Play interactive tour

Edit tour

Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Overview

General Information

Sample Name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
Analysis ID:	338980
MD5:	1c51c113cc153b0fc117d86059aef45b
SHA1:	5d75bc8f01d6fa59cff423286e9d85c70ab117e9
SHA256:	358404c3eb767a7f3c698236e15ed705baeef754594bac47bdb8aaf34f26fb19
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe (PID: 5404 cmdline: 'C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe' MD5: 1C51C113CC153B0FC117D86059AEF45B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Virustotal: Detection: 15%

Perma Link

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Process Stats: CPU usage > 98%

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261466111.0000000002260000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSkosnuderne1.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Binary or memory string: OriginalFilenameSkosnuderne1.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

File created: C:\Users\user\AppData\Local\Temp\~DF4DAC590565EC7CD6.TMP

Jump to behavior

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Virustotal: Detection: 15%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404, type: MEMORY

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_004071E9 push esp; iretd	0_2_004071EA
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_00402246 push es; ret	0_2_0040224E
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_00404EAF push ebp; ret	0_2_00404EB0
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02296600 pushad ; ret	0_2_0229663B

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292E31	0_2_02292E31
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02297604	0_2_02297604
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291E19	0_2_02291E19
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292E6F	0_2_02292E6F
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292EBF	0_2_02292EBF
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291E92	0_2_02291E92
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292F31	0_2_02292F31
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291F15	0_2_02291F15
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292FA6	0_2_02292FA6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291FD5	0_2_02291FD5
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292037	0_2_02292037
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_0229300B	0_2_0229300B
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02293082	0_2_02293082
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292CF1	0_2_02292CF1
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291D3A	0_2_02291D3A
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292D6E	0_2_02292D6E
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291D53	0_2_02291D53
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291DAF	0_2_02291DAF
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022975A7	0_2_022975A7
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022941BE	0_2_022941BE
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022975B5	0_2_022975B5
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02292DD1	0_2_02292DD1
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022939D5	0_2_022939D5

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

RDTSC instruction interceptor: First address: 0000000002296E67 second address: 0000000002296E67 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	RDTSC instruction interceptor: First address: 0000000002296E67 second address: 0000000002296E67 instructions:
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	RDTSC instruction interceptor: First address: 00000000022939B8 second address: 00000000022939B8 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F4E20AB4188h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ecx, edx 0x0000001f pop ecx 0x00000020 cmp edx, 4B27F30Eh 0x00000026 add edi, edx 0x00000028 dec ecx 0x00000029 cmp ecx, 00000000h 0x0000002c jne 00007F4E20AB4125h 0x0000002e test eax, ebx 0x00000030 push ecx 0x00000031 jmp 00007F4E20AB41C4h 0x00000033 call 00007F4E20AB41EFh 0x00000038 call 00007F4E20AB4198h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Code function: 0_2_0229222F rdtsc

0_2_0229222F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Code function: 0_2_0229222F rdtsc

0_2_0229222F

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02297604 mov eax, dword ptr fs:[00000030h]	0_2_02297604
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022926AA mov eax, dword ptr fs:[00000030h]	0_2_022926AA
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022926D9 mov eax, dword ptr fs:[00000030h]	0_2_022926D9
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02293776 mov eax, dword ptr fs:[00000030h]	0_2_02293776
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02296B81 mov eax, dword ptr fs:[00000030h]	0_2_02296B81
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02296B9C mov eax, dword ptr fs:[00000030h]	0_2_02296B9C
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02296B9E mov eax, dword ptr fs:[00000030h]	0_2_02296B9E
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022923CB mov eax, dword ptr fs:[00000030h]	0_2_022923CB
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022964BD mov eax, dword ptr fs:[00000030h]	0_2_022964BD
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022964BF mov eax, dword ptr fs:[00000030h]	0_2_022964BF
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_02291D3A mov eax, dword ptr fs:[00000030h]	0_2_02291D3A
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022975A7 mov eax, dword ptr fs:[00000030h]	0_2_022975A7
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	Code function: 0_2_022975B5 mov eax, dword ptr fs:[00000030h]	0_2_022975B5

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261124181.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261124181.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261124181.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261124181.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe, 00000000.00000002.1261124181.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Code function: 0_2_02296B9C cpuid

0_2_02296B9C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery511	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	16%	Virustotal		Browse
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe	7%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338980
Start date:	13.01.2021
Start time:	08:44:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 6.1% (good quality ratio 1.7%) Quality average: 15.4% Quality standard deviation: 26.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.927959719120462
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
File size:	81920
MD5:	1c51c113cc153b0fc117d86059aef45b
SHA1:	5d75bc8f01d6fa59cff423286e9d85c70ab117e9
SHA256:	358404c3eb767a7f3c698236e15ed705baeef754594bac47bdb8aaf34f26fb19
SHA512:	156dbe490041097ca0cd2d3f5dd0a88f6d30b412a2ff41fae4f16dfbefa79f10f2f210d0b54709e280a633c0370dd6d71cab4e722c632d0cecf0ddad057eda38
SSDEEP:	768:8ravqjz1jk8o9EqI26lZm06YTbaTvy/7AoVSWfpguqOE1yC6VQWfF:8rCqejEqIxy06YvGvyPVSWfveyJlN
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L..../._.....................0............... ....@................

File Icon


Icon Hash:	6eeed0e4a4a4e0d2

Static PE Info

General
Entrypoint:	0x40121c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FFE2FD8 [Tue Jan 12 23:25:12 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f08e2fa188bfdb85d74117a6c20b7544

Entrypoint Preview

Instruction
push 00401CECh
call 00007F4E20C2C045h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
imul ebp, dword ptr [ebp+0B249EBFh], 41h
xchg eax, edx
mov bh, ACh
leave
dec eax
jno 00007F4E20C2C0A9h
jecxz 00007F4E20C2C052h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [esi+42h], dl
push esp
imul ebp, dword ptr [ebp+55h], 4449524Eh
inc ecx
inc edx
dec esp
inc ebp
dec esi
inc ebp
push ebx
push ebx
add byte ptr [ebp+00h], cl
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and ebp, edi
mov ecx, 9EB193E3h
jle 00007F4E20C2C097h
scasb
das
jl 00007F4E20C2C054h
mov bl, F8h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11544	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x898	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xcc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10958	0x11000	False	0.40380859375	data	6.38071654209	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x1160	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x898	0x1000	False	0.330078125	data	3.02964460996	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14330	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1431c	0x14	data
RT_VERSION	0x140f0	0x22c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, _adj_fpatan, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Skosnuderne1
FileVersion	1.00
CompanyName	Web Share.
ProductName	glasering
ProductVersion	1.00
OriginalFilename	Skosnuderne1.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404 Parent PID: 5584

General

Start time:	08:45:16
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe'
Imagebase:	0x400000
File size:	81920 bytes
MD5 hash:	1C51C113CC153B0FC117D86059AEF45B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404 Parent PID: 5584 RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exeCOMMON

Executed Functions

Function 00406ACA, Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Strings

Iw==, xrefs: 00406B17
====, xrefs: 00406B1C
====, xrefs: 00406B2B
====, xrefs: 00406B26
====, xrefs: 00406B21

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ====$====$====$====$Iw==
API String ID: 4275171209-1378605431
Opcode ID: 10858c9009b75a3dc8705d70d20c82b288898c3cdf06911cd9f4d734dd8e5503
Instruction ID: 3ea4904d6758a3be47684c5326da66eecc15b53dbe1d56520fea106fd6a9dc00
Opcode Fuzzy Hash: 10858c9009b75a3dc8705d70d20c82b288898c3cdf06911cd9f4d734dd8e5503
Instruction Fuzzy Hash: FBE0BFDAC2F196D6D9B80A1004A04782029984AB143331C27D487FB981853EDD736D0F

Uniqueness

Uniqueness Score: -1.00%

Function 0040121C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 77%

			_entry_(signed int __eax, void* __ecx, void* __edx, signed int __edi, void* __esi, void* __fp0) {
				intOrPtr* _t36;
				signed char _t38;
				intOrPtr* _t41;
				intOrPtr* _t51;
				intOrPtr* _t54;
				signed int _t56;
				void* _t61;
				signed int _t63;
				signed int _t66;
				signed int _t67;
				signed int _t69;
				void* _t70;

