Play interactive tour

Edit tour

Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Overview

General Information

Sample Name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Analysis ID:	339372
MD5:	754d599f8cdeb37d1f3f61764669d799
SHA1:	5e48dfb313f300b4d460e73bd25b324b88da0df7
SHA256:	7c328b51dbd9e7fb96ca2ed21358fd5112c809f9666f9287b55927302c7ac1ea
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe (PID: 6180 cmdline: 'C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe' MD5: 754D599F8CDEB37D1F3F61764669D799)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

ReversingLabs: Detection: 20%

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process Stats: CPU usage > 98%

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437688379.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000000.340886631.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Binary or memory string: OriginalFilenameGISELLE.exe vs RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

File created: C:\Users\user\AppData\Local\Temp\~DFA8C396C0239A952E.TMP

Jump to behavior

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

ReversingLabs: Detection: 20%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180, type: MEMORY

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_004075B4 push edi; iretd		0_2_004075B6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_00405F85 push edx; iretd		0_2_00405F86

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220323B	0_2_0220323B
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202E11	0_2_02202E11
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202E71	0_2_02202E71
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026E2	0_2_022026E2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202EF4	0_2_02202EF4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202EC5	0_2_02202EC5
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202F69	0_2_02202F69
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202FD4	0_2_02202FD4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203057	0_2_02203057
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022038B2	0_2_022038B2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022030DB	0_2_022030DB
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220292A	0_2_0220292A
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203135	0_2_02203135
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202D19	0_2_02202D19
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022031AB	0_2_022031AB
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202DAD	0_2_02202DAD
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E6	0_2_022071E6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02207DE9	0_2_02207DE9
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022065C3	0_2_022065C3
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02201DDB	0_2_02201DDB

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

RDTSC instruction interceptor: First address: 0000000002206A28 second address: 0000000002206A28 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F9D08895FF8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d test edx, F234E3D4h 0x00000023 add edi, edx 0x00000025 dec dword ptr [ebp+000000F8h] 0x0000002b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000032 jne 00007F9D08895F76h 0x00000034 jmp 00007F9D08895FEEh 0x00000036 test dh, dh 0x00000038 call 00007F9D08896019h 0x0000003d call 00007F9D08896008h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206A20 rdtsc

0_2_02206A20

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206A20 rdtsc

0_2_02206A20

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02203669 mov eax, dword ptr fs:[00000030h]	0_2_02203669
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02207258 mov eax, dword ptr fs:[00000030h]	0_2_02207258
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026E2 mov eax, dword ptr fs:[00000030h]	0_2_022026E2
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022026F4 mov eax, dword ptr fs:[00000030h]	0_2_022026F4
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02205C60 mov eax, dword ptr fs:[00000030h]	0_2_02205C60
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_0220244B mov eax, dword ptr fs:[00000030h]	0_2_0220244B
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02202457 mov eax, dword ptr fs:[00000030h]	0_2_02202457
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E6 mov eax, dword ptr fs:[00000030h]	0_2_022071E6
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022071E8 mov eax, dword ptr fs:[00000030h]	0_2_022071E8
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_022065C3 mov eax, dword ptr fs:[00000030h]	0_2_022065C3
Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	Code function: 0_2_02201DDB mov eax, dword ptr fs:[00000030h]	0_2_02201DDB

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe, 00000000.00000002.1437488688.0000000000DB0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Code function: 0_2_02206376 cpuid

0_2_02206376

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery411	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe	20%	ReversingLabs	Win32.Infostealer.PonyStealer

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	339372
Start date:	13.01.2021
Start time:	21:50:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.9% (good quality ratio 5.3%) Quality average: 22.5% Quality standard deviation: 31.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/339372/sample/RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.86757283144284
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
File size:	81920
MD5:	754d599f8cdeb37d1f3f61764669d799
SHA1:	5e48dfb313f300b4d460e73bd25b324b88da0df7
SHA256:	7c328b51dbd9e7fb96ca2ed21358fd5112c809f9666f9287b55927302c7ac1ea
SHA512:	f1c579777f16b1536e51dcc8d6141cb59517b61129072a3bd856abecc12efbee15cd224bc8575488023f6b0c731bb283b64c9353c475b48bda3e6b8c6c20e80d
SSDEEP:	768:ETpAbB+koysOiKEQWvc+ddsx/RRr4mtXbt2+:ETpTTyLizJtdOZbDX
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.....................0............... ....@................

File Icon


Icon Hash:	6eeed0e4a4a4e0d2

Static PE Info

General
Entrypoint:	0x40121c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FFEBE91 [Wed Jan 13 09:34:09 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f08e2fa188bfdb85d74117a6c20b7544

Entrypoint Preview

Instruction
push 00401D04h
call 00007F9D08A10015h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi-7D9F66D1h], ah
pop eax
cmp dword ptr [esi-60h], ecx
into
push edx
cmp esi, dword ptr [ebp+00004EE7h]
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
outsb
imul esp, dword ptr fs:[edi+74h], 676E696Eh
outsb
jnc 00007F9D08A10022h
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and edx, ebp
add ebx, edx
test dword ptr [ebp-51BDDE5Ah], 4F991E50h
xchg eax, edi
test eax, 216A68AEh
outsd
enter 46DCh, BFh
mov ch, F3h
fsubrp st(2), st(0)
test dword ptr [eax], ebp
adc eax, 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor al, 0Ah
add byte ptr [eax], al
rol dword ptr [08000000h], cl
add byte ptr [ebx+75h], dl
bound esp, dword ptr [ebp+64h]
imul esi, dword ptr [edi+esi+00h], 0009010Dh
jnc 00007F9D08A10098h
popad
jc 00007F9D08A10092h
outsd

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11424	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x884	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xcc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10838	0x11000	False	0.389059627757	data	6.32612919627	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x1160	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x884	0x1000	False	0.329345703125	data	3.01799002813	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1431c	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x14308	0x14	data
RT_VERSION	0x140f0	0x218	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, _adj_fpatan, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	GISELLE
FileVersion	1.00
CompanyName	Web Share.
ProductName	Decalogues2
ProductVersion	1.00
OriginalFilename	GISELLE.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180 Parent PID: 5852

General

Start time:	21:51:23
Start date:	13/01/2021
Path:	C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe'
Imagebase:	0x400000
File size:	81920 bytes
MD5 hash:	754D599F8CDEB37D1F3F61764669D799
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180 Parent PID: 5852 RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exeCOMMON

Executed Functions

Function 0040121C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 68%

			_entry_(signed int __eax, void* __ebx, signed int __edx, signed int __edi, void* __esi, void* __fp0) {
				intOrPtr* _t47;
				signed int _t48;
				signed int _t50;
				signed int _t51;
				void* _t55;
				signed int _t61;
				signed int _t64;
				signed int _t66;
				signed int _t69;
				signed int _t70;
				signed int _t77;
				intOrPtr _t83;
				void* _t86;
				void* _t89;

				_t89 = __fp0;
				_push("VB5!6&*"); // executed
				L00401216(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t47 = __eax + 1;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *((intOrPtr*)(__esi - 0x7d9f66d1)) =  *((intOrPtr*)(__esi - 0x7d9f66d1)) + _t47;
				asm("das");
				asm("cdq");
				asm("pushad");
				asm("sbb byte [eax+0x39], 0x4c");
				asm("cmpsb");
				_t48 =  *0xb53b52ce;
				asm("out 0x4e, eax");
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				asm("a16 gs outsb");
				_t70 =  *[fs:edi+0x74] * 0x676e696e;
				asm("gs outsb");
				if (_t70 >= 0) goto L2;
				 *_t48 =  *_t48 + _t48;
				 *_t48 =  *_t48 + _t48;
				asm("int3");
				 *_t48 =  *_t48 ^ _t48;
				_t61 = __edx & _t69;
				_t55 = __ebx + __ebx + _t61;
				_t64 = _t48;
				asm("outsd");
				asm("enter 0x46dc, 0xbf");
				asm("fsubrp st2, st0");
				asm("adc eax, 0x33ad4f3a");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				 *__edi =  *__edi + __edi;
				_t50 = __edi ^ 0x0000000a;
				 *_t50 =  *_t50 + _t50;
				asm("rol dword [0x8000000], cl");
				 *((intOrPtr*)(_t55 + 0x75)) =  *((intOrPtr*)(_t55 + 0x75)) + _t61;
				asm("bound esp, [ebp+0x64]");
				_t66 =  *(_t64 + __esi) * 0x9010d;
				while(1) {
					_t51 = _t50 | 0x73000901;
					_t77 = _t51;
					L4:
					while(1) {
						if(_t77 <= 0) {
							_push(0x6700d5a8);
						} else {
							asm("popad");
						}
						asm("a16 lodsb");
						_push(0xffffffab);
						_t89 = _t89 +  *_t51 +  *_t51;
						if(_t86 >= 0) {
							 *_t51 =  *_t51 + _t51;
							asm("adc [eax], al");
							 *_t51 =  *_t51 + _t51;
							L14:
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *0xf3 =  *0xf3 + _t51;
							 *_t51 =  *_t51 + 0xf3;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *((intOrPtr*)(_t51 + 1)) =  *((intOrPtr*)(_t51 + 1)) + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *0xf3 =  *0xf3 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							 *_t51 =  *_t51 + _t51;
							_t19 = _t64 - 0x66;
							 *_t19 =  *((intOrPtr*)(_t64 - 0x66)) + _t61;
							_t83 =  *_t19;
						}
						asm("aad 0x0");
						if(_t86 < 0) {
							goto L14;
						}
						asm("fiadd dword [eax]");
						asm("insd");
						 *((intOrPtr*)(_t66 - 0x4b)) =  *((intOrPtr*)(_t66 - 0x4b)) + 0xe5;
						goto 0xe8f57d74;
						 *((intOrPtr*)(_t64 - 0x45)) =  *((intOrPtr*)(_t64 - 0x45)) + _t55;
					}
				}
			}

0x0040121c
0x0040121c
0x00401221
0x00401226
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x00401230
0x00401231
0x00401233
0x00401235
0x00401237
0x00401239
0x0040123a
0x0040123b
0x0040123c
0x00401240
0x00401241
0x00401246
0x00401248
0x0040124a
0x0040124c
0x0040124e
0x00401250
0x00401252
0x00401254
0x00401256
0x00401258
0x0040125b
0x00401263
0x00401265
0x00401267
0x00401269
0x0040126d
0x0040126e
0x00401270
0x00401272
0x0040127e
0x00401284
0x00401285
0x0040128c
0x00401290
0x00401295
0x00401296
0x00401298
0x0040129e
0x0040129f
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012b9
0x004012bb
0x004012bd
0x004012bf
0x004012c1
0x004012c3
0x004012c5
0x004012c7
0x004012c9
0x004012cf
0x004012d2
0x004012d5
0x004012d9
0x004012d9
0x004012d9
0x00000000
0x004012de
0x004012de
0x00401355
0x004012df
0x004012df
0x004012df
0x00401359
0x0040135d
0x0040135f
0x00401361
0x00401313
0x00401315
0x00401317
0x00401318
0x00401318
0x0040131a
0x0040131c
0x0040131e
0x00401320
0x00401322
0x00401324
0x00401327
0x00401329
0x0040132b
0x0040132d
0x0040132f
0x00401331
0x00401333
0x00401334
0x00401336
0x00401338
0x0040133a
0x0040133c
0x0040133c
0x0040133c
0x0040133c
0x00401363
0x00401365
0x00000000
0x00000000
0x00401367
0x00401369
0x0040136c
0x0040136f
0x00401374
0x00401376
0x004012de

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401221

Strings

VB5!6&*, xrefs: 0040121C

Memory Dump Source

Source File: 00000000.00000002.1436896100.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436876777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1436930248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1436949015.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4ca35f2ad908258e319170bf9eff7cab9d4e9c1d980268a5d15811ec358a48a5
Instruction ID: b3a964a8d03c87ec461944f5a3bebe3891ff2ae2f18056dfea4bef812c8c90ae
Opcode Fuzzy Hash: 4ca35f2ad908258e319170bf9eff7cab9d4e9c1d980268a5d15811ec358a48a5
Instruction Fuzzy Hash: 6201CA6294E3C24FC7039A719E256897FB5AE5361030A04EBC980DF2B7D2690859C76A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022071E6, Relevance: 6.9, Strings: 5, Instructions: 631COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B
M), xrefs: 022077BA

