Play interactive tour

Edit tour

Analysis Report gedanken.exe

Overview

General Information

Sample Name:	gedanken.exe
Analysis ID:	384219
MD5:	e2342da4c7a6ff102679cd487954dc5f
SHA1:	a5aec8579ab17e7378c5cff51eb321d55f2e3532
SHA256:	dc51b75c62afc72ad319d361366d01901a237343fe8dafc568fc0f38d9bc7f3a
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains an invalid checksum

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

gedanken.exe (PID: 6880 cmdline: 'C:\Users\user\Desktop\gedanken.exe' MD5: E2342DA4C7A6FF102679CD487954DC5F)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: gedanken.exe PID: 6880	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: gedanken.exe PID: 6880	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: gedanken.exe	Virustotal: Detection: 52%			Perma Link
Source: gedanken.exe	ReversingLabs: Detection: 50%

Machine Learning detection for sample

Show sources

Source: gedanken.exe

Joe Sandbox ML: detected

Source: gedanken.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\gedanken.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00465802		0_2_00465802
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00461A9C		0_2_00461A9C

Source: gedanken.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gedanken.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: gedanken.exe, 00000000.00000002.1169390599.0000000002260000.00000002.00000001.sdmp

Binary or memory string: OriginalFilenameuser32j% vs gedanken.exe

Source: gedanken.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\gedanken.exe

File created: C:\Users\user\AppData\Local\Temp\~DFBBC711B87778BA89.TMP

Jump to behavior

Source: gedanken.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\gedanken.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\gedanken.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: gedanken.exe	Virustotal: Detection: 52%
Source: gedanken.exe	ReversingLabs: Detection: 50%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: gedanken.exe PID: 6880, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: gedanken.exe PID: 6880, type: MEMORY

Source: gedanken.exe

Static PE information: real checksum: 0x29cba should be: 0x275ed

Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0040BE5C push 7600FFCEh; iretd	0_2_0040BE61
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004030E1 push ss; iretd	0_2_0040314C
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0040249C push edi; retf	0_2_0040249D
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0040314D push ss; iretd	0_2_0040314C
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0040475D push ss; retf	0_2_004047C4
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004047C8 push ss; retf	0_2_004047C4
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00464CDA push ecx; retf	0_2_00464CEA
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462CA0 push ecx; retf	0_2_00462CA1
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00466554 pushfd ; iretd	0_2_00466555
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00466A14 push edi; ret	0_2_00466A23

Source: C:\Users\user\Desktop\gedanken.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462C4F	0_2_00462C4F
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0046581C	0_2_0046581C
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462CFC	0_2_00462CFC
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462CBE	0_2_00462CBE
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462D3F	0_2_00462D3F
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462DD6	0_2_00462DD6
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462D80	0_2_00462D80
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462A65	0_2_00462A65
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00461670	0_2_00461670
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462E13	0_2_00462E13
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462ACB	0_2_00462ACB
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462B08	0_2_00462B08
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462B88	0_2_00462B88
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462BB6	0_2_00462BB6

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: gedanken.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\gedanken.exe

RDTSC instruction interceptor: First address: 0000000000463681 second address: 0000000000463681 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FDEBC8E5224h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test bl, bl 0x0000001f cmp bl, al 0x00000021 pop ecx 0x00000022 cmp edx, ecx 0x00000024 test al, dl 0x00000026 add edi, edx 0x00000028 jmp 00007FDEBC8E521Ah 0x0000002a cmp al, B6h 0x0000002c dec ecx 0x0000002d cmp dx, 0C52h 0x00000032 cmp ecx, 00000000h 0x00000035 jne 00007FDEBC8E51CAh 0x00000037 push ecx 0x00000038 call 00007FDEBC8E525Eh 0x0000003d call 00007FDEBC8E5234h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc

Source: C:\Users\user\Desktop\gedanken.exe

Code function: 0_2_0040946F rdtsc

0_2_0040946F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: gedanken.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\gedanken.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\gedanken.exe

Code function: 0_2_0040946F rdtsc

0_2_0040946F

Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004620C0 mov eax, dword ptr fs:[00000030h]	0_2_004620C0
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004634DA mov eax, dword ptr fs:[00000030h]	0_2_004634DA
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004620BE mov eax, dword ptr fs:[00000030h]	0_2_004620BE
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00465A03 mov eax, dword ptr fs:[00000030h]	0_2_00465A03
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00461A8E mov eax, dword ptr fs:[00000030h]	0_2_00461A8E
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00466356 mov eax, dword ptr fs:[00000030h]	0_2_00466356
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0046635B mov eax, dword ptr fs:[00000030h]	0_2_0046635B
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462358 mov eax, dword ptr fs:[00000030h]	0_2_00462358
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_0046233D mov eax, dword ptr fs:[00000030h]	0_2_0046233D
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_00462396 mov eax, dword ptr fs:[00000030h]	0_2_00462396
Source: C:\Users\user\Desktop\gedanken.exe	Code function: 0_2_004623B7 mov eax, dword ptr fs:[00000030h]	0_2_004623B7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: gedanken.exe, 00000000.00000002.1169278487.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: gedanken.exe, 00000000.00000002.1169278487.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: gedanken.exe, 00000000.00000002.1169278487.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: gedanken.exe, 00000000.00000002.1169278487.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\gedanken.exe

Code function: 0_2_004612AC cpuid

0_2_004612AC

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery411	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
gedanken.exe	53%	Virustotal		Browse
gedanken.exe	50%	ReversingLabs	Win32.Trojan.GuLoader
gedanken.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384219
Start date:	08.04.2021
Start time:	18:50:52
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	gedanken.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.8% (good quality ratio 16.5%) Quality average: 24.8% Quality standard deviation: 27.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.658586008613306
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	gedanken.exe
File size:	110592
MD5:	e2342da4c7a6ff102679cd487954dc5f
SHA1:	a5aec8579ab17e7378c5cff51eb321d55f2e3532
SHA256:	dc51b75c62afc72ad319d361366d01901a237343fe8dafc568fc0f38d9bc7f3a
SHA512:	23cf2857f305792f8318760ff36f2f3dc940598850afa4410136c0c3abec58df2c7eaceb463ab64d45b101bc4f4c9c1aa8d737e46876e8120ef244621ec77803
SSDEEP:	1536:4yPqW0672Qw+Q7jlNmY/2vL2M/FPVm9v6hRK1ZPVm9vDd2Mf2v:Viw73Yfxv8Vm2A1FVmy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...i.rY.................0...................@....@................

File Icon


Icon Hash:	c0c6f2e0e4fefe3f

Static PE Info

General
Entrypoint:	0x4013e8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5972E969 [Sat Jul 22 05:58:01 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d1ed0dda3501483d16a7ad09b76f3b08

Entrypoint Preview

Instruction
push 00411514h
call 00007FDEBC9AD553h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], al
pushf
sar dword ptr [esi+1Ah], cl
aad 44h
xchg byte ptr [eax-7Dh], cl
dec cx
dec esi
outsd
test byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
jne 00007FDEBC9AD5CEh
popad
insb
jns 00007FDEBC9AD5D2h
je 00007FDEBC9AD5D7h
jnc 00007FDEBC9AD5D6h
jc 00007FDEBC9AD5C7h
jc 00007FDEBC9AD5D5h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or edx, dword ptr [eax+61079236h]
lea edi, dword ptr [esi-217365B3h]
je 00007FDEBC9AD5E0h
insd
push ds
in eax, 84h
fisttp dword ptr [esi]
sbb dword ptr [esi-01h], esp
cli
inc esp
test al, 32h
sti
shl dword ptr [eax], cl
out dx, eax
push ebp
imul edi, dword ptr [edx], 9933AD4Fh
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13934	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x5c3a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x108	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12ddc	0x13000	False	0.42867238898	data	6.08030531578	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x14000	0x117c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x5c3a	0x6000	False	0.359700520833	data	5.27049873079	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1ad92	0xea8	data
RT_ICON	0x1a4ea	0x8a8	data
RT_ICON	0x19f82	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x179da	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x16932	0x10a8	data
RT_ICON	0x164ca	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x16470	0x5a	data
RT_VERSION	0x161e0	0x290	MS Windows COFF PA-RISC object file	Guarani	Paraguay

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaLineInputStr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaLateMemCall, __vbaVarAdd, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0474 0x04b0
InternalName	gedanken
FileVersion	1.00
CompanyName	Pana-sonic
Comments	Pana-sonic
ProductName	Pana-sonic
ProductVersion	1.00
FileDescription	Pana-sonic
OriginalFilename	gedanken.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Guarani	Paraguay

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: gedanken.exe PID: 6880 Parent PID: 5912

General

Start time:	18:51:37
Start date:	08/04/2021
Path:	C:\Users\user\Desktop\gedanken.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\gedanken.exe'
Imagebase:	0x400000
File size:	110592 bytes
MD5 hash:	E2342DA4C7A6FF102679CD487954DC5F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: gedanken.exe PID: 6880 Parent PID: 5912 gedanken.exeCOMMON

Executed Functions

Function 0040946F, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1044
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040946F(intOrPtr* __eax, signed char __ebx, signed int* __ecx, void* __edx, void* __esi, void* __fp0) {
				intOrPtr* _t9;
				intOrPtr* _t12;
				signed char _t13;
				intOrPtr* _t14;
				intOrPtr* _t15;
				signed int* _t16;
				long long* _t18;
				void* _t32;

				L0:
				while(1) {
					L0:
					_t32 = __fp0;
					_t16 = __ecx;
					_t13 = __ebx;
					_t9 = __eax;
					asm("arpl [eax-0x52], di");
					while(1) {
						L3:
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						if( *_t13 < 0) {
							break;
						}
						L1:
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						asm("cli");
						 *(_t13 + 0x34) =  *(_t13 + 0x34) & _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						asm("scasd");
						asm("stc");
						asm("invalid");
						asm("lds eax, [ecx]");
						asm("int3");
						asm("insd");
						asm("les ebx, [0x1b0000]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						asm("wait");
						asm("loop 0xfffffffe");
						_t18 = 0x7f16df51;
						_t32 = _t32 +  *_t18;
						asm("sbb eax, 0x1b0000");
						 *_t13 =  *_t13 + _t13;
						L2:
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
						 *_t9 =  *_t9 + _t9;
						asm("sbb eax, [eax]");
						 *_t13 =  *_t13 + _t13;
					}
					L4:
					asm("stosd");
					asm("salc");
					asm("wait");
					asm("loop 0xffffffe8");
					asm("a16 add eax, 0x5c2e6fd");
					asm("cld");
					asm("a16 das");
					asm("fs insd");
					asm("iretd");
					 *_t16 =  *_t16 | 0x1558d6e7;
					asm("aam 0x88");
					asm("cli");
					_t14 = _t13 + _t13;
					asm("das");
					_t12 = _t9 + 0xe5d067fd;
					_push(ss);
					if (_t12 > 0) goto L5;
					L5:
					 *_t14 =  *_t14 + _t14;
					 *_t12 =  *_t12 + _t12;
					asm("sbb eax, [eax]");
					 *_t14 =  *_t14 + _t14;
					 *_t12 =  *_t12 + _t12;
					asm("sbb eax, [eax]");
					 *_t14 =  *_t14 + _t14;
					 *_t12 =  *_t12 + _t12;
					asm("sbb eax, [eax]");
					 *_t14 =  *_t14 + _t14;
					 *_t12 =  *_t12 + _t12;
					asm("sbb ecx, [edi-0x43]");
					asm("lds ecx, [esi+0x63]");
				}
				asm("loopne 0x6d");
				asm("movsd");
				asm("invalid");
				asm("stosb");
				_t15 = _t14 + 1;
				asm("loopne 0x64");
				asm("fdivr dword [edx]");
				asm("invalid");
				asm("out dx, al");
				asm("in eax, 0x0");
				 *_t15 =  *_t15 + _t15;
				 *_t12 =  *_t12 + _t12;
				asm("sbb eax, [eax]");
				 *_t15 =  *_t15 + _t15;
				 *_t12 =  *_t12 + _t12;
				asm("sbb eax, [eax]");
				 *_t15 =  *_t15 + _t15;
				 *_t12 =  *_t12 + _t12;
				asm("sbb eax, [eax]");
				 *_t15 =  *_t15 + _t15;
				 *_t12 =  *_t12 + _t12;
				asm("sbb esp, ebx");
				return _t12;
			}

0x0040946f
0x0040946f
0x0040946f
0x0040946f
0x0040946f
0x0040946f
0x0040946f
0x00409470
0x00409421
0x00409421
0x00409421
0x00409423
0x00409425
0x00000000
0x00000000
0x004093b8
0x004093b8
0x004093ba
0x004093be
0x004093bf
0x004093c7
0x004093c9
0x004093cb
0x004093cd
0x004093cf
0x004093d1
0x004093d3
0x004093d5
0x004093d7
0x004093d9
0x004093db
0x004093dd
0x004093df
0x004093e0
0x004093e1
0x004093e3
0x004093e5
0x004093e6
0x004093e7
0x004093ed
0x004093ef
0x004093f1
0x004093f3
0x004093f5
0x004093f7
0x004093f9
0x004093fb
0x004093fd
0x004093ff
0x00409401
0x00409402
0x00409407
0x00409408
0x0040940c
0x00409411
0x00409412
0x00409412
0x00409414
0x00409416
0x00409418
0x0040941a
0x0040941c
0x0040941e
0x00409420
0x00409420
0x00409427
0x00409427
0x00409428
0x00409429
0x0040942a
0x0040942e
0x00409435
0x00409436
0x00409438
0x0040943b
0x0040943c
0x00409442
0x00409444
0x00409445
0x00409447
0x00409448
0x0040944d
0x0040944e
0x00409450
0x00409450
0x00409452
0x00409454
0x00409456
0x00409458
0x0040945a
0x0040945c
0x0040945e
0x00409460
0x00409462
0x00409464
0x00409466
0x0040946e
0x0040946e
0x00409478
0x0040947a
0x0040947b
0x0040947d
0x0040947e
0x0040947f
0x00409481
0x00409483
0x00409484
0x00409485
0x00409487
0x00409489
0x0040948b
0x0040948d
0x0040948f
0x00409491
0x00409493
0x00409495
0x00409497
0x00409499
0x0040949b
0x0040949d
0x0040949f

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
(, xrefs: 0040952B
`, xrefs: 0040952E
6, xrefs: 00409818
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
_, xrefs: 004098BF
s, xrefs: 00409798
s, xrefs: 00409C26
y, xrefs: 004098AE
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$($,$-$6$>$M$R$_$`$q$s$s$y
API String ID: 0-4145893608
Opcode ID: 11b1819a6c4fa988a922c1683a564fddcbf9f7d866bc6f3cabb9ff429c12f7c2
Instruction ID: a18b77964f209845ea14ebb0d83ad12a38e055ad21f5235eb2838a9c878442a0
Opcode Fuzzy Hash: 11b1819a6c4fa988a922c1683a564fddcbf9f7d866bc6f3cabb9ff429c12f7c2
Instruction Fuzzy Hash: C452DE82E2A70689FF722060C5D076D5680DF16385F318F3BD861F59E2FA1F8ACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00412D2C, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 254
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00412D2C(void* __ebx, void* __edi, void* __esi, long long __fp0, signed int _a4, intOrPtr _a20) {
				void* _v3;
				char _v8;
				intOrPtr _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v52;
				char _v68;
				short _v72;
				char _v80;
				short _v84;
				void* _v88;
				long long _v96;
				char _v100;
				char _v104;
				char _v120;
				signed int _v124;
				signed int _v128;
				char _v136;
				char _v140;
				void* _v144;
				char _v148;
				char _v156;
				signed int _v160;
				signed int _v164;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _t144;
				signed int _t166;
				signed int _t177;
				signed int _t182;
				signed int _t188;
				char* _t191;
				char* _t193;
				intOrPtr* _t195;
				char* _t212;
				void* _t218;
				void* _t221;
				intOrPtr _t222;

				_t222 = _t221 - 0x18;
				 *[fs:0x0] = _t222;
				L00401260();
				_v28 = _t222;
				_v24 = 0x401118;
				_v20 = _a4 & 0x00000001;
				_t144 = _a4 & 0xfffffffe;
				_a4 = _t144;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t218);
				_v8 = 1;
				_v8 = 2;
				asm("fldz");
				L004012D8();
				L0040137A();
				asm("fcomp qword [0x4011a8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t144 != 0) {
					_v8 = 3;
					_v8 = 4;
					_v128 = L"Rosenstokkesegedesm";
					_v136 = 8;
					L0040136E();
					_push(2);
					_push( &_v120);
					L00401374();
					_v96 = __fp0;
					L004013C2();
				}
				_v8 = 6;
				L00401362();
				L00401368();
				L004013B6();
				L004013C2();
				_v8 = 7;
				 *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v156,  &_v120,  &_v120);
				_v80 = _v156;
				_v8 = 8;
				_v140 = 0x3fc5;
				L0040135C();
				_v156 =  *0x4011a0;
				_v80 =  *0x401198;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v156,  &_v104,  &_v104,  &_v140,  &_v148);
				_v100 = _v148;
				L004013AA();
				_v8 = 9;
				_v148 = 0x76e32;
				_t166 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v148, 0x67c7,  &_v140);
				_v160 = _t166;
				if(_v160 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x411ba8);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v188 = _t166;
				}
				_v72 = _v140;
				_v8 = 0xa;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4);
				_v8 = 0xb;
				_v156 =  *0x401190;
				_v148 = 0x3ac53e;
				_v140 = 0x3fc5;
				_t177 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v140,  &_v148, 0x2802,  &_v156, 0x33164f, 0x5bf3,  &_v144);
				_v160 = _t177;
				if(_v160 >= 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x411ba8);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v192 = _t177;
				}
				_v84 = _v144;
				_v8 = 0xc;
				L00401350();
				_v8 = 0xd;
				_t182 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v140, 0xffffffff);
				asm("fclex");
				_v160 = _t182;
				if(_v160 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x411b78);
					_push(_a4);
					_push(_v160);
					L00401356();
					_v196 = _t182;
				}
				_t188 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
				asm("fclex");
				_v164 = _t188;
				if(_v164 >= 0) {
					_v200 = _v200 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x411b78);
					_push(_a4);
					_push(_v164);
					L00401356();
					_v200 = _t188;
				}
				_v8 = 0xe;
				_v128 = _v128 & 0x00000000;
				_v124 = _v124 & 0x00000000;
				_v136 = 6;
				L0040134A();
				while(1) {
					_v8 = 0x10;
					_v128 = 1;
					_v136 = 2;
					_push( &_v68);
					_push( &_v136);
					_t191 =  &_v120;
					_push(_t191);
					L00401344();
					_t212 = _t191;
					L0040134A();
					_v8 = 0x11;
					_v128 = 0x2ffff;
					_v136 = 0x8003;
					_push( &_v68);
					_t193 =  &_v136;
					_push(_t193);
					L0040133E();
					if(_t193 == 0) {
						break;
					}
				}
				_v8 = 0x14;
				_v128 = 0xff8ac304;
				do {
					_t212 = _t212 + 1;
				} while (_t212 != 0xffcbf41c);
				_a20 = _t212 + 0x74a08d;
				_t195 = _a20();
				asm("loop 0x0");
				asm("lock add [eax], al");
				 *_t195 =  *_t195 + _t195;
				asm("wait");
				_push(0x41316d);
				L004013C2();
				L004013C2();
				L004013AA();
				return _t195;
			}

