasd");
					 *_t209 = _t209;
					_t186 = _t185 &  *(_t149 + 9);
					_t150 = _t149 | 0xd17990e8;
					asm("sbb byte [edi-0x66c888e8], 0x97");
					asm("cdq");
					asm("scasb");
					asm("out 0xd4, al");
					if(_t150 == 0) {
						_t344 =  <  ?  *_t186 : _t329;
						_t185 = 6;
						_t209 = 0xf4;
						_t224 = _t224 - 0x00000006 ^ _a2016350194;
						asm("xlatb");
						asm("lahf");
						_t180 = _t150 + 0x0000002d ^ _t224;
						_pop(_t329);
						 *(_t180 + 0x7e81dd59) =  *(_t180 + 0x7e81dd59) >> 0xb5;
						_t149 = _t180 | 0xe9a05454;
						continue;
					}
					L15:
					while(__eflags == 0) {
						_t343 =  <  ?  *_t186 : _t329;
						_t224 = _t224 - 0x00000006 ^ _a2016350194;
						asm("xlatb");
						__eflags = 0xf4 - _t224;
						asm("lahf");
						_t177 = _t150 + 0x0000002d ^ _t224;
						_pop(_t329);
						 *(_t177 + 0x7e81dd59) =  *(_t177 + 0x7e81dd59) >> 0xb5;
						_t178 = _t177 | 0xe9a05454;
						__eflags = 6 -  *_t178;
						asm("outsb");
						asm("scasd");
						 *0xf4 = 0xf4;
						_t186 = 0x00000006 &  *(_t178 + 9);
						_t150 = _t178 | 0xd17990e8;
						asm("sbb byte [edi-0x66c888e8], 0x97");
						asm("cdq");
						asm("scasb");
						asm("out 0xd4, al");
					}
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					_t225 =  *(_t224 - 0x62);
					asm("repne push es");
					asm("iretd");
					 *_t150 =  *_t150 + _t150;
					__eflags =  *_t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb esi, [ecx+0x326474c0]");
					asm("scasb");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					asm("aam 0x17");
					asm("lodsd");
					asm("cmpsd");
					asm("in eax, dx");
					asm("xlatb");
					_t330 = _t329 - 1;
					asm("cmc");
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *0x4D188D3B =  *0x4D188D3B & _t150;
					asm("cmc");
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *(_t186 - 0xec88a06) =  *(_t186 - 0xec88a06) & _t150;
					 *((intOrPtr*)(_t150 + 0xbfae93)) =  *((intOrPtr*)(_t150 + 0xbfae93)) - 0xf54c30;
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb eax, [eax]");
					 *_t186 =  *_t186 + _t186;
					 *_t150 =  *_t150 + _t150;
					asm("sbb ecx, [ebx-0x67a77bae]");
					_t151 = _t186;
					_t187 = _t150;
					asm("scasb");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					_t227 =  *((_t225 &  *(_t150 + 0x2c)) - 0x6c);
					__eflags = 0xf54c30 - 0x1affff;
					_t288 =  &_a1;
					asm("cmpsd");
					_push(es);
					asm("iretd");
					 *_t151 =  *_t151 + _t151;
					__eflags =  *_t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *(_t272 + 6) =  *(_t272 + 6) << 0xcf;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					__eflags =  *_t187;
					if( *_t187 < 0) {
						_push(es);
						asm("iretd");
						 *_t151 =  *_t151 + _t151;
						__eflags =  *_t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						_t187 = _t187 &  *(_t272 - 0x1cffa1c4);
						_push(es);
						asm("iretd");
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
						 *_t187 =  *_t187 + _t187;
						asm("std");
						_push(0xf54c30);
						asm("lodsd");
						_push(_t227);
						_t227 = _t187;
						_t288 =  &_a1;
						_t330 = _t330 - 1;
						asm("cmc");
						 *_t151 =  *_t151 + _t151;
						asm("sbb eax, [eax]");
					}
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb eax, [eax]");
					 *_t187 =  *_t187 + _t187;
					 *_t151 =  *_t151 + _t151;
					asm("sbb esi, [ecx-0x30f98240]");
					goto L15;
				}
			}

0x004013e8
0x004013e8
0x004013e8
0x004013ed
0x004013f2
0x004013f4
0x004013f6
0x004013f8
0x004013fa
0x004013fc
0x004013fd
0x004013ff
0x00401401
0x00401405
0x0040140c
0x0040140d
0x00401410
0x00401411
0x00401416
0x00401418
0x0040141a
0x0040141c
0x0040141e
0x00401420
0x00401422
0x00401424
0x00401425
0x0040142a
0x00401430
0x00401431
0x00401433
0x00401435
0x00401437
0x00401438
0x0040143a
0x0040143c
0x00401442
0x004013c6
0x004013c7
0x004013c7
0x00401445
0x00401446
0x00401449
0x0040144f
0x00401450
0x00401452
0x00401455
0x00401456
0x0040145f
0x00401466
0x00401468
0x00401469
0x0040146c
0x0040146c
0x0040146d
0x0040146f
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401497
0x00401499
0x0040149f
0x004014a7
0x004014a9
0x004014b7
0x004014b9
0x004014bc
0x004014bf
0x004014c1
0x004014c2
0x004014c4
0x004014c7
0x004014c9
0x004014cb
0x004014cc
0x004014cd
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014db
0x004014dc
0x004014de
0x004014e0
0x004014e2
0x004014e4
0x004014e7
0x004014e9
0x004014eb
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401502
0x00401504
0x0040150d
0x0040150d
0x0040150e
0x00401510
0x00401516
0x0040151c
0x0040151e
0x00401521
0x00401522
0x00401525
0x00401526
0x00401528
0x0040152d
0x0040152e
0x00401535
0x0040153d
0x0040153e
0x00401540
0x00401542
0x00401544
0x00401546
0x00401548
0x0040154a
0x0040154c
0x0040154e
0x00401550
0x00401552
0x00401554
0x00401556
0x00401558
0x0040155a
0x0040155c
0x0040155e
0x00401560
0x00401562
0x00401564
0x00401566
0x00401568
0x0040156a
0x0040156c
0x0040156e
0x00401570
0x00401572
0x00401574
0x00401576
0x00401578
0x0040157a
0x0040157c
0x0040157e
0x00401580
0x00401582
0x00401584
0x00401586
0x00401588
0x0040158a
0x0040158c
0x0040158e
0x00401590
0x00401592
0x00401594
0x00401596
0x00401598
0x0040159a
0x0040159c
0x0040159e
0x004015a0
0x004015a2
0x004015a4
0x004015a6
0x004015a8
0x004015aa
0x004015ac
0x004015ae
0x004015b0
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015be
0x004015c0
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d2
0x004015d4
0x004015d6
0x004015d8
0x004015da
0x004015dc
0x004015de
0x004015e0
0x004015e2
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x004015f6
0x004015f8
0x004015fa
0x004015fc
0x004015fe
0x00401600
0x00401602
0x00401604
0x00401606
0x00401608
0x0040160a
0x0040160c
0x0040160e
0x00401610
0x00401612
0x00401614
0x00401616
0x00401618
0x0040161a
0x0040161c
0x0040161e
0x00401620
0x00401622
0x00401624
0x00401626
0x00401628
0x0040162a
0x0040162c
0x0040162e
0x00401630
0x00401632
0x00401634
0x00401636
0x00401638
0x0040163a
0x0040163c
0x0040163e
0x00401640
0x00401642
0x00401644
0x00401646
0x00401648
0x0040164a
0x0040164c
0x0040164e
0x00401650
0x00401652
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165c
0x0040165e
0x00401660
0x00401662
0x00401664
0x00401666
0x00401668
0x0040166a
0x0040166c
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x0040167c
0x0040167e
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168a
0x0040168c
0x0040168e
0x00401690
0x00401692
0x00401694
0x00401696
0x00401698
0x0040169a
0x0040169c
0x0040169e
0x004016a0
0x004016a2
0x004016a4
0x004016a6
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d6
0x004016d8
0x004016da
0x004016dc
0x004016de
0x004016e0
0x004016e2
0x004016e4
0x004016e6
0x004016e8
0x004016ea
0x004016ec
0x004016ee
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401716
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173c
0x0040173e
0x00401740
0x00401742
0x00401744
0x00401746
0x00401748
0x0040174a
0x0040174c
0x0040174e
0x00401750
0x00401752
0x00401754
0x00401756
0x00401758
0x0040175a
0x0040175c
0x0040175e
0x00401760
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b0
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c2
0x004017c4
0x004017c6
0x004017c8
0x004017ca
0x004017cc
0x004017ce
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ee
0x004017f0
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fe
0x00401800
0x00401802
0x00401804
0x00401806
0x00401808
0x0040180a
0x0040180c
0x0040180e
0x00401810
0x00401812
0x00401814
0x00401816
0x00401818
0x0040181a
0x0040181c
0x0040181e
0x00401820
0x00401822
0x00401824
0x00401826
0x00401828
0x0040182a
0x0040182c
0x0040182e
0x00401830
0x00401832
0x00401834
0x00401836
0x00401838
0x0040183a
0x0040183c
0x0040183e
0x00401840
0x00401842
0x00401844
0x00401846
0x00401848
0x0040184a
0x0040184c
0x0040184e
0x00401850
0x00401852
0x00401854
0x00401856
0x00401858
0x0040185a
0x0040185c
0x0040185e
0x00401860
0x00401862
0x00401864
0x00401866
0x00401868
0x0040186a
0x0040186c
0x0040186e
0x00401870
0x00401872
0x00401874
0x00401876
0x00401878
0x0040187a
0x0040187c
0x0040187e
0x00401880
0x00401882
0x00401884
0x00401886
0x00401888
0x0040188a
0x0040188c
0x0040188e
0x00401890
0x00401892
0x00401894
0x00401896
0x00401898
0x0040189a
0x0040189c
0x0040189e
0x004018a0
0x004018a2
0x004018a4
0x004018a6
0x004018a8
0x004018aa
0x004018ac
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b8
0x004018ba
0x004018be
0x004018bf
0x004018c0
0x004018c1
0x004018c3
0x004018c5
0x004018c7
0x004018c9
0x004018cb
0x004018cd
0x004018cf
0x004018d1
0x004018d3
0x004018d5
0x004018d7
0x004018d9
0x004018da
0x004018de
0x004018ea
0x004018f0
0x004018f2
0x004018f3
0x004018f4
0x004018f6
0x004018f9
0x004018fe
0x00401905
0x00401906
0x00401907
0x0040190a
0x0040190e
0x00401912
0x00401914
0x00401918
0x0040191e
0x00401921
0x00401922
0x00401924
0x00401925
0x0040192c
0x00000000
0x0040192c
0x00000000
0x00401969
0x0040196e
0x00401978
0x0040197e
0x0040197f
0x00401981
0x00401982
0x00401984
0x00401985
0x0040198c
0x00401950
0x00401952
0x00401953
0x00401954
0x00401956
0x00401959
0x0040195e
0x00401965
0x00401966
0x00401967
0x00401967
0x004019c9
0x004019cb
0x004019cd
0x004019cf
0x004019d1
0x004019d3
0x004019d5
0x004019d7
0x004019da
0x004019dc
0x004019dd
0x004019dd
0x004019df
0x004019e1
0x004019e3
0x004019e5
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f1
0x004019f3
0x004019fd
0x004019ff
0x00401a01
0x00401a03
0x00401a05
0x00401a07
0x00401a09
0x00401a0b
0x00401a0d
0x00401a0f
0x00401a11
0x00401a13
0x00401a19
0x00401a1f
0x00401a21
0x00401a23
0x00401a25
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a31
0x00401a39
0x00401a3b
0x00401a3d
0x00401a3f
0x00401a41
0x00401a43
0x00401a45
0x00401a47
0x00401a49
0x00401a4b
0x00401a4d
0x00401a4f
0x00401a51
0x00401a52
0x00401a53
0x00401a54
0x00401a56
0x00401a57
0x00401a58
0x00401a5a
0x00401a5c
0x00401a5e
0x00401a60
0x00401a62
0x00401a64
0x00401a66
0x00401a68
0x00401a6a
0x00401a6c
0x00401a6e
0x00401a70
0x00401a77
0x00401a78
0x00401a7a
0x00401a7c
0x00401a7e
0x00401a80
0x00401a82
0x00401a84
0x00401a86
0x00401a88
0x00401a8a
0x00401a8c
0x00401a8e
0x00401a90
0x00401a96
0x00401a9c
0x00401a9e
0x00401aa0
0x00401aa2
0x00401aa4
0x00401aa6
0x00401aa8
0x00401aaa
0x00401aac
0x00401aae
0x00401ab0
0x00401ab2
0x00401ab8
0x00401ab8
0x00401ab9
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad7
0x00401ad9
0x00401ada
0x00401adb
0x00401adc
0x00401add
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aeb
0x00401aed
0x00401aef
0x00401af1
0x00401af3
0x00401af5
0x00401af9
0x00401afb
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b0f
0x00401b11
0x00401b13
0x00401b14
0x00401b15
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b33
0x00401b34
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b3f
0x00401b41
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4f
0x00401b50
0x00401b51
0x00401b52
0x00401b53
0x00401b55
0x00401b56
0x00401b57
0x00401b58
0x00401b5a
0x00401b5a
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b61
0x00401b63
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00000000
0x00401b6f