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: M)$j@h$\J$xM$|0
API String ID: 0-2195698710
Opcode ID: 4742fa2d0b17c97959513bd481cac612228c2ec43be9ce784fe29150bc46fb1e
Instruction ID: c548735db16308d0d852c9f68ab93a1bc9c07c51b30c09b7a8c74d5ea7836861
Opcode Fuzzy Hash: 4742fa2d0b17c97959513bd481cac612228c2ec43be9ce784fe29150bc46fb1e
Instruction Fuzzy Hash: 6E2290707203029FEF208FA8CCC4BE9B6A2AF46350F948269DD959B1DFD3B49485CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02207DE9, Relevance: 6.8, Strings: 5, Instructions: 585COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B
xEP, xrefs: 02208376

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xEP$xM$|0
API String ID: 0-3765853036
Opcode ID: 1bedae5647758f9102754e45494af569f60d10ef8ffe0fac131257761d6fd93f
Instruction ID: 0d124605184d0e8227155b62dabfd804a40559c91c9a6a44d3240cb2abc5ff58
Opcode Fuzzy Hash: 1bedae5647758f9102754e45494af569f60d10ef8ffe0fac131257761d6fd93f
Instruction Fuzzy Hash: 21025970720306DEFF215EA4CDC4BEA7662BF45360F904229EE469A1DAD7B498C5CA02

Uniqueness

Uniqueness Score: -1.00%

Function 0220292A, Relevance: 6.7, Strings: 5, Instructions: 456COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B
, xrefs: 0220390C

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: $j@h$\J$xM$|0
API String ID: 0-4152431378
Opcode ID: 8f68eef1c6948acc9f913e26cfb6edcee75996288789e74be16342137ab398be
Instruction ID: bdfe6b550d980c57a63004636f101afde670537a44d80fa8d60ce29ea9c561ca
Opcode Fuzzy Hash: 8f68eef1c6948acc9f913e26cfb6edcee75996288789e74be16342137ab398be
Instruction Fuzzy Hash: 2DE17A70710306AFFB219EA8CDC5BD97662FF45360FA04265FE45AB1DAD7B89884CB40

Uniqueness

Uniqueness Score: -1.00%

Function 022038B2, Relevance: 6.7, Strings: 5, Instructions: 420COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B
, xrefs: 0220390C

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: $j@h$\J$xM$|0
API String ID: 0-4152431378
Opcode ID: b1affd07370b3a9645e276efc83778fcbbcabc48f3789659ec83f9d0388fc820
Instruction ID: 56dd7aafd8aa405538ebff511fb5656f796d2ce003d06d6b5de0829ca0636fdd
Opcode Fuzzy Hash: b1affd07370b3a9645e276efc83778fcbbcabc48f3789659ec83f9d0388fc820
Instruction Fuzzy Hash: 14D18B70750306AFFB219EA8CDC5BE93662FF45360FA04225FE45AB1DAD7F894858B01

Uniqueness

Uniqueness Score: -1.00%

Function 02201DDB, Relevance: 5.8, Strings: 4, Instructions: 805COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 35e316e2cf2d90583a3e8dabad19fb92a929887ea719b6c27cdea82f4e53a61b
Instruction ID: bacb0139eef0a4e9f46bb296e2832103ab45aba732571ef00ee0e4b357d753a1
Opcode Fuzzy Hash: 35e316e2cf2d90583a3e8dabad19fb92a929887ea719b6c27cdea82f4e53a61b
Instruction Fuzzy Hash: 8A428A70720306EFEB209FA4CCC4BE573A6BF05350F944229ED59972CAD7B4A895CB80

Uniqueness

Uniqueness Score: -1.00%

Function 022026E2, Relevance: 5.5, Strings: 4, Instructions: 463COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: e9e188d56f2f987db02481d0ad79952e8cc7f49de14646bf51248177ab223028
Instruction ID: a9d2a19b4caca826231bbc997aecb9ae455282046aba11ddca13de3588ed1475
Opcode Fuzzy Hash: e9e188d56f2f987db02481d0ad79952e8cc7f49de14646bf51248177ab223028
Instruction Fuzzy Hash: 22E17B70360305EFFB219EA4CDC9BE97662BF01750F904269FE45AB1DAD7F89884CA01

Uniqueness

Uniqueness Score: -1.00%

Function 02202D19, Relevance: 5.3, Strings: 4, Instructions: 346COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: d24814e84c730b4cee80c7f5882a750eba1181a427b99533271e8d2c9efae4da
Instruction ID: a0e975e1f530c4da0d499103d7b0dfdabac544e2606a0f51e0930b4f24ed8def
Opcode Fuzzy Hash: d24814e84c730b4cee80c7f5882a750eba1181a427b99533271e8d2c9efae4da
Instruction Fuzzy Hash: 7BA17970710306AEFB219EB8CDC9BE97562FF45760F904228FE45A61DAD7F89489CA40

Uniqueness

Uniqueness Score: -1.00%

Function 02202DAD, Relevance: 5.3, Strings: 4, Instructions: 320COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: fdd8eff1abf9862813bf909b0e7203aec6fb294f636c8fb4a91a83ae80cb2b28
Instruction ID: 850a9a0909c5877f1bce1dfcb624dfa89b702bd03909d823a473169911fc63c6
Opcode Fuzzy Hash: fdd8eff1abf9862813bf909b0e7203aec6fb294f636c8fb4a91a83ae80cb2b28
Instruction Fuzzy Hash: 3BA16970710306AEFB219EB4CDC57E97662FF45760F904228FE55AB2DAD7F89488CA40

Uniqueness

Uniqueness Score: -1.00%

Function 02202E11, Relevance: 5.3, Strings: 4, Instructions: 305COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 301a053bfdc6389acb9d36eb5cf348266d5a46569f444d1d29921a06d92eef73
Instruction ID: 479d4a1cc3fc749573df2265621e786a2552b4c0b8a56eb0be4bbf3b0cb2136a
Opcode Fuzzy Hash: 301a053bfdc6389acb9d36eb5cf348266d5a46569f444d1d29921a06d92eef73
Instruction Fuzzy Hash: EE917970710306AEFB219EB4CDC87E97562FF45760F904228FE45AB2DAD7F89489CA40

Uniqueness

Uniqueness Score: -1.00%

Function 02202E71, Relevance: 5.3, Strings: 4, Instructions: 288COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 543605e6c21a9b0906459b6f9eea4e6cd7ad1396b035d390f56f818d59be7503
Instruction ID: ffab69d238e86656b6b65e8187e5c997f50853c51543396afb32b68f6a84862e
Opcode Fuzzy Hash: 543605e6c21a9b0906459b6f9eea4e6cd7ad1396b035d390f56f818d59be7503
Instruction Fuzzy Hash: C0918B70710306AEFB219EB8CDC97E97562FF45760F904228FE95AB1CAD7F89489C640

Uniqueness

Uniqueness Score: -1.00%

Function 02202EF4, Relevance: 5.3, Strings: 4, Instructions: 274COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 5449d759e043c6dad243f86298d20327b791fbc646d333cc04eb4bac65cf00a2
Instruction ID: c42ad243c5738a0d847877ffade051a02a4551ce9760c050a5e9e5393af0963c
Opcode Fuzzy Hash: 5449d759e043c6dad243f86298d20327b791fbc646d333cc04eb4bac65cf00a2
Instruction Fuzzy Hash: D2816970710306AEFB219EB4CDC57E97562FF45760F904228FE95AA1DAD7F89488C640

Uniqueness

Uniqueness Score: -1.00%

Function 02202EC5, Relevance: 5.3, Strings: 4, Instructions: 255COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 74c38c4ef23164472b8ba99dc0f6e1420bb429c200abaea71898bc1b65b577e5
Instruction ID: 2f9cf2e369eadb39692a95a9177ce7c00b101b3001eac9e342700cf2ac1d02cd
Opcode Fuzzy Hash: 74c38c4ef23164472b8ba99dc0f6e1420bb429c200abaea71898bc1b65b577e5
Instruction Fuzzy Hash: AA81177171030AAEFB219F94CDC5BE97663FF45390F904228EE45AA1CAD7F994888B41

Uniqueness

Uniqueness Score: -1.00%

Function 02202F69, Relevance: 5.3, Strings: 4, Instructions: 251COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: de65dad63e6a76b5b32a0bcc929987431ddc15dcb4122ce7eeb1dcc207b0fb1a
Instruction ID: 84fc9918889a629c7d35a0a42b3c3be45c395ea01cf66b3b89ee4e7b3032a6d9
Opcode Fuzzy Hash: de65dad63e6a76b5b32a0bcc929987431ddc15dcb4122ce7eeb1dcc207b0fb1a
Instruction Fuzzy Hash: 43716C70710306AEFB259EB4CDC5BE93563EF45760F904228FE959A1DAC7F894C8C640

Uniqueness

Uniqueness Score: -1.00%

Function 02202FD4, Relevance: 5.2, Strings: 4, Instructions: 236COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
xM, xrefs: 02203037
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$xM$|0
API String ID: 0-318701446
Opcode ID: 9aa5db601691d5ea09077e099f571c761fde8ca8e4b642dde11d14899931f826
Instruction ID: e8bc5065127a0d850df8797cf98114f2fe2ad203401de22503b7e5d864c0a945
Opcode Fuzzy Hash: 9aa5db601691d5ea09077e099f571c761fde8ca8e4b642dde11d14899931f826
Instruction Fuzzy Hash: EB61697071030AAEFF259EB4CDC5BE93563EF45760F900128FE959A1DAC7F458C88640

Uniqueness

Uniqueness Score: -1.00%

Function 02203057, Relevance: 4.0, Strings: 3, Instructions: 208COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$|0
API String ID: 0-1997040385
Opcode ID: d6e9636ed6dfe97f5c09e0e683539dd1f0e694990a8bb5b93640c2f601a8e7fc
Instruction ID: 14005173a91a171e105cbafd5207f02af6e374e0d78322fecf98a2af9bf2405c
Opcode Fuzzy Hash: d6e9636ed6dfe97f5c09e0e683539dd1f0e694990a8bb5b93640c2f601a8e7fc
Instruction Fuzzy Hash: A5515870710306AEFF269EB4CDC9BE93562EF45760F940224FE959A1DAC7F898C8C640

Uniqueness

Uniqueness Score: -1.00%

Function 022030DB, Relevance: 3.9, Strings: 3, Instructions: 177COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$|0
API String ID: 0-1997040385
Opcode ID: bb6be085815a4942f1208bd9e5ab38c63e2288d746f979619b89f209f72f5860
Instruction ID: 2a7ac6e84f77d9de52cc26436fd71b5c493446478ce1e559a07e021f79001338
Opcode Fuzzy Hash: bb6be085815a4942f1208bd9e5ab38c63e2288d746f979619b89f209f72f5860
Instruction Fuzzy Hash: BA514570710306AEEB269EB4CDC87E93562FF85760F940224FE919A1DAC7F95888CA40

Uniqueness

Uniqueness Score: -1.00%

Function 02203135, Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$|0
API String ID: 0-1997040385
Opcode ID: f9adbbc79140fe2f76ef254fc057987b3af32c1cf06dc3354f9fef553cef5730
Instruction ID: 8adce2a1ad8d003171f9ace509bd6680179c17e16ef2e7b53e63de411a78fb24
Opcode Fuzzy Hash: f9adbbc79140fe2f76ef254fc057987b3af32c1cf06dc3354f9fef553cef5730
Instruction Fuzzy Hash: 7C416970710306AEEB269EB4CEC87E93563FF85760F940224FE95961DAC7F958D88640

Uniqueness

Uniqueness Score: -1.00%

Function 022031AB, Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

j@h, xrefs: 022031EE
\J, xrefs: 02203353
|0, xrefs: 0220322B

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: j@h$\J$|0
API String ID: 0-1997040385
Opcode ID: 4becdae04e9ceda627e02af75bc9ece3b415cc643247c44b32bd09af7fd353f2
Instruction ID: 30e4607cf5a7a9acfbe820989a1b17a93548febb018bc0c7e741100bd8a17f94
Opcode Fuzzy Hash: 4becdae04e9ceda627e02af75bc9ece3b415cc643247c44b32bd09af7fd353f2
Instruction Fuzzy Hash: 02418D70700306AEEB169EB4CDC87E93663FF45760F440224FE95961DAC7F59498C640

Uniqueness

Uniqueness Score: -1.00%

Function 0220323B, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

\J, xrefs: 02203353

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID: \J
API String ID: 0-1681272394
Opcode ID: 559d5a5ef7df12f2fcb9a6593f717dd6ba8ebc79b95ced601d62f9c97df08a25
Instruction ID: 1c332d28614d0e6da44bc2b81c073ed573ea73cbcdbe365c2ab8d261ad96c47c
Opcode Fuzzy Hash: 559d5a5ef7df12f2fcb9a6593f717dd6ba8ebc79b95ced601d62f9c97df08a25
Instruction Fuzzy Hash: BB316C70B00316AEDB199EB8CEC87E83623FF85B60F540234FE55962DEC7B55495C640

Uniqueness

Uniqueness Score: -1.00%

Function 022071E8, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf21488a2cc0a05cc3e7acc51341bf1c89df2da26e96bc40f2752ffa5faca3f4
Instruction ID: ac8fec5dbcabb3dac130c1d33c80fc79c8937be5b1b156acf69f3eef08077379
Opcode Fuzzy Hash: bf21488a2cc0a05cc3e7acc51341bf1c89df2da26e96bc40f2752ffa5faca3f4
Instruction Fuzzy Hash: 45611C74A243538EDB24DFB884D4799BBA19F56720F48C29EDC928B2EBD3709446C712

Uniqueness

Uniqueness Score: -1.00%

Function 02207258, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d55c7072b9f6ef3fe280cec6287b92dd67ae15c87eba309fa658d4fb0892e8a0
Instruction ID: 3f4e2489c54468eb826c28185f839132f4e13c2249b7b90d1afdafa925e4965d
Opcode Fuzzy Hash: d55c7072b9f6ef3fe280cec6287b92dd67ae15c87eba309fa658d4fb0892e8a0
Instruction Fuzzy Hash: 7151FE60A643538EDB24DFB884D87A4FF919F53620F48C2A9CDD68B2EBD3609446C712

Uniqueness

Uniqueness Score: -1.00%

Function 02202457, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46d8af8a3d402cd79a0df62e879cd25571cc140f314b19123fd2e74ecc02f3be
Instruction ID: 0084e8c809585e3f37dd0f51fe9f26f569cff5aabb55cd0183dcab9f296180bb
Opcode Fuzzy Hash: 46d8af8a3d402cd79a0df62e879cd25571cc140f314b19123fd2e74ecc02f3be
Instruction Fuzzy Hash: EB412971B10313EBC7189EB8CDE9BD137A5BF42B60F584325ECA5932DACB509849CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0220244B, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef919b36b5de9fd50d48d0440de4f34b589330ae4c3cdf4fe5bf650286a90ea
Instruction ID: ee26f75f812c2eeae9ebfa66b2b53780891db8b91c61e9566772b4e47a4a7522
Opcode Fuzzy Hash: 4ef919b36b5de9fd50d48d0440de4f34b589330ae4c3cdf4fe5bf650286a90ea
Instruction Fuzzy Hash: 8E316A71660306DFC7649AA8CCA5BD237E5BF01360F54431AECA8932CADB25EC89CB50

Uniqueness

Uniqueness Score: -1.00%

Function 022026F4, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c46d767f611db1a43996907f5f7ccf1711b90ebd41696f60c6a028446b41cdc
Instruction ID: dabb583c745a23df0481feaf925d18fff83e44be74bfe0580cb48caaa61a6b4c
Opcode Fuzzy Hash: 2c46d767f611db1a43996907f5f7ccf1711b90ebd41696f60c6a028446b41cdc
Instruction Fuzzy Hash: DD312930664311EEDB29AEF4CDCDBE436519F01F10F9441A5FE869B2FBC3A09485C951

Uniqueness

Uniqueness Score: -1.00%

Function 022065C3, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d53f8a474bfbaa2271a44c1fbbb8f2ad2063b9d96951838a5e939588e7236e70
Instruction ID: c97a67761e4ff8c1d02c591e036b4153719548314ffb9e6499d32ba9aa96ad12
Opcode Fuzzy Hash: d53f8a474bfbaa2271a44c1fbbb8f2ad2063b9d96951838a5e939588e7236e70
Instruction Fuzzy Hash: 4D214B742353029EEB206AD08AD8BB9265AFF42360FD04126AD42870CFD7B8D961CE11

Uniqueness

Uniqueness Score: -1.00%

Function 02206376, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 815741d749b252a76fc1a245df948a45e322f0232ae514f6d69520dad1399c01
Instruction ID: 79c16def351f2006589f18b57e9c50187d995bbe541cf9ee064289a3605bd4c2
Opcode Fuzzy Hash: 815741d749b252a76fc1a245df948a45e322f0232ae514f6d69520dad1399c01
Instruction Fuzzy Hash: 50114C64578306E9DF2036D04AE8BBA1516BF92760FD04113ED83820CFD7F88476CD12

Uniqueness

Uniqueness Score: -1.00%

Function 02206A20, Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ee55ccd3c4d8c9a420f4973adbe05c9ddc3cc59a80e3797f742c8969ec89eeb
Instruction ID: 146b075b16542deb4097843a0fa444994ea5e5779fbd92028d759839f4d6f237
Opcode Fuzzy Hash: 3ee55ccd3c4d8c9a420f4973adbe05c9ddc3cc59a80e3797f742c8969ec89eeb
Instruction Fuzzy Hash: 2AB012439342A10A976232F1278807D040E45C3634301C6703051B628ED84C4FD5CB61

Uniqueness

Uniqueness Score: -1.00%

Function 02203669, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c77a516f013dce8e387cb25df7df2222a73ecc5be39ad8ab7ef4c09422337c9
Instruction ID: 303a3a1b4da61c4d7aebd1aeeb6a7437b6d539e268b7b194875c708a6fd51262
Opcode Fuzzy Hash: 3c77a516f013dce8e387cb25df7df2222a73ecc5be39ad8ab7ef4c09422337c9
Instruction Fuzzy Hash: A6C092B2300580CFEF02CF08C995B8073A0FF2AA88B0905D0E802DF712C324ED00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 02205C60, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1437725895.0000000002200000.00000040.00000001.sdmp, Offset: 02200000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61aa7df7f61ab54fbc6441d541c45e4166f573bc2affee881a0a33748950dc78
Instruction ID: 3d0ccb0fc4b4e7ed14ac2dd34b9f45857ac927cea501b663831b237d600ebf74
Opcode Fuzzy Hash: 61aa7df7f61ab54fbc6441d541c45e4166f573bc2affee881a0a33748950dc78
Instruction Fuzzy Hash: 3FB09230220A40CFCF99CA4AC1C4E04B3B0BB44600B814490E0118BB62C2A4E840C900

Uniqueness

Uniqueness Score: -1.00%

Function 004110F6, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 221
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004110F6(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v32;
				char _v44;
				char _v52;
				signed int _v56;
				signed int _v64;
				signed int _v68;
				signed int _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				signed int _v100;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				char _t122;
				char* _t124;
				intOrPtr _t179;

				_push(0x4010f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t179;
				_push(0x68);
				L004010F0();
				_v12 = _t179;
				_v8 = 0x4010e0;
				_push(0x11);
				_push(0x402670);
				_t122 =  &_v44;
				_push(_t122);
				L00401192();
				_v56 = _v56 & 0x00000000;
				if(_v56 >= 0x33) {
					L0040118C();
					_v64 = _t122;
				} else {
					_v64 = _v64 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 1;
				if(_v56 >= 0x33) {
					L0040118C();
					_v68 = _t122;
				} else {
					_v68 = _v68 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 2;
				if(_v56 >= 0x33) {
					L0040118C();
					_v72 = _t122;
				} else {
					_v72 = _v72 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 3;
				if(_v56 >= 0x33) {
					L0040118C();
					_v76 = _t122;
				} else {
					_v76 = _v76 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 4;
				if(_v56 >= 0x33) {
					L0040118C();
					_v80 = _t122;
				} else {
					_v80 = _v80 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 5;
				if(_v56 >= 0x33) {
					L0040118C();
					_v84 = _t122;
				} else {
					_v84 = _v84 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 6;
				if(_v56 >= 0x33) {
					L0040118C();
					_v88 = _t122;
				} else {
					_v88 = _v88 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 7;
				if(_v56 >= 0x33) {
					L0040118C();
					_v92 = _t122;
				} else {
					_v92 = _v92 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 8;
				if(_v56 >= 0x33) {
					L0040118C();
					_v96 = _t122;
				} else {
					_v96 = _v96 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 9;
				if(_v56 >= 0x33) {
					L0040118C();
					_v100 = _t122;
				} else {
					_v100 = _v100 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xa;
				if(_v56 >= 0x33) {
					L0040118C();
					_v104 = _t122;
				} else {
					_v104 = _v104 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xb;
				if(_v56 >= 0x33) {
					L0040118C();
					_v108 = _t122;
				} else {
					_v108 = _v108 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xc;
				if(_v56 >= 0x33) {
					L0040118C();
					_v112 = _t122;
				} else {
					_v112 = _v112 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xd;
				if(_v56 >= 0x33) {
					L0040118C();
					_v116 = _t122;
				} else {
					_v116 = _v116 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xe;
				if(_v56 >= 0x33) {
					L0040118C();
					_v120 = _t122;
				} else {
					_v120 = _v120 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_v56 = 0xf;
				if(_v56 >= 0x33) {
					L0040118C();
					_v124 = _t122;
				} else {
					_v124 = _v124 & 0x00000000;
				}
				L00401186();
				 *((char*)(_v32 + _v56)) = _t122;
				_push(0x411407);
				_v52 =  &_v44;
				_t124 =  &_v52;
				_push(_t124);
				_push(0);
				L00401180();
				return _t124;
			}

0x004110fb
0x00411106
0x00411107
0x0041110e
0x00411111
0x00411119
0x0041111c
0x00411123
0x00411125
0x0041112a
0x0041112d
0x0041112e
0x00411133
0x0041113b
0x00411143
0x00411148
0x0041113d
0x0041113d
0x0041113d
0x0041114f
0x0041115a
0x0041115c
0x00411167
0x0041116f
0x00411174
0x00411169
0x00411169
0x00411169
0x0041117b
0x00411186
0x00411188
0x00411193
0x0041119b
0x004111a0
0x00411195
0x00411195
0x00411195
0x004111a7
0x004111b2
0x004111b4
0x004111bf
0x004111c7
0x004111cc
0x004111c1
0x004111c1
0x004111c1
0x004111d3
0x004111de
0x004111e0
0x004111eb
0x004111f3
0x004111f8
0x004111ed
0x004111ed
0x004111ed
0x004111ff
0x0041120a
0x0041120c
0x00411217
0x0041121f
0x00411224
0x00411219
0x00411219
0x00411219
0x0041122b
0x00411236
0x00411238
0x00411243
0x0041124b
0x00411250
0x00411245
0x00411245
0x00411245
0x00411257
0x00411262
0x00411264
0x0041126f
0x00411277
0x0041127c
0x00411271
0x00411271
0x00411271
0x00411283
0x0041128e
0x00411290
0x0041129b
0x004112a3
0x004112a8
0x0041129d
0x0041129d
0x0041129d
0x004112af
0x004112ba
0x004112bc
0x004112c7
0x004112cf
0x004112d4
0x004112c9
0x004112c9
0x004112c9
0x004112db
0x004112e6
0x004112e8
0x004112f3
0x004112fb
0x00411300
0x004112f5
0x004112f5
0x004112f5
0x00411307
0x00411312
0x00411314
0x0041131f
0x00411327
0x0041132c
0x00411321
0x00411321
0x00411321
0x00411333
0x0041133e
0x00411340
0x0041134b
0x00411353
0x00411358
0x0041134d
0x0041134d
0x0041134d
0x0041135f
0x0041136a
0x0041136c
0x00411377
0x0041137f
0x00411384
0x00411379
0x00411379
0x00411379
0x0041138b
0x00411396
0x00411398
0x004113a3
0x004113ab
0x004113b0
0x004113a5
0x004113a5
0x004113a5
0x004113b7
0x004113c2
0x004113c4
0x004113cf
0x004113d7
0x004113dc
0x004113d1
0x004113d1
0x004113d1
0x004113e3
0x004113ee
0x004113f0
0x004113f8
0x004113fb
0x004113fe
0x004113ff
0x00411401
0x00411406

APIs

__vbaChkstk.MSVBVM60(?,004010F6), ref: 00411111
__vbaAryConstruct2.MSVBVM60(?,00402670,00000011,?,?,?,?,004010F6), ref: 0041112E
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411143
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041114F
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041116F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041117B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041119B
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004111A7
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004111C7
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004111D3
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004111F3
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004111FF
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041121F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041122B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041124B
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411257
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411277
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411283
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004112A3
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004112AF
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004112CF
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004112DB
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411307
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411327
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411333
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411353
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041135F
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041137F
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 0041138B
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004113AB
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004113B7
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004113D7
__vbaUI1I2.MSVBVM60(?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 004113E3
__vbaAryDestruct.MSVBVM60(00000000,?,00411407,?,?,?,?,00402670,00000011,?,?,?,?,004010F6), ref: 00411401

Strings

3, xrefs: 004113CB

Memory Dump Source

Source File: 00000000.00000002.1436896100.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436876777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1436930248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1436949015.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$ChkstkConstruct2Destruct
String ID: 3
API String ID: 1280986024-1842515611
Opcode ID: d1268c19ccdfaa79cf906326640715c7af07e26e9fe677dde2a6d899ab91170b
Instruction ID: 8038944a5ac6b089bb33bc9cba75d304917b0d0c476377a0848abb6061d37ef0
Opcode Fuzzy Hash: d1268c19ccdfaa79cf906326640715c7af07e26e9fe677dde2a6d899ab91170b
Instruction Fuzzy Hash: 4AA10774C02249EFDF04EBE5D6517EDBBB1BF16309F20402EE6066A2A2C7780945CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 00410BA4, Relevance: 37.8, APIs: 25, Instructions: 267
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00410BA4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				signed int _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v92;
				intOrPtr _v100;
				char _v108;
				char _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v140;
				signed int _v144;
				intOrPtr* _v148;
				signed int _v152;
				intOrPtr* _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				void* _t138;
				signed int _t142;
				signed int _t146;
				char* _t150;
				signed int _t154;
				signed int _t164;
				signed int _t171;
				signed int _t175;
				char* _t179;
				signed int _t183;
				char* _t192;
				void* _t194;
				void* _t216;
				void* _t217;
				intOrPtr _t218;
				void* _t219;

				 *[fs:0x0] = _t218;
				L004010F0();
				_v16 = _t218;
				_v12 = E004010D0;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t138 =  *((intOrPtr*)( *_a4 + 4))(_a4, _t216, _t217, _t194,  *[fs:0x0], 0x4010f6);
				_push(0x4025c8);
				_push(0x4025c8);
				L004011FE();
				if(_t138 != 0) {
					L004011F8();
				}
				if( *0x412010 != 0) {
					_v148 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402870);
					L004011EC();
					_v148 = 0x412010;
				}
				_t142 =  &_v72;
				L004011F2();
				_v116 = _t142;
				_t146 =  *((intOrPtr*)( *_v116 + 0xd8))(_v116,  &_v112, _t142,  *((intOrPtr*)( *((intOrPtr*)( *_v148)) + 0x2fc))( *_v148));
				asm("fclex");
				_v120 = _t146;
				if(_v120 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x4025cc);
					_push(_v116);
					_push(_v120);
					L004011E6();
					_v152 = _t146;
				}
				if( *0x412010 != 0) {
					_v156 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402870);
					L004011EC();
					_v156 = 0x412010;
				}
				_t150 =  &_v76;
				L004011F2();
				_v124 = _t150;
				_t154 =  *((intOrPtr*)( *_v124 + 0x48))(_v124,  &_v64, _t150,  *((intOrPtr*)( *((intOrPtr*)( *_v156)) + 0x2fc))( *_v156));
				asm("fclex");
				_v128 = _t154;
				if(_v128 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x4025cc);
					_push(_v124);
					_push(_v128);
					L004011E6();
					_v160 = _t154;
				}
				_v140 = _v64;
				_v64 = _v64 & 0x00000000;
				L004011E0();
				 *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _v112,  &_v68);
				L004011DA();
				L004011D4();
				_t219 = _t218 + 0xc;
				_t164 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v72,  &_v76);
				asm("fclex");
				_v116 = _t164;
				if(_v116 >= 0) {
					_v164 = _v164 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402324);
					_push(_a4);
					_push(_v116);
					L004011E6();
					_v164 = _t164;
				}
				while(1) {
					_v100 = 1;
					_v108 = 2;
					_push( &_v44);
					_push( &_v108);
					_push( &_v92);
					L004011C8();
					L004011CE();
					if( *0x412010 != 0) {
						_v168 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402870);
						L004011EC();
						_v168 = 0x412010;
					}
					_t171 =  &_v72;
					L004011F2();
					_v116 = _t171;
					_t175 =  *((intOrPtr*)( *_v116 + 0xd8))(_v116,  &_v112, _t171,  *((intOrPtr*)( *((intOrPtr*)( *_v168)) + 0x2fc))( *_v168));
					asm("fclex");
					_v120 = _t175;
					if(_v120 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0xd8);
						_push(0x4025cc);
						_push(_v116);
						_push(_v120);
						L004011E6();
						_v172 = _t175;
					}
					if( *0x412010 != 0) {
						_v176 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402870);
						L004011EC();
						_v176 = 0x412010;
					}
					_t179 =  &_v76;
					L004011F2();
					_v124 = _t179;
					_t183 =  *((intOrPtr*)( *_v124 + 0x48))(_v124,  &_v64, _t179,  *((intOrPtr*)( *((intOrPtr*)( *_v176)) + 0x2fc))( *_v176));
					asm("fclex");
					_v128 = _t183;
					if(_v128 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x4025cc);
						_push(_v124);
						_push(_v128);
						L004011E6();
						_v180 = _t183;
					}
					_v144 = _v64;
					_v64 = _v64 & 0x00000000;
					L004011E0();
					 *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _v112,  &_v68);
					L004011DA();
					_push( &_v76);
					_push( &_v72);
					_push(2);
					L004011D4();
					_t219 = _t219 + 0xc;
					_v100 = 0x9ffff;
					_v108 = 0x8003;
					_push( &_v44);
					_t192 =  &_v108;
					_push(_t192);
					L004011C2();
					if(_t192 == 0) {
						break;
					}
				}
				goto __ebx;
			}

0x00410bb6
0x00410bc2
0x00410bca
0x00410bcd
0x00410bda
0x00410be3
0x00410bee
0x00410bf1
0x00410bf6
0x00410bfb
0x00410c02
0x00410c04
0x00410c04
0x00410c10
0x00410c2d
0x00410c12
0x00410c12
0x00410c17
0x00410c1c
0x00410c21
0x00410c21
0x00410c51
0x00410c55
0x00410c5a
0x00410c69
0x00410c6f
0x00410c71
0x00410c78
0x00410c97
0x00410c7a
0x00410c7a
0x00410c7f
0x00410c84
0x00410c87
0x00410c8a
0x00410c8f
0x00410c8f
0x00410ca5
0x00410cc2
0x00410ca7
0x00410ca7
0x00410cac
0x00410cb1
0x00410cb6
0x00410cb6
0x00410ce6
0x00410cea
0x00410cef
0x00410cfe
0x00410d01
0x00410d03
0x00410d0a
0x00410d26
0x00410d0c
0x00410d0c
0x00410d0e
0x00410d13
0x00410d16
0x00410d19
0x00410d1e
0x00410d1e
0x00410d30
0x00410d36
0x00410d43
0x00410d57
0x00410d60
0x00410d6f
0x00410d74
0x00410d7f
0x00410d85
0x00410d87
0x00410d8e
0x00410dad
0x00410d90
0x00410d90
0x00410d95
0x00410d9a
0x00410d9d
0x00410da0
0x00410da5
0x00410da5
0x00410db4
0x00410db4
0x00410dbb
0x00410dc5
0x00410dc9
0x00410dcd
0x00410dce
0x00410dd8
0x00410de4
0x00410e01
0x00410de6
0x00410de6
0x00410deb
0x00410df0
0x00410df5
0x00410df5
0x00410e25
0x00410e29
0x00410e2e
0x00410e3d
0x00410e43
0x00410e45
0x00410e4c
0x00410e6b
0x00410e4e
0x00410e4e
0x00410e53
0x00410e58
0x00410e5b
0x00410e5e
0x00410e63
0x00410e63
0x00410e79
0x00410e96
0x00410e7b
0x00410e7b
0x00410e80
0x00410e85
0x00410e8a
0x00410e8a
0x00410eba
0x00410ebe
0x00410ec3
0x00410ed2
0x00410ed5
0x00410ed7
0x00410ede
0x00410efa
0x00410ee0
0x00410ee0
0x00410ee2
0x00410ee7
0x00410eea
0x00410eed
0x00410ef2
0x00410ef2
0x00410f04
0x00410f0a
0x00410f17
0x00410f2b
0x00410f34
0x00410f3c
0x00410f40
0x00410f41
0x00410f43
0x00410f48
0x00410f4b
0x00410f52
0x00410f5c
0x00410f5d
0x00410f60
0x00410f61
0x00410f6b
0x00000000
0x00000000
0x00410f6d
0x00410f77

APIs

__vbaChkstk.MSVBVM60(?,004010F6), ref: 00410BC2
__vbaStrCmp.MSVBVM60(004025C8,004025C8,?,?,?,?,004010F6), ref: 00410BFB
__vbaEnd.MSVBVM60(004025C8,004025C8,?,?,?,?,004010F6), ref: 00410C04
__vbaNew2.MSVBVM60(00402870,00412010,004025C8,004025C8,?,?,?,?,004010F6), ref: 00410C1C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410C55
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025CC,000000D8), ref: 00410C8A
__vbaNew2.MSVBVM60(00402870,00412010), ref: 00410CB1
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410CEA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025CC,00000048), ref: 00410D19
__vbaStrMove.MSVBVM60(00000000,?,004025CC,00000048), ref: 00410D43
__vbaFreeStr.MSVBVM60 ref: 00410D60
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410D6F
__vbaHresultCheckObj.MSVBVM60(00000000,004010D0,00402324,000002B4), ref: 00410DA0
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00410DCE
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00410DD8
__vbaNew2.MSVBVM60(00402870,00412010,?,00000002,?,00008003,?), ref: 00410DF0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E29
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025CC,000000D8,?,?,?,?,?,?,?,?,00402870,00412010,?,00000002), ref: 00410E5E
__vbaNew2.MSVBVM60(00402870,00412010,00000000,?,004025CC,000000D8,?,?,?,?,?,?,?,?,00402870,00412010), ref: 00410E85
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410EBE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004025CC,00000048,?,?,?,?,?,?,?,?,00402870,00412010,?,00000002), ref: 00410EED
__vbaStrMove.MSVBVM60(00000000,?,004025CC,00000048,?,?,?,?,?,?,?,?,00402870,00412010,?,00000002), ref: 00410F17
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00402870,00412010,?,00000002,?,00008003,?), ref: 00410F34
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410F43
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 00410F61

Memory Dump Source

Source File: 00000000.00000002.1436896100.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1436876777.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1436930248.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1436949015.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$Move$List$Chkstk
String ID:
API String ID: 3120471521-0
Opcode ID: 56d51d624b344f3c4242cd87f458916aff17787ed6c7a2c5ffe0eef1efeab1b2
Instruction ID: 6b866178065c783742e6e54178ca99d75224d9ea0174c441b82feaac6e7bb524
Opcode Fuzzy Hash: 56d51d624b344f3c4242cd87f458916aff17787ed6c7a2c5ffe0eef1efeab1b2
Instruction Fuzzy Hash: A0C13C71A00218EFCB20DFA1CD45BDDBBB5BF08304F20416AE509BB2A1DBB99985DF54

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180 Parent PID: 5852

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exe PID: 6180 Parent PID: 5852 RFQ#89234A_2021_LISTED_ITEMS_DUC_PHUCS_IMPORT_EXPORT_CO.exeCOMMON

Executed Functions

Function 0040121C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46COMMON

Non-executed Functions

Function 022071E6, Relevance: 6.9, Strings: 5, Instructions: 631COMMON

Function 02207DE9, Relevance: 6.8, Strings: 5, Instructions: 585COMMON

Function 0040121C, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46
COMMON

Function 004110F6, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 221
COMMON

Function 00410BA4, Relevance: 37.8, APIs: 25, Instructions: 267
COMMON