				_t70 = __fp0;
				_t57 = __esi;
				_t56 = __edi;
				_push("VB5!6&*"); // executed
				L00401216(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t36 = __eax + 1;
				 *_t36 =  *_t36 + _t36;
				 *_t36 =  *_t36 + _t36;
				 *_t36 =  *_t36 + _t36;
				_t51 = __ecx + __ecx;
				_t54 = _t36;
				_t45 = 0xac;
				_t67 =  *(_t61 + 0xb249ebf) * 0x41;
				_pop(_t63);
				_t38 = __edx - 1;
				if(_t38 >= 0) {
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					__eflags =  *_t38;
					goto L7;
				} else {
					asm("jecxz 0x2");
					 *_t38 =  *_t38 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *_t51 =  *_t51 + _t38;
					 *_t38 =  *_t38 + _t38;
					 *((intOrPtr*)(__esi + 0x42)) =  *((intOrPtr*)(__esi + 0x42)) + _t54;
					_push(_t67);
					_t54 = _t54 + 1;
					_t67 = _t67 - 1;
					_t57 = __esi - 1;
					_t66 = 2 +  *(_t63 + 0x55) * 0x4449524e;
					_push(0xac);
					_push(0xac);
					 *_t66 =  *_t66 + _t51 + 1;
					 *_t38 =  *_t38 + _t38;
					_t45 = 0x158;
					asm("int3");
					 *_t38 =  *_t38 ^ _t38;
					_t63 = _t66 & __edi;
					_t69 = _t63;
					_t51 = 0x9eb193e3;
					if(_t69 <= 0) {
						L7:
						 *_t38 =  *_t38 + _t38;
						 *_t38 =  *_t38 + _t38;
						 *_t38 =  *_t38 + _t38;
						 *_t56 =  *_t56 + _t45;
						_t41 = (_t38 |  *_t38) + _t51 + 0x9000000;
						_t7 = _t45 + 0x6e;
						 *_t7 =  *((intOrPtr*)(_t45 + 0x6e)) + _t54;
						__eflags =  *_t7;
						if(__eflags == 0) {
							asm("popad");
							asm("popad");
							if(__eflags < 0) {
								 *0x53000501 =  *0x53000501 + _t51;
								__eflags =  *0x53000501;
								L11:
								 *0x52505300 =  *0x52505300 + _t41;
								__eflags =  *0x52505300;
								L12:
								_push(_t45);
								_push(_t41);
								_push(_t54);
								_t51 = _t51 - 1;
								_t56 = _t56 + 1;
								 *_t51 =  *_t51 + _t45;
								 *_t41 =  *_t41 + _t41;
								_t54 = _t54 + 1;
								 *_t54 =  *_t54 + _t41;
								 *_t45 =  *_t45 + _t67;
								_t9 = _t41;
								_t41 =  *0x746c0000;
								 *0x746c0000 = _t9;
								 *_t41 =  *_t41 + _t41;
								__eflags =  *_t41;
								if( *_t41 > 0) {
									 *_t41 =  *_t41 + _t41;
									 *_t41 =  *_t41 + _t41;
									 *_t41 =  *_t41 + _t41;
									__eflags =  *_t41;
								}
								 *_t51 =  *_t51 + _t41;
								 *_t41 =  *_t41 + _t54;
								asm("adc [eax], al");
								 *_t51 =  *_t51 + _t41;
								 *_t41 =  *_t41 + _t51;
								 *((intOrPtr*)(_t41 + 5)) =  *((intOrPtr*)(_t41 + 5)) + _t51;
								 *_t41 =  *_t41 + _t41;
								_push(ss);
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t51;
								 *_t41 =  *_t41 + _t41;
								__eflags =  *_t41;
								L15:
								 *_t41 =  *_t41 + _t41;
								asm("adc [eax], al");
								 *_t41 =  *_t41 + _t41;
								__eflags =  *_t41;
								L16:
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t51 =  *_t51 + _t41;
								 *_t41 =  *_t41 + _t51;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *((intOrPtr*)(_t41 + 1)) =  *((intOrPtr*)(_t41 + 1)) + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t51 =  *_t51 + _t41;
								 *_t41 =  *_t41 + _t41;
								__eflags =  *_t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								 *_t41 =  *_t41 + _t41;
								_t14 = _t56 - 0x66;
								 *_t14 =  *((intOrPtr*)(_t56 - 0x66)) + _t54;
								__eflags =  *_t14;
							}
							if(__eflags != 0) {
								goto L11;
							}
							_t54 = 0;
							if(__eflags < 0) {
								goto L12;
							}
							_t41 = 0xcba36600;
						}
						 *0xa76a00cb = _t41;
						asm("rol dword [eax], cl");
						_push(0xffffffa8);
						asm("rol dword [eax], cl");
						_push(0x6700d5a8);
						asm("lodsb");
						_push(0xffffffab);
						_t70 = _t70 +  *_t41 +  *_t41;
						if(__eflags >= 0) {
							goto L15;
						}
						asm("aad 0x0");
						if(__eflags < 0) {
							goto L16;
						}
						asm("fiadd dword [eax]");
						asm("insd");
						 *((intOrPtr*)(_t57 - 0x4b)) =  *((intOrPtr*)(_t57 - 0x4b)) + 0xe5;
						goto 0xe8f57d71;
						_t18 = _t56 - 0x45;
						 *_t18 =  *((intOrPtr*)(_t56 - 0x45)) + _t45;
						__eflags =  *_t18;
					} else {
						asm("scasb");
						asm("das");
						if(_t69 >= 0) {
						}
						asm("invalid");
						asm("invalid");
						asm("in eax, dx");
						return;
						_pop(__edi);
						__eflags = __esi;
					}
				}
			}

0x0040121c
0x0040121c
0x0040121c
0x0040121c
0x00401221
0x00401226
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x00401230
0x00401231
0x00401233
0x00401235
0x00401237
0x00401240
0x00401241
0x00401243
0x00401243
0x00401244
0x00401245
0x0040129e
0x0040129f
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012b9
0x004012bb
0x004012bd
0x004012bd
0x00000000
0x00401247
0x00401247
0x00401249
0x0040124b
0x0040124d
0x0040124f
0x00401251
0x00401254
0x0040125e
0x0040125f
0x00401261
0x00401262
0x00401263
0x00401264
0x00401265
0x00401269
0x0040126b
0x0040126d
0x0040126e
0x00401270
0x00401270
0x00401272
0x00401277
0x004012be
0x004012be
0x004012c0
0x004012c2
0x004012c4
0x004012ca
0x004012cf
0x004012cf
0x004012cf
0x004012d2
0x004012d4
0x004012d6
0x004012d7
0x004012d9
0x004012d9
0x004012db
0x004012db
0x004012db
0x004012de
0x004012de
0x004012df
0x004012e0
0x004012e1
0x004012e2
0x004012e3
0x004012e5
0x004012e7
0x004012e8
0x004012ea
0x004012ec
0x004012ec
0x004012ec
0x004012f2
0x004012f2
0x004012f4
0x004012f6
0x004012f8
0x004012fa
0x004012fa
0x004012fa
0x004012fb
0x004012fd
0x004012ff
0x00401301
0x00401303
0x00401305
0x00401308
0x0040130a
0x0040130b
0x0040130d
0x0040130f
0x0040130f
0x00401310
0x00401310
0x00401312
0x00401314
0x00401314
0x00401315
0x00401315
0x00401317
0x00401319
0x0040131b
0x0040131d
0x0040131f
0x00401321
0x00401324
0x00401326
0x00401328
0x0040132a
0x0040132c
0x0040132e
0x00401330
0x00401330
0x00401331
0x00401333
0x00401335
0x00401337
0x00401339
0x00401339
0x00401339
0x00401339
0x0040133e
0x00000000
0x00000000
0x00401340
0x00401342
0x00000000
0x00000000
0x00401344
0x00401344
0x00401347
0x0040134c
0x0040134e
0x00401350
0x00401352
0x00401357
0x0040135a
0x0040135c
0x0040135e
0x00000000
0x00000000
0x00401360
0x00401362
0x00000000
0x00000000
0x00401364
0x00401366
0x00401369
0x0040136c
0x00401371
0x00401371
0x00401371
0x00401279
0x00401279
0x0040127a
0x0040127b
0x0040127b
0x0040127f
0x00401282
0x00401285
0x00401286
0x00401287
0x00401288
0x00401288
0x00401277

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401221

Strings

VB5!6&*, xrefs: 0040121C, 004012DE

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 77f0dead37287a3cb08f528548955b0833df7669557fe37f1f7156945b1dc0d7
Instruction ID: 8ad4c12453b459a4d1c1a92bc06a9c8e6d3bf258dc984dd45e4bb0c94d7f676c
Opcode Fuzzy Hash: 77f0dead37287a3cb08f528548955b0833df7669557fe37f1f7156945b1dc0d7
Instruction Fuzzy Hash: 1D51986158E3C15FD7038BB48C256917FB49E63264B1A05EBC891EF0F3E2AC4C4AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0040697C, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Strings

N, xrefs: 0040698F

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: N
API String ID: 4275171209-1130791706
Opcode ID: 2aaba850eda6ba815705f725e489eb9108915607f6947af858634474001709cf
Instruction ID: 6d33395dfe68d7d8c80f0bd6eeaeec7b163b1d4f498097f706928f1a7acd7db8
Opcode Fuzzy Hash: 2aaba850eda6ba815705f725e489eb9108915607f6947af858634474001709cf
Instruction Fuzzy Hash: A5F012E0B3E266C6E71CA95448545B571B8B74F710A37603B909FB70C1467C5633790F

Uniqueness

Uniqueness Score: -1.00%

Function 004065E9, Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON

Download Yara Rule

C-Code - Quality: 59%

			E004065E9() {
				void* _t3;
				signed char _t5;
				intOrPtr* _t10;
				intOrPtr* _t19;

				if((_t5 | _t5) < 0) {
					 *_t10 =  *_t10 + _t3;
				}
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t10 =  *_t10 + _t3;
				 *_t19 =  *_t19 + 0x16101285;
				asm("cld");
				asm("fnop");
				asm("cld");
				asm("cld");
				asm("clc");
				 *_t19 =  *_t19 + 0x16;
				asm("fnop");
				asm("clc");
				while(1) {
					asm("clc");
					asm("clc");
					asm("clc");
					_push(0x72423e4b);
				}
			}

