Play interactive tour

Edit tour

Analysis Report AAN2101002-V017..exe

Overview

General Information

Sample Name:	AAN2101002-V017..exe
Analysis ID:	337920
MD5:	ef80587c41c329e507f7ad9b24037b67
SHA1:	12eee83a37b047af4610032fb3413ff3886e2080
SHA256:	f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Potential time zone aware malware

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

AAN2101002-V017..exe (PID: 1064 cmdline: 'C:\Users\user\Desktop\AAN2101002-V017..exe' MD5: EF80587C41C329E507F7AD9B24037B67)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: AAN2101002-V017..exe PID: 1064	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: AAN2101002-V017..exe PID: 1064	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: AAN2101002-V017..exe

Virustotal: Detection: 11%

Perma Link

Source: AAN2101002-V017..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Code function: 0_2_0040CEDB

0_2_0040CEDB

Source: AAN2101002-V017..exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: AAN2101002-V017..exe, 00000000.00000000.228543860.0000000000416000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe
Source: AAN2101002-V017..exe, 00000000.00000002.1225434392.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs AAN2101002-V017..exe
Source: AAN2101002-V017..exe	Binary or memory string: OriginalFilenamesubcasino.exe vs AAN2101002-V017..exe

Source: AAN2101002-V017..exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

File created: C:\Users\user\AppData\Local\Temp\~DF7E8BA7E2AA2205F3.TMP

Jump to behavior

Source: AAN2101002-V017..exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AAN2101002-V017..exe

Virustotal: Detection: 11%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: AAN2101002-V017..exe PID: 1064, type: MEMORY

Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040F877 push cs; ret	0_2_0040F8C6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040BC14 push cs; retf	0_2_0040BC32
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040B02B push cs; retf	0_2_0040B02E
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040D519 push eax; iretd	0_2_0040D51A
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040F70F push cs; ret	0_2_0040F8C6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_0040F39D push edx; retf	0_2_0040F39E

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D5201	0_2_020D5201
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D7248	0_2_020D7248
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D1A9C	0_2_020D1A9C
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2A9E	0_2_020D2A9E
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D72A6	0_2_020D72A6
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D32FD	0_2_020D32FD
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D7317	0_2_020D7317
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2B28	0_2_020D2B28
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2BA5	0_2_020D2BA5
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D1813	0_2_020D1813
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D6C79	0_2_020D6C79
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2C87	0_2_020D2C87
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2CF2	0_2_020D2CF2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2D7C	0_2_020D2D7C
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D5D89	0_2_020D5D89
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D61B3	0_2_020D61B3
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D71D9	0_2_020D71D9
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D2DD4	0_2_020D2DD4
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D71D7	0_2_020D71D7

Potential time zone aware malware

Show sources

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

System information queried: CurrentTimeZoneInformation

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

RDTSC instruction interceptor: First address: 00000000020D37CF second address: 00000000020D37CF instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FA3A0B0F2B8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e nop 0x0000001f jmp 00007FA3A0B0F2DEh 0x00000021 cmp cx, cx 0x00000024 add edi, edx 0x00000026 cmp ecx, eax 0x00000028 dec ecx 0x00000029 test eax, D4DD871Eh 0x0000002e cmp ecx, 00000000h 0x00000031 jne 00007FA3A0B0F260h 0x00000033 test eax, E413EFD2h 0x00000038 push ecx 0x00000039 test eax, ebx 0x0000003b test dl, FFFFFFBDh 0x0000003e call 00007FA3A0B0F30Ch 0x00000043 call 00007FA3A0B0F2C8h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Code function: 0_2_020D7E0D rdtsc

0_2_020D7E0D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: AAN2101002-V017..exe, 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Code function: 0_2_020D7E0D rdtsc

0_2_020D7E0D

Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D225F mov eax, dword ptr fs:[00000030h]	0_2_020D225F
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D62B2 mov eax, dword ptr fs:[00000030h]	0_2_020D62B2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D1F97 mov eax, dword ptr fs:[00000030h]	0_2_020D1F97
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D689A mov eax, dword ptr fs:[00000030h]	0_2_020D689A
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D24BF mov eax, dword ptr fs:[00000030h]	0_2_020D24BF
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D24D2 mov eax, dword ptr fs:[00000030h]	0_2_020D24D2
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D35C1 mov eax, dword ptr fs:[00000030h]	0_2_020D35C1
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D35C3 mov eax, dword ptr fs:[00000030h]	0_2_020D35C3
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D71D9 mov eax, dword ptr fs:[00000030h]	0_2_020D71D9
Source: C:\Users\user\Desktop\AAN2101002-V017..exe	Code function: 0_2_020D71D7 mov eax, dword ptr fs:[00000030h]	0_2_020D71D7

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: AAN2101002-V017..exe, 00000000.00000002.1225031087.0000000000C20000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\AAN2101002-V017..exe

Code function: 0_2_020D69A8 cpuid

0_2_020D69A8

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Security Software Discovery411	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Virtualization/Sandbox Evasion11	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery211	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
AAN2101002-V017..exe	12%	Virustotal		Browse
AAN2101002-V017..exe	0%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337920
Start date:	11.01.2021
Start time:	09:53:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	AAN2101002-V017..exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.9363946327619495
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AAN2101002-V017..exe
File size:	90112
MD5:	ef80587c41c329e507f7ad9b24037b67
SHA1:	12eee83a37b047af4610032fb3413ff3886e2080
SHA256:	f2b2f10c3c65d8f81641b20ebbf91ca7da5ba685282b24677a4c5561758f7226
SHA512:	c475248a9767dd19cd36bbe3b8d1d7a3666d38a7e2016f8a90e0b78082f795f26e8eea0157bd4073218f2841429827c467985201d8bc775d62663e393ff56f11
SSDEEP:	768:5WaHBo+s2w1BD70JbMp6puJrOJrDLwVAea904epXWHrJnNJzB84:8alZwMi6puJrnha9+elrd
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...).._.................0...0......\........@....@................

File Icon


Icon Hash:	6eeed0e4a4a4e0d2

Static PE Info

General
Entrypoint:	0x40135c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FFBA829 [Mon Jan 11 01:21:45 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2a71f44ac1c823400003a5bea275b301

Entrypoint Preview

Instruction
push 00401E98h
call 00007FA3A09A5635h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+6Fh], al
inc ebx
mov cl, 45h
jo 00007FA3A09A5647h
dec eax
lodsb
inc ebx
push es
push ebp
test dword ptr [edx], edi
movsd
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [eax-5Bh], cl
inc edx
add byte ptr [ebx+6Fh], ah
insb
insb
popad
bound ebp, dword ptr [edi+72h]
popad
je 00007FA3A09A56ABh
outsd
outsb
imul esi, dword ptr [ebx+74h], 00420073h
add dl, byte ptr [eax-7Dh]
add dword ptr [eax], eax
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and dword ptr [D927E8AAh], ebp
shr bh, 1
inc esi
xchg eax, ebx
mov dh, 25h
arpl word ptr [ebp+6Ch], di
out dx, al
sub byte ptr [eax], 0000007Ch
adc al, C9h
int3
add dword ptr [esi+25A4B74Fh], ebx
mov ss, word ptr [3AC46456h]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
loopne 00007FA3A09A564Bh
add byte ptr [eax], al
fild word ptr [06000000h]
add byte ptr [edi+75h], ah
arpl word ptr [ebx+65h], bp
add byte ptr fs:[4E001001h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x12dd4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x16000	0x89c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x10c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x12288	0x13000	False	0.386448910362	data	6.3653956273	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x14000	0x1174	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x16000	0x89c	0x1000	False	0.3330078125	data	3.04800912801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x16334	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x16320	0x14	data
RT_VERSION	0x160f0	0x230	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaCyAdd, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaR4Str, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaVarDup, __vbaVarLateMemCallLd, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	subcasino
FileVersion	1.00
CompanyName	Cloud Share
ProductName	BLOKMARKERINGERNE
ProductVersion	1.00
OriginalFilename	subcasino.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: AAN2101002-V017..exe PID: 1064 Parent PID: 5580