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013ED

Strings

VB5!6&*, xrefs: 004013E8

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: c4651329ef12b34322c3b1f748c8802ca36822e297dd2b43f37e49b45d2f1be8
Instruction ID: bbf8aac54ec6db5c6be86f4763b94f7dfaeef80c729d5dc8501b58ed0d54974b
Opcode Fuzzy Hash: c4651329ef12b34322c3b1f748c8802ca36822e297dd2b43f37e49b45d2f1be8
Instruction Fuzzy Hash: D042653105E3D08FCB178B7888B5A513FF0EE5761970A4ADBC4818F4A7C228685DEB67

Uniqueness

Uniqueness Score: -1.00%

Function 00409E89, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 599memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

Iaa, xrefs: 00409E89

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: Iaa
API String ID: 4275171209-306691089
Opcode ID: 5259ba35ade3bcf1055789f0b01422c168979b58f73e271d0e4ffba781a304ee
Instruction ID: 19c80d9dbbdc67e7609205490c35ca271bc347416a4c62a92d12021d1d7cfa81
Opcode Fuzzy Hash: 5259ba35ade3bcf1055789f0b01422c168979b58f73e271d0e4ffba781a304ee
Instruction Fuzzy Hash: 76D1249292A70689FFB26120C5C071E6650DF07744F318F77C861F59D2AB2FCACA15A7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A3E6, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 357memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Strings

l, xrefs: 0040A3E6

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: l
API String ID: 4275171209-2517025534
Opcode ID: bbb745f3008dbcdec54af329e2be3ec12b99a28124086b219ee31abd5d593e51
Instruction ID: 2f6e48c4334793721ddedcb13f69be2dddc114dd637e60b1cdc5e6355e3f4cf6
Opcode Fuzzy Hash: bbb745f3008dbcdec54af329e2be3ec12b99a28124086b219ee31abd5d593e51
Instruction Fuzzy Hash: 29A10182A2A70599FFB36120C5C0B1E6250CF16785F358F37C861F58D2BA2F8ACA5597

Uniqueness

Uniqueness Score: -1.00%

Function 00409542, Relevance: 2.1, APIs: 1, Instructions: 879memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 274455a15da1c8e6f3abbead98b6e72cd47c960c859b256631ed5fa335d98912
Instruction ID: 6d77cac55267de9f484642b68c74b17ba8ce3c5754c96756d13b5aa6284933e2
Opcode Fuzzy Hash: 274455a15da1c8e6f3abbead98b6e72cd47c960c859b256631ed5fa335d98912
Instruction Fuzzy Hash: E0221381E2A70699FFB32020C5C076E6640DF16785F318F37C865F59D2BA2F89CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004096F2, Relevance: 2.1, APIs: 1, Instructions: 872
COMMON

Download Yara Rule

C-Code - Quality: 36%

			E004096F2(intOrPtr* __eax, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				intOrPtr* _t86;
				intOrPtr* _t87;
				signed int _t90;
				signed int _t91;
				void* _t92;
				void* _t93;
				intOrPtr _t94;
				intOrPtr _t95;
				void* _t433;
				void* _t434;
				void* _t435;
				void* _t436;