0x00412d2f
0x00412d3e
0x00412d4a
0x00412d52
0x00412d55
0x00412d62
0x00412d68
0x00412d6b
0x00412d6e
0x00412d7d
0x00412d80
0x00412d87
0x00412d8e
0x00412d90
0x00412d95
0x00412d9a
0x00412da0
0x00412da2
0x00412da3
0x00412da5
0x00412dac
0x00412db3
0x00412dba
0x00412dcd
0x00412dd2
0x00412dd7
0x00412dd8
0x00412ddd
0x00412de3
0x00412de3
0x00412de8
0x00412df3
0x00412dfc
0x00412e06
0x00412e0e
0x00412e13
0x00412e29
0x00412e35
0x00412e38
0x00412e3f
0x00412e50
0x00412e5b
0x00412e76
0x00412e8c
0x00412e98
0x00412e9e
0x00412ea3
0x00412eaa
0x00412ecf
0x00412ed5
0x00412ee2
0x00412f04
0x00412ee4
0x00412ee4
0x00412ee9
0x00412eee
0x00412ef1
0x00412ef7
0x00412efc
0x00412efc
0x00412f12
0x00412f16
0x00412f25
0x00412f2b
0x00412f38
0x00412f3e
0x00412f48
0x00412f84
0x00412f8a
0x00412f97
0x00412fb9
0x00412f99
0x00412f99
0x00412f9e
0x00412fa3
0x00412fa6
0x00412fac
0x00412fb1
0x00412fb1
0x00412fc7
0x00412fcb
0x00412fd4
0x00412fd9
0x00412fef
0x00412ff5
0x00412ff7
0x00413004
0x00413026
0x00413006
0x00413006
0x0041300b
0x00413010
0x00413013
0x00413019
0x0041301e
0x0041301e
0x00413042
0x00413048
0x0041304a
0x00413057
0x00413079
0x00413059
0x00413059
0x0041305e
0x00413063
0x00413066
0x0041306c
0x00413071
0x00413071
0x00413080
0x00413087
0x0041308b
0x0041308f
0x004130a2
0x004130a7
0x004130a7
0x004130ae
0x004130b5
0x004130c2
0x004130c9
0x004130ca
0x004130cd
0x004130ce
0x004130d3
0x004130d8
0x004130dd
0x004130e4
0x004130eb
0x004130f8
0x004130f9
0x004130ff
0x00413100
0x0041310a
0x00000000
0x00000000
0x0041310c
0x0041310e
0x00413115
0x0041311c
0x0041311c
0x0041311d
0x0041312b
0x0041312e
0x00413131
0x00413136
0x00413139
0x0041313b
0x0041313c
0x00413157
0x0041315f
0x00413167
0x0041316c

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412D4A
_CIsin.MSVBVM60(?,?,?,?,00401266), ref: 00412D90
__vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 00412D95
__vbaVarDup.MSVBVM60 ref: 00412DCD
#600.MSVBVM60(?,00000002), ref: 00412DD8
__vbaFreeVar.MSVBVM60(?,00000002), ref: 00412DE3
#612.MSVBVM60(?,?,?,?,?,00401266), ref: 00412DF3
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412DFC
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412E06
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401266), ref: 00412E0E
__vbaStrCopy.MSVBVM60 ref: 00412E50
__vbaFreeStr.MSVBVM60(?,00003FC5,?), ref: 00412E9E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411BA8,000006FC,?,?,?,00003FC5,?), ref: 00412EF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411BA8,00000700,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412FAC
__vbaOnError.MSVBVM60(000000FF,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00412FD4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411B78,000001B8,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00413019
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411B78,000001BC), ref: 0041306C
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 004130A2
__vbaVarAdd.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 004130CE
__vbaVarMove.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5), ref: 004130D8
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 00413100
__vbaFreeVar.MSVBVM60(0041316D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00413157
__vbaFreeVar.MSVBVM60(0041316D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 0041315F
__vbaFreeStr.MSVBVM60(0041316D,?,?,?,?,?,?,?,?,?,?,?,?,00003FC5,?), ref: 00413167

Strings

Rosenstokkesegedesm, xrefs: 00412DB3
Kompetenceomraaders, xrefs: 00412E48

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#600#612ChkstkCopyErrorIsin
String ID: Kompetenceomraaders$Rosenstokkesegedesm
API String ID: 3051467023-1030129653
Opcode ID: 63cbedf992d03b7a64aabb1b043d6f35112c01ae89cb6b9507d072abc0d992a9
Instruction ID: 6e0795648c935e405e00042c2a5d2baf3af388e56e9b1523c915bd49969c908d
Opcode Fuzzy Hash: 63cbedf992d03b7a64aabb1b043d6f35112c01ae89cb6b9507d072abc0d992a9
Instruction Fuzzy Hash: CDC1F570900218EFDB10DFA1C949BDDBBB4FF08305F1081AAE549AB2A1DB785A89DF54

Uniqueness

Uniqueness Score: -1.00%

Function 004094A0, Relevance: 25.0, APIs: 1, Strings: 15, Instructions: 1020memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
(, xrefs: 0040952B
`, xrefs: 0040952E
6, xrefs: 00409818
M, xrefs: 00409A5F
>, xrefs: 00409795
k, xrefs: 004094BC
,, xrefs: 00409B95
_, xrefs: 004098BF
s, xrefs: 00409798
s, xrefs: 00409C26
y, xrefs: 004098AE
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: '$($,$-$6$>$M$R$_$`$k$q$s$s$y
API String ID: 4275171209-3351427548
Opcode ID: 70f736ee8b5cf97b91320f4b01034a67eaebe6cee065bcb40cd37f974441f3e4
Instruction ID: 8070abf42ccd81415c99a47191e86aed640bde98d7f18be18dced3a9451c095a
Opcode Fuzzy Hash: 70f736ee8b5cf97b91320f4b01034a67eaebe6cee065bcb40cd37f974441f3e4
Instruction Fuzzy Hash: B652CE82E2A70689FF722060C5D075D5680DF16385F318F3BD861F59E2FA1F89CA1597

Uniqueness

Uniqueness Score: -1.00%

Function 0040947E, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1043
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E0040947E(intOrPtr* __eax, void* __ebx) {
				intOrPtr* _t3;

				_t3 = __ebx + 1;
				asm("loopne 0x64");
				asm("fdivr dword [edx]");
				asm("invalid");
				asm("out dx, al");
				asm("in eax, 0x0");
				 *_t3 =  *_t3 + _t3;
				 *__eax =  *__eax + __eax;
				asm("sbb eax, [eax]");
				 *_t3 =  *_t3 + _t3;
				 *__eax =  *__eax + __eax;
				asm("sbb eax, [eax]");
				 *_t3 =  *_t3 + _t3;
				 *__eax =  *__eax + __eax;
				asm("sbb eax, [eax]");
				 *_t3 =  *_t3 + _t3;
				 *__eax =  *__eax + __eax;
				asm("sbb esp, ebx");
				return __eax;
			}

0x0040947e
0x0040947f
0x00409481
0x00409483
0x00409484
0x00409485
0x00409487
0x00409489
0x0040948b
0x0040948d
0x0040948f
0x00409491
0x00409493
0x00409495
0x00409497
0x00409499
0x0040949b
0x0040949d
0x0040949f

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
(, xrefs: 0040952B
`, xrefs: 0040952E
6, xrefs: 00409818
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
_, xrefs: 004098BF
s, xrefs: 00409798
s, xrefs: 00409C26
y, xrefs: 004098AE
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$($,$-$6$>$M$R$_$`$q$s$s$y
API String ID: 0-4145893608
Opcode ID: fc67a786dac2e1fc05dd490e8abf4759566818b5ce05f94e0cdbf85f1c9427f2
Instruction ID: cda425560342a461e10c02dc2a0cbe08054543376a3735454b5f7ee3dbeb1c3c
Opcode Fuzzy Hash: fc67a786dac2e1fc05dd490e8abf4759566818b5ce05f94e0cdbf85f1c9427f2
Instruction Fuzzy Hash: E052DE82E2A70689FF722060C5C075D5680DF16785F318F37D861F59E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004094D6, Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 1045memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
s, xrefs: 00409798
s, xrefs: 00409C26
6, xrefs: 00409818
y, xrefs: 004098AE
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
R, xrefs: 00409A71
_, xrefs: 004098BF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: '$,$-$6$>$M$R$_$q$s$s$y
API String ID: 4275171209-1462123025
Opcode ID: 7ad9b3eaf8c552b526f80f75b92b231bcfe9265319be9e290509e3e264e768c4
Instruction ID: 4ee31a807b9977d3089ff5105604e1dec00027bd026c41673cb911856c6002fb
Opcode Fuzzy Hash: 7ad9b3eaf8c552b526f80f75b92b231bcfe9265319be9e290509e3e264e768c4
Instruction Fuzzy Hash: F252DE82E2A70689FF722060C5D075D5680DF16385F318F3BD861F19E2FA1F8ACA1597

Uniqueness

Uniqueness Score: -1.00%

Function 00409568, Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 1012COMMON

Download Yara Rule

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
s, xrefs: 00409798
s, xrefs: 00409C26
6, xrefs: 00409818
y, xrefs: 004098AE
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
R, xrefs: 00409A71
_, xrefs: 004098BF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$,$-$6$>$M$R$_$q$s$s$y
API String ID: 0-1462123025
Opcode ID: 375e2212cea899eb47f46831d8ef235446e0625a41f3dc04c9f4d0456d7a95fd
Instruction ID: 4e90da74df49cca5ac571f4e71451351577c93477325bd363f231041bb1d5465
Opcode Fuzzy Hash: 375e2212cea899eb47f46831d8ef235446e0625a41f3dc04c9f4d0456d7a95fd
Instruction Fuzzy Hash: 3752CD82E2A70689FF722060C5C075D5680DF16785F318F3BD861F59E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004095F6, Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 988memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
s, xrefs: 00409798
s, xrefs: 00409C26
6, xrefs: 00409818
y, xrefs: 004098AE
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
R, xrefs: 00409A71
_, xrefs: 004098BF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: '$,$-$6$>$M$R$_$q$s$s$y
API String ID: 4275171209-1462123025
Opcode ID: 6d2a2b251eca50f8ac473971cd03499db72e31879be3bd1b7eba3f5638187804
Instruction ID: 941aaf96b3e030253b9c180a08a41381c33e4a8d0b6b6ca5b87b0e2d9c1b6a70
Opcode Fuzzy Hash: 6d2a2b251eca50f8ac473971cd03499db72e31879be3bd1b7eba3f5638187804
Instruction Fuzzy Hash: C142DD82E2A70689FF722060C5C075D5680DF16785F318F3BD861F19E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409726, Relevance: 20.5, APIs: 1, Strings: 12, Instructions: 970COMMON

Download Yara Rule

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
s, xrefs: 00409798
s, xrefs: 00409C26
6, xrefs: 00409818
y, xrefs: 004098AE
M, xrefs: 00409A5F
>, xrefs: 00409795
,, xrefs: 00409B95
R, xrefs: 00409A71
_, xrefs: 004098BF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$,$-$6$>$M$R$_$q$s$s$y
API String ID: 0-1462123025
Opcode ID: f93a4c70dd725c11b3348ae095b0c01637c4c7d7798aa97a116fa641cccac258
Instruction ID: b13ad4c9357671e313d8b885f16beb7f496db334869d079c6b185213af83e79c
Opcode Fuzzy Hash: f93a4c70dd725c11b3348ae095b0c01637c4c7d7798aa97a116fa641cccac258
Instruction Fuzzy Hash: 1B42DD82E2A70689FF722060C5D076D5680DF16785F318F37D861F19E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409846, Relevance: 17.5, APIs: 1, Strings: 10, Instructions: 1003COMMON

Download Yara Rule

Strings

', xrefs: 004098A1
-, xrefs: 00409AFD
q, xrefs: 004098B1
s, xrefs: 00409C26
6, xrefs: 00409818
y, xrefs: 004098AE
M, xrefs: 00409A5F
,, xrefs: 00409B95
R, xrefs: 00409A71
_, xrefs: 004098BF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: '$,$-$6$M$R$_$q$s$y
API String ID: 0-3531045938
Opcode ID: ad4d4f6506ec951a196ffda5898557fada5ebfa042f603581e511011690f7eaa
Instruction ID: 484a4291aec9e368871cb8bc866ef8535608e8b534f613a9413d4c2e2f020b7b
Opcode Fuzzy Hash: ad4d4f6506ec951a196ffda5898557fada5ebfa042f603581e511011690f7eaa
Instruction Fuzzy Hash: 9D42CC82E2A70689FF722060C5D076D5680DF16785F318F37D821F19E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004098DB, Relevance: 10.0, APIs: 1, Strings: 5, Instructions: 963memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

-, xrefs: 00409AFD
s, xrefs: 00409C26
M, xrefs: 00409A5F
,, xrefs: 00409B95
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,$-$M$R$s
API String ID: 4275171209-357075366
Opcode ID: d6430b925c323b8654d3b40f38746c438ba862d49645e47e7cc29d0e3dda9220
Instruction ID: 4d0472e18298cd9fdb47f279dcff92dccb07345fdf12c6f0680e04b8b02f2c9c
Opcode Fuzzy Hash: d6430b925c323b8654d3b40f38746c438ba862d49645e47e7cc29d0e3dda9220
Instruction Fuzzy Hash: 1232CD82E2A70689FFB22060C5D075D5690DF16785F318F37D821F19E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040996D, Relevance: 9.9, APIs: 1, Strings: 5, Instructions: 948memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

-, xrefs: 00409AFD
s, xrefs: 00409C26
M, xrefs: 00409A5F
,, xrefs: 00409B95
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,$-$M$R$s
API String ID: 4275171209-357075366
Opcode ID: 9482283d77f55bd447aaffad015cafa456fea3d074bb89eff37530f5df0fce8c
Instruction ID: 2062dac5ee170b022439c7dd408dd1f8d61d8e1e860eea6bf4512cd5221cb8e1
Opcode Fuzzy Hash: 9482283d77f55bd447aaffad015cafa456fea3d074bb89eff37530f5df0fce8c
Instruction Fuzzy Hash: 4B32DC82E2A70689FFB22060C5D075D5690DF16785F318F37D821F19E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004099FF, Relevance: 9.9, APIs: 1, Strings: 5, Instructions: 924memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

-, xrefs: 00409AFD
s, xrefs: 00409C26
M, xrefs: 00409A5F
,, xrefs: 00409B95
R, xrefs: 00409A71

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,$-$M$R$s
API String ID: 4275171209-357075366
Opcode ID: 4a9116f3bbf6360036905262898042074fcf47c5504c7fa01061dfae155bed81
Instruction ID: 7b37206297a63cf4bc2a10a20efa543accbda940d643181d44a0b1993e4d35e2
Opcode Fuzzy Hash: 4a9116f3bbf6360036905262898042074fcf47c5504c7fa01061dfae155bed81
Instruction Fuzzy Hash: 9032DC82E2A70689FFB22060C5C075D5690DF16781F318F37D821F59E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409ADA, Relevance: 6.8, APIs: 1, Strings: 3, Instructions: 826memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

-, xrefs: 00409AFD
s, xrefs: 00409C26
,, xrefs: 00409B95

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,$-$s
API String ID: 4275171209-3845265890
Opcode ID: 527d3d290c84947d45fc26316e08d6c059536b31f1ab3b08a2013429cc3b5594
Instruction ID: bfa44eb2cb4963830848109ec2598fdae6b3674084fa1e7c0680eb8eade34887
Opcode Fuzzy Hash: 527d3d290c84947d45fc26316e08d6c059536b31f1ab3b08a2013429cc3b5594
Instruction Fuzzy Hash: DD32CB82E2A70689FFB22060C5C075D5690DF16785F318F37D821F59E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409B24, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 826memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

s, xrefs: 00409C26
,, xrefs: 00409B95

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ,$s
API String ID: 4275171209-4143097782
Opcode ID: 454350be68b82a05f33e4bc8a9853aaadf72ee8b67f151a8ec0361b3462b2284
Instruction ID: 57fb08bef35ca5ee94306643b3a9ef07a2bb73cf013bc06f107f2b1662aae1b3
Opcode Fuzzy Hash: 454350be68b82a05f33e4bc8a9853aaadf72ee8b67f151a8ec0361b3462b2284
Instruction Fuzzy Hash: E332DC82E2A70689FF722120C5D075D5690DF26781F318F3BD821F55E2FA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409BB7, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 832memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Strings

s, xrefs: 00409C26

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: s
API String ID: 4275171209-453955339
Opcode ID: 1c4ed4338c63d34b99ae2781b332cbb01ed30c4e6f3f6eb11004d32660644c8c
Instruction ID: 5c285f139071c7ff0ac2aecd5d9a436639e3c4cd7ae86dcf6e1632ab7c19413d
Opcode Fuzzy Hash: 1c4ed4338c63d34b99ae2781b332cbb01ed30c4e6f3f6eb11004d32660644c8c
Instruction Fuzzy Hash: 3022CB82E2A70689FF722060C5C075D5690DF26785F31CF37D821F55E2BA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 004013E8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 58%

			_entry_() {
				signed char _t33;
				intOrPtr* _t34;
				signed int _t35;
				signed int _t36;
				signed int _t38;
				intOrPtr* _t40;
				intOrPtr* _t41;
				signed char _t44;
				signed char _t45;
				signed char _t47;
				signed char _t48;
				signed int _t49;
				signed int _t53;
				signed int _t54;
				void* _t57;
				void* _t58;
				void* _t59;
				signed int _t61;
				void* _t62;
				intOrPtr* _t63;
				void* _t68;
				void* _t72;
				void* _t77;