0x004065ec
0x004065ee
0x004065ee
0x004065ef
0x004065f1
0x004065f3
0x004065f5
0x004065f7
0x004065f9
0x004065fb
0x004065fd
0x004065ff
0x00406601
0x00406603
0x00406605
0x00406607
0x00406609
0x0040660b
0x0040660d
0x0040660f
0x00406611
0x00406613
0x00406632
0x00406656
0x00406686
0x004066c8
0x0040673a
0x00406744
0x00406766
0x00406791
0x004067d7
0x004067d7
0x00406808
0x0040682c
0x0040683c
0x0040683c

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 346011dca647ff9edff64e239f2a3c407e13a75de34c605448fd4fc0e243eebf
Instruction ID: d614807b64c222c5551784140138bee4cc8ee46dd8faccceafdac250f8331f7b
Opcode Fuzzy Hash: 346011dca647ff9edff64e239f2a3c407e13a75de34c605448fd4fc0e243eebf
Instruction Fuzzy Hash: 92114CE1A6F322CAD258665449501F571ACEA1FB28A33A83BD08F774C6963D0537790F

Uniqueness

Uniqueness Score: -1.00%

Function 0040668A, Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6b0e68cd244ccc3a98d620236417856fac1acd26a7e5135a259966f42a7d91e5
Instruction ID: 56ac22aef18cf2407ae68e4fe39388890a9b9985759875106098873eb1fbfef5
Opcode Fuzzy Hash: 6b0e68cd244ccc3a98d620236417856fac1acd26a7e5135a259966f42a7d91e5
Instruction Fuzzy Hash: 4D01C8E1A6F227C9E258751449405B460ACE60FB18633A43BD08F734C7863D5537791F

Uniqueness

Uniqueness Score: -1.00%

Function 0040665A, Relevance: 1.4, APIs: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 27fb98ae4be8c9b13997c5c781920b894baf68ced8e49cde164531d5346c37f2
Instruction ID: 391482e6064562be384cb2a249c0030f8aef7722bfa90cb32382f09d244a7817
Opcode Fuzzy Hash: 27fb98ae4be8c9b13997c5c781920b894baf68ced8e49cde164531d5346c37f2
Instruction Fuzzy Hash: 1F01A5E2A6F227C9E258651449405B460BCE60FB18633A43BD08F734C7863D5637791F

Uniqueness

Uniqueness Score: -1.00%

Function 0040676B, Relevance: 1.4, APIs: 1, Instructions: 120
memoryCOMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040676B() {
				void* _t13;
				void* _t34;

				_t34 = _t13 + 1;
				asm("sbb edx, [ebx+edi*2+0x7b]");
				if(_t34 != 0) {
					asm("stosb");
					asm("stosb");
					L22:
					asm("stosb");
					asm("stosb");
					L23:
					asm("stosb");
					L24:
					L25:
					L36:
					asm("clc");
					L37:
					L39:
					asm("clc");
					_push(0x72423e4b);
				}
				if(_t34 != 0) {
					goto L22;
				}
				if(_t34 != 0) {
					goto L23;
				}
				if(_t34 != 0) {
					goto L25;
				}
				if(_t34 != 0) {
					asm("das");
					asm("lahf");
					L27:
					asm("insb");
					asm("adc esp, ebx");
					L28:
					asm("fcomp3 st4");
					L29:
					asm("fcomp3 st4");
					L30:
					asm("fcomp3 st4");
					L31:
					asm("fcomp3 st4");
					L32:
					asm("fcomp3 st4");
					L33:
					asm("fcomp3 st4");
					L34:
					asm("fcomp3 st4");
					L35:
					goto L36;
				}
				if(_t34 != 0) {
					goto L27;
				}
				if(_t34 != 0) {
					goto L28;
				}
				if(_t34 != 0) {
					goto L29;
				}
				if(_t34 != 0) {
					goto L30;
				}
				if(_t34 != 0) {
					goto L31;
				}
				if(_t34 != 0) {
					goto L32;
				}
				if(_t34 != 0) {
					goto L33;
				}
				if(_t34 != 0) {
					goto L34;
				}
				if(_t34 != 0) {
					goto L35;
				}
				if(_t34 != 0) {
					goto L37;
				}
				if(_t34 != 0) {
					goto L39;
				}
				if (_t34 != 0) goto L13;
				asm("clc");
				asm("clc");
				goto L24;
			}

0x0040676b
0x0040676c
0x00406770
0x004067ed
0x004067ee
0x004067ef
0x004067ef
0x004067f0
0x004067f1
0x004067f1
0x00000000
0x004067f3
0x00406808
0x00406808
0x00406809
0x0040682c
0x0040682c
0x0040683c
0x0040683c
0x00406772
0x00000000
0x00000000
0x00406774
0x00000000
0x00000000
0x00406776
0x00000000
0x00000000
0x00406778
0x004067f5
0x004067f6
0x004067f7
0x004067f7
0x004067f8
0x004067f9
0x004067f9
0x004067fb
0x004067fb
0x004067fd
0x004067fd
0x004067ff
0x004067ff
0x00406801
0x00406801
0x00406803
0x00406803
0x00406805
0x00406805
0x00406807
0x00000000
0x00406807
0x0040677a
0x00000000
0x00000000
0x0040677c
0x00000000
0x00000000
0x0040677e
0x00000000
0x00000000
0x00406780
0x00000000
0x00000000
0x00406782
0x00000000
0x00000000
0x00406784
0x00000000
0x00000000
0x00406786
0x00000000
0x00000000
0x00406788
0x00000000
0x00000000
0x0040678a
0x00000000
0x00000000
0x0040678c
0x00000000
0x00000000
0x0040678e
0x00000000
0x00406829
0x00406790
0x00406791
0x004067d7
0x00000000

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: acfcdfc804a6eba0044f3a062da6dcfc1e9bb3c53b1ef203aa01077a8f100802
Instruction ID: 8cd88cf906a33233c27ea14095fbde2d452e8715032ded6fe3ae0eef3964f4b2
Opcode Fuzzy Hash: acfcdfc804a6eba0044f3a062da6dcfc1e9bb3c53b1ef203aa01077a8f100802
Instruction Fuzzy Hash: 802187A192F212DADB58AA2C88508B0727DE62F724633A53BC44B3B4C7C63C5133795F

Uniqueness

Uniqueness Score: -1.00%

Function 004066CD, Relevance: 1.4, APIs: 1, Instructions: 111memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2ec4d7d989593048acce765372e167a9679aab788e2cf0658989e29e0c5910ed
Instruction ID: de5983eb8b7ea087a7f72944079559d6e2a7f104d7362c6ddb2c2a1e471cf18e
Opcode Fuzzy Hash: 2ec4d7d989593048acce765372e167a9679aab788e2cf0658989e29e0c5910ed
Instruction Fuzzy Hash: E011E5E1A6F326CAE658695449402B471ADE60FB04A33A43B908F774C6863D5237790F

Uniqueness

Uniqueness Score: -1.00%

Function 00406844, Relevance: 1.4, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 49e057a30bc04c9c8e23259bda4010a925a78b8431dc9e1c43c2c04c6e81cd30
Instruction ID: 4d4a0b98332057eb322e59ecf9f46a71374f930617cfca0a926a8daf5e5eed5f
Opcode Fuzzy Hash: 49e057a30bc04c9c8e23259bda4010a925a78b8431dc9e1c43c2c04c6e81cd30
Instruction Fuzzy Hash: 1BF0AFE1A6F226CAE228654049805B871BCEA0FB10633B43BD08F734C6863D5633790F

Uniqueness

Uniqueness Score: -1.00%

Function 00406911, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 76fde89ad5ebd12ce0bb0e807adc81bae28acb6a877c1f7bd9f98c3b31312908
Instruction ID: 6b01f32959cdfc30781f65453e729fa2b977fd2887e84d692d334435ad3ea588
Opcode Fuzzy Hash: 76fde89ad5ebd12ce0bb0e807adc81bae28acb6a877c1f7bd9f98c3b31312908
Instruction Fuzzy Hash: E3118ED16EE219CDF6146A4448830B82229A5CA310733957B885BFA8C196FD5233F9CF

Uniqueness

Uniqueness Score: -1.00%

Function 00406796, Relevance: 1.3, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 316b2bfd6f7fd91828d3bc3d2d6bcb7b9fdb4dd49bc1ef6cc065e1545819b4c5
Instruction ID: b9fde464ab31eeefdd10c3d55e281ada1c9aed7874536e785209043f14dd7190
Opcode Fuzzy Hash: 316b2bfd6f7fd91828d3bc3d2d6bcb7b9fdb4dd49bc1ef6cc065e1545819b4c5
Instruction Fuzzy Hash: 0DF0CFE2A6F227CAE66875044A405B525BCE60FB04633A43BD08F734C6863D5237790F

Uniqueness

Uniqueness Score: -1.00%

Function 00406635, Relevance: 1.3, APIs: 1, Instructions: 98memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e9fa8ebd07c676a531c26c2a9f04c2a60a454b3c5b52e540e3070a625dcafcc1
Instruction ID: aff3aebf2464b985f0c1baabc7660c4bf1c315959ce444deded6a70e06591088
Opcode Fuzzy Hash: e9fa8ebd07c676a531c26c2a9f04c2a60a454b3c5b52e540e3070a625dcafcc1
Instruction Fuzzy Hash: E801E9E1A6F212C9E25C651449441F460ACE60FB18633A43BD08F734C6863D5237791F