				_t433 = __fp0;
				_t86 = __eax;
				if(__eflags < 0) {
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					asm("sbb ebx, [ebx]");
					_t90 = 0x5aa3d0;
					asm("punpcklwd xmm1, xmm2");
					asm("fabs");
					asm("paddsb mm1, mm7");
					asm("psubw xmm1, xmm1");
					asm("fld1");
					asm("ffree st3");
				} else {
					_t1 = __eax;
					__eax = __edx;
					__edx = _t1;
					_t2 = __eax;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
					__eax = _t1;
					__edx = _t2;
					__eax = _t2;
					__edx = _t1;
				}
				_t91 = _t90 ^ 0x00ed7dbf;
				asm("fxam");
				asm("wait");
				asm("paddusw mm1, mm7");
				asm("wait");
				asm("fninit");
				asm("pcmpgtw mm1, mm3");
				asm("f2xm1");
				asm("pcmpeqw xmm7, xmm6");
				asm("psraw mm6, mm3");
				asm("movq xmm4, xmm7");
				asm("pmullw mm1, mm5");
				asm("pmullw xmm1, xmm2");
				asm("frndint");
				asm("psubusb xmm6, xmm0");
				asm("psubd xmm0, xmm5");
				_t92 = _t91 - 0x1025457;
				asm("ftst");
				asm("fsubrp st4, st0");
				asm("wait");
				asm("paddsb mm7, mm2");
				asm("pand mm1, mm2");
				asm("pmulhw mm0, mm1");
				asm("fxch st0, st1");
				asm("fscale");
				asm("psrlw mm3, 0xbb");
				asm("packssdw xmm5, xmm4");
				_t93 = _t92 - 0xc87c71;
				asm("fclex");
				asm("fcom st0, st6");
				asm("psraw mm1, mm4");
				asm("fldlg2");
				asm("fucom st1");
				asm("f2xm1");
				asm("packuswb mm4, mm4");
				asm("paddb xmm6, xmm6");
				_t434 = _t433 + st0;
				asm("fdivp st0, st0");
				do {
					asm("fdivrp st5, st0");
					asm("lfence");
					asm("fxch st0, st1");
					asm("paddw xmm6, xmm5");
					asm("punpckldq xmm1, xmm2");
					asm("fabs");
					asm("por xmm2, xmm7");
					asm("fsincos");
					asm("fchs");
					asm("fldl2e");
					asm("f2xm1");
					asm("pcmpeqw xmm7, xmm6");
					asm("psraw mm6, mm3");
					_t434 = _t434 - st6;
					asm("wait");
					asm("fclex");
					asm("fldz");
					_t86 = _t86 - 1;
					asm("frndint");
					asm("psubusb xmm6, xmm0");
					asm("psubd xmm0, xmm5");
					asm("fsin");
					asm("fsubr st5, st0");
					asm("psllq mm4, 0x2f");
					asm("wait");
					asm("fclex");
					asm("fdivr st1, st0");
					asm("packssdw mm3, mm0");
					_t95 =  *_t86;
					asm("fxch st0, st1");
					asm("fscale");
					asm("psrlw mm3, 0xbb");
					asm("packssdw xmm5, xmm4");
					asm("fucom st1");
					asm("psubb xmm7, xmm7");
					asm("fldlg2");
					asm("psubsb xmm2, xmm0");
					asm("psrad xmm4, xmm6");
					asm("wait");
					asm("fninit");
				} while (_t93 != _t95);
				asm("packuswb mm4, mm4");
				asm("paddb xmm6, xmm6");
				_t435 = _t434 + st0;
				asm("fdivp st0, st0");
				asm("pause");
				asm("f2xm1");
				asm("fxch st0, st1");
				asm("paddw xmm6, xmm5");
				asm("punpckldq xmm1, xmm2");
				asm("fabs");
				asm("fprem");
				asm("fyl2x");
				asm("psllw xmm6, 0x23");
				asm("f2xm1");
				asm("pcmpeqw xmm7, xmm6");
				asm("psraw mm6, mm3");
				_t436 = _t435 - st6;
				asm("wait");
				asm("fclex");
				asm("fldz");
				asm("pxor mm1, mm6");
				asm("fdecstp");
				asm("fst st3");
				asm("ffree st1");
				asm("fsubr st5, st0");
				asm("psllq mm4, 0x2f");
				asm("wait");
				asm("fclex");
				asm("fdivr st1, st0");
				asm("packssdw mm3, mm0");
				asm("fyl2xp1");
				asm("paddsw mm7, mm2");
				asm("fldl2t");
				asm("fscale");
				asm("fucom st1");
				asm("psubb xmm7, xmm7");
				asm("fldlg2");
				asm("psubsb xmm2, xmm0");
				asm("psrad xmm4, xmm6");
				asm("wait");
				asm("fninit");
				asm("fabs");
				asm("fldpi");
				asm("fpatan");
				asm("fcos");
				asm("fabs");
				asm("fldl2e");
				asm("fsqrt");
				asm("wait");
				asm("packuswb xmm7, xmm2");
				asm("pcmpgtb mm0, mm0");
				asm("ftst");
				asm("wait");
				asm("fninit");
				asm("mfence");
				asm("faddp st4, st0");
				asm("fptan");
				_t87 = _t86 + 0x10cc;
				asm("punpckhbw xmm0, xmm7");
				asm("psllw xmm1, 0x6d");
				asm("fclex");
				asm("pcmpgtw xmm2, xmm1");
				asm("fscale");
				asm("fsubr st7, st0");
				asm("fldln2");
				asm("fyl2x");
				asm("fldpi");
				asm("fldln2");
				asm("movq mm6, mm5");
				asm("fldl2e");
				asm("ffree st2");
				asm("punpckldq mm3, mm0");
				asm("emms");
				asm("psubsw mm7, mm2");
				asm("fpatan");
				asm("fxam");
				asm("fldln2");
				_t94 =  *_t87;
				asm("pmulhw xmm7, xmm7");
				asm("fprem");
				asm("pmulhw mm2, mm0");
				asm("psllw mm3, 0xe6");
				asm("pcmpgtw xmm7, xmm0");
				asm("pcmpeqb mm2, mm4");
				asm("fprem1");
			}

0x004096f2
0x004096f2
0x004096f5
0x00409689
0x0040968b
0x0040968d
0x0040968f
0x00409691
0x00409693
0x00409695
0x00409697
0x00409699
0x0040969b
0x0040969d
0x0040969f
0x004096a1
0x004096a3
0x004096a5
0x004096a7
0x004096a9
0x004096ab
0x004096ad
0x004096af
0x004096b1
0x004096b3
0x004096b5
0x004096b7
0x004096b9
0x004096bb
0x004096cb
0x004096df
0x004096e3
0x004096e5
0x004096e8
0x004096ec
0x004096ee
0x004096f7
0x004096f7
0x004096f7
0x004096f7
0x004096f8
0x004096f8
0x004096f8
0x004096f9
0x004096f9
0x004096fa
0x004096fa
0x004096fb
0x004096fb
0x004096fc
0x004096fc
0x004096fd
0x004096fd
0x004096fe
0x004096fe
0x004096ff
0x004096ff
0x00409700
0x00409700
0x00409701
0x00409701
0x00409702
0x00409702
0x00409703
0x00409703
0x00409704
0x00409704
0x00409705
0x00409705
0x00409706
0x00409706
0x00409707
0x00409707
0x00409708
0x00409708
0x00409709
0x00409709
0x0040970a
0x0040970a
0x0040970b
0x0040970b
0x0040970c
0x0040970c
0x0040970d
0x0040970d
0x0040970e
0x0040970e
0x0040970f
0x0040970f
0x00409710
0x00409710
0x00409711
0x00409711
0x00409712
0x00409712
0x00409713
0x00409713
0x00409714
0x00409714
0x00409715
0x00409715
0x00409716
0x00409716
0x00409717
0x00409717
0x00409718
0x00409718
0x00409719
0x00409719
0x0040971a
0x0040971a
0x0040971b
0x0040971b
0x0040971c
0x0040971c
0x0040971d
0x0040971d
0x0040971e
0x0040971e
0x0040971f
0x0040971f
0x00409720
0x00409720
0x00409721
0x00409721
0x00409722
0x00409722
0x00409723
0x00409723
0x00409724
0x00409724
0x00409725
0x00409725
0x00409726
0x00409726
0x00409727
0x00409727
0x00409728
0x00409728
0x00409729
0x00409729
0x0040972a
0x0040972a
0x0040972b
0x0040972b
0x0040972c
0x0040972c
0x0040972d
0x0040972d
0x0040972e
0x0040972e
0x0040972f
0x0040972f
0x00409730
0x00409730
0x00409731
0x00409731
0x00409732
0x00409732
0x00409733
0x00409733
0x00409734
0x00409734
0x00409735
0x00409735
0x00409736
0x00409736
0x00409737
0x00409737
0x00409738
0x00409738
0x00409739
0x00409739
0x0040973a
0x0040973a
0x0040973b
0x0040973b
0x0040973c
0x0040973c
0x0040973d
0x0040973d
0x0040973e
0x0040973e
0x0040973f
0x0040973f
0x00409740
0x00409740
0x00409741
0x00409741
0x00409742
0x00409742
0x00409743
0x00409743
0x00409744
0x00409744
0x00409745
0x00409745
0x00409746
0x00409746
0x00409747
0x00409747
0x00409747
0x00409766
0x00409772
0x00409774
0x00409775
0x00409778
0x00409779
0x0040977b
0x0040977e
0x00409780
0x00409784
0x00409802
0x00409806
0x00409809
0x0040980d
0x0040980f
0x00409813
0x00409877
0x00409897
0x00409899
0x0040989b
0x0040989c
0x0040989f
0x004098a2
0x004098a5
0x004098a7
0x004098a9
0x004098ad
0x0040990f
0x00409933
0x00409935
0x00409937
0x0040993a
0x0040993c
0x0040993e
0x00409940
0x00409943
0x00409947
0x00409949
0x004099c1
0x004099c7
0x004099c9
0x004099cc
0x004099ce
0x004099d2
0x004099d6
0x00409a61
0x00409a65
0x00409a67
0x00409a69
0x00409a6b
0x00409a6d
0x00409a71
0x00409a74
0x00409a76
0x00409a77
0x00409a79
0x00409ad8
0x00409af3
0x00409af5
0x00409af9
0x00409afd
0x00409aff
0x00409b01
0x00409b05
0x00409b06
0x00409b08
0x00409b0a
0x00409b77
0x00409b89
0x00409b8b
0x00409b8d
0x00409b91
0x00409b95
0x00409b97
0x00409b9b
0x00409b9d
0x00409ba1
0x00409ba5
0x00409ba6
0x00409c11
0x00409c27
0x00409c2a
0x00409c2e
0x00409c30
0x00409c32
0x00409c34
0x00409cb0
0x00409cb2
0x00409cb6
0x00409cba
0x00409cbc
0x00409cc0
0x00409cc2
0x00409d41
0x00409d43
0x00409d47
0x00409d4a
0x00409d4c
0x00409d4d
0x00409d4f
0x00409d51
0x00409d54
0x00409d56
0x00409d58
0x00409ddb
0x00409ddd
0x00409de1
0x00409de2
0x00409de4
0x00409de6
0x00409de9
0x00409deb
0x00409dee
0x00409df0
0x00409e6d
0x00409e6f
0x00409e73
0x00409e75
0x00409e79
0x00409e7d
0x00409e7e
0x00409e80
0x00409e82
0x00409e84
0x00409f06
0x00409f08
0x00409f0a
0x00409f0c
0x00409f0e
0x00409f0f
0x00409f91
0x00409f94
0x00409f96
0x00409f97
0x00409f99
0x00409f9c
0x00409f9e
0x0040a013
0x0040a018
0x0040a01c
0x0040a021
0x0040a023
0x0040a027
0x0040a029
0x0040a02b
0x0040a02d
0x0040a02f
0x0040a031
0x0040a0b2
0x0040a0b5
0x0040a0b7
0x0040a0b9
0x0040a0bc
0x0040a0be
0x0040a0c1
0x0040a0c3
0x0040a0c5
0x0040a129
0x0040a145
0x0040a149
0x0040a14b
0x0040a14e
0x0040a152
0x0040a156
0x0040a159