				_push("VB5!6&*"); // executed
				L004013E0(); // executed
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 + _t33;
				 *_t33 =  *_t33 ^ _t33;
				 *_t33 =  *_t33 + _t33;
				_t34 = _t33 + 1;
				 *_t34 =  *_t34 + _t34;
				 *_t34 =  *_t34 + _t34;
				 *_t34 =  *_t34 + _t34;
				 *_t49 =  *_t49 + _t34;
				_t35 = _t34 +  *((intOrPtr*)(_t57 - 0x64));
				 *(_t57 + 0x1a) =  *(_t57 + 0x1a) >> _t45;
				asm("aad 0x44");
				_t4 = _t35 - 0x7d;
				 *_t4 = _t45;
				_t47 =  *_t4 - 1;
				_t58 = _t57 - 1;
				asm("outsd");
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t47 =  *_t47 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35;
				 *_t35 =  *_t35 + _t35;
				_t68 =  *_t35;
				if(_t68 != 0) {
					L9:
					 *_t35 =  *_t35 + 1;
					_t44 = _t44 + _t47;
					L10:
					asm("std");
					 *_t35 =  *_t35 + _t35;
					 *_t47 =  *_t47 + _t47;
					_t72 =  *_t47;
					L11:
					 *((intOrPtr*)(_t54 + 0x61)) =  *((intOrPtr*)(_t54 + 0x61)) + _t49;
					asm("a16 outsd");
					asm("outsb");
					L12:
					asm("gs outsb");
					L13:
					asm("outsb");
					if (_t72 >= 0) goto L14;
					L14:
					_t35 = _t35 | 0x45000e01;
					asm("outsb");
					_push(0x73736465);
					_t61 =  *(_t54 + 0x6c) * 0x65;
					asm("outsb");
					if(_t61 >= 0) {
						L19:
						asm("movsd");
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						 *_t35 =  *_t35 + _t35;
						_pop(_t62);
						asm("out dx, al");
						 *_t35 =  *_t35 + 0x63;
						_t36 = _t35;
						_pop(_t59);
						 *_t36 =  *_t36 + _t49;
						asm("pushad");
						asm("invalid");
						asm("stosb");
						 *((intOrPtr*)(_t59 + 2)) =  *((intOrPtr*)(_t59 + 2)) + _t44;
						asm("cmpsb");
						 *((intOrPtr*)(_t54 + 0x1d00c6d8)) =  *((intOrPtr*)(_t54 + 0x1d00c6d8)) + _t49;
						asm("repe add [ebp-0x6e], ch");
						asm("cdq");
						 *((intOrPtr*)((_t36 & 0x1185009a) - 0x4ff7ac7)) =  *((intOrPtr*)((_t36 & 0x1185009a) - 0x4ff7ac7)) + _t49;
						asm("clc");
						_t38 = _t54;
						_t48 = _t47 + _t38;
						asm("rcr dword [eax+eax-0x76], 0xf4");
						asm("verr word [edx]");
						 *((intOrPtr*)(_t62 + 0x1b005e7e)) =  *((intOrPtr*)(_t62 + 0x1b005e7e)) + _t49;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t38 =  *_t38 + _t38;
						asm("sbb eax, [eax]");
						asm("das");
						_t40 = _t38 + _t48 + 0x7f16;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t40 =  *_t40 + _t40;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t40 =  *_t40 + _t40;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						 *_t40 =  *_t40 + _t40;
						asm("sbb eax, [eax]");
						 *_t44 =  *_t44 + _t44;
						_pop(ss);
						asm("loop 0x52");
						asm("out 0xeb, eax");
						asm("repne pop esi");
						asm("invalid");
						asm("sbb bl, [eax+0x74]");
						_pop(_t41);
						if(_t77 == 0) {
							 *_t44 =  *_t44 + _t44;
							 *_t41 =  *_t41 + _t41;
							L28:
							asm("sbb eax, [eax]");
							 *_t44 =  *_t44 + _t44;
							 *_t41 =  *_t41 + _t41;
							asm("sbb edx, [ecx-0x18aff314]");
							goto L28;
						}
						asm("sbb eax, 0x287eb6c2");
						while(1) {
							asm("out 0x5f, al");
							_t44 = _t44 |  *(_t44 - 0x6d);
							asm("ror byte [edi], 1");
							_t48 = _t48 &  *(_t44 - 0x4904bd1f);
							 *0x9a7eb06c =  *0x9a7eb06c << 0xe4;
							asm("sbb [ebx-0x348a5126], edi");
							asm("outsb");
							asm("lock jmp 0x60a65944");
						}
					}
					 *_t47 =  *_t47 + _t44;
					 *_t35 =  *_t35 + _t35;
					 *_t47 =  *_t47 + _t35;
					_t53 = 0xa5;
					 *_t35 =  *_t35 + _t35;
					asm("insb");
					if ( *_t35 == 0) goto L16;
					 *((intOrPtr*)(_t58 + 0x420000a5)) =  *((intOrPtr*)(_t58 + 0x420000a5)) + _t47;
					L17:
					asm("movsd");
					 *_t35 =  *_t35 + _t35;
					_t49 = _t53 + 1;
					_t63 = _t61 - 1;
					asm("scasb");
					asm("movsd");
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 + _t35;
					if ( *_t35 <= 0) goto L18;
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 - _t35;
					 *_t35 =  *_t35 + _t35;
					asm("adc [ecx], al");
					 *_t35 =  *_t35 + _t35;
					asm("aaa");
					 *_t35 =  *_t35 + _t35;
					 *_t47 =  *_t47 + _t35;
					 *((intOrPtr*)(_t35 + _t35)) =  *((intOrPtr*)(_t35 + _t35)) + _t35;
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 + _t35;
					_t77 =  *_t63 - _t35;
					goto L19;
				}
				asm("popad");
				asm("insb");
				if(_t68 >= 0) {
					goto L11;
				}
				if(_t68 == 0) {
					goto L12;
				}
				if(_t68 >= 0) {
					goto L13;
				}
				if(_t68 < 0) {
					goto L10;
				}
				if(_t68 < 0) {
					goto L14;
				}
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				_t44 = _t44 + _t44;
				asm("int3");
				 *_t35 =  *_t35 ^ _t35;
				_t53 = _t49 |  *(_t35 + 0x61079236);
				_t54 = _t58 - 0x217365b3;
				if(_t53 == 0) {
					goto L17;
				}
				asm("insd");
				_push(ds);
				asm("in eax, 0x84");
				asm("fisttp dword [esi]");
				asm("sbb [esi-0x1], esp");
				asm("cli");
				asm("sti");
				 *_t35 =  *_t35 << _t47;
				asm("out dx, eax");
				_push(_t61);
				_t54 =  *_t53 * 0x9933ad4f;
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				 *_t35 =  *_t35 + _t35;
				asm("invalid");
				goto L9;
			}

0x004013e8
0x004013ed
0x004013f2
0x004013f4
0x004013f6
0x004013f8
0x004013fa
0x004013fc
0x004013fd
0x004013ff
0x00401401
0x00401403
0x00401404
0x00401407
0x0040140a
0x0040140c
0x0040140c
0x0040140f
0x00401411
0x00401412
0x00401415
0x00401417
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401422
0x00401422
0x00401424
0x00401492
0x00401492
0x00401494
0x00401496
0x00401496
0x00401497
0x00401499
0x00401499
0x0040149b
0x0040149b
0x0040149e
0x004014a1
0x004014a2
0x004014a2
0x004014a3
0x004014a3
0x004014a4
0x004014a6
0x004014a6
0x004014ab
0x004014ac
0x004014b1
0x004014b5
0x004014b6
0x004014ee
0x004014ee
0x004014ef
0x004014f1
0x004014f3
0x004014f5
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401502
0x00401503
0x00401506
0x00401507
0x00401508
0x0040150a
0x0040150d
0x0040150f
0x00401510
0x00401513
0x00401514
0x0040151f
0x00401523
0x00401524
0x0040152a
0x0040152b
0x0040152c
0x0040152e
0x00401533
0x0040153c
0x00401542
0x00401544
0x00401546
0x00401548
0x0040154a
0x0040154c
0x0040154e
0x00401550
0x00401552
0x00401554
0x00401556
0x00401558
0x0040155a
0x0040155c
0x0040155e
0x00401560
0x00401562
0x00401564
0x00401566
0x00401568
0x0040156a
0x0040156c
0x0040156e
0x00401570
0x00401572
0x00401574
0x00401576
0x00401578
0x0040157a
0x0040157c
0x0040157e
0x00401580
0x00401582
0x00401584
0x00401586
0x00401588
0x0040158a
0x0040158c
0x0040158e
0x00401590
0x00401592
0x00401594
0x00401596
0x00401598
0x0040159a
0x0040159c
0x0040159e
0x004015a0
0x004015a2
0x004015a4
0x004015a6
0x004015a8
0x004015aa
0x004015ac
0x004015ae
0x004015b0
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015be
0x004015c0
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d2
0x004015d4
0x004015d6
0x004015d8
0x004015da
0x004015dc
0x004015de
0x004015e0
0x004015e2
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ec
0x004015ee
0x004015f0
0x004015f2
0x004015f4
0x004015f6
0x004015f8
0x004015fa
0x004015fc
0x004015fe
0x00401600
0x00401602
0x00401604
0x00401606
0x00401608
0x0040160a
0x0040160c
0x0040160e
0x00401610
0x00401612
0x00401614
0x00401616
0x00401618
0x0040161a
0x0040161c
0x0040161e
0x00401620
0x00401622
0x00401624
0x00401626
0x00401628
0x0040162a
0x0040162c
0x0040162e
0x00401630
0x00401632
0x00401634
0x00401636
0x00401638
0x0040163a
0x0040163c
0x0040163e
0x00401640
0x00401642
0x00401644
0x00401646
0x00401648
0x0040164a
0x0040164c
0x0040164e
0x00401650
0x00401652
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165c
0x0040165e
0x00401660
0x00401662
0x00401664
0x00401666
0x00401668
0x0040166a
0x0040166c
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x0040167c
0x0040167e
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168a
0x0040168c
0x0040168e
0x00401690
0x00401692
0x00401694
0x00401696
0x00401698
0x0040169a
0x0040169c
0x0040169e
0x004016a0
0x004016a2
0x004016a4
0x004016a6
0x004016a8
0x004016aa
0x004016ac
0x004016ae
0x004016b0
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c2
0x004016c4
0x004016c6
0x004016c8
0x004016ca
0x004016cc
0x004016ce
0x004016d0
0x004016d2
0x004016d4
0x004016d6
0x004016d8
0x004016da
0x004016dc
0x004016de
0x004016e0
0x004016e2
0x004016e4
0x004016e6
0x004016e8
0x004016ea
0x004016ec
0x004016ee
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x00401716
0x00401718
0x0040171a
0x0040171c
0x0040171e
0x00401720
0x00401722
0x00401724
0x00401726
0x00401728
0x0040172a
0x0040172c
0x0040172e
0x00401730
0x00401732
0x00401734
0x00401736
0x00401738
0x0040173a
0x0040173c
0x0040173e
0x00401740
0x00401742
0x00401744
0x00401746
0x00401748
0x0040174a
0x0040174c
0x0040174e
0x00401750
0x00401752
0x00401754
0x00401756
0x00401758
0x0040175a
0x0040175c
0x0040175e
0x00401760
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178a
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401794
0x00401796
0x00401798
0x0040179a
0x0040179c
0x0040179e
0x004017a0
0x004017a2
0x004017a4
0x004017a6
0x004017a8
0x004017aa
0x004017ac
0x004017ae
0x004017b0
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c2
0x004017c4
0x004017c6
0x004017c8
0x004017ca
0x004017cc
0x004017ce
0x004017d0
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e6
0x004017e8
0x004017ea
0x004017ec
0x004017ee
0x004017f0
0x004017f2
0x004017f4
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fe
0x00401800
0x00401802
0x00401804
0x00401806
0x00401808
0x0040180a
0x0040180c
0x0040180e
0x00401810
0x00401812
0x00401814
0x00401816
0x00401818
0x0040181a
0x0040181c
0x0040181e
0x00401820
0x00401822
0x00401824
0x00401826
0x00401828
0x0040182a
0x0040182c
0x0040182e
0x00401830
0x00401832
0x00401834
0x00401836
0x00401838
0x0040183a
0x0040183c
0x0040183e
0x00401840
0x00401842
0x00401844
0x00401846
0x00401848
0x0040184a
0x0040184c
0x0040184e
0x00401850
0x00401852
0x00401854
0x00401856
0x00401858
0x0040185a
0x0040185c
0x0040185e
0x00401860
0x00401862
0x00401864
0x00401866
0x00401868
0x0040186a
0x0040186c
0x0040186e
0x00401870
0x00401872
0x00401874
0x00401876
0x00401878
0x0040187a
0x0040187b
0x0040187d
0x0040187f
0x00401881
0x00401883
0x00401885
0x00401887
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401891
0x00401893
0x00401895
0x00401897
0x00401899
0x0040189b
0x0040189d
0x0040189f
0x004018a1
0x004018a3
0x004018a5
0x004018a7
0x004018a9
0x004018ab
0x004018ad
0x004018af
0x004018b1
0x004018b3
0x004018b5
0x004018b7
0x004018b9
0x004018bf
0x004018c0
0x004018c5
0x004018c7
0x004018c9
0x004018cb
0x004018cd
0x004018cf
0x004018d1
0x004018d3
0x004018d5
0x004018d7
0x004018d9
0x004018db
0x004018dc
0x004018de
0x004018e0
0x004018e2
0x004018e4
0x004018e5
0x004018e6
0x00401967
0x00401969
0x0040196b
0x0040196b
0x0040196d
0x0040196f
0x00401971
0x00000000
0x00401971
0x004018ec
0x004018f5
0x004018f5
0x004018f7
0x004018fa
0x004018fc
0x00401902
0x00401909
0x0040190f
0x00401913
0x00401913
0x004018f5
0x004014b8
0x004014ba
0x004014bd
0x004014bf
0x004014c1
0x004014c3
0x004014c4
0x004014c6
0x004014c8
0x004014c8
0x004014c9
0x004014cb
0x004014cc
0x004014cd
0x004014ce
0x004014cf
0x004014d1
0x004014d3
0x004014d5
0x004014d7
0x004014d9
0x004014db
0x004014dd
0x004014df
0x004014e1
0x004014e2
0x004014e4
0x004014e6
0x004014e9
0x004014eb
0x004014ed
0x00000000
0x004014ed
0x00401427
0x00401428
0x00401429
0x00000000
0x00000000
0x0040142b
0x00000000
0x00000000
0x0040142d
0x00000000
0x00000000
0x0040142f
0x00000000
0x00000000
0x00401431
0x00000000
0x00000000
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143a
0x0040143c
0x00401442
0x00401448
0x00000000
0x00000000
0x0040144a
0x0040144b
0x0040144c
0x0040144e
0x00401450
0x00401453
0x00401457
0x00401458
0x0040145a
0x0040145b
0x0040145c
0x00401462
0x00401464
0x0040146a
0x0040146b
0x00401471
0x00401473
0x00401475
0x00401477
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013ED

Strings

VB5!6&*, xrefs: 004013E8

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: c2c8d2fc90f12c717685a310b307f54f7855e5b8f047309b1b8f8b320738ab71
Instruction ID: 49acb2967c5242cd7b2c400e4dcb0e42d3756d26738c9bf167708667e1d18e20
Opcode Fuzzy Hash: c2c8d2fc90f12c717685a310b307f54f7855e5b8f047309b1b8f8b320738ab71
Instruction Fuzzy Hash: C0310C6144E7C15FD3139B704A222A13FB1AE1371470A41EBC4C1EF4F3D26E190AC76A

Uniqueness

Uniqueness Score: -1.00%

Function 00409C43, Relevance: 2.1, APIs: 1, Instructions: 857memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1334dba879229e2218a06f0d30216ded02688d6ccc4b7b7efd8e8097fab1b99c
Instruction ID: 76acd7462cbc86e86481b1a12f868999ad8a1f4db0d9452319c105c96795569f
Opcode Fuzzy Hash: 1334dba879229e2218a06f0d30216ded02688d6ccc4b7b7efd8e8097fab1b99c
Instruction Fuzzy Hash: 2522CC81E2A70699FFB22060C5C075D5690DF26781F31CF37D821F19E2BA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409DFC, Relevance: 2.1, APIs: 1, Instructions: 855
COMMON

Download Yara Rule

C-Code - Quality: 81%

			E00409DFC(void* __eax, void* __ebx, void* __ecx, signed char __edx, void* __edi, void* __esi, signed int __fp0) {
				signed int* _t8;
				void* _t11;
				signed char _t19;
				void* _t20;
				void* _t21;
				signed int* _t22;