Uniqueness

Uniqueness Score: -1.00%

Function 004067DB, Relevance: 1.3, APIs: 1, Instructions: 84memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a2aa518af39fb5e3411932eb523d8fe86ad38a3306b41f07ba54c553aeec0b5b
Instruction ID: 40f4af9ffaea6af1df3f7ff22a85902a53a8313e8ba7925a44099176122b2a75
Opcode Fuzzy Hash: a2aa518af39fb5e3411932eb523d8fe86ad38a3306b41f07ba54c553aeec0b5b
Instruction Fuzzy Hash: B7F0CFE2A6F226CAE268B51449405F560BCE60FB00633A437908F734C6863D5137790F

Uniqueness

Uniqueness Score: -1.00%

Function 00406835, Relevance: 1.3, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 48c3162282aba71471eb988f7e3d2db48f83b3a9740431cfbb8508fedcde8309
Instruction ID: fc52b89227ab345ac43fd5b6f8518d5a32c06aa3be8049d3f7a98ce4fd31aa2e
Opcode Fuzzy Hash: 48c3162282aba71471eb988f7e3d2db48f83b3a9740431cfbb8508fedcde8309
Instruction Fuzzy Hash: CA01F6D1ABF226C9E628650409505F422BDE60FB04573A437D4CF774C6863D4237790F

Uniqueness

Uniqueness Score: -1.00%

Function 0040674A, Relevance: 1.3, APIs: 1, Instructions: 76
memoryCOMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040674A() {
				intOrPtr _t13;
				char _t19;
				char* _t23;
				void* _t27;

				 *_t23 = _t19;
				_t3 = _t27 - 0x78787879;
				 *_t3 = _t13;
				_t5 = _t27 - 0x78787879;
				 *_t5 =  *_t3;
				_t7 = _t27 - 0x78787879;
				 *_t7 =  *_t5;
				 *((intOrPtr*)(_t27 - 0x78787879)) =  *_t7;
				asm("fnop");
				asm("clc");
				while(1) {
					asm("clc");
					asm("clc");
					asm("clc");
					_push(0x72423e4b);
				}
			}

0x0040674c
0x0040674e
0x0040674e
0x00406754
0x00406754
0x0040675a
0x0040675a
0x00406760
0x00406766
0x00406791
0x004067d7
0x004067d7
0x00406808
0x0040682c
0x0040683c
0x0040683c

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 433a5c4307dc6c26e9eb67e1b05d4858444eff0d0bdeb9d00b9a9fb35fe300d6
Instruction ID: d8b432d2cc95f7c23c5f7b39f81b331a94446c5ae86035f9d0bfe1f8d8996a88
Opcode Fuzzy Hash: 433a5c4307dc6c26e9eb67e1b05d4858444eff0d0bdeb9d00b9a9fb35fe300d6
Instruction Fuzzy Hash: DB0117A1A6F263C9D719A92444405B471BDEA0FB44633A43BC08F7B0C3863C4173B94F

Uniqueness

Uniqueness Score: -1.00%

Function 0040673D, Relevance: 1.3, APIs: 1, Instructions: 75memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d6c12720af403fc7c45aeb80b5ce43c233a5bf502c2d217aea7d0e2613d4ad1d
Instruction ID: c264be11d5f8f3ac75517e82d6d882d502e9940a2973205aa524832a23997656
Opcode Fuzzy Hash: d6c12720af403fc7c45aeb80b5ce43c233a5bf502c2d217aea7d0e2613d4ad1d
Instruction Fuzzy Hash: 4C01E8E1A6F266C9E25C650449405F521BCE60FB14633A837D08F774C7853D5537791F

Uniqueness

Uniqueness Score: -1.00%

Function 00406890, Relevance: 1.3, APIs: 1, Instructions: 71memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ac77a7c8dec3cf17409e91e7a315a334773e6df8b7e8f6f94257629415cbd296
Instruction ID: 82ae21150bd64444f3347276a179b986c054dbd4d6606409740ad790b9639b29
Opcode Fuzzy Hash: ac77a7c8dec3cf17409e91e7a315a334773e6df8b7e8f6f94257629415cbd296
Instruction Fuzzy Hash: B6F0F8E1A6F326CAE218650049401F470BCE60F710A33A43BD08F734C2863C5633790F

Uniqueness

Uniqueness Score: -1.00%

Function 00406A5C, Relevance: 1.3, APIs: 1, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ee31cb5bc7eb9bc04a7f7a75a054e969337704dc07d53bb21262c4e1c24c257d
Instruction ID: e953d7ca6619898600cf09abff8ff8d8c5c1cb003427f8cb47eb50f8076672e0
Opcode Fuzzy Hash: ee31cb5bc7eb9bc04a7f7a75a054e969337704dc07d53bb21262c4e1c24c257d
Instruction Fuzzy Hash: 21E0B69092E2A6D5E6588A6415941F676BCE60F7157333877D08FFB0C2893CA133712F

Uniqueness

Uniqueness Score: -1.00%

Function 004068D0, Relevance: 1.3, APIs: 1, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b5b3e7a8f383bb05e5e6fa7049ebb08098144a5f85b96afc58e01b1471de02b7
Instruction ID: b32f2ef23c73d8bf42fc0415d264be0bc2a81b66aadc443f990239ea9b0f2fdb
Opcode Fuzzy Hash: b5b3e7a8f383bb05e5e6fa7049ebb08098144a5f85b96afc58e01b1471de02b7
Instruction Fuzzy Hash: D3F0FEE0A5E366CAD25C696049401B5707CEA4F700633643BD08FB34C6863C5633794F

Uniqueness

Uniqueness Score: -1.00%

Function 00406B37, Relevance: 1.3, APIs: 1, Instructions: 58memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81e4eb49aed5d78d6745a030456b6cad63ef8fd20c76898a0197593b8cce557d
Instruction ID: 92648bb5a9e2345e74ae6ea25dbebc4df10bcc23709468ab14a7e2beb0779a00
Opcode Fuzzy Hash: 81e4eb49aed5d78d6745a030456b6cad63ef8fd20c76898a0197593b8cce557d
Instruction Fuzzy Hash: D7D0CAA0A3E26AC8EAAC051009940B82038E81FB40233203BD08FF30C2893CA133310F

Uniqueness

Uniqueness Score: -1.00%

Function 0040687C, Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 30a1aacb29cf3c1e11ec886429e74019010e1ab835f16fdd39ad605e45919fa5
Instruction ID: e4dd69c98077f44fd5d2d0986a3def1359c5366392e712408be5d616862707b1
Opcode Fuzzy Hash: 30a1aacb29cf3c1e11ec886429e74019010e1ab835f16fdd39ad605e45919fa5
Instruction Fuzzy Hash: 85F0C4E1A6F256CAD319A61445401B435BCEA0F710737A47BD08F774D2853C5537BA0F

Uniqueness

Uniqueness Score: -1.00%

Function 004068BD, Relevance: 1.3, APIs: 1, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a3abe3ca836ca6e5281c7538c8b34b790e93fd931d7015649d61abff66be044b
Instruction ID: 71de8f3eba1e05a10ecdc4d2589855d5fbc8ed00ff08dabc4a7843b649633e20
Opcode Fuzzy Hash: a3abe3ca836ca6e5281c7538c8b34b790e93fd931d7015649d61abff66be044b
Instruction Fuzzy Hash: BAF0DAE1A6E766CAD618665049541B571BCF60F710B33A43BD08FB74C2863C5533790F

Uniqueness

Uniqueness Score: -1.00%

Function 004068F5, Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: df59f0b3bffbdcc18a83e30ba47ec52058449a379e53c049f38a6f9bd3d2840a
Instruction ID: 250b37a6f88b592a0524bfc480408b2194c0e6a19778c71e4f2ade420e0bb37e
Opcode Fuzzy Hash: df59f0b3bffbdcc18a83e30ba47ec52058449a379e53c049f38a6f9bd3d2840a
Instruction Fuzzy Hash: 54F01CE0A6E366CAD218A51445805B870BDE60F710633A437D08F735C2863C5633790F

Uniqueness

Uniqueness Score: -1.00%

Function 004069B3, Relevance: 1.3, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bcc08726f8d857ce9c6f06f22320001103fd6832e341d63bb0a78e5bd2d2228e
Instruction ID: 12d1527ee898115ea2add350daecbb03b6f5b22fe657073cf18a53935384a299
Opcode Fuzzy Hash: bcc08726f8d857ce9c6f06f22320001103fd6832e341d63bb0a78e5bd2d2228e
Instruction Fuzzy Hash: FEF0F895A2E2A6C9D618591048446B036A8AA0F7107376877D48BB70C2857CA633750F

Uniqueness

Uniqueness Score: -1.00%

Function 00406A3B, Relevance: 1.3, APIs: 1, Instructions: 43memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE ref: 00406B62

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ce2b08df978f40d3d1a213a0f48ef9aab9570a59fa239a068c3b0ab0cbbaace3
Instruction ID: b7baedc87e23ed7327f1d7c459ef751ecbe8254f0167ce9454058aa2d594e9f9
Opcode Fuzzy Hash: ce2b08df978f40d3d1a213a0f48ef9aab9570a59fa239a068c3b0ab0cbbaace3
Instruction Fuzzy Hash: C5D01CD0B3E26AC9E228590009805F831BCE95FB10137A037D08FB75C24A3C6233364F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02291D3A, Relevance: 4.7, Strings: 3, Instructions: 960COMMON

Download Yara Rule

Strings

advapi32, xrefs: 02294D24
.dll, xrefs: 02294CDB
1.!T, xrefs: 02290859

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID: .dll$1.!T$advapi32
API String ID: 0-1744229641
Opcode ID: b5f59e73912fcb68ea2525276ac197e291f11802329527ce7e42c01ebe6715e3
Instruction ID: ced67196d1de409c114424a1a3ebde7cf5b653984638879b638f1949fc194f86
Opcode Fuzzy Hash: b5f59e73912fcb68ea2525276ac197e291f11802329527ce7e42c01ebe6715e3
Instruction Fuzzy Hash: CC62BC71760306EFEF249FA4CC90BE573A6FF45350F548228ED899B288D7B49885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 022975A7, Relevance: 4.3, Strings: 3, Instructions: 539COMMON

Download Yara Rule

Strings

advapi32, xrefs: 02294D24
.dll, xrefs: 02294CDB
1.!T, xrefs: 02290859

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID: .dll$1.!T$advapi32
API String ID: 0-1744229641
Opcode ID: 9e4146dcb43909edfacf5ae2403817690282f4e6487a2da99bb6f0a33537de9a
Instruction ID: 0701613422e71120bc3a078d01af698a8dce75571728ae364a64ce099ad3aad0
Opcode Fuzzy Hash: 9e4146dcb43909edfacf5ae2403817690282f4e6487a2da99bb6f0a33537de9a
Instruction Fuzzy Hash: 310268B46343438EEF249FB489E47E5B792AF46360F848269DC964B2DED3A4C442C712

Uniqueness

Uniqueness Score: -1.00%

Function 022939D5, Relevance: 4.3, Strings: 3, Instructions: 517COMMON

Download Yara Rule

Strings

advapi32, xrefs: 02294D24
.dll, xrefs: 02294CDB
1.!T, xrefs: 02290859

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID: .dll$1.!T$advapi32
API String ID: 0-1744229641
Opcode ID: fce89abe58e755a45c8f0bcd4d0b370cb8acf9d8d0d3b520289236243913a38b
Instruction ID: 1000c45a1b0b25ebcfd53f8a8302136f19ca95c73665478ee86caf89c82aeb52
Opcode Fuzzy Hash: fce89abe58e755a45c8f0bcd4d0b370cb8acf9d8d0d3b520289236243913a38b
Instruction Fuzzy Hash: A0F1AA7476030AEFFF209EA0CC957E936A2EF46750F944225FE855B2C8D3B49885CB46

Uniqueness

Uniqueness Score: -1.00%

Function 022941BE, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d1d8d276a223edcee2eaba51699e3f1a66ad5679c5aba46b664d6b34572b31
Instruction ID: de67adf9162067255a4aab5cc0257a9b8014b20dcac9dfc845ab6027314e1630
Opcode Fuzzy Hash: 90d1d8d276a223edcee2eaba51699e3f1a66ad5679c5aba46b664d6b34572b31
Instruction Fuzzy Hash: CCB1577079030AAFFF205E60CD95BE93662EF41740F948128FE899B2D8D7B994C5CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02292CF1, Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 845cebe88f31fadaba326ce57fefe2854727f40a40c73424b21613857811fa45
Instruction ID: d2faab77c5542fd4144b4980de2d555bd2d099a6f262e6753285d015cfc0132f
Opcode Fuzzy Hash: 845cebe88f31fadaba326ce57fefe2854727f40a40c73424b21613857811fa45
Instruction Fuzzy Hash: 0EB158B029030AEFFF205E60CD95BE93662EF41340F948128FE859B2D8D7B994C5CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02292D6E, Relevance: .3, Instructions: 303COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bcf4411adf8bf4d491666ad57d995ce2cecf55fcfa81b665d849ba70c100036
Instruction ID: 26277f80089edba0e2788d431b333ee00eaf64ea125a0c52a2d65bda8316cf29
Opcode Fuzzy Hash: 2bcf4411adf8bf4d491666ad57d995ce2cecf55fcfa81b665d849ba70c100036
Instruction Fuzzy Hash: F7A179B025030AEFFF218E60CD95BE93662EF45340F948128FE859B2D8D7B994C5CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02291D53, Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79d3114acc03aecbfe790b7dce03a22cc5260f25343785dc1c978a8d81af1991
Instruction ID: 0a3e20e173428679c2a8d41cd0855b58ba58c90e029511f391f5b7651ff3104d
Opcode Fuzzy Hash: 79d3114acc03aecbfe790b7dce03a22cc5260f25343785dc1c978a8d81af1991
Instruction Fuzzy Hash: 5CA104B5610707EFEB149F68CD90BD1B3A5FF06350F548328DC9983248E7B8A855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292DD1, Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25fd10fd9a1423cb4c2c51f34c6c145b6c118f42f634fa13d5a9217a86b41705
Instruction ID: 53f6b51981508b34bb8efcb24ea1058afd498d88258ef975e0f4a56317f5e545
Opcode Fuzzy Hash: 25fd10fd9a1423cb4c2c51f34c6c145b6c118f42f634fa13d5a9217a86b41705
Instruction Fuzzy Hash: F49148B065030AAFFF218E60CD957E936A2EF45340F548128FE859B2D8D7B994C5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02291DAF, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98fbf972ac061333d0e403595b78a02abe4ab2438fd6b6a45e89efec61672484
Instruction ID: af51f4129956a21a5096cd7ca35f91b1d913062820382d554da64417f54094f8
Opcode Fuzzy Hash: 98fbf972ac061333d0e403595b78a02abe4ab2438fd6b6a45e89efec61672484
Instruction Fuzzy Hash: 1891E1B5710707EFEB149FA8CD90BE5B3A5BF06350F548328DC9983248E7B4A895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292E31, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 249e2f8b29de53e3c379f04a41fab2c1df9f04a8ff7d8b5201d14e9f27a43e44
Instruction ID: 56bacf34de7390ba3f5d6b5b8ae109b62534aeb98302729e77b6bc84e0e94485
Opcode Fuzzy Hash: 249e2f8b29de53e3c379f04a41fab2c1df9f04a8ff7d8b5201d14e9f27a43e44
Instruction Fuzzy Hash: 778148B029030AAFFF218E60CD957E93762EF45340F548128EE858B2D8D7F994C5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02291E19, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd664c2949d88ad78cacdde75e14a7a1ae30f1f28643a7da095d8c90bc4cdaf3
Instruction ID: c57aba192913887edd54719ee3cf9a9eda199460eed51196f6ea6aaa7030a39f
Opcode Fuzzy Hash: fd664c2949d88ad78cacdde75e14a7a1ae30f1f28643a7da095d8c90bc4cdaf3
Instruction Fuzzy Hash: BC810F71710706EFEB158F68CD90BE1B3A5FF06350F648328DC9983249E7B4A895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292E6F, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d057702fbb61e10837b4ab97c745df36c33d8f47201e0d7982e8fe15e764f59
Instruction ID: 257833724040d775d14f706226c484a7881b7a7131013d84ffebc5035dd8a999
Opcode Fuzzy Hash: 0d057702fbb61e10837b4ab97c745df36c33d8f47201e0d7982e8fe15e764f59
Instruction Fuzzy Hash: 3281677025030AAFFF218EA0CD95BE97662EF45340F544128FD898B1D8C7B998D4DB86

Uniqueness

Uniqueness Score: -1.00%

Function 02292EBF, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 095d8ad1894f0e2afe227502d0a74c535ee1c7018534939b5b12647adb2e5ba9
Instruction ID: 86eb5401fcecbc1a0c5f625aa484928011d556708cecaf9c5227552e679e0723
Opcode Fuzzy Hash: 095d8ad1894f0e2afe227502d0a74c535ee1c7018534939b5b12647adb2e5ba9
Instruction Fuzzy Hash: 1D81497025030AAFFF218E50CD957E93662EF45350F548128FE898B2D8D7F998D5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02291E92, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65a6feb66092e0c124457eed930df0e6c364933444f57700a9132438a0599a66
Instruction ID: 7617ec3d7f6512e8bdae51df1340656caa6f96ba0317e9cc257cd2b67bc5e5e2
Opcode Fuzzy Hash: 65a6feb66092e0c124457eed930df0e6c364933444f57700a9132438a0599a66
Instruction Fuzzy Hash: 767114B2710717EFEB149F68CD90BE1B3A5FF05350F548328DC9983248E7A5A895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292F31, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d43d6ee9a61f4283651ed27fd557998f1864e82b6fea0fc44c623d9239bf164e
Instruction ID: f935836fd4f1198768bbd585883f19fc8b951c17d62ba99ff2b137184dc47f85
Opcode Fuzzy Hash: d43d6ee9a61f4283651ed27fd557998f1864e82b6fea0fc44c623d9239bf164e
Instruction Fuzzy Hash: 6B71377029030AAFFF218E50CD957E93662EF45340F548128FE858B1D8D7F998D5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02291F15, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb34e623a502a70a291fd53a9b189d023900f13d7a8609edfa4f66955f8fa9a
Instruction ID: cbb7cae64d4fa9cec4dc6ffe8cf41010e8da21db877b0c364b6894a29994a328
Opcode Fuzzy Hash: 7bb34e623a502a70a291fd53a9b189d023900f13d7a8609edfa4f66955f8fa9a
Instruction Fuzzy Hash: B86137B2710716EFEB149B68CD80BE573E5FF05360F548328ED9983288E7A49895CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292FA6, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 274209b823fa82ce9603b9517ef1c08d426e2d9c36287286492454527cd0bbc5
Instruction ID: 2e51fdf57e5d4ff83888e88820f9b5cb3424c718bbfd8bedfe4c1c973ff9413a
Opcode Fuzzy Hash: 274209b823fa82ce9603b9517ef1c08d426e2d9c36287286492454527cd0bbc5
Instruction Fuzzy Hash: 1B61267029030AAFFF359EA0CD95BE93662EF45340F548124FE898A1D8D7F588C5DB86

Uniqueness

Uniqueness Score: -1.00%

Function 022975B5, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d39876c6c512f2de241789e2a470b034ad442567f8f9f4746e519c64b84ac1f
Instruction ID: 22d8adaf2212d9c7346785cc43a121d6f3ac2636b99f00f38525df10964f07ba
Opcode Fuzzy Hash: 6d39876c6c512f2de241789e2a470b034ad442567f8f9f4746e519c64b84ac1f
Instruction Fuzzy Hash: 5E6127B0638343CEDF259F68C9D47A5B7E2EF56320F4882A9D8968B2DAD3758441C713

Uniqueness

Uniqueness Score: -1.00%

Function 022926AA, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e8a8aae0e797eb2271ea30a638948b7ea715cbc2c9d728e7fd77364cb6c2f52
Instruction ID: 4788a51a8a8bfa7faec146cfcea57eebeffa017286c8c971c8eccbe04da99942
Opcode Fuzzy Hash: 9e8a8aae0e797eb2271ea30a638948b7ea715cbc2c9d728e7fd77364cb6c2f52
Instruction Fuzzy Hash: 2D510A74274301EEEF24ABE8D994BF9329ABF11754F90416AFC4297099C7A5C8C5CE12

Uniqueness

Uniqueness Score: -1.00%

Function 0229300B, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 411c2e08c20d551884f047b3b7777f9e8a9c6d886d70f045e3205c43ec3b9772
Instruction ID: aff97c65a8971529da51da714785d2c745390db6ca1ca25c493385d72952dd5f
Opcode Fuzzy Hash: 411c2e08c20d551884f047b3b7777f9e8a9c6d886d70f045e3205c43ec3b9772
Instruction Fuzzy Hash: 0151587029030AAFFF319E60CD957E936A2EF45340F548024FE898A2D8D7F588C5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02297604, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80cdbb248cc73483e535ce4b95d6ce7aeec2108d2ef56643efae8b285075f185
Instruction ID: ad6e2bcd089a85b78153aba97e53d1dad19e1e391b62b6b8e45ef80b1b408e72
Opcode Fuzzy Hash: 80cdbb248cc73483e535ce4b95d6ce7aeec2108d2ef56643efae8b285075f185
Instruction Fuzzy Hash: A051F8B06383838EDF259F688994BA5F7D2AF56360F4882ADCC958B2DAD3758441C712

Uniqueness

Uniqueness Score: -1.00%

Function 02293082, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bb07c08744268e60e53e3d7bbdcf9cb19fecb2a243a0cccabaabb93bdb46230
Instruction ID: 7cc86b017cb71811e8e4ec73d6b9f4fc4309157caecb6a41c30862f017397906
Opcode Fuzzy Hash: 1bb07c08744268e60e53e3d7bbdcf9cb19fecb2a243a0cccabaabb93bdb46230
Instruction Fuzzy Hash: 9251597425030AEFFF259E60CD917E83662FF45350F448024FE858A1A8D7F588C5CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02291FD5, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09d84ba5ff3f5ad009e7cff6eb2f1e6eeff8076f62c3c25481f12207da44f354
Instruction ID: d3f6a6e2e5a8194718b68e1965c3ca4664c9ac140f0f26377a98e3aa32d27cf0
Opcode Fuzzy Hash: 09d84ba5ff3f5ad009e7cff6eb2f1e6eeff8076f62c3c25481f12207da44f354
Instruction Fuzzy Hash: 4A513571620712EFDB149F68CC80BD1B3A5FF05320F148328DD5987288EBB4A855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02292037, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51a8c1b50f58f734e8fa96c9f3c0fbfd86a361ecd105e25893b1315b90f92d94
Instruction ID: 7ae33b889bbdd0dc62dd348a85719f68a720369170d0a4fc8b381a80473d7265
Opcode Fuzzy Hash: 51a8c1b50f58f734e8fa96c9f3c0fbfd86a361ecd105e25893b1315b90f92d94
Instruction Fuzzy Hash: 0341F275620712EBDF299F68CCC0BD5B3E1BF05320F548328DC5987288E7B5A895CB92

Uniqueness

Uniqueness Score: -1.00%

Function 022923CB, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 753f3142c8608243d27249e6005925d8cc5498726baef4311520989d81bec80a
Instruction ID: d0103835700ece2967292fcd195777cb13b72ccef0efe22d0fa2f1320f881d70
Opcode Fuzzy Hash: 753f3142c8608243d27249e6005925d8cc5498726baef4311520989d81bec80a
Instruction Fuzzy Hash: DF41F331760716EFDB18AE68C870BD673A5FF02360F654329EC96C7645DB21E889CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022926D9, Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4071b9e9eec2f4809d0022a70c9c3d65d62cac26b1fc08e5f883a42c7b97c18
Instruction ID: 289bc4d5663ca39807c8913d55807427419c533713e1874d77bf12575751ed3d
Opcode Fuzzy Hash: d4071b9e9eec2f4809d0022a70c9c3d65d62cac26b1fc08e5f883a42c7b97c18
Instruction Fuzzy Hash: 5F21EA74260311EBEF349B94D9D6BE472A1AF06B60FA48156FD056F1D8E3E1C881CB17

Uniqueness

Uniqueness Score: -1.00%

Function 02296B9C, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fe0e95ae741ad727f1e3fbdd246d452bba531fb674f97164779ba0fb85800b2
Instruction ID: 2ff133776524f770c4bb64fa68d4411778153cdad338c6ed93d3e240e7bb7f2f
Opcode Fuzzy Hash: 9fe0e95ae741ad727f1e3fbdd246d452bba531fb674f97164779ba0fb85800b2
Instruction Fuzzy Hash: CF2104742343029EDF21AEE4CAE4BF922DEEF00754F904476FC429701EC7A5D889C912

Uniqueness

Uniqueness Score: -1.00%

Function 02296B9E, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc09c84479cdec137b8a5d06cfa248a4dd1b5316b1a77d4107c7a48b7c8b9abb
Instruction ID: 0e6f5e19d8969747e79abd7582a121255ff14fcafcb4797326722b5d347e89a5
Opcode Fuzzy Hash: fc09c84479cdec137b8a5d06cfa248a4dd1b5316b1a77d4107c7a48b7c8b9abb
Instruction Fuzzy Hash: 6D017579110212CFCB128F54C6D57D433F4DF45A20BA08591E5068B326F3A1D942C71A

Uniqueness

Uniqueness Score: -1.00%

Function 0229222F, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3bf7d2b095524c3938902c52e7963d4cc4aa37f14ca05177c4abe75257d6cf2d
Instruction ID: 5e897ec125bcad91146270d82f48d00a91c524f5f234b0367fad21f5399f2b72
Opcode Fuzzy Hash: 3bf7d2b095524c3938902c52e7963d4cc4aa37f14ca05177c4abe75257d6cf2d
Instruction Fuzzy Hash: F801967A520632DBCB219F64D9C57C172B0FF0A321F988760D9198B358E3B45852C78A

Uniqueness

Uniqueness Score: -1.00%

Function 02296B81, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d17fd6450c7f8f7c492351cbc69488ab908e560709efe1c54c08fb2d3e514455
Instruction ID: 6152de79d4826bafcab548dac59378cac766b0dc531d2f46eae28f62a43d36aa
Opcode Fuzzy Hash: d17fd6450c7f8f7c492351cbc69488ab908e560709efe1c54c08fb2d3e514455
Instruction Fuzzy Hash: B6F0A475220312CFCB128F94C6E47A933E9DF05B20FA044A5F4079B25AE3A4DD46C60A

Uniqueness

Uniqueness Score: -1.00%

Function 022964BF, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10a36a288dc5b469419ee852a1dfc668bf512c2dfeab2e2277bceed12a832354
Instruction ID: 3d328c7f1b69ec91b6a2621037ef8f7a99fa9389f56154e3e8f5b3ffc35e26bf
Opcode Fuzzy Hash: 10a36a288dc5b469419ee852a1dfc668bf512c2dfeab2e2277bceed12a832354
Instruction Fuzzy Hash: 00E09A69120221C7CF518F14D6C67D033B4EF46A717D49780A5168F768F3E18902C74B

Uniqueness

Uniqueness Score: -1.00%

Function 022964BD, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6be3fc3155c2007246b4bc059ef8d5f8563d86ae414c07086c662dd447258b5c
Instruction ID: 7c263d97291fc27c9135ba794ec1cb307c6ea473110bd8e4d5d620aebd35a99e
Opcode Fuzzy Hash: 6be3fc3155c2007246b4bc059ef8d5f8563d86ae414c07086c662dd447258b5c
Instruction Fuzzy Hash: C8C00231274545CBCEA5CE89C690AA173F9AB126B4B811681E9678BAAD8395D804C904

Uniqueness

Uniqueness Score: -1.00%

Function 02293776, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f57cdb2b4893ef1216c69a6f60a2df21cafc25b8e300ae96bd5ef87bc1217198
Instruction ID: b5da898dbf16a6001d54df4eb1dc1cb5b429c4682e48da6cc918debd8b5d1281
Opcode Fuzzy Hash: f57cdb2b4893ef1216c69a6f60a2df21cafc25b8e300ae96bd5ef87bc1217198
Instruction Fuzzy Hash: 57C048BA2216808BEA01CA08C691B8073B0AB016C8B240490E8039B712C228E915CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00411216, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E00411216(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v32;
				char _v44;
				char _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _t122;
				char* _t124;
				intOrPtr _t179;

				_push(0x4010f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(0x68);
				L004010F0();
				_v12 = _t179;
				_v8 = 0x4010e0;
				_push(0x11);
				_push(0x402660);
				_t122 =  &_v44;
				_push(_t122);
				L00401192();
				_v56 = _v56 & 0x00000000;
				if(_v56 >= 0x33) {
					L0040118C();
					_v64 = _t122;
				} else {
					_v64 = _v64 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 1;
				if(_v56 >= 0x33) {
					L0040118C();
					_v68 = _t122;
				} else {
					_v68 = _v68 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 2;
				if(_v56 >= 0x33) {
					L0040118C();
					_v72 = _t122;
				} else {
					_v72 = _v72 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 3;
				if(_v56 >= 0x33) {
					L0040118C();
					_v76 = _t122;
				} else {
					_v76 = _v76 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 4;
				if(_v56 >= 0x33) {
					L0040118C();
					_v80 = _t122;
				} else {
					_v80 = _v80 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 5;
				if(_v56 >= 0x33) {
					L0040118C();
					_v84 = _t122;
				} else {
					_v84 = _v84 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 6;
				if(_v56 >= 0x33) {
					L0040118C();
					_v88 = _t122;
				} else {
					_v88 = _v88 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 7;
				if(_v56 >= 0x33) {
					L0040118C();
					_v92 = _t122;
				} else {
					_v92 = _v92 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 8;
				if(_v56 >= 0x33) {
					L0040118C();
					_v96 = _t122;
				} else {
					_v96 = _v96 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 9;
				if(_v56 >= 0x33) {
					L0040118C();
					_v100 = _t122;
				} else {
					_v100 = _v100 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xa;
				if(_v56 >= 0x33) {
					L0040118C();
					_v104 = _t122;
				} else {
					_v104 = _v104 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xb;
				if(_v56 >= 0x33) {
					L0040118C();
					_v108 = _t122;
				} else {
					_v108 = _v108 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xc;
				if(_v56 >= 0x33) {
					L0040118C();
					_v112 = _t122;
				} else {
					_v112 = _v112 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xd;
				if(_v56 >= 0x33) {
					L0040118C();
					_v116 = _t122;
				} else {
					_v116 = _v116 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xe;
				if(_v56 >= 0x33) {
					L0040118C();
					_v120 = _t122;
				} else {
					_v120 = _v120 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xf;
				if(_v56 >= 0x33) {
					L0040118C();
					_v124 = _t122;
				} else {
					_v124 = _v124 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_push(0x411527);
				_v52 =  &_v44;
				_t124 =  &_v52;
				_push(_t124);
				_push(0);
				L00401180();
				return _t124;
			}

0x0041121b
0x00411226
0x00411227
0x0041122e
0x00411231
0x00411239
0x0041123c
0x00411243
0x00411245
0x0041124a
0x0041124d
0x0041124e
0x00411253
0x0041125b
0x00411263
0x00411268
0x0041125d
0x0041125d
0x0041125d
0x0041126f
0x0041127a
0x0041127c
0x00411287
0x0041128f
0x00411294
0x00411289
0x00411289
0x00411289
0x0041129b
0x004112a6
0x004112a8
0x004112b3
0x004112bb
0x004112c0
0x004112b5
0x004112b5
0x004112b5
0x004112c7
0x004112d2
0x004112d4
0x004112df
0x004112e7
0x004112ec
0x004112e1
0x004112e1
0x004112e1
0x004112f3
0x004112fe
0x00411300
0x0041130b
0x00411313
0x00411318
0x0041130d
0x0041130d
0x0041130d
0x0041131f
0x0041132a
0x0041132c
0x00411337
0x0041133f
0x00411344
0x00411339
0x00411339
0x00411339
0x0041134b
0x00411356
0x00411358
0x00411363
0x0041136b
0x00411370
0x00411365
0x00411365
0x00411365
0x00411377
0x00411382
0x00411384
0x0041138f
0x00411397
0x0041139c
0x00411391
0x00411391
0x00411391
0x004113a3
0x004113ae
0x004113b0
0x004113bb
0x004113c3
0x004113c8
0x004113bd
0x004113bd
0x004113bd
0x004113cf
0x004113da
0x004113dc
0x004113e7
0x004113ef
0x004113f4
0x004113e9
0x004113e9
0x004113e9
0x004113fb
0x00411406
0x00411408
0x00411413
0x0041141b
0x00411420
0x00411415
0x00411415
0x00411415
0x00411427
0x00411432
0x00411434
0x0041143f
0x00411447
0x0041144c
0x00411441
0x00411441
0x00411441
0x00411453
0x0041145e
0x00411460
0x0041146b
0x00411473
0x00411478
0x0041146d
0x0041146d
0x0041146d
0x0041147f
0x0041148a
0x0041148c
0x00411497
0x0041149f
0x004114a4
0x00411499
0x00411499
0x00411499
0x004114ab
0x004114b6
0x004114b8
0x004114c3
0x004114cb
0x004114d0
0x004114c5
0x004114c5
0x004114c5
0x004114d7
0x004114e2
0x004114e4
0x004114ef
0x004114f7
0x004114fc
0x004114f1
0x004114f1
0x004114f1
0x00411503
0x0041150e
0x00411510
0x00411518
0x0041151b
0x0041151e
0x0041151f
0x00411521
0x00411526

APIs

__vbaChkstk.MSVBVM60(?,004010F6), ref: 00411231
__vbaAryConstruct2.MSVBVM60(?,00402660,00000011,?,?,?,?,004010F6), ref: 0041124E
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411263
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041126F
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041128F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041129B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004112BB
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004112C7
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004112E7
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004112F3
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411313
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041131F
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041133F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041134B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041136B
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411377
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411397
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004113A3
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004113C3
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004113CF
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004113EF
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004113FB
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411427
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411447
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411453
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411473
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041147F
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 0041149F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004114AB
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004114CB
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004114D7
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 004114F7
__vbaUI1I2.MSVBVM60(?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411503
__vbaAryDestruct.MSVBVM60(00000000,?,00411527,?,?,?,?,00402660,00000011,?,?,?,?,004010F6), ref: 00411521

Strings

3, xrefs: 004114EB

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$ChkstkConstruct2Destruct
String ID: 3
API String ID: 1280986024-1842515611
Opcode ID: f75905c71338df6ed1d2abd4be98a00b85e6c623aeda3f0dcf26d88cedbdab16
Instruction ID: df3344dd6132dcf06d0667a8feab236afbdf7d6d5bda037fd38ae9cf1a445763
Opcode Fuzzy Hash: f75905c71338df6ed1d2abd4be98a00b85e6c623aeda3f0dcf26d88cedbdab16
Instruction Fuzzy Hash: 08A1F974C07248EFDF04EBE5D6517EDBBB1BF16309F20402EE6066A2A2C7781945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410CC4, Relevance: 37.8, APIs: 25, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00410CC4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				signed int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				void* _t138;
				signed int _t142;
				signed int _t146;
				char* _t150;
				signed int _t154;
				signed int _t164;
				signed int _t171;
				signed int _t175;
				char* _t179;
				signed int _t183;
				char* _t192;
				void* _t194;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				void* _t219;

				 *[fs:0x0] = _t218;
				L004010F0();
				_v16 = _t218;
				_v12 = E004010D0;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t138 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t216, _t217, _t194,  *[fs:0x0], 0x4010f6);
				_push(0x4025b8);
				_push(0x4025b8);
				L004011FE();
				if(_t138 != 0) {
					L004011F8();
				}
				if( *0x412010 != 0) {
					_v148 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402860);
					L004011EC();
					_v148 = 0x412010;
				}
				_t142 =  &_v72;
				L004011F2();
				_v116 = _t142;
				_t146 =  *((intOrPtr*)( *_v116 + 0xd8))(_v116,  &_v112, _t142,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x2fc))( *_v148));
				asm("fclex");
				_v120 = _t146;
				if(_v120 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x4025bc);
					_push(_v116);
					_push(_v120);
					L004011E6();
					_v152 = _t146;
				}
				if( *0x412010 != 0) {
					_v156 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402860);
					L004011EC();
					_v156 = 0x412010;
				}
				_t150 =  &_v76;
				L004011F2();
				_v124 = _t150;
				_t154 =  *((intOrPtr*)( *_v124 + 0x48))(_v124,  &_v64, _t150,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x2fc))( *_v156));
				asm("fclex");
				_v128 = _t154;
				if(_v128 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x4025bc);
					_push(_v124);
					_push(_v128);
					L004011E6();
					_v160 = _t154;
				}
				_v140 = _v64;
				_v64 = _v64 & 0x00000000;
				L004011E0();
				 *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _v112,  &_v68);
				L004011DA();
				L004011D4();
				_t219 = _t218 + 0xc;
				_t164 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v72,  &_v76);
				asm("fclex");
				_v116 = _t164;
				if(_v116 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40230c);
					_push(_a4);
					_push(_v116);
					L004011E6();
					_v164 = _t164;
				}
				while(1) {
					_v100 = 1;
					_v108 = 2;
					_push( &_v44);
					_push( &_v108);
					_push( &_v92);
					L004011C8();
					L004011CE();
					if( *0x412010 != 0) {
						_v168 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402860);
						L004011EC();
						_v168 = 0x412010;
					}
					_t171 =  &_v72;
					L004011F2();
					_v116 = _t171;
					_t175 =  *((intOrPtr*)( *_v116 + 0xd8))(_v116,  &_v112, _t171,  *((intOrPtr*)( *((intOrPtr*)( *_v168)) + 0x2fc))( *_v168));
					asm("fclex");
					_v120 = _t175;
					if(_v120 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x4025bc);
						_push(_v116);
						_push(_v120);
						L004011E6();
						_v172 = _t175;
					}
					if( *0x412010 != 0) {
						_v176 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402860);
						L004011EC();
						_v176 = 0x412010;
					}
					_t179 =  &_v76;
					L004011F2();
					_v124 = _t179;
					_t183 =  *((intOrPtr*)( *_v124 + 0x48))(_v124,  &_v64, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v176)) + 0x2fc))( *_v176));
					asm("fclex");
					_v128 = _t183;
					if(_v128 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4025bc);
						_push(_v124);
						_push(_v128);
						L004011E6();
						_v180 = _t183;
					}
					_v144 = _v64;
					_v64 = _v64 & 0x00000000;
					L004011E0();
					 *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _v112,  &_v68);
					L004011DA();
					_push( &_v76);
					_push( &_v72);
					_push(2);
					L004011D4();
					_t219 = _t219 + 0xc;
					_v100 = 0x9ffff;
					_v108 = 0x8003;
					_push( &_v44);
					_t192 =  &_v108;
					_push(_t192);
					L004011C2();
					if(_t192 == 0) {
						break;
					}
				}
				goto __ebx;
			}

0x00410cd6
0x00410ce2
0x00410cea
0x00410ced
0x00410cfa
0x00410d03
0x00410d0e
0x00410d11
0x00410d16
0x00410d1b
0x00410d22
0x00410d24
0x00410d24
0x00410d30
0x00410d4d
0x00410d32
0x00410d32
0x00410d37
0x00410d3c
0x00410d41
0x00410d41
0x00410d71
0x00410d75
0x00410d7a
0x00410d89
0x00410d8f
0x00410d91
0x00410d98
0x00410db7
0x00410d9a
0x00410d9a
0x00410d9f
0x00410da4
0x00410da7
0x00410daa
0x00410daf
0x00410daf
0x00410dc5
0x00410de2
0x00410dc7
0x00410dc7
0x00410dcc
0x00410dd1
0x00410dd6
0x00410dd6
0x00410e06
0x00410e0a
0x00410e0f
0x00410e1e
0x00410e21
0x00410e23
0x00410e2a
0x00410e46
0x00410e2c
0x00410e2c
0x00410e2e
0x00410e33
0x00410e36
0x00410e39
0x00410e3e
0x00410e3e
0x00410e50
0x00410e56
0x00410e63
0x00410e77
0x00410e80
0x00410e8f
0x00410e94
0x00410e9f
0x00410ea5
0x00410ea7
0x00410eae
0x00410ecd
0x00410eb0
0x00410eb0
0x00410eb5
0x00410eba
0x00410ebd
0x00410ec0
0x00410ec5
0x00410ec5
0x00410ed4
0x00410ed4
0x00410edb
0x00410ee5
0x00410ee9
0x00410eed
0x00410eee
0x00410ef8
0x00410f04
0x00410f21
0x00410f06
0x00410f06
0x00410f0b
0x00410f10
0x00410f15
0x00410f15
0x00410f45
0x00410f49
0x00410f4e
0x00410f5d
0x00410f63
0x00410f65
0x00410f6c
0x00410f8b
0x00410f6e
0x00410f6e
0x00410f73
0x00410f78
0x00410f7b
0x00410f7e
0x00410f83
0x00410f83
0x00410f99
0x00410fb6
0x00410f9b
0x00410f9b
0x00410fa0
0x00410fa5
0x00410faa
0x00410faa
0x00410fda
0x00410fde
0x00410fe3
0x00410ff2
0x00410ff5
0x00410ff7
0x00410ffe
0x0041101a
0x00411000
0x00411000
0x00411002
0x00411007
0x0041100a
0x0041100d
0x00411012
0x00411012
0x00411024
0x0041102a
0x00411037
0x0041104b
0x00411054
0x0041105c
0x00411060
0x00411061
0x00411063
0x00411068
0x0041106b
0x00411072
0x0041107c
0x0041107d
0x00411080
0x00411081
0x0041108b
0x00000000
0x00000000
0x0041108d
0x00411097

APIs

__vbaChkstk.MSVBVM60(?,004010F6), ref: 00410CE2
__vbaStrCmp.MSVBVM60(004025B8,004025B8,?,?,?,?,004010F6), ref: 00410D1B
__vbaEnd.MSVBVM60(004025B8,004025B8,?,?,?,?,004010F6), ref: 00410D24
__vbaNew2.MSVBVM60(00402860,00412010,004025B8,004025B8,?,?,?,?,004010F6), ref: 00410D3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410D75
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025BC,000000D8), ref: 00410DAA
__vbaNew2.MSVBVM60(00402860,00412010), ref: 00410DD1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E0A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025BC,00000048), ref: 00410E39
__vbaStrMove.MSVBVM60(00000000,?,004025BC,00000048), ref: 00410E63
__vbaFreeStr.MSVBVM60 ref: 00410E80
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410E8F
__vbaHresultCheckObj.MSVBVM60(00000000,004010D0,0040230C,000002B4), ref: 00410EC0
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00410EEE
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00410EF8
__vbaNew2.MSVBVM60(00402860,00412010,?,00000002,?,00008003,?), ref: 00410F10
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F49
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025BC,000000D8,?,?,?,?,?,?,?,?,00402860,00412010,?,00000002), ref: 00410F7E
__vbaNew2.MSVBVM60(00402860,00412010,00000000,?,004025BC,000000D8,?,?,?,?,?,?,?,?,00402860,00412010), ref: 00410FA5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410FDE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025BC,00000048,?,?,?,?,?,?,?,?,00402860,00412010,?,00000002), ref: 0041100D
__vbaStrMove.MSVBVM60(00000000,?,004025BC,00000048,?,?,?,?,?,?,?,?,00402860,00412010,?,00000002), ref: 00411037
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00402860,00412010,?,00000002,?,00008003,?), ref: 00411054
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00411063
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 00411081

Memory Dump Source

Source File: 00000000.00000002.1260338476.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1260307562.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1260439853.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1260475100.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$Move$List$Chkstk
String ID:
API String ID: 3120471521-0
Opcode ID: b453b7baef7f5acf329f96688b9d402853702e30811eb04dc5166cc33752f082
Instruction ID: b1f5e038a9e467cfe6b94dc039c1224d37e99d59f089c6fd21403b46ab6b069b
Opcode Fuzzy Hash: b453b7baef7f5acf329f96688b9d402853702e30811eb04dc5166cc33752f082
Instruction Fuzzy Hash: 53C11D71A00218EFCB20DFA5CD49BDDBBB5BF08304F10416AE505BB2A1DBB99985DF58

Uniqueness

Uniqueness Score: -1.00%

Function 022942B7, Relevance: 5.0, Strings: 4, Instructions: 46COMMON

Download Yara Rule

Strings

kernel32, xrefs: 02294CE7
advapi32, xrefs: 02294D24
ntdll, xrefs: 02294CCD
wininet.dll, xrefs: 02294C6A

Memory Dump Source

Source File: 00000000.00000002.1261516751.0000000002290000.00000040.00000001.sdmp, Offset: 02290000, based on PE: false

Similarity

API ID:
String ID: advapi32$kernel32$ntdll$wininet.dll
API String ID: 0-3243727332
Opcode ID: bc9e276a8e33597ed73c2980719d0c6ae991cd488c0393226fe9c4ae51964c5d
Instruction ID: 82c6c7f047c11528a7f1d8498d1b816f909970aad6df8796f29748bff2401747
Opcode Fuzzy Hash: bc9e276a8e33597ed73c2980719d0c6ae991cd488c0393226fe9c4ae51964c5d
Instruction Fuzzy Hash: DBF0E959025392C7CF316B60D5CB2803F70EC422313A8D28951418E32AF7E15A07C74B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404 Parent PID: 5584

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exe PID: 5404 Parent PID: 5584 RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUC_IMPORT_EXPORT_COs.exeCOMMON

Executed Functions

Function 00406ACA, Relevance: 9.0, APIs: 1, Strings: 5, Instructions: 36memoryCOMMON

Function 0040121C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178COMMON

Function 0040697C, Relevance: 3.1, APIs: 1, Strings: 1, Instructions: 67memoryCOMMON

Function 004065E9, Relevance: 1.4, APIs: 1, Instructions: 136memoryCOMMON

Function 0040121C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 178
COMMON

Function 004065E9, Relevance: 1.4, APIs: 1, Instructions: 136
memoryCOMMON

Function 0040676B, Relevance: 1.4, APIs: 1, Instructions: 120
memoryCOMMON

Function 0040674A, Relevance: 1.3, APIs: 1, Instructions: 76
memoryCOMMON

Function 00411216, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 221
COMMON

Function 00410CC4, Relevance: 37.8, APIs: 25, Instructions: 267
COMMON