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 970b2fed8d12dfe07cb8b175f4e5ad386aca3a3b13da52a5949e7dfc5aa9d079
Instruction ID: 079221ec3d8470b4abaf58efcdc4ae0dc09d90b5256b78ed9bfcdc923427f7e3
Opcode Fuzzy Hash: 970b2fed8d12dfe07cb8b175f4e5ad386aca3a3b13da52a5949e7dfc5aa9d079
Instruction Fuzzy Hash: 28222382E2A70699FFB22020C5C076E6650DF16785F318F37C861F59D2BA2F89CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409819, Relevance: 2.0, APIs: 1, Instructions: 798memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fcffb19288e1118e2de273efa260f58f4dd4e4c4d8459d62ae5d7e079acf7a27
Instruction ID: 2ea0dc63416db0b994bb0c6e30ef39c3eecef4ad283b2394cf022304335ed70d
Opcode Fuzzy Hash: fcffb19288e1118e2de273efa260f58f4dd4e4c4d8459d62ae5d7e079acf7a27
Instruction Fuzzy Hash: F5123482E2A70699FFB22020C5C076E6650DF16785F318F37C865F58D2BA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 004098B3, Relevance: 2.0, APIs: 1, Instructions: 785memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4b201412f80b27b42b2f364a705117e1509d93d93a9b705304340081d8243595
Instruction ID: 09497742d9a8d790a351fe45377a4739afb4d85d67f154f052cda189eb667ad8
Opcode Fuzzy Hash: 4b201412f80b27b42b2f364a705117e1509d93d93a9b705304340081d8243595
Instruction Fuzzy Hash: FB123481E2A70699FFB22020C5C076E6650CF16785F318F37C865F58D2BA2F89CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409789, Relevance: 2.0, APIs: 1, Instructions: 774memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 894cc975a1f93f66ff256c681abddb8ab6874d4cacb5fd445dc21859e27a34b7
Instruction ID: 94cffa42a6e6b70612d46a612bd648fa074f01eecc98088a5a8b0a57abdaadfb
Opcode Fuzzy Hash: 894cc975a1f93f66ff256c681abddb8ab6874d4cacb5fd445dc21859e27a34b7
Instruction Fuzzy Hash: BC123482E2A70699FFB22020C5C076E6650DF16785F318F37C861F58D2BA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409B0F, Relevance: 2.0, APIs: 1, Instructions: 705memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b6f117e42e3ebfc38ad8157d6ad2b4343b5e24d1f8cce3446cdb442dbb0e3ce
Instruction ID: 40cd13199c75c624867f74cfaf9e1ac295ac30586c5546c378dfaa77dd7b252c
Opcode Fuzzy Hash: 8b6f117e42e3ebfc38ad8157d6ad2b4343b5e24d1f8cce3446cdb442dbb0e3ce
Instruction Fuzzy Hash: 64F12591E2A70699FFB32020C5C075E6650CF16784F318F37C865F59D2AA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409D5E, Relevance: 1.9, APIs: 1, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79b90ea3531cba5a9e246177302600d8da53ed40870a59ab96597616e5df2ef9
Instruction ID: d96ac0033cc500d0d2ce7ab2d5a48f8eb8dbc01ea155afb953cb9c4b830154a2
Opcode Fuzzy Hash: 79b90ea3531cba5a9e246177302600d8da53ed40870a59ab96597616e5df2ef9
Instruction Fuzzy Hash: BB02064996A70545FFB62620C5C0B1E6A40CF02B44FB08EBBCA52F64D7A63F8DC9159F

Uniqueness

Uniqueness Score: -1.00%

Function 00409C39, Relevance: 1.9, APIs: 1, Instructions: 673memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da145ade21824e0478ce76036d0a88f1103ca245d6c2e08ab3a2a359dd0245f8
Instruction ID: 5879b2bab6744a630d2170eab77ec5534966c7cbc97e31812ae331a975ae1686
Opcode Fuzzy Hash: da145ade21824e0478ce76036d0a88f1103ca245d6c2e08ab3a2a359dd0245f8
Instruction Fuzzy Hash: 6BF1349192A70689FFB22020C5C076E6650DF16784F318F37C865F59D2AB2FCACA15A7

Uniqueness

Uniqueness Score: -1.00%

Function 00409BAB, Relevance: 1.9, APIs: 1, Instructions: 621COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e61bf4b5d0a634c5c1013ef3e47e1afb53c700cc691bd3ebe835da614cd58d
Instruction ID: 26e09d5ad539c7043f919969f13fb8bd11687967d779adb77a62855a08603077
Opcode Fuzzy Hash: c8e61bf4b5d0a634c5c1013ef3e47e1afb53c700cc691bd3ebe835da614cd58d
Instruction Fuzzy Hash: 59F1229292A70689FFB32020C5C076E6690DF16784F318F37C865F59D2AA2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409CC9, Relevance: 1.8, APIs: 1, Instructions: 578memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cea29c66a3fa728b58f6f749ac568093ab5e0ffd3e9cb110707f75d01b2fb39f
Instruction ID: 5c5cbca8c8ac1204c2cfbae9f28c7b95eb01bc6dfb513cf4d8cf205030e32510
Opcode Fuzzy Hash: cea29c66a3fa728b58f6f749ac568093ab5e0ffd3e9cb110707f75d01b2fb39f
Instruction Fuzzy Hash: 39E14591D2A70699FFB26020C5C071E6650DF06784F318F7BC861F58D2AB2FC9CA15A7

Uniqueness

Uniqueness Score: -1.00%

Function 00409DF6, Relevance: 1.8, APIs: 1, Instructions: 574
memoryCOMMON

Download Yara Rule

C-Code - Quality: 36%

			E00409DF6(void* __eax, void* __ebx, signed int __ecx, void* __fp0) {
				intOrPtr* _t6;
				intOrPtr _t9;
				signed int _t11;
				signed int _t12;
				void* _t20;
				void* _t249;

				_t249 = __fp0;
				ds =  *((intOrPtr*)(_t20 + 9));
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				asm("fucom st1");
				asm("psubb xmm7, xmm7");
				asm("fldlg2");
				asm("psubsb xmm2, xmm0");
				asm("psrad xmm4, xmm6");
				asm("wait");
				asm("fninit");
				asm("fabs");
				asm("fldpi");
				asm("fpatan");
				_t11 = __ecx ^ 0x00001a56;
				asm("fcos");
				asm("fabs");
				asm("fldl2e");
				asm("fsqrt");
				asm("wait");
				asm("packuswb xmm7, xmm2");
				_t12 = _t11 ^ 0x000008fa;
				asm("pcmpgtb mm0, mm0");
				asm("ftst");
				asm("wait");
				asm("fninit");
				asm("mfence");
				asm("faddp st4, st0");
				asm("fptan");
				_t6 = __eax + _t12;
				asm("punpckhbw xmm0, xmm7");
				asm("psllw xmm1, 0x6d");
				asm("fclex");
				asm("pcmpgtw xmm2, xmm1");
				asm("fscale");
				asm("fsubr st7, st0");
				asm("fldln2");
				asm("fyl2x");
				asm("fldpi");
				asm("fldln2");
				asm("movq mm6, mm5");
				asm("fldl2e");
				asm("ffree st2");
				asm("punpckldq mm3, mm0");
				asm("emms");
				asm("psubsw mm7, mm2");
				asm("fpatan");
				asm("fxam");
				asm("fldln2");
				_t9 =  *_t6;
				asm("pmulhw xmm7, xmm7");
				asm("fprem");
				asm("pmulhw mm2, mm0");
				asm("psllw mm3, 0xe6");
				asm("pcmpgtw xmm7, xmm0");
				asm("pcmpeqb mm2, mm4");
				asm("fprem1");
			}