				_t142 = __fp0;
				_t21 = __esi;
				_t20 = __edi;
				_t19 = __edx;
				_t10 = __ebx;
				_t8 = __eax + 0x7e7e1b09;
				_t22 = _t8;
				if(_t22 <= 0) {
					L42:
					asm("fst st2");
					L43:
					asm("wait");
					asm("fcos");
					L44:
					goto ( *(_t21 + 0xf));
					L45:
					asm("pmulhw mm7, mm0");
				}
				if(_t22 <= 0) {
					goto L43;
				}
				if(_t22 <= 0) {
					goto L44;
				}
				if(_t22 <= 0) {
					goto L45;
				}
				if(_t22 <= 0) {
					asm("clc");
					asm("fpatan");
					goto L47;
				} else {
					if(_t22 <= 0) {
						L47:
						asm("repe jmp 0x5c");
						goto L48;
					} else {
						if(_t22 <= 0) {
							L48:
						} else {
							if(_t22 <= 0) {
								_t142 = __fp0 / st0;
								goto L50;
							} else {
								if(_t22 <= 0) {
									L50:
									_pop(_t21);
									 *_t8 =  *_t8 ^ _t19;
									goto L51;
								} else {
									if(_t22 <= 0) {
										L51:
										 *_t8 =  *_t8 ^ _t19;
										goto L52;
									} else {
										if(_t22 <= 0) {
											L52:
											 *_t8 =  *_t8 ^ _t19;
											goto L53;
										} else {
											if(_t22 <= 0) {
												L53:
												 *_t8 =  *_t8 ^ _t19;
												goto L54;
											} else {
												if(_t22 <= 0) {
													L54:
													 *_t8 =  *_t8 ^ _t19;
													goto L55;
												} else {
													if(_t22 <= 0) {
														L55:
														 *_t8 =  *_t8 ^ _t19;
														goto L56;
													} else {
														if(_t22 <= 0) {
															L56:
															 *_t8 =  *_t8 ^ _t19;
															goto L57;
														} else {
															if(_t22 <= 0) {
																L57:
																 *_t8 =  *_t8 ^ _t19;
																goto L58;
															} else {
																if(_t22 <= 0) {
																	L58:
																	 *_t8 =  *_t8 ^ _t19;
																	goto L59;
																} else {
																	if(_t22 <= 0) {
																		L59:
																		 *_t8 =  *_t8 ^ _t19;
																		goto L60;
																	} else {
																		if(_t22 <= 0) {
																			L60:
																			 *_t8 =  *_t8 ^ _t19;
																			goto L61;
																		} else {
																			if(_t22 <= 0) {
																				L61:
																				 *_t8 =  *_t8 ^ _t19;
																				goto L62;
																			} else {
																				if(_t22 <= 0) {
																					L62:
																					 *_t8 =  *_t8 ^ _t19;
																					goto L63;
																				} else {
																					if(_t22 <= 0) {
																						L63:
																						 *_t8 =  *_t8 ^ _t19;
																						goto L64;
																					} else {
																						if(_t22 <= 0) {
																							L64:
																							 *_t8 =  *_t8 ^ _t19;
																							goto L65;
																						} else {
																							if(_t22 <= 0) {
																								L65:
																								 *_t8 =  *_t8 ^ _t19;
																								goto L66;
																							} else {
																								if(_t22 <= 0) {
																									L66:
																									 *_t8 =  *_t8 ^ _t19;
																									goto L67;
																								} else {
																									if(_t22 <= 0) {
																										L67:
																										 *_t8 =  *_t8 ^ _t19;
																										goto L68;
																									} else {
																										if(_t22 <= 0) {
																											L68:
																											 *_t8 =  *_t8 ^ _t19;
																											goto L69;
																										} else {
																											if(_t22 <= 0) {
																												L69:
																												 *_t8 =  *_t8 ^ _t19;
																												goto L70;
																											} else {
																												if(_t22 <= 0) {
																													L70:
																													 *_t8 =  *_t8 ^ _t19;
																													goto L71;
																												} else {
																													if(_t22 <= 0) {
																														L71:
																														 *_t8 =  *_t8 ^ _t19;
																														goto L72;
																													} else {
																														if(_t22 <= 0) {
																															L72:
																															 *_t8 =  *_t8 ^ _t19;
																															goto L73;
																														} else {
																															if(_t22 <= 0) {
																																L73:
																																 *_t8 =  *_t8 ^ _t19;
																																goto L74;
																															} else {
																																if(_t22 <= 0) {
																																	L74:
																																	 *_t8 =  *_t8 ^ _t19;
																																	goto L75;
																																} else {
																																	if(_t22 <= 0) {
																																		L75:
																																		 *_t8 =  *_t8 ^ _t19;
																																		goto L76;
																																	} else {
																																		if(_t22 <= 0) {
																																			L76:
																																			 *_t8 =  *_t8 ^ _t19;
																																			goto L77;
																																		} else {
																																			if(_t22 <= 0) {
																																				L77:
																																				 *_t8 =  *_t8 ^ _t19;
																																				goto L78;
																																			} else {
																																				if(_t22 <= 0) {
																																					L78:
																																					 *_t8 =  *_t8 ^ _t19;
																																					goto L79;
																																				} else {
																																					if(_t22 <= 0) {
																																						L79:
																																						 *_t8 =  *_t8 ^ _t19;
																																						goto L80;
																																					} else {
																																						if(_t22 <= 0) {
																																							L80:
																																							 *_t8 =  *_t8 ^ _t19;
																																							goto L81;
																																						} else {
																																							if(_t22 <= 0) {
																																								L81:
																																								 *_t8 =  *_t8 ^ _t19;
																																							} else {
																																								if(_t22 > 0) {
																																									_t10 = __ebx - 0x1076d76;
																																									asm("punpckldq mm6, mm2");
																																									asm("fdecstp");
																																									asm("fprem");
																																									asm("f2xm1");
																																									asm("packssdw mm5, mm7");
																																									goto L42;
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
							 *_t8 =  *_t8 ^ _t19;
						}
					}
				}
				_t11 = _t10 + 0x106427e;
				asm("lfence");
				asm("fclex");
				asm("pcmpgtw mm4, mm2");
				asm("ffree st2");
				asm("fxch st0, st1");
				asm("por xmm7, xmm1");
				asm("psubsb xmm7, xmm3");
				asm("pcmpeqb xmm2, xmm1");
				asm("psrld mm6, 0x15");
				asm("pmaddwd xmm1, xmm1");
				asm("fldpi");
				asm("fldln2");
				asm("fcom st0, st2");
				asm("psubsw xmm2, xmm0");
				asm("psubsw mm2, mm0");
				 *(_t21 + 0xf) =  *(_t21 + 0xf) << 1;
				goto L88;
				asm("pcmpgtb mm3, mm5");
				st1 = _t142;
				 *(_t21 + 0xf) =  *(_t21 + 0xf) << 1;
				asm("pcmpeqw mm6, mm6");
			}

0x00409dfc
0x00409dfc
0x00409dfc
0x00409dfc
0x00409dfc
0x00409dfc
0x00409dfc
0x00409e01
0x00409e81
0x00409e81
0x00409e83
0x00409e83
0x00409e84
0x00409e85
0x00409e85
0x00409e87
0x00409e87
0x00409e87
0x00409e03
0x00000000
0x00000000
0x00409e05
0x00000000
0x00000000
0x00409e07
0x00000000
0x00000000
0x00409e09
0x00409e89
0x00409e8a
0x00000000
0x00409e0b
0x00409e0b
0x00409e8b
0x00409e8b
0x00000000
0x00409e0d
0x00409e0d
0x00409e8d
0x00409e0f
0x00409e0f
0x00409e8f
0x00000000
0x00409e11
0x00409e11
0x00409e91
0x00409e91
0x00409e92
0x00000000
0x00409e13
0x00409e13
0x00409e93
0x00409e93
0x00000000
0x00409e15
0x00409e15
0x00409e95
0x00409e95
0x00000000
0x00409e17
0x00409e17
0x00409e97
0x00409e97
0x00000000
0x00409e19
0x00409e19
0x00409e99
0x00409e99
0x00000000
0x00409e1b
0x00409e1b
0x00409e9b
0x00409e9b
0x00000000
0x00409e1d
0x00409e1d
0x00409e9d
0x00409e9d
0x00000000
0x00409e1f
0x00409e1f
0x00409e9f
0x00409e9f
0x00000000
0x00409e21
0x00409e21
0x00409ea1
0x00409ea1
0x00000000
0x00409e23
0x00409e23
0x00409ea3
0x00409ea3
0x00000000
0x00409e25
0x00409e25
0x00409ea5
0x00409ea5
0x00000000
0x00409e27
0x00409e27
0x00409ea7
0x00409ea7
0x00000000
0x00409e29
0x00409e29
0x00409ea9
0x00409ea9
0x00000000
0x00409e2b
0x00409e2b
0x00409eab
0x00409eab
0x00000000
0x00409e2d
0x00409e2d
0x00409ead
0x00409ead
0x00000000
0x00409e2f
0x00409e2f
0x00409eaf
0x00409eaf
0x00000000
0x00409e31
0x00409e31
0x00409eb1
0x00409eb1
0x00000000
0x00409e33
0x00409e33
0x00409eb3
0x00409eb3
0x00000000
0x00409e35
0x00409e35
0x00409eb5
0x00409eb5
0x00000000
0x00409e37
0x00409e37
0x00409eb7
0x00409eb7
0x00000000
0x00409e39
0x00409e39
0x00409eb9
0x00409eb9
0x00000000
0x00409e3b
0x00409e3b
0x00409ebb
0x00409ebb
0x00000000
0x00409e3d
0x00409e3d
0x00409ebd
0x00409ebd
0x00000000
0x00409e3f
0x00409e3f
0x00409ebf
0x00409ebf
0x00000000
0x00409e41
0x00409e41
0x00409ec1
0x00409ec1
0x00000000
0x00409e43
0x00409e43
0x00409ec3
0x00409ec3
0x00000000
0x00409e45
0x00409e45
0x00409ec5
0x00409ec5
0x00000000
0x00409e47
0x00409e47
0x00409ec7
0x00409ec7
0x00000000
0x00409e49
0x00409e49
0x00409ec9
0x00409ec9
0x00000000
0x00409e4b
0x00409e4b
0x00409ecb
0x00409ecb
0x00000000
0x00409e4d
0x00409e4d
0x00409ecd
0x00409ecd
0x00000000
0x00409e4f
0x00409e4f
0x00409ecf
0x00409ecf
0x00409e51
0x00409e51
0x00409e61
0x00409e75
0x00409e78
0x00409e7a
0x00409e7c
0x00409e7e
0x00000000
0x00409e7e
0x00409e51
0x00409e4f
0x00409e4d
0x00409e4b
0x00409e49
0x00409e47
0x00409e45
0x00409e43
0x00409e41
0x00409e3f
0x00409e3d
0x00409e3b
0x00409e39
0x00409e37
0x00409e35
0x00409e33
0x00409e31
0x00409e2f
0x00409e2d
0x00409e2b
0x00409e29
0x00409e27
0x00409e25
0x00409e23
0x00409e21
0x00409e1f
0x00409e1d
0x00409e1b
0x00409e19
0x00409e17
0x00409e15
0x00409e13
0x00409e11
0x00409ed1
0x00409ed3
0x00409ed5
0x00409ed7
0x00409ed9
0x00409edb
0x00409edd
0x00409edf
0x00409ee1
0x00409ee3
0x00409ee5
0x00409ee5
0x00409e0d
0x00409e0b
0x00409ef3
0x00409f0b
0x00409f0e
0x00409f10
0x00409f13
0x00409f15
0x00409f17
0x00409f93
0x00409f97
0x00409f9b
0x00409f9f
0x00409fa3
0x00409fa5
0x0040a029
0x0040a02b
0x0040a02c
0x0040a02e
0x0040a02e
0x0040a030
0x0040a032
0x0040a034
0x0040a036

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c88101218cdb46c8029b27298660f77eecc4efd0d1d06764c4de0dff05bc2f4a
Instruction ID: 0f29a55e8d57e09adadc80c84e8e0523ba6fc81ebbf306603f23917a367af77c
Opcode Fuzzy Hash: c88101218cdb46c8029b27298660f77eecc4efd0d1d06764c4de0dff05bc2f4a
Instruction Fuzzy Hash: CF22DE81D2A70649FF726160C6C176E5640CB12381F308F3BD825F55E3AA2F8DCA159B

Uniqueness

Uniqueness Score: -1.00%

Function 00409FA9, Relevance: 2.1, APIs: 1, Instructions: 815
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00409FA9(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, signed long long __fp0) {
				signed char _t7;
				intOrPtr* _t8;
				void* _t9;
				void* _t93;
				void* _t98;
				void* _t99;
				signed char _t101;
				signed char _t112;
				signed long long _t167;

				_t167 = __fp0;
				_t99 = __esi;
				_t98 = __edi;
				_t9 = __ebx;
				_t7 = __eax - 1;
				_t101 = _t7;
				asm("adc ebp, [edx]");
				if(_t101 >= 0) {
					L44:
					asm("psubsw mm2, mm0");
					goto L45;
				} else {
					if(_t101 >= 0) {
						L45:
						 *(_t99 + 0xf) =  *(_t99 + 0xf) << 1;
						asm("pcmpgtb xmm3, xmm5");
						goto L47;
					} else {
						if(_t101 >= 0) {
							L47:
							asm("pcmpgtb mm3, mm5");
							goto L48;
						} else {
							if(_t101 >= 0) {
								L48:
								st1 = _t167;
								goto L49;
							} else {
								if(_t101 >= 0) {
									L49:
									 *(_t99 + 0xf) =  *(_t99 + 0xf) << 1;
									goto L50;
								} else {
									if(_t101 >= 0) {
										L50:
										asm("pcmpeqw mm6, mm6");
										goto L51;
									} else {
										if(_t101 < 0) {
											if(_t101 >= 0) {
												asm("loopne 0xffffffdb");
												goto L54;
											} else {
												if(_t101 >= 0) {
													L54:
													asm("stc");
													asm("pxor xmm0, xmm5");
													goto L55;
												} else {
													if(_t101 >= 0) {
														L55:
														asm("pxor mm0, mm5");
														goto L56;
													} else {
														if(_t101 >= 0) {
															L56:
															asm("invalid");
															goto L57;
														} else {
															if(_t101 >= 0) {
																L57:
																_push(_t98);
																goto L89;
															} else {
																if(_t101 >= 0) {
																	_t7 = _t7 & 0x000000f3;
																	_t112 = _t7;
																	goto L59;
																} else {
																	if(_t101 >= 0) {
																		L59:
																		if(_t112 < 0) {
																			goto L60;
																		}
																	} else {
																		if(_t101 >= 0) {
																			L60:
																			goto L61;
																		} else {
																			if(_t101 >= 0) {
																				L61:
																				goto L62;
																			} else {
																				if(_t101 >= 0) {
																					L62:
																					goto L63;
																				} else {
																					if(_t101 >= 0) {
																						L63:
																						goto L64;
																					} else {
																						if(_t101 >= 0) {
																							L64:
																							goto L65;
																						} else {
																							if(_t101 >= 0) {
																								L65:
																								goto L66;
																							} else {
																								if(_t101 >= 0) {
																									L66:
																									goto L67;
																								} else {
																									if(_t101 >= 0) {
																										L67:
																										goto L68;
																									} else {
																										if(_t101 >= 0) {
																											L68:
																											goto L69;
																										} else {
																											if(_t101 >= 0) {
																												L69:
																												goto L70;
																											} else {
																												if(_t101 >= 0) {
																													L70:
																													goto L71;
																												} else {
																													if(_t101 >= 0) {
																														L71:
																														goto L72;
																													} else {
																														if(_t101 >= 0) {
																															L72:
																															goto L73;
																														} else {
																															if(_t101 >= 0) {
																																L73:
																																goto L74;
																															} else {
																																if(_t101 >= 0) {
																																	L74:
																																	goto L75;
																																} else {
																																	if(_t101 >= 0) {
																																		L75:
																																		goto L76;
																																	} else {
																																		if(_t101 >= 0) {
																																			L76:
																																			goto L77;
																																		} else {
																																			if(_t101 >= 0) {
																																				L77:
																																				goto L78;
																																			} else {
																																				if(_t101 >= 0) {
																																					L78:
																																					goto L79;
																																				} else {
																																					if(_t101 >= 0) {
																																						L79:
																																						goto L80;
																																					} else {
																																						if(_t101 >= 0) {
																																							L80:
																																							goto L81;
																																						} else {
																																							if(_t101 >= 0) {
																																								L81:
																																								goto L82;
																																							} else {
																																								if(_t101 >= 0) {
																																									L82:
																																									goto L83;
																																								} else {
																																									if(_t101 >= 0) {
																																										L83:
																																										goto L84;
																																									} else {
																																										if(_t101 >= 0) {
																																											L84:
																																											goto L85;
																																										} else {
																																											if(_t101 >= 0) {
																																												L85:
																																												goto L86;
																																											} else {
																																												if(_t101 >= 0) {
																																													L86:
																																													goto L87;
																																												} else {
																																													if(_t101 >= 0) {
																																														L87:
																																														goto L88;
																																													} else {
																																														if(_t101 >= 0) {
																																															L88:
																																															_pop(_t9);
																																														} else {
																																															asm("fcom st0, st2");
																																															asm("psubsw xmm2, xmm0");
																																															goto L44;
																																														}
																																													}
																																												}
																																											}
																																										}
																																									}
																																								}
																																							}
																																						}
																																					}
																																				}
																																			}
																																		}
																																	}
																																}
																															}
																														}
																													}
																												}
																											}
																										}
																									}
																								}
																							}
																						}
																					}
																				}
																			}
																		}
																		L89:
																	}
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				asm("sti");
				_t8 = _t7 +  *((intOrPtr*)(_t9 - 0x47ee608));
				 *_t8 = _t8;
				 *_t8 =  *_t8 + _t8;
				_t7 = _t8 - 1;
				asm("fucom st1");
				asm("ftst");
				asm("fptan");
				asm("fsincos");
				asm("fst st7");
				asm("psubsw xmm2, xmm4");
				asm("wait");
				asm("fninit");
				asm("lfence");
				asm("pcmpgtw xmm7, xmm1");
				asm("pause");
				asm("fst st3");
				asm("pmaddwd mm6, mm0");
				_t167 = _t167 * st2;
				asm("wait");
				asm("fcos");
				_t93 =  *_t7;
				asm("paddw xmm0, xmm1");
				asm("punpckldq mm3, mm5");
				asm("lfence");
				asm("fclex");
				asm("pcmpgtw mm4, mm2");
				asm("ffree st2");
				asm("fxch st0, st1");
				if(_t9 != _t93) {
					goto L89;
				}
				asm("psubsb xmm7, xmm3");
				asm("pcmpeqb xmm2, xmm1");
				asm("psrld mm6, 0x15");
				asm("pmaddwd xmm1, xmm1");
				asm("fldpi");
				asm("fldln2");
				asm("fsubp st6, st0");
				asm("fcom st0, st2");
				asm("psubsw xmm2, xmm0");
				asm("pcmpgtb xmm3, xmm5");
				asm("fnop");
				asm("pcmpeqw xmm6, xmm6");
				asm("fchs");
				asm("fst st4");
				asm("fucom st1");
				asm("ftst");
				asm("fptan");
				asm("fsincos");
				asm("fst st7");
				asm("psubsw xmm2, xmm4");
				asm("wait");
				asm("fninit");
				asm("lfence");
				asm("fxtract");
				asm("pause");
				asm("fst st3");
				asm("pmaddwd mm6, mm0");
				asm("wait");
				asm("fcos");
				asm("paddw xmm0, xmm1");
				asm("punpckldq mm3, mm5");
				asm("lfence");
				asm("fclex");
				asm("pcmpgtw mm4, mm2");
				asm("ffree st2");
				asm("fxch st0, st1");
			}

0x00409fa9
0x00409fa9
0x00409fa9
0x00409fa9
0x00409fa9
0x00409fa9
0x00409fab
0x00409fad
0x0040a02c
0x0040a02c
0x00000000
0x00409faf
0x00409faf
0x0040a02e
0x0040a02e
0x0040a02f
0x00000000
0x00409fb1
0x00409fb1
0x0040a030
0x0040a030
0x00000000
0x00409fb3
0x00409fb3
0x0040a032
0x0040a032
0x00000000
0x00409fb5
0x00409fb5
0x0040a034
0x0040a034
0x00000000
0x00409fb7
0x00409fb7
0x0040a036
0x0040a036
0x00000000
0x00409fb9
0x00409fb9
0x00409fbb
0x0040a03a
0x00000000
0x00409fbd
0x00409fbd
0x0040a03c
0x0040a03c
0x0040a03d
0x00000000
0x00409fbf
0x00409fbf
0x0040a03e
0x0040a03e
0x00000000
0x00409fc1
0x00409fc1
0x0040a040
0x0040a040
0x00000000
0x00409fc3
0x00409fc3
0x0040a042
0x0040a042
0x00000000
0x00409fc5
0x00409fc5
0x0040a044
0x0040a044
0x00000000
0x00409fc7
0x00409fc7
0x0040a046
0x0040a046
0x00000000
0x00000000
0x00409fc9
0x00409fc9
0x0040a048
0x00000000
0x00409fcb
0x00409fcb
0x0040a04a
0x00000000
0x00409fcd
0x00409fcd
0x0040a04c
0x00000000
0x00409fcf
0x00409fcf
0x0040a04e
0x00000000
0x00409fd1
0x00409fd1
0x0040a050
0x00000000
0x00409fd3
0x00409fd3
0x0040a052
0x00000000
0x00409fd5
0x00409fd5
0x0040a054
0x00000000
0x00409fd7
0x00409fd7
0x0040a056
0x00000000
0x00409fd9
0x00409fd9
0x0040a058
0x00000000
0x00409fdb
0x00409fdb
0x0040a05a
0x00000000
0x00409fdd
0x00409fdd
0x0040a05c
0x00000000
0x00409fdf
0x00409fdf
0x0040a05e
0x00000000
0x00409fe1
0x00409fe1
0x0040a060
0x00000000
0x00409fe3
0x00409fe3
0x0040a062
0x00000000
0x00409fe5
0x00409fe5
0x0040a064
0x00000000
0x00409fe7
0x00409fe7
0x0040a066
0x00000000
0x00409fe9
0x00409fe9
0x0040a068
0x00000000
0x00409feb
0x00409feb
0x0040a06a
0x00000000
0x00409fed
0x00409fed
0x0040a06c
0x00000000
0x00409fef
0x00409fef
0x0040a06e
0x00000000
0x00409ff1
0x00409ff1
0x0040a070
0x00000000
0x00409ff3
0x00409ff3
0x0040a072
0x00000000
0x00409ff5
0x00409ff5
0x0040a074
0x00000000
0x00409ff7
0x00409ff7
0x0040a076
0x00000000
0x00409ff9
0x00409ff9
0x0040a078
0x00000000
0x00409ffb
0x00409ffb
0x0040a07a
0x00000000
0x00409ffd
0x00409ffd
0x0040a07c
0x00000000
0x00409fff
0x00409fff
0x0040a07e
0x00000000
0x0040a001
0x0040a001
0x0040a080
0x0040a099
0x0040a003
0x0040a029
0x0040a02b
0x00000000
0x0040a02b
0x0040a001
0x00409fff
0x00409ffd
0x00409ffb
0x00409ff9
0x00409ff7
0x00409ff5
0x00409ff3
0x00409ff1
0x00409fef
0x00409fed
0x00409feb
0x00409fe9
0x00409fe7
0x00409fe5
0x00409fe3
0x00409fe1
0x00409fdf
0x00409fdd
0x00409fdb
0x00409fd9
0x00409fd7
0x00409fd5
0x00409fd3
0x00409fd1
0x00409fcf
0x00409fcd
0x00409fcb
0x0040a09a
0x0040a0a2
0x00409fc7
0x00409fc5
0x00409fc3
0x00409fc1
0x00409fbf
0x00409fbd
0x00409fbb
0x00409fb9
0x00409fb7
0x00409fb5
0x00409fb3
0x00409fb1
0x00409faf
0x0040a0a3
0x0040a0a4
0x0040a0aa
0x0040a0ac
0x0040a0b3
0x0040a0b4
0x0040a0b6
0x0040a0b8
0x0040a0ba
0x0040a0bc
0x0040a0be
0x0040a0c2
0x0040a0c3
0x0040a0c5
0x0040a0c8
0x0040a14d
0x0040a14f
0x0040a151
0x0040a154
0x0040a156
0x0040a157
0x0040a1b9
0x0040a1d2
0x0040a1d6
0x0040a1da
0x0040a1dd
0x0040a1df
0x0040a1e2
0x0040a1e4
0x0040a244
0x00000000
0x00000000
0x0040a262
0x0040a266
0x0040a26a
0x0040a26e
0x0040a272
0x0040a274
0x0040a276
0x0040a2ef
0x0040a2f1
0x0040a2f5
0x0040a2f9
0x0040a2fb
0x0040a2ff
0x0040a37c
0x0040a380
0x0040a382
0x0040a384
0x0040a386
0x0040a388
0x0040a38a
0x0040a38e
0x0040a38f
0x0040a391
0x0040a412
0x0040a414
0x0040a416
0x0040a418
0x0040a41d
0x0040a41e
0x0040a49a
0x0040a49e
0x0040a4a2
0x0040a4a5
0x0040a4a7
0x0040a4aa
0x0040a4ac

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c24a82cc8f128034905da9d1a14cdd1abb78df4ce89c9bb91339971e6fb96886
Instruction ID: f988c4b6a89c7a4e25f654bf9a4ea808e799f2362255dc4b1250047cb05b34fd
Opcode Fuzzy Hash: c24a82cc8f128034905da9d1a14cdd1abb78df4ce89c9bb91339971e6fb96886
Instruction Fuzzy Hash: 1322DE45E2AB0949FF722031C5D076D5680DF26395F30CF3BD821F55E2AA2F8ADA158B

Uniqueness

Uniqueness Score: -1.00%

Function 00409CD6, Relevance: 2.0, APIs: 1, Instructions: 795memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c4cff2ddf0a58651a4822f1f6781a3a85387b74f4c81c66f8fdd1cba23464ba9
Instruction ID: 24c4c18bec9daa6ac09a4c9884af3666ed2ced965d47d7b6ce31c7c1ae9fffa7
Opcode Fuzzy Hash: c4cff2ddf0a58651a4822f1f6781a3a85387b74f4c81c66f8fdd1cba23464ba9
Instruction Fuzzy Hash: 0D22CA82E2A70689FFB22020C5C075D5680DF26381F31CF3BD821F15E2BA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409D6A, Relevance: 2.0, APIs: 1, Instructions: 753memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8b86d07ae1c06d254b30c664b89d72401b20558d360533424b8798af5d634acd
Instruction ID: fc7db7ca746ffffbd33e260fc0f7028f1a0d2850fc664a3a11ed3db137ec5449
Opcode Fuzzy Hash: 8b86d07ae1c06d254b30c664b89d72401b20558d360533424b8798af5d634acd
Instruction Fuzzy Hash: 9622CC82E2A70699FFB22060C5D075D5680DF26385F31CF37D821F55E2BA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A15B, Relevance: 2.0, APIs: 1, Instructions: 705memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b4f759bef5d99f44f0269ab6a610a601e7520ca06f842b1b45439736dd0590a3
Instruction ID: c5d52c71d285d7f38d0e0322b824f4b3209a477309d22a529c4476aa8a35cbed
Opcode Fuzzy Hash: b4f759bef5d99f44f0269ab6a610a601e7520ca06f842b1b45439736dd0590a3
Instruction Fuzzy Hash: 0E02CD82E2A70659FFB22020C5D076D5681DF22785F318F3BD821F55E2FA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 00409F66, Relevance: 1.9, APIs: 1, Instructions: 682
memoryCOMMON

Download Yara Rule

C-Code - Quality: 31%

			E00409F66(void* __eax, void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				void* _t6;
				void* _t8;
				void* _t16;
				void* _t17;
				void* _t91;

				_t91 = __fp0;
				_t17 = __esi;
				_t16 = __edi;
				_t8 = __ebx;
				_t6 = __eax;
				asm("psubsb xmm7, xmm3");
				asm("pcmpeqb xmm2, xmm1");
				asm("psrld mm6, 0x15");
				asm("pmaddwd xmm1, xmm1");
				asm("fldpi");
				asm("fldln2");
				asm("fcom st0, st2");
				asm("psubsw xmm2, xmm0");
				asm("psubsw mm2, mm0");
				 *(__esi + 0xf) =  *(__esi + 0xf) << 1;
				goto L5;
				asm("pcmpgtb mm3, mm5");
				st1 = _t91;
				 *(_t17 + 0xf) =  *(_t17 + 0xf) << 1;
				asm("pcmpeqw mm6, mm6");
			}

0x00409f66
0x00409f66
0x00409f66
0x00409f66
0x00409f66
0x00409f93
0x00409f97
0x00409f9b
0x00409f9f
0x00409fa3
0x00409fa5
0x0040a029
0x0040a02b
0x0040a02c
0x0040a02e
0x0040a02e
0x0040a030
0x0040a032
0x0040a034
0x0040a036

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 23b5c0f1dd0f9631a19c64cc4a0ee9a17d9be06f89ca909e53f33275e810c9f0
Instruction ID: 5359fdc84d4b744352bcfc7e03e6e31afcbf834797b14611bdd0dbc1c4af7f09
Opcode Fuzzy Hash: 23b5c0f1dd0f9631a19c64cc4a0ee9a17d9be06f89ca909e53f33275e810c9f0
Instruction Fuzzy Hash: 3112CC82E2A70659FFB22120C5D076D5681DF22385F31CF3BD821F55E2BA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A0CF, Relevance: 1.9, APIs: 1, Instructions: 673memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 828d96899c8fb93e6f75639c161bed21ec6d26c7f2c597b7255687547ba0bd4c
Instruction ID: 4b0e5764b12041c471ace4b672ff79992c0e6540fa131e75a45c2d07ce70b4f1
Opcode Fuzzy Hash: 828d96899c8fb93e6f75639c161bed21ec6d26c7f2c597b7255687547ba0bd4c
Instruction Fuzzy Hash: 8B02DC82E2A70659FFB22120C5D076D5681CF22785F318F3BD821F55E2FA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A423, Relevance: 1.9, APIs: 1, Instructions: 632
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E0040A423(void* __eax, void* __ebx, void* __ecx) {

				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x81818181;
				 *((intOrPtr*)(__ecx - 0x7e7e7e7f)) =  *((intOrPtr*)(__ecx - 0x7e7e7e7f)) + 0x83818181;
				asm("paddw xmm0, xmm1");
				asm("punpckldq mm3, mm5");
				asm("lfence");
				asm("fclex");
				asm("pcmpgtw mm4, mm2");
				asm("ffree st2");
				asm("fxch st0, st1");
			}

0x0040a42b
0x0040a435
0x0040a43f
0x0040a449
0x0040a453
0x0040a45d
0x0040a467
0x0040a471
0x0040a49a
0x0040a49e
0x0040a4a2
0x0040a4a5
0x0040a4a7
0x0040a4aa
0x0040a4ac

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8146c469db8c507e191913a36bc7115f9afdac1c41a664b598ef4040eeb27472
Instruction ID: 1c3d67e694948b8a72ba111b4ead65858069e447c8bfb07b854f18268708a77f
Opcode Fuzzy Hash: 8146c469db8c507e191913a36bc7115f9afdac1c41a664b598ef4040eeb27472
Instruction Fuzzy Hash: 47F1EC41E2A74649FFB22120C5C075D6690DF12385F358F3BD821F54E2FA2F89CA1A9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A27B, Relevance: 1.9, APIs: 1, Instructions: 626memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 46f44b5fd815069df1f74c2de674c0a6ad9f60e00621423a1f84f59240bb698f
Instruction ID: b6e5b6f1b221124763ffb114dc2f91baff64c8cec3873f9fc689405086c603c5
Opcode Fuzzy Hash: 46f44b5fd815069df1f74c2de674c0a6ad9f60e00621423a1f84f59240bb698f
Instruction Fuzzy Hash: 7EF1DD82E2A70659FFB22030C5D076D5681CF22785F318F3BD821F55E2BA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A1E8, Relevance: 1.9, APIs: 1, Instructions: 624
COMMON

Download Yara Rule

C-Code - Quality: 32%

			E0040A1E8(signed int __eax, void* __ebx, signed int __ecx, signed long long __fp0) {
				signed int _t4;
				intOrPtr* _t5;
				void* _t6;
				void* _t8;
				signed long long _t68;

				_t68 = __fp0;
				_t6 = __ebx;
				_t4 = __eax;
				asm("outsd");
				asm("wait");
				 *[es:ecx] =  *[es:ecx] | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *__ecx =  *__ecx | __ecx;
				 *(__ebx - 0x34c6a408) =  *(__ebx - 0x34c6a408) | __eax;
				while(_t6 != _t8) {
					asm("sti");
					_t5 = _t4 +  *((intOrPtr*)(_t6 - 0x47ee608));
					 *_t5 = _t5;
					 *_t5 =  *_t5 + _t5;
					_t4 = _t5 - 1;
					asm("fucom st1");
					asm("ftst");
					asm("fptan");
					asm("fsincos");
					asm("fst st7");
					asm("psubsw xmm2, xmm4");
					asm("wait");
					asm("fninit");
					asm("lfence");
					asm("pcmpgtw xmm7, xmm1");
					asm("pause");
					asm("fst st3");
					asm("pmaddwd mm6, mm0");
					_t68 = _t68 * st2;
					asm("wait");
					asm("fcos");
					_t8 =  *_t4;
					asm("paddw xmm0, xmm1");
					asm("punpckldq mm3, mm5");
					asm("lfence");
					asm("fclex");
					asm("pcmpgtw mm4, mm2");
					asm("ffree st2");
					asm("fxch st0, st1");
				}
				asm("psubsb xmm7, xmm3");
				asm("pcmpeqb xmm2, xmm1");
				asm("psrld mm6, 0x15");
				asm("pmaddwd xmm1, xmm1");
				asm("fldpi");
				asm("fldln2");
				asm("fsubp st6, st0");
				asm("fcom st0, st2");
				asm("psubsw xmm2, xmm0");
				asm("pcmpgtb xmm3, xmm5");
				asm("fnop");
				asm("pcmpeqw xmm6, xmm6");
				asm("fchs");
				asm("fst st4");
				asm("fucom st1");
				asm("ftst");
				asm("fptan");
				asm("fsincos");
				asm("fst st7");
				asm("psubsw xmm2, xmm4");
				asm("wait");
				asm("fninit");
				asm("lfence");
				asm("fxtract");
				asm("pause");
				asm("fst st3");
				asm("pmaddwd mm6, mm0");
				asm("wait");
				asm("fcos");
				asm("paddw xmm0, xmm1");
				asm("punpckldq mm3, mm5");
				asm("lfence");
				asm("fclex");
				asm("pcmpgtw mm4, mm2");
				asm("ffree st2");
				asm("fxch st0, st1");
			}

0x0040a1e8
0x0040a1e8
0x0040a1e8
0x0040a1e8
0x0040a1e9
0x0040a1ea
0x0040a1ee
0x0040a1f0
0x0040a1f2
0x0040a1f4
0x0040a1f6
0x0040a1f8
0x0040a1fa
0x0040a1fc
0x0040a1fe
0x0040a200
0x0040a202
0x0040a204
0x0040a206
0x0040a208
0x0040a20a
0x0040a20c
0x0040a20e
0x0040a210
0x0040a212
0x0040a214
0x0040a216
0x0040a218
0x0040a21a
0x0040a21c
0x0040a21e
0x0040a220
0x0040a222
0x0040a224
0x0040a226
0x0040a228
0x0040a22a
0x0040a22c
0x0040a22e
0x0040a230
0x0040a232
0x0040a234
0x0040a236
0x0040a238
0x0040a23a
0x0040a23c
0x0040a23e
0x0040a23f
0x0040a0a3
0x0040a0a4
0x0040a0aa
0x0040a0ac
0x0040a0b3
0x0040a0b4
0x0040a0b6
0x0040a0b8
0x0040a0ba
0x0040a0bc
0x0040a0be
0x0040a0c2
0x0040a0c3
0x0040a0c5
0x0040a0c8
0x0040a14d
0x0040a14f
0x0040a151
0x0040a154
0x0040a156
0x0040a157
0x0040a1b9
0x0040a1d2
0x0040a1d6
0x0040a1da
0x0040a1dd
0x0040a1df
0x0040a1e2
0x0040a1e4
0x0040a1e4
0x0040a262
0x0040a266
0x0040a26a
0x0040a26e
0x0040a272
0x0040a274
0x0040a276
0x0040a2ef
0x0040a2f1
0x0040a2f5
0x0040a2f9
0x0040a2fb
0x0040a2ff
0x0040a37c
0x0040a380
0x0040a382
0x0040a384
0x0040a386
0x0040a388
0x0040a38a
0x0040a38e
0x0040a38f
0x0040a391
0x0040a412
0x0040a414
0x0040a416
0x0040a418
0x0040a41d
0x0040a41e
0x0040a49a
0x0040a49e
0x0040a4a2
0x0040a4a5
0x0040a4a7
0x0040a4aa
0x0040a4ac

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59536ecbb2560866f18f90f3f57163c46ab9150b7a6c04ca79ad1a497c4518f3
Instruction ID: 3de42cd5f97c46170961614c7a47d51d7163ca9ec4b934d79d7ccd89b4781922
Opcode Fuzzy Hash: 59536ecbb2560866f18f90f3f57163c46ab9150b7a6c04ca79ad1a497c4518f3
Instruction Fuzzy Hash: BF02CC81E2A70659FFB22030C5D076D5681DF22785F318F3BD821F55E2BA1F8ACA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A543, Relevance: 1.8, APIs: 1, Instructions: 583memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d59313d1d21ed537aa35fa7e1fd3e2e88e2dc1a43ecd4b97aded775f583bee47
Instruction ID: 992cb49bd4f4bf028cc48047464cd1a2b1b52fbabfb1de4ab8d6caf540fbbaf1
Opcode Fuzzy Hash: d59313d1d21ed537aa35fa7e1fd3e2e88e2dc1a43ecd4b97aded775f583bee47
Instruction Fuzzy Hash: 48E1CE81E2A70659FFB22120C5C0B6D5681CF16785F31CF37D821F59E2BA1F89CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A306, Relevance: 1.8, APIs: 1, Instructions: 583memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 784266c28f6ab53531e7cb114401211164ff92b3da41a57c4b60f0dfc14fd275
Instruction ID: 6c72d7b94a0c0b4edd31de94fd08f9131803061b2f4dae181d65338ffe6f393c
Opcode Fuzzy Hash: 784266c28f6ab53531e7cb114401211164ff92b3da41a57c4b60f0dfc14fd275
Instruction Fuzzy Hash: 35F1DD82E2A70659FFB22020C5D076D5681CF12785F31CF37D821F59E2BA1F86CA1997

Uniqueness

Uniqueness Score: -1.00%

Function 0040A396, Relevance: 1.8, APIs: 1, Instructions: 569memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6c2b2d8d0fb75253fc053deeb5cb6c90f74b09d6c6b5c37603537975c181121
Instruction ID: a73a2b1bef892327f7b22bc74135daba1b96ded26dc28cdf5bf83ff3b1bd431f
Opcode Fuzzy Hash: c6c2b2d8d0fb75253fc053deeb5cb6c90f74b09d6c6b5c37603537975c181121
Instruction Fuzzy Hash: 8BF1CD82E2A70659FFB22020C5D076D5681CF16785F31CF37D821F59E2BA1F86CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A6FB, Relevance: 1.8, APIs: 1, Instructions: 530memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e11243124690c75f60758952c9dd0153ac05c7d664c057d43cef3b05a85fae28
Instruction ID: 44323abe20582bc47322dfe885dbb610e2c849c468c3e65c4f485360b3bbfcd5
Opcode Fuzzy Hash: e11243124690c75f60758952c9dd0153ac05c7d664c057d43cef3b05a85fae28
Instruction Fuzzy Hash: 7FD1AC81E2A70659FFB32020C5C0BAD5281CF16785F358F37D811F59E2BA1F86CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A4B4, Relevance: 1.8, APIs: 1, Instructions: 528memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2756ebad6a589f50addedbc10c6bb08f1f353dfb91fda8f0b61f0c83ac6c7b7b
Instruction ID: cf7a79755d34dc51b67021dd142b245252483c9f640ea1b53e240f31593d833b
Opcode Fuzzy Hash: 2756ebad6a589f50addedbc10c6bb08f1f353dfb91fda8f0b61f0c83ac6c7b7b
Instruction Fuzzy Hash: 9AE1BB81E2A74649FFB22120C5D076D5690CF16785F31CF3BD821F58E2BA1F89CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A5D3, Relevance: 1.8, APIs: 1, Instructions: 522
memoryCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040A5D3() {

				goto L2;
			}

0x0040a641

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 083d777a096fe71af5dc952e42006ef04fa15367bb362cd23f4201a1a64d4269
Instruction ID: b7fdca77fbd286ee420c95d1e84e73b74998f7f2f3f66c69575f5773e689865b
Opcode Fuzzy Hash: 083d777a096fe71af5dc952e42006ef04fa15367bb362cd23f4201a1a64d4269
Instruction Fuzzy Hash: 76D1CD81E2A70659FFB22020C5C0B6D5281CF16785F31CF37D821F59E2BA1F89CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A669, Relevance: 1.7, APIs: 1, Instructions: 497
COMMON

Download Yara Rule

C-Code - Quality: 16%

			E0040A669() {

				_push(ss);
				asm("fisttp dword [eax]");
				goto L2;
			}

0x0040a669
0x0040a66a
0x0040a6bc

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdeb70b73615bc01bdab255dfb53978bd27814980429a1d1d5a05d5bb503b9ad
Instruction ID: cbd4a71223bb3d000257f98414b6aa0b7e253bde9b839fbef2a2c97ed9f09cc1
Opcode Fuzzy Hash: fdeb70b73615bc01bdab255dfb53978bd27814980429a1d1d5a05d5bb503b9ad
Instruction Fuzzy Hash: 48D1CE81E2A70659FFB22020C5C0B6D5691CF12785F31CF37D821F58E2BA1F85CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A8B8, Relevance: 1.7, APIs: 1, Instructions: 476memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5288ec92a2a2631bab4d9443e8f963381060e10a9d66761bfdd1bc79d36e6c94
Instruction ID: 27217cc01fb132fb0f1309d3882d61f42eac8ff0ebbd7b1c1938f2355b8d3196
Opcode Fuzzy Hash: 5288ec92a2a2631bab4d9443e8f963381060e10a9d66761bfdd1bc79d36e6c94
Instruction Fuzzy Hash: 74B1BF81E2A70659FFB22060C9C075D5281CF12785F31CF37D811F58E2BA1F86CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A9E8, Relevance: 1.7, APIs: 1, Instructions: 476memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27e6dd741ad75a865ce0e76d6f16971da93ca4076f63e9e7aa01ff5e06e63bc4
Instruction ID: 750a84d6179c896b467ffd3726d9702573b073488590d0942f70357d761dc58e
Opcode Fuzzy Hash: 27e6dd741ad75a865ce0e76d6f16971da93ca4076f63e9e7aa01ff5e06e63bc4
Instruction Fuzzy Hash: 69B1BF81E2A70659FF722160C9D075D5680CF12785F31CF37D811F58E2BA2F8ACA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A791, Relevance: 1.7, APIs: 1, Instructions: 448memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 986799dd11d0c3011776e77a7317f836da5ca981b31366a86f71c3eabf45a753
Instruction ID: 410713bd3f63d685f53261c04dda6b4b665cecd663abbd4b955480d4d88c535c
Opcode Fuzzy Hash: 986799dd11d0c3011776e77a7317f836da5ca981b31366a86f71c3eabf45a753
Instruction Fuzzy Hash: 2AC1BE81E2A74659FFB22120C9C075D5281CF12785F35CF3BD811F58E2BA2F86CA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040A952, Relevance: 1.7, APIs: 1, Instructions: 416memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 02e1286f06f48cf1dee0d8b355d549ad54ec91534c0d0f9cbe554cf91102bbd9
Instruction ID: 835e77b194cacb023758752595c5816b087ffd0a3f662796e3ff4a6a0bdd5899
Opcode Fuzzy Hash: 02e1286f06f48cf1dee0d8b355d549ad54ec91534c0d0f9cbe554cf91102bbd9
Instruction Fuzzy Hash: D5B1AD81E2A70659FFB22120C9C075D5680CF12785F31CF37D821F58E2BA1F8ACA199B

Uniqueness

Uniqueness Score: -1.00%

Function 0040AA76, Relevance: 1.7, APIs: 1, Instructions: 404memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040), ref: 0040AAD6

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e777f20f98e95c66a8c205c4e30fc3aeaac0cb18043942cc09929a5a5486c17a
Instruction ID: 84fedf86e6f0cfac5041565b0ccc66b038a5c600d7ca95892e8a3b58ea210019
Opcode Fuzzy Hash: e777f20f98e95c66a8c205c4e30fc3aeaac0cb18043942cc09929a5a5486c17a
Instruction Fuzzy Hash: C6B1E141E6A70689EF726060CAC175D5280CF96781F34CF37D811F14E2BA6F86DA99CB

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00461670, Relevance: 6.7, Strings: 5, Instructions: 401COMMON

Download Yara Rule

Strings

xK}S, xrefs: 00462A97
?;U, xrefs: 00462A45
?;U, xrefs: 00462A4A
8j, xrefs: 00462AF6
xK}S, xrefs: 00462A92

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8j$?;U$?;U$xK}S$xK}S
API String ID: 0-3896343357
Opcode ID: b1a7411691cf5c8dee971845165a6d62fdc7115d31b4f4181fa2154b6a0b4553
Instruction ID: 94a6d6477f7245d694defeb0179fdc07c7c5fba65071585da0e32b803023184b
Opcode Fuzzy Hash: b1a7411691cf5c8dee971845165a6d62fdc7115d31b4f4181fa2154b6a0b4553
Instruction Fuzzy Hash: 54D14870300706BFFF205E14CD86BEA2662EF51794F24422AFE459A2D0E3BD98C5970B

Uniqueness

Uniqueness Score: -1.00%

Function 0046581C, Relevance: 6.6, Strings: 5, Instructions: 387COMMON

Download Yara Rule

Strings

xK}S, xrefs: 00462A97
?;U, xrefs: 00462A45
?;U, xrefs: 00462A4A
8j, xrefs: 00462AF6
xK}S, xrefs: 00462A92

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8j$?;U$?;U$xK}S$xK}S
API String ID: 0-3896343357
Opcode ID: 9f949f3fc1ea64606b72b591ac719071c71b0f251c9ba7280e2a3639437c9d2a
Instruction ID: 2c9738df96136b7486dfc7db34904717473c75cb7a6c669570e9aca058cb6454
Opcode Fuzzy Hash: 9f949f3fc1ea64606b72b591ac719071c71b0f251c9ba7280e2a3639437c9d2a
Instruction Fuzzy Hash: 5BC12670340746BFEF305E14CD86BEA3662EF51794F20422AFE45AA1D0E7BD9885970B

Uniqueness

Uniqueness Score: -1.00%

Function 00462A65, Relevance: 4.1, Strings: 3, Instructions: 336COMMON

Download Yara Rule

Strings

xK}S, xrefs: 00462A97
8j, xrefs: 00462AF6
xK}S, xrefs: 00462A92

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8j$xK}S$xK}S
API String ID: 0-2784461370
Opcode ID: 8ba39712fbcb990a933f553606022ca7fed5199437472258eb9755f272032cfe
Instruction ID: 45211c83583d974a941a51da8f9e8cdbd9d07fa1d7f29f43b55986b4b7861e18
Opcode Fuzzy Hash: 8ba39712fbcb990a933f553606022ca7fed5199437472258eb9755f272032cfe
Instruction Fuzzy Hash: 39B149B0340706BFFB215E14CD86BE93662EF11794F24422AFE459B2D0E3BD9885970B

Uniqueness

Uniqueness Score: -1.00%

Function 00462ACB, Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

8j, xrefs: 00462AF6

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8j
API String ID: 0-3949049002
Opcode ID: 06eb51cab2283ef036787f4391d6708377a05ee289c825c4620ccb72001a2346
Instruction ID: 1eecab1f2af5d1722038d6c1a460adfc9bcedde8a68542ac5acdbe064ca623d9
Opcode Fuzzy Hash: 06eb51cab2283ef036787f4391d6708377a05ee289c825c4620ccb72001a2346
Instruction Fuzzy Hash: 8CB17BB1300706BFEF215E24CD95BE936A2EF12794F24422AFD45961C0E7FD9885970B

Uniqueness

Uniqueness Score: -1.00%

Function 004612AC, Relevance: 1.4, Strings: 1, Instructions: 195COMMON

Download Yara Rule

Strings

!`, xrefs: 004613D4

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: !`
API String ID: 0-2163500612
Opcode ID: 298c9f6b70ff84a32451a91d5acca9a43495b1da1c653bfb7a61d8f81d32347e
Instruction ID: fafe68265e60365760f08da783ca3631d7778bbd46154d9e85f75072cfdf4e1b
Opcode Fuzzy Hash: 298c9f6b70ff84a32451a91d5acca9a43495b1da1c653bfb7a61d8f81d32347e
Instruction Fuzzy Hash: 2051BC73948341ABEB211A76CC12BDA3BA1EF02344F4C415FFCC15A1A1F62A4982E61F

Uniqueness

Uniqueness Score: -1.00%

Function 00461A8E, Relevance: .4, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4849a8278d5499626f4d9e26af6861b6f6a075270e6b81d44aa95da82260141a
Instruction ID: f7a9616a03a66624ef3ec091fd9d7191fef0c6b63057251d5b7958c82fc6d391
Opcode Fuzzy Hash: 4849a8278d5499626f4d9e26af6861b6f6a075270e6b81d44aa95da82260141a
Instruction Fuzzy Hash: 88E17B71340B07EFD7149E28CD91BE673A5BF06350F64422AEC9993241E73CA88AC797

Uniqueness

Uniqueness Score: -1.00%

Function 00461A9C, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e138d3f2486a4bb7d03c0a3b55c85d22ba4ddb2fb7c46d245355d1762d9e6eb1
Instruction ID: 0fbef52a2059fecf4dffefca43f594120dde0e52484384d3c4e3639bcff1ef1a
Opcode Fuzzy Hash: e138d3f2486a4bb7d03c0a3b55c85d22ba4ddb2fb7c46d245355d1762d9e6eb1
Instruction Fuzzy Hash: D9B16B72700706EBD7148E28CD91BD6B3A5FF15344F58822AEC99C3251F73DA899CB86

Uniqueness

Uniqueness Score: -1.00%

Function 00462B08, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10b5745a951add5570a2e6edebede5ba615436a2f05645028c4d255547b3d2a1
Instruction ID: 50d7d871c6473c3aa719cf6a0c42c92b1f9f6ca1bcf1e04642886bc928c84b16
Opcode Fuzzy Hash: 10b5745a951add5570a2e6edebede5ba615436a2f05645028c4d255547b3d2a1
Instruction Fuzzy Hash: 079137B0340706BFEF215E14CD86BE936A2EF12394F24422AFD45962D0E7BD98C5974B

Uniqueness

Uniqueness Score: -1.00%

Function 00462B88, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61586e7af6abec8f518124bdee56a3d93ed4726ad0585ae19f3b56a1c70f42d6
Instruction ID: ad4c2c5faf7e68e891a18866df6179c0df336526f44b5f2a8fac9174de0c685e
Opcode Fuzzy Hash: 61586e7af6abec8f518124bdee56a3d93ed4726ad0585ae19f3b56a1c70f42d6
Instruction Fuzzy Hash: 999157B0340706BFEF215E14CD867E936A2EF11394F24422AFD45962D0E7BD98C5974A

Uniqueness

Uniqueness Score: -1.00%

Function 00462BB6, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27dabe951be95e7b23cffda2149d9871a5fada0d9156d034e9a431e486d960ac
Instruction ID: 5aff701406d80bb6cb4a5e73bd1d0d537cb5a276a9746586780dca26339900d1
Opcode Fuzzy Hash: 27dabe951be95e7b23cffda2149d9871a5fada0d9156d034e9a431e486d960ac
Instruction Fuzzy Hash: BB8168B0340707BFEF215E14CD967E936A2EF12394F20422AFD85962D0E7BD98C5974A

Uniqueness

Uniqueness Score: -1.00%

Function 00462C4F, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383c557ca6243806c6d899195aea87f58529a6983141c09ca5b9415b88d11054
Instruction ID: 28aff9947da2b0c4f284a80f5cf5e6932b8a8510682dc2fc67080fd493209693
Opcode Fuzzy Hash: 383c557ca6243806c6d899195aea87f58529a6983141c09ca5b9415b88d11054
Instruction Fuzzy Hash: C77156B024070ABFFF215E14CD91BE93662EF12398F20422AFD81961D0E7FD99C5960A

Uniqueness

Uniqueness Score: -1.00%

Function 00462CFC, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8032948dcb69e60e5a07eee8748565725bcbbfec027d201258807bc85e1a633
Instruction ID: 20c13663ce1abf7db8921258e73f44cf6be54988b147fe72ce7ba80ea13eb679
Opcode Fuzzy Hash: f8032948dcb69e60e5a07eee8748565725bcbbfec027d201258807bc85e1a633
Instruction Fuzzy Hash: E161247034074ABFFF315E14CD92BE93662EF12394F24422AFE85951D0E7AD8DC5960A

Uniqueness

Uniqueness Score: -1.00%

Function 00462CBE, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e1a5b02403db7073ff33a7034c77cfb096b21700a742ad215f669f26a4f61c9
Instruction ID: c94612f245b8fff4103e91976badbd4582def607bcf60187b04cd617582f5c5e
Opcode Fuzzy Hash: 3e1a5b02403db7073ff33a7034c77cfb096b21700a742ad215f669f26a4f61c9
Instruction Fuzzy Hash: 8261277034074ABFFF365E10CD927E93662EF12394F24422AFD81951D0E7AD8DC5960A

Uniqueness

Uniqueness Score: -1.00%

Function 00462D3F, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0bb4c0566aa1d576154f53c875bc440316a63e8a4f29918cfef97debf5cf2f6
Instruction ID: fedcf6943619d4220e7f37b4d338f5c33cc5d59e2603b2855e193dbd94c28619
Opcode Fuzzy Hash: a0bb4c0566aa1d576154f53c875bc440316a63e8a4f29918cfef97debf5cf2f6
Instruction Fuzzy Hash: 1151347034074ABFFF315E10CD92BE93662EF12394F24422AFE81951D0E7AD8DC5960A

Uniqueness

Uniqueness Score: -1.00%

Function 00462D80, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6001a55e336ed104692fb7821895731a778b0982d9b0b0fb3fc00306c934743
Instruction ID: 1cf0d6f80379bf8a51768bf2673df7fa2dda926c1776c9932b1507dff501af99
Opcode Fuzzy Hash: f6001a55e336ed104692fb7821895731a778b0982d9b0b0fb3fc00306c934743
Instruction Fuzzy Hash: F151457034074ABFEF355E14CD917E93662EF12398F24422AFE81951D0E7BD8CC5960A

Uniqueness

Uniqueness Score: -1.00%

Function 00462DD6, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f1cfe50744de15f92401711e51c43670cb9681282b980c395fcaf49ea0e4142
Instruction ID: 5ba84649f1103f4a1054d8e3ea8f13c376cdcac816dee75620a16dfaacf8a919
Opcode Fuzzy Hash: 3f1cfe50744de15f92401711e51c43670cb9681282b980c395fcaf49ea0e4142
Instruction Fuzzy Hash: 085138B0340706BFEF255D14CD957E93662EF06398F24422AFD41951D0E7BE8DC9A60B

Uniqueness

Uniqueness Score: -1.00%

Function 004620C0, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2f75ef7f3d5416458901835374317946daa1714e1273691369f468a5d82f42f
Instruction ID: b0f40b473d3d72ea11dfac23ddaf7fe54e8e504ed47f55fb1d788d9238ea2ff3
Opcode Fuzzy Hash: a2f75ef7f3d5416458901835374317946daa1714e1273691369f468a5d82f42f
Instruction Fuzzy Hash: 8C414872248B02BBCB154A28CE11BD637E4BF03354F54426FECD597282EB5CD84AD75A