General

Start time:	09:54:13
Start date:	11/01/2021
Path:	C:\Users\user\Desktop\AAN2101002-V017..exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\AAN2101002-V017..exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	EF80587C41C329E507F7AD9B24037B67
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AAN2101002-V017..exe PID: 1064 Parent PID: 5580 AAN2101002-V017..exeCOMMON

Executed Functions

Function 00411074, Relevance: 144.4, APIs: 76, Strings: 6, Instructions: 921COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00411092
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,004011D6), ref: 004110D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041110D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000070), ref: 00411151
#645.MSVBVM60(00000008,00000000), ref: 00411188
__vbaStrMove.MSVBVM60(00000008,00000000), ref: 00411192
__vbaFreeObj.MSVBVM60(00000008,00000000), ref: 0041119A
__vbaFreeVar.MSVBVM60(00000008,00000000), ref: 004111A2
__vbaNew2.MSVBVM60(00402B60,00414010,00000008,00000000), ref: 004111BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004111F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000150), ref: 0041123D
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 00411264
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041129D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000048), ref: 004112E1
__vbaStrMove.MSVBVM60(00000000,?,004026E4,00000048), ref: 0041131F
__vbaChkstk.MSVBVM60(007922BC), ref: 0041133A
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402468,000006F8), ref: 00411390
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004113AE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,004011D6), ref: 004113C0
__vbaFreeVar.MSVBVM60(?,?,?,?,?,004011D6), ref: 004113CB
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,?,004011D6), ref: 004113E3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041141C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000001C0), ref: 00411469
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 00411490
__vbaObjSet.MSVBVM60(?,00000000), ref: 004114C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000078), ref: 00411510
__vbaChkstk.MSVBVM60(?,?), ref: 00411554
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402468,000006FC), ref: 00411595
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004115BC
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,?,?,?,?,004011D6), ref: 004115D7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411610
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000170), ref: 0041165D
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 00411684
__vbaObjSet.MSVBVM60(?,00000000), ref: 004116BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000060), ref: 00411704
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 0041172B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411764
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000080), ref: 004117B1
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 004117D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411811
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000078), ref: 00411858
__vbaStrCopy.MSVBVM60(00000000,?,004026E4,00000078), ref: 00411874
__vbaChkstk.MSVBVM60(00000003,?,0081CCB9,?,?,?,?,?), ref: 00411903
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402468,00000700,?,?,?,?,?), ref: 0041194B
__vbaFreeStr.MSVBVM60(?,?,?,?,?), ref: 0041196B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?), ref: 00411982
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 0041198D
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 004119A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004119DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026D4,00000060), ref: 00411A25
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 00411A4C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411A85
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000001C0), ref: 00411AD2
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 00411AF9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B32
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000000A0), ref: 00411B7C
__vbaChkstk.MSVBVM60(00000003,?), ref: 00411C06
__vbaChkstk.MSVBVM60(00005AC5,?,?,FB4CD7F0,00000003,?), ref: 00411C30
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402468,00000704), ref: 00411C7D
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411CB1
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411CC3
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402438,000002B4), ref: 00411CFD
__vbaNew2.MSVBVM60(00402B60,00414010,?,00000001), ref: 00411D32
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411D6B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,00000060), ref: 00411DB2
__vbaNew2.MSVBVM60(00402B60,00414010,00000000,?,004026E4,00000060), ref: 00411DD9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411E12
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000000A0), ref: 00411E5C
__vbaStrCopy.MSVBVM60(00000000,?,004026E4,000000A0), ref: 00411E84
__vbaChkstk.MSVBVM60(?,?), ref: 00411EC4
__vbaFreeStr.MSVBVM60(?,00000003,?,?), ref: 00411EF1
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000003,?,?), ref: 00411F00
__vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 00411F12
__vbaCyI2.MSVBVM60(00000001), ref: 00411F1C
__vbaCyAdd.MSVBVM60(?,?,00000000,?,00000001), ref: 00411F29
__vbaFpCmpCy.MSVBVM60(?,?,?,?,00000000,?,00000001), ref: 00411F40

Strings

Seksualklinikken9, xrefs: 00411E7C
Holocentridae2, xrefs: 00411C41
Komparenten7, xrefs: 004112F5
Diarch4, xrefs: 004118AB
*qK, xrefs: 00411BDB
centennial, xrefs: 0041186C

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$CopyMove$#645
String ID: *qK$Diarch4$Holocentridae2$Komparenten7$Seksualklinikken9$centennial
API String ID: 3649353455-958078613
Opcode ID: 9c00fe003e1af8955adf8fc0406798cc8a11766b831b22b8d00667b81b97a4ed
Instruction ID: 75b212df2ccf9013cb078b63195fb369fb85eca70f2657a2cdc29c195e97a85d
Opcode Fuzzy Hash: 9c00fe003e1af8955adf8fc0406798cc8a11766b831b22b8d00667b81b97a4ed
Instruction Fuzzy Hash: 0D92E671900218DFDB21DFA1CC49BDDBBB4BB08304F1044EAE609BB2A0DB795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412159, Relevance: 79.0, APIs: 37, Strings: 8, Instructions: 233COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00412177
__vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 004121A1
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 004121AC
__vbaStrCat.MSVBVM60(00402830,VB.,?,?,?,?,004011D6), ref: 004121BB
__vbaStrMove.MSVBVM60(00402830,VB.,?,?,?,?,004011D6), ref: 004121C5
__vbaStrCat.MSVBVM60(ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 004121D0
__vbaStrMove.MSVBVM60(ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 004121DA
__vbaStrCat.MSVBVM60(00402850,00000000,ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 004121E5
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00402438,00000218), ref: 0041223B
__vbaChkstk.MSVBVM60(00000000,00401150,00402438,00000218), ref: 00412252
__vbaChkstk.MSVBVM60(00000000,00401150,00402438,00000218), ref: 00412263
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00412282
__vbaObjVar.MSVBVM60(00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 0041228B
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 00412295
__vbaFreeStrList.MSVBVM60(00000002,00000000,00000000,?,00000000,00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.), ref: 004122A4
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.,?,?,?,?,004011D6), ref: 004122AF
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.), ref: 004122BE
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,00000000,00000000,?,00402850,00000000,ictureBo,00000000,00402830,VB.), ref: 004122D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412312
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000001E8), ref: 0041235F
__vbaChkstk.MSVBVM60(00000000,?,004026E4,000001E8), ref: 00412388
__vbaLateMemSt.MSVBVM60(?,Left), ref: 0041239E
__vbaFreeObj.MSVBVM60(?,Left), ref: 004123A6
__vbaChkstk.MSVBVM60(?,Left), ref: 004123BC
__vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 004123D2
__vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 004123E5
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 004123FB
__vbaLateMemCallLd.MSVBVM60(?,?,Enabled,00000000,?,Visible,?,Top,?,Left), ref: 00412419
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000,ictureBo), ref: 00412426
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000,ictureBo), ref: 00412435
__vbaStrCmp.MSVBVM60(004028A4,004028A4,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850), ref: 0041244F
#546.MSVBVM60(?,004028A4,004028A4,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041245C
__vbaVarMove.MSVBVM60(?,004028A4,004028A4,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00412467
__vbaFreeStr.MSVBVM60(004124C1,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000), ref: 004124A3
__vbaFreeObj.MSVBVM60(004124C1,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000), ref: 004124AB
__vbaFreeVar.MSVBVM60(004124C1,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000), ref: 004124B3
__vbaFreeVar.MSVBVM60(004124C1,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402850,00000000), ref: 004124BB

Strings

ictureBo, xrefs: 004121CB
Add, xrefs: 00412276
Top, xrefs: 004123CA
Left, xrefs: 00412396
Visible, xrefs: 004123F3
VB., xrefs: 004121B1
Enabled, xrefs: 0041240D
tryms, xrefs: 004121F4

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$Late$Move$CallCheckHresultList$#546AddrefCopyNew2
String ID: Add$Enabled$Left$Top$VB.$Visible$ictureBo$tryms
API String ID: 2967171306-456402393
Opcode ID: 9184b79bd639bc87d37ffe960c75c9d6217926759019e9ffa5e10d7801e5aad2
Instruction ID: 837503066abf346e5ec3e9381d335fa9c2ccc3b284d408ba1b86ff14f8ab3420
Opcode Fuzzy Hash: 9184b79bd639bc87d37ffe960c75c9d6217926759019e9ffa5e10d7801e5aad2
Instruction Fuzzy Hash: 4A915E71D002189BDB10EFA1CC46BDEBB75BF08704F5041AAF905BB1E2DBB85A85CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412A7B, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00412A96
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412AC2
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412ACC
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412AD4
__vbaFreeStr.MSVBVM60(00412AF2,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412AEC

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#702ChkstkMove
String ID:
API String ID: 3665094559-0
Opcode ID: c3330dc212f051c618eb18c8f927183ba4f6beb42e7e6c12d9c57570c11e3a40
Instruction ID: 21d726de309a012a45451b9f7c20f7b1408ebf428443d6e1a9308dcffc12f53e
Opcode Fuzzy Hash: c3330dc212f051c618eb18c8f927183ba4f6beb42e7e6c12d9c57570c11e3a40
Instruction Fuzzy Hash: EBF0AF70804249BADB04DB86CE06FDEB7B8EB05724F70032AB021764E0DABC1E048728

Uniqueness

Uniqueness Score: -1.00%

Function 0040135C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401361

Strings

VB5!6&*, xrefs: 0040135C

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 77e9dbebaf7cddfbbf55ead661d169e21599af79f11c4b8e26f5b5b09db0a779
Instruction ID: 12a6abfa1ecb0e45bd0428a6c6ef502e7a024cf901fa5523151c66efff0b7b66
Opcode Fuzzy Hash: 77e9dbebaf7cddfbbf55ead661d169e21599af79f11c4b8e26f5b5b09db0a779
Instruction Fuzzy Hash: 84511F6144E7C18FD3138B7489651827FB0AE1336470A41EBC891CF5F3E26C5D4ACB6A

Uniqueness

Uniqueness Score: -1.00%

Function 00406B57, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 243memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Strings

nj9(, xrefs: 00406B57

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: nj9(
API String ID: 4275171209-2227975322
Opcode ID: 197c8fe187d8d6cb81906f8b2f60484d55fed52809d6c83d6310026708877162
Instruction ID: 27acfa3b027660f3f9fca9527abdf33e8b868c007b76d7c458542659b04f6f3b
Opcode Fuzzy Hash: 197c8fe187d8d6cb81906f8b2f60484d55fed52809d6c83d6310026708877162
Instruction Fuzzy Hash: 8C3147A1E6F303C9E22CA96048805B8651DA50FB906327D7B944F375C3903C3627B85F

Uniqueness

Uniqueness Score: -1.00%

Function 00406DD4, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 210memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Strings

E(__, xrefs: 00406DF7

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: E(__
API String ID: 4275171209-2099735989
Opcode ID: 03b50fed0de6e2e97d76c14e01ddb48cd2c620f803376d8cbd47e8ed1d429ad3
Instruction ID: f486b64670d29ad2663af2ecf0af52ac73898cddf2a269572a08e5736ef80a8f
Opcode Fuzzy Hash: 03b50fed0de6e2e97d76c14e01ddb48cd2c620f803376d8cbd47e8ed1d429ad3
Instruction Fuzzy Hash: 013157E2E6F303C9D32CA5A498805B9651DA10FB942326E7B980F335C3913C3613B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C60, Relevance: 1.5, APIs: 1, Instructions: 275memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cf84f6140f9b8c0c190a4b7b7d66f787e22c4c253e0c1a30275aefa3e8c38e0d
Instruction ID: 76a705a31529ddd127759a9124ed568bdcda7af21ddf3d420cf32c452cf8018a
Opcode Fuzzy Hash: cf84f6140f9b8c0c190a4b7b7d66f787e22c4c253e0c1a30275aefa3e8c38e0d
Instruction Fuzzy Hash: 7A318AA1F6E343C9E22CA95098805F8651DA50FB902326E7B994F374C3513D3627B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406BD4, Relevance: 1.5, APIs: 1, Instructions: 252memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee7cd314e208940c755f18b2aaea4df155362247cd11ac9c065b2e0586727ce1
Instruction ID: 493e0128da899b2ee2d4f43874dcb239439fbef49c907fd61fa54eca058c70b1
Opcode Fuzzy Hash: ee7cd314e208940c755f18b2aaea4df155362247cd11ac9c065b2e0586727ce1
Instruction Fuzzy Hash: B4416BA1E6E303C9D32CA96048844F8651DA50FB506327D7B944F375C3903C3627B99F

Uniqueness

Uniqueness Score: -1.00%

Function 00406A8C, Relevance: 1.5, APIs: 1, Instructions: 244memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0d4e58d9a4ae431a83c24d8d9c30427c42903f6232c23248487c48468ad6f1df
Instruction ID: bdf2586619974bcc4b460791735a31042f64fa604c966be7916cfb4e0bc2eab9
Opcode Fuzzy Hash: 0d4e58d9a4ae431a83c24d8d9c30427c42903f6232c23248487c48468ad6f1df
Instruction Fuzzy Hash: 804186A1F6E313C9D72CA66488901F4651EA50FB40632797B948F371C3903C3627B99F

Uniqueness

Uniqueness Score: -1.00%

Function 00406CED, Relevance: 1.5, APIs: 1, Instructions: 242memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 448fd3779d317bf4d090e7a3e2c4055b4e195dbe9a47da3b8fb2b697eedecdef
Instruction ID: f45c9c3d806109118b83db7a1dcf25d4564e5911fef6417d019af4f61580b3dc
Opcode Fuzzy Hash: 448fd3779d317bf4d090e7a3e2c4055b4e195dbe9a47da3b8fb2b697eedecdef
Instruction Fuzzy Hash: 0B3124A1E6F303C9E72CA5A088805B9651DA50FB941326E7B954F335C3513C3627B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00406B29, Relevance: 1.5, APIs: 1, Instructions: 230memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bff8ee8c5e2db6328f181ec32e3ef4b4f63ef088a322cfda3c74078053fab32f
Instruction ID: b66e2e079707d947db61977529a0f33adcd32607c039b5c8f26bebcd7c2da5bc
Opcode Fuzzy Hash: bff8ee8c5e2db6328f181ec32e3ef4b4f63ef088a322cfda3c74078053fab32f
Instruction Fuzzy Hash: 323146A1E6F303CAE22CA96048805F9652DA50FB946327D7B944F375C3913C3627B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F86, Relevance: 1.5, APIs: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0b62cf456d272b663317ae09fe6cf48980174ac3acde89fd8a1329cf30552969
Instruction ID: 18ec9be322124f8d2dd1779a75b494735a0049685f64619b80de0509e31a9691
Opcode Fuzzy Hash: 0b62cf456d272b663317ae09fe6cf48980174ac3acde89fd8a1329cf30552969
Instruction Fuzzy Hash: 0B215BA1E6F343D9E71DA5A408805B8691D710FB84231AE7B950F375C3903C3613B95F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C19, Relevance: 1.5, APIs: 1, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8d10147e6a8f395c62bec19880d453d8d10aa651b5df37e33383731299cf7282
Instruction ID: 44e91c9d3cfc9b68a778de3ace1c0b26e151a743a39786b5cbba2fe5f07f0795
Opcode Fuzzy Hash: 8d10147e6a8f395c62bec19880d453d8d10aa651b5df37e33383731299cf7282
Instruction Fuzzy Hash: 083134A1F6E303C9E22CA99088805F9641DA50FB945327D7B994F335C3503C3627B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406AF2, Relevance: 1.5, APIs: 1, Instructions: 211memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bae35e3ee66acf7c9638a675ff077168b83d398ddc9dcaea47c89e51730fec76
Instruction ID: dfcd96809d5b9ede78e71b319eec2e01a0e1e07ac7646d026327dcc5296eb173
Opcode Fuzzy Hash: bae35e3ee66acf7c9638a675ff077168b83d398ddc9dcaea47c89e51730fec76
Instruction Fuzzy Hash: 1D3147A2E6E313C9E72CAA5088805F8652DA50FB906327D7B944F375C3517C3627B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406B22, Relevance: 1.4, APIs: 1, Instructions: 194memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f333418530cef1f2ef0d87beaa264591a0f3d1184255764f22d3b354001e4e52
Instruction ID: 08ee33f03df434241d4a63f8e1e3bd9992be3bbdd6607a97bb1824169b8bd548
Opcode Fuzzy Hash: f333418530cef1f2ef0d87beaa264591a0f3d1184255764f22d3b354001e4e52
Instruction Fuzzy Hash: D33144A1E6F303C9E62CAA5048805F8642DA50FB946327D7B954F375C3513C3627B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E5E, Relevance: 1.4, APIs: 1, Instructions: 193memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9ac1dea0c9257c493187c3b5091d05e340ae4899aecc0d5be6b84445104332e
Instruction ID: 1f6e4e81fb88214ddfccd2270ec5ddd990af22a86d217a1c7545a48a6472b752
Opcode Fuzzy Hash: e9ac1dea0c9257c493187c3b5091d05e340ae4899aecc0d5be6b84445104332e
Instruction Fuzzy Hash: A82138A1F6F343C9D31CA56448805B9651DA10FB94131AE7B950F339C3503D3613B85F

Uniqueness

Uniqueness Score: -1.00%

Function 00406D3C, Relevance: 1.4, APIs: 1, Instructions: 192memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4ebf33413bd6b53b3eaf606f5a130cf3976e0128a66c4e14f7d76d58eef2deee
Instruction ID: 8244607443a06e55651fb3c738b3e7e339f669ae4855878133c99e557e30539f
Opcode Fuzzy Hash: 4ebf33413bd6b53b3eaf606f5a130cf3976e0128a66c4e14f7d76d58eef2deee
Instruction Fuzzy Hash: 873155A1F6F303C9E72CA66088805B8651DA50FB94132AE7B950F375C3953C3623B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F4E, Relevance: 1.4, APIs: 1, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c9fa52655d1c8b8d1d12123bf5402a7e6dbf7f713ed6b55423307a8cf8daf38
Instruction ID: 31c3b86c17bd986f4ea9d684f5a446ab2f7ba08f08ca1590456e876f84799ab1
Opcode Fuzzy Hash: 0c9fa52655d1c8b8d1d12123bf5402a7e6dbf7f713ed6b55423307a8cf8daf38
Instruction Fuzzy Hash: B22122A2E6F343C8E62CA5A008805F8641DA10FB94131AA7B990F379C3503D3613B86F

Uniqueness

Uniqueness Score: -1.00%

Function 00406BBB, Relevance: 1.4, APIs: 1, Instructions: 191memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7d2412c525e002ac0af839541ff88ea0e4934e17005299da5eb872e76bfd373d
Instruction ID: 395848b0bea2d5fb32674390c5d04ac70e25f2b53ebb420bcc277826057cf7ad
Opcode Fuzzy Hash: 7d2412c525e002ac0af839541ff88ea0e4934e17005299da5eb872e76bfd373d
Instruction Fuzzy Hash: C93156A1F6F303C9E32CA55088805B8641DA50FB542326D7B944F375C3913C7623B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406D8A, Relevance: 1.4, APIs: 1, Instructions: 186memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1dd716f9a3447cdd0887cb17fe9dbb64ded7b6eb9d4496601a0cdd15df81aefb
Instruction ID: dea54a6f69f7c055147e5339cfbada557185ae329cd15021f7b26138c8fe8145
Opcode Fuzzy Hash: 1dd716f9a3447cdd0887cb17fe9dbb64ded7b6eb9d4496601a0cdd15df81aefb
Instruction Fuzzy Hash: F93157A1E6F303C9E32CA5A048805B9651DA50FB94132BE7B950F335C3513C3623B89F

Uniqueness

Uniqueness Score: -1.00%

Function 00406C51, Relevance: 1.4, APIs: 1, Instructions: 180memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9d128bd4853e478272baf7fc51ba4c3a3225a003f1d73453d23057c92a201667
Instruction ID: a094af6315ec4c015428f403d530ee968df22b4f56c42bfbff3677bca9a13689
Opcode Fuzzy Hash: 9d128bd4853e478272baf7fc51ba4c3a3225a003f1d73453d23057c92a201667
Instruction Fuzzy Hash: A73134A1F6E303CAE62CA95088805F8651DA50FB945326E7B990F375C3513C3627B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00406EB9, Relevance: 1.4, APIs: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 011fa5df433aa40e5482cc9a99b8f905aec3aa4dfe65d9314b46980c4a8627b2
Instruction ID: 9aeaaf662a418ea1c1c67542b917f5cbef3095056ae21f189f7ab9914fcec37f
Opcode Fuzzy Hash: 011fa5df433aa40e5482cc9a99b8f905aec3aa4dfe65d9314b46980c4a8627b2
Instruction Fuzzy Hash: A92104A2E6F343C9E72CA5A418805F9651DA10FB94131AE7B990F375C3503D7A13B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00406DA9, Relevance: 1.4, APIs: 1, Instructions: 176memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a0debdcfe1f2769130c638d2e23678e348e214d564c191a9a1723df5498ede00
Instruction ID: 1b624300647a3d72f45927420de15471e14603325d5fefe8145aad31f35d2c58
Opcode Fuzzy Hash: a0debdcfe1f2769130c638d2e23678e348e214d564c191a9a1723df5498ede00
Instruction Fuzzy Hash: 623126A1E6F303D9E72CA56088805B8651DA50FB94132AE7B950F375C3513D3613B99F

Uniqueness

Uniqueness Score: -1.00%

Function 00406E34, Relevance: 1.4, APIs: 1, Instructions: 171memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7f8bcf31938ca77dd600d22d58d055d3931bc077e05117fd6fc526324d4bb2b9
Instruction ID: 144ecaa057f9113168e874cc4f87020c64596cf446f73ba7b345642c72f404fe
Opcode Fuzzy Hash: 7f8bcf31938ca77dd600d22d58d055d3931bc077e05117fd6fc526324d4bb2b9
Instruction Fuzzy Hash: BD3168A1F6F303C9E32CA56048805B8641DA10FB94132AE7B980F336C3503D7617B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00407015, Relevance: 1.4, APIs: 1, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81ea9170ecd5e2ff0b651b56be588e154cf4246a658539b269c569cb3b90470e
Instruction ID: 3cfe7389577bde6d28035aec1b735e78679f88189abc604dd7b810bdca8f0f42
Opcode Fuzzy Hash: 81ea9170ecd5e2ff0b651b56be588e154cf4246a658539b269c569cb3b90470e
Instruction Fuzzy Hash: BB2144A1F6F343C9E72CA5A008805B8691CA14FB84131AE7B950F379C3543C3603B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00406EA9, Relevance: 1.4, APIs: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fc9fc2614dde729cebc1b0a642b7b14bed4e7cf8646fb80cff31412251dbaca7
Instruction ID: 60dc97787345ab3aa65493186fdb017b54f0de31f26f836fc52e1200483b2334
Opcode Fuzzy Hash: fc9fc2614dde729cebc1b0a642b7b14bed4e7cf8646fb80cff31412251dbaca7
Instruction Fuzzy Hash: B72134A1E6F303C9E72CA5A008805F8651DA10FB94131AE7B990F339C3503D3613B86F

Uniqueness

Uniqueness Score: -1.00%

Function 00406F3B, Relevance: 1.4, APIs: 1, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 22823662cc3883bf002d46188d08a5426eb2b368ba1d5718fa4657b404aa9cac
Instruction ID: 8b1fb48854b9b2d7143adfe64490f0f6603c22aaaa7004dcd7e632f04b70a16d
Opcode Fuzzy Hash: 22823662cc3883bf002d46188d08a5426eb2b368ba1d5718fa4657b404aa9cac
Instruction Fuzzy Hash: 192124A2F6F343D8E72CA5A408805F9641DA10FB94131AA77990F339C3543D3617B8AF

Uniqueness

Uniqueness Score: -1.00%

Function 00406F2F, Relevance: 1.4, APIs: 1, Instructions: 149memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 0040709E

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 69efb1130e9b5fedde7cc559b2e3f58118edb7eebcfe5667ce938a391851847f
Instruction ID: e9d8d69bf889abfde2ea96d05afcdf918fa6a851d78ff9d7d71a0217084e691f
Opcode Fuzzy Hash: 69efb1130e9b5fedde7cc559b2e3f58118edb7eebcfe5667ce938a391851847f
Instruction Fuzzy Hash: 942124A1E7F343C9E72DA5A408805B9651DA10FB95131AE7B990F379C3503D3A13B8AF

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020D6C79, Relevance: 6.5, Strings: 5, Instructions: 262COMMON

Download Yara Rule

Strings

>\, xrefs: 020D07B8
kernel32, xrefs: 020D4ADF
Msi.dll, xrefs: 020D4A99
1.!T, xrefs: 020D0893
8$\, xrefs: 020D07D0

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID: 1.!T$8$\$Msi.dll$kernel32$>\
API String ID: 0-3785409096
Opcode ID: b106a13fd0947feb1a82cfb836604605c81533a70b06f7aa41ae0e332f9f909d
Instruction ID: 5578fa2c143d1a5c24e4ee7a7ed6b4813fe957c713b4cb1caa47acbeb8b35efe
Opcode Fuzzy Hash: b106a13fd0947feb1a82cfb836604605c81533a70b06f7aa41ae0e332f9f909d
Instruction Fuzzy Hash: EE610F387093125DEF219EB89A953FC7B53CF973A0F604226DE879B1C5D361C846D682

Uniqueness

Uniqueness Score: -1.00%

Function 020D71D7, Relevance: .7, Instructions: 686COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91fc25abbccae7b93c815cd9520579368ba4630c736e35994b9ae40e06e370c5
Instruction ID: 721ab6b508ee124dce124582bc6912f09657d88c50ab18902161dd8603568977
Opcode Fuzzy Hash: 91fc25abbccae7b93c815cd9520579368ba4630c736e35994b9ae40e06e370c5
Instruction Fuzzy Hash: DE2291707453069FEF228F34CD947E9B6E2EF42360F548269ED968B2E5D3748481DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020D1A9C, Relevance: .5, Instructions: 472COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbdfd44cff935b6f4bedefc5b62735d5962d0f5c06b3d297f1649752e310825d
Instruction ID: 7a0519a8d82062035a05ccbf374649c97ff855ae81e98c1a7ac7ee93df018d62
Opcode Fuzzy Hash: fbdfd44cff935b6f4bedefc5b62735d5962d0f5c06b3d297f1649752e310825d
Instruction Fuzzy Hash: 1AE1797034530A6FFF214E64CD95BEA36A3EF86350FA04128FE49972D1D3B988C5EA41

Uniqueness

Uniqueness Score: -1.00%

Function 020D32FD, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75e6054702dbb748c8f432d29cfd63f0270bcc052b20183d8a60f4647297648f
Instruction ID: bf844b0097048876e75abb88b4bf5c7b315e1e3f11a395d5e103e6460e9949c6
Opcode Fuzzy Hash: 75e6054702dbb748c8f432d29cfd63f0270bcc052b20183d8a60f4647297648f
Instruction Fuzzy Hash: C4E1A9703493466FEF224F74CD657E97A62EF42350F60822DEE869B1C2C3B98485DB42

Uniqueness

Uniqueness Score: -1.00%

Function 020D5201, Relevance: .5, Instructions: 456COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6e8aa94ef2b3798e3efe4b45d5df90da13c8c1b7e72022dfb88da8d8454ba644
Instruction ID: a38ff51a96da296839fc491365bfdc6f81f83b29dbcf384e96ef182bf616b042
Opcode Fuzzy Hash: 6e8aa94ef2b3798e3efe4b45d5df90da13c8c1b7e72022dfb88da8d8454ba644
Instruction Fuzzy Hash: 58D1B974345306AFFF224E24CD95BFD3AA2EF46350FA04129EE469B1D1D3B98885EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020D5D89, Relevance: .4, Instructions: 430COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956ac61fc207acfc65f15c2cbd152b1c7d52b89d5fd13eadeb0ee46c80d1d2ee
Instruction ID: a9461a04a513e29ca6b8baa7402783da4736d667704c6e056748b3dab5e26702
Opcode Fuzzy Hash: 956ac61fc207acfc65f15c2cbd152b1c7d52b89d5fd13eadeb0ee46c80d1d2ee
Instruction Fuzzy Hash: 11D125B034530AAFFF264F64CD95BE93AA3FF46350FA04128EE49961D1D3B98484EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020D1813, Relevance: .4, Instructions: 427COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76475204386ffa9e82264e5e1954655c39cb78573af8ffe1b6681cf522caaa72
Instruction ID: b6ed232853a0d00ea3182424b8bcb37a14bb74c1c6ed44ed105c5e5c1673864f
Opcode Fuzzy Hash: 76475204386ffa9e82264e5e1954655c39cb78573af8ffe1b6681cf522caaa72
Instruction Fuzzy Hash: 24D1447034130AAFFF215E64CD95BEA36A3FF86750FA04128EE49972D0D7B98485EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020D2A9E, Relevance: .4, Instructions: 380COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2b26a6109fca9db74a024ff9ae04315e2711a123760ec9dea13c684a7f093de
Instruction ID: 31d8c8a5723bbc4b9cc5b91ee7d6a2dadd5765cd0759586eb062845f3f1b79ff
Opcode Fuzzy Hash: f2b26a6109fca9db74a024ff9ae04315e2711a123760ec9dea13c684a7f093de
Instruction Fuzzy Hash: 09B178703413066FFF224F64CD95BE976A2FF46350F604128EE4AAB2D1D3B98885DB41

Uniqueness

Uniqueness Score: -1.00%

Function 020D61B3, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19554e3a2409e1389894a2456d7f1f345af7728bf0cf6220f5bfb45f68f1464a
Instruction ID: 67928615a493283f8c48f1ac1c993b439611e36723cbe1ce522cfb0a0b590a76
Opcode Fuzzy Hash: 19554e3a2409e1389894a2456d7f1f345af7728bf0cf6220f5bfb45f68f1464a
Instruction Fuzzy Hash: 13B1477034530AAFFF224F64CD95BE936A2FF46350FA04128EE45972D1D3B99484AB45

Uniqueness

Uniqueness Score: -1.00%

Function 020D2B28, Relevance: .4, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e5246dc9981e014e61a715fc2f762bf08e6e704e40e43eb108f4b0cc9efad26
Instruction ID: 2e49ccc5ecdf9378dbe73835aed087652f5b37a65be354f28d61b4daf766cced
Opcode Fuzzy Hash: 5e5246dc9981e014e61a715fc2f762bf08e6e704e40e43eb108f4b0cc9efad26
Instruction Fuzzy Hash: AEB1787034530A6FFF224F64CD957E97AA2FF46350F608128EE469B1D1D3B98889EB41

Uniqueness

Uniqueness Score: -1.00%

Function 020D2BA5, Relevance: .3, Instructions: 319COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2d4dac079640818b17a7127c7764041f632853d429f80a8fba0632bcd2e5323
Instruction ID: f79511fcbb4cd125a7c01e50c204a24c6471e8f802391f69ad42b6ea1d6deafa
Opcode Fuzzy Hash: e2d4dac079640818b17a7127c7764041f632853d429f80a8fba0632bcd2e5323
Instruction Fuzzy Hash: EBA1667034530A6FEF624F64CD957F976A2FF46350F604128EE469B1D1D3B988C8AB42

Uniqueness

Uniqueness Score: -1.00%

Function 020D2C87, Relevance: .3, Instructions: 271COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e49a5b876767ecc810d45effa5229d7154417c3116f1fd80d99bc7f39ff2c5d
Instruction ID: fb0e85d13424ecff561f51fd547faab63e23d70fb0b8f37c47223cd0cb6b5d1f
Opcode Fuzzy Hash: 7e49a5b876767ecc810d45effa5229d7154417c3116f1fd80d99bc7f39ff2c5d
Instruction Fuzzy Hash: 1781377034530A6FEF624E64CD957F976A2FF06350F604129ED469B1D1C3B988C8DB82

Uniqueness

Uniqueness Score: -1.00%

Function 0040CEDB, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8e058aa6ced06d752f9edc1332de5abbc0e464b8f21f8dff5542be4b5f9d5b2
Instruction ID: e34ade2f3b08dfe565a079878b575897782dc057dc8e5bdff66821495dc8b307
Opcode Fuzzy Hash: c8e058aa6ced06d752f9edc1332de5abbc0e464b8f21f8dff5542be4b5f9d5b2
Instruction Fuzzy Hash: C3118B2948E3C29BCB578B7CD4E96C77FA4AC0723031E10EED8C45F053C226649ADB96

Uniqueness

Uniqueness Score: -1.00%

Function 020D2CF2, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a5d40efab3cb9600cf37322788f9e78847f64814618a5a7a0f13c78f2fe5fd7
Instruction ID: 69ce25287161fb806ea3295a50bb606891621c1e5ef53f5a42ccb342f52c76a1
Opcode Fuzzy Hash: 3a5d40efab3cb9600cf37322788f9e78847f64814618a5a7a0f13c78f2fe5fd7
Instruction Fuzzy Hash: 9781377034530A6FEF724E64CD957F97662FF06350F604129ED469A1D0C3BA88C8EB82

Uniqueness

Uniqueness Score: -1.00%

Function 020D1F97, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc980e916b3270ea959cc56999ec39c733042629c33a92f53397dfacae237cc7
Instruction ID: 7b59a6284849acf39653519b8773b34bb53ca98c56ca553e4b19ba418f78ea71
Opcode Fuzzy Hash: bc980e916b3270ea959cc56999ec39c733042629c33a92f53397dfacae237cc7
Instruction Fuzzy Hash: F1712871742702EFEB18AF28CD95BEAB3E1FF05350F584229EC9583242DB35A854DB90

Uniqueness

Uniqueness Score: -1.00%

Function 020D2D7C, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c9a101ec13403a70a6cb83f52948d930d65a8a86f0f57796bba9acf2a9e7110
Instruction ID: 47f02415cb0172627946de72e30402a8a5fbe2d77092286313c52124a5c55f07
Opcode Fuzzy Hash: 1c9a101ec13403a70a6cb83f52948d930d65a8a86f0f57796bba9acf2a9e7110
Instruction Fuzzy Hash: E961477434530A6FEF721E64DD95BFD3662EF06750FA04129FD469A1D0C3B688C4AB42

Uniqueness

Uniqueness Score: -1.00%

Function 020D2DD4, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18987d17e0aec3e10d4c640c8f685ae469016964104ca97eee44ea1e8ecc8a30
Instruction ID: fcde13364fd893db70216adb5e18b7713ef32d9a5b41272235b790530e215ead
Opcode Fuzzy Hash: 18987d17e0aec3e10d4c640c8f685ae469016964104ca97eee44ea1e8ecc8a30
Instruction Fuzzy Hash: E161777434530A6EEF725E64DD957F93662EF06350FA04125FE869A1D0C3BA88C8EB42

Uniqueness

Uniqueness Score: -1.00%

Function 020D71D9, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaaf7c5e1507a643409db5743fcb5717e23f87428b52494f7bbf61b5a2fc7ecf
Instruction ID: c3c0b6adf4a988b55d7d321c3b1c5b1a4b4e95937b2bbbd35e0d8980ccb7987b
Opcode Fuzzy Hash: eaaf7c5e1507a643409db5743fcb5717e23f87428b52494f7bbf61b5a2fc7ecf
Instruction Fuzzy Hash: A4610870A483428FDB26CF7888947A5FAD29F13370F948299C9A68B2E6D365C441D763

Uniqueness

Uniqueness Score: -1.00%

Function 020D69A8, Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fa457709d0abe5bd15626b7c695fc2161fe1431a9b43bf1037646f5f063c052
Instruction ID: f019b69f0577a3e33596f639f597d69ade44b3f4a59f665bd2dbe2bab7dd6079
Opcode Fuzzy Hash: 9fa457709d0abe5bd15626b7c695fc2161fe1431a9b43bf1037646f5f063c052
Instruction Fuzzy Hash: 945162745473029FFB212568BA653FF21EE9F023A4F900239DD8343548E767D4C5E952

Uniqueness

Uniqueness Score: -1.00%

Function 020D7248, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f253c498a251c9032a962eb9ab33f6c3aaa38883fea9500808fdaee3638a2c
Instruction ID: 33810eaa0d72394c9eb07f829ffb23bd96e8eaf668d5fa3df086b11a5a2c8f12
Opcode Fuzzy Hash: b1f253c498a251c9032a962eb9ab33f6c3aaa38883fea9500808fdaee3638a2c
Instruction Fuzzy Hash: 6F511B70A443428FDF268A3888947A5FAD19F13370F58C399C9A68F2F6D361C441D763

Uniqueness

Uniqueness Score: -1.00%

Function 020D72A6, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 733ec28411d632b2e4b5b9363890f21b41c208e589dfcb37a2208b656712ad25
Instruction ID: aaf55b5c2c4fbc273bc472e7b99662ba54e543d0c4c07bbda0da8d297635aef0
Opcode Fuzzy Hash: 733ec28411d632b2e4b5b9363890f21b41c208e589dfcb37a2208b656712ad25
Instruction Fuzzy Hash: C5512A309453428EDF338A7889947A5FAC28F13330F54C399C9A64F2EAD3618482D763

Uniqueness

Uniqueness Score: -1.00%

Function 020D7317, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72bd2db415b9eded696ab80e777ab210821e44bdd22771d5fe2d6f359440119a
Instruction ID: 50c3a91ab92afd135ad29ed44bbf228444c37b2b9cc045bc36c14cef4fa78480
Opcode Fuzzy Hash: 72bd2db415b9eded696ab80e777ab210821e44bdd22771d5fe2d6f359440119a
Instruction Fuzzy Hash: 37412870A593428EDF734A7889947A5FAC1CF13370F58C39AC9A68E1EBD3618482D753

Uniqueness

Uniqueness Score: -1.00%

Function 020D24BF, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f08ee65165818321bc42810cca3be8b066807e6b69855ebcb285d8daaaee7a67
Instruction ID: 62f37143ed0018270ec9274446617001997bbc2a301a8b3603a40d7ba2a37f15
Opcode Fuzzy Hash: f08ee65165818321bc42810cca3be8b066807e6b69855ebcb285d8daaaee7a67
Instruction Fuzzy Hash: 5C4137742463029FF7256F28CD99BE9B3A6EF11394F5081A5FD469B1D2C7B0D880DE12

Uniqueness

Uniqueness Score: -1.00%

Function 020D225F, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406d6a22be5a4f85bf2d179c8c7c5b793d68bc8610ec4ca4303dcc7b2e1e8e1e
Instruction ID: 70505633753f32a862c695411daafed5d2da14d5212f4c83c78406a3398c0864
Opcode Fuzzy Hash: 406d6a22be5a4f85bf2d179c8c7c5b793d68bc8610ec4ca4303dcc7b2e1e8e1e
Instruction Fuzzy Hash: E03168317457129FDB68AA28CD55BF973A1FF463A0F144225EC4AE3282CB24EC459B80

Uniqueness

Uniqueness Score: -1.00%

Function 020D7E0D, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a657e1a29f404c0149f676294219ce4514ee0b684a5c0cd80fbef370580497f2
Instruction ID: 0926638dc0cef7ccdffa8629136894935b9204cb42d4371f70d1452ff96ca37c
Opcode Fuzzy Hash: a657e1a29f404c0149f676294219ce4514ee0b684a5c0cd80fbef370580497f2
Instruction Fuzzy Hash: 6D31283060BB02CDEFA55A248A553FEA791AF16350F59C216DD428B0E5C321DC8BE683

Uniqueness

Uniqueness Score: -1.00%

Function 020D24D2, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9810e88b75af93e601d7ba4c159a9cff39e898328f816b0b47d1f9c2851984
Instruction ID: 8bbe90d05079894ac183b382fabdffa653cb338531206f618d230df910012dba
Opcode Fuzzy Hash: 2e9810e88b75af93e601d7ba4c159a9cff39e898328f816b0b47d1f9c2851984
Instruction Fuzzy Hash: D721F8383963019EEF326B68CD55BF8B7A1DF16761F508191ED066B1D2C361C844E943

Uniqueness

Uniqueness Score: -1.00%

Function 020D35C3, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d19cdd41c3d3d4569545cd418ba8d0410ee03f120d8f596fe9dea05b482dbf3
Instruction ID: c0d025317daa4cfc64e2123bacfa2abfa418bd3ef350223bd9eda9c9911d7223
Opcode Fuzzy Hash: 6d19cdd41c3d3d4569545cd418ba8d0410ee03f120d8f596fe9dea05b482dbf3
Instruction Fuzzy Hash: 58E0EC3E3A48634A9D62D9ACDBA66E8B710D7BBAD37105941D107FF5C6C221DC0A42C3

Uniqueness

Uniqueness Score: -1.00%

Function 020D689A, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a339b185670622c181757489fa15783f40b109f8fbf4126b3b79f9632629911
Instruction ID: 8bd063e08001e9a6c9269a95f7e792bb20c4dceb0d60a143088105e473b9fef8
Opcode Fuzzy Hash: 3a339b185670622c181757489fa15783f40b109f8fbf4126b3b79f9632629911
Instruction Fuzzy Hash: 15F06D743023418FCB19DB14D2E8F6AB3F9BF58310F128565E806CBA26E732E840EE10

Uniqueness

Uniqueness Score: -1.00%

Function 020D35C1, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6753a47d3cb188252ebc80bdd6055bd2c29e98fcb235b9a6b57b3b3ddbd77b46
Instruction ID: 9e030d63d785b212e16fdb43ba2b3600db49d5e10cb8bcf88a3536e9e0721ec7
Opcode Fuzzy Hash: 6753a47d3cb188252ebc80bdd6055bd2c29e98fcb235b9a6b57b3b3ddbd77b46
Instruction Fuzzy Hash: E3C04CB62856809BEE11DA0CC491B487361E745685B4504D1F5039B755C264ED45CB45

Uniqueness

Uniqueness Score: -1.00%

Function 020D62B2, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1225496373.00000000020D0000.00000040.00000001.sdmp, Offset: 020D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c6b24f09a0d39e9b7aca4003352cc0e6366210294d2b4de60ed39a2b5124dc
Instruction ID: c6baa4756ca6003317c9422a938df73848126be34136545e243a6e19c528852f
Opcode Fuzzy Hash: 34c6b24f09a0d39e9b7aca4003352cc0e6366210294d2b4de60ed39a2b5124dc
Instruction Fuzzy Hash: 2CB09230652B40CFCE99CE08C190F5073B4B714A00B4118DAF8018BA12C226E800CB00

Uniqueness

Uniqueness Score: -1.00%

Function 00412B05, Relevance: 33.2, APIs: 22, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00412B22
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412B3A
__vbaNew2.MSVBVM60(00402B60,00414010,?,?,?,?,004011D6), ref: 00412B52
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412B8B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004026E4,000001C0), ref: 00412BD8
#561.MSVBVM60(00000003), ref: 00412C00
__vbaFreeObj.MSVBVM60(00000003), ref: 00412C1B
__vbaFreeVar.MSVBVM60(00000003), ref: 00412C23
#714.MSVBVM60(?,00000005,00000000,00000003), ref: 00412C51
__vbaVarTstEq.MSVBVM60(00008002,?,?,00000005,00000000,00000003), ref: 00412C75
__vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?,?,00000005,00000000,00000003), ref: 00412C8B
__vbaR4Str.MSVBVM60(00402914), ref: 00412CA7
#610.MSVBVM60(?,00402914), ref: 00412CBF
#610.MSVBVM60(?,?,00402914), ref: 00412CC8
__vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001), ref: 00412CF4
#662.MSVBVM60(?,0040291C,?,00000000,?,00000002,?,00000001,00000001), ref: 00412D07
__vbaVarTstEq.MSVBVM60(00008002,?,?,0040291C,?,00000000,?,00000002,?,00000001,00000001), ref: 00412D2B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,0040291C,?,00000000,?,00000002,?,00000001,00000001), ref: 00412D49
#546.MSVBVM60(?,?,?,?,?,00402914), ref: 00412D60
__vbaVarMove.MSVBVM60(?,?,?,?,?,00402914), ref: 00412D6B
__vbaFreeVar.MSVBVM60(00412DB3,00000003), ref: 00412DA5
__vbaFreeVar.MSVBVM60(00412DB3,00000003), ref: 00412DAD

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#610List$#546#561#662#714CheckChkstkHresultMoveNew2
String ID:
API String ID: 3512411045-0
Opcode ID: f72c1bf4a872743b840eaf83387d7ec6e3593f2d93460e852ebab84e2b2b2fb9
Instruction ID: 5773b8d82972f5691ef1758c5f0e6f42d2e60a8124b3223a4f0b7953539bed06
Opcode Fuzzy Hash: f72c1bf4a872743b840eaf83387d7ec6e3593f2d93460e852ebab84e2b2b2fb9
Instruction Fuzzy Hash: 65610B75900218EADB10DFA1CD45FDEB7BCBF08704F1041ABA505F7191DB78AA498F69

Uniqueness

Uniqueness Score: -1.00%

Function 004127F6, Relevance: 31.7, APIs: 16, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00412812
__vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 0041283C
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412847
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412852
__vbaHresultCheckObj.MSVBVM60(00000000,00401188,00402438,000000B0), ref: 00412884
__vbaNew2.MSVBVM60(00402B60,00414010), ref: 004128B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004128E4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004026E4,00000158), ref: 00412919
__vbaNew2.MSVBVM60(004027B0,0041433C), ref: 0041293A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004027A0,0000004C), ref: 00412987
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402900,00000024), ref: 004129D0
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004129EE
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,004011D6), ref: 00412A00
__vbaFreeVar.MSVBVM60(00412A4E), ref: 00412A38
__vbaFreeVar.MSVBVM60(00412A4E), ref: 00412A40
__vbaFreeStr.MSVBVM60(00412A4E), ref: 00412A48

Strings

<CA, xrefs: 0041294B
DOMNENAVNENES, xrefs: 004129A5

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ListNew2$ChkstkCopy
String ID: <CA$DOMNENAVNENES
API String ID: 4201096553-3117400353
Opcode ID: a269f75ec010d0bb9d7013d1e9aff2ca6b65b234771a3c4a6c1aaead6edba027
Instruction ID: 37a442c6173ad72638a9ea8c128ef31cbf78e55ee9f9e4cceb3c55ca1f1c80ac
Opcode Fuzzy Hash: a269f75ec010d0bb9d7013d1e9aff2ca6b65b234771a3c4a6c1aaead6edba027
Instruction Fuzzy Hash: 3F61E6B1A00208EFDB10EF95CA49BDDBBB4BF08705F10806AE505BB2A1D7B85995DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004124E0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004124FC
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412526
__vbaVarDup.MSVBVM60 ref: 0041253E
#562.MSVBVM60(?), ref: 00412547
__vbaFreeVar.MSVBVM60(?), ref: 0041255F
__vbaNew2.MSVBVM60(004027B0,0041433C,?), ref: 00412583
__vbaHresultCheckObj.MSVBVM60(00000000,?,004027A0,00000014,?,?,?,?,?,?,?,?), ref: 004125C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004027C0,00000058,?,?,?,?,?,?,?,?), ref: 00412602
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00412620
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00412628
__vbaFreeVar.MSVBVM60(0041265F,?), ref: 00412651
__vbaFreeStr.MSVBVM60(0041265F,?), ref: 00412659

Strings

<CA, xrefs: 00412598

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#562ChkstkMoveNew2
String ID: <CA
API String ID: 2183228509-146778150
Opcode ID: e7b915a41fd8d12b5b94c5ff4623e30c4c85cf6542f7746ea731dba78d34c9eb
Instruction ID: 03e207423d25549a8c2b5c8c2c04cbc93aab452932d5f17d288bfa6ac8f5ea0e
Opcode Fuzzy Hash: e7b915a41fd8d12b5b94c5ff4623e30c4c85cf6542f7746ea731dba78d34c9eb
Instruction Fuzzy Hash: 2341C47590024DAFDB10EFE5CA85BDDBBB5AF08704F20402AE805BB2A1D7785A95CF48

Uniqueness

Uniqueness Score: -1.00%

Function 00412686, Relevance: 22.8, APIs: 11, Strings: 2, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004126A2
__vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 004126CC
#669.MSVBVM60(?,?,?,?,004011D6), ref: 004126D1
__vbaStrMove.MSVBVM60(?,?,?,?,004011D6), ref: 004126DB
__vbaStrCmp.MSVBVM60(pointoptllingers,00000000,?,?,?,?,004011D6), ref: 004126E6
__vbaFreeStr.MSVBVM60(pointoptllingers,00000000,?,?,?,?,004011D6), ref: 004126F9
__vbaNew2.MSVBVM60(004027B0,0041433C,pointoptllingers,00000000,?,?,?,?,004011D6), ref: 0041271D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004027A0,0000001C), ref: 00412761
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D0,00000050), ref: 00412798
__vbaFreeObj.MSVBVM60(00000000,?,004028D0,00000050), ref: 004127A9
__vbaFreeVar.MSVBVM60(004127CF,pointoptllingers,00000000,?,?,?,?,004011D6), ref: 004127C9

Strings

pointoptllingers, xrefs: 004126E1
<CA, xrefs: 00412732

Memory Dump Source

Source File: 00000000.00000002.1224082503.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1224063338.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1224147451.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1224187797.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#669ChkstkMoveNew2
String ID: <CA$pointoptllingers
API String ID: 256872743-2660778481
Opcode ID: 11909a9ba46ff8efa56666af7983bb2ff0cc94674072d2880ce4c1b03429e641
Instruction ID: 59c80258f7745ebf6ba8d4a08065e11361bfd257401526917124f5ab657dc1a8
Opcode Fuzzy Hash: 11909a9ba46ff8efa56666af7983bb2ff0cc94674072d2880ce4c1b03429e641
Instruction Fuzzy Hash: 6031F575900208EFDB00EFA5DA85BDEBBB4BF08704F10802AF411BB2E1DBB85955CB59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report AAN2101002-V017..exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: AAN2101002-V017..exe PID: 1064 Parent PID: 5580

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: AAN2101002-V017..exe PID: 1064 Parent PID: 5580 AAN2101002-V017..exeCOMMON

Executed Functions

Function 00411074, Relevance: 144.4, APIs: 76, Strings: 6, Instructions: 921COMMON

Function 00412159, Relevance: 79.0, APIs: 37, Strings: 8, Instructions: 233COMMON