0x00409df6
0x00409df6
0x00409df9
0x00409dfb
0x00409dfd
0x00409dff
0x00409e01
0x00409e03
0x00409e05
0x00409e07
0x00409e09
0x00409e0b
0x00409e0d
0x00409e0f
0x00409e11
0x00409e13
0x00409e15
0x00409e17
0x00409e19
0x00409e1b
0x00409e1d
0x00409e1f
0x00409e21
0x00409e23
0x00409e25
0x00409e27
0x00409e29
0x00409e2b
0x00409e2d
0x00409e2f
0x00409e31
0x00409e33
0x00409e35
0x00409e37
0x00409e39
0x00409e3b
0x00409e3d
0x00409e3f
0x00409e41
0x00409e43
0x00409e45
0x00409e47
0x00409e49
0x00409e6d
0x00409e6f
0x00409e73
0x00409e75
0x00409e79
0x00409e7d
0x00409e7e
0x00409e80
0x00409e82
0x00409e84
0x00409ee6
0x00409f06
0x00409f08
0x00409f0a
0x00409f0c
0x00409f0e
0x00409f0f
0x00409f6a
0x00409f91
0x00409f94
0x00409f96
0x00409f97
0x00409f99
0x00409f9c
0x00409f9e
0x0040a013
0x0040a018
0x0040a01c
0x0040a021
0x0040a023
0x0040a027
0x0040a029
0x0040a02b
0x0040a02d
0x0040a02f
0x0040a031
0x0040a0b2
0x0040a0b5
0x0040a0b7
0x0040a0b9
0x0040a0bc
0x0040a0be
0x0040a0c1
0x0040a0c3
0x0040a0c5
0x0040a129
0x0040a145
0x0040a149
0x0040a14b
0x0040a14e
0x0040a152
0x0040a156
0x0040a159

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9a19c151b45f1d8a9af7139e9b77d7a30e8624a3f32d72209e35f1a1fa757dcd
Instruction ID: 691a45986f0c78f110546b06d7e6527e22a23d67eda14d6f7804bb773fb7c54e
Opcode Fuzzy Hash: 9a19c151b45f1d8a9af7139e9b77d7a30e8624a3f32d72209e35f1a1fa757dcd
Instruction Fuzzy Hash: 3AE1339192A70689FFB22120C5C071E6650CF07B44F318F7BC861F59D2AB2FCACA15A7

Uniqueness

Uniqueness Score: -1.00%

Function 00409F15, Relevance: 1.8, APIs: 1, Instructions: 537memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c0a67c00ec94c0e9a34a5b49b4db7a8bed844f755ee591eca91d4727593948fe
Instruction ID: 883f8460e9062eb26ff186d7284956311b17214636dbaf94f8582ff7633c6ded
Opcode Fuzzy Hash: c0a67c00ec94c0e9a34a5b49b4db7a8bed844f755ee591eca91d4727593948fe
Instruction Fuzzy Hash: B6D1358192A70689FFB26120C5C071D6650CF07744F358F77C865F69D2AB2FCACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0CA, Relevance: 1.8, APIs: 1, Instructions: 529memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9608449c6dd8d1166a67615bbeaab7d1711bad874053b6e5ba1a328b4ff9b86b
Instruction ID: 11602d992f87ed82559ec752310a1b09460c0e77279f71e3e83198e176ae0ae1
Opcode Fuzzy Hash: 9608449c6dd8d1166a67615bbeaab7d1711bad874053b6e5ba1a328b4ff9b86b
Instruction Fuzzy Hash: F9C1248292A70599FFB36120C5C0B1E6250CF06744F358F77C861F69D2AB2FC9CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A15D, Relevance: 1.8, APIs: 1, Instructions: 516
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A15D(void* __eax, void* __ebx, void* __fp0) {
				signed char _t48;
				void* _t50;
				void* _t243;

				_t243 = __fp0;
				_t50 = __ebx;
				_t48 = (__eax - 0x00000001 | 0x000000f0) & 0;
			}

0x0040a15d
0x0040a15d
0x0040a1b3

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f121156b720836bd2b01d9cfdadfc92c06fe4e438cf3c4e5b5cf30dbb5a0fd5a
Instruction ID: c0aa745a7ce5f0f2f729ceb244d203142f31e86bb3343417f9e083f5772c0e2f
Opcode Fuzzy Hash: f121156b720836bd2b01d9cfdadfc92c06fe4e438cf3c4e5b5cf30dbb5a0fd5a
Instruction Fuzzy Hash: 67B1438292A30699FFB36120C5C0B5E6650CF06744F358F77C861F58D2AA2FCACA15A7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A27E, Relevance: 1.7, APIs: 1, Instructions: 479memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6d81742638f2ac492c05cd797511b5f7b9adac0d579139502d314faf3cc693a1
Instruction ID: b4d3e97db8aec70683e2e560439f8d8bb0eb4bb436edc43005d0789602dadaf1
Opcode Fuzzy Hash: 6d81742638f2ac492c05cd797511b5f7b9adac0d579139502d314faf3cc693a1
Instruction Fuzzy Hash: F5A1158292A70599FFB36120C5C071E2650CB06785F358F37C861F59D2BA2FCACA5597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A319, Relevance: 1.7, APIs: 1, Instructions: 459memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9111ff7a2c0a4f6f4e7991024627e59a220f1f3b9eb771305e850e401f22f8c4
Instruction ID: 7f0142f46330a7e5d2f4362a58813cdf04d56194f8de137cc873a811f4683adc
Opcode Fuzzy Hash: 9111ff7a2c0a4f6f4e7991024627e59a220f1f3b9eb771305e850e401f22f8c4
Instruction Fuzzy Hash: ADA1238292A70599FFB36120C5C0B1E2250CF16785F358F37C861F68D2BA2FCACA5597

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1EB, Relevance: 1.7, APIs: 1, Instructions: 453memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d005e3705ccd8e074ede189288488ad256a7f242c26f266d849b3e3d75f06406
Instruction ID: af1699d4d0a511c053606754a85d4501ce5b4b58754e857463c8d7759f5f54e4
Opcode Fuzzy Hash: d005e3705ccd8e074ede189288488ad256a7f242c26f266d849b3e3d75f06406
Instruction Fuzzy Hash: 72B1228292A30599FFB36120C5C071E6650CB02745F358F7BC861F68D2BA2F8ACA55A7

Uniqueness

Uniqueness Score: -1.00%

Function 0040A478, Relevance: 1.6, APIs: 1, Instructions: 340memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040A498

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 785f917f04df104ccc9af0c7fb1e54d8bf087ca50eb3378f628946278d6ff926
Instruction ID: 380f2235b0643383bc1f6017c9e072682ead7fcb4086ac250c130005a05233f9
Opcode Fuzzy Hash: 785f917f04df104ccc9af0c7fb1e54d8bf087ca50eb3378f628946278d6ff926
Instruction Fuzzy Hash: 1991029292A70599FFB36120C5C0B1D2250CF12785F358F37C861F58D2BA2F8ACA15A7

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040D3C4, Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

(3--, xrefs: 0040D57F

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: (3--
API String ID: 0-119145886
Opcode ID: 28ca7a8d72bfa13e9bdbe1f9d4d738e20c96fdc3ce249cd5fdd23aec513e0f06
Instruction ID: 0fabafc3c264203dba848b1731a397970b71309c2313a161f7ef4a6879d69325
Opcode Fuzzy Hash: 28ca7a8d72bfa13e9bdbe1f9d4d738e20c96fdc3ce249cd5fdd23aec513e0f06
Instruction Fuzzy Hash: 55416C7241E7D18FC7035F74C8A56807FB0EF5B204B1A05DAC4D09F4A7D63A6596CB92

Uniqueness

Uniqueness Score: -1.00%

Function 00412C94, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00412C94(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v48;
				void* _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _t79;
				signed int _t80;
				char* _t85;
				signed int _t90;
				signed int _t96;
				signed int _t101;
				intOrPtr _t105;
				intOrPtr _t117;
				void* _t119;
				signed int _t122;
				long long _t124;
				char _t125;

				_t124 = __fp0;
				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t117;
				_push(0x74);
				L00401260();
				_v12 = _t117;
				_v8 = 0x4011e8;
				_push(5);
				_push(0x411760);
				_t79 =  &_v48;
				_push(_t79);
				L0040132C();
				_v96 = _v96 & 0x00000000;
				if(_v96 >= 2) {
					L00401326();
					_v116 = _t79;
				} else {
					_v116 = _v116 & 0x00000000;
				}
				_t80 = _v96;
				asm("fld1");
				 *((long long*)(_v36 + _t80 * 8)) = _t124;
				_v96 = 1;
				_t119 = _v96 - 2;
				if(_t119 >= 0) {
					L00401326();
					_v120 = _t80;
				} else {
					_v120 = _v120 & 0x00000000;
				}
				_t105 = _v36;
				_t125 =  *0x4011e0;
				 *((long long*)(_t105 + _v96 * 8)) = _t125;
				_v92 =  &_v48;
				_push( &_v92);
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v56 = _t125;
				L00401320();
				L0040137A();
				asm("fcomp qword [0x4011d8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t119 != 0) {
					if( *0x41433c != 0) {
						_v124 = 0x41433c;
					} else {
						_push(0x41433c);
						_push(0x411718);
						L00401338();
						_v124 = 0x41433c;
					}
					_t28 =  &_v124; // 0x41433c
					_v96 =  *((intOrPtr*)( *_t28));
					_t96 =  *((intOrPtr*)( *_v96 + 0x1c))(_v96,  &_v56);
					asm("fclex");
					_v100 = _t96;
					if(_v100 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x411708);
						_push(_v96);
						_push(_v100);
						L00401356();
						_v128 = _t96;
					}
					_v104 = _v56;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t101 =  *((intOrPtr*)( *_v104 + 0x60))(_v104, L"Magterobringen", 0x10);
					asm("fclex");
					_v108 = _t101;
					_t122 = _v108;
					if(_t122 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x411728);
						_push(_v104);
						_push(_v108);
						L00401356();
						_v132 = _t101;
					}
					L00401332();
				}
				asm("fldz");
				L004012C6();
				L0040137A();
				asm("fcomp qword [0x4011d8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t122 != 0) {
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t90 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v96 = _t90;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x411500);
						_push(_a4);
						_push(_v96);
						L00401356();
						_v136 = _t90;
					}
				}
				_v24 = 0x7131b;
				asm("wait");
				_push(0x412ecc);
				_v92 =  &_v48;
				_t85 =  &_v92;
				_push(_t85);
				_push(0);
				L0040131A();
				return _t85;
			}