Uniqueness

Uniqueness Score: -1.00%

Function 00462E13, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3310146ab22c5cdf7b4abb696896443198a811e52b904d19e928d66e055bfc60
Instruction ID: 8f5dfcf32b2193103ed4d6be0b04cf8c3783d6793efa0b7033811cd113ee9749
Opcode Fuzzy Hash: 3310146ab22c5cdf7b4abb696896443198a811e52b904d19e928d66e055bfc60
Instruction Fuzzy Hash: EF415770200746BFEF255E14CE917E93262EF02398F24422AFD45951D0E7BE8DC5A60B

Uniqueness

Uniqueness Score: -1.00%

Function 00465802, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7b17c17c0f45b208cd25ab969dd25e2c32085fe01e0c2505968e8e80a83594
Instruction ID: d56700c61429a340da53d0a8a9ef6c76686dffe63ef136a0c87ccbe346f2d57b
Opcode Fuzzy Hash: cf7b17c17c0f45b208cd25ab969dd25e2c32085fe01e0c2505968e8e80a83594
Instruction Fuzzy Hash: BD3157D3609B42EACB2020B7D5407DA07F0C6223A5F09201FECE2C5959FB2E9C0EE10B

Uniqueness

Uniqueness Score: -1.00%

Function 004620BE, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d748a40514f2681c887222ba8a78d6eeb39a8b208b3de35d5c27e809221b29ee
Instruction ID: ea62c7e50038982d7347afb9513aedc5e1840512232ce4e07980d53472b8413c
Opcode Fuzzy Hash: d748a40514f2681c887222ba8a78d6eeb39a8b208b3de35d5c27e809221b29ee
Instruction Fuzzy Hash: FE412671344B06BBDB145E18CE50BE63398BF02364F60422BEC95A7281EB5CD88B975B

Uniqueness

Uniqueness Score: -1.00%

Function 0046233D, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12a2e217218c27a2277e76993807bcab69e3af1b97e1c51cac848391fd2edc98
Instruction ID: 665f69bb6bff4dfec913714bc744eabd1c5eb0cb849f8d6d59f8b3ecb4a4e49f
Opcode Fuzzy Hash: 12a2e217218c27a2277e76993807bcab69e3af1b97e1c51cac848391fd2edc98
Instruction Fuzzy Hash: F6413870644B01FEE7246F25CD59BE932A5AF10354F61402BFC435B1A2E7ACD9C19B1B

Uniqueness

Uniqueness Score: -1.00%

Function 00462358, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f8eb5f028a09b8c167e6383d85f874f3e4782c94d03c87f6bf20b3616790f25
Instruction ID: ac1068ef0877522d72c8514a8eb5fff346c75fcc166307d8a93d6e1cac0afcbd
Opcode Fuzzy Hash: 0f8eb5f028a09b8c167e6383d85f874f3e4782c94d03c87f6bf20b3616790f25
Instruction Fuzzy Hash: 8521F930744B05FEEB246F658EA5BF92295AB14314FA0402BFD076B1D1EBACD881961B

Uniqueness

Uniqueness Score: -1.00%

Function 00462396, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a78817613d2c2a36f8dd399bd6d0a65f779f3652e4af0e70bfa03fcee16bed1
Instruction ID: a1645c52cbaaeb538e6232c77d31d8b3e0eeacb94082d91ee77e8f17cbb13b4f
Opcode Fuzzy Hash: 7a78817613d2c2a36f8dd399bd6d0a65f779f3652e4af0e70bfa03fcee16bed1
Instruction Fuzzy Hash: B0210B70750705FEFB246F658EA6BF92295AB10704F60802BFD075A092F7ECC985961B

Uniqueness

Uniqueness Score: -1.00%

Function 004623B7, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca592fe0c0e782cfc5c2ae8aaeef0462a6cf1f63a77fe6aa6df2251a3a9a41e0
Instruction ID: 0994f266ceefed036cee53edccd54863a694d89789d932cc972ad92eaf887108
Opcode Fuzzy Hash: ca592fe0c0e782cfc5c2ae8aaeef0462a6cf1f63a77fe6aa6df2251a3a9a41e0
Instruction Fuzzy Hash: 2921EB70754701FEE7246F658E95BE922956B04714F60802BFD035B091F7A8C985961B

Uniqueness

Uniqueness Score: -1.00%

Function 0046635B, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f61a3d41bd14c186405d1429a10d75f5c27d7775a5a10b0cb3721f90b43a9892
Instruction ID: dc3375b999594c0be357671420b98ef51f8db84c411a98fc6cec63f68bf70afb
Opcode Fuzzy Hash: f61a3d41bd14c186405d1429a10d75f5c27d7775a5a10b0cb3721f90b43a9892
Instruction Fuzzy Hash: 9EF01D713106408EC729CE18C5C5F5A33A6AF96B50F52866EEC11C77A5D735E884C61A

Uniqueness

Uniqueness Score: -1.00%

Function 00466356, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aee15cb80fc53561b020737fff8a4227f415fb480f386f3ca92a442c6020dac7
Instruction ID: ab700f32d4592cc09d4d92f79b6e9884bc9bd3643bf88f6140f9af4b7ef9c7d7
Opcode Fuzzy Hash: aee15cb80fc53561b020737fff8a4227f415fb480f386f3ca92a442c6020dac7
Instruction Fuzzy Hash: 92F03071310601CFC729CE18C5C1F4A33A6AF96B60F12475EEC118B3A1D735E880CA56

Uniqueness

Uniqueness Score: -1.00%

Function 004634DA, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69190b5898aaf784f4e043f6b58b32385431edef70202112e52c30ac09e71402
Instruction ID: 732e3c5769f013e054707769a930a1a75ccf47a0693c246afdfe271541423886
Opcode Fuzzy Hash: 69190b5898aaf784f4e043f6b58b32385431edef70202112e52c30ac09e71402
Instruction Fuzzy Hash: 14C04C76B515848FFB45CE08D591B8477A5BB52A84BD94494E402DB611D328ED04C700

Uniqueness

Uniqueness Score: -1.00%

Function 00465A03, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1168805441.0000000000460000.00000040.00000001.sdmp, Offset: 00460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69845fc8603e024b4bf4de092e82d4f8a263401f2544aa4fd140c62b9eeb5718
Instruction ID: cb61f85d8212667da27b4cc79341768361af0bfcde562174510db87db1c86138
Opcode Fuzzy Hash: 69845fc8603e024b4bf4de092e82d4f8a263401f2544aa4fd140c62b9eeb5718
Instruction Fuzzy Hash: 24B09231722940CFCE99CE08C1C0E8073B5B700700F4104C1E00187B12C228E904CA02

Uniqueness

Uniqueness Score: -1.00%

Function 004132F4, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004132F4(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v48;
				void* _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				char _v92;
				signed int _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v116;
				signed int _v120;
				char _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _t79;
				signed int _t80;
				char* _t85;
				signed int _t90;
				signed int _t96;
				signed int _t101;
				intOrPtr _t105;
				intOrPtr _t117;
				void* _t119;
				signed int _t122;
				long long _t124;
				char _t125;

				_t124 = __fp0;
				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t117;
				_push(0x74);
				L00401260();
				_v12 = _t117;
				_v8 = 0x4011e8;
				_push(5);
				_push(0x411dcc);
				_t79 =  &_v48;
				_push(_t79);
				L0040132C();
				_v96 = _v96 & 0x00000000;
				if(_v96 >= 2) {
					L00401326();
					_v116 = _t79;
				} else {
					_v116 = _v116 & 0x00000000;
				}
				_t80 = _v96;
				asm("fld1");
				 *((long long*)(_v36 + _t80 * 8)) = _t124;
				_v96 = 1;
				_t119 = _v96 - 2;
				if(_t119 >= 0) {
					L00401326();
					_v120 = _t80;
				} else {
					_v120 = _v120 & 0x00000000;
				}
				_t105 = _v36;
				_t125 =  *0x4011e0;
				 *((long long*)(_t105 + _v96 * 8)) = _t125;
				_v92 =  &_v48;
				_push( &_v92);
				asm("fld1");
				_push(_t105);
				_push(_t105);
				_v56 = _t125;
				L00401320();
				L0040137A();
				asm("fcomp qword [0x4011d8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t119 != 0) {
					if( *0x41433c != 0) {
						_v124 = 0x41433c;
					} else {
						_push(0x41433c);
						_push(0x411d84);
						L00401338();
						_v124 = 0x41433c;
					}
					_t28 =  &_v124; // 0x41433c
					_v96 =  *((intOrPtr*)( *_t28));
					_t96 =  *((intOrPtr*)( *_v96 + 0x1c))(_v96,  &_v56);
					asm("fclex");
					_v100 = _t96;
					if(_v100 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x411d74);
						_push(_v96);
						_push(_v100);
						L00401356();
						_v128 = _t96;
					}
					_v104 = _v56;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t101 =  *((intOrPtr*)( *_v104 + 0x60))(_v104, L"Magterobringen", 0x10);
					asm("fclex");
					_v108 = _t101;
					_t122 = _v108;
					if(_t122 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x411d94);
						_push(_v104);
						_push(_v108);
						L00401356();
						_v132 = _t101;
					}
					L00401332();
				}
				asm("fldz");
				L004012C6();
				L0040137A();
				asm("fcomp qword [0x4011d8]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t122 != 0) {
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401260();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t90 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v96 = _t90;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x411b78);
						_push(_a4);
						_push(_v96);
						L00401356();
						_v136 = _t90;
					}
				}
				_v24 = 0x7131b;
				asm("wait");
				_push(0x41352c);
				_v92 =  &_v48;
				_t85 =  &_v92;
				_push(_t85);
				_push(0);
				L0040131A();
				return _t85;
			}

0x004132f4
0x004132f9
0x00413304
0x00413305
0x0041330c
0x0041330f
0x00413317
0x0041331a
0x00413321
0x00413323
0x00413328
0x0041332b
0x0041332c
0x00413331
0x00413339
0x00413341
0x00413346
0x0041333b
0x0041333b
0x0041333b
0x00413349
0x0041334f
0x00413351
0x00413354
0x0041335b
0x0041335f
0x00413367
0x0041336c
0x00413361
0x00413361
0x00413361
0x00413372
0x00413375
0x0041337b
0x00413381
0x00413387
0x00413388
0x0041338a
0x0041338b
0x0041338c
0x0041338f
0x00413394
0x00413399
0x0041339f
0x004133a1
0x004133a2
0x004133af
0x004133c9
0x004133b1
0x004133b1
0x004133b6
0x004133bb
0x004133c0
0x004133c0
0x004133d0
0x004133d5
0x004133e4
0x004133e7
0x004133e9
0x004133f0
0x00413409
0x004133f2
0x004133f2
0x004133f4
0x004133f9
0x004133fc
0x004133ff
0x00413404
0x00413404
0x00413410
0x00413413
0x0041341a
0x00413424
0x0041342e
0x0041342f
0x00413430
0x00413431
0x0041343f
0x00413442
0x00413444
0x00413447
0x0041344b
0x00413464
0x0041344d
0x0041344d
0x0041344f
0x00413454
0x00413457
0x0041345a
0x0041345f
0x0041345f
0x0041346b
0x0041346b
0x00413470
0x00413472
0x00413477
0x0041347c
0x00413482
0x00413484
0x00413485
0x00413487
0x0041348e
0x00413495
0x0041349c
0x004134a6
0x004134b0
0x004134b1
0x004134b2
0x004134b3
0x004134b7
0x004134c1
0x004134c2
0x004134c3
0x004134c4
0x004134cd
0x004134d3
0x004134d5
0x004134dc
0x004134fb
0x004134de
0x004134de
0x004134e3
0x004134e8
0x004134eb
0x004134ee
0x004134f3
0x004134f3
0x004134dc
0x00413502
0x00413509
0x0041350a
0x0041351d
0x00413520
0x00413523
0x00413524
0x00413526
0x0041352b

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 0041330F
__vbaAryConstruct2.MSVBVM60(?,00411DCC,00000005,?,?,?,?,00401266), ref: 0041332C
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411DCC,00000005), ref: 00413341
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00411DCC,00000005), ref: 00413367
#684.MSVBVM60(?,?,?), ref: 0041338F
__vbaFpR8.MSVBVM60(?,?,?), ref: 00413394
__vbaNew2.MSVBVM60(00411D84,0041433C,?,?,?), ref: 004133BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000002,00411D74,0000001C,?,?,?,?,?,?,?), ref: 004133FF
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?), ref: 00413424
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411D94,00000060,?,?,?,?,?,?,?), ref: 0041345A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?), ref: 0041346B
_CIcos.MSVBVM60(?,?,?), ref: 00413472
__vbaFpR8.MSVBVM60(?,?,?), ref: 00413477
__vbaChkstk.MSVBVM60(?,?,?), ref: 004134A6
__vbaChkstk.MSVBVM60(?,?,?), ref: 004134B7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411B78,000002B0), ref: 004134EE
__vbaAryDestruct.MSVBVM60(00000000,?,0041352C,?,?,?), ref: 00413526

Strings

Magterobringen, xrefs: 00413432
<CA, xrefs: 004133D0

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresult$BoundsErrorGenerate$#684Construct2DestructFreeIcosNew2
String ID: <CA$Magterobringen
API String ID: 2333708068-3107163244
Opcode ID: b7a524943c7e5d4e32b2b1b0a44585782b24745dd351e6a73ea6a04265c091b8
Instruction ID: 99acc9dcc8dc0eac377d12fb86edda2d8db1bfeec312ec4101716de84b82603f
Opcode Fuzzy Hash: b7a524943c7e5d4e32b2b1b0a44585782b24745dd351e6a73ea6a04265c091b8
Instruction Fuzzy Hash: D8612570D0060CEBDB11EFE5C946BDDBBB5BF08705F20406AE911BB2A1C7B95A859F08

Uniqueness

Uniqueness Score: -1.00%

Function 00412B94, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 108
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00412B94(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, char* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				signed int _v32;
				char _v48;
				short _v52;
				void* _v56;
				intOrPtr _v64;
				char _v72;
				char* _v80;
				char _v88;
				short _v92;
				short _t45;
				intOrPtr* _t46;
				signed int _t48;
				char* _t52;
				char* _t53;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401260();
				_v16 = _t71;
				_v12 = E00401108;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401266, _t68);
				_v64 = 0x80020004;
				_v72 = 0xa;
				_t45 =  &_v72;
				_push(_t45);
				L004013C8();
				_v52 = _t45;
				L004013C2();
				_t46 = _a8;
				_push( *_t46);
				_push(0x411d2c);
				L004013BC();
				if(_t46 != 0) {
					_v80 = _a8;
					_v88 = 0x4008;
					_push(0);
					_t48 =  &_v88;
					_push(_t48);
					L004013B0();
					L004013B6();
					_push(_t48);
					_push(0x411d2c);
					L004013BC();
					asm("sbb eax, eax");
					_v92 =  ~( ~_t48 + 1);
					L004013AA();
					_t52 = _v92;
					if(_t52 == 0) {
						_t53 = _a8;
						_push( *_t53);
						_push(_v52);
						_push(0xffffffff);
						_push(1);
						L004013A4();
						while(1) {
							_push(_v52);
							L0040139E();
							_t52 = _t53;
							if(_t52 != 0) {
								break;
							}
							_push(_v52);
							_push( &_v28);
							L00401398();
							_v80 =  &_v28;
							_v88 = 0x4008;
							_push(0x10);
							L00401260();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(1);
							_push("Add");
							_t53 =  &_v48;
							_push(_t53);
							L0040138C();
							_push(_t53);
							L00401392();
							_t71 = _t71 + 0x1c;
						}
						_push(_v52);
						L00401386();
						L00401380();
						_v32 = _v32 | 0x0000ffff;
					} else {
						_v32 = _v32 & 0x00000000;
					}
				} else {
					_v32 = _v32 & 0x00000000;
				}
				_push(0x412d03);
				L004013AA();
				L004013C2();
				return _t52;
			}

0x00412b97
0x00412ba6
0x00412bb0
0x00412bb8
0x00412bbb
0x00412bc2
0x00412bd1
0x00412bd4
0x00412bdb
0x00412be2
0x00412be5
0x00412be6
0x00412beb
0x00412bf2
0x00412bf7
0x00412bfa
0x00412bfc
0x00412c01
0x00412c08
0x00412c17
0x00412c1a
0x00412c21
0x00412c23
0x00412c26
0x00412c27
0x00412c31
0x00412c36
0x00412c37
0x00412c3c
0x00412c43
0x00412c48
0x00412c4f
0x00412c54
0x00412c5a
0x00412c63
0x00412c66
0x00412c68
0x00412c6b
0x00412c6d
0x00412c6f
0x00412c74
0x00412c74
0x00412c77
0x00412c7c
0x00412c81
0x00000000
0x00000000
0x00412c83
0x00412c89
0x00412c8a
0x00412c92
0x00412c95
0x00412c9c
0x00412c9f
0x00412ca9
0x00412caa
0x00412cab
0x00412cac
0x00412cad
0x00412caf
0x00412cb4
0x00412cb7
0x00412cb8
0x00412cbd
0x00412cbe
0x00412cc3
0x00412cc3
0x00412cc8
0x00412ccb
0x00412cd0
0x00412cd5
0x00412c5c
0x00412c5c
0x00412c5c
0x00412c0a
0x00412c0a
0x00412c0a
0x00412cda
0x00412cf5
0x00412cfd
0x00412d02

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00412BB0
#648.MSVBVM60(0000000A), ref: 00412BE6
__vbaFreeVar.MSVBVM60(0000000A), ref: 00412BF2
__vbaStrCmp.MSVBVM60(00411D2C,?,0000000A), ref: 00412C01
#645.MSVBVM60(?,00000000,00411D2C,?,0000000A), ref: 00412C27
__vbaStrMove.MSVBVM60(?,00000000,00411D2C,?,0000000A), ref: 00412C31
__vbaStrCmp.MSVBVM60(00411D2C,00000000,?,00000000,00411D2C,?,0000000A), ref: 00412C3C
__vbaFreeStr.MSVBVM60(00411D2C,00000000,?,00000000,00411D2C,?,0000000A), ref: 00412C4F
__vbaFreeStr.MSVBVM60(00412D03,?,?,00000001,000000FF,?,?,00411D2C,00000000,?,00000000,00411D2C,?,0000000A), ref: 00412CF5
__vbaFreeVar.MSVBVM60(00412D03,?,?,00000001,000000FF,?,?,00411D2C,00000000,?,00000000,00411D2C,?,0000000A), ref: 00412CFD

Strings

Add, xrefs: 00412CAF

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#645#648ChkstkMove
String ID: Add
API String ID: 4182468812-3310826759
Opcode ID: 64509dcc8a90914e5a8273ca3190c8644db0434c28d74e4b017e7305aced4966
Instruction ID: f3c6c9a0b12bbd90ceebc1b0fbc645e1706d30ebfdfb5af8dcc3bcdde0995473
Opcode Fuzzy Hash: 64509dcc8a90914e5a8273ca3190c8644db0434c28d74e4b017e7305aced4966
Instruction Fuzzy Hash: 1C413F71D10208AADB10EFE5C946BDEBBB4AF04704F10412AFA01FB5E1EB7C95558B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413775, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00413775(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				short _v28;
				short _v32;
				char _v36;
				void* _v40;
				signed int _v44;
				signed int _v48;
				void* _v52;
				signed int _v56;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				void* _t53;
				signed int _t59;
				signed int _t64;
				short _t65;
				signed int _t68;
				void* _t74;
				void* _t76;
				intOrPtr* _t77;

				_t77 = _t76 - 0xc;
				 *[fs:0x0] = _t77;
				L00401260();
				_v16 = _t77;
				_v12 = 0x401248;
				_v8 = 0;
				_t53 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401266, _t74);
				_push(0x411e18);
				L004012FC();
				asm("fcomp qword [0x4011e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					L004012F6();
					_v52 =  *0x40123c;
					_v56 =  *0x401238;
					 *_t77 =  *0x401234;
					 *_t77 =  *0x401230;
					_t68 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t53);
					asm("fclex");
					_v44 = _t68;
					if(_v44 >= 0) {
						_t15 =  &_v68;
						 *_t15 = _v68 & 0x00000000;
						__eflags =  *_t15;
					} else {
						_push(0x2c8);
						_push(0x411b78);
						_push(_a4);
						_push(_v44);
						L00401356();
						_v68 = _t68;
					}
				}
				if( *0x41433c != 0) {
					_v72 = 0x41433c;
				} else {
					_push(0x41433c);
					_push(0x411d84);
					L00401338();
					_v72 = 0x41433c;
				}
				_t19 =  &_v72; // 0x41433c
				_v44 =  *((intOrPtr*)( *_t19));
				_t59 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t59;
				if(_v48 >= 0) {
					_t30 =  &_v76;
					 *_t30 = _v76 & 0x00000000;
					__eflags =  *_t30;
				} else {
					_push(0x14);
					_push(0x411d74);
					_push(_v44);
					_push(_v48);
					L00401356();
					_v76 = _t59;
				}
				_v52 = _v36;
				_t64 =  *((intOrPtr*)( *_v52 + 0x120))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t64;
				if(_v56 >= 0) {
					_t43 =  &_v80;
					 *_t43 = _v80 & 0x00000000;
					__eflags =  *_t43;
				} else {
					_push(0x120);
					_push(0x411e1c);
					_push(_v52);
					_push(_v56);
					L00401356();
					_v80 = _t64;
				}
				_t65 = _v40;
				_v32 = _t65;
				L00401332();
				_v28 = 0xf6;
				asm("wait");
				_push(0x413905);
				return _t65;
			}

0x00413778
0x00413787
0x00413791
0x00413799
0x0041379c
0x004137a3
0x004137b2
0x004137b5
0x004137ba
0x004137bf
0x004137c5
0x004137c7
0x004137c8
0x004137d0
0x004137dd
0x004137e7
0x004137f1
0x004137fb
0x00413808
0x0041380e
0x00413810
0x00413817
0x00413833
0x00413833
0x00413833
0x00413819
0x00413819
0x0041381e
0x00413823
0x00413826
0x00413829
0x0041382e
0x0041382e
0x00413817
0x0041383e
0x00413858
0x00413840
0x00413840
0x00413845
0x0041384a
0x0041384f
0x0041384f
0x0041385f
0x00413864
0x00413873
0x00413876
0x00413878
0x0041387f
0x00413898
0x00413898
0x00413898
0x00413881
0x00413881
0x00413883
0x00413888
0x0041388b
0x0041388e
0x00413893
0x00413893
0x0041389f
0x004138ae
0x004138b4
0x004138b6
0x004138bd
0x004138d9
0x004138d9
0x004138d9
0x004138bf
0x004138bf
0x004138c4
0x004138c9
0x004138cc
0x004138cf
0x004138d4
0x004138d4
0x004138dd
0x004138e1
0x004138e8
0x004138ed
0x004138f3
0x004138f4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00413791
__vbaR8Str.MSVBVM60(00411E18,?,?,?,?,00401266), ref: 004137BA
__vbaFpI4.MSVBVM60(00411E18,?,?,?,?,00401266), ref: 004137D0
__vbaHresultCheckObj.MSVBVM60(00000000,00401248,00411B78,000002C8), ref: 00413829
__vbaNew2.MSVBVM60(00411D84,0041433C,00411E18,?,?,?,?,00401266), ref: 0041384A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411D74,00000014), ref: 0041388E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E1C,00000120), ref: 004138CF
__vbaFreeObj.MSVBVM60 ref: 004138E8

Strings

<CA, xrefs: 0041385F

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: <CA
API String ID: 1616694062-146778150
Opcode ID: 4f280201837d95ad95d113a57d6f37a8ffda251e8d7392a71ae6bdeb0bb625ed
Instruction ID: 91ac60f867d391809d120d0333bf077e822ad6b7fc80a053ccac3b3905142597
Opcode Fuzzy Hash: 4f280201837d95ad95d113a57d6f37a8ffda251e8d7392a71ae6bdeb0bb625ed
Instruction Fuzzy Hash: 4B410171A10208EFCB00AFA5CA49BDDBBF4FF08705F1040AAF501B62A0C77899959F69

Uniqueness

Uniqueness Score: -1.00%

Function 0041318C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 33%

			E0041318C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				signed int _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				signed int _v56;
				char _v60;
				signed int _v64;
				signed int _v68;
				signed int _t44;
				signed int _t50;
				signed int _t56;
				intOrPtr _t64;

				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t64;
				_push(0x30);
				L00401260();
				_v12 = _t64;
				_v8 = 0x4011c8;
				L004012DE();
				L0040137A();
				asm("fcomp qword [0x4011b8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_t56 =  *((intOrPtr*)( *_a4 + 0x254))(_a4, 0x30ef);
					asm("fclex");
					_v36 = _t56;
					if(_v36 >= 0) {
						_t11 =  &_v56;
						 *_t11 = _v56 & 0x00000000;
						__eflags =  *_t11;
					} else {
						_push(0x254);
						_push(0x411b78);
						_push(_a4);
						_push(_v36);
						L00401356();
						_v56 = _t56;
					}
				}
				_t44 = 0;
				if(0 != 0) {
					if( *0x41433c != 0) {
						_v60 = 0x41433c;
					} else {
						_push(0x41433c);
						_push(0x411d84);
						L00401338();
						_v60 = 0x41433c;
					}
					_t15 =  &_v60; // 0x41433c
					_v36 =  *((intOrPtr*)( *_t15));
					_t50 =  *((intOrPtr*)( *_v36 + 0x1c))(_v36,  &_v32);
					asm("fclex");
					_v40 = _t50;
					if(_v40 >= 0) {
						_t26 =  &_v64;
						 *_t26 = _v64 & 0x00000000;
						__eflags =  *_t26;
					} else {
						_push(0x1c);
						_push(0x411d74);
						_push(_v36);
						_push(_v40);
						L00401356();
						_v64 = _t50;
					}
					_v44 = _v32;
					_t44 =  *((intOrPtr*)( *_v44 + 0x50))(_v44);
					asm("fclex");
					_v48 = _t44;
					if(_v48 >= 0) {
						_t38 =  &_v68;
						 *_t38 = _v68 & 0x00000000;
						__eflags =  *_t38;
					} else {
						_push(0x50);
						_push(0x411d94);
						_push(_v44);
						_push(_v48);
						L00401356();
						_v68 = _t44;
					}
					L00401332();
				}
				_v28 =  *0x4011b0;
				asm("wait");
				_push(0x4132d9);
				return _t44;
			}

0x00413191
0x0041319c
0x0041319d
0x004131a4
0x004131a7
0x004131af
0x004131b2
0x004131bf
0x004131c4
0x004131c9
0x004131cf
0x004131d1
0x004131d2
0x004131e1
0x004131e7
0x004131e9
0x004131f0
0x0041320c
0x0041320c
0x0041320c
0x004131f2
0x004131f2
0x004131f7
0x004131fc
0x004131ff
0x00413202
0x00413207
0x00413207
0x004131f0
0x00413210
0x00413214
0x00413221
0x0041323b
0x00413223
0x00413223
0x00413228
0x0041322d
0x00413232
0x00413232
0x00413242
0x00413247
0x00413256
0x00413259
0x0041325b
0x00413262
0x0041327b
0x0041327b
0x0041327b
0x00413264
0x00413264
0x00413266
0x0041326b
0x0041326e
0x00413271
0x00413276
0x00413276
0x00413282
0x0041328d
0x00413290
0x00413292
0x00413299
0x004132b2
0x004132b2
0x004132b2
0x0041329b
0x0041329b
0x0041329d
0x004132a2
0x004132a5
0x004132a8
0x004132ad
0x004132ad
0x004132b9
0x004132b9
0x004132c4
0x004132c7
0x004132c8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 004131A7
_CIsqrt.MSVBVM60(?,?,?,?,00401266), ref: 004131BF
__vbaFpR8.MSVBVM60(?,?,?,?,00401266), ref: 004131C4
__vbaHresultCheckObj.MSVBVM60(?,?,00411B78,00000254,?,?,?,?,00401266), ref: 00413202
__vbaNew2.MSVBVM60(00411D84,0041433C,?,?,?,?,00401266), ref: 0041322D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411D74,0000001C,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 00413271
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411D94,00000050,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 004132A8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401266), ref: 004132B9

Strings

<CA, xrefs: 00413242

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeIsqrtNew2
String ID: <CA
API String ID: 987039556-146778150
Opcode ID: 7985daff6537f65bccafbb02a90a620334c2eb6ae68c2492e550410b97f31a26
Instruction ID: b85958ae076c696ec4dffaa75b73db012c90946d5ef724da14da95a8003e265d
Opcode Fuzzy Hash: 7985daff6537f65bccafbb02a90a620334c2eb6ae68c2492e550410b97f31a26
Instruction Fuzzy Hash: 4B410771A40608EFDF00AFA5D94ABDDBBB4FB08715F1040AAF501B62A1D7795984DF2C

Uniqueness

Uniqueness Score: -1.00%

Function 00413547, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00413547(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				char* _v100;
				intOrPtr _v108;
				char* _t30;
				void* _t43;
				void* _t45;
				intOrPtr _t46;

				_t46 = _t45 - 0xc;
				 *[fs:0x0] = _t46;
				L00401260();
				_v16 = _t46;
				_v12 = 0x4011f8;
				_v8 = 0;
				_t30 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401266, _t43);
				_push(0x411de8);
				L00401314();
				if(_t30 != 2) {
					_v84 = 0x80020004;
					_v92 = 0xa;
					_v68 = 0x80020004;
					_v76 = 0xa;
					_v52 = 0x80020004;
					_v60 = 0xa;
					_v100 = L"HEPATATROPHY";
					_v108 = 8;
					L0040136E();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_push(0);
					_push( &_v44);
					L0040130E();
					_push( &_v92);
					_push( &_v76);
					_push( &_v60);
					_t30 =  &_v44;
					_push(_t30);
					_push(4);
					L00401308();
				}
				_push(0x411e10);
				L00401302();
				if(_t30 == 0x61) {
					_v28 = 0x32bb;
				}
				_push(0x413647);
				return _t30;
			}

0x0041354a
0x00413559
0x00413565
0x0041356d
0x00413570
0x00413577
0x00413586
0x00413589
0x0041358e
0x00413596
0x00413598
0x0041359f
0x004135a6
0x004135ad
0x004135b4
0x004135bb
0x004135c2
0x004135c9
0x004135d6
0x004135de
0x004135e2
0x004135e6
0x004135e7
0x004135ec
0x004135ed
0x004135f5
0x004135f9
0x004135fd
0x004135fe
0x00413601
0x00413602
0x00413604
0x00413609
0x0041360c
0x00413611
0x0041361a
0x0041361e
0x0041361e
0x00413624
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 00413565
__vbaLenBstrB.MSVBVM60(00411DE8,?,?,?,?,00401266), ref: 0041358E
__vbaVarDup.MSVBVM60 ref: 004135D6
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 004135ED
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 00413604
#516.MSVBVM60(00411E10,00411DE8,?,?,?,?,00401266), ref: 00413611

Strings

HEPATATROPHY, xrefs: 004135C2

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#516#595BstrChkstkFreeList
String ID: HEPATATROPHY
API String ID: 3121728414-4183309565
Opcode ID: c5152f8a8b1b6c8ee5cec0452e3af3dc094e0fa8b8d6a2e88ed6a76e1eb7fc40
Instruction ID: 00adb207a02d1473b06d70203a5a30d3ca617f1577dd52c080abed4368ab8e5d
Opcode Fuzzy Hash: c5152f8a8b1b6c8ee5cec0452e3af3dc094e0fa8b8d6a2e88ed6a76e1eb7fc40
Instruction Fuzzy Hash: 1A21E9B1900248EBDB11DFD4C886BDEBBB8FF04704F54402AE501BA291D7789685CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00413670, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00413670(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr* _v12;
				void* _v24;
				char _v32;
				char _v40;
				signed int _v60;
				signed int _v68;
				void* _t20;
				char* _t21;
				signed int _t24;
				intOrPtr* _t35;

				_push(__ecx);
				_push(__ecx);
				_push(0x401266);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t35;
				_t20 = 0x30;
				L00401260();
				_v12 = _t35;
				_v8 = 0x401220;
				_push(0x411e18);
				L004012FC();
				asm("fcomp qword [0x4011e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					L004012F6();
					 *_t35 =  *0x401214;
					 *_t35 =  *0x401210;
					 *_t35 =  *0x40120c;
					 *_t35 =  *0x401208;
					_t24 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, __ecx, __ecx, __ecx, __ecx, _t20);
					asm("fclex");
					_v60 = _t24;
					if(_v60 >= 0) {
						_t11 =  &_v68;
						 *_t11 = _v68 & 0x00000000;
						__eflags =  *_t11;
					} else {
						_push(0x2c8);
						_push(0x411b78);
						_push(_a4);
						_push(_v60);
						L00401356();
						_v68 = _t24;
					}
				}
				_v32 = 2;
				_v40 = 2;
				_t21 =  &_v40;
				_push(_t21);
				L004012F0();
				L004013B6();
				L004013C2();
				asm("wait");
				_push(0x413762);
				L004013AA();
				return _t21;
			}

0x00413673
0x00413674
0x00413675
0x00413680
0x00413681
0x0041368a
0x0041368b
0x00413693
0x00413696
0x0041369d
0x004136a2
0x004136a7
0x004136ad
0x004136af
0x004136b0
0x004136b8
0x004136c5
0x004136cf
0x004136d9
0x004136e3
0x004136f0
0x004136f6
0x004136f8
0x004136ff
0x0041371b
0x0041371b
0x0041371b
0x00413701
0x00413701
0x00413706
0x0041370b
0x0041370e
0x00413711
0x00413716
0x00413716
0x004136ff
0x0041371f
0x00413726
0x0041372d
0x00413730
0x00413731
0x0041373b
0x00413743
0x00413748
0x00413749
0x0041375c
0x00413761

APIs

__vbaChkstk.MSVBVM60(?,00401266), ref: 0041368B
__vbaR8Str.MSVBVM60(00411E18,?,?,?,?,00401266), ref: 004136A2
__vbaFpI4.MSVBVM60(00411E18,?,?,?,?,00401266), ref: 004136B8
__vbaHresultCheckObj.MSVBVM60(?,?,00411B78,000002C8,?,?,?,?,00000000,00411E18,?,?,?,?,00401266), ref: 00413711
#536.MSVBVM60(?,00411E18,?,?,?,?,00401266), ref: 00413731
__vbaStrMove.MSVBVM60(?,00411E18,?,?,?,?,00401266), ref: 0041373B
__vbaFreeVar.MSVBVM60(?,00411E18,?,?,?,?,00401266), ref: 00413743
__vbaFreeStr.MSVBVM60(00413762,?,00411E18,?,?,?,?,00401266), ref: 0041375C

Memory Dump Source

Source File: 00000000.00000002.1168725154.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1168692524.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1168775449.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1168781846.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536CheckChkstkHresultMove
String ID:
API String ID: 2640481455-0
Opcode ID: 86e084480fc773c146371a5250870227f2fefa522688d3afc0232228b6051a9d
Instruction ID: dde46d2a03f639868d807a4ca7631bd745445d6339ec343d2d543c1958b87105
Opcode Fuzzy Hash: 86e084480fc773c146371a5250870227f2fefa522688d3afc0232228b6051a9d
Instruction Fuzzy Hash: 202139B1901208EFDB00AF91C94ABAEBBB4EB04745F1085AEF141B61F1D7785A509B59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report gedanken.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: gedanken.exe PID: 6880 Parent PID: 5912

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: gedanken.exe PID: 6880 Parent PID: 5912 gedanken.exeCOMMON

Executed Functions

Function 0040946F, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1044COMMON

Function 00412D2C, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 254COMMON

Function 004094A0, Relevance: 25.0, APIs: 1, Strings: 15, Instructions: 1020memoryCOMMON

Function 0040947E, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1043COMMON

Function 0040946F, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1044
COMMON

Function 00412D2C, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 254
COMMON

Function 0040947E, Relevance: 23.5, APIs: 1, Strings: 14, Instructions: 1043
COMMON

Function 004013E8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123
COMMON

Function 00409DFC, Relevance: 2.1, APIs: 1, Instructions: 855
COMMON

Function 00409FA9, Relevance: 2.1, APIs: 1, Instructions: 815
COMMON

Function 00409F66, Relevance: 1.9, APIs: 1, Instructions: 682
memoryCOMMON

Function 0040A423, Relevance: 1.9, APIs: 1, Instructions: 632
COMMON

Function 0040A1E8, Relevance: 1.9, APIs: 1, Instructions: 624
COMMON

Function 0040A5D3, Relevance: 1.8, APIs: 1, Instructions: 522
memoryCOMMON

Function 0040A669, Relevance: 1.7, APIs: 1, Instructions: 497
COMMON

Function 004132F4, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 174
COMMON

Function 00412B94, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 108
COMMON

Function 00413775, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 116
COMMON

Function 0041318C, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98
COMMON

Function 00413547, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 64
COMMON

Function 00413670, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON