
Windows Analysis Report LzbZ4T1iV8.exe

Overview

General Information

Sample Name:LzbZ4T1iV8.exe
Analysis ID:458125
MD5:41e1bc9de5f3b61639fb88143e933ff8
SHA1:432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
SHA256:d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
Tags:exe

Detection

GuLoader
Score:84
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Detected potential crypto function
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • LzbZ4T1iV8.exe (PID: 3412 cmdline: 'C:\Users\user\Desktop\LzbZ4T1iV8.exe' MD5: 41E1BC9DE5F3B61639FB88143E933FF8)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}

Yara Overview

Memory Dumps

• Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Author: Joe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview


    AV Detection:

    Found malware configuration
    Source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUuqVZw139.bin^"}
    Multi AV Scanner detection for submitted file
    Source: LzbZ4T1iV8.exe | Virustotal: Detection: 17%
    Source: LzbZ4T1iV8.exe | ReversingLabs: Detection: 17%
    Machine Learning detection for sample
    Source: LzbZ4T1iV8.exe | Joe Sandbox ML: detected
    Source: LzbZ4T1iV8.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: http://101.99.94.119/WEALTH_PRUuqVZw139.bin^
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 NtAllocateVirtualMemory, 1_2_021758B1
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758FA NtAllocateVirtualMemory, 1_2_021758FA
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404478
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404418
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404834
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004036F0
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004034F4
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00403488
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004046B4
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404774
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00404534
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004045F4
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004035B2
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004043B8
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02174C19
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217424C
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02173C48
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217249F
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172899
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217808E
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021756A3
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172EA2
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02177AD9
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021742C4
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021720C0
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172CF2
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021720FE
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02177F34
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217474F
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02171D73
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02170567
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02171D68
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02173FBC
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021743A8
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021761C5
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021777FF
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021793FB
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021793EC
    Source: LzbZ4T1iV8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: LzbZ4T1iV8.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: LzbZ4T1iV8.exe, 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
    Source: LzbZ4T1iV8.exe, 00000001.00000002.742262419.0000000002120000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs LzbZ4T1iV8.exe
    Source: LzbZ4T1iV8.exe | Binary or memory string: OriginalFilenameGYMNOSPERMAE.exe vs LzbZ4T1iV8.exe
    Source: LzbZ4T1iV8.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engine | Classification label: mal84.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | File created: C:\Users\user\AppData\Local\Temp\~DFE493499F9C12E32C.TMP
    Source: LzbZ4T1iV8.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: LzbZ4T1iV8.exe | Virustotal: Detection: 17%
    Source: LzbZ4T1iV8.exe | ReversingLabs: Detection: 17%

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_004018D2 push fs; retf 1_2_004018D4
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217A006 pushfd ; iretd 1_2_0217A007
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217662F push cs; iretd 1_2_02176630
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02176075 push 39F54C89h; retf 1_2_0217607A
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02178694 push E886E32Ah; iretd 1_2_0217869C
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02179F30 pushfd ; retf 1_2_02179F43
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02175D44 push edx; ret 1_2_02175D4A
    Source: initial sample | Static PE information: section name: .text entropy: 7.08169017725
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Detected RDTSC dummy instruction sequence (likely for instruction hammering)
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002177542 second address: 0000000002177542 instructions:
    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 00000000021774C3 second address: 0000000002177542 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push D90E6CFBh 0x00000010 call 00007FEAE0DD0522h 0x00000015 mov dword ptr [ebp+04h], eax 0x00000018 mov ebx, dword ptr [eax+3Ch] 0x0000001b add eax, ebx 0x0000001d mov ebx, dword ptr [eax+78h] 0x00000020 mov eax, dword ptr [ebp+04h] 0x00000023 add eax, ebx 0x00000025 mov ecx, dword ptr [eax+18h] 0x00000028 mov dword ptr [ebp+08h], ecx 0x0000002b mov ecx, dword ptr [eax+1Ch] 0x0000002e mov dword ptr [ebp+14h], ecx 0x00000031 mov ecx, dword ptr [eax+24h] 0x00000034 mov dword ptr [ebp+10h], ecx 0x00000037 mov esi, dword ptr [eax+20h] 0x0000003a add esi, dword ptr [ebp+04h] 0x0000003d xor ecx, ecx 0x0000003f mov edx, dword ptr [esi] 0x00000041 add edx, dword ptr [ebp+04h] 0x00000044 mov dword ptr [ebp+000001F3h], eax 0x0000004a test si, 2E1Ah 0x0000004f mov eax, ecx 0x00000051 push eax 0x00000052 mov eax, dword ptr [ebp+000001F3h] 0x00000058 mov dword ptr [ebp+000001C8h], ebx 0x0000005e mov ebx, esi 0x00000060 push ebx 0x00000061 pushad 0x00000062 rdtsc
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002177542 second address: 0000000002177542 instructions:
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 000000000217734C second address: 000000000217734C instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 inc ebx 0x00000004 inc edx 0x00000005 dec ecx 0x00000006 test ecx, ecx 0x00000008 jne 00007FEAE0DD04EEh 0x0000000a mov al, byte ptr [edx] 0x0000000c mov byte ptr [ebx], al 0x0000000e pushad 0x0000000f mov ecx, 00000009h 0x00000014 rdtsc
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002178236 second address: 0000000002178261 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esi, 6F48A402h 0x00000011 cmp dword ptr [edi+14h], esi 0x00000014 mov esi, dword ptr [ebp+000001F0h] 0x0000001a je 00007FEAE0DEEEE5h 0x0000001c mov dword ptr [ebp+00000246h], eax 0x00000022 mov eax, 3E9A0B50h 0x00000027 pushad 0x00000028 lfence 0x0000002b rdtsc
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | RDTSC instruction interceptor: First address: 0000000002177D0C second address: 0000000002177D0C instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00B1C905h 0x00000007 xor eax, AE894D5Ah 0x0000000c xor eax, 9A90F0F9h 0x00000011 add eax, CB578B5Bh 0x00000016 cpuid 0x00000018 test ch, dh 0x0000001a popad 0x0000001b call 00007FEAE0DD050Bh 0x00000020 lfence 0x00000023 mov edx, 770EC33Bh 0x00000028 sub edx, 4238A07Dh 0x0000002e xor edx, 9CFEAEA4h 0x00000034 xor edx, D7D68C0Eh 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f jmp 00007FEAE0DD05E9h 0x00000044 test ch, ah 0x00000046 ret 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a add edi, edx 0x0000004c dec dword ptr [ebp+000000F8h] 0x00000052 cmp dword ptr [ebp+000000F8h], 00000000h 0x00000059 jne 00007FEAE0DD04EAh 0x0000005b cmp edx, eax 0x0000005d call 00007FEAE0DD054Ch 0x00000062 call 00007FEAE0DD052Eh 0x00000067 lfence 0x0000006a mov edx, 770EC33Bh 0x0000006f sub edx, 4238A07Dh 0x00000075 xor edx, 9CFEAEA4h 0x0000007b xor edx, D7D68C0Eh 0x00000081 mov edx, dword ptr [edx] 0x00000083 lfence 0x00000086 jmp 00007FEAE0DD05E9h 0x0000008b test ch, ah 0x0000008d ret 0x0000008e mov esi, edx 0x00000090 pushad 0x00000091 rdtsc
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 rdtsc 1_2_021758B1
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    Found potential dummy code loops (likely to delay analysis)
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Process Stats: CPU usage > 90% for more than 60s
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021758B1 rdtsc 1_2_021758B1
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02175461 mov eax, dword ptr fs:[00000030h] 1_2_02175461
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_02172CF2 mov eax, dword ptr fs:[00000030h] 1_2_02172CF2
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_021778E2 mov eax, dword ptr fs:[00000030h] 1_2_021778E2
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_0217735B mov eax, dword ptr fs:[00000030h] 1_2_0217735B
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: LzbZ4T1iV8.exe, 00000001.00000002.741953345.0000000000C50000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\LzbZ4T1iV8.exe | Code function: 1_2_00401A45 cpuid 1_2_00401A45

    Mitre Att&ck Matrix

    Techniques per tactic column (the number after a technique is the count shown in the matrix cell):

    • Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts
    • Execution: Windows Management Instrumentation, Scheduled Task/Job, At (Linux), At (Windows)
    • Persistence: Path Interception, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    • Privilege Escalation: Process Injection 1, Boot or Logon Initialization Scripts, Logon Script (Windows), Logon Script (Mac)
    • Defense Evasion: Virtualization/Sandbox Evasion 11, Software Packing 1, Process Injection 1, Obfuscated Files or Information 2
    • Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS
    • Discovery: Security Software Discovery 31, Virtualization/Sandbox Evasion 11, Process Discovery 1, System Information Discovery 211
    • Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model
    • Collection: Archive Collected Data 1, Data from Removable Media, Data from Network Shared Drive, Input Capture
    • Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Scheduled Transfer
    • Command and Control: Encrypted Channel 1, Application Layer Protocol 1, Steganography, Protocol Impersonation
    • Network Effects: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap
    • Remote Service Effects: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups, Carrier Billing Fraud
    • Impact: Modify System Partition, Device Lockout, Delete Device Data

    Behavior Graph


    Screenshots


    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    Source | Detection | Scanner | Label
    LzbZ4T1iV8.exe | 18% | Virustotal |
    LzbZ4T1iV8.exe | 18% | ReversingLabs | Win32.Trojan.Vebzenpak
    LzbZ4T1iV8.exe | 100% | Joe Sandbox ML |

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    Source | Detection | Scanner | Label
    http://101.99.94.119/WEALTH_PRUuqVZw139.bin^ | 0% | Avira URL Cloud | safe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    Name | Malicious | Antivirus Detection | Reputation
    http://101.99.94.119/WEALTH_PRUuqVZw139.bin^ | true | Avira URL Cloud: safe | unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:458125
    Start date:02.08.2021
    Start time:21:08:12
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 15s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:LzbZ4T1iV8.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:31
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal84.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:
    • Successful, ratio: 33% (good quality ratio 14%)
    • Quality average: 21.8%
    • Quality standard deviation: 28.5%
    HCA Information:Failed
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
    • Not all processes were analyzed; the report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):6.659892921422715
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:LzbZ4T1iV8.exe
    File size:114688
    MD5:41e1bc9de5f3b61639fb88143e933ff8
    SHA1:432531c5a0f7f82b8ec10e7f3fde1b51ebd3d0e8
    SHA256:d32cf33f8f64824f799ca44e9988ddc517e88db1235f93792d3ed2ddaa48e35f
    SHA512:75135a1977450f914d77247938987ee40b45443ebb187ff7b7a2b1c83f9b1f32744b0ccdefecc7df20ec4be01543bac216fc56de8fbf18448625140c1b4264fe
    SSDEEP:1536:rI3BiEocy06WRx+Hfzae+8S6JxdQC+gz6DN1QmiPYlmcy06W++eI3B:rEvBD2C6byC+g6NzlVB++
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....TU.................@..........D........P....@................

    File Icon

    Icon Hash:352d25253517a525

    Static PE Info

    General

    Entrypoint:0x401144
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x555407E7 [Thu May 14 02:26:47 2015 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:5565993a5a9f2bfb76f28ab304be6bc1

    Entrypoint Preview

    Instruction
    push 00406B40h
    call 00007FEAE0A51025h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], ah
    or dword ptr [edi+512C9312h], ebx
    inc edx
    test eax, FF47123Eh
    add dl, byte ptr [ebx-07h]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add dword ptr [eax], eax
    add byte ptr [eax], al
    inc edx
    add byte ptr [esi], al
    push eax
    add dword ptr [ecx], 53h
    push ebp
    inc edx
    dec ecx
    dec esi
    inc esi
    inc ebp
    push ebp
    inc esp
    inc ecx
    push esp
    inc ebp
    add byte ptr [eax], ch
    or eax, dword ptr [ebx]
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    pop es
    pop edi
    push ecx
    xchg eax, edx
    add ebp, esp
    inc ebp
    fiadd dword ptr [ecx-78h]
    jp 00007FEAE0A50FD5h
    arpl word ptr [esi-5Dh], bx
    daa
    push 0000005Fh
    adc al, 07h
    pop ds
    enter 7288h, 4Dh
    stosb
    ret
    jp 00007FEAE0A51076h
    fdivr qword ptr [edi+4F3AAE67h]
    lodsd
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push edx
    pop ecx
    add byte ptr [eax], al
    sub byte ptr [eax+00h], bl
    add byte ptr [eax], al
    or eax, dword ptr [eax]
    push eax
    inc ecx
    dec esp
    dec esp
    inc edx
    inc ebp
    inc ecx
    push edx
    inc ebp
    push edx
    push ebx
    add byte ptr [43000701h], cl
    inc ebp
    dec ebp

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14b74 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5b9e | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x7c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x13df4 | 0x14000 | False | 0.652099609375 | data | 7.08169017725 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x15000 | 0x115c | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x17000 | 0x5b9e | 0x6000 | False | 0.545817057292 | data | 6.02928789817 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x1bcf6 | 0xea8 | data | |
    RT_ICON | 0x1b44e | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 3457162792, next used block 3459124259 | |
    RT_ICON | 0x1aee6 | 0x568 | GLS_BINARY_LSB_FIRST | |
    RT_ICON | 0x1893e | 0x25a8 | data | |
    RT_ICON | 0x17896 | 0x10a8 | data | |
    RT_ICON | 0x1742e | 0x468 | GLS_BINARY_LSB_FIRST | |
    RT_GROUP_ICON | 0x173d4 | 0x5a | data | |
    RT_VERSION | 0x171e0 | 0x1f4 | data | Chinese | Taiwan

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

    Version Infos

    Description | Data
    Translation | 0x0404 0x04b0
    ProductVersion | 1.00
    InternalName | GYMNOSPERMAE
    FileVersion | 1.00
    OriginalFilename | GYMNOSPERMAE.exe
    ProductName | COMANAGE

    Possible Origin

    Language of compilation system | Country where language is spoken
    Chinese | Taiwan

    Network Behavior

    No network behavior found

    Code Manipulations


    System Behavior

    General

    Start time:21:09:06
    Start date:02/08/2021
    Path:C:\Users\user\Desktop\LzbZ4T1iV8.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\LzbZ4T1iV8.exe'
    Imagebase:0x400000
    File size:114688 bytes
    MD5 hash:41E1BC9DE5F3B61639FB88143E933FF8
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis


      Executed Functions

      APIs
      • NtAllocateVirtualMemory.NTDLL(-228365FB,000005C4), ref: 02175AF4
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 67fa8bf9bbf29263685405a4552bb15cda08e2a2806587241823c5aecb29e7d2
      • Instruction ID: 7d34c880eb8d1e314e5784add04d2c3f56b1fa1ab2fc3f28aee35abd5516265e
      • Instruction Fuzzy Hash: 627102729443959FCB30AF68C844BEEBBF6EF99320F55452EDC499B210D7708A42CB52

      APIs
      • NtAllocateVirtualMemory.NTDLL(-228365FB,000005C4), ref: 02175AF4
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 5872cc65e099e5a5aa9732bb34bd025916852d61e8fc5b8fb77ccaf855b4da11
      • Instruction ID: e701c97b3a4ce0249b956aa365350b22e59a4c879f86740bf32c15107e1f8f7c
      • Instruction Fuzzy Hash: 5E51B5757913168FCB318D5D4CA53CE73E2AB88610FA4443EDD88CB296D7B4DA4F8682

      C-Code - Quality: 65%
      			_entry_(void* __eax, signed int* __ebx, signed int __ecx, signed int __edx, intOrPtr* __esi) {
      				void* _t3;
      				signed int _t5;
      				signed int _t6;
      				signed int _t8;
      				signed int _t10;
      				intOrPtr* _t15;
      				void* _t17;
      				void* _t18;
      				void* _t21;
      				void* _t22;
      
      				_t15 = __esi;
      				_t10 = __edx;
      				_t8 = __ecx;
      				_t3 = __eax;
      				_push("VB5!6&*");
      				do {
      					_t5 = _t3 + 1 + _t8;
      					asm("lock invalid");
      					 *_t5 =  *_t5 + 1;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t10;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t8 =  *_t8 & _t8;
      					asm("lahf");
      					asm("adc dl, [ebx-0x56bdaed4]");
      					asm("adc al, [ds:edi-0x1]");
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t5 =  *_t5 + _t5;
      					 *_t15 =  *_t15 + _t5;
      					_push(_t5);
      					 *_t8 =  *_t8 + 0x53;
      					_push(_t17);
      					_t15 = _t15 - 1 + 1;
      					_t18 = _t17 + 1;
      					_push(_t18);
      					_t22 = _t21 + 1;
      					_t8 = _t8 - 1 + 1;
      					 *_t5 =  *_t5 + _t8;
      					_t6 = _t5 |  *__ebx;
      					 *_t6 =  *_t6 + _t6;
      					 *_t6 =  *_t6 + _t6;
      					_t21 = _t22 - 1;
      					 *_t6 =  *_t6 ^ _t6;
      					es = _t22;
      					_push(_t8);
      					_t3 = _t10 +  *((intOrPtr*)(__ebx - 7)) + 2;
      					_t10 = _t6;
      					_t17 = _t18 + 1 + _t21 + 1;
      					asm("fiadd dword [ecx-0x78]");
      				} while (_t17 != 0);
      				asm("arpl [esi-0x5d], bx");
      				asm("daa");
      				asm("adc al, 0x7");
      				ds = 0x5f;
      				asm("enter 0x7288, 0x4d");
      				asm("stosb");
      				return _t3;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID: #100
      • String ID: VB5!6&*
      • API String ID: 1341478452-3593831657
      • Opcode ID: d7bcc81d966155dbd390ad17853493ca08cefffc5029d04fcfe3ee72d0e81c06
      • Instruction ID: 8b485ed7109c182642eefb2dac06b995e34b3465d26102f83ae08db25948a38a
      • Opcode Fuzzy Hash: d7bcc81d966155dbd390ad17853493ca08cefffc5029d04fcfe3ee72d0e81c06
      • Instruction Fuzzy Hash: EB11C2A044E3D16FD7474B748C265A57F749E4322470A01DBD6C2DE4B3C26D484B8B73
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: *6;R$32aG$:FKM$Mb$r-<W
      • API String ID: 0-3219171453
      • Opcode ID: a699f9232bd27910b0501f095a90396e06e6984257e1c5d93ae34fe26dc0f029
      • Instruction ID: 55ca1f7a70d262d895ac45c1d5836f27d3dbe6c46ba9a05ea1d554d8972929d5
      • Opcode Fuzzy Hash: a699f9232bd27910b0501f095a90396e06e6984257e1c5d93ae34fe26dc0f029
      • Instruction Fuzzy Hash: B062CCB16443499FDB689F34C8957DABBB2FF98300F55812DDC899B254C7309A82CF52
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: *6;R$32aG$:FKM$Mb$r-<W
      • API String ID: 0-3219171453
      • Opcode ID: c1bd2e7e0a848a4fa0cee31d19c122a861971be715c4dc0def1c46499622c3f3
      • Instruction ID: f58819cb8903abaf360c7e4789c95c56918de49abecc8bfefa91c6f93fad1f07
      • Opcode Fuzzy Hash: c1bd2e7e0a848a4fa0cee31d19c122a861971be715c4dc0def1c46499622c3f3
      • Instruction Fuzzy Hash: E6520EB26443459FDB648F38CC957DABBB2FF98300F55812DDD898B214D3709A86CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: *6;R$32aG$:FKM$Mb$r-<W
      • API String ID: 0-3219171453
      • Opcode ID: c38d3af79132b37bbb987f4556067d2f161fa66b79d971a80a496e3ee584e20c
      • Instruction ID: 40e2e6cbcdcc909ea6a0050419ced7c406f234a89102799ba4a1a1d7275881f8
      • Opcode Fuzzy Hash: c38d3af79132b37bbb987f4556067d2f161fa66b79d971a80a496e3ee584e20c
      • Instruction Fuzzy Hash: F442CBB26443499FDB689F38CC857DABBB2FF98300F558129DD899B614C3705A85CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: *6;R$32aG$:FKM$r-<W
      • API String ID: 0-1705079728
      • Opcode ID: a4ccbb180f5c1cd5baa17483a8110668fe6b89e19160924d04d54115307fc3f5
      • Instruction ID: 7808dc3fb9c753ea2832e7f16ca658e217b669bb7357649169c3347daacdf06c
      • Opcode Fuzzy Hash: a4ccbb180f5c1cd5baa17483a8110668fe6b89e19160924d04d54115307fc3f5
      • Instruction Fuzzy Hash: 531211B16403489FDB758E28CC947DE77B2FF98300F55812EDD898B255D7709A8ACB82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: (O$2o$Wl$kM
      • API String ID: 0-1484133784
      • Opcode ID: 824d4821da1391edab8d4c6c767a7ebc98c5f9ccbaf85588039dd52eb2dd0ac8
      • Instruction ID: dbc539a7e686975c68b6dce12733c3e7f84af484280f0faac2b1dbb33c0f9138
      • Opcode Fuzzy Hash: 824d4821da1391edab8d4c6c767a7ebc98c5f9ccbaf85588039dd52eb2dd0ac8
      • Instruction Fuzzy Hash: 20C1D0719443998FCB74EF78CC997DA7BB2AF98350F46402ADC89DB254D3318A85CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 4BMf$QJHW$e^A`
      • API String ID: 0-2942027093
      • Opcode ID: 170487c57239942a267363e842cf4960f6625f73dbeeeb3717271e3781965852
      • Instruction ID: ad5968cfcbc51638ce2c89231b2575b07a7a09e27cf39deffdc81c3440963201
      • Opcode Fuzzy Hash: 170487c57239942a267363e842cf4960f6625f73dbeeeb3717271e3781965852
      • Instruction Fuzzy Hash: 9332AB71A407499FDB64CF28CC94BDAB7F6FF89350F45422AEC999B340D730A9518B90
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: *6;R$:FKM$r-<W
      • API String ID: 0-2291305708
      • Opcode ID: 7c13048f043ee07b9b301fa9309eeefe972d0fe220acf243265abed711c14dda
      • Instruction ID: 67381aee4482c71dc208d0b7e4c119ff639b7adb442489550d051c0ec7c1ca39
      • Opcode Fuzzy Hash: 7c13048f043ee07b9b301fa9309eeefe972d0fe220acf243265abed711c14dda
      • Instruction Fuzzy Hash: A6C1D1716413598FDB358E688CE47CE77A2AB98300F94813EDD8CCB255D7749E4A8B82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: [>~w$}qS_
      • API String ID: 0-3193744725
      • Opcode ID: dfb77924cad080c19d3ea9e1014f208a976e1dcc60844a28091b91852a58d523
      • Instruction ID: c66e1a21169860f7fc1d0c17912c7bfbb1a7ce62ed531ff48fc4504f3bbb5676
      • Opcode Fuzzy Hash: dfb77924cad080c19d3ea9e1014f208a976e1dcc60844a28091b91852a58d523
      • Instruction Fuzzy Hash: E9510172645748DFCB70CE69D9C87DA76F3AFA8704F94062ACD4D9B608D331AA81CB05
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID: !1?$s1'e
      • API String ID: 0-1457366028
      • Opcode ID: 1bfde712a96b70e943bb1292d4922f4a89030cadee9e4e033252cbd36cb3d145
      • Instruction ID: 9c494207e074087742ac3251cd371b187106aae4e611f7481fe9174598ab8a66
      • Opcode Fuzzy Hash: 1bfde712a96b70e943bb1292d4922f4a89030cadee9e4e033252cbd36cb3d145
      • Instruction Fuzzy Hash: E3219D319493959FC36A8E35C44359ABFB5FF477147A450AEE482CA9B2C62A1483CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: QJHW
      • API String ID: 0-3797401239
      • Opcode ID: 85554357a3ddaf1cae18ea7b6d0e36cd7a01d9847469eb5ecbde0151bc8e2590
      • Instruction ID: b8b9f23b24cfb6f9b4e6e65a4172fa419532c69e9587ae1d461ac8821bb22232
      • Opcode Fuzzy Hash: 85554357a3ddaf1cae18ea7b6d0e36cd7a01d9847469eb5ecbde0151bc8e2590
      • Instruction Fuzzy Hash: 21C1BBB16443899FDB34CF28DD94BDAB7F6BF89310F05422AEC99CB240D7309A518B91
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: Hs1
      • API String ID: 0-1767169
      • Opcode ID: 87f617b86b171444e66c05e884a31d4221a0aeb6a27a65591f2e71f6dd2ec8ce
      • Instruction ID: 885b6df71c63e0bd457522fa650337fc5a5910eba5485c61e886277b5cc40162
      • Opcode Fuzzy Hash: 87f617b86b171444e66c05e884a31d4221a0aeb6a27a65591f2e71f6dd2ec8ce
      • Instruction Fuzzy Hash: E8A15372A447568FEB34CE38CD987EB77B2EF89340F55012ADC899B244D7309A45CB92
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: EA
      • API String ID: 0-2399277265
      • Opcode ID: c0ce30cd542904bf981e8a4832d7489342078a4110e4cfaf1bd6a5c890d95f96
      • Instruction ID: 79f0d68a7ec235c5c0acaaaeaa78f03d8de6bedcc1dc2429bc7bdaf5753daed8
      • Opcode Fuzzy Hash: c0ce30cd542904bf981e8a4832d7489342078a4110e4cfaf1bd6a5c890d95f96
      • Instruction Fuzzy Hash: 4F612372644248DFDF38DF28C9A03DA37A2EF95310F16812BCC0A8B251C7349A49CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID: 1mFL
      • API String ID: 0-4036361619
      • Opcode ID: 3fee7e1417d5a5453e60d53df67511880af279f6922a7d35db0e668b59405452
      • Instruction ID: e51328b0f0d8b43e8df43ba3a5afa18cdcbf047131ab8d00f5ccb5d17461f863
      • Opcode Fuzzy Hash: 3fee7e1417d5a5453e60d53df67511880af279f6922a7d35db0e668b59405452
      • Instruction Fuzzy Hash: A531DA31E15324CBD76ECE788443147BFB4AF42A41BA095BED942CBA74CB765812DBC1
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: `
      • API String ID: 0-1850852036
      • Opcode ID: 65a770cdf85431aaa38e4dc250f29c7a7f536ad2a89b3c29f45683021592ecf1
      • Instruction ID: 1c2781ff03ae34318695db489e5cc7405961a1b40526b3016b28892eb3b68c7a
      • Opcode Fuzzy Hash: 65a770cdf85431aaa38e4dc250f29c7a7f536ad2a89b3c29f45683021592ecf1
      • Instruction Fuzzy Hash: 43313772A442458BDF74DE3DCCA83DA72E36BD8310F55406F8C0ADB354DB308A828B52
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: dae8fa44948922320d5ac18f2368c2e176cff65814b20500da1bc15e53ba2e01
      • Instruction ID: 12a56710c09a1d00423f466c048789b21daf9fa968a584f02a5cad15f0db2efd
      • Opcode Fuzzy Hash: dae8fa44948922320d5ac18f2368c2e176cff65814b20500da1bc15e53ba2e01
      • Instruction Fuzzy Hash: A2C1D7717853168FCB318D6D48B538D73E2AB88610F94407BDC48CB696EB74EA4F8682
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ff5e567d02f799ac561c9efe7b6023d0d67b15310a7bd3db5f504b1bb7ad9bdd
      • Instruction ID: 033233eb9a6c4566cdcb79ac7b6a503952f8ff3c6f3ef816979c8ab54335da38
      • Opcode Fuzzy Hash: ff5e567d02f799ac561c9efe7b6023d0d67b15310a7bd3db5f504b1bb7ad9bdd
      • Instruction Fuzzy Hash: 72B10272A442989FCB749F35CC44BEE7BF2AF99310F55442EEC49AB240D7308A42CB52
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ee4e82fb92b3b9b3e381aa79e011c230e0aeec61d585fcefdf23aed04b2d078f
      • Instruction ID: 787655440af21cb208fd435eac0d93fb9e4a5680b3d647fb151521045432a84c
      • Opcode Fuzzy Hash: ee4e82fb92b3b9b3e381aa79e011c230e0aeec61d585fcefdf23aed04b2d078f
      • Instruction Fuzzy Hash: C17117717813268FDB318D6D4CE53CAB3E1AB88600F94003ADD48CB646E774EE4EC686
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 56%
      			E00404478() {
      				signed char _t95;
      				signed int _t96;
      				signed int _t99;
      				signed int _t100;
      				signed int _t104;
      				signed int _t105;
      				void* _t106;
      				signed int _t108;
      				signed int _t110;
      				void* _t111;
      				signed int _t112;
      				signed int _t113;
      				signed int* _t114;
      				signed int _t115;
      				signed int _t116;
      				void* _t117;
      				signed int _t118;
      				signed int _t120;
      				void* _t121;
      				signed int _t123;
      				signed int _t125;
      				void* _t127;
      				signed int _t129;
      				signed int _t130;
      				signed int _t131;
      				signed int _t135;
      				signed int _t136;
      				void* _t138;
      				void* _t139;
      				signed int _t140;
      				signed int _t141;
      
      				L0:
      				while(1) {
      					L0:
      					_t96 = _t95 & 0x00000085;
      					 *(_t127 - 0x63ce7c1f) =  *(_t127 - 0x63ce7c1f) ^ _t104;
      					 *((char*)(_t108 - 0x600564cf)) =  *((char*)(_t108 - 0x600564cf)) + 1;
      					 *(_t117 - 0x4dce6e0e) =  *(_t117 - 0x4dce6e0e) ^ _t136;
      					_t7 = _t96 - 0x4d7ab2cf;
      					_t105 =  *_t7;
      					 *_t7 = _t104;
      					 *(_t96 - 0x7d) =  *(_t96 - 0x7d) ^ _t108;
      					 *(_t136 - 0x62) =  *(_t136 - 0x62) ^ _t96;
      					_t118 = _t117 - 1;
      					 *(_t108 - 0x64) =  *(_t108 - 0x64) ^ _t96;
      					_t129 = _t127 - 1 + 1;
      					 *(_t136 - 0x66) =  *(_t136 - 0x66) ^ _t105;
      					 *(_t108 - 0x67) =  *(_t108 - 0x67) ^ _t105;
      					 *(_t136 + 1 - 0x69) =  *(_t136 + 1 - 0x69) ^ _t118;
      					_pop(_t138);
      					 *(_t108 + 1 - 0x6b) =  *(_t108 + 1 - 0x6b) ^ _t118;
      					_pop(_t110);
      					 *_t110 =  *_t110 ^ _t96;
      					 *_t129 =  *_t129 ^ _t140;
      					if( *_t129 >= 0) {
      						break;
      					}
      					L2:
      					 *_t123 =  *_t123 ^ _t123;
      					_t138 = _t138 +  *_t105;
      					 *(_t96 + _t123 * 2) =  *(_t96 + _t123 * 2) ^ _t140;
      					_t96 = _t96 - 0x31;
      					_t129 = _t129 + 1;
      					 *_t110 =  *_t110 + _t129;
      					if( *_t110 > 0) {
      						L1:
      						continue;
      					}
      					L3:
      					 *(_t129 - 0x64) =  *(_t129 - 0x64) ^ 0x00000071;
      					break;
      				}
      				L4:
      				 *(_t96 - 0xf) =  *(_t96 - 0xf) ^ _t110;
      				_t139 = _t140;
      				 *(_t123 + _t123 * 8 - 0x1741cebe) =  *(_t123 + _t123 * 8 - 0x1741cebe) ^ _t129;
      				 *(_t110 + 0xffffffffeda034d0) =  *(_t110 + 0xffffffffeda034d0) ^ _t140;
      				_t125 = _t123 + 2;
      				 *(_t110 - 0x4ecebf1a) =  *(_t110 - 0x4ecebf1a) ^ _t125;
      				asm("loope 0x5f");
      				 *(_t96 - 8) =  *(_t96 - 8) ^ _t110;
      				_pop(_t111);
      				 *(_t105 - 0xe) =  *(_t105 - 0xe) ^ _t96;
      				 *(_t96 + 0x63 + _t125 * 4) =  *(_t96 + 0x63 + _t125 * 4) ^ _t125;
      				 *_t96 =  *_t96 ^ _t105;
      				asm("sbb [eax+0x31], esp");
      				_t106 = _t105 + 1;
      				_t112 = _t96 + 1;
      				 *0x71 =  *0x71 ^ _t112;
      				_t113 = _t112 |  *(_t139 + 0x31);
      				es = es;
      				_t99 = _t111 - 1;
      				 *_t129 =  *_t129 ^ _t99;
      				es = 0x71;
      				_t100 = _t99 - 1;
      				 *_t100 =  *_t100 ^ _t113;
      				_t57 = _t106 + 0x31;
      				 *_t57 =  *(_t106 + 0x31) | _t113;
      				if( *_t57 >= 0) {
      					 *[es:edx] =  *[es:edx] ^ _t140;
      					_t130 = _t129 -  *_t113;
      					asm("adc [edi+0x7], ecx");
      					 *(_t139 - 0x58) =  *(_t139 - 0x58) ^ _t125;
      					 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ 0x00000071;
      					_push(_t113);
      					 *(_t125 + 0x59 + _t113 * 4) =  *(_t125 + 0x59 + _t113 * 4) ^ _t100;
      					 *(_t106 - 0x45cea106) =  *(_t106 - 0x45cea106) ^ _t130;
      					asm("out 0x42, eax");
      					 *0xFFFFFFFFA031455F =  *0xFFFFFFFFA031455F ^ _t140;
      					asm("out dx, eax");
      					_t141 = _t140 + 1;
      					 *0xFFFFFFFFB431415A =  *0xFFFFFFFFB431415A ^ _t125;
      					asm("loop 0x5e");
      					 *(_t125 - 4) =  *(_t125 - 4) ^ _t113;
      					 *_t100 =  *_t100 ^ _t113;
      					if( *_t100 >= 0) {
      						_push(_t100);
      						 *0x23311f47 =  *0x23311f47 ^ 0x00000071;
      						_push(cs);
      						_t131 = _t130 -  *_t113;
      						_t120 = 0x00000071 &  *_t113;
      						 *_t131 =  *_t131 ^ _t120;
      						 *(_t120 - 0x55) =  *(_t120 - 0x55) ^ _t125;
      						asm("pushad");
      						 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t120;
      						asm("outsb");
      						 *(_t120 - 0x74) =  *(_t120 - 0x74) ^ 0x00000008;
      						 *(_t125 - 5) =  *(_t125 - 5) ^ _t113;
      						_t121 = _t141;
      						 *(_t131 - 0x5ecea11e) =  *(_t131 - 0x5ecea11e) ^ _t131;
      						asm("in al, dx");
      						 *(_t121 + 1 - 0x40cebb12) =  *(_t121 + 1 - 0x40cebb12) ^ _t141;
      						while(1) {
      							asm("out dx, al");
      							asm("sti");
      							_t113 = _t113 ^ _t131;
      							asm("into");
      							asm("into");
      							asm("into");
      							 *_t113 =  *_t113 ^ _t131;
      							 *_t113 =  *_t113 ^ _t131;
      							asm("stc");
      						}
      					}
      					 *0x000000D4 =  *0x000000D4 ^ _t141;
      					 *(_t130 - 1 + 0x67) =  *(_t130 - 1 + 0x67) ^ _t141;
      					 *(_t100 + 0x5043149) =  *(_t100 + 0x5043149) ^ _t100;
      					_t114 = _t113 - 1;
      					 *0x49050431 =  *0x49050431 ^ _t100;
      					_pop(es);
      					 *(_t100 - 1 + 0x71) =  *(_t100 - 1 + 0x71) ^ 0x49050431;
      					 *_t114 =  *_t114 ^ 0x49050431;
      					 *_t114 =  *_t114 ^ 0x49050431;
      					asm("into");
      					asm("into");
      					_t115 = 0x49050431;
      					asm("into");
      					asm("into");
      					asm("jecxz 0xffffffd0");
      					asm("into");
      					asm("into");
      					asm("fcmovne st0, st6");
      					asm("into");
      					asm("into");
      					asm("into");
      					asm("into");
      					L9:
      					asm("into");
      					asm("into");
      					asm("into");
      					 *_t115 =  *_t115 ^ 0x49050431;
      					 *_t115 =  *_t115 ^ 0x49050431;
      					asm("stc");
      					asm("out dx, al");
      					asm("cli");
      					_t115 = _t115 ^ 0x49050431;
      					goto L9;
      				}
      				 *_t113 =  *_t113 ^ _t129;
      				 *_t113 =  *_t113 ^ _t129;
      				_t135 = _t129 ^ _t113;
      				asm("into");
      				asm("into");
      				_t116 = _t135;
      				asm("into");
      				asm("into");
      				asm("jecxz 0xffffffd0");
      				asm("into");
      				asm("into");
      				asm("fcmovne st0, st6");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				L6:
      				asm("into");
      				asm("into");
      				asm("into");
      				 *_t116 =  *_t116 ^ _t135;
      				 *_t116 =  *_t116 ^ _t135;
      				asm("stc");
      				asm("out dx, al");
      				asm("cli");
      				_t116 = _t116 ^ _t135;
      				goto L6;
      			}

      Instruction addresses (disassembly listing) for E00404478: 0x00404478 to 0x004046af

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9f65299eca22b9a82dff30c83b80ecc6ba9fb1558f2ee11b3c0650a2d90bd0a1
      • Instruction ID: c77f8f89eeb79534b6064d62ed68bbe023f511f221c89346013e17e9c9d46e12
      • Opcode Fuzzy Hash: 9f65299eca22b9a82dff30c83b80ecc6ba9fb1558f2ee11b3c0650a2d90bd0a1
      • Instruction Fuzzy Hash: FE712E76808266DFD31DCE31804756ABBB1FF82708B6194AED583CA8B1D7362842DF84
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 650febdcf880b9c245aa026e973163baf7db3240ad6dd05db0038afe6945b6e9
      • Instruction ID: ad2ef0031b357433936c3ab138e80255495e8004c12fb0e89405f6aeedc482cb
      • Opcode Fuzzy Hash: 650febdcf880b9c245aa026e973163baf7db3240ad6dd05db0038afe6945b6e9
      • Instruction Fuzzy Hash: F64155726453848FD760AE398C446CEBBF3EFC5310F56452DD88997611D7308986CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 53f9bd77e0a6e9a955be5b1f6648dd74f9d5815262c25bd5b7447fa5c3969aea
      • Instruction ID: 6d1373f79ad79501a25b405342b58e1439bbea48c148c08539b0dfde328c53c0
      • Opcode Fuzzy Hash: 53f9bd77e0a6e9a955be5b1f6648dd74f9d5815262c25bd5b7447fa5c3969aea
      • Instruction Fuzzy Hash: 065101B25043149FC728DF34C998BDA7BB1FF59354F52429AD84ACB261C3709985CF81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1c397070440e4808c17d85ff7c332e0259cd275e35519ce53bf5fe84c654c0cc
      • Instruction ID: aed750929d21a64605b03b9eafdf5f822b04d5b999c5934dc85edf3c06e3e448
      • Opcode Fuzzy Hash: 1c397070440e4808c17d85ff7c332e0259cd275e35519ce53bf5fe84c654c0cc
      • Instruction Fuzzy Hash: 0F519EB1A452989FDF34DE25CC94BDE77A2EF98340F41812DEC8E9B250D3315A81CB15
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1da446d63c0bed132502653a9eee706f8fbf3a576b1a4d9125308b1ace72cff7
      • Instruction ID: 368f80792fb18deba7db21821d3534f720360a15e49950302d0ff12dd62e3921
      • Opcode Fuzzy Hash: 1da446d63c0bed132502653a9eee706f8fbf3a576b1a4d9125308b1ace72cff7
      • Instruction Fuzzy Hash: 52518D71A452889FDF38CE25CC94BDE7BA2EF98340F41812DEC8E9B250D7315A81CB15
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ccd7155b5873c85180d8f6cb266ca4e4fb238cfd6d761d3f8dc82a9582b16558
      • Instruction ID: 0c95747d59bfa8f79e301a7059dff20d4482ec58edf0495c5a192d46979c88df
      • Opcode Fuzzy Hash: ccd7155b5873c85180d8f6cb266ca4e4fb238cfd6d761d3f8dc82a9582b16558
      • Instruction Fuzzy Hash: 844178716057808FD761AE398C452CEBBF2EFD5700F9A451DCC8597616DB34C982CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ffc76f934875bc779eb90de0f7329f73a55d09b035e0615219cf5e303cef9555
      • Instruction ID: 57b75558ff456e5b5df62a6fe752bb96282148a90008b57de59a2f3a326bd8ff
      • Opcode Fuzzy Hash: ffc76f934875bc779eb90de0f7329f73a55d09b035e0615219cf5e303cef9555
      • Instruction Fuzzy Hash: 1541B4B3A002998FDF709F68CD497CB37B6AFA9310F594125DC58EB200D7349A81CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 92f4902af1ba25c1a360153ebc9b7bea9a01cfd40523aab50f5bb0272d5bddf1
      • Instruction ID: 0853584255e33ec8a281578f766be75d63c13879190126ec692b198d1075f8ce
      • Opcode Fuzzy Hash: 92f4902af1ba25c1a360153ebc9b7bea9a01cfd40523aab50f5bb0272d5bddf1
      • Instruction Fuzzy Hash: FE314872A0AB698FC32ECE35910725ABFA2FE4171535195AFD153CA879C7366802CBC4
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 54%
      			E00404834() {
      				signed char _t46;
      				signed char _t47;
      				signed char _t49;
      				signed char _t51;
      				signed int _t54;
      				signed int _t55;
      				signed int _t56;
      				void* _t57;
      				void* _t58;
      				signed int _t59;
      				void* _t62;
      				signed int _t63;
      				void* _t64;
      				signed int _t67;
      				signed int _t68;
      				signed int _t69;
      				signed int _t75;
      
      				_t47 = _t49;
      				_t57 =  *_t54;
      				asm("sahf");
      				 *((char*)(_t57 - 0x610362cf)) =  *((char*)(_t57 - 0x610362cf)) + 1;
      				 *(_t62 - 0x42ce6c09) =  *(_t62 - 0x42ce6c09) ^ _t68;
      				_t69 = _t47 - 0x49784fcf;
      				 *(_t68 + _t47 * 4 - 0x4e) =  *(_t68 + _t47 * 4 - 0x4e) ^ _t54;
      				 *(_t47 - 0x7d) =  *(_t47 - 0x7d) ^ _t54;
      				 *(_t68 - 0x62) =  *(_t68 - 0x62) ^ _t47;
      				_t58 = _t57 - 1;
      				 *(_t54 - 0x64) =  *(_t54 - 0x64) ^ _t47;
      				 *(_t58 - 0x65) =  *(_t58 - 0x65) ^ _t46;
      				_t59 = _t58 + 1;
      				 *(_t64 - 1 + 1 - 0x67) =  *(_t64 - 1 + 1 - 0x67) ^ _t59;
      				_pop(_t63);
      				 *(_t59 - 0x6c) =  *(_t59 - 0x6c) ^ _t59;
      				_pop(_t51);
      				 *(_t63 - 0x6e) =  *(_t63 - 0x6e) ^ _t68;
      				_push(_t63);
      				 *(_t51 - 0x6f) =  *(_t51 - 0x6f) ^ _t68;
      				_push(_t51);
      				 *(_t63 + 0x6f + _t68 * 4) =  *(_t63 + 0x6f + _t68 * 4) ^ _t69;
      				 *(_t51 - 0x56) =  *(_t51 - 0x56) ^ _t69;
      				_t67 =  *_t54 * 0x2f;
      				 *(_t63 + 0x31) =  *(_t63 + 0x31) & _t51;
      				 *_t63 =  *_t63 ^ _t67;
      				 *_t67 =  *_t67 ^ _t67;
      				asm("sbb eax, 0x7d36313b");
      				 *_t63 =  *_t63 ^ _t47;
      				if( *_t63 <= 0) {
      					L6:
      					 *_t54 =  *_t54 ^ _t67;
      					 *_t54 =  *_t54 ^ _t67;
      					asm("into");
      					asm("into");
      					asm("into");
      					_t55 = _t67;
      					asm("into");
      					asm("into");
      					asm("jecxz 0xffffffd0");
      					asm("into");
      					asm("into");
      					asm("fcmovne st0, st6");
      					asm("into");
      					asm("into");
      					asm("into");
      					asm("into");
      					L7:
      					asm("into");
      					L8:
      					asm("into");
      					asm("into");
      					 *_t55 =  *_t55 ^ _t67;
      					L9:
      					 *_t55 =  *_t55 ^ _t67;
      					_t56 = _t55 ^ _t63;
      					L10:
      					asm("out dx, al");
      					asm("sti");
      					_t55 = _t56 ^ _t67;
      					L11:
      					goto L8;
      				}
      				asm("insb");
      				asm("wait");
      				_push(0x6c835831);
      				 *_t54 =  *_t54 ^ _t47;
      				 *_t63 =  *_t63 | _t54;
      				 *(_t54 + 0x787a316a) =  *(_t54 + 0x787a316a) ^ _t54;
      				_t55 = _t54 + 1;
      				 *_t47 =  *_t47 ^ 0xad7a3171;
      				_t75 =  *_t47;
      				if(_t75 > 0) {
      					goto L7;
      				}
      				asm("adc [esi], ch");
      				if(_t75 > 0) {
      					goto L9;
      				}
      				asm("adc [esi], ch");
      				if(_t75 > 0) {
      					goto L10;
      				}
      				asm("adc [esi], ch");
      				if(_t75 > 0) {
      					goto L11;
      				}
      				_pop(ss);
      				asm("adc eax, 0x1f01316b");
      				 *0xad7a3171 =  *0xad7a3171 ^ _t47;
      				 *(_t63 + 0x31) =  *(_t63 + 0x31) + _t47;
      				_t47 = _t47 | 0x0000000a;
      				goto L6;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0a810e7b188d540b6655b6621e4a4606116585e5ce81ea93e1e33dadc8f2261f
      • Instruction ID: b63c9ef4bed44071b917e39e7812cb4e3057ca1ce486d16529b29c9f3e00a0d2
      • Opcode Fuzzy Hash: 0a810e7b188d540b6655b6621e4a4606116585e5ce81ea93e1e33dadc8f2261f
      • Instruction Fuzzy Hash: 4931783A8097E68FC72EDF75841714BBF62FE8270836898AED483DA472D3350851CB85
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 49%
      			E00404534() {
      				signed char _t60;
      				signed int _t61;
      				signed int _t65;
      				void* _t69;
      				signed int _t71;
      				signed int _t72;
      				signed int* _t73;
      				signed int _t74;
      				signed char _t75;
      				signed int _t76;
      				void* _t77;
      				signed int _t79;
      				signed int _t81;
      				signed int _t82;
      				signed int _t83;
      				signed int _t84;
      				signed int _t85;
      				signed int _t89;
      				signed int _t90;
      				signed int _t91;
      
      				_t79 = _t90;
      				_t82 = _t71;
      				_t61 = _t60 & 0x00000085;
      				 *(_t79 - 0x62ce7c1f) =  *(_t79 - 0x62ce7c1f) ^ _t65;
      				asm("cld");
      				asm("sahf");
      				 *(_t82 - 0x5cce6505) =  *(_t82 - 0x5cce6505) ^ _t75;
      				fs =  *((intOrPtr*)(_t82 - 0x4878b1cf));
      				 *(_t75 - 0x7e) =  *(_t75 - 0x7e) ^ _t71;
      				_t83 = _t82 + 1;
      				 *(_t79 + 0x31) =  *(_t79 + 0x31) | 0x00000042;
      				asm("sahf");
      				 *(_t83 - 0x63) =  *(_t83 - 0x63) ^ 0x30;
      				 *(_t75 - 0x65) =  *(_t75 - 0x65) ^ 0x30;
      				 *(_t83 - 0x6a) =  *(_t83 - 0x6a) ^ _t75;
      				_pop(_t81);
      				 *(_t75 - 0x6c) =  *(_t75 - 0x6c) ^ _t75;
      				_pop(_t69);
      				 *(_t81 - 0x6e) =  *(_t81 - 0x6e) ^ _t89;
      				_push(_t81);
      				 *(_t83 - 0x5c) =  *(_t83 - 0x5c) ^ _t83;
      				 *[fs:edi] =  *[fs:edi] ^ _t89;
      				ss = _t61;
      				 *_t81 =  *_t81 ^ _t81;
      				_t72 = _t71 +  *_t61;
      				 *(_t69 + _t61) =  *(_t69 + _t61) ^ _t81;
      				 *[es:edx] =  *[es:edx] ^ _t90;
      				_t84 = _t83 -  *_t72;
      				asm("adc [edi+0x7], ecx");
      				 *(_t89 - 0x58) =  *(_t89 - 0x58) ^ _t81;
      				 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t75;
      				_push(_t72);
      				 *(_t81 + 0x59 + _t72 * 4) =  *(_t81 + 0x59 + _t72 * 4) ^ _t61;
      				 *(_t69 - 0x45cea106) =  *(_t69 - 0x45cea106) ^ _t84;
      				asm("out 0x42, eax");
      				 *(_t75 - 0x5fcebb12) =  *(_t75 - 0x5fcebb12) ^ _t90;
      				asm("out dx, eax");
      				_t91 = _t90 + 1;
      				 *(_t75 - 0x4bcebf17) =  *(_t75 - 0x4bcebf17) ^ _t81;
      				asm("loop 0x5e");
      				 *(_t81 - 4) =  *(_t81 - 4) ^ _t72;
      				 *_t61 =  *_t61 ^ _t72;
      				if( *_t61 >= 0) {
      					_push(_t61);
      					 *0x23311f47 =  *0x23311f47 ^ _t75;
      					_push(cs);
      					_t85 = _t84 -  *_t72;
      					_t76 = _t75 &  *_t72;
      					 *_t85 =  *_t85 ^ _t76;
      					 *(_t76 - 0x55) =  *(_t76 - 0x55) ^ _t81;
      					asm("pushad");
      					 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t76;
      					asm("outsb");
      					 *(_t76 - 0x74) =  *(_t76 - 0x74) ^ 0x00000008;
      					 *(_t81 - 5) =  *(_t81 - 5) ^ _t72;
      					_t77 = _t91;
      					 *(_t85 - 0x5ecea11e) =  *(_t85 - 0x5ecea11e) ^ _t85;
      					asm("in al, dx");
      					 *(_t77 + 1 - 0x40cebb12) =  *(_t77 + 1 - 0x40cebb12) ^ _t91;
      					while(1) {
      						asm("out dx, al");
      						asm("sti");
      						_t72 = _t72 ^ _t85;
      						asm("into");
      						asm("into");
      						asm("into");
      						 *_t72 =  *_t72 ^ _t85;
      						 *_t72 =  *_t72 ^ _t85;
      						asm("stc");
      					}
      				}
      				 *(_t75 + 0x63) =  *(_t75 + 0x63) ^ _t91;
      				 *(_t84 - 1 + 0x67) =  *(_t84 - 1 + 0x67) ^ _t91;
      				 *(_t61 + 0x5043149) =  *(_t61 + 0x5043149) ^ _t61;
      				_t73 = _t72 - 1;
      				 *0x49050431 =  *0x49050431 ^ _t61;
      				_pop(es);
      				 *(_t61 - 1 + 0x71) =  *(_t61 - 1 + 0x71) ^ 0x49050431;
      				 *_t73 =  *_t73 ^ 0x49050431;
      				 *_t73 =  *_t73 ^ 0x49050431;
      				asm("into");
      				asm("into");
      				_t74 = 0x49050431;
      				asm("into");
      				asm("into");
      				asm("jecxz 0xffffffd0");
      				asm("into");
      				asm("into");
      				asm("fcmovne st0, st6");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				L3:
      				asm("into");
      				asm("into");
      				asm("into");
      				 *_t74 =  *_t74 ^ 0x49050431;
      				 *_t74 =  *_t74 ^ 0x49050431;
      				asm("stc");
      				asm("out dx, al");
      				asm("cli");
      				_t74 = _t74 ^ 0x49050431;
      				goto L3;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: fbce78682df96a69405bf8bb06e62915dc3f52b46b9547227fd86a761be4da9e
      • Instruction ID: 492cc0e88484bc2eb32296d1d8666a68a8cd0ae7e48927794cd3683613c57e7a
      • Opcode Fuzzy Hash: fbce78682df96a69405bf8bb06e62915dc3f52b46b9547227fd86a761be4da9e
      • Instruction Fuzzy Hash: 71212E769082169FD31ECE35844315AFBB1FB82714B6698AEA587CA870D3362855CF81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 3d6527d3bd9cf96cbfc9340a2233270e638b15bbced1ae82cfcbccd358eb0412
      • Instruction ID: b3b8e9129dff1eaee09833095d04a0f630a9c2d74e5ad944ca89d653bc830cab
      • Opcode Fuzzy Hash: 3d6527d3bd9cf96cbfc9340a2233270e638b15bbced1ae82cfcbccd358eb0412
      • Instruction Fuzzy Hash: 822157368092A6CBD729DF35C14318ABFB1FF867047A694AED493DE972C3365412CB80
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 52b6f446d2ab04d6d566957f1b5468cc45f73a1a75f0f8e2bc7648aac9cf9c66
      • Instruction ID: 01d0d03b1fc583df2d770caf2a7331536ec90feea5ca9f7378c7811fc0865ecf
      • Opcode Fuzzy Hash: 52b6f446d2ab04d6d566957f1b5468cc45f73a1a75f0f8e2bc7648aac9cf9c66
      • Instruction Fuzzy Hash: 8D21FF719193A5CFC31FCE38844B146BF60AF47600B6492AED992CF671DB762812DBC2
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 55%
      			E004045F4() {
      				signed int _t40;
      				void* _t45;
      				signed int _t48;
      				signed int _t49;
      				signed char _t50;
      				signed int _t51;
      				void* _t52;
      				signed int _t55;
      				void* _t56;
      				signed int _t57;
      				signed int _t58;
      				void* _t59;
      				signed int _t60;
      
      				_t50 =  *_t49;
      				 *_t49 =  *_t49 ^ 0x0000009a;
      				asm("std");
      				asm("sahf");
      				 *((_t40 & 0xe19f3182) - 0x44ce6a09) =  *((_t40 & 0xe19f3182) - 0x44ce6a09) ^ _t50;
      				 *(_t48 - 0x7e) =  *(_t48 - 0x7e) ^ _t49;
      				_t55 = _t59 + 1;
      				 *(_t49 + _t56 + 0x43) =  *(_t49 + _t56 + 0x43) | 0x5f31489f;
      				asm("popfd");
      				_t60 = _t59 + 1;
      				 *0xFFFFFFFFFFFFFFC9 =  *0xFFFFFFFFFFFFFFC9 ^ _t48;
      				 *(_t56 + 0x5c + _t50 * 4) =  *(_t56 + 0x5c + _t50 * 4) ^ _t50;
      				 *0xFFFFFFFFFFFFFFC7 =  *0xFFFFFFFFFFFFFFC7 ^ _t50;
      				_pop(_t45);
      				 *(_t48 + 0x54 + _t50 * 4) =  *(_t48 + 0x54 + _t50 * 4) ^ _t58;
      				 *(_t45 - 0x52) =  *(_t45 - 0x52) ^ _t58;
      				_push(_t45);
      				 *0x23311f47 =  *0x23311f47 ^ _t50;
      				_push(cs);
      				_t57 = _t56 -  *_t49;
      				_t51 = _t50 &  *_t49;
      				 *_t57 =  *_t57 ^ _t51;
      				 *(_t51 - 0x55) =  *(_t51 - 0x55) ^ _t55;
      				asm("pushad");
      				 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t51;
      				asm("outsb");
      				 *(_t51 - 0x74) =  *(_t51 - 0x74) ^ 0x00000008;
      				 *(_t55 - 5) =  *(_t55 - 5) ^ _t49;
      				_t52 = _t60;
      				 *(_t57 - 0x5ecea11e) =  *(_t57 - 0x5ecea11e) ^ _t57;
      				asm("in al, dx");
      				 *(_t52 + 1 - 0x40cebb12) =  *(_t52 + 1 - 0x40cebb12) ^ _t60;
      				while(1) {
      					asm("out dx, al");
      					asm("sti");
      					_t49 = _t49 ^ _t57;
      					asm("into");
      					asm("into");
      					asm("into");
      					 *_t49 =  *_t49 ^ _t57;
      					 *_t49 =  *_t49 ^ _t57;
      					asm("stc");
      				}
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 32886bd4ee89150967b70ad91ce70132d53662dece5cb41ac6226894c50a70a1
      • Instruction ID: aabb920f0300946228b0ab0126a5f6cf6712f7f522ef10366341ad8d90cf45de
      • Opcode Fuzzy Hash: 32886bd4ee89150967b70ad91ce70132d53662dece5cb41ac6226894c50a70a1
      • Instruction Fuzzy Hash: F61145728096818FC31DCF35C50756ABFB2FE8270836591AED592CA475C33A2A22DF41
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 0bc658e5d7c891cb8a701ec3c4bd3a1fe47edee5c0666e2c2296f3a0dcaab00f
      • Instruction ID: c5b6299498b9a6f43237210389bd647cac3479d810ddc642b939b47bf2751649
      • Opcode Fuzzy Hash: 0bc658e5d7c891cb8a701ec3c4bd3a1fe47edee5c0666e2c2296f3a0dcaab00f
      • Instruction Fuzzy Hash: B3113471554300EFCB6CAE75DDA17EB76F0AF08350F41050DEECAA6261C3344681CB22
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 2f762e1bd03d1d3f89c6d3d01f6c99a94c83b804086fba0b6e130d321891ba0e
      • Instruction ID: f81a64790a14c8ac7ccb8deb905b357fcb2374ee1e37ede06b0f1599f921d888
      • Opcode Fuzzy Hash: 2f762e1bd03d1d3f89c6d3d01f6c99a94c83b804086fba0b6e130d321891ba0e
      • Instruction Fuzzy Hash: 9411E272A243A49FDB608E7489C47EBB7A5FF59300F464859DC99AB200D3711E80CB92
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E00404418() {
      				signed int _t113;
      				signed char _t114;
      				signed int _t115;
      				signed int _t118;
      				signed int _t119;
      				signed int _t123;
      				void* _t124;
      				signed char _t126;
      				signed int _t127;
      				void* _t131;
      				signed int _t132;
      				signed int _t133;
      				signed int* _t134;
      				signed int _t135;
      				signed int _t136;
      				signed int _t137;
      				signed char _t138;
      				signed int _t139;
      				signed int _t140;
      				void* _t141;
      				signed int _t143;
      				signed int _t145;
      				signed int _t149;
      				signed int _t151;
      				signed int _t152;
      				signed int _t153;
      				signed int _t157;
      				signed int _t158;
      				signed int _t159;
      				void* _t161;
      				void* _t162;
      				signed int _t163;
      				signed int _t164;
      				signed int _t165;
      
      				asm("in eax, 0x40");
      				 *(_t143 - 4) =  *(_t143 - 4) ^ _t126;
      				_pop(_t137);
      				 *(_t158 - 0xb) =  *(_t158 - 0xb) ^ _t113;
      				_push(_t158);
      				 *(_t137 - 0x73) =  *(_t137 - 0x73) ^ _t123;
      				_push(_t113);
      				 *(_t158 - 0x79) =  *(_t158 - 0x79) ^ _t137;
      				asm("insd");
      				 *(_t143 - 0x7f) =  *(_t143 - 0x7f) ^ _t158;
      				_push(0x7f760b31);
      				 *(_t113 + 0x60) =  *(_t113 + 0x60) ^ _t163;
      				_t164 = _t163 - 1;
      				 *(_t123 + 0x68) =  *(_t123 + 0x68) ^ _t158;
      				_t114 =  *0x4a090831;
      				 *_t114 =  *_t114 ^ _t126;
      				 *(_t137 + 0x31) =  *(_t137 + 0x31) | _t126;
      				_t127 = _t126 |  *_t123;
      				_t159 = _t158 - 1;
      				 *(_t137 + 0x73) =  *(_t137 + 0x73) ^ 0xb63147ea;
      				 *_t127 =  *_t127 ^ 0xb63147ea;
      				 *_t127 =  *_t127 ^ 0xb63147ea;
      				_t149 = 0xffffffffb63147eb ^ _t127;
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("jecxz 0xffffffd0");
      				asm("into");
      				asm("into");
      				asm("fcmovne st0, st6");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
      				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
      				asm("stc");
      				_t138 = _t137 >> 1;
      				do {
      					_t115 = _t114 & 0x00000085;
      					 *(_t149 - 0x63ce7c1f) =  *(_t149 - 0x63ce7c1f) ^ _t123;
      					 *0xFFFFFFFF9FFA9B31 =  *((char*)(0xffffffff9ffa9b31)) + 1;
      					 *(_t138 - 0x4dce6e0e) =  *(_t138 - 0x4dce6e0e) ^ _t159;
      					_t25 = _t115 - 0x4d7ab2cf;
      					_t26 = _t123;
      					_t123 =  *_t25;
      					 *_t25 = _t26;
      					 *(_t115 - 0x7d) =  *(_t115 - 0x7d) ^ 0;
      					 *(_t159 - 0x62) =  *(_t159 - 0x62) ^ _t115;
      					_t139 = _t138 - 1;
      					 *0xFFFFFFFFFFFFFF9C =  *0xFFFFFFFFFFFFFF9C ^ _t115;
      					_t151 = _t149 - 1 + 1;
      					 *(_t159 - 0x66) =  *(_t159 - 0x66) ^ _t123;
      					 *0xFFFFFFFFFFFFFF99 =  *0xFFFFFFFFFFFFFF99 ^ _t123;
      					 *(_t159 + 1 - 0x69) =  *(_t159 + 1 - 0x69) ^ _t139;
      					_pop(_t161);
      					 *0xFFFFFFFFFFFFFF96 =  *0xFFFFFFFFFFFFFF96 ^ _t139;
      					_pop(0);
      					 *0x00000000 =  *0x00000000 ^ _t115;
      					_t138 = 0x71;
      					 *_t151 =  *_t151 ^ _t164;
      					if( *_t151 >= 0) {
      						L5:
      						 *(_t115 - 0xf) =  *(_t115 - 0xf) ^ 0;
      						_t162 = _t164;
      						 *(_t143 + _t143 * 8 - 0x1741cebe) =  *(_t143 + _t143 * 8 - 0x1741cebe) ^ _t151;
      						 *(0 + _t138 * 8 - 0x125fceb8) =  *(0 + _t138 * 8 - 0x125fceb8) ^ _t164;
      						_t145 = _t143 + 2;
      						 *0xFFFFFFFFB13140E6 =  *0xFFFFFFFFB13140E6 ^ _t145;
      						asm("loope 0x5f");
      						 *(_t115 - 8) =  *(_t115 - 8) ^ 0;
      						_pop(_t131);
      						 *(_t123 - 0xe) =  *(_t123 - 0xe) ^ _t115;
      						 *(_t115 + 0x63 + _t145 * 4) =  *(_t115 + 0x63 + _t145 * 4) ^ _t145;
      						 *_t115 =  *_t115 ^ _t123;
      						asm("sbb [eax+0x31], esp");
      						_t124 = _t123 + 1;
      						_t132 = _t115 + 1;
      						 *_t138 =  *_t138 ^ _t132;
      						_t133 = _t132 |  *(_t162 + 0x31);
      						es = es;
      						_t118 = _t131 - 1;
      						 *_t151 =  *_t151 ^ _t118;
      						es = _t138;
      						_t119 = _t118 - 1;
      						 *_t119 =  *_t119 ^ _t133;
      						_t75 = _t124 + 0x31;
      						 *_t75 =  *(_t124 + 0x31) | _t133;
      						if( *_t75 >= 0) {
      							 *[es:edx] =  *[es:edx] ^ _t164;
      							_t152 = _t151 -  *_t133;
      							asm("adc [edi+0x7], ecx");
      							 *(_t162 - 0x58) =  *(_t162 - 0x58) ^ _t145;
      							 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t138;
      							_push(_t133);
      							 *(_t145 + 0x59 + _t133 * 4) =  *(_t145 + 0x59 + _t133 * 4) ^ _t119;
      							 *(_t124 - 0x45cea106) =  *(_t124 - 0x45cea106) ^ _t152;
      							asm("out 0x42, eax");
      							 *(_t138 - 0x5fcebb12) =  *(_t138 - 0x5fcebb12) ^ _t164;
      							asm("out dx, eax");
      							_t165 = _t164 + 1;
      							 *(_t138 - 0x4bcebf17) =  *(_t138 - 0x4bcebf17) ^ _t145;
      							asm("loop 0x5e");
      							 *(_t145 - 4) =  *(_t145 - 4) ^ _t133;
      							 *_t119 =  *_t119 ^ _t133;
      							if( *_t119 >= 0) {
      								_push(_t119);
      								 *0x23311f47 =  *0x23311f47 ^ _t138;
      								_push(cs);
      								_t153 = _t152 -  *_t133;
      								_t140 = _t138 &  *_t133;
      								 *_t153 =  *_t153 ^ _t140;
      								 *(_t140 - 0x55) =  *(_t140 - 0x55) ^ _t145;
      								asm("pushad");
      								 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t140;
      								asm("outsb");
      								 *(_t140 - 0x74) =  *(_t140 - 0x74) ^ 0x00000008;
      								 *(_t145 - 5) =  *(_t145 - 5) ^ _t133;
      								_t141 = _t165;
      								 *(_t153 - 0x5ecea11e) =  *(_t153 - 0x5ecea11e) ^ _t153;
      								asm("in al, dx");
      								 *(_t141 + 1 - 0x40cebb12) =  *(_t141 + 1 - 0x40cebb12) ^ _t165;
      								while(1) {
      									asm("out dx, al");
      									asm("sti");
      									_t133 = _t133 ^ _t153;
      									asm("into");
      									asm("into");
      									asm("into");
      									 *_t133 =  *_t133 ^ _t153;
      									 *_t133 =  *_t133 ^ _t153;
      									asm("stc");
      								}
      							}
      							 *(_t138 + 0x63) =  *(_t138 + 0x63) ^ _t165;
      							 *(_t152 - 1 + 0x67) =  *(_t152 - 1 + 0x67) ^ _t165;
      							 *(_t119 + 0x5043149) =  *(_t119 + 0x5043149) ^ _t119;
      							_t134 = _t133 - 1;
      							 *0x49050431 =  *0x49050431 ^ _t119;
      							_pop(es);
      							 *(_t119 - 1 + 0x71) =  *(_t119 - 1 + 0x71) ^ 0x49050431;
      							 *_t134 =  *_t134 ^ 0x49050431;
      							 *_t134 =  *_t134 ^ 0x49050431;
      							asm("into");
      							asm("into");
      							_t135 = 0x49050431;
      							asm("into");
      							asm("into");
      							asm("jecxz 0xffffffd0");
      							asm("into");
      							asm("into");
      							asm("fcmovne st0, st6");
      							asm("into");
      							asm("into");
      							asm("into");
      							asm("into");
      							L10:
      							asm("into");
      							asm("into");
      							asm("into");
      							 *_t135 =  *_t135 ^ 0x49050431;
      							 *_t135 =  *_t135 ^ 0x49050431;
      							asm("stc");
      							asm("out dx, al");
      							asm("cli");
      							_t135 = _t135 ^ 0x49050431;
      							goto L10;
      						}
      						 *_t133 =  *_t133 ^ _t151;
      						 *_t133 =  *_t133 ^ _t151;
      						_t157 = _t151 ^ _t133;
      						asm("into");
      						asm("into");
      						_t136 = _t157;
      						asm("into");
      						asm("into");
      						asm("jecxz 0xffffffd0");
      						asm("into");
      						asm("into");
      						asm("fcmovne st0, st6");
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						L7:
      						asm("into");
      						asm("into");
      						asm("into");
      						 *_t136 =  *_t136 ^ _t157;
      						 *_t136 =  *_t136 ^ _t157;
      						asm("stc");
      						asm("out dx, al");
      						asm("cli");
      						_t136 = _t136 ^ _t157;
      						goto L7;
      					}
      					 *_t143 =  *_t143 ^ _t143;
      					_t159 = _t161 +  *_t123;
      					 *(_t115 + _t143 * 2) =  *(_t115 + _t143 * 2) ^ _t164;
      					_t114 = _t115 - 0x31;
      					_t149 = _t151 + 1;
      					 *0x00000000 =  *0x00000000 + _t149;
      				} while ( *0x00000000 > 0);
      				 *(_t149 - 0x64) =  *(_t149 - 0x64) ^ 0x00000071;
      				goto L5;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 9eb7b6897244144aff69002ab45a0ea7b779438a3f08da38c9fb079f5040dc58
      • Instruction ID: 20ba99a5fdbafcb62747c3c0ac12857291a6189e0b89fc51e86d7affe50c3ad5
      • Opcode Fuzzy Hash: 9eb7b6897244144aff69002ab45a0ea7b779438a3f08da38c9fb079f5040dc58
      • Instruction Fuzzy Hash: D6011435909269DB974E9E30880356BBF79FB42B007A5A1AEE443CA872C7714C51EBC5
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
• Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
• Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: cd11c7806e473280b2e1364934d2a2a555de9e4f82fa697673b409e972ad3f30
      • Instruction ID: e09b04d84017201cf6c13bf51e59447eb05d7ea3989e20c2e4fac1b98139d0dd
      • Opcode Fuzzy Hash: cd11c7806e473280b2e1364934d2a2a555de9e4f82fa697673b409e972ad3f30
      • Instruction Fuzzy Hash: 2CF03731C01624CFC72ECE388403546BFB5FF0AB08B61A6AED453DBAB4DA351952CB84
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ca26edffe930dc24ed32630ce92a6cd263fc4c7ef7f3e2df176ac6ab2e2de9b3
      • Instruction ID: b46b54ea0c297a1289bd0a24f60d42424c155b581e3ea2f47adfe754b361f1a2
      • Opcode Fuzzy Hash: ca26edffe930dc24ed32630ce92a6cd263fc4c7ef7f3e2df176ac6ab2e2de9b3
      • Instruction Fuzzy Hash: D7015276255744CFD728CF14DC84AEAB3B6BFE9760F16402AD8159B3A1D3309A01CA00
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a48377fcf880c8ce04b48c8cce440495a3b4493b9ed801bf94a0c6e4b0524f9e
      • Instruction ID: f1642b4d69d6c86adeace4d03d69d200df67159bef3e22ccf7dd9946ee4ea4e8
      • Opcode Fuzzy Hash: a48377fcf880c8ce04b48c8cce440495a3b4493b9ed801bf94a0c6e4b0524f9e
      • Instruction Fuzzy Hash: 0301783554838D8ECF749EB4C8956EBB372EF2AB44F970064C95E8B211E3700682C716
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 50%
      			E004043B8() {
      				signed int _t144;
      				signed int _t147;
      				signed char _t148;
      				signed int _t149;
      				signed int _t152;
      				signed int _t153;
      				signed char _t157;
      				signed int _t158;
      				signed int _t159;
      				void* _t160;
      				signed char _t162;
      				signed char _t163;
      				signed int _t164;
      				void* _t168;
      				signed int _t169;
      				signed int _t170;
      				signed int* _t171;
      				signed int _t172;
      				signed int _t173;
      				signed int _t174;
      				signed int _t175;
      				signed int _t176;
      				signed char _t177;
      				signed int _t178;
      				signed int _t179;
      				void* _t180;
      				signed int _t182;
      				signed int _t183;
      				signed int _t185;
      				void* _t187;
      				signed int _t188;
      				signed int _t191;
      				signed int _t193;
      				signed int _t194;
      				signed int _t195;
      				signed int _t199;
      				signed int _t202;
      				signed int _t203;
      				void* _t205;
      				void* _t206;
      				signed int _t207;
      				signed int _t208;
      				signed int _t209;
      
      				_t158 = _t157 & 0x00000084;
      				 *(_t187 - 0x63ce7d20) =  *(_t187 - 0x63ce7d20) ^ _t158;
      				 *((char*)(_t144 - 0x600365cf)) =  *((char*)(_t144 - 0x600365cf)) + 1;
      				 *(_t144 + _t182 * 8 - 0x46cce67) =  *(_t144 + _t182 * 8 - 0x46cce67) ^ _t174;
      				_t183 = _t144;
      				 *(_t183 - 0xcce7a07) =  *(_t183 - 0xcce7a07) ^ _t158;
      				asm("sti");
      				asm("stc");
      				asm("cli");
      				asm("sti");
      				_t159 = _t158 ^ _t183;
      				asm("cld");
      				asm("loope 0x33");
      				asm("invalid");
      				_t175 = _t182 %  *_t162;
      				asm("popfd");
      				_t147 =  *((intOrPtr*)(_t162 + _t187 + 0x31a383b8));
      				asm("cdq");
      				_t188 = _t187;
      				 *_t188 =  *_t188 ^ _t175;
      				_pop(_t202);
      				 *_t162 =  *_t162 + _t188;
      				 *_t175 =  *_t175 & _t162;
      				 *[cs:ebx+esi*2] =  *[cs:ebx+esi*2] ^ _t207;
      				asm("adc [ecx], esi");
      				asm("adc ebx, [edi+0x19]");
      				 *(_t175 - 0x59) =  *(_t175 - 0x59) ^ _t183;
      				 *(_t162 - 0x64) =  *(_t162 - 0x64) ^ _t159;
      				_pop(_t163);
      				 *(_t147 + 0x41 + _t188 * 8) =  *(_t147 + 0x41 + _t188 * 8) ^ _t163;
      				 *(_t159 - 0x5cceb802) =  *(_t159 - 0x5cceb802) ^ _t183;
      				asm("in eax, 0x40");
      				 *(_t183 - 4) =  *(_t183 - 4) ^ _t163;
      				_pop(_t176);
      				 *(_t202 - 0xb) =  *(_t202 - 0xb) ^ _t147;
      				_push(_t202);
      				 *(_t176 - 0x73) =  *(_t176 - 0x73) ^ _t159;
      				_push(_t147);
      				 *(_t202 - 0x79) =  *(_t202 - 0x79) ^ _t176;
      				asm("insd");
      				 *(_t183 - 0x7f) =  *(_t183 - 0x7f) ^ _t202;
      				_push(0x7f760b31);
      				 *(_t147 + 0x60) =  *(_t147 + 0x60) ^ _t207;
      				_t208 = _t207 - 1;
      				 *(_t159 + 0x68) =  *(_t159 + 0x68) ^ _t202;
      				_t148 =  *0x4a090831;
      				 *_t148 =  *_t148 ^ _t163;
      				 *(_t176 + 0x31) =  *(_t176 + 0x31) | _t163;
      				_t164 = _t163 |  *_t159;
      				_t203 = _t202 - 1;
      				 *(_t176 + 0x73) =  *(_t176 + 0x73) ^ 0xb63147ea;
      				 *_t164 =  *_t164 ^ 0xb63147ea;
      				 *_t164 =  *_t164 ^ 0xb63147ea;
      				_t191 = 0xffffffffb63147eb ^ _t164;
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("jecxz 0xffffffd0");
      				asm("into");
      				asm("into");
      				asm("fcmovne st0, st6");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				asm("into");
      				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
      				 *0xb63147ea =  *0xb63147ea ^ 0xb63147ea;
      				asm("stc");
      				_t177 = _t176 >> 1;
      				do {
      					_t149 = _t148 & 0x00000085;
      					 *(_t191 - 0x63ce7c1f) =  *(_t191 - 0x63ce7c1f) ^ _t159;
      					 *0xFFFFFFFF9FFA9B31 =  *((char*)(0xffffffff9ffa9b31)) + 1;
      					 *(_t177 - 0x4dce6e0e) =  *(_t177 - 0x4dce6e0e) ^ _t203;
      					_t56 = _t149 - 0x4d7ab2cf;
      					_t57 = _t159;
      					_t159 =  *_t56;
      					 *_t56 = _t57;
      					 *(_t149 - 0x7d) =  *(_t149 - 0x7d) ^ 0;
      					 *(_t203 - 0x62) =  *(_t203 - 0x62) ^ _t149;
      					_t178 = _t177 - 1;
      					 *0xFFFFFFFFFFFFFF9C =  *0xFFFFFFFFFFFFFF9C ^ _t149;
      					_t193 = _t191 - 1 + 1;
      					 *(_t203 - 0x66) =  *(_t203 - 0x66) ^ _t159;
      					 *0xFFFFFFFFFFFFFF99 =  *0xFFFFFFFFFFFFFF99 ^ _t159;
      					 *(_t203 + 1 - 0x69) =  *(_t203 + 1 - 0x69) ^ _t178;
      					_pop(_t205);
      					 *0xFFFFFFFFFFFFFF96 =  *0xFFFFFFFFFFFFFF96 ^ _t178;
      					_pop(0);
      					 *0x00000000 =  *0x00000000 ^ _t149;
      					_t177 = 0x71;
      					 *_t193 =  *_t193 ^ _t208;
      					if( *_t193 >= 0) {
      						L6:
      						 *(_t149 - 0xf) =  *(_t149 - 0xf) ^ 0;
      						_t206 = _t208;
      						 *(_t183 + _t183 * 8 - 0x1741cebe) =  *(_t183 + _t183 * 8 - 0x1741cebe) ^ _t193;
      						 *(0 + _t177 * 8 - 0x125fceb8) =  *(0 + _t177 * 8 - 0x125fceb8) ^ _t208;
      						_t185 = _t183 + 2;
      						 *0xFFFFFFFFB13140E6 =  *0xFFFFFFFFB13140E6 ^ _t185;
      						asm("loope 0x5f");
      						 *(_t149 - 8) =  *(_t149 - 8) ^ 0;
      						_pop(_t168);
      						 *(_t159 - 0xe) =  *(_t159 - 0xe) ^ _t149;
      						 *(_t149 + 0x63 + _t185 * 4) =  *(_t149 + 0x63 + _t185 * 4) ^ _t185;
      						 *_t149 =  *_t149 ^ _t159;
      						asm("sbb [eax+0x31], esp");
      						_t160 = _t159 + 1;
      						_t169 = _t149 + 1;
      						 *_t177 =  *_t177 ^ _t169;
      						_t170 = _t169 |  *(_t206 + 0x31);
      						es = es;
      						_t152 = _t168 - 1;
      						 *_t193 =  *_t193 ^ _t152;
      						es = _t177;
      						_t153 = _t152 - 1;
      						 *_t153 =  *_t153 ^ _t170;
      						_t106 = _t160 + 0x31;
      						 *_t106 =  *(_t160 + 0x31) | _t170;
      						if( *_t106 >= 0) {
      							 *[es:edx] =  *[es:edx] ^ _t208;
      							_t194 = _t193 -  *_t170;
      							asm("adc [edi+0x7], ecx");
      							 *(_t206 - 0x58) =  *(_t206 - 0x58) ^ _t185;
      							 *[gs:ebp-0x63] =  *[gs:ebp-0x63] ^ _t177;
      							_push(_t170);
      							 *(_t185 + 0x59 + _t170 * 4) =  *(_t185 + 0x59 + _t170 * 4) ^ _t153;
      							 *(_t160 - 0x45cea106) =  *(_t160 - 0x45cea106) ^ _t194;
      							asm("out 0x42, eax");
      							 *(_t177 - 0x5fcebb12) =  *(_t177 - 0x5fcebb12) ^ _t208;
      							asm("out dx, eax");
      							_t209 = _t208 + 1;
      							 *(_t177 - 0x4bcebf17) =  *(_t177 - 0x4bcebf17) ^ _t185;
      							asm("loop 0x5e");
      							 *(_t185 - 4) =  *(_t185 - 4) ^ _t170;
      							 *_t153 =  *_t153 ^ _t170;
      							if( *_t153 >= 0) {
      								_push(_t153);
      								 *0x23311f47 =  *0x23311f47 ^ _t177;
      								_push(cs);
      								_t195 = _t194 -  *_t170;
      								_t179 = _t177 &  *_t170;
      								 *_t195 =  *_t195 ^ _t179;
      								 *(_t179 - 0x55) =  *(_t179 - 0x55) ^ _t185;
      								asm("pushad");
      								 *0xFFFFFFFFFFFFFFA5 =  *0xFFFFFFFFFFFFFFA5 ^ _t179;
      								asm("outsb");
      								 *(_t179 - 0x74) =  *(_t179 - 0x74) ^ 0x00000008;
      								 *(_t185 - 5) =  *(_t185 - 5) ^ _t170;
      								_t180 = _t209;
      								 *(_t195 - 0x5ecea11e) =  *(_t195 - 0x5ecea11e) ^ _t195;
      								asm("in al, dx");
      								 *(_t180 + 1 - 0x40cebb12) =  *(_t180 + 1 - 0x40cebb12) ^ _t209;
      								while(1) {
      									asm("out dx, al");
      									asm("sti");
      									_t170 = _t170 ^ _t195;
      									asm("into");
      									asm("into");
      									asm("into");
      									 *_t170 =  *_t170 ^ _t195;
      									 *_t170 =  *_t170 ^ _t195;
      									asm("stc");
      								}
      							}
      							 *(_t177 + 0x63) =  *(_t177 + 0x63) ^ _t209;
      							 *(_t194 - 1 + 0x67) =  *(_t194 - 1 + 0x67) ^ _t209;
      							 *(_t153 + 0x5043149) =  *(_t153 + 0x5043149) ^ _t153;
      							_t171 = _t170 - 1;
      							 *0x49050431 =  *0x49050431 ^ _t153;
      							_pop(es);
      							 *(_t153 - 1 + 0x71) =  *(_t153 - 1 + 0x71) ^ 0x49050431;
      							 *_t171 =  *_t171 ^ 0x49050431;
      							 *_t171 =  *_t171 ^ 0x49050431;
      							asm("into");
      							asm("into");
      							_t172 = 0x49050431;
      							asm("into");
      							asm("into");
      							asm("jecxz 0xffffffd0");
      							asm("into");
      							asm("into");
      							asm("fcmovne st0, st6");
      							asm("into");
      							asm("into");
      							asm("into");
      							asm("into");
      							L11:
      							asm("into");
      							asm("into");
      							asm("into");
      							 *_t172 =  *_t172 ^ 0x49050431;
      							 *_t172 =  *_t172 ^ 0x49050431;
      							asm("stc");
      							asm("out dx, al");
      							asm("cli");
      							_t172 = _t172 ^ 0x49050431;
      							goto L11;
      						}
      						 *_t170 =  *_t170 ^ _t193;
      						 *_t170 =  *_t170 ^ _t193;
      						_t199 = _t193 ^ _t170;
      						asm("into");
      						asm("into");
      						_t173 = _t199;
      						asm("into");
      						asm("into");
      						asm("jecxz 0xffffffd0");
      						asm("into");
      						asm("into");
      						asm("fcmovne st0, st6");
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						L8:
      						asm("into");
      						asm("into");
      						asm("into");
      						 *_t173 =  *_t173 ^ _t199;
      						 *_t173 =  *_t173 ^ _t199;
      						asm("stc");
      						asm("out dx, al");
      						asm("cli");
      						_t173 = _t173 ^ _t199;
      						goto L8;
      					}
      					 *_t183 =  *_t183 ^ _t183;
      					_t203 = _t205 +  *_t159;
      					 *(_t149 + _t183 * 2) =  *(_t149 + _t183 * 2) ^ _t208;
      					_t148 = _t149 - 0x31;
      					_t191 = _t193 + 1;
      					 *0x00000000 =  *0x00000000 + _t191;
      				} while ( *0x00000000 > 0);
      				 *(_t191 - 0x64) =  *(_t191 - 0x64) ^ 0x00000071;
      				goto L6;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 05514a68aad8e87db288e7a52d1de5969151983ecbd06ed3abdb85b23ba438b7
      • Instruction ID: dea5de2ffa6901299b53b1d380770115796fa35f42719ab0690045e455ef80aa
      • Opcode Fuzzy Hash: 05514a68aad8e87db288e7a52d1de5969151983ecbd06ed3abdb85b23ba438b7
      • Instruction Fuzzy Hash: 85F0C232408766CFC35FCF71C455563BF72BE8671871405AED082CE1A2D7725106CB84
      Uniqueness

      Uniqueness Score: -1.00%

      C-Code - Quality: 33%
      			E00401A45(signed int* __eax, signed int __ebx, intOrPtr* __ecx, void* __edx, signed int __edi, signed int __esi) {
      				void* _t15;
      				void* _t16;
      				signed int _t20;
      				signed int _t22;
      				signed int _t29;
      				signed int _t31;
      				void* _t43;
      				signed int _t48;
      				signed int _t50;
      				signed int _t59;
      				signed int _t60;
      				signed int _t71;
      				void* _t72;
      
      				L0:
      				while(1) {
      					L0:
      					_t55 = __esi;
      					_t48 = __edi;
      					_push(ss);
      					asm("sbb [eax], bl");
      					asm("sbb [eax], bl");
      					_push(ss);
      					asm("sbb [ebp+0x65f5cb], bh");
      					asm("adc [eax], al");
      					asm("adc [esi], ch");
      					 *__eax = __eax +  *__eax;
      					 *__eax = __eax +  *__eax;
      					 *__eax = __eax +  *__eax;
      					 *__ecx =  *__ecx + __eax;
      					asm("cpuid");
      					_t29 = 0x0000000e ^ __esi;
      					asm("into");
      					asm("into");
      					asm("into");
      					asm("into");
      					asm("sbb [eax+ebx], dl");
      					asm("lfs edx, [ebx+0x71babca0]");
      					_t22 = __ebx |  *__eax;
      					_push(ss);
      					_push(ss);
      					asm("sbb cl, bh");
      					asm("retf");
      					asm("cmpsb");
      					if(_t22 < 0) {
      						break;
      					}
      					L2:
      					asm("adc [eax], dl");
      					 *__edi =  *__edi + _t29;
      					asm("adc [eax], dl");
      					 *[cs:eax] =  *[cs:eax] + __eax;
      					_push(ds);
      					if( *[cs:eax] >= 0) {
      						L1:
      						_t29 = _t29 ^ __esi;
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						_t22 = _t22 ^  *(_t29 - 0x58);
      						asm("retf");
      						 *__esi = ss;
      						continue;
      					} else {
      						L3:
      						_t43 = 0xb1;
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						_t60 = _t59 ^  *(__eax - 0x5b391358);
      						_push(ss);
      						asm("sbb [eax+ebx], dl");
      						_t31 = (_t29 ^ __esi) +  *__esi;
      						_push(cs);
      						asm("sbb [eax], bl");
      						_push(ss);
      						_push(ss);
      						asm("sbb [esi], ecx");
      						_t15 = 0x5c;
      						_t71 =  *(__esi + 0x64) * 0x65;
      						if(_t71 >= 0) {
      							L20:
      							if(__eflags > 0) {
      								L21:
      								asm("adc al, 0x14");
      								goto L22;
      							}
      							goto L23;
      						} else {
      							L4:
      							if(_t71 == 0) {
      								L5:
      								asm("adc [eax], al");
      								asm("adc [eax], dl");
      								asm("adc [ecx], al");
      								L6:
      								_t22 = 0xb6;
      								_t43 = 0xb0;
      								_t31 = _t31 ^ __esi;
      								asm("into");
      								asm("into");
      								asm("into");
      								asm("into");
      							}
      							L7:
      							asm("repne in eax, dx");
      							asm("retf");
      							asm("invalid");
      							asm("adc al, 0x14");
      							asm("adc al, 0x14");
      							asm("sbb [esi], dl");
      							asm("sbb [esi], dl");
      							asm("sbb [eax+ebx], dl");
      							asm("adc al, 0xd8");
      							asm("invalid");
      							_t72 = _t43;
      							_t55 = ss;
      							asm("insd");
      							_push(_t31);
      							if(_t72 > 0) {
      								L30:
      								asm("adc al, 0x16");
      								goto L31;
      							} else {
      								L8:
      								if(_t72 >= 0) {
      									L28:
      									_t15 = 0x1614161d;
      									L29:
      									asm("sbb eax, 0x71161416");
      									goto L30;
      								} else {
      									L9:
      									if(_t72 >= 0) {
      										goto L30;
      									} else {
      										L10:
      										if(_t72 != 0) {
      											L31:
      											_push(ss);
      											if(__eflags >= 0) {
      												goto L13;
      											}
      											L32:
      											asm("invalid");
      											L33:
      											asm("std");
      											asm("out 0xfe, eax");
      											_t15 = _t15 - 1;
      											__eflags = _t55 + 1;
      											_push(0x6b);
      											_push(0x1f7f7f64);
      										} else {
      											L11:
      											if(_t72 >= 0) {
      												L12:
      												L13:
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("out dx, al");
      												asm("out dx, al");
      												asm("invalid");
      												return _t15;
      											}
      											L15:
      											asm("adc al, 0x14");
      											asm("adc al, 0x14");
      											asm("adc al, 0x14");
      											asm("adc al, 0x8c");
      											asm("invalid");
      											asm("out 0xfe, al");
      											_t55 = _t55 + 1;
      											__eflags = _t55;
      											_pop(_t48);
      											_push(0x68);
      											if(__eflags > 0) {
      												L36:
      												asm("retf");
      												asm("out 0x4d, eax");
      												__eflags = _t48 - 1 + 1;
      												asm("insb");
      												_push(0x6b);
      												_push(0x4ea01765);
      												L37:
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("invalid");
      												asm("out dx, eax");
      												asm("out dx, eax");
      												asm("out dx, eax");
      												asm("out dx, eax");
      												goto L37;
      											}
      											L16:
      											if(__eflags >= 0) {
      												L35:
      												asm("invalid");
      												goto L36;
      											}
      											L17:
      											if(__eflags < 0) {
      												L18:
      												if(__eflags != 0) {
      													L22:
      													asm("adc al, 0x14");
      													asm("adc al, 0x14");
      													asm("adc al, 0x2");
      													asm("stc");
      													_t43 = 0x98;
      													asm("invalid");
      													 *((char*)(_t60 + 0x48)) =  *((char*)(_t60 + 0x48)) - 1;
      													_t48 = _t48 + 1;
      													asm("insb");
      													_t60 =  *(_t15 + 0x64) * 0x7f;
      													__eflags = _t60;
      												} else {
      													L19:
      													asm("into");
      													asm("into");
      													asm("into");
      													asm("into");
      													asm("into");
      													_t20 =  *0x33b04eb1 ^ _t60;
      													__eflags = _t20;
      													asm("invalid");
      													asm("out dx, al");
      													asm("invalid");
      													return _t20;
      												}
      												L23:
      												if(__eflags > 0) {
      													L38:
      													__eflags = _t31 + 1;
      													L39:
      													_t16 = _t15 - 0x3d;
      													__eflags = _t16 - 0x495c662c;
      													_t50 = _t48;
      													__eflags = _t50;
      													L40:
      													_t60 = _t60 - 1;
      													_t16 = _t16 - 1;
      													_t50 = _t50 + 2;
      													asm("insb");
      													_t22 = 0x1a;
      													asm("sbb cl, [esi+0x1c]");
      													asm("into");
      													asm("into");
      													asm("into");
      													asm("into");
      													asm("invalid");
      													asm("out dx, eax");
      													asm("out dx, eax");
      													asm("out dx, eax");
      													goto L40;
      												}
      												L24:
      												if (__eflags > 0) goto L38;
      												L25:
      												if(__eflags >= 0) {
      													goto L38;
      												}
      												L26:
      												_push(ds);
      												L27:
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("into");
      												asm("invalid");
      												asm("out dx, eax");
      												asm("out dx, eax");
      												asm("rol dh, 0xc6");
      												asm("sti");
      												goto L28;
      											}
      										}
      									}
      								}
      							}
      						}
      						L34:
      						asm("rdpmc");
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						asm("into");
      						__eflags = 0;
      						asm("invalid");
      						asm("out dx, eax");
      						asm("out dx, eax");
      						asm("out dx, eax");
      						asm("out dx, eax");
      						return _t15;
      					}
      					L41:
      				}
      				L14:
      				return __eax;
      				goto L41;
      			}

      Memory Dump Source
      • Source File: 00000001.00000002.741049233.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000001.00000002.741034895.0000000000400000.00000002.00020000.sdmp
      • Associated: 00000001.00000002.741144145.0000000000415000.00000004.00020000.sdmp
      • Associated: 00000001.00000002.741169709.0000000000417000.00000002.00020000.sdmp
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 4669046f0acb8ce6cab0f471fba06bce818e793e1f435ecedf7697c49e4b61dc
      • Instruction ID: d61846ff54463e24e37a54d55ea69811b0bd50a73b9e1972fcaa09d854266b6b
      • Opcode Fuzzy Hash: 4669046f0acb8ce6cab0f471fba06bce818e793e1f435ecedf7697c49e4b61dc
      • Instruction Fuzzy Hash: F6F0392880E3C19FC3238B704C626803F765D93554B4960CFC4C18F173EA29591CC3A1
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
      • Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
      • Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000001.00000002.742386259.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
      • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
      • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
      Uniqueness

      Uniqueness Score: -1.00%