0x00412c94
0x00412c99
0x00412ca4
0x00412ca5
0x00412cac
0x00412caf
0x00412cb7
0x00412cba
0x00412cc1
0x00412cc3
0x00412cc8
0x00412ccb
0x00412ccc
0x00412cd1
0x00412cd9
0x00412ce1
0x00412ce6
0x00412cdb
0x00412cdb
0x00412cdb
0x00412ce9
0x00412cef
0x00412cf1
0x00412cf4
0x00412cfb
0x00412cff
0x00412d07
0x00412d0c
0x00412d01
0x00412d01
0x00412d01
0x00412d12
0x00412d15
0x00412d1b
0x00412d21
0x00412d27
0x00412d28
0x00412d2a
0x00412d2b
0x00412d2c
0x00412d2f
0x00412d34
0x00412d39
0x00412d3f
0x00412d41
0x00412d42
0x00412d4f
0x00412d69
0x00412d51
0x00412d51
0x00412d56
0x00412d5b
0x00412d60
0x00412d60
0x00412d70
0x00412d75
0x00412d84
0x00412d87
0x00412d89
0x00412d90
0x00412da9
0x00412d92
0x00412d92
0x00412d94
0x00412d99
0x00412d9c
0x00412d9f
0x00412da4
0x00412da4
0x00412db0
0x00412db3
0x00412dba
0x00412dc4
0x00412dce
0x00412dcf
0x00412dd0
0x00412dd1
0x00412ddf
0x00412de2
0x00412de4
0x00412de7
0x00412deb
0x00412e04
0x00412ded
0x00412ded
0x00412def
0x00412df4
0x00412df7
0x00412dfa
0x00412dff
0x00412dff
0x00412e0b
0x00412e0b
0x00412e10
0x00412e12
0x00412e17
0x00412e1c
0x00412e22
0x00412e24
0x00412e25
0x00412e27
0x00412e2e
0x00412e35
0x00412e3c
0x00412e46
0x00412e50
0x00412e51
0x00412e52
0x00412e53
0x00412e57
0x00412e61
0x00412e62
0x00412e63
0x00412e64
0x00412e6d
0x00412e73
0x00412e75
0x00412e7c
0x00412e9b
0x00412e7e
0x00412e7e
0x00412e83
0x00412e88
0x00412e8b
0x00412e8e
0x00412e93
0x00412e93
0x00412e7c
0x00412ea2
0x00412ea9
0x00412eaa
0x00412ebd
0x00412ec0
0x00412ec3
0x00412ec4
0x00412ec6
0x00412ecb

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412CAF
__vbaAryConstruct2.MSVBVM60(?,00411760,00000005,?,?,?,?,00401266), ref: 00412CCC
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411760,00000005), ref: 00412CE1
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411760,00000005), ref: 00412D07
#684.MSVBVM60(?,?,?), ref: 00412D2F
__vbaFpR8.MSVBVM60(?,?,?), ref: 00412D34
__vbaNew2.MSVBVM60(00411718,0041433C,?,?,?), ref: 00412D5B
__vbaHresultCheckObj.MSVBVM60(00000000,00000002,00411708,0000001C,?,?,?,?,?,?,?), ref: 00412D9F
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?), ref: 00412DC4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411728,00000060,?,?,?,?,?,?,?), ref: 00412DFA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 00412E0B
_CIcos.MSVBVM60(?,?,?), ref: 00412E12
__vbaFpR8.MSVBVM60(?,?,?), ref: 00412E17
__vbaChkstk.MSVBVM60(?,?,?), ref: 00412E46
__vbaChkstk.MSVBVM60(?,?,?), ref: 00412E57
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411500,000002B0), ref: 00412E8E
__vbaAryDestruct.MSVBVM60(00000000,?,00412ECC,?,?,?), ref: 00412EC6

Strings

Magterobringen, xrefs: 00412DD2
<CA, xrefs: 00412D70

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresult$BoundsErrorGenerate$#684Construct2DestructFreeIcosNew2
String ID: <CA$Magterobringen
API String ID: 2333708068-3107163244
Opcode ID: 0c67fb3b35f2eeb34368dc517fda169989df38904b6448e09c5a36b45ce4672d
Instruction ID: 838801caf741acdddd009fa0721a6587f0201aae65c446e482b9667fe6b88255
Opcode Fuzzy Hash: 0c67fb3b35f2eeb34368dc517fda169989df38904b6448e09c5a36b45ce4672d
Instruction Fuzzy Hash: 62612870D00208EFEB10EFE5CA45BDDBBB1BF08705F20406AE915BB2A1C7B919959F18

Uniqueness

Uniqueness Score: -1.00%

Function 00412534, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00412534(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v48;
				short _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char* _v80;
				char _v88;
				short _v92;
				short _t45;
				intOrPtr* _t46;
				signed int _t48;
				char* _t52;
				char* _t53;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401260();
				_v16 = _t71;
				_v12 = 0x401108;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401266, _t68);
				_v64 = 0x80020004;
				_v72 = 0xa;
				_t45 =  &_v72;
				_push(_t45);
				L004013C8();
				_v52 = _t45;
				L004013C2();
				_t46 = _a8;
				_push( *_t46);
				_push(0x4116c0);
				L004013BC();
				if(_t46 != 0) {
					_v80 = _a8;
					_v88 = 0x4008;
					_push(0);
					_t48 =  &_v88;
					_push(_t48);
					L004013B0();
					L004013B6();
					_push(_t48);
					_push(0x4116c0);
					L004013BC();
					asm("sbb eax, eax");
					_v92 =  ~( ~_t48 + 1);
					L004013AA();
					_t52 = _v92;
					if(_t52 == 0) {
						_t53 = _a8;
						_push( *_t53);
						_push(_v52);
						_push(0xffffffff);
						_push(1);
						L004013A4();
						while(1) {
							_push(_v52);
							L0040139E();
							_t52 = _t53;
							if(_t52 != 0) {
								break;
							}
							_push(_v52);
							_push( &_v28);
							L00401398();
							_v80 =  &_v28;
							_v88 = 0x4008;
							_push(0x10);
							L00401260();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(1);
							_push("Add");
							_t53 =  &_v48;
							_push(_t53);
							L0040138C();
							_push(_t53);
							L00401392();
							_t71 = _t71 + 0x1c;
						}
						_push(_v52);
						L00401386();
						L00401380();
						_v32 = _v32 | 0x0000ffff;
					} else {
						_v32 = _v32 & 0x00000000;
					}
				} else {
					_v32 = _v32 & 0x00000000;
				}
				_push(0x4126a3);
				L004013AA();
				L004013C2();
				return _t52;
			}

0x00412537
0x00412546
0x00412550
0x00412558
0x0041255b
0x00412562
0x00412571
0x00412574
0x0041257b
0x00412582
0x00412585
0x00412586
0x0041258b
0x00412592
0x00412597
0x0041259a
0x0041259c
0x004125a1
0x004125a8
0x004125b7
0x004125ba
0x004125c1
0x004125c3
0x004125c6
0x004125c7
0x004125d1
0x004125d6
0x004125d7
0x004125dc
0x004125e3
0x004125e8
0x004125ef
0x004125f4
0x004125fa
0x00412603
0x00412606
0x00412608
0x0041260b
0x0041260d
0x0041260f
0x00412614
0x00412614
0x00412617
0x0041261c
0x00412621
0x00000000
0x00000000
0x00412623
0x00412629
0x0041262a
0x00412632
0x00412635
0x0041263c
0x0041263f
0x00412649
0x0041264a
0x0041264b
0x0041264c
0x0041264d
0x0041264f
0x00412654
0x00412657
0x00412658
0x0041265d
0x0041265e
0x00412663
0x00412663
0x00412668
0x0041266b
0x00412670
0x00412675
0x004125fc
0x004125fc
0x004125fc
0x004125aa
0x004125aa
0x004125aa
0x0041267a
0x00412695
0x0041269d
0x004126a2

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412550
#648.MSVBVM60(0000000A), ref: 00412586
__vbaFreeVar.MSVBVM60(0000000A), ref: 00412592
__vbaStrCmp.MSVBVM60(004116C0,?,0000000A), ref: 004125A1
#645.MSVBVM60(?,00000000,004116C0,?,0000000A), ref: 004125C7
__vbaStrMove.MSVBVM60(?,00000000,004116C0,?,0000000A), ref: 004125D1
__vbaStrCmp.MSVBVM60(004116C0,00000000,?,00000000,004116C0,?,0000000A), ref: 004125DC
__vbaFreeStr.MSVBVM60(004116C0,00000000,?,00000000,004116C0,?,0000000A), ref: 004125EF
__vbaFreeStr.MSVBVM60(004126A3,?,?,00000001,000000FF,?,?,004116C0,00000000,?,00000000,004116C0,?,0000000A), ref: 00412695
__vbaFreeVar.MSVBVM60(004126A3,?,?,00000001,000000FF,?,?,004116C0,00000000,?,00000000,004116C0,?,0000000A), ref: 0041269D

Strings

Add, xrefs: 0041264F

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#645#648ChkstkMove
String ID: Add
API String ID: 4182468812-3310826759
Opcode ID: 4a8ce3e337da7effdc89d1a1f7226c3adedcdf4df28f4426e7b5d00b7768170a
Instruction ID: 2f7a8ec390981ce2fc1a5f752a66701b1e18ac98f96810866cfcac29d66a4181
Opcode Fuzzy Hash: 4a8ce3e337da7effdc89d1a1f7226c3adedcdf4df28f4426e7b5d00b7768170a
Instruction Fuzzy Hash: D0413E71D10208AADF10EFE5C946BDE7BB4AF05704F10802AF901FB5E1DBBC9A558B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413115, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00413115(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				short _v28;
				short _v32;
				char _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				void* _v52;
				signed int _v56;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				void* _t53;
				signed int _t59;
				signed int _t64;
				short _t65;
				signed int _t68;
				void* _t74;
				void* _t76;
				intOrPtr* _t77;

				_t77 = _t76 - 0xc;
				 *[fs:0x0] = _t77;
				L00401260();
				_v16 = _t77;
				_v12 = 0x401248;
				_v8 = 0;
				_t53 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401266, _t74);
				_push(0x4117ac);
				L004012FC();
				asm("fcomp qword [0x4011e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					L004012F6();
					_v52 =  *0x40123c;
					_v56 =  *0x401238;
					 *_t77 =  *0x401234;
					 *_t77 =  *0x401230;
					_t68 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t53);
					asm("fclex");
					_v44 = _t68;
					if(_v44 >= 0) {
						_t15 =  &_v68;
						 *_t15 = _v68 & 0x00000000;
						__eflags =  *_t15;
					} else {
						_push(0x2c8);
						_push(0x411500);
						_push(_a4);
						_push(_v44);
						L00401356();
						_v68 = _t68;
					}
				}
				if( *0x41433c != 0) {
					_v72 = 0x41433c;
				} else {
					_push(0x41433c);
					_push(0x411718);
					L00401338();
					_v72 = 0x41433c;
				}
				_t19 =  &_v72; // 0x41433c
				_v44 =  *((intOrPtr*)( *_t19));
				_t59 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t59;
				if(_v48 >= 0) {
					_t30 =  &_v76;
					 *_t30 = _v76 & 0x00000000;
					__eflags =  *_t30;
				} else {
					_push(0x14);
					_push(0x411708);
					_push(_v44);
					_push(_v48);
					L00401356();
					_v76 = _t59;
				}
				_v52 = _v36;
				_t64 =  *((intOrPtr*)( *_v52 + 0x120))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t64;
				if(_v56 >= 0) {
					_t43 =  &_v80;
					 *_t43 = _v80 & 0x00000000;
					__eflags =  *_t43;
				} else {
					_push(0x120);
					_push(0x4117b0);
					_push(_v52);
					_push(_v56);
					L00401356();
					_v80 = _t64;
				}
				_t65 = _v40;
				_v32 = _t65;
				L00401332();
				_v28 = 0xf6;
				asm("wait");
				_push(0x4132a5);
				return _t65;
			}

0x00413118
0x00413127
0x00413131
0x00413139
0x0041313c
0x00413143
0x00413152
0x00413155
0x0041315a
0x0041315f
0x00413165
0x00413167
0x00413168
0x00413170
0x0041317d
0x00413187
0x00413191
0x0041319b
0x004131a8
0x004131ae
0x004131b0
0x004131b7
0x004131d3
0x004131d3
0x004131d3
0x004131b9
0x004131b9
0x004131be
0x004131c3
0x004131c6
0x004131c9
0x004131ce
0x004131ce
0x004131b7
0x004131de
0x004131f8
0x004131e0
0x004131e0
0x004131e5
0x004131ea
0x004131ef
0x004131ef
0x004131ff
0x00413204
0x00413213
0x00413216
0x00413218
0x0041321f
0x00413238
0x00413238
0x00413238
0x00413221
0x00413221
0x00413223
0x00413228
0x0041322b
0x0041322e
0x00413233
0x00413233
0x0041323f
0x0041324e
0x00413254
0x00413256
0x0041325d
0x00413279
0x00413279
0x00413279
0x0041325f
0x0041325f
0x00413264
0x00413269
0x0041326c
0x0041326f
0x00413274
0x00413274
0x0041327d
0x00413281
0x00413288
0x0041328d
0x00413293
0x00413294
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00413131
__vbaR8Str.MSVBVM60(004117AC,?,?,?,?,00401266), ref: 0041315A
__vbaFpI4.MSVBVM60(004117AC,?,?,?,?,00401266), ref: 00413170
__vbaHresultCheckObj.MSVBVM60(00000000,00401248,00411500,000002C8), ref: 004131C9
__vbaNew2.MSVBVM60(00411718,0041433C,004117AC,?,?,?,?,00401266), ref: 004131EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411708,00000014), ref: 0041322E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004117B0,00000120), ref: 0041326F
__vbaFreeObj.MSVBVM60 ref: 00413288

Strings

<CA, xrefs: 004131FF

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: <CA
API String ID: 1616694062-146778150
Opcode ID: adf8f71de7880ca1c25ee4d2c51e93782765b2dd105e3bff168da96698baa242
Instruction ID: 9bd13c123b0824ac038890693a420d98daa47a2e4d9dd22ce5388f380e7374e1
Opcode Fuzzy Hash: adf8f71de7880ca1c25ee4d2c51e93782765b2dd105e3bff168da96698baa242
Instruction Fuzzy Hash: 87411475A00208EFCB00AFA5C949BDDBFB4FF08705F1080AAF501B62A0C7785A959F69

Uniqueness

Uniqueness Score: -1.00%

Function 00412B2C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E00412B2C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _t44;
				signed int _t50;
				signed int _t56;
				intOrPtr _t64;

				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t64;
				_push(0x30);
				L00401260();
				_v12 = _t64;
				_v8 = 0x4011c8;
				L004012DE();
				L0040137A();
				asm("fcomp qword [0x4011b8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_t56 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x30ef);
					asm("fclex");
					_v36 = _t56;
					if(_v36 >= 0) {
						_t11 =  &_v56;
						 *_t11 = _v56 & 0x00000000;
						__eflags =  *_t11;
					} else {
						_push(0x254);
						_push(0x411500);
						_push(_a4);
						_push(_v36);
						L00401356();
						_v56 = _t56;
					}
				}
				_t44 = 0;
				if(0 != 0) {
					if( *0x41433c != 0) {
						_v60 = 0x41433c;
					} else {
						_push(0x41433c);
						_push(0x411718);
						L00401338();
						_v60 = 0x41433c;
					}
					_t15 =  &_v60; // 0x41433c
					_v36 =  *((intOrPtr*)( *_t15));
					_t50 =  *((intOrPtr*)( *_v36 + 0x1c))(_v36,  &_v32);
					asm("fclex");
					_v40 = _t50;
					if(_v40 >= 0) {
						_t26 =  &_v64;
						 *_t26 = _v64 & 0x00000000;
						__eflags =  *_t26;
					} else {
						_push(0x1c);
						_push(0x411708);
						_push(_v36);
						_push(_v40);
						L00401356();
						_v64 = _t50;
					}
					_v44 = _v32;
					_t44 =  *((intOrPtr*)( *_v44 + 0x50))(_v44);
					asm("fclex");
					_v48 = _t44;
					if(_v48 >= 0) {
						_t38 =  &_v68;
						 *_t38 = _v68 & 0x00000000;
						__eflags =  *_t38;
					} else {
						_push(0x50);
						_push(0x411728);
						_push(_v44);
						_push(_v48);
						L00401356();
						_v68 = _t44;
					}
					L00401332();
				}
				_v28 =  *0x4011b0;
				asm("wait");
				_push(0x412c79);
				return _t44;
			}

0x00412b31
0x00412b3c
0x00412b3d
0x00412b44
0x00412b47
0x00412b4f
0x00412b52
0x00412b5f
0x00412b64
0x00412b69
0x00412b6f
0x00412b71
0x00412b72
0x00412b81
0x00412b87
0x00412b89
0x00412b90
0x00412bac
0x00412bac
0x00412bac
0x00412b92
0x00412b92
0x00412b97
0x00412b9c
0x00412b9f
0x00412ba2
0x00412ba7
0x00412ba7
0x00412b90
0x00412bb0
0x00412bb4
0x00412bc1
0x00412bdb
0x00412bc3
0x00412bc3
0x00412bc8
0x00412bcd
0x00412bd2
0x00412bd2
0x00412be2
0x00412be7
0x00412bf6
0x00412bf9
0x00412bfb
0x00412c02
0x00412c1b
0x00412c1b
0x00412c1b
0x00412c04
0x00412c04
0x00412c06
0x00412c0b
0x00412c0e
0x00412c11
0x00412c16
0x00412c16
0x00412c22
0x00412c2d
0x00412c30
0x00412c32
0x00412c39
0x00412c52
0x00412c52
0x00412c52
0x00412c3b
0x00412c3b
0x00412c3d
0x00412c42
0x00412c45
0x00412c48
0x00412c4d
0x00412c4d
0x00412c59
0x00412c59
0x00412c64
0x00412c67
0x00412c68
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412B47
_CIsqrt.MSVBVM60(?,?,?,?,00401266), ref: 00412B5F
__vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 00412B64
__vbaHresultCheckObj.MSVBVM60(?,?,00411500,00000254,?,?,?,?,00401266), ref: 00412BA2
__vbaNew2.MSVBVM60(00411718,0041433C,?,?,?,?,00401266), ref: 00412BCD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411708,0000001C,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 00412C11
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411728,00000050,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 00412C48
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 00412C59

Strings

<CA, xrefs: 00412BE2

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeIsqrtNew2
String ID: <CA
API String ID: 987039556-146778150
Opcode ID: c9ed30305bec827d025ba72ebfe81d0c26fa04f48c47926e76bd9d4c0b239fcb
Instruction ID: 8384e09064b8e91a0dc0e76dcd32e80ce0fff0b6924eb41ca4782bb6edde852b
Opcode Fuzzy Hash: c9ed30305bec827d025ba72ebfe81d0c26fa04f48c47926e76bd9d4c0b239fcb
Instruction Fuzzy Hash: 43412671A00208EFDF00AF95CA46BDDBBB4FB08755F10406AF601B62A1D7B95895DF6C

Uniqueness

Uniqueness Score: -1.00%

Function 00412EE7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00412EE7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				char* _t30;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t46 = _t45 - 0xc;
				 *[fs:0x0] = _t46;
				L00401260();
				_v16 = _t46;
				_v12 = 0x4011f8;
				_v8 = 0;
				_t30 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t43);
				_push(0x41177c);
				L00401314();
				if(_t30 != 2) {
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v100 = L"HEPATATROPHY";
					_v108 = 8;
					L0040136E();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(0);
					_push( &_v44);
					L0040130E();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_t30 =  &_v44;
					_push(_t30);
					_push(4);
					L00401308();
				}
				_push(0x4117a4);
				L00401302();
				if(_t30 == 0x61) {
					_v28 = 0x32bb;
				}
				_push(0x412fe7);
				return _t30;
			}

0x00412eea
0x00412ef9
0x00412f05
0x00412f0d
0x00412f10
0x00412f17
0x00412f26
0x00412f29
0x00412f2e
0x00412f36
0x00412f38
0x00412f3f
0x00412f46
0x00412f4d
0x00412f54
0x00412f5b
0x00412f62
0x00412f69
0x00412f76
0x00412f7e
0x00412f82
0x00412f86
0x00412f87
0x00412f8c
0x00412f8d
0x00412f95
0x00412f99
0x00412f9d
0x00412f9e
0x00412fa1
0x00412fa2
0x00412fa4
0x00412fa9
0x00412fac
0x00412fb1
0x00412fba
0x00412fbe
0x00412fbe
0x00412fc4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412F05
__vbaLenBstrB.MSVBVM60(0041177C,?,?,?,?,00401266), ref: 00412F2E
__vbaVarDup.MSVBVM60 ref: 00412F76
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 00412F8D
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 00412FA4
#516.MSVBVM60(004117A4,0041177C,?,?,?,?,00401266), ref: 00412FB1

Strings

HEPATATROPHY, xrefs: 00412F62

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#516#595BstrChkstkFreeList
String ID: HEPATATROPHY
API String ID: 3121728414-4183309565
Opcode ID: 9c1733f315996f76fe6ccec5a6bc585353bc67b9e8d9ab492c0a0a3dc47eec29
Instruction ID: 487aaffccf355c4a74574aa4ad6f5526c27250570529ca35b039fe9979bcc9ce
Opcode Fuzzy Hash: 9c1733f315996f76fe6ccec5a6bc585353bc67b9e8d9ab492c0a0a3dc47eec29
Instruction Fuzzy Hash: 9521E9B1940248ABDB01DFD4C985FDEBBB8FF04704F54406AF501BA291D7B89585CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413010, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00413010(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v32;
				char _v40;
				signed int _v60;
				signed int _v68;
				void* _t20;
				char* _t21;
				signed int _t24;
				intOrPtr* _t35;

				_push(__ecx);
				_push(__ecx);
				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_t20 = 0x30;
				L00401260();
				_v12 = _t35;
				_v8 = 0x401220;
				_push(0x4117ac);
				L004012FC();
				asm("fcomp qword [0x4011e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					L004012F6();
					 *_t35 =  *0x401214;
					 *_t35 =  *0x401210;
					 *_t35 =  *0x40120c;
					 *_t35 =  *0x401208;
					_t24 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t20);
					asm("fclex");
					_v60 = _t24;
					if(_v60 >= 0) {
						_t11 =  &_v68;
						 *_t11 = _v68 & 0x00000000;
						__eflags =  *_t11;
					} else {
						_push(0x2c8);
						_push(0x411500);
						_push(_a4);
						_push(_v60);
						L00401356();
						_v68 = _t24;
					}
				}
				_v32 = 2;
				_v40 = 2;
				_t21 =  &_v40;
				_push(_t21);
				L004012F0();
				L004013B6();
				L004013C2();
				asm("wait");
				_push(0x413102);
				L004013AA();
				return _t21;
			}

0x00413013
0x00413014
0x00413015
0x00413020
0x00413021
0x0041302a
0x0041302b
0x00413033
0x00413036
0x0041303d
0x00413042
0x00413047
0x0041304d
0x0041304f
0x00413050
0x00413058
0x00413065
0x0041306f
0x00413079
0x00413083
0x00413090
0x00413096
0x00413098
0x0041309f
0x004130bb
0x004130bb
0x004130bb
0x004130a1
0x004130a1
0x004130a6
0x004130ab
0x004130ae
0x004130b1
0x004130b6
0x004130b6
0x0041309f
0x004130bf
0x004130c6
0x004130cd
0x004130d0
0x004130d1
0x004130db
0x004130e3
0x004130e8
0x004130e9
0x004130fc
0x00413101

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 0041302B
__vbaR8Str.MSVBVM60(004117AC,?,?,?,?,00401266), ref: 00413042
__vbaFpI4.MSVBVM60(004117AC,?,?,?,?,00401266), ref: 00413058
__vbaHresultCheckObj.MSVBVM60(?,?,00411500,000002C8,?,?,?,?,00000000,004117AC,?,?,?,?,00401266), ref: 004130B1
#536.MSVBVM60(?,004117AC,?,?,?,?,00401266), ref: 004130D1
__vbaStrMove.MSVBVM60(?,004117AC,?,?,?,?,00401266), ref: 004130DB
__vbaFreeVar.MSVBVM60(?,004117AC,?,?,?,?,00401266), ref: 004130E3
__vbaFreeStr.MSVBVM60(00413102,?,004117AC,?,?,?,?,00401266), ref: 004130FC

Memory Dump Source

Source File: 00000001.00000002.730882620.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.730869844.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.730924447.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.730945326.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536CheckChkstkHresultMove
String ID:
API String ID: 2640481455-0
Opcode ID: 84dc03e88f4acace8c38d44062f0b1168cfc497af8e5749c08cffacca138b795
Instruction ID: f3e0ac1973346f7d922c21e1534a686a1b74f9983050a44390b4437ddc9e41d1
Opcode Fuzzy Hash: 84dc03e88f4acace8c38d44062f0b1168cfc497af8e5749c08cffacca138b795
Instruction Fuzzy Hash: D32157B0900208EFDB00AF91C94ABAEBFB8EB08741F1045AEF141B61B1C7781A949B5D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Overworn.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Overworn.exe PID: 2200 Parent PID: 5624

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Overworn.exe PID: 2200 Parent PID: 5624 Overworn.exeCOMMON

Executed Functions

Function 00408D2A, Relevance: 31.1, APIs: 1, Strings: 19, Instructions: 1099COMMON

Function 00408DE0, Relevance: 31.1, APIs: 1, Strings: 19, Instructions: 1078COMMON

Function 004030B7, Relevance: 29.5, APIs: 1, Strings: 18, Instructions: 1034memoryCOMMON

Function 00408E76, Relevance: 29.5, APIs: 1, Strings: 18, Instructions: 1023memoryCOMMON

Function 004126CC, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 252
COMMON

Function 004013E8, Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 610
COMMON

Function 004096F2, Relevance: 2.1, APIs: 1, Instructions: 872
COMMON

Function 00409DF6, Relevance: 1.8, APIs: 1, Instructions: 574
memoryCOMMON

Function 0040A15D, Relevance: 1.8, APIs: 1, Instructions: 516
COMMON

Function 00412C94, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174
COMMON

Function 00412534, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 108
COMMON

Function 00413115, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116
COMMON

Function 00412B2C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98
COMMON

Function 00412EE7, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
COMMON

Function 00413010, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON