Play interactive tour

Edit tour

Analysis Report TT SWIFT COPY.scr

Overview

General Information

Sample Name:	TT SWIFT COPY.scr (renamed file extension from scr to exe)
Analysis ID:	345064
MD5:	cb3b77181a200f9b066fd29e4431ad0f
SHA1:	0019eab67d15bf22a9e90345bf7281b4f0c11d5f
SHA256:	d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b
Tags:	RemcosRATscr
Most interesting Screenshot:

Detection

Remcos GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

Connects to many ports of the same IP (likely port scanning)

Contain functionality to detect virtual machines

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Uses dynamic DNS services

Writes to foreign memory regions

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Startup

System is w10x64

TT SWIFT COPY.exe (PID: 2016 cmdline: 'C:\Users\user\Desktop\TT SWIFT COPY.exe' MD5: CB3B77181A200F9B066FD29E4431AD0F)

ieinstal.exe (PID: 6612 cmdline: 'C:\Users\user\Desktop\TT SWIFT COPY.exe' MD5: DAD17AB737E680C47C8A44CBB95EE67E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: TT SWIFT COPY.exe PID: 2016	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: ieinstal.exe PID: 6612	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
Process Memory Space: ieinstal.exe PID: 6612	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

System Summary:

Sigma detected: Remcos

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Internet Explorer\ieinstal.exe, ProcessId: 6612, TargetFilename: C:\Users\user\AppData\Roaming\remcos\logs.dat

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: TT SWIFT COPY.exe	Virustotal: Detection: 29%			Perma Link
Source: TT SWIFT COPY.exe	ReversingLabs: Detection: 11%

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6612, type: MEMORY

Compliance:

Uses 32bit PE files

Show sources

Source: TT SWIFT COPY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Uses secure TLS version for HTTPS connections

Show sources

Source: unknown

HTTPS traffic detected: 172.217.22.225:443 -> 192.168.2.4:49750 version: TLS 1.2

Networking:

Connects to many ports of the same IP (likely port scanning)

Show sources

Source: global traffic

TCP traffic: 41.217.65.85 ports 0,2,52360,3,5,6

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealthybillionaire.ddns.net

Source: global traffic

TCP traffic: 192.168.2.4:49756 -> 41.217.65.85:52360

Source: Joe Sandbox View

IP Address: 172.217.22.225 172.217.22.225

Source: Joe Sandbox View

ASN Name: SpectranetNG SpectranetNG

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-10-4c-docs.googleusercontent.com

Source: ieinstal.exe

String found in binary or memory: https://drive.google.com/uc?export=download&id=1PP54bVrSlJhC7UatjJUO9mpLD_h1IDyr

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49750
Source: unknown	Network traffic detected: HTTP traffic on port 49750 -> 443

Source: unknown

HTTPS traffic detected: 172.217.22.225:443 -> 192.168.2.4:49750 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: TT SWIFT COPY.exe, 00000001.00000002.766614289.00000000007AA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

E-Banking Fraud:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6612, type: MEMORY

System Summary:

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785569 NtWriteVirtualMemory,	1_2_00785569
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785E81 NtProtectVirtualMemory,	1_2_00785E81
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007847E5 NtResumeThread,	1_2_007847E5
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00786458 NtResumeThread,	1_2_00786458
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078285A NtWriteVirtualMemory,	1_2_0078285A
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00786432 NtResumeThread,	1_2_00786432
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782818 NtWriteVirtualMemory,	1_2_00782818
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078641E NtResumeThread,	1_2_0078641E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007824DA NtWriteVirtualMemory,	1_2_007824DA
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007828B8 NtWriteVirtualMemory,	1_2_007828B8
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007864B9 NtResumeThread,	1_2_007864B9
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007824BA NtWriteVirtualMemory,	1_2_007824BA
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782556 NtWriteVirtualMemory,	1_2_00782556
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782935 NtWriteVirtualMemory,	1_2_00782935
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00786526 NtResumeThread,	1_2_00786526
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078250D NtWriteVirtualMemory,	1_2_0078250D
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785D04 NtProtectVirtualMemory,	1_2_00785D04
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007825E6 NtWriteVirtualMemory,	1_2_007825E6
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007825AE NtWriteVirtualMemory,	1_2_007825AE
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078267E NtWriteVirtualMemory,	1_2_0078267E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785E37 NtProtectVirtualMemory,	1_2_00785E37
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782607 NtWriteVirtualMemory,	1_2_00782607
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007826D9 NtWriteVirtualMemory,	1_2_007826D9
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007826B3 NtWriteVirtualMemory,	1_2_007826B3
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782773 NtWriteVirtualMemory,	1_2_00782773
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078632E NtResumeThread,	1_2_0078632E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078271A NtWriteVirtualMemory,	1_2_0078271A
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007863AA NtResumeThread,	1_2_007863AA
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007863AD NtResumeThread,	1_2_007863AD
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782792 NtWriteVirtualMemory,	1_2_00782792
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078238E NtWriteVirtualMemory,	1_2_0078238E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85E81 NtProtectVirtualMemory,	8_2_00E85E81
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85525 NtProtectVirtualMemory,	8_2_00E85525
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E864B9 NtProtectVirtualMemory,	8_2_00E864B9
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85E58 NtProtectVirtualMemory,	8_2_00E85E58
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E86458 NtProtectVirtualMemory,	8_2_00E86458
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E86432 NtProtectVirtualMemory,	8_2_00E86432
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85E37 NtProtectVirtualMemory,	8_2_00E85E37
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8641E NtProtectVirtualMemory,	8_2_00E8641E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E863AA NtProtectVirtualMemory,	8_2_00E863AA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E863AD NtProtectVirtualMemory,	8_2_00E863AD
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8632E NtProtectVirtualMemory,	8_2_00E8632E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E86526 NtProtectVirtualMemory,	8_2_00E86526
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85D04 NtProtectVirtualMemory,	8_2_00E85D04
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8631A NtProtectVirtualMemory,	8_2_00E8631A

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_004018FB	1_2_004018FB
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00401BF8	1_2_00401BF8
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00401BAC	1_2_00401BAC
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007847E5	1_2_007847E5
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078498A	1_2_0078498A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85525	8_2_00E85525
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8498A	8_2_00E8498A

Source: TT SWIFT COPY.exe, 00000001.00000000.646632334.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameRombudd.exe vs TT SWIFT COPY.exe
Source: TT SWIFT COPY.exe	Binary or memory string: OriginalFilenameRombudd.exe vs TT SWIFT COPY.exe

Source: TT SWIFT COPY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/1@7/3

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

File created: C:\Users\user\AppData\Roaming\remcos

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Mutant created: \Sessions\1\BaseNamedObjects\Remcos-ZULZ4Y

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

File created: C:\Users\user\AppData\Local\Temp\~DF895962AEC71A13C1.TMP

Jump to behavior

Source: TT SWIFT COPY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: TT SWIFT COPY.exe	Virustotal: Detection: 29%
Source: TT SWIFT COPY.exe	ReversingLabs: Detection: 11%

Source: unknown	Process created: C:\Users\user\Desktop\TT SWIFT COPY.exe 'C:\Users\user\Desktop\TT SWIFT COPY.exe'
Source: unknown	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\TT SWIFT COPY.exe'
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\TT SWIFT COPY.exe'	Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6612, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: TT SWIFT COPY.exe PID: 2016, type: MEMORY

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contain functionality to detect virtual machines

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		1_2_0078436A
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: C:\Program Files\Qemu-ga\qemu-ga.exe C:\Program Files\Qemu-ga\qemu-ga.exe		1_2_007841A6

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078087B TerminateProcess,	1_2_0078087B
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781456 LoadLibraryA,	1_2_00781456
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780856 TerminateProcess,	1_2_00780856
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780829 TerminateProcess,	1_2_00780829
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007808D4 TerminateProcess,	1_2_007808D4
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007808B6 TerminateProcess,	1_2_007808B6
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781972	1_2_00781972
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781936	1_2_00781936
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078192C	1_2_0078192C
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780905 TerminateProcess,	1_2_00780905
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007809FF TerminateProcess,	1_2_007809FF
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007819AE	1_2_007819AE
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780983 TerminateProcess,	1_2_00780983
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780A36 TerminateProcess,	1_2_00780A36
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781A1A	1_2_00781A1A
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781A0D	1_2_00781A0D
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781AF6	1_2_00781AF6
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781ADA	1_2_00781ADA
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007806D0 TerminateProcess,	1_2_007806D0
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007816CA	1_2_007816CA
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780AB3 TerminateProcess,	1_2_00780AB3
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781A83	1_2_00781A83
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780A86 TerminateProcess,	1_2_00780A86
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00780778 TerminateProcess,	1_2_00780778
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781B62	1_2_00781B62
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781B20	1_2_00781B20
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007807FB TerminateProcess,	1_2_007807FB
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781BC3	1_2_00781BC3
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078079E TerminateProcess,	1_2_0078079E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781B82	1_2_00781B82

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	RDTSC instruction interceptor: First address: 000000000078093D second address: 000000000078093D instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E80C2D second address: 0000000000E80E69 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dword ptr [ebp+74h], 01h 0x0000000e jne 00007F05948909DBh 0x00000014 cmp dword ptr [ebp+7Ch], 00000000h 0x00000018 je 00007F05948907F7h 0x0000001a jmp 00007F05948907F2h 0x0000001c pushad 0x0000001d mov ecx, 000000D5h 0x00000022 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81941 second address: 0000000000E81941 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E819E9 second address: 0000000000E819E9 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81BA8 second address: 0000000000E81BA8 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81C29 second address: 0000000000E81C29 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, dword ptr [esi+0Ch] 0x0000000d push eax 0x0000000e cmp cl, dl 0x00000010 call 00007F0594893587h 0x00000015 mov ecx, dword ptr [esp+0Ch] 0x00000019 jmp 00007F05948907F2h 0x0000001b test ebx, ecx 0x0000001d mov edx, dword ptr [esp+08h] 0x00000021 mov ebx, dword ptr [esp+04h] 0x00000025 jmp 00007F05948907F2h 0x00000027 cmp edx, 4DACAB7Dh 0x0000002d test ecx, ecx 0x0000002f je 00007F0594890839h 0x00000031 jmp 00007F05948907F2h 0x00000033 test bx, D941h 0x00000038 retn 000Ch 0x0000003b pop ecx 0x0000003c add esi, 28h 0x0000003f inc ecx 0x00000040 cmp ecx, dword ptr [edi+00000804h] 0x00000046 jne 00007F059489079Ch 0x00000048 push ecx 0x00000049 push dword ptr [esi+10h] 0x0000004c mov edx, dword ptr [ebp+20h] 0x0000004f add edx, dword ptr [esi+14h] 0x00000052 push edx 0x00000053 mov eax, dword ptr [edi+00000800h] 0x00000059 jmp 00007F05948907F2h 0x0000005b pushad 0x0000005c rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: TT SWIFT COPY.exe, ieinstal.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	RDTSC instruction interceptor: First address: 0000000000785A98 second address: 0000000000785B02 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f mov byte ptr [eax], FFFFFF90h 0x00000012 mov eax, dword ptr [esp+1Ch] 0x00000016 mov byte ptr [eax], 0000006Ah 0x00000019 jmp 00007F0594BA2322h 0x0000001b cmp dh, FFFFFFCCh 0x0000001e mov byte ptr [eax+01h], 00000000h 0x00000022 cmp dh, dh 0x00000024 mov byte ptr [eax+02h], FFFFFFB8h 0x00000028 mov edx, dword ptr [ebp+0000013Ch] 0x0000002e mov dword ptr [eax+03h], edx 0x00000031 jmp 00007F0594BA2322h 0x00000033 cmp cx, ax 0x00000036 mov byte ptr [eax+07h], FFFFFFFFh 0x0000003a test ecx, BB2D02B9h 0x00000040 mov byte ptr [eax+08h], FFFFFFD0h 0x00000044 test bl, dl 0x00000046 pushad 0x00000047 lfence 0x0000004a rdtsc
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	RDTSC instruction interceptor: First address: 000000000078093D second address: 000000000078093D instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E85A98 second address: 0000000000E85B02 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+18h] 0x0000000f mov byte ptr [eax], FFFFFF90h 0x00000012 mov eax, dword ptr [esp+1Ch] 0x00000016 mov byte ptr [eax], 0000006Ah 0x00000019 jmp 00007F0594BA2322h 0x0000001b cmp dh, FFFFFFCCh 0x0000001e mov byte ptr [eax+01h], 00000000h 0x00000022 cmp dh, dh 0x00000024 mov byte ptr [eax+02h], FFFFFFB8h 0x00000028 mov edx, dword ptr [ebp+0000013Ch] 0x0000002e mov dword ptr [eax+03h], edx 0x00000031 jmp 00007F0594BA2322h 0x00000033 cmp cx, ax 0x00000036 mov byte ptr [eax+07h], FFFFFFFFh 0x0000003a test ecx, BB2D02B9h 0x00000040 mov byte ptr [eax+08h], FFFFFFD0h 0x00000044 test bl, dl 0x00000046 pushad 0x00000047 lfence 0x0000004a rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E80C2D second address: 0000000000E80E69 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp dword ptr [ebp+74h], 01h 0x0000000e jne 00007F05948909DBh 0x00000014 cmp dword ptr [ebp+7Ch], 00000000h 0x00000018 je 00007F05948907F7h 0x0000001a jmp 00007F05948907F2h 0x0000001c pushad 0x0000001d mov ecx, 000000D5h 0x00000022 rdtsc
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81941 second address: 0000000000E81941 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E819E9 second address: 0000000000E819E9 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81BA8 second address: 0000000000E81BA8 instructions:
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	RDTSC instruction interceptor: First address: 0000000000E81C29 second address: 0000000000E81C29 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a add eax, dword ptr [esi+0Ch] 0x0000000d push eax 0x0000000e cmp cl, dl 0x00000010 call 00007F0594893587h 0x00000015 mov ecx, dword ptr [esp+0Ch] 0x00000019 jmp 00007F05948907F2h 0x0000001b test ebx, ecx 0x0000001d mov edx, dword ptr [esp+08h] 0x00000021 mov ebx, dword ptr [esp+04h] 0x00000025 jmp 00007F05948907F2h 0x00000027 cmp edx, 4DACAB7Dh 0x0000002d test ecx, ecx 0x0000002f je 00007F0594890839h 0x00000031 jmp 00007F05948907F2h 0x00000033 test bx, D941h 0x00000038 retn 000Ch 0x0000003b pop ecx 0x0000003c add esi, 28h 0x0000003f inc ecx 0x00000040 cmp ecx, dword ptr [edi+00000804h] 0x00000046 jne 00007F059489079Ch 0x00000048 push ecx 0x00000049 push dword ptr [esi+10h] 0x0000004c mov edx, dword ptr [ebp+20h] 0x0000004f add edx, dword ptr [esi+14h] 0x00000052 push edx 0x00000053 mov eax, dword ptr [edi+00000800h] 0x00000059 jmp 00007F05948907F2h 0x0000005b pushad 0x0000005c rdtsc

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Code function: 1_2_0078087B rdtsc

1_2_0078087B

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe

Window / User API: threadDelayed 830

Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6664	Thread sleep count: 830 > 30			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe TID: 6664	Thread sleep time: -8300000s >= -30000s			Jump to behavior

Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Last function: Thread delayed

Source: TT SWIFT COPY.exe, ieinstal.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Code function: 1_2_0078087B rdtsc

1_2_0078087B

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Code function: 1_2_007839FA LdrInitializeThunk,

1_2_007839FA

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_004018FB mov ebx, dword ptr fs:[00000030h]	1_2_004018FB
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00401B7C mov ebx, dword ptr fs:[00000030h]	1_2_00401B7C
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00401B90 mov ebx, dword ptr fs:[00000030h]	1_2_00401B90
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00401BAC mov ebx, dword ptr fs:[00000030h]	1_2_00401BAC
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078205E mov eax, dword ptr fs:[00000030h]	1_2_0078205E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782032 mov eax, dword ptr fs:[00000030h]	1_2_00782032
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078202C mov eax, dword ptr fs:[00000030h]	1_2_0078202C
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007820BE mov eax, dword ptr fs:[00000030h]	1_2_007820BE
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785972 mov eax, dword ptr fs:[00000030h]	1_2_00785972
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078594E mov eax, dword ptr fs:[00000030h]	1_2_0078594E
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785935 mov eax, dword ptr fs:[00000030h]	1_2_00785935
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_0078192C mov eax, dword ptr fs:[00000030h]	1_2_0078192C
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007851F3 mov eax, dword ptr fs:[00000030h]	1_2_007851F3
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00782DD1 mov eax, dword ptr fs:[00000030h]	1_2_00782DD1
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781DB2 mov eax, dword ptr fs:[00000030h]	1_2_00781DB2
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781E32 mov eax, dword ptr fs:[00000030h]	1_2_00781E32
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785A0A mov eax, dword ptr fs:[00000030h]	1_2_00785A0A
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_007852F6 mov eax, dword ptr fs:[00000030h]	1_2_007852F6
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00784AB5 mov eax, dword ptr fs:[00000030h]	1_2_00784AB5
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781E83 mov eax, dword ptr fs:[00000030h]	1_2_00781E83
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00785335 mov eax, dword ptr fs:[00000030h]	1_2_00785335
Source: C:\Users\user\Desktop\TT SWIFT COPY.exe	Code function: 1_2_00781FCA mov eax, dword ptr fs:[00000030h]	1_2_00781FCA
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E84AB5 mov eax, dword ptr fs:[00000030h]	8_2_00E84AB5
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85A0A mov eax, dword ptr fs:[00000030h]	8_2_00E85A0A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E859E1 mov eax, dword ptr fs:[00000030h]	8_2_00E859E1
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E82DCE mov eax, dword ptr fs:[00000030h]	8_2_00E82DCE
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8597E mov eax, dword ptr fs:[00000030h]	8_2_00E8597E
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85941 mov eax, dword ptr fs:[00000030h]	8_2_00E85941
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E8592A mov eax, dword ptr fs:[00000030h]	8_2_00E8592A
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85931 mov eax, dword ptr fs:[00000030h]	8_2_00E85931
Source: C:\Program Files (x86)\Internet Explorer\ieinstal.exe	Code function: 8_2_00E85333 mov eax, dword ptr fs:[00000030h]	8_2_00E85333

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Memory written: C:\Program Files (x86)\Internet Explorer\ieinstal.exe base: E80000

Jump to behavior

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Process created: C:\Program Files (x86)\Internet Explorer\ieinstal.exe 'C:\Users\user\Desktop\TT SWIFT COPY.exe'

Jump to behavior

Source: ieinstal.exe, 00000008.00000002.1027358864.0000000003507000.00000004.00000040.sdmp	Binary or memory string: Program ManagerE
Source: ieinstal.exe, 00000008.00000002.1027386338.00000000038A0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: ieinstal.exe, 00000008.00000002.1027358864.0000000003507000.00000004.00000040.sdmp	Binary or memory string: Program Manager Started
Source: ieinstal.exe, 00000008.00000002.1027386338.00000000038A0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: ieinstal.exe, 00000008.00000002.1027386338.00000000038A0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: logs.dat.8.dr	Binary or memory string: [ Program Manager ]
Source: ieinstal.exe, 00000008.00000002.1027358864.0000000003507000.00000004.00000040.sdmp	Binary or memory string: Program Managere.ddns.net{
Source: ieinstal.exe, 00000008.00000002.1027358864.0000000003507000.00000004.00000040.sdmp	Binary or memory string: Program Managerinistrator
Source: ieinstal.exe, 00000008.00000002.1027386338.00000000038A0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\TT SWIFT COPY.exe

Code function: 1_2_00781841 cpuid

1_2_00781841

Stealing of Sensitive Information:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6612, type: MEMORY

Remote Access Functionality:

Yara detected Remcos RAT

Show sources

Source: Yara match	File source: 00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ieinstal.exe PID: 6612, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection112	Masquerading1	Input Capture1	Security Software Discovery721	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion32	LSASS Memory	Virtualization/Sandbox Evasion32	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery311	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
TT SWIFT COPY.exe	30%	Virustotal		Browse
TT SWIFT COPY.exe	11%	ReversingLabs	Win32.Trojan.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
wealthybillionaire.ddns.net	1%	Virustotal		Browse

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealthybillionaire.ddns.net	41.217.65.85	true	true	1%, Virustotal, Browse	unknown
googlehosted.l.googleusercontent.com	172.217.22.225	true	false		high
doc-10-4c-docs.googleusercontent.com	unknown	unknown	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.22.225	unknown	United States		15169	GOOGLEUS	false
41.217.65.85	unknown	Nigeria		37340	SpectranetNG	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	345064
Start date:	27.01.2021
Start time:	16:47:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	TT SWIFT COPY.scr (renamed file extension from scr to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/1@7/3
EGA Information:	Failed
HDC Information:	Successful, ratio: 18.4% (good quality ratio 13.5%) Quality average: 40.3% Quality standard deviation: 29.5%
HCA Information:	Successful, ratio: 51% Number of executed functions: 147 Number of non-executed functions: 51
Cookbook Comments:	Adjust boot time Enable AMSI
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 13.64.90.137, 104.43.139.144, 51.104.144.132, 95.101.22.134, 95.101.22.125, 72.247.178.35, 72.247.178.8, 172.217.22.206, 52.155.217.156, 172.217.20.238, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, docs.google.com, skypedataprdcolwus17.cloudapp.net, arc.msn.com.nsatc.net, db3p-ris-pf-prod-atm.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, a767.dscg3.akamai.net, a1449.dscg2.akamai.net, arc.msn.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, au-bg-shim.trafficmanager.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
16:48:50	API Interceptor	1109x Sleep call for process: ieinstal.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
172.217.22.225	http://examwriting.blogspot.com/2015/02/describe-person-your-best-friend.html	Get hash	malicious	Browse	1.bp.blogspot.com/-tW6bdJ2wjUE/U2FhguGfv0I/AAAAAAAAApY/eoNiqBbrlyI/s1600/essay.png
172.217.22.225	http://www.boererate.com	Get hash	malicious	Browse	4.bp.blogspot.com/_QXfrrj8yn44/SiuczvogmnI/AAAAAAAABe8/d9uiCWfh0j8/w72-h72-p-k-no-nu/hare.jpg

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealthybillionaire.ddns.net	bedrapes.exe	Get hash	malicious	Browse	154.118.68.3
googlehosted.l.googleusercontent.com	DHL-INVOICE RECEIPT.html	Get hash	malicious	Browse	172.217.22.225
	Tebling_Resortsac_FILE-HP38XM.htm	Get hash	malicious	Browse	172.217.22.225
	67654565677.htmL	Get hash	malicious	Browse	172.217.22.225
	STJYFHJWQA.dll	Get hash	malicious	Browse	172.217.23.1
	MPCAHXYTRX.dll	Get hash	malicious	Browse	172.217.23.1
	Cherokeebrick Progress billing(malware).html	Get hash	malicious	Browse	172.217.23.1
	fe89833d-6e0a-4916-929d-81ffbd4a244e_ORDER54#0.html	Get hash	malicious	Browse	172.217.23.1
	mfpVTSmyz-Fichero.msi	Get hash	malicious	Browse	172.217.23.1
	Maersk_BL Draft_copy_Shipping_documents.html	Get hash	malicious	Browse	172.217.23.1
	4892.htm	Get hash	malicious	Browse	172.217.22.225
	4892.htm	Get hash	malicious	Browse	142.250.180.161
	demo.js	Get hash	malicious	Browse	142.250.180.161
	demo.js	Get hash	malicious	Browse	142.250.180.161
	Release Pending messages on account.html	Get hash	malicious	Browse	142.250.180.161
	vefHXTlef-Fichero-ES.msi	Get hash	malicious	Browse	142.250.180.161
	kkToaAZ6Mm.exe	Get hash	malicious	Browse	216.58.215.225
	ACH PAYMENT REMITTANCE ADVICE.xlsx	Get hash	malicious	Browse	108.177.126.132
	Notice_Admin_Johnstoncompanies_8578.htm	Get hash	malicious	Browse	108.177.126.132
	ACH WIRE PAYMENT ADVICE..xlsx	Get hash	malicious	Browse	108.177.126.132
	WFLPGBTMZH.dll	Get hash	malicious	Browse	108.177.126.132

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
SpectranetNG	Doc.exe	Get hash	malicious	Browse	154.120.95.234
	0712020.exe	Get hash	malicious	Browse	41.217.69.179
	49221o3F5N.exe	Get hash	malicious	Browse	41.217.64.43
	0LGpT3WYf1.exe	Get hash	malicious	Browse	154.120.96.115
	PURCHASE ORDER TOUSE IMPORT& EXPORT CO. ,LTD.ZIP FILE.exe	Get hash	malicious	Browse	41.217.62.17
	INV9938884.exe	Get hash	malicious	Browse	154.118.49.103
	bedrapes.exe	Get hash	malicious	Browse	154.118.68.3
	5Shipment 09252018 - Ship REPORT WEEK 37.exe	Get hash	malicious	Browse	197.242.116.57
	7Statement of account.exe	Get hash	malicious	Browse	154.118.3.123
	26SHIPMENT PASSED-Draft BL, Packing list.exe	Get hash	malicious	Browse	197.242.99.110
	Property Enquiry Ref-00255487453342065334.exe	Get hash	malicious	Browse	154.120.125.40
	59Purchase order.exe	Get hash	malicious	Browse	197.242.119.100
	42Invoice.exe	Get hash	malicious	Browse	154.118.11.196
	DHL correction form.exe	Get hash	malicious	Browse	41.217.118.185
	3Doc_EZ19029587.js	Get hash	malicious	Browse	154.120.121.109
	3Doc_EZ19029587.js	Get hash	malicious	Browse	154.120.121.109
GOOGLEUS	qGQNEyWr7F.dll	Get hash	malicious	Browse	35.198.73.208
	s8mlt68JFA.exe	Get hash	malicious	Browse	35.198.73.208
	Order confirmation 64236000000025 26.01.2021.exe	Get hash	malicious	Browse	34.102.136.180
	Overdue_invoices.exe	Get hash	malicious	Browse	108.177.119.109
	DHL-INVOICE RECEIPT.html	Get hash	malicious	Browse	172.217.22.225
	SPECIFICATION REQUEST.exe	Get hash	malicious	Browse	34.102.136.180
	0113 INV_PAK.xlsx	Get hash	malicious	Browse	34.102.136.180
	SIT-10295.exe	Get hash	malicious	Browse	108.177.119.109
	PAYMENT LIST .xlsx	Get hash	malicious	Browse	34.102.136.180
	wno5UOP8TJ.exe	Get hash	malicious	Browse	8.8.8.8
	quote20210126.exe.exe	Get hash	malicious	Browse	34.102.136.180
	org.mozilla.firefox_2015785883.apk	Get hash	malicious	Browse	172.217.20.238
	org.mozilla.firefox_2015785883.apk	Get hash	malicious	Browse	172.217.23.14
	SecuriteInfo.com.Trojan.Packed2.42783.14936.exe	Get hash	malicious	Browse	34.102.136.180
	PAYMENT.260121.xlsx	Get hash	malicious	Browse	34.102.136.180
	4NoiNHCNoU.exe	Get hash	malicious	Browse	216.58.207.179
	bXFjrxjRlb.exe	Get hash	malicious	Browse	34.102.136.180
	xl2Ml2iNJe.exe	Get hash	malicious	Browse	34.102.136.180
	eEXZHxdxFE.exe	Get hash	malicious	Browse	35.228.108.144
	v07PSzmSp9.exe	Get hash	malicious	Browse	34.102.136.180

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	Luminar4 (4.4).exe	Get hash	malicious	Browse	172.217.22.225
	case (2553).xls	Get hash	malicious	Browse	172.217.22.225
	case (4374).xls	Get hash	malicious	Browse	172.217.22.225
	file.dll	Get hash	malicious	Browse	172.217.22.225
	case (547).xls	Get hash	malicious	Browse	172.217.22.225
	The Mental Health Center.xlsx	Get hash	malicious	Browse	172.217.22.225
	Xy4f5rcxOm.dll	Get hash	malicious	Browse	172.217.22.225
	Attached_672651.xlsb	Get hash	malicious	Browse	172.217.22.225
	RFQ RPM202011-776JD.jpg.lnk	Get hash	malicious	Browse	172.217.22.225
	New Profit Distribution.pdf.lnk	Get hash	malicious	Browse	172.217.22.225
	IRS_Covid-19_Relief_Payment_Notice_pdf.exe	Get hash	malicious	Browse	172.217.22.225
	PAYMENT INFO.xlsx	Get hash	malicious	Browse	172.217.22.225
	k.dll	Get hash	malicious	Browse	172.217.22.225
	DOCUMENTS_RECEIVED.html	Get hash	malicious	Browse	172.217.22.225
	case (348).xls	Get hash	malicious	Browse	172.217.22.225
	request_form_1611565093.xlsm	Get hash	malicious	Browse	172.217.22.225
	creoagent.dll	Get hash	malicious	Browse	172.217.22.225
	creoagent.dll	Get hash	malicious	Browse	172.217.22.225
	case (426).xls	Get hash	malicious	Browse	172.217.22.225
	case (250).xls	Get hash	malicious	Browse	172.217.22.225

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Roaming\remcos\logs.dat Download File
Process:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	74
Entropy (8bit):	4.761677312794259
Encrypted:	false
SSDEEP:	3:ttUWdYFOJKrA4RXMRPHv31aeo:tmbEJ4XqdHv3IP
MD5:	CCE1AAB72179A0181668FA420CCDB994
SHA1:	92BD82FDD219BEDAED8F627D305D74AA3A9D91C0
SHA-256:	6F40F518DBC5052C964E12111EE853D3B4C8BD84B4D0B280B4B1D76FA3F3CF0C
SHA-512:	10D3909C8FC7C98D41217AA08A59BB15BD85FAD785BDF374D6406324BD4B3B5A3DF43EA8FEF5947E66238573A48C7C83A47F4B9932261E8563FEB734AC1487A6
Malicious:	true
Reputation:	low
Preview:	..[2021/01/27 16:48:50 Offline Keylogger Started]....[ Program Manager ]..

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.2833548504304
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	TT SWIFT COPY.exe
File size:	139264
MD5:	cb3b77181a200f9b066fd29e4431ad0f
SHA1:	0019eab67d15bf22a9e90345bf7281b4f0c11d5f
SHA256:	d94aa8eba8dce581912552261b549bb8bcf04e8380fa68dc525c0d94236b761b
SHA512:	727c614587570ce6ecf1489dcce3fd0e7415f83937dd9b349a3b055f4568fcdd319978310c47c01dcb2bc151426807d0812579e922dee4ffc329e3e8117885e3
SSDEEP:	1536:nz2K0+KowzEQVKnQrIskYv67Z6ojCaXDdoDIlB:zSuwoLyaBo6B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...H..V..................... ......,.............@................

File Icon


Icon Hash:	b064666ae6d6ee6c

Static PE Info

General
Entrypoint:	0x40152c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x56BFC148 [Sat Feb 13 23:50:32 2016 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	20fa7021831ab23270faf65321b1b2e3

Entrypoint Preview

Instruction
push 00408BACh
call 00007F059475F493h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebp
xchg eax, ebx
into
mov esi, 4EE7931Fh
mov al, FDh
loopne 00007F059475F4AEh
pop ds
cmp dword ptr [esi+00000095h], esp
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 6Dh
imul esi, dword ptr [ebx+67h], 00860072h
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
pop eax
and dl, bh
push eax
inc ebx
loope 00007F059475F4E7h
xchg eax, ebx
sbb eax, 097A1802h
add al, 3Fh
in al, 66h
mov word ptr [ebp+2Ch], gs

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf664	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x11000	0x10b34	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x120	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xeb2c	0xf000	False	0.453678385417	data	6.18718833178	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0xa48	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x11000	0x10b34	0x11000	False	0.124540441176	data	4.29488419368	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x110e8	0x10828	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x21910	0x14	data
RT_VERSION	0x21924	0x210	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Rombudd
FileVersion	1.00
CompanyName	Longines
ProductName	Longines
ProductVersion	1.00
OriginalFilename	Rombudd.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 16:48:49.658221006 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.700680971 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.700802088 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.701518059 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.745665073 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.759439945 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.759474993 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.759500980 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.759522915 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.759556055 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.759603024 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.773170948 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.816327095 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.816487074 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.817303896 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.864830017 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.983856916 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.983881950 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.983938932 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.983952999 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:49.983962059 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.983978987 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:49.984044075 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:50.381218910 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:50.425501108 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.003437996 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.003489017 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.003526926 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.003566980 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.004884005 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.004914999 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.004976034 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.005017996 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.006592035 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.006654978 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.006720066 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.006755114 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.009722948 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.009777069 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.009821892 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.009848118 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.012815952 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.012868881 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.012892008 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.012916088 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.015885115 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.015938997 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.015976906 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.016000032 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.018995047 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.019017935 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.019076109 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.020843983 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.020873070 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.020916939 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.020941019 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.023940086 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.023967028 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.024028063 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.024046898 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.027069092 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.027189970 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.046031952 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.046061993 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.046120882 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.046156883 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.047482967 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.047524929 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.047566891 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.047586918 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.050605059 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.050635099 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.050702095 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.053744078 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.053777933 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.053822041 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.053850889 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.056838036 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.056874037 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.056916952 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.056940079 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.059954882 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.059993029 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.060040951 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.060065031 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.063044071 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.063091993 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.063114882 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.063143969 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.066198111 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.066242933 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.066278934 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.066324949 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.069329977 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.069372892 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.069490910 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.072274923 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.072334051 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:48:51.072351933 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.072391033 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:48:51.200222969 CET	49756	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:48:54.202102900 CET	49756	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:00.233917952 CET	49756	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:13.375659943 CET	49767	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:16.375791073 CET	49767	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:22.376302958 CET	49767	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:36.098659992 CET	49768	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:39.096483946 CET	49768	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:45.112684011 CET	49768	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:49:58.271168947 CET	49770	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:01.285892963 CET	49770	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:07.286390066 CET	49770	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:20.447057962 CET	49771	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:23.459593058 CET	49771	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:29.461057901 CET	49771	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:38.459234953 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:50:38.501533031 CET	443	49750	172.217.22.225	192.168.2.4
Jan 27, 2021 16:50:38.501601934 CET	49750	443	192.168.2.4	172.217.22.225
Jan 27, 2021 16:50:42.664093971 CET	49772	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:45.664592981 CET	49772	52360	192.168.2.4	41.217.65.85
Jan 27, 2021 16:50:51.665102959 CET	49772	52360	192.168.2.4	41.217.65.85

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 27, 2021 16:47:52.199857950 CET	49257	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:52.251549006 CET	53	49257	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:53.401667118 CET	62389	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:53.452290058 CET	53	62389	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:54.748959064 CET	49910	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:54.798152924 CET	53	49910	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:56.092576027 CET	55854	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:56.140506029 CET	53	55854	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:57.445337057 CET	64549	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:57.501646042 CET	53	64549	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:58.529681921 CET	63153	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:58.577590942 CET	53	63153	8.8.8.8	192.168.2.4
Jan 27, 2021 16:47:59.502315044 CET	52991	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:47:59.550240993 CET	53	52991	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:01.316770077 CET	53700	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:01.364873886 CET	53	53700	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:02.614227057 CET	51726	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:02.663778067 CET	53	51726	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:03.592953920 CET	56794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:03.654442072 CET	53	56794	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:04.860775948 CET	56534	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:04.908763885 CET	53	56534	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:05.819096088 CET	56627	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:05.869807959 CET	53	56627	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:07.242556095 CET	56621	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:07.303323030 CET	53	56621	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:08.404150009 CET	63116	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:08.453174114 CET	53	63116	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:09.410604954 CET	64078	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:09.461582899 CET	53	64078	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:10.582242966 CET	64801	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:10.638855934 CET	53	64801	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:20.587336063 CET	61721	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:20.635426044 CET	53	61721	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:34.118211031 CET	51255	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:34.178715944 CET	53	51255	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:41.792427063 CET	61522	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:41.853951931 CET	53	61522	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:48.438832998 CET	52337	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:48.503421068 CET	53	52337	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:48.952749968 CET	55046	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:49.011135101 CET	53	55046	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:49.577096939 CET	49612	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:49.632471085 CET	49285	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:49.655276060 CET	53	49612	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:49.688832045 CET	53	49285	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:49.994541883 CET	50601	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:50.063925982 CET	53	50601	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:50.275145054 CET	60875	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:50.339596033 CET	53	60875	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:50.930318117 CET	56448	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:50.987020969 CET	53	56448	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:51.133460999 CET	59172	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:51.135895014 CET	62420	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:51.185509920 CET	53	62420	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:51.199150085 CET	53	59172	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:51.465825081 CET	60579	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:51.524655104 CET	53	60579	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:52.177882910 CET	50183	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:52.234494925 CET	53	50183	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:52.892705917 CET	61531	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:52.954174042 CET	53	61531	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:53.725513935 CET	49228	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:53.789880991 CET	53	49228	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:54.969630003 CET	59794	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:55.030900955 CET	53	59794	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:55.893250942 CET	55916	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:55.949723959 CET	53	55916	8.8.8.8	192.168.2.4
Jan 27, 2021 16:48:59.302361012 CET	52752	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:48:59.365312099 CET	53	52752	8.8.8.8	192.168.2.4
Jan 27, 2021 16:49:13.310650110 CET	60542	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:49:13.374368906 CET	53	60542	8.8.8.8	192.168.2.4
Jan 27, 2021 16:49:36.041059971 CET	60689	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:49:36.097318888 CET	53	60689	8.8.8.8	192.168.2.4
Jan 27, 2021 16:49:37.338814974 CET	64206	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:49:37.387098074 CET	53	64206	8.8.8.8	192.168.2.4
Jan 27, 2021 16:49:58.210439920 CET	50904	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:49:58.269824982 CET	53	50904	8.8.8.8	192.168.2.4
Jan 27, 2021 16:50:20.384707928 CET	57525	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:50:20.444418907 CET	53	57525	8.8.8.8	192.168.2.4
Jan 27, 2021 16:50:42.605174065 CET	53814	53	192.168.2.4	8.8.8.8
Jan 27, 2021 16:50:42.661493063 CET	53	53814	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Jan 27, 2021 16:48:49.577096939 CET	192.168.2.4	8.8.8.8	0x93ed	Standard query (0)	doc-10-4c-docs.googleusercontent.com	A (IP address)	IN (0x0001)
Jan 27, 2021 16:48:51.133460999 CET	192.168.2.4	8.8.8.8	0xdedc	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:13.310650110 CET	192.168.2.4	8.8.8.8	0x591d	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:36.041059971 CET	192.168.2.4	8.8.8.8	0x8409	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:58.210439920 CET	192.168.2.4	8.8.8.8	0x65ff	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jan 27, 2021 16:50:20.384707928 CET	192.168.2.4	8.8.8.8	0x13e3	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)
Jan 27, 2021 16:50:42.605174065 CET	192.168.2.4	8.8.8.8	0x8a28	Standard query (0)	wealthybillionaire.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Jan 27, 2021 16:48:49.655276060 CET	8.8.8.8	192.168.2.4	0x93ed	No error (0)	doc-10-4c-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Jan 27, 2021 16:48:49.655276060 CET	8.8.8.8	192.168.2.4	0x93ed	No error (0)	googlehosted.l.googleusercontent.com		172.217.22.225	A (IP address)	IN (0x0001)
Jan 27, 2021 16:48:51.199150085 CET	8.8.8.8	192.168.2.4	0xdedc	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:13.374368906 CET	8.8.8.8	192.168.2.4	0x591d	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:36.097318888 CET	8.8.8.8	192.168.2.4	0x8409	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)
Jan 27, 2021 16:49:58.269824982 CET	8.8.8.8	192.168.2.4	0x65ff	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)
Jan 27, 2021 16:50:20.444418907 CET	8.8.8.8	192.168.2.4	0x13e3	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)
Jan 27, 2021 16:50:42.661493063 CET	8.8.8.8	192.168.2.4	0x8a28	No error (0)	wealthybillionaire.ddns.net		41.217.65.85	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Jan 27, 2021 16:48:49.759522915 CET	172.217.22.225	443	192.168.2.4	49750	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Jan 05 13:11:08 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Mar 30 14:11:07 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Jan 27, 2021 16:48:49.759522915 CET	172.217.22.225	443	192.168.2.4	49750	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: TT SWIFT COPY.exe PID: 2016 Parent PID: 6040

General

Start time:	16:47:56
Start date:	27/01/2021
Path:	C:\Users\user\Desktop\TT SWIFT COPY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TT SWIFT COPY.exe'
Imagebase:	0x400000
File size:	139264 bytes
MD5 hash:	CB3B77181A200F9B066FD29E4431AD0F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: ieinstal.exe PID: 6612 Parent PID: 2016

General

Start time:	16:48:37
Start date:	27/01/2021
Path:	C:\Program Files (x86)\Internet Explorer\ieinstal.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\TT SWIFT COPY.exe'
Imagebase:	0x1000000
File size:	480256 bytes
MD5 hash:	DAD17AB737E680C47C8A44CBB95EE67E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000008.00000002.1027344976.0000000003500000.00000004.00000040.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	moderate

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: TT SWIFT COPY.exe PID: 2016 Parent PID: 6040 TT SWIFT COPY.exeCOMMON

Executed Functions

Function 00785569, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 406COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: 60f45798f01edec2e8aa49b8be81a495acf84472bdf47e9e7a186408b0ec954b
Instruction ID: 722e57801584ea43eddc37e23eda3098582ef32af44acb8fa13fd9fb251c8238
Opcode Fuzzy Hash: 60f45798f01edec2e8aa49b8be81a495acf84472bdf47e9e7a186408b0ec954b
Instruction Fuzzy Hash: EAD143703C0305EFEB353E20CC9ABEA3666AF51790F644128FD85961D2D3BE9886D742

Uniqueness

Uniqueness Score: -1.00%

Function 0078238E, Relevance: 10.9, APIs: 1, Strings: 5, Instructions: 406COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: 39895a987c75bc9c75f11e93f09bbd60ff5734ee9e63b705e736d4f2f2c1840c
Instruction ID: 43afb78ba1e01396464a1af014323036041c030a5d7af7f6565d883179bfb867
Opcode Fuzzy Hash: 39895a987c75bc9c75f11e93f09bbd60ff5734ee9e63b705e736d4f2f2c1840c
Instruction Fuzzy Hash: 8FD133702C4381EFEB217E208D99BE93B62AF52351F244169ED899A493C37D8887D752

Uniqueness

Uniqueness Score: -1.00%

Function 007824DA, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 297COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: 497f4d78eeeeb9ccf9eb277fdd02a692c290daf4b5770095eb038bc9af7ac5c8
Instruction ID: 78f0ba5157bd6754618fd0a7a4000961bbd49214b4ac21ac08e20c51f2f339c5
Opcode Fuzzy Hash: 497f4d78eeeeb9ccf9eb277fdd02a692c290daf4b5770095eb038bc9af7ac5c8
Instruction Fuzzy Hash: 5FA146B03C0305EFEB357E20CD9ABE93666BF55741F204024FE859A1D2C3BD98969741

Uniqueness

Uniqueness Score: -1.00%

Function 0078250D, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 295COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: 6d832dd6ab67b76345f45107a0e626d5d24c18c22d20102b5d240870656e6305
Instruction ID: 44ea76040e632932cc93058dcae60398c687c91aa089f433c8754ab1a3930bd7
Opcode Fuzzy Hash: 6d832dd6ab67b76345f45107a0e626d5d24c18c22d20102b5d240870656e6305
Instruction Fuzzy Hash: EDA127B02C4306EFEB357E20CC9ABE93A66BF51741F144024FE849A1D2C3BD989A9741

Uniqueness

Uniqueness Score: -1.00%

Function 007824BA, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 293COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: b949f58109b1db354ae8990540f80729353a978649bffe4a5d2a7c8d4a781621
Instruction ID: e81a64a031ab5af3f6fe3ff5190382771e8b4d4f6e47f28cf19675711ffe265c
Opcode Fuzzy Hash: b949f58109b1db354ae8990540f80729353a978649bffe4a5d2a7c8d4a781621
Instruction Fuzzy Hash: 7AA146702C4306AFEB357F20CD9ABE93B62BF55341F244028FE8997192C3BD98969741

Uniqueness

Uniqueness Score: -1.00%

Function 00782607, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 289COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: afe94abf2df44988846204012633fe8ac76bb6d981d13f8cd323db3047d6833f
Instruction ID: 608f08c765aedc0ce6cb81571e9430e839a9eb4ec7fe7e5cfa26b1fbb77dbcee
Opcode Fuzzy Hash: afe94abf2df44988846204012633fe8ac76bb6d981d13f8cd323db3047d6833f
Instruction Fuzzy Hash: FCA136B02C0206EFEB267F24CD96BE93B62FF51341F144028FD8596193D7BD98969781

Uniqueness

Uniqueness Score: -1.00%

Function 00782556, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 284COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: bdaf24ffe43dbed799bece4a35898273d7958597ee1ffa35e8380c2e926fe0d7
Instruction ID: 67231d782a71804e2ef9edd84e8fd2b4387520da48e35a514dcb67032ab150fa
Opcode Fuzzy Hash: bdaf24ffe43dbed799bece4a35898273d7958597ee1ffa35e8380c2e926fe0d7
Instruction Fuzzy Hash: 7D9126B02C0206AFEB357E24CD9ABE93B66FF55741F244024FE849A1D2C3BD98969741

Uniqueness

Uniqueness Score: -1.00%

Function 007825AE, Relevance: 10.8, APIs: 1, Strings: 5, Instructions: 257COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: f15dc78ebcdd694ef84d4177cedfb0ae7c7509fd596cba834c71a3e9c58b61e8
Instruction ID: de13b8f4fd8a2b5011874f1d337c52d23aa480d984133d4557f7d3437d6dd8d9
Opcode Fuzzy Hash: f15dc78ebcdd694ef84d4177cedfb0ae7c7509fd596cba834c71a3e9c58b61e8
Instruction Fuzzy Hash: 438116B02C0306EFEB257F20CD96BEA3A66FF55381F244024FD8597192C7BD989A9741

Uniqueness

Uniqueness Score: -1.00%

Function 007825E6, Relevance: 10.7, APIs: 1, Strings: 5, Instructions: 244COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
D#, xrefs: 00782631
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$D#$8
API String ID: 0-1303400988
Opcode ID: b6845729b07f03ab531ed578a48c135417086f93c526e07aa4935171208c879b
Instruction ID: 6f72470fc2e7dee19fdd82eade49ba6affd053bca552a8e95af33f419dcbc633
Opcode Fuzzy Hash: b6845729b07f03ab531ed578a48c135417086f93c526e07aa4935171208c879b
Instruction Fuzzy Hash: 4C8126B02C0206EFEB357F24CD96BE93666FF55381F204024FD859B192C7BD989A9741

Uniqueness

Uniqueness Score: -1.00%

Function 007826D9, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 235COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$8
API String ID: 0-3302722744
Opcode ID: 936586e9aac80f671a888b292d16beba5600860dc6a299db9ef52555890388d3
Instruction ID: 7a0bd0b9b13b82e4226922243062df8d10ba0eb25f994735195bea1c139d4bf1
Opcode Fuzzy Hash: 936586e9aac80f671a888b292d16beba5600860dc6a299db9ef52555890388d3
Instruction Fuzzy Hash: DD711A702C4345AFEB367E24CC96BE53B26BF56351F184025FE84DA093C37D988A9742

Uniqueness

Uniqueness Score: -1.00%

Function 007826B3, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 231COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$8
API String ID: 0-3302722744
Opcode ID: 106bc4cabd8dde7955471ad396f1c6e484528642e847d317c2a3a618a8d1c2ae
Instruction ID: 391f2dcf5594b8e27cbbf01b13e33f4ef3213ba9bd83b43f95a58d6ff5ec7c2a
Opcode Fuzzy Hash: 106bc4cabd8dde7955471ad396f1c6e484528642e847d317c2a3a618a8d1c2ae
Instruction Fuzzy Hash: 1E7135702C4305AFEB367E20CC96BE93B62BF55381F144029FEC496093C7BD899A9781

Uniqueness

Uniqueness Score: -1.00%

Function 0078267E, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 216COMMON

Download Yara Rule

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: _j@h$jjj$&'$8
API String ID: 0-3302722744
Opcode ID: 7dfd47b3c6750afafeca123a280cfe21e8ac3598d31d531a9d3453fe7b817570
Instruction ID: 2504afce9c53a7315c295fa90ee72c8fe4cd61e8d58fef1c3993722cd95e6ade
Opcode Fuzzy Hash: 7dfd47b3c6750afafeca123a280cfe21e8ac3598d31d531a9d3453fe7b817570
Instruction Fuzzy Hash: C07104B02C030AAFEB257F24CC96BE93776FF55381F144024FE849A192C7BD989A9741

Uniqueness

Uniqueness Score: -1.00%

Function 0078271A, Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 200nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: _j@h$jjj$&'$8
API String ID: 3527976591-3302722744
Opcode ID: 43203e6199865b5ba96b7956eed65cee73292b3ea114f40dbe4a553ebc458c4d
Instruction ID: 151a02ddb55b8128e39dedf388c65647c9b3c21820c80ff51f0dd5c80c64e8fe
Opcode Fuzzy Hash: 43203e6199865b5ba96b7956eed65cee73292b3ea114f40dbe4a553ebc458c4d
Instruction Fuzzy Hash: 056128702C0305EFEF367E20CC96BE93A66FF55781F144024FE859A192C7BD998A9741

Uniqueness

Uniqueness Score: -1.00%

Function 00782773, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 178nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: _j@h$jjj$&'$8
API String ID: 3527976591-3302722744
Opcode ID: 1165c606aec6d6b0a45570fa960b71b03d57320ff3060976b4e1315f7614afbf
Instruction ID: b54063bb16dfee2ce22afcba4e870291f12f8a0065b4e5b1b4d8a08d783a337d
Opcode Fuzzy Hash: 1165c606aec6d6b0a45570fa960b71b03d57320ff3060976b4e1315f7614afbf
Instruction Fuzzy Hash: F85105B02C0205AFEF357E24CD96BE93666BF55752F144024FE84DA093C7BD988A9781

Uniqueness

Uniqueness Score: -1.00%

Function 00782792, Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 140nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
jjj, xrefs: 007827BB
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: _j@h$jjj$&'$8
API String ID: 3527976591-3302722744
Opcode ID: c0799b869c11a559f5e71c949656668d18271f08761d52b35f072b53e6028611
Instruction ID: c2ff2b00b6d9bd78c46bfa6cf2f5f538a256575a9677dd2b263df898c12ef378
Opcode Fuzzy Hash: c0799b869c11a559f5e71c949656668d18271f08761d52b35f072b53e6028611
Instruction Fuzzy Hash: 624115B02C0205BFEF3A7E20CD96BE93666FF55781F144024FE8496192C7BD989A9781

Uniqueness

Uniqueness Score: -1.00%

Function 00782818, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 137nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: _j@h$&'$8
API String ID: 3527976591-1052070840
Opcode ID: dcb220b0a3fde470c7c4c5aeed024ffa3ea25b5474dbe8c193a56cabd5f557b2
Instruction ID: 61d61b1f7209452fbaec02b41cfab48919d262c8380035b910a1b1561c06a2d7
Opcode Fuzzy Hash: dcb220b0a3fde470c7c4c5aeed024ffa3ea25b5474dbe8c193a56cabd5f557b2
Instruction Fuzzy Hash: 5D4112B02C0245AFEF267E24CD967E93A66BF15351F144124ED84860A3C77D98869741

Uniqueness

Uniqueness Score: -1.00%

Function 0078285A, Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 99nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
_j@h, xrefs: 00782869
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: _j@h$&'$8
API String ID: 3527976591-1052070840
Opcode ID: d98517a08c27c28e7c791509070c50c6a95b1eb72f970e72f3b8bd0d50ce253f
Instruction ID: db5806dd382a932478e774d5fae0f785619f95cc0fa8481d88f10c8547767272
Opcode Fuzzy Hash: d98517a08c27c28e7c791509070c50c6a95b1eb72f970e72f3b8bd0d50ce253f
Instruction Fuzzy Hash: 213128B02C0209FFEF267F20CD86BE93666FF58781F104024FD8896196C77DA896A741

Uniqueness

Uniqueness Score: -1.00%

Function 007828B8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 124nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A
&', xrefs: 007828B0

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: &'$8
API String ID: 3527976591-37966445
Opcode ID: 85ba186b3983954c0e4f4ff8023798c0a40deb49ded2c2d670e5712fb0d84c03
Instruction ID: f1d594e2e7002505cdd7a1ef26b8384e8e4f01e350683d8a9626ccfca66655c4
Opcode Fuzzy Hash: 85ba186b3983954c0e4f4ff8023798c0a40deb49ded2c2d670e5712fb0d84c03
Instruction Fuzzy Hash: 51410370288282AFDF267E30CD967D93B72BF16351F180065ED889A053C76D985BD791

Uniqueness

Uniqueness Score: -1.00%

Function 0078436A, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 101fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(007804EA,80000000,00000001,00000000,00000003,00000000,00000000,00784217,007843AA,007804EA), ref: 00784357

Strings

C:\Program Files\qga\qga.exe, xrefs: 00784388
C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 007843AA

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: CreateFile
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe$C:\Program Files\qga\qga.exe
API String ID: 823142352-3663382728
Opcode ID: 47e4b91993845cf0d219f8fdff14aa6f910115e82e5309ca11a638ff28f6c941
Instruction ID: 4b3802e4c2bafc585f1906d0f0565a9122efd7c2d831609be9dd3a15cb58fbb1
Opcode Fuzzy Hash: 47e4b91993845cf0d219f8fdff14aa6f910115e82e5309ca11a638ff28f6c941
Instruction Fuzzy Hash: 8A219A265D82C399EF30B96455967B53B998B33310F68427EAA87E3907D1CC4811C3D6

Uniqueness

Uniqueness Score: -1.00%

Function 007806D0, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

C, xrefs: 0078071C

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: C
API String ID: 0-2515487769
Opcode ID: c3178681075ad50e8ec27a5afb4e8c501ff3d0a421e2a309d8a809425706ad4a
Instruction ID: bacf7d07c290d9c0a704c21b127f92536d5ca6dca2c1581b8abf0f0f7a0be469
Opcode Fuzzy Hash: c3178681075ad50e8ec27a5afb4e8c501ff3d0a421e2a309d8a809425706ad4a
Instruction Fuzzy Hash: E1818870BC4206DEEF743A248D997FD3666AF42360F34852AEC46C7182D66CC88DD792

Uniqueness

Uniqueness Score: -1.00%

Function 00780905, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

7B, xrefs: 007808C9

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: 7B
API String ID: 0-3974370324
Opcode ID: bb56c89fb0aa148fe1d91c3cba52cf5ccdc6acb4ef6e411ed51f6dafda503d6c
Instruction ID: 783fd872f05cfe8adb09ecd7031f3fbdf49bed59c33ccbbaf5cd5a92e66dcbee
Opcode Fuzzy Hash: bb56c89fb0aa148fe1d91c3cba52cf5ccdc6acb4ef6e411ed51f6dafda503d6c
Instruction Fuzzy Hash: 4C819B62AC9341CEFBB57A344D6E7F92B259F42320F38816ADC818B083D16C994DC7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00781456, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

`, xrefs: 00781631

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: b7e39fe73e2da02bc9819edc0302c43264c0fd4dabeabe4c2868e41ac494b8bf
Instruction ID: 4eaedb4f09a2b1cb58be763e51c93288a5a939098c92edbf71f095801490bf19
Opcode Fuzzy Hash: b7e39fe73e2da02bc9819edc0302c43264c0fd4dabeabe4c2868e41ac494b8bf
Instruction Fuzzy Hash: F971A1643C9282CED725797889657E93B6D8B92354FF4407EE8CBC7002E59C8887C793

Uniqueness

Uniqueness Score: -1.00%

Function 00782935, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 80nativeCOMMON

Download Yara Rule

APIs

NtWriteVirtualMemory.NTDLL(?,00000000,?,00000000,-00002000,?,?,?,00000000,?,00001000,00000040,?,00000000,?,?), ref: 00782925

Strings

8, xrefs: 00782A2A

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryVirtualWrite
String ID: 8
API String ID: 3527976591-1379460269
Opcode ID: 7e0721c7a259c186d4525300c487c2ce05bf2e58a4421046c884a5103ae78bbd
Instruction ID: ff7e31b31ece35279e9c835a902bcf8c6d5dca6f0f2aa83221fd2afd33f565f4
Opcode Fuzzy Hash: 7e0721c7a259c186d4525300c487c2ce05bf2e58a4421046c884a5103ae78bbd
Instruction Fuzzy Hash: EB21B3B02C4146EFDF257E24CD82BE83AA2BF15751F141124ED88A6123C77DA896D781

Uniqueness

Uniqueness Score: -1.00%

Function 007839FA, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2994545307-3478744561
Opcode ID: c87873f8ea4f9078d50ef6f86b9879515761a3e2e48d8f9145758f88d4df4560
Instruction ID: d3f629a8f955015e181b5d6794c0e25ec609614f363f944f51e9520c1ed8bd54
Opcode Fuzzy Hash: c87873f8ea4f9078d50ef6f86b9879515761a3e2e48d8f9145758f88d4df4560
Instruction Fuzzy Hash: E211442699E3D099CB36AB78429A6837F60BA93B10718C09DD4C105067C699AB12E7D7

Uniqueness

Uniqueness Score: -1.00%

Function 007847E5, Relevance: 3.1, APIs: 1, Instructions: 1558COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cdee233e2348b80ca0ac28ff5a5a50db731ceba42c1507926916423282080a4
Instruction ID: ebe8420d68b0f5bb4cb4c94a73ce66bd7217d18708ef9704711cf6a92ed7de36
Opcode Fuzzy Hash: 5cdee233e2348b80ca0ac28ff5a5a50db731ceba42c1507926916423282080a4
Instruction Fuzzy Hash: E222B935BEC292FAEE32B420869A5A117407973339BF5106ED846D2845DF0DE572F3B2

Uniqueness

Uniqueness Score: -1.00%

Function 0078498A, Relevance: 2.8, APIs: 1, Instructions: 1338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8dca7986b5882393258146e76eb8279a4e809435cd9d76c419efc53cb1a1e3
Instruction ID: e7c2b44206a5a3ce8cd7b06dcba42c4d2475258e163e7c8fb7fe7ccb7a3c7397
Opcode Fuzzy Hash: bb8dca7986b5882393258146e76eb8279a4e809435cd9d76c419efc53cb1a1e3
Instruction Fuzzy Hash: 31825F07ACA183CEC734BE79575B7E97F609692710B6C42BDCA828B407D1DC8A11C3DA

Uniqueness

Uniqueness Score: -1.00%

Function 007851F3, Relevance: 2.3, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7d3c54b84f84a52383cad7f6c965bf9b1db56bf9e5e268827a7361a7433ccb0
Instruction ID: 00ba5bd78d21d0878a41ef466f18ecfff3373e1cf654bcadaa04eace00106345
Opcode Fuzzy Hash: c7d3c54b84f84a52383cad7f6c965bf9b1db56bf9e5e268827a7361a7433ccb0
Instruction Fuzzy Hash: D142D1569C9DC1CEC731B979564B7D93F22AB82350FBC02BDC9868B803E58D8A51C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 004018FB, Relevance: 1.9, APIs: 1, Instructions: 655COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 543114ed511c9fdbb0aca44d44a2d9c68d948504ebdedac27a0172125d06b362
Instruction ID: 245ee147e7db1749dbe22c176d829ab401513bc32b0aba366f4736dc8a0c588a
Opcode Fuzzy Hash: 543114ed511c9fdbb0aca44d44a2d9c68d948504ebdedac27a0172125d06b362
Instruction Fuzzy Hash: DED13C3F60DAA14FE3058516B8920F13761D7C6B33B34C86BD405AEE96D9384C8E92E7

Uniqueness

Uniqueness Score: -1.00%

Function 00785D04, Relevance: 1.9, APIs: 1, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b5ed502579c9c04c87f51200d28a0a8aef089efe1e2a8075e4a0d1705c3cda4
Instruction ID: 972f02cda748cad11a8ad6274e9b248fc5d16f98fc02030510e9d2c30e5c9601
Opcode Fuzzy Hash: 7b5ed502579c9c04c87f51200d28a0a8aef089efe1e2a8075e4a0d1705c3cda4
Instruction Fuzzy Hash: 379149226CDE809FD725BA388DCE7A53B61DB53310F1842AED882CF197D15C9906C7B2

Uniqueness

Uniqueness Score: -1.00%

Function 0078632E, Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e1aa843f82aa09f6f3a5dbea89e23b494bae6d7f0ef0d950aa16af7e71158c5
Instruction ID: 61cb13dd697bb767d279b132afa858b4e9820ae0f783c8f8bb30bba306c79df6
Opcode Fuzzy Hash: 4e1aa843f82aa09f6f3a5dbea89e23b494bae6d7f0ef0d950aa16af7e71158c5
Instruction Fuzzy Hash: 49816D16AC9281FDDB35BE399A5A3EC3E619742310F68027DD9418BC47D26DCA54C3C2

Uniqueness

Uniqueness Score: -1.00%

Function 00780829, Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e89edad272a7c3f745830e28dc61d2c710811e24040d8959762a29c1910db5f
Instruction ID: d4d8396172adafeddce86e3bcc9aad0c74bd94b66931b1e1eb54e47b8bfc8c92
Opcode Fuzzy Hash: 2e89edad272a7c3f745830e28dc61d2c710811e24040d8959762a29c1910db5f
Instruction Fuzzy Hash: 67813625BC9305DEFBB536284D6A7FD26659F42350F38812AEC868A183D56CC9CDC3D2

Uniqueness

Uniqueness Score: -1.00%

Function 0078079E, Relevance: 1.8, APIs: 1, Instructions: 278COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac1e30b3b7292949a1ac882c0164c1d11a9c1685d9520a252262314229e9a32
Instruction ID: 9e2eabae7d27924ac65c3bd52efac840d1624c07aac8c089ae3053b5fdb71ee6
Opcode Fuzzy Hash: 7ac1e30b3b7292949a1ac882c0164c1d11a9c1685d9520a252262314229e9a32
Instruction Fuzzy Hash: FC719924BC8305DEFF753A288DA97FD26669F42360F384526EC42C60C2C66CD88D87D2

Uniqueness

Uniqueness Score: -1.00%

Function 007807FB, Relevance: 1.8, APIs: 1, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac72a7e4f5b2dce1884a9ebae6b615c1888f867bd5b1013680f5b6cebfd6ba2
Instruction ID: 23796907faccd4690d8b71f67a8a2650563a002c58376e3ed6fc0bdb70916452
Opcode Fuzzy Hash: dac72a7e4f5b2dce1884a9ebae6b615c1888f867bd5b1013680f5b6cebfd6ba2
Instruction Fuzzy Hash: 6D718C65BC4206DEFF743A288D997FD26569F42360F38812AEC46C60C6D56CC8CD97D2

Uniqueness

Uniqueness Score: -1.00%

Function 00780778, Relevance: 1.7, APIs: 1, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e42b5878030cedb207efd29895d611bfde9a72ae05ce2e450654220dd05ec85b
Instruction ID: 85ecc894d66b0175ee8c2f79eb1fc02531a2335709d76b23ca3dd6c5ee2ce47d
Opcode Fuzzy Hash: e42b5878030cedb207efd29895d611bfde9a72ae05ce2e450654220dd05ec85b
Instruction Fuzzy Hash: 3A618B74BC4206DEFF7436288D997FD26569F42360F388526EC46C60D2C56CD88D9792

Uniqueness

Uniqueness Score: -1.00%

Function 00780856, Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32ab7efe35d9d5b4dcba2823829ef3accd7a2ee76e5b8be1b86271551e04b303
Instruction ID: 2f8c867f822fddafa610906379361f60b1bd2044302ea285681e3e61fa917213
Opcode Fuzzy Hash: 32ab7efe35d9d5b4dcba2823829ef3accd7a2ee76e5b8be1b86271551e04b303
Instruction Fuzzy Hash: 64518A64BC4305DEFF753A284D697FD26569F42360F38852AEC86C61C2C66CC8CD8392

Uniqueness

Uniqueness Score: -1.00%

Function 0078087B, Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 256fee7a87374af6cb009fefc5eb5fe2b0f8d2e1960530c96c28b2306214a350
Instruction ID: 8f8a9729f38e613453f416622a75028a26f494afe0a6d2a8a4d14c8907293660
Opcode Fuzzy Hash: 256fee7a87374af6cb009fefc5eb5fe2b0f8d2e1960530c96c28b2306214a350
Instruction Fuzzy Hash: 6D517A64BC4305DAFF743A244D5A7FD26669F82360F388526EC56861C2D66CCCCD93D2

Uniqueness

Uniqueness Score: -1.00%

Function 00785E81, Relevance: 1.7, APIs: 1, Instructions: 204nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00785A83,00000040), ref: 00785E50

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 315a8c5ec739fd69a2d7fe4b13fb10c63a7a7b83579c0a1c17d40e30961a4812
Instruction ID: 6e7db076a61c315ab7ac4ad8b2a264361724f8ffcc12eb8ea87bac6655d7e6ed
Opcode Fuzzy Hash: 315a8c5ec739fd69a2d7fe4b13fb10c63a7a7b83579c0a1c17d40e30961a4812
Instruction Fuzzy Hash: 3841277115DA945FE30DE728CD89F763BA9EB57311F1901DEE0C2CB1A3E4989C468361

Uniqueness

Uniqueness Score: -1.00%

Function 007808B6, Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 40dc454e01c080da00bd4b98a25b976a8dbf58c45663edab5a04c1cb233115ed
Instruction ID: cff06b078614ba656d1791ed4af6a6d6bcd64d0b7968d1e1a873e598c7298abe
Opcode Fuzzy Hash: 40dc454e01c080da00bd4b98a25b976a8dbf58c45663edab5a04c1cb233115ed
Instruction Fuzzy Hash: 38518C64BC4305EAFF743A648D59BF922569F42360F388526EC46871C2D6ACCC8D9352

Uniqueness

Uniqueness Score: -1.00%

Function 007808D4, Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b717f6d1195b86f474ef10d0e771253e0537b29258248e71506e6e43ab2f8853
Instruction ID: 4e726bd6a1b1d531f3a6b1d30ce31116970e81650754941f171f1fec196e5e49
Opcode Fuzzy Hash: b717f6d1195b86f474ef10d0e771253e0537b29258248e71506e6e43ab2f8853
Instruction Fuzzy Hash: 91417B64BC4305DEFF743A248D597F912669F423A0F388526EC46C61D2C6ACC88D8392

Uniqueness

Uniqueness Score: -1.00%

Function 00780983, Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6902f99235a293d0a4d932bc6d2cac40efa9b011065b8a0c49db25d827f74de
Instruction ID: 5a2a5ceaa6eb899096cb4005886d31d1e58465e5152250c49e6aa43f062d9760
Opcode Fuzzy Hash: c6902f99235a293d0a4d932bc6d2cac40efa9b011065b8a0c49db25d827f74de
Instruction Fuzzy Hash: 8B416C64BC4306D9FFB83A288DAA7FD22569F01360F388516EC55C60D6C66CCCCD8392

Uniqueness

Uniqueness Score: -1.00%

Function 007809FF, Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fff7af41995321522d56843c8169b638f2a0085b2613b4f41867618f397ed4ad
Instruction ID: a75301e032826e98d65abb7a600156dc0476253655833d17b5d6e19ddbd06bdf
Opcode Fuzzy Hash: fff7af41995321522d56843c8169b638f2a0085b2613b4f41867618f397ed4ad
Instruction Fuzzy Hash: 87412964AC4305DDFFB87A28899A7F926559F413A0F38C52ADC45C61D2D66CCC8D87C3

Uniqueness

Uniqueness Score: -1.00%

Function 00780A36, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: ccd63888d69a6f7f82c777ff7ea61bfbda61054c8b223cb9aeb170c2e34bcbc7
Instruction ID: 126a799f166bb13e1e9366b7147dc0d755d43540597c80cf0cb2a38cf6885a71
Opcode Fuzzy Hash: ccd63888d69a6f7f82c777ff7ea61bfbda61054c8b223cb9aeb170c2e34bcbc7
Instruction Fuzzy Hash: 9D316869AC8305CDEFB87A7849997E92AA19F02360F28C56ADD45C60D2C65CC98D9382

Uniqueness

Uniqueness Score: -1.00%

Function 00780AB3, Relevance: 1.6, APIs: 1, Instructions: 111COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 48b56a8427c54a76b4f157b0df203f8ecb216fc60a0dfa8b98ae572f0b9b9cb0
Instruction ID: 4153188ddee3f8eff15f1f6a6c10c1be7d4f2c06af05c3a8d1ecea4715d5ae46
Opcode Fuzzy Hash: 48b56a8427c54a76b4f157b0df203f8ecb216fc60a0dfa8b98ae572f0b9b9cb0
Instruction Fuzzy Hash: AB3199617C9346CEFBB479388E5A7E92AA18F02360F388169DC51861C3C2AC894DD3D2

Uniqueness

Uniqueness Score: -1.00%

Function 00780A86, Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 06a92d8db0ed4ec6725a19a9f54da750f5248cee0910425f314ff29daca0c892
Instruction ID: 24aecd2b7c89d93c79370cb8e027f444f1e9b3c22dfaae2724bfa24228bfa4fb
Opcode Fuzzy Hash: 06a92d8db0ed4ec6725a19a9f54da750f5248cee0910425f314ff29daca0c892
Instruction Fuzzy Hash: DA3136646C470AD9FFB43A384D9A7E92A929F02360F388556DD52C60D2C66CC98D9392

Uniqueness

Uniqueness Score: -1.00%

Function 00786458, Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 959571eafd9ea34281bfbbeafcb44ffbbf3ac10f3a61ab6d0ed8b392f22382d7
Instruction ID: fc685e94e8e25b301fe29c5d19d85d765042e77422bd1eb62ffaad8531877308
Opcode Fuzzy Hash: 959571eafd9ea34281bfbbeafcb44ffbbf3ac10f3a61ab6d0ed8b392f22382d7
Instruction Fuzzy Hash: E3313B705C9381FEDB35BE34C5197AC3BA19F02330F69429ED9494B45AC33C89A8C792

Uniqueness

Uniqueness Score: -1.00%

Function 007864B9, Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 40061fc128a276b9efbc8b907405d2e2ebe52b6f198dbdf86161a276ba100051
Instruction ID: 1dd2230ffee11c08068e7c1f2d857b13ff2b22206d8a095cbab4090c3105ee18
Opcode Fuzzy Hash: 40061fc128a276b9efbc8b907405d2e2ebe52b6f198dbdf86161a276ba100051
Instruction Fuzzy Hash: 833138509C9385FEDB257A2485297BC3B619F12330F6D069ED9094B09EC36CC9A8C392

Uniqueness

Uniqueness Score: -1.00%

Function 007863AD, Relevance: 1.6, APIs: 1, Instructions: 91nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 00071edfe251fe5ed69acd62aafac82ba583b440bdcba95829daec5a29646422
Instruction ID: c0ef554055018b1b4ee62ce10cfb13ac5c636f4100fe1ef293806abd7d1a25c0
Opcode Fuzzy Hash: 00071edfe251fe5ed69acd62aafac82ba583b440bdcba95829daec5a29646422
Instruction Fuzzy Hash: AA31FB706C5705FEEF247A14C8287A83262AB52334FA9165ED5064B5DDC37C88D8D792

Uniqueness

Uniqueness Score: -1.00%

Function 007863AA, Relevance: 1.6, APIs: 1, Instructions: 85nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c04f6ca400eb70b77c7795c209c56fa1eaa6c65c3106af48a17982521ac4a4e3
Instruction ID: f5e691f2ef37f4c84e935717726031bd4bef9ec226f2dc5dca2a2f3ca8493f97
Opcode Fuzzy Hash: c04f6ca400eb70b77c7795c209c56fa1eaa6c65c3106af48a17982521ac4a4e3
Instruction Fuzzy Hash: CE21F7706C5705FEEF247A14C8287B832A2AF11334FAA165ED9064B1EDC33C88E8D752

Uniqueness

Uniqueness Score: -1.00%

Function 0078641E, Relevance: 1.6, APIs: 1, Instructions: 70nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 38137a2649c16071ddef852bc076ab397df2c6b43f0ca3a9a84b1856560396bf
Instruction ID: 637aff80cfd3d59937ad20bf141a9d82e3fb4889e77dbd0f0887930188da12ed
Opcode Fuzzy Hash: 38137a2649c16071ddef852bc076ab397df2c6b43f0ca3a9a84b1856560396bf
Instruction Fuzzy Hash: 7D21D5706C9349FEDF247A24C4287B83762AF11334FAA565ED545460DDC33C88E8D752

Uniqueness

Uniqueness Score: -1.00%

Function 00786432, Relevance: 1.6, APIs: 1, Instructions: 69nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: c1a88bcde5809f4a508801ae06c89d20d1031a047bfb36a4ee3d644a9e08c9f9
Instruction ID: 6415b1f87c22621801b54b458b33b1ecd3a5589eb95b886949907a9f5f46cdbe
Opcode Fuzzy Hash: c1a88bcde5809f4a508801ae06c89d20d1031a047bfb36a4ee3d644a9e08c9f9
Instruction Fuzzy Hash: 1721E7616C5345FEDF347A20C4287B83762AB12330FA9165ED5058609DC33C89E8C752

Uniqueness

Uniqueness Score: -1.00%

Function 00401BAC, Relevance: 1.5, APIs: 1, Instructions: 289
COMMONCrypto

Download Yara Rule

C-Code - Quality: 70%

			E00401BAC(signed int* __ebx, void* __ecx, void* __esi) {
				signed int* _t25;
				intOrPtr _t26;
				void* _t27;
				signed int _t47;
				signed int _t53;
				signed int _t58;
				signed int _t59;
				signed int _t66;

				_t25 = __ebx;
				_t47 = __ecx + 1;
				_t66 = _t47;
				if(_t66 == 0) {
					if(__eflags < 0) {
						asm("les edi, [esi]");
						L32:
						_pop(ss);
						_pop(ss);
						L33:
						_pop(ss);
						_pop(ss);
						L34:
						_pop(ss);
						L35:
						_pop(ss);
						L36:
						_pop(ss);
						L37:
						_pop(ss);
						L38:
						_pop(ss);
						L39:
						_pop(ss);
						L40:
						_pop(ss);
						L41:
						_pop(ss);
						_pop(ss);
						_pop(ss);
						L42:
						_t26 =  *((intOrPtr*)(_t25 + _t53));
						goto L43;
						asm("rcl byte [eax-0x140076b5], 1");
						_t27 = _t26 - 1;
						asm("invalid");
						_push(es);
						 *_t47 =  *_t47 >> _t47;
					}
					L13:
					if(__eflags < 0) {
						goto L32;
					}
					L14:
					if(__eflags < 0) {
						goto L33;
					}
					L15:
					if (__eflags < 0) goto L34;
					L16:
					if(__eflags < 0) {
						goto L34;
					}
					L17:
					if(__eflags < 0) {
						goto L35;
					}
					if(__eflags < 0) {
						goto L36;
					}
					if(__eflags < 0) {
						goto L37;
					}
					if(__eflags < 0) {
						goto L38;
					}
					if(__eflags < 0) {
						goto L39;
					}
					if(__eflags < 0) {
						goto L40;
					}
					if(__eflags < 0) {
						goto L41;
					}
					L24:
					_t58 = _t53 ^ 0x000000e0;
					asm("repne loopne 0x3");
					 *0x7474740c = 0x7474740c +  *0x7474740c;
					_t59 = _t58 - 0xd50;
					asm("rol byte [ecx+0x887f2], cl");
					 *((intOrPtr*)(_t47 - 0x14367637)) =  *((intOrPtr*)(_t47 - 0x14367637)) + _t47;
					asm("sbb [edx+0x577c9b43], ah");
					_t53 = _t59 ^ 0x00001e46;
					asm("fnop");
					goto L42;
				}
				if(_t66 == 0) {
					goto L13;
				}
				if(_t66 == 0) {
					goto L14;
				}
				if (_t66 == 0) goto L15;
				if(_t66 == 0) {
					goto L15;
				}
				if(_t66 == 0) {
					goto L16;
				}
				if(_t66 == 0) {
					goto L17;
				}
				 *(__ebx + 0x1d + _t47 * 4) =  *(__ebx + 0x1d + _t47 * 4) << _t47;
				 *0x7474740c =  *0x7474740c ^ 0x7474740c;
				 *0x7474740c = 0x7474740c +  *0x7474740c;
				_t25 = __ebx[2];
				_t47 =  *_t25;
				_t53 = 0x14f1;
				goto L24;
			}

0x00401bac
0x00401bac
0x00401bac
0x00401bb2
0x00401c28
0x00401c9a
0x00401c9c
0x00401c9c
0x00401c9d
0x00401c9e
0x00401c9e
0x00401c9f
0x00401ca0
0x00401ca0
0x00401ca1
0x00401ca1
0x00401ca2
0x00401ca2
0x00401ca3
0x00401ca3
0x00401ca4
0x00401ca4
0x00401ca5
0x00401ca5
0x00401ca6
0x00401ca6
0x00401ca7
0x00401ca7
0x00401ca8
0x00401ca9
0x00401cac
0x00401cac
0x00401cb3
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb
0x00401cdd
0x00401c2a
0x00401c2a
0x00000000
0x00000000
0x00401c2c
0x00401c2c
0x00000000
0x00000000
0x00401c2e
0x00401c2e
0x00401c2f
0x00401c2f
0x00000000
0x00000000
0x00401c30
0x00401c30
0x00000000
0x00000000
0x00401c31
0x00000000
0x00000000
0x00401c32
0x00000000
0x00000000
0x00401c33
0x00000000
0x00000000
0x00401c34
0x00000000
0x00000000
0x00401c35
0x00000000
0x00000000
0x00401c36
0x00000000
0x00000000
0x00401c37
0x00401c37
0x00401c38
0x00401c3b
0x00401c41
0x00401c65
0x00401c6b
0x00401c71
0x00401c8a
0x00401c90
0x00000000
0x00401c96
0x00401bb4
0x00000000
0x00000000
0x00401bb6
0x00000000
0x00000000
0x00401bb8
0x00401bb9
0x00000000
0x00000000
0x00401bba
0x00000000
0x00000000
0x00401bbb
0x00000000
0x00000000
0x00401bbd
0x00401bc1
0x00401bc3
0x00401beb
0x00401bf2
0x00401c16
0x00000000

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d240f8b7c779cd07f85b4d38c5dc59ebfd3f0e3d7fef711d8fa830c1b700b921
Instruction ID: 7d7650872476fde92d07dff82789ba36a43a786c5f61cdbad5cc2682ec75793f
Opcode Fuzzy Hash: d240f8b7c779cd07f85b4d38c5dc59ebfd3f0e3d7fef711d8fa830c1b700b921
Instruction Fuzzy Hash: 6161BD3674C6018BE31C8829A4D45F6228397C9322A38D43B950AFB7F5DD7CCC4B928E

Uniqueness

Uniqueness Score: -1.00%

Function 00786526, Relevance: 1.5, APIs: 1, Instructions: 32nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 0078655B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 182e98d46df4053053ded380ae0594e70f41ce4104b83233a4ad00d447563c92
Instruction ID: 3bb4e1d70ba6fc48689e685eb393667ee0c6d62b84cf773bf05a68e40ed08cb6
Opcode Fuzzy Hash: 182e98d46df4053053ded380ae0594e70f41ce4104b83233a4ad00d447563c92
Instruction Fuzzy Hash: 2CF0E5618C8641FD9F2AFD38D66E2ACB6229EC1710B28061DD9828740CD23D8534C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00785E37, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00785A83,00000040), ref: 00785E50

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00401B7C, Relevance: 1.5, APIs: 1, Instructions: 208
memoryCOMMON

Download Yara Rule

C-Code - Quality: 39%

			E00401B7C(signed char __eax, void* __ebx, signed int __ecx, void* __esi) {
				signed char _t17;
				void* _t25;
				signed char* _t26;
				signed char _t27;
				void* _t28;
				signed int _t47;
				signed char _t48;

				_t47 = __ecx;
				_t25 = __ebx;
				_t17 = __eax;
				_push(cs);
				_push(cs);
				_push(cs);
				_push(cs);
				_push(cs);
				_push(cs);
				while(1) {
					_t47 = _t47 - 1;
					asm("fnop");
					asm("lfence");
					asm("fnop");
					if(_t47 != 0x1efffffa) {
						asm("emms");
						continue;
					}
					 *(_t25 + 0x1d + _t47 * 4) =  *(_t25 + 0x1d + _t47 * 4) << _t47;
					 *_t17 =  *_t17 ^ _t17;
					 *_t17 =  *_t17 + _t17;
					_t26 =  *(_t25 + 8);
					_t48 =  *_t26;
					asm("repne loopne 0x3");
					 *_t17 =  *_t17 + _t17;
					asm("rol byte [ecx+0x887f2], cl");
					 *((intOrPtr*)(_t48 - 0x14367637)) =  *((intOrPtr*)(_t48 - 0x14367637)) + _t48;
					asm("sbb [edx+0x577c9b43], ah");
					asm("fnop");
					_t27 = _t26[0x14f1];
					goto L19;
					asm("rcl byte [eax-0x140076b5], 1");
					_t28 = _t27 - 1;
					asm("invalid");
					_push(es);
					 *_t48 =  *_t48 >> _t48;
				}
			}

0x00401b7c
0x00401b7c
0x00401b7c
0x00401b81
0x00401b82
0x00401b83
0x00401b84
0x00401b85
0x00401b86
0x00401b87
0x00401b89
0x00401b8a
0x00401b98
0x00401b9b
0x00401ba5
0x00401b76
0x00000000
0x00401b76
0x00401bbd
0x00401bc1
0x00401bc3
0x00401beb
0x00401bf2
0x00401c38
0x00401c3b
0x00401c65
0x00401c6b
0x00401c71
0x00401c90
0x00401cac
0x00401cb3
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb
0x00401cdd

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1c0a94ddd42f2e5095a9f093a3eb71a3ec92937c145fc0d07489b65603433597
Instruction ID: f0b3a7f984de25b61aec3f564888135f8616d2b34c5343f76e64712a38022713
Opcode Fuzzy Hash: 1c0a94ddd42f2e5095a9f093a3eb71a3ec92937c145fc0d07489b65603433597
Instruction Fuzzy Hash: F251633075D7028FD71C886998E0576608797D9310B38D13EAA1AEB7E9ED7CCC07624E

Uniqueness

Uniqueness Score: -1.00%

Function 00401B90, Relevance: 1.4, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c9f3fd619a430abaa3e7132d6304484aa629f52e62f1411b30c0ac237e603ba
Instruction ID: 5afbaed3de13dd5ff98a60fedfddce3a25bbeddedc7e06d70adfc8e199e22724
Opcode Fuzzy Hash: 9c9f3fd619a430abaa3e7132d6304484aa629f52e62f1411b30c0ac237e603ba
Instruction Fuzzy Hash: 0251623175D7028BD71C886998E0576608397D9310B38D13EA61AEB7E9DD7CCC07A24E

Uniqueness

Uniqueness Score: -1.00%

Function 00401BF8, Relevance: 1.4, APIs: 1, Instructions: 190
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 33%

			E00401BF8(signed int __eax, void* __ebx, signed char __ecx, void* __esi) {
				signed char _t20;
				intOrPtr _t29;
				void* _t30;
				signed char _t49;

				_t49 = __ecx;
				asm("les eax, [ebx]");
				asm("into");
				_t20 = __eax ^ 0x0000000c | 0xc;
				asm("repne loopne 0x3");
				 *_t20 =  *_t20 + _t20;
				asm("rol byte [ecx+0x887f2], cl");
				 *((intOrPtr*)(__ecx - 0x14367637)) =  *((intOrPtr*)(__ecx - 0x14367637)) + __ecx;
				asm("sbb [edx+0x577c9b43], ah");
				asm("fnop");
				_t29 =  *((intOrPtr*)(__ebx + 0x14f1));
				goto L10;
				asm("rcl byte [eax-0x140076b5], 1");
				_t30 = _t29 - 1;
				asm("invalid");
				_push(es);
				 *_t49 =  *_t49 >> _t49;
			}

0x00401bf8
0x00401bf8
0x00401bfa
0x00401c0d
0x00401c38
0x00401c3b
0x00401c65
0x00401c6b
0x00401c71
0x00401c90
0x00401cac
0x00401cb3
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 610f3773a18c7cb4da11e4dd89cd6d98b3bf374c06f2cc61d0a387c6f84bf8c2
Instruction ID: f133384d0768423471818cfbea6ba46df88be2839f1420b6e4637e1742bfc70c
Opcode Fuzzy Hash: 610f3773a18c7cb4da11e4dd89cd6d98b3bf374c06f2cc61d0a387c6f84bf8c2
Instruction Fuzzy Hash: 8E41613075D3428BE71C886998D45775087A7DA310B38D03EAA0AEB3E9DD7CCC07624E

Uniqueness

Uniqueness Score: -1.00%

Function 0040EBB6, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040EBB6(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a28, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v40;
				void* _v56;
				intOrPtr _v60;
				char _v64;
				signed int _v68;
				intOrPtr _v76;
				char _v84;
				signed int _v108;
				char _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				void* _v152;
				signed int _v156;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				short _t58;
				short _t59;
				char* _t63;
				signed int _t67;
				intOrPtr _t97;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t97;
				L00401380();
				_v12 = _t97;
				_v8 = 0x401300;
				L004014C4();
				L004014CA();
				L004014C4();
				_push(L"Bombeflyet");
				_push(L"Sporuliferous");
				_push( &_v84); // executed
				L0040142E(); // executed
				_v108 = _v108 & 0x00000000;
				_v116 = 0x8008;
				_push( &_v84);
				_t58 =  &_v116;
				_push(_t58);
				L00401482();
				_v152 = _t58;
				L00401500();
				_t59 = _v152;
				if(_t59 != 0) {
					if( *0x410010 != 0) {
						_v168 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x408e78);
						L004014F4();
						_v168 = 0x410010;
					}
					_t63 =  &_v64;
					L004014FA();
					_v152 = _t63;
					_t67 =  *((intOrPtr*)( *_v152 + 0x178))(_v152,  &_v68, _t63,  *((intOrPtr*)( *((intOrPtr*)( *_v168)) + 0x30c))( *_v168));
					asm("fclex");
					_v156 = _t67;
					if(_v156 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x178);
						_push(0x4097ec);
						_push(_v152);
						_push(_v156);
						L004014EE();
						_v172 = _t67;
					}
					_v164 = _v68;
					_v68 = _v68 & 0x00000000;
					_v76 = _v164;
					_v84 = 9;
					_v124 = 0x77e4c5;
					_v132 = 3;
					_push(0x10);
					L00401380();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t59 = 0x10;
					L00401380();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"df5wmyiN1lSqhs111");
					_push(_v60);
					L00401428();
					L004014AC();
					L00401500();
				}
				_push(0x40edb5);
				L004014BE();
				L00401500();
				L00401500();
				L004014AC();
				return _t59;
			}

0x0040ebbb
0x0040ebc6
0x0040ebc7
0x0040ebd3
0x0040ebdb
0x0040ebde
0x0040ebeb
0x0040ebf6
0x0040ec01
0x0040ec06
0x0040ec0b
0x0040ec13
0x0040ec14
0x0040ec19
0x0040ec1d
0x0040ec27
0x0040ec28
0x0040ec2b
0x0040ec2c
0x0040ec31
0x0040ec3b
0x0040ec40
0x0040ec49
0x0040ec56
0x0040ec73
0x0040ec58
0x0040ec58
0x0040ec5d
0x0040ec62
0x0040ec67
0x0040ec67
0x0040ec97
0x0040ec9b
0x0040eca0
0x0040ecb8
0x0040ecbe
0x0040ecc0
0x0040eccd
0x0040ecf2
0x0040eccf
0x0040eccf
0x0040ecd4
0x0040ecd9
0x0040ecdf
0x0040ece5
0x0040ecea
0x0040ecea
0x0040ecfc
0x0040ed02
0x0040ed0c
0x0040ed0f
0x0040ed16
0x0040ed1d
0x0040ed24
0x0040ed27
0x0040ed31
0x0040ed32
0x0040ed33
0x0040ed34
0x0040ed37
0x0040ed38
0x0040ed42
0x0040ed43
0x0040ed44
0x0040ed45
0x0040ed46
0x0040ed48
0x0040ed4d
0x0040ed50
0x0040ed5b
0x0040ed63
0x0040ed63
0x0040ed68
0x0040ed97
0x0040ed9f
0x0040eda7
0x0040edaf
0x0040edb4

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040EBD3
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040EBEB
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040EBF6
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040EC01
#692.MSVBVM60(?,Sporuliferous,Bombeflyet,?,?,?,?,00401386), ref: 0040EC14
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040EC2C
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0040EC3B
__vbaNew2.MSVBVM60(00408E78,00410010,00008008,?), ref: 0040EC62
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0040EC9B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097EC,00000178,?,?,?,?,?,?,?,?,?,?,?,00008008), ref: 0040ECE5
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0040ED27
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0040ED38
__vbaLateMemCall.MSVBVM60(?,df5wmyiN1lSqhs111,00000002,?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0040ED50
__vbaFreeObj.MSVBVM60 ref: 0040ED5B
__vbaFreeVar.MSVBVM60 ref: 0040ED63
__vbaFreeStr.MSVBVM60(0040EDB5,00008008,?), ref: 0040ED97
__vbaFreeVar.MSVBVM60(0040EDB5,00008008,?), ref: 0040ED9F
__vbaFreeVar.MSVBVM60(0040EDB5,00008008,?), ref: 0040EDA7
__vbaFreeObj.MSVBVM60(0040EDB5,00008008,?), ref: 0040EDAF

Strings

df5wmyiN1lSqhs111, xrefs: 0040ED48
Bombeflyet, xrefs: 0040EC06
Sporuliferous, xrefs: 0040EC0B

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$#692CallCheckCopyHresultLateNew2
String ID: Bombeflyet$Sporuliferous$df5wmyiN1lSqhs111
API String ID: 4164985210-3113689884
Opcode ID: 1e6d906f84e36465f1ec5e9fae0cd54defffc53665ee8f5ed603ca44f98ad853
Instruction ID: b39aa78b732d2479a4d31e2bfb0f1645793c05e16ccdfc743a1725e7acf6af76
Opcode Fuzzy Hash: 1e6d906f84e36465f1ec5e9fae0cd54defffc53665ee8f5ed603ca44f98ad853
Instruction Fuzzy Hash: B8513B70900218ABDB10DFA5CC86BDEB7B4BF05308F10456AF5097B2E2DBB95A85CF55

Uniqueness

Uniqueness Score: -1.00%

Function 007832C2, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

jjjj, xrefs: 007832B1
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$jjjj
API String ID: 2994545307-1121625262
Opcode ID: a15c0ee42be8038ab3b603e8f3b8172102cfc088ac202e0809ddb29cceb606ed
Instruction ID: 0a9dfbfd72f2c529f437aca5f8e4df459e681fcbdabc7e7f000e42d3851834a4
Opcode Fuzzy Hash: a15c0ee42be8038ab3b603e8f3b8172102cfc088ac202e0809ddb29cceb606ed
Instruction Fuzzy Hash: A0512731688386DBDB35AF2CCD55BEA3F61FF02B00F24841DE9899A142D7789A40D761

Uniqueness

Uniqueness Score: -1.00%

Function 00783192, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

wininet.dll, xrefs: 00783A5A
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$wininet.dll
API String ID: 2994545307-2860968620
Opcode ID: 57e0cfa3688c4b6fbd7f211d99071c7b202d152b2cd6973ad9eefd22fd818b99
Instruction ID: 43f8e3660b765a2fdea3298390ce9f421ff87e39528c8426d4e65707ecf08772
Opcode Fuzzy Hash: 57e0cfa3688c4b6fbd7f211d99071c7b202d152b2cd6973ad9eefd22fd818b99
Instruction Fuzzy Hash: 0D31577164A3C6DAC731FF3885687DA3F61AF42710F64809DE8C24B146D7798A02D797

Uniqueness

Uniqueness Score: -1.00%

Function 007831CE, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 108libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

wininet.dll, xrefs: 00783A5A
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko$wininet.dll
API String ID: 2994545307-2860968620
Opcode ID: 83ce5571fcad723c77a00ef202af7d75d5a3207dea6aacebbd27380271510027
Instruction ID: fd55afee6712145b61f4f8d7463cb2149ce51a6fed18e35fd041df518652239b
Opcode Fuzzy Hash: 83ce5571fcad723c77a00ef202af7d75d5a3207dea6aacebbd27380271510027
Instruction Fuzzy Hash: 4031773158A386DACB35FF7885597DA3F21BF52B10F68805DE8C24B146C6789B02C797

Uniqueness

Uniqueness Score: -1.00%

Function 007830C2, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 0-3478744561
Opcode ID: 87b5ed6060dac521cc3194ab7f91c8a311cf642de2c273c059f88417bb771e17
Instruction ID: b9733d9d4f9e1243f49fe35e5a7e3576eb36637fe7f5f6b190347fefa9a5eb72
Opcode Fuzzy Hash: 87b5ed6060dac521cc3194ab7f91c8a311cf642de2c273c059f88417bb771e17
Instruction Fuzzy Hash: C4414B31A85385CECB35FF3886597DA3F61AF53B10F64806DD8828B146D7B88A01D792

Uniqueness

Uniqueness Score: -1.00%

Function 007832E8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 131libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2994545307-3478744561
Opcode ID: 530156071360fe4a72bcad8335acd2b434870403e0935c198caa39298e16f76e
Instruction ID: 752e4ac014b2590693c9b1d7fab39459380cdbafd5667dd1acfde495fd842d89
Opcode Fuzzy Hash: 530156071360fe4a72bcad8335acd2b434870403e0935c198caa39298e16f76e
Instruction Fuzzy Hash: 914148312883C6EBD731BF3CCD567EA3FA5AF02700F188459E9898A452D7789B40D762

Uniqueness

Uniqueness Score: -1.00%

Function 0040152C, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401531

Strings

VB5!6&*, xrefs: 0040152C

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: bb00983b61f8e18a2aeaa5668a6f0c4e5c2472a85428e762dbedd3e0d28788be
Instruction ID: c03713d3a7154865992e1effdc6917bed9dcf77df6b1bf37c375250f96a27bf2
Opcode Fuzzy Hash: bb00983b61f8e18a2aeaa5668a6f0c4e5c2472a85428e762dbedd3e0d28788be
Instruction Fuzzy Hash: 234164A684E7C05FC3134B705C666A53FB4AE63225B1A46EBD4D1CF4E3E21C180AD763

Uniqueness

Uniqueness Score: -1.00%

Function 0078327A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 98libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2994545307-3478744561
Opcode ID: e4b5deca4904a8cccc723be6fb10ec8401cc2fb6fb98dc629616f9c9e2c06a74
Instruction ID: 73b83680f33aeaf6b9af26764b996dfae83242c1d8b50c9d9d6a77115a4271d9
Opcode Fuzzy Hash: e4b5deca4904a8cccc723be6fb10ec8401cc2fb6fb98dc629616f9c9e2c06a74
Instruction Fuzzy Hash: 6C31483164A386CBC735FF38866A7DA3F61BF53710F68809CD4C25B146D6789A01C792

Uniqueness

Uniqueness Score: -1.00%

Function 00783236, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2994545307-3478744561
Opcode ID: a339ebc4e45c98f1cd0eb255ccb29eaf0307dbe501255905959f336c78023e89
Instruction ID: bf31aac887413dc3d3d7f18166e831910a6efdaa9402d8b3ce25402034fc1dea
Opcode Fuzzy Hash: a339ebc4e45c98f1cd0eb255ccb29eaf0307dbe501255905959f336c78023e89
Instruction Fuzzy Hash: 4531893168A386CACB35FF3885697DA3F61BF52710F64815DD8C24F246D6788A01D792

Uniqueness

Uniqueness Score: -1.00%

Function 007839C9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL ref: 00783A75

Strings

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko, xrefs: 00783A10

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
API String ID: 2994545307-3478744561
Opcode ID: 7c283666f7a843e8b60b609bec9716cd283743017f0b72417d6d47e264b4dc3d
Instruction ID: e22d362005b2974fefd25ddfa297d1d3336e903a03a0ad678e5cc41862eb11e7
Opcode Fuzzy Hash: 7c283666f7a843e8b60b609bec9716cd283743017f0b72417d6d47e264b4dc3d
Instruction Fuzzy Hash: CE118872A8E7D1AAC3276B3445AA153BF60BE53610719C0CDC4C10A163C6999A12D792

Uniqueness

Uniqueness Score: -1.00%

Function 00783189, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

wininet.dll, xrefs: 00783A5A

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: wininet.dll
API String ID: 2994545307-3354682871
Opcode ID: e94f447f52e1fc1e26766551ec9b7a765d0cb0f5e6e5728721a990cd5fe296ec
Instruction ID: ef74348de1e1ec0001b77c6666dc5487aff3115392d59c90ac4b8cd3f048407b
Opcode Fuzzy Hash: e94f447f52e1fc1e26766551ec9b7a765d0cb0f5e6e5728721a990cd5fe296ec
Instruction Fuzzy Hash: 87D02B62A8168449E2043599014D75737144750B12B58D00A78C283116CE199B06B753

Uniqueness

Uniqueness Score: -1.00%

Function 0078220B, Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5550fa30a242aa625e0a836cf3bf8baf9770d7c8d06739a40a2f1acec707ed56
Instruction ID: d076a98c82abd04d26d95a1562151751547a6aacf4ff4ee99a3a6ce757fce0fc
Opcode Fuzzy Hash: 5550fa30a242aa625e0a836cf3bf8baf9770d7c8d06739a40a2f1acec707ed56
Instruction Fuzzy Hash: F84138B06C4302DFE7147F24C989BAA3665BF147A5F304169FC92870A2D7BCC9819B62

Uniqueness

Uniqueness Score: -1.00%

Function 00784BC2, Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c32ff045de977a155ac185cdb691270894eeca5910ff4bbb2767e467f87fe70
Instruction ID: 22ba88a318e49f9425c5343a511e53cb8c3d5c10ad261ccf6ae9696aa4efca12
Opcode Fuzzy Hash: 9c32ff045de977a155ac185cdb691270894eeca5910ff4bbb2767e467f87fe70
Instruction Fuzzy Hash: 493156756CA113CBCB14FF2085207FA3BA4AF21754FB54269EE8717140D3ECAE01A7A4

Uniqueness

Uniqueness Score: -1.00%

Function 00780B1C, Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 02b8407611385a959eccfbbcc0feea31c7909c2b1db32c27114cf124762b882c
Instruction ID: f96375c923e26ef703ea9db214d32677da12f8532e7d2bbdc17fc92d23555eab
Opcode Fuzzy Hash: 02b8407611385a959eccfbbcc0feea31c7909c2b1db32c27114cf124762b882c
Instruction Fuzzy Hash: 2F215A616C9385DDFBB13A384D5A7E92E518F03364F6881A5DD518B1C7C6AC890DC3D1

Uniqueness

Uniqueness Score: -1.00%

Function 00780B7A, Relevance: 1.6, APIs: 1, Instructions: 96COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: af88545a3044bf90beca26074b223d1635263d5b684a6c7795a963df4d1bb982
Instruction ID: 3f319adfbde2817287519f4c948daab6cb5fbba9e00f32a95a85c136cf28430d
Opcode Fuzzy Hash: af88545a3044bf90beca26074b223d1635263d5b684a6c7795a963df4d1bb982
Instruction Fuzzy Hash: 5D218AA0AC8685C9FBB17A744C457D57F909F03364F3802A69C91CA0E3D66C890EC3D1

Uniqueness

Uniqueness Score: -1.00%

Function 00780B3A, Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a9843ac8bb477889204d7163d7d8554ce230579a5e9d19a9e5dc1d5b0e5ad633
Instruction ID: fc2b84c005fa24245fced339f55439ccdcce48f3091e172a9b2df8532b4a3ddb
Opcode Fuzzy Hash: a9843ac8bb477889204d7163d7d8554ce230579a5e9d19a9e5dc1d5b0e5ad633
Instruction Fuzzy Hash: C4117AB0BC8246CDFFB035745D4D7E82E818F02364F288266DE254A0C3D5AC444E87D1

Uniqueness

Uniqueness Score: -1.00%

Function 00780C0E, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: 0db18e433812c7d0737e7051c0eb66ffc4708004efc088088d36059a3067a2ff
Instruction ID: 89ce7d319db9c50e7970f1aeec27119502977ae9fb8126f3a62e13884713afbc
Opcode Fuzzy Hash: 0db18e433812c7d0737e7051c0eb66ffc4708004efc088088d36059a3067a2ff
Instruction Fuzzy Hash: 5801F59119A2C59DEB732B345C157D93F609F03368F2816C798D1CE0F3D6198A4AC392

Uniqueness

Uniqueness Score: -1.00%

Function 00784B3F, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ce7ce5ad2c9aaa7084182a6251877891a3bb52ab68c5d2f9c0b45c4e28326a4
Instruction ID: c229c3eeb944a9b1774218e79b4ddc791404c16c1efa3f1a2633c6d8428cff1c
Opcode Fuzzy Hash: 7ce7ce5ad2c9aaa7084182a6251877891a3bb52ab68c5d2f9c0b45c4e28326a4
Instruction Fuzzy Hash: 47F0F0E46CA203CADB203A655A5A7FC1D198F6038CFA0417ABC82C7402D2CCC9446793

Uniqueness

Uniqueness Score: -1.00%

Function 007842AA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(007804EA,80000000,00000001,00000000,00000003,00000000,00000000,00784217,007843AA,007804EA), ref: 00784357

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 73daa48235be72bd4a53868966f6fdfa768a10128eea682c0e34033b11712d87
Instruction ID: bf01fa4b942cfd16c874aa3831e12e3ff9e0a2814edefec558a2eea27a78c55a
Opcode Fuzzy Hash: 73daa48235be72bd4a53868966f6fdfa768a10128eea682c0e34033b11712d87
Instruction Fuzzy Hash: 71F0F626ADC143D5DF34753C0AC77A4BA50B362700FA8027A7A416688AD1DD4150C3C7

Uniqueness

Uniqueness Score: -1.00%

Function 00780BCF, Relevance: 1.5, APIs: 1, Instructions: 36COMMON

Download Yara Rule

APIs

TerminateProcess.KERNELBASE(000000FF,00000000), ref: 00782DC6

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: ProcessTerminate
String ID:
API String ID: 560597551-0
Opcode ID: a5de55eae84701ef7d37bd2436fbe1c9675c8a55ac95594ad3e8f63ea762548f
Instruction ID: 7a511824fca64a2d512ed4c6e73d5922741ab7eb895779e8390107bc3a08f6bd
Opcode Fuzzy Hash: a5de55eae84701ef7d37bd2436fbe1c9675c8a55ac95594ad3e8f63ea762548f
Instruction Fuzzy Hash: BFF0275068A2C59EE76227284C047993F60EF03729F381A8394D6CE5F3D518C84BC3A3

Uniqueness

Uniqueness Score: -1.00%

Function 00784B72, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 80add25eca7a5356154dac6f28fb411a633c091d42dddceba31fcad3a9fc5be0
Instruction ID: 4a8e6a294c5d9ea38e44385238f8508ac706b5ad2601b72b1b3db8369bc0473c
Opcode Fuzzy Hash: 80add25eca7a5356154dac6f28fb411a633c091d42dddceba31fcad3a9fc5be0
Instruction Fuzzy Hash: B7F055B82CA303CA8B043AB2525A3ED2E198C60708FE001B9AC878700092DC860427A2

Uniqueness

Uniqueness Score: -1.00%

Function 00784BDA, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 45e358dfd4265c58c2cff9c796bd2eb5a1fd2b04edcca641c632f56897d15260
Instruction ID: 201b347dd0ef14a4d31c27906f6f7582538a81fc6856991b35aecdcb266a77f2
Opcode Fuzzy Hash: 45e358dfd4265c58c2cff9c796bd2eb5a1fd2b04edcca641c632f56897d15260
Instruction Fuzzy Hash: 67E022E85CA107C68B247AB5568A3F82E194C64748BE441BAAC878700192ECC6406BE2

Uniqueness

Uniqueness Score: -1.00%

Function 00784B86, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b13415208e7801b7e1e0cb7d11b91bcd85640417c6f010a9f7af154f812d87d5
Instruction ID: a894a1f12ef599aa45af351c2b9fdf4f4b71b044b100adaf3101de080a65afcd
Opcode Fuzzy Hash: b13415208e7801b7e1e0cb7d11b91bcd85640417c6f010a9f7af154f812d87d5
Instruction Fuzzy Hash: 25E022E8ACA203CA8B143A75565A3F82E198C64748FF441BAAC838700192DCC6406BE2

Uniqueness

Uniqueness Score: -1.00%

Function 0078052E, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00780562,?,00000000), ref: 0078054B

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: d80876ad75ede2d83a455fe74426862304b0c82d16a96cc6056e8ab06324c9cc
Instruction ID: b4ad2d131d14a1624d79af945e2f2f307bb1e6a5a650df2655de89aa5e8d30f6
Opcode Fuzzy Hash: d80876ad75ede2d83a455fe74426862304b0c82d16a96cc6056e8ab06324c9cc
Instruction Fuzzy Hash: 62F0E5301C4240CFD780FA389C6AFE977A5AFC6320F644578E858C71A1C56945AACFE0

Uniqueness

Uniqueness Score: -1.00%

Function 00784B06, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00784C03

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 68bc1aa8ff1ea6ea3942158116b7d493c6f2f6264c5ad2094780fc9985d7666a
Instruction ID: f0353f7d49a410faff58c217e23429ff21b28e04726fddc1c266ed38570def2b
Opcode Fuzzy Hash: 68bc1aa8ff1ea6ea3942158116b7d493c6f2f6264c5ad2094780fc9985d7666a
Instruction Fuzzy Hash: 2DE0C2D86CB253CAEB103A719A083FA096E4F647D5FB0402A7C4B83041A2CCCA806773

Uniqueness

Uniqueness Score: -1.00%

Function 007842DA, Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(007804EA,80000000,00000001,00000000,00000003,00000000,00000000,00784217,007843AA,007804EA), ref: 00784357

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 27620ca41072042a9fefc89b7b51eea4d9f91ffc1e8b112e550c02eb420d3024
Instruction ID: cf9fe41b0925da17065e2c59c1ce07d91b17a5858d9a3273f70bce977eae84b8
Opcode Fuzzy Hash: 27620ca41072042a9fefc89b7b51eea4d9f91ffc1e8b112e550c02eb420d3024
Instruction Fuzzy Hash: 88D05E30BD8303F9EE3862001D9AFB52182AB60B01F76411A7F06384C5E2E41580E313

Uniqueness

Uniqueness Score: -1.00%

Function 0078430A, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(007804EA,80000000,00000001,00000000,00000003,00000000,00000000,00784217,007843AA,007804EA), ref: 00784357

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 852703033fa6481e23d5fb919b091a76aa6d540ff82f3c0f03cceab6f4b773f0
Instruction ID: 0a6227a216bb9a037464f9b6bc7d6cdd2797529781cc95750cc5810dbe4cf425
Opcode Fuzzy Hash: 852703033fa6481e23d5fb919b091a76aa6d540ff82f3c0f03cceab6f4b773f0
Instruction Fuzzy Hash: A3D080306E4303EDFE3466144C49FFD2192D760701F764116FA0579445D1F51080D711

Uniqueness

Uniqueness Score: -1.00%

Function 00401C4B, Relevance: 1.5, APIs: 1, Instructions: 234
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E00401C4B(signed int __ebx, signed int __ecx, signed int __edx, void* __esi) {
				void* _t14;
				void* _t15;
				signed int _t24;
				signed int _t43;
				void* _t56;
				void* _t57;
				signed int _t60;

				_t49 = __edx;
				_t43 = __ecx;
				_t24 = __ebx;
				_t57 = _t56 + 1;
				_t15 = _t14;
				asm("out dx, al");
				_t1 = _t15 + 0x78;
				 *_t1 =  *(_t15 + 0x78) | __ebx;
				_t60 =  *_t1;
				if(_t60 < 0) {
					L17:
					asm("fnop");
					L18:
					asm("rcl byte [eax-0x140076b5], 1");
					L19:
					_t24 = _t24 - 1;
					L20:
					asm("invalid");
					L21:
					_push(es);
					L25:
					L26:
					 *_t43 =  *_t43 >> _t43;
				}
				if(_t60 < 0) {
					goto L18;
				}
				if(_t60 < 0) {
					goto L19;
				}
				if(_t60 < 0) {
					goto L20;
				}
				if(_t60 < 0) {
					goto L21;
				}
				if(_t60 < 0) {
					asm("out 0x6f, eax");
					L23:
					_t43 = _t43 &  *(_t49 + 0x39d2898a);
					L24:
					_t43 =  *((intOrPtr*)(_t43 + 0x750b39d2));
					goto L25;
				}
				if(_t60 < 0) {
					goto L23;
				}
				if(_t60 < 0) {
					goto L24;
				}
				if(_t60 < 0) {
					goto L26;
				}
				if (_t60 < 0) goto 0x401bee;
				asm("rol byte [ecx+0x887f2], cl");
				 *((intOrPtr*)(__ecx - 0x14367637)) =  *((intOrPtr*)(__ecx - 0x14367637)) + __ecx;
				asm("sbb [edx+0x577c9b43], ah");
				_t49 = __edx ^ 0x00001e46;
				asm("fnop");
				_t24 =  *(__ebx + _t49);
				goto L17;
			}

0x00401c4b
0x00401c4b
0x00401c4b
0x00401c4b
0x00401c4c
0x00401c4d
0x00401c4e
0x00401c4e
0x00401c4e
0x00401c51
0x00401ccc
0x00401ccc
0x00401ccd
0x00401ccd
0x00401ccf
0x00401ccf
0x00401cd1
0x00401cd1
0x00401cd3
0x00401cd3
0x00000000
0x00401cdb
0x00401cdb
0x00401cdd
0x00401c53
0x00000000
0x00000000
0x00401c55
0x00000000
0x00000000
0x00401c57
0x00000000
0x00000000
0x00401c59
0x00000000
0x00000000
0x00401c5b
0x00401cd5
0x00401cd7
0x00401cd7
0x00401cd9
0x00401cd9
0x00000000
0x00401cd9
0x00401c5d
0x00000000
0x00000000
0x00401c5f
0x00000000
0x00000000
0x00401c61
0x00000000
0x00000000
0x00401c63
0x00401c65
0x00401c6b
0x00401c71
0x00401c8a
0x00401c90
0x00401cac
0x00000000

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bffef0621c46c05881bb58bcdbef06c6b8a1c3a4eaed3e5d22058c23fde09119
Instruction ID: 1b872ae5e45eb92f29d05fb691817c7894e449bab54bead513ef426a8cd050be
Opcode Fuzzy Hash: bffef0621c46c05881bb58bcdbef06c6b8a1c3a4eaed3e5d22058c23fde09119
Instruction Fuzzy Hash: FD51A23175D2428BE70C446998E46776583A7DA310B38907FAA0AEB3F5DD7CDC07A24E

Uniqueness

Uniqueness Score: -1.00%

Function 00401C1C, Relevance: 1.5, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00401C1C(intOrPtr* __eax, void* __ebx, signed char __ecx, signed int __edx, void* __esi, void* __eflags) {
				intOrPtr _t19;
				void* _t20;
				signed char _t39;
				signed int _t50;
				signed int _t51;
				void* _t54;

				_t45 = __edx;
				_t39 = __ecx;
				_t18 = __ebx;
				asm("lds esi, [eax+0x70700b52]");
				if(__eflags < 0) {
					L20:
					L21:
					L34:
					_t19 =  *((intOrPtr*)(_t18 + _t45));
					goto L35;
					asm("rcl byte [eax-0x140076b5], 1");
					_t20 = _t19 - 1;
					asm("invalid");
					_push(es);
					 *_t39 =  *_t39 >> _t39;
				}
				if(__eflags < 0) {
					goto L21;
				}
				if(__eflags < 0) {
					_t18 = __ebx + _t54;
					__eflags = _t18;
					L23:
					asm("les edi, [esi]");
					L24:
					_pop(ss);
					_pop(ss);
					L25:
					_pop(ss);
					_pop(ss);
					L26:
					_pop(ss);
					L27:
					_pop(ss);
					L28:
					_pop(ss);
					L29:
					_pop(ss);
					L30:
					_pop(ss);
					L31:
					_pop(ss);
					L32:
					_pop(ss);
					L33:
					_pop(ss);
					_pop(ss);
					_pop(ss);
					goto L34;
				}
				if(__eflags < 0) {
					goto L23;
				}
				if(__eflags < 0) {
					goto L24;
				}
				if(__eflags < 0) {
					goto L25;
				}
				if (__eflags < 0) goto L26;
				if(__eflags < 0) {
					goto L26;
				}
				if(__eflags < 0) {
					goto L27;
				}
				if(__eflags < 0) {
					goto L28;
				}
				if(__eflags < 0) {
					goto L29;
				}
				if(__eflags < 0) {
					goto L30;
				}
				if(__eflags < 0) {
					goto L31;
				}
				if(__eflags < 0) {
					goto L32;
				}
				if(__eflags < 0) {
					goto L33;
				}
				_t50 = __edx ^ 0x000000e0;
				asm("repne loopne 0x3");
				 *__eax =  *__eax + __eax;
				_t51 = _t50 - 0xd50;
				asm("rol byte [ecx+0x887f2], cl");
				 *((intOrPtr*)(__ecx - 0x14367637)) =  *((intOrPtr*)(__ecx - 0x14367637)) + __ecx;
				asm("sbb [edx+0x577c9b43], ah");
				_t45 = _t51 ^ 0x00001e46;
				asm("fnop");
				goto L20;
			}

0x00401c1c
0x00401c1c
0x00401c1c
0x00401c1c
0x00401c22
0x00000000
0x00401c96
0x00401cac
0x00401cac
0x00401cb3
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb
0x00401cdd
0x00401c24
0x00000000
0x00000000
0x00401c26
0x00401c98
0x00401c98
0x00401c9a
0x00401c9a
0x00401c9c
0x00401c9c
0x00401c9d
0x00401c9e
0x00401c9e
0x00401c9f
0x00401ca0
0x00401ca0
0x00401ca1
0x00401ca1
0x00401ca2
0x00401ca2
0x00401ca3
0x00401ca3
0x00401ca4
0x00401ca4
0x00401ca5
0x00401ca5
0x00401ca6
0x00401ca6
0x00401ca7
0x00401ca7
0x00401ca8
0x00401ca9
0x00000000
0x00401ca9
0x00401c28
0x00000000
0x00000000
0x00401c2a
0x00000000
0x00000000
0x00401c2c
0x00000000
0x00000000
0x00401c2e
0x00401c2f
0x00000000
0x00000000
0x00401c30
0x00000000
0x00000000
0x00401c31
0x00000000
0x00000000
0x00401c32
0x00000000
0x00000000
0x00401c33
0x00000000
0x00000000
0x00401c34
0x00000000
0x00000000
0x00401c35
0x00000000
0x00000000
0x00401c36
0x00000000
0x00000000
0x00401c37
0x00401c38
0x00401c3b
0x00401c41
0x00401c65
0x00401c6b
0x00401c71
0x00401c8a
0x00401c90
0x00000000

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1180986271ee1dfe8b69b20bf55314e31bbbf625e3f044f127d38476aabd0b54
Instruction ID: d50717efde17b912427cd4282cddf39786d36928c4df1589805c4199d8b201fe
Opcode Fuzzy Hash: 1180986271ee1dfe8b69b20bf55314e31bbbf625e3f044f127d38476aabd0b54
Instruction Fuzzy Hash: CD415D6179D2028BE71C487998945762183A7DA355738903FA60AFB3F9DDBCCC07634E

Uniqueness

Uniqueness Score: -1.00%

Function 00401BCB, Relevance: 1.4, APIs: 1, Instructions: 193
memoryCOMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401BCB(intOrPtr* __eax, void* __ebx, void* __edx, void* __esi) {
				signed char* _t29;
				signed char _t30;
				void* _t31;
				signed char _t50;
				signed int _t74;

				_pop(ds);
				 *((intOrPtr*)(__edx + 0x14)) =  *((intOrPtr*)(__edx + 0x14)) + __edx;
				_t74 =  *(__ebx + 0x6b) * 0x6b;
				_t29 =  *(__ebx + 8);
				_t50 =  *_t29;
				asm("repne loopne 0x3");
				 *__eax =  *__eax + __eax;
				asm("rol byte [ecx+0x887f2], cl");
				 *((intOrPtr*)(_t50 - 0x14367637)) =  *((intOrPtr*)(_t50 - 0x14367637)) + _t50;
				asm("sbb [edx+0x577c9b43], ah");
				asm("fnop");
				_t30 = _t29[0x14f1];
				goto L12;
				asm("rcl byte [eax-0x140076b5], 1");
				_t31 = _t30 - 1;
				asm("invalid");
				_push(es);
				 *_t50 =  *_t50 >> _t50;
			}

0x00401bcb
0x00401bcc
0x00401be7
0x00401beb
0x00401bf2
0x00401c38
0x00401c3b
0x00401c65
0x00401c6b
0x00401c71
0x00401c90
0x00401cac
0x00401cb3
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: da79c5b397c7db628c056a1f416697550a521d3b3640d6e0fa9da9698da5a3d1
Instruction ID: b769f965c8b5469373ddc8f50df2d4308cd7e2a8e6a24f3276da4e8666fcf8bd
Opcode Fuzzy Hash: da79c5b397c7db628c056a1f416697550a521d3b3640d6e0fa9da9698da5a3d1
Instruction Fuzzy Hash: 1441423075D7428FD71C886998E05766087A7D9310B38D03EAA1AEB3E9DD7CCC07A24E

Uniqueness

Uniqueness Score: -1.00%

Function 00401CB5, Relevance: 1.4, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00401CB5(void* __eax, void* __ebx, void* __edx, void* __esi) {
				void* _t20;
				void* _t21;
				signed char _t40;

				_t20 = __ebx;
				_push(ds);
				_t40 = ss;
				goto L2;
				asm("rcl byte [eax-0x140076b5], 1");
				_t21 = _t20 - 1;
				asm("invalid");
				_push(es);
				 *_t40 =  *_t40 >> _t40;
			}

0x00401cb5
0x00401cb5
0x00401cb6
0x00401ccb
0x00401ccd
0x00401ccf
0x00401cd1
0x00401cd3
0x00401cdb

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52d09c5a62f1bb01cc470fdb44b021e8b0d933fe63096a1bf244658c15369686
Instruction ID: e76187921de70ba5edf47e9a3a7eebf602c92bfa3bb7e7d8dee6944310ef805f
Opcode Fuzzy Hash: 52d09c5a62f1bb01cc470fdb44b021e8b0d933fe63096a1bf244658c15369686
Instruction Fuzzy Hash: 204153717496028BD70C846998E467B1187A7D9314739D03EAA0AEB3E5DE7C8C07624E

Uniqueness

Uniqueness Score: -1.00%

Function 00401D56, Relevance: 1.4, APIs: 1, Instructions: 151memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 469dcb52f5c4c116d7b31976874562ba03e30ae94117bccfd62bcd5178c42433
Instruction ID: 59e0a52674dd5535f86c21f62bf0303f56a72fdcc58250ff170954f3d5aecf69
Opcode Fuzzy Hash: 469dcb52f5c4c116d7b31976874562ba03e30ae94117bccfd62bcd5178c42433
Instruction Fuzzy Hash: 31314D3075D7028FD75C846998D067B1087A7D9315638D13EAA1EEB3E9EEBC8C07624E

Uniqueness

Uniqueness Score: -1.00%

Function 00401CE7, Relevance: 1.4, APIs: 1, Instructions: 146memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c824baa0dbe51dd183322d80830b3dcaecc180abe1959d12953fd60a4a1be5f
Instruction ID: 7a95562f1e26bce56947cc5472b51fd0e25fddde7e6d5f622120ac031e697d71
Opcode Fuzzy Hash: 0c824baa0dbe51dd183322d80830b3dcaecc180abe1959d12953fd60a4a1be5f
Instruction Fuzzy Hash: 423182607493028FD70C446998D05771087A7DA351B38D03EAA0AEB3E9ED7C8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E64, Relevance: 1.4, APIs: 1, Instructions: 131memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99d48a2c48c31eddf28e8332b0e5969a06fdeeda785edc6706dc63173e9b95e7
Instruction ID: ce0acb1810a939e7d21135bbeb151fd3db869e03148dd1ca45650664ed14434c
Opcode Fuzzy Hash: 99d48a2c48c31eddf28e8332b0e5969a06fdeeda785edc6706dc63173e9b95e7
Instruction Fuzzy Hash: 47216D307193038FD71C446D98D457B2087A3D9315638D13EAA0AEB3EADEBC8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E94, Relevance: 1.4, APIs: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e87da119251850babce54112f35ff590f093e1b43c6f82b778e06176d5847839
Instruction ID: 511213c142282c85e28b92e05e5ccea140903fd4fa90ecad11d2732e923b8ff6
Opcode Fuzzy Hash: e87da119251850babce54112f35ff590f093e1b43c6f82b778e06176d5847839
Instruction Fuzzy Hash: E721D33170D2838FC71C856854985363653A7D634273890BFA606A72FADF7D8C47978D

Uniqueness

Uniqueness Score: -1.00%

Function 00401D9E, Relevance: 1.4, APIs: 1, Instructions: 115memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4a74fe13702c32fb7a722a0faadd07612e31b31431429994463c2e710a461df0
Instruction ID: b9346ae23da023e59e29299b0f2e506c4faa4bca94c586fc92e7a6d769e67a48
Opcode Fuzzy Hash: 4a74fe13702c32fb7a722a0faadd07612e31b31431429994463c2e710a461df0
Instruction Fuzzy Hash: 7121713075D3028FD71C486998D067B1087A7D9315A38D03FAA0AEB3E9DE7C8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E1D, Relevance: 1.4, APIs: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8428a25b837c7cac5c2d4598f9f6c0ac649427496b22cbc5c1a2f75e02dd7a29
Instruction ID: 6413b328a6b04c20cc8974a7eeaa88a71443232a5b16aef09112e66e8e7de510
Opcode Fuzzy Hash: 8428a25b837c7cac5c2d4598f9f6c0ac649427496b22cbc5c1a2f75e02dd7a29
Instruction Fuzzy Hash: ED21513475D3038FD71C4469949057B2087A7D9315A38D13EBA0AEB3E9DE7C8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401DE2, Relevance: 1.4, APIs: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bf1263c66fe38c9a86c0ca6c0b750c96e455312fa82214069b8fd681060b5560
Instruction ID: e32291ddcc5138224db3756fccb990cb3e61bf857725bc81c9caaac4054a9fa0
Opcode Fuzzy Hash: bf1263c66fe38c9a86c0ca6c0b750c96e455312fa82214069b8fd681060b5560
Instruction Fuzzy Hash: 1521623471D3468FD71C486994D057B2087A7D9315638D03EAA0AEB3E9DE7C8C07A28E

Uniqueness

Uniqueness Score: -1.00%

Function 00401DC7, Relevance: 1.4, APIs: 1, Instructions: 107memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4fc7712626f8deeef7e870a32b6a738cf597a8170db25b2559f22e15dd7e3bd8
Instruction ID: 983c1e4ed42a13b6682c2854d5dc2187621e91ef1c89e7dfd57dac67e69ed733
Opcode Fuzzy Hash: 4fc7712626f8deeef7e870a32b6a738cf597a8170db25b2559f22e15dd7e3bd8
Instruction Fuzzy Hash: 1C214D7075D3028FD71C446998D467B1087A7D9315638D03FAA0AEB7EADEBC8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E0D, Relevance: 1.3, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fd666f792f09197439ff3db697dc71797b3212f14338dc12fa81d8a01786f4ba
Instruction ID: 4c06910cced42568d037c2ba2af978c69b3d44a041ebee2a3f0225b1447240e7
Opcode Fuzzy Hash: fd666f792f09197439ff3db697dc71797b3212f14338dc12fa81d8a01786f4ba
Instruction Fuzzy Hash: 50213D347593028FD71C446D98D467B1087A7D9315A38D13E7A0AEB3EADE7C8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401E41, Relevance: 1.3, APIs: 1, Instructions: 96memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2504d649acb21dff7af6239a79777899d268988f494481debe5434717cc73b3b
Instruction ID: 3a9345b7027ea138d038d0ea29ffd1712a7d8e43637d82056f68667356dc2c5d
Opcode Fuzzy Hash: 2504d649acb21dff7af6239a79777899d268988f494481debe5434717cc73b3b
Instruction Fuzzy Hash: 2E11423475D3028FD71C4469949457B2087A3D9315A38D13EBA0AEB3E9DEBC8C07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EBA, Relevance: 1.3, APIs: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fdd26f5ccedcd50a0ad5fdfe4e552573ed9e27a24af8c5d670d12f96b378661d
Instruction ID: c4f31c4a8fb08d05e61490e273068d0a4c42081a778ef855e35e21f9aefc1399
Opcode Fuzzy Hash: fdd26f5ccedcd50a0ad5fdfe4e552573ed9e27a24af8c5d670d12f96b378661d
Instruction Fuzzy Hash: 6101403075D2028FC71C44695494A3B2087A7D9315638D03EBA0AEB7E9DE7CCC07624D

Uniqueness

Uniqueness Score: -1.00%

Function 00401F02, Relevance: 1.3, APIs: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8c090c5eaee3edd83d7f608b0d5366ec4cdcf3db3ee043a2241ac6bbf330f0fd
Instruction ID: f7e256f4430211143b326b8392a1e7a4f7460dae457526be645b581ef6f095a7
Opcode Fuzzy Hash: 8c090c5eaee3edd83d7f608b0d5366ec4cdcf3db3ee043a2241ac6bbf330f0fd
Instruction Fuzzy Hash: CA011930B596028FD71C481D54946772083A7D9312A39C13EB60AEB7EADE79CC07628E

Uniqueness

Uniqueness Score: -1.00%

Function 00401EED, Relevance: 1.3, APIs: 1, Instructions: 62memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,00001B46,FFFFFE39), ref: 00401F1F

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1bd08f0c88aac7bf0280df398478e8f6d3e1d89c3c763340e109e7e68fc31b34
Instruction ID: 46ccdb1c61f01f8ef98665c100eb2073da9c584cf1ca3df6b3e7d3d2ffeb4b97
Opcode Fuzzy Hash: 1bd08f0c88aac7bf0280df398478e8f6d3e1d89c3c763340e109e7e68fc31b34
Instruction Fuzzy Hash: 7D01282471A2428FC71C481C50545772187A7D9311B78D17EB61AEB7EADEB9CC07638A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 007841A6, Relevance: 2.6, Strings: 2, Instructions: 86COMMON

Download Yara Rule

Strings

a*, xrefs: 007841D6
C:\Program Files\Qemu-ga\qemu-ga.exe, xrefs: 007843AA

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID: C:\Program Files\Qemu-ga\qemu-ga.exe$a*
API String ID: 0-1547270941
Opcode ID: c6827a66483c7f926c90c868756a4e791cfa7b2fa97c1bb05127eb3d54c03cca
Instruction ID: 794245dcc3657ad30d4383aa4b56fb84893e14b77aee5f556b346681029a80ba
Opcode Fuzzy Hash: c6827a66483c7f926c90c868756a4e791cfa7b2fa97c1bb05127eb3d54c03cca
Instruction Fuzzy Hash: 052138665C83C7CEDB21BA7085A57B52B969B37320B68426A998B82503D0DC48419792

Uniqueness

Uniqueness Score: -1.00%

Function 0078192C, Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffb574e43417d7a607866cacb699e378ad74b76f82f9bb7a2a691ac9e3014ffb
Instruction ID: d555553a62e05a8789087aef66ba29a248a1a6a170534b6c122cb04fcf0e80ce
Opcode Fuzzy Hash: ffb574e43417d7a607866cacb699e378ad74b76f82f9bb7a2a691ac9e3014ffb
Instruction Fuzzy Hash: 57D12870380706EFD714AF28CC95BD6B3A5FF05350FA58229EC9997281D778A896CB90

Uniqueness

Uniqueness Score: -1.00%

Function 00781936, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 657db0cf40634bedb2e11e393149067e0ef39683510735490dd91c6d0dcc16b4
Instruction ID: 68044f19997917a8b49c6afb93f53abec58b6295c660dd15e0aa0a1bc6b65a00
Opcode Fuzzy Hash: 657db0cf40634bedb2e11e393149067e0ef39683510735490dd91c6d0dcc16b4
Instruction Fuzzy Hash: 14A16971385702EFD714AF28CC95BD6B7A9FF05310FA48229EC9983281D778AC56CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00781972, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf1f943fd6ef15ac3e19973e3fac62abf30ebecbc9dfc8c89b6421c5a0ca94d
Instruction ID: c1fafac5ea3725a809fb6ab0dc85775b1a314e492f270a0bc87f5cfa8c62f995
Opcode Fuzzy Hash: 8bf1f943fd6ef15ac3e19973e3fac62abf30ebecbc9dfc8c89b6421c5a0ca94d
Instruction Fuzzy Hash: 11812870385702EFE718AF24CC95BD2B7A5FF05350F648229EC9983281D778B855CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00781A0D, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de52370520eba4df5773fb4a3c1fb31f64bb332d2a72b48ba014ca1d9c966bd7
Instruction ID: 9295eeb60e7e6fef4827cd97c30c1dba0dfaafd843232a1804c560511cb9ef77
Opcode Fuzzy Hash: de52370520eba4df5773fb4a3c1fb31f64bb332d2a72b48ba014ca1d9c966bd7
Instruction Fuzzy Hash: A3812B70385702EFE358AF28CD95BD6B7A9FF05310FA48229E85983281D778AC55CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 007819AE, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3edf009253924ae138a34fc6591f3e91f35a143bafa2fcabc38b84603b307e1
Instruction ID: 03d5abc6cb3d6fe9ebce11b9141a6446b98d149cfdb3426819e2baac0f161c3e
Opcode Fuzzy Hash: b3edf009253924ae138a34fc6591f3e91f35a143bafa2fcabc38b84603b307e1
Instruction Fuzzy Hash: FF811870385706EFE318AF28CD95BD2B3A9FF05350F648229E89983281D778BC55CB91

Uniqueness

Uniqueness Score: -1.00%

Function 00781A83, Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f1d45cabedb7c6ba7c6a228dc3e24467020e22f2c4e3f15a0e66593b689175
Instruction ID: 335267dabfb09e9cdbaa0bf6adaba8178daa1265c177d9e07f332e0048bdcfaf
Opcode Fuzzy Hash: 48f1d45cabedb7c6ba7c6a228dc3e24467020e22f2c4e3f15a0e66593b689175
Instruction Fuzzy Hash: ED712771385702EFD315AF38CC95BD5B7A9FF01310F648229E89987281D768AC96C791

Uniqueness

Uniqueness Score: -1.00%

Function 00781A1A, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 059fecb39de349717d254b3309bb4e412a30c3a4db107cfb01788cd1b1b542b4
Instruction ID: cc9fc346a45d2849c2dba44a4545992cbe91ce863ddd918377b7005aec4b35c3
Opcode Fuzzy Hash: 059fecb39de349717d254b3309bb4e412a30c3a4db107cfb01788cd1b1b542b4
Instruction Fuzzy Hash: AB713C71384706EFD318AF28CC95BD2B7A9FF05310FA48229E89983281D7786C95CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 00781B20, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762bf10d29571da28622552dcaf60046ec15a46d1424f4748608a0d140f163c3
Instruction ID: da2523995270310b64f1d5c5efff398af2890cb17af902b7cfea7957558845fb
Opcode Fuzzy Hash: 762bf10d29571da28622552dcaf60046ec15a46d1424f4748608a0d140f163c3
Instruction Fuzzy Hash: F0616BB13C4201EFD325BB28CC95BD577A9FF01310FA98229E89983281E76CAC56C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00781DB2, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c9df0a93d3e054cb17a40634218e7c79abbf4597ff82ef0c5c1d33c63135779
Instruction ID: 43126cf04d92dbeb40c729583ee95f9538f46301efa589841fe9046d2f2bb63a
Opcode Fuzzy Hash: 6c9df0a93d3e054cb17a40634218e7c79abbf4597ff82ef0c5c1d33c63135779
Instruction Fuzzy Hash: E5614671780605EFD725BB38CC95BE673E8BF06350FA54229EC95C7242D728A846CB90

Uniqueness

Uniqueness Score: -1.00%

Function 0078594E, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 540fb6b5bebf1ad805ba4711cf2e91b92fb9d6f3b8fa1e97d59db535f164fbd3
Instruction ID: b1ab1f3e73fa6a2cfa64feb1cffb967d84c4c1bdbcbd981288f63603e4230fe6
Opcode Fuzzy Hash: 540fb6b5bebf1ad805ba4711cf2e91b92fb9d6f3b8fa1e97d59db535f164fbd3
Instruction Fuzzy Hash: 5E6126B0588B42CEDB25EF6484D4761BFD19F12320F64C29ED9968F2D2C27C8841CB67

Uniqueness

Uniqueness Score: -1.00%

Function 00781ADA, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b6747ce186f433f03135b488a9296f16636e46335ef40606ef3b0b96f2000e9
Instruction ID: fc112ba1cf36a95b34fd86868311df5daeeb6eba2761970e8d199f3f6ede4709
Opcode Fuzzy Hash: 1b6747ce186f433f03135b488a9296f16636e46335ef40606ef3b0b96f2000e9
Instruction Fuzzy Hash: D4518E71385201EFD729AF28CC95BD677A9FF01310FA58225E89983281E77CAC56C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00785935, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b016b5b20aac46960b19e9256d6fc7674ff7fb5f1929add449489bbe52b8525
Instruction ID: edbf7b65cbcc211e34d4c90dc0a3803f6a4d7165efe5e53bab972141abd161fb
Opcode Fuzzy Hash: 2b016b5b20aac46960b19e9256d6fc7674ff7fb5f1929add449489bbe52b8525
Instruction Fuzzy Hash: F96115B0588B42CFDB25EF68C4D8765BFD19F12320F54C29ED9968F2D2C2788841CB66

Uniqueness

Uniqueness Score: -1.00%

Function 00781B62, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c2d9b976663a2b20766f49b6a0850a2b727b492e329d83c8d9d383134a06656
Instruction ID: ee19de2ac74f0794e404917ba0ac1a48e5c49c470d177753fa6b22a052ee902b
Opcode Fuzzy Hash: 3c2d9b976663a2b20766f49b6a0850a2b727b492e329d83c8d9d383134a06656
Instruction Fuzzy Hash: B7511BB1384201DFD728BF38CD95BD5B7A9FF01310FA58265E89983241E7686C56C7D1

Uniqueness

Uniqueness Score: -1.00%

Function 00781AF6, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b710d8fdb9094d9ec5f80a82ddad808e9a6de194f8467747220c6048d92d193
Instruction ID: 374d8064a2924f3c64f62aabd0cec8023f689585368ed838cd411b02025b3760
Opcode Fuzzy Hash: 5b710d8fdb9094d9ec5f80a82ddad808e9a6de194f8467747220c6048d92d193
Instruction Fuzzy Hash: 73513CB1384202EFD724AF28CC95BD6B799FF05350FA58225E89983281D778AC96C791

Uniqueness

Uniqueness Score: -1.00%

Function 00785972, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45e076d24e63bad51f6266531c025922f22077c349aaa689c37321070f69cfa7
Instruction ID: aa02791af32ab9c2c90efe9bcb08e01aa8dbfc7c9dad164bfd8a2ba6516d8487
Opcode Fuzzy Hash: 45e076d24e63bad51f6266531c025922f22077c349aaa689c37321070f69cfa7
Instruction Fuzzy Hash: 1551E6B0588B82CEDB25EF68C4D4765BFD19F12320F54C29ED9964F2D6C3788842CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00785A0A, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 67f12cd6176216feac9408f74e7e323478dafd02cd002fb9ec6e1d998969505e
Instruction ID: 9cf7bc0c40ae658afe823aa5e1a61e8bde51d6ddf8b84d9790f331bbc89aaa9e
Opcode Fuzzy Hash: 67f12cd6176216feac9408f74e7e323478dafd02cd002fb9ec6e1d998969505e
Instruction Fuzzy Hash: 2551A770588B46CEDB25DF6888D4761BFD19F62320F58C29ED9A64F2D6C3788481CB27

Uniqueness

Uniqueness Score: -1.00%

Function 00781B82, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e23eb3c48ee0bf32a440ed822128ccc77aa8c4c569444de6c990c86fa76478f
Instruction ID: 990bc132cd7bef8937ec33283e10717216037823848c54eaab757276fc6d6524
Opcode Fuzzy Hash: 5e23eb3c48ee0bf32a440ed822128ccc77aa8c4c569444de6c990c86fa76478f
Instruction Fuzzy Hash: 97514971384601DFD728AF28CC95BD6B7A9FF01310FA44225E89A83281D768AC96C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 00781BC3, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55ed2d84a7d4250d00bdab8f168266c274bbcdd0afdb238a0ec86d3c45c96e63
Instruction ID: ac0aff321b7e605dd519aa4842d6b445d18409a2c54caa80e7814af1e4dcfcba
Opcode Fuzzy Hash: 55ed2d84a7d4250d00bdab8f168266c274bbcdd0afdb238a0ec86d3c45c96e63
Instruction Fuzzy Hash: BC515BB0384601DFD319BF38C8957D5BBE9BF01300F944259D89983242E76C6C56CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 00781FCA, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6986b9621f0380acbb4a3ab5288df1d7a3d73e92a9924eda58dd315a4903cbe
Instruction ID: bd688ce6639163d4e6b893af96cad1deb7c31e35dbcae987627c3268e632d735
Opcode Fuzzy Hash: a6986b9621f0380acbb4a3ab5288df1d7a3d73e92a9924eda58dd315a4903cbe
Instruction Fuzzy Hash: 86410570784304EFEB247E248D99BE933A5AF02751F644229EE829B1D3D72D9887D712

Uniqueness

Uniqueness Score: -1.00%

Function 00781E83, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978b79f1e275f3ec96e2ba753157bae3a7c53d86047542f0e30ed0deec838deb
Instruction ID: 011ecf243aaa7c1993619021d6761689efc89fdfbe4d4682a9c6630586c3cd27
Opcode Fuzzy Hash: 978b79f1e275f3ec96e2ba753157bae3a7c53d86047542f0e30ed0deec838deb
Instruction Fuzzy Hash: 36415B71684205DFD715BB28CCA5BE637A9BF06351FA50228FC95C7282DB2DD84AC780

Uniqueness

Uniqueness Score: -1.00%

Function 0078202C, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 376d4432cbfb6a304f2477f2580315b00fdcb95be6dd7f8db19f5ea4e6a8cbe6
Instruction ID: c5bd7b48e0fd6b16938900c2a699c5095d5ffb0453ab06423ca3f323b47c382c
Opcode Fuzzy Hash: 376d4432cbfb6a304f2477f2580315b00fdcb95be6dd7f8db19f5ea4e6a8cbe6
Instruction Fuzzy Hash: D64105706C4300EFE7247F248D9DBE933A2AF05752F644259ED959B0E7C7788886CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00781E32, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0f2d7feb86686f24fb19dd440c191542cd1793a6d50c3cf6912e9ef26974ec8
Instruction ID: 8a7b2936b65c42ce5a6e5982a1da3dca697d5c34c708f4703171eec4de0032a6
Opcode Fuzzy Hash: f0f2d7feb86686f24fb19dd440c191542cd1793a6d50c3cf6912e9ef26974ec8
Instruction Fuzzy Hash: DC314A75680205AFD724BA28CCA5BE633E9BF06350FA14228ED95C7282DB2DD846D790

Uniqueness

Uniqueness Score: -1.00%

Function 00782032, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8e529cd4984f012df963a3a2897da42ab01311cd2b3e28192d04e76aba0d3f9
Instruction ID: 9f8db9a08dc9be7fc6ec07d990d6e907845509ff0da27efe128b234ed8289be2
Opcode Fuzzy Hash: b8e529cd4984f012df963a3a2897da42ab01311cd2b3e28192d04e76aba0d3f9
Instruction Fuzzy Hash: 1F3126307C4700EEEB247E248DD9BD933A1AF01711FA44269EE829B1D3C7399886C712

Uniqueness

Uniqueness Score: -1.00%

Function 0078205E, Relevance: .1, Instructions: 106COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 131ff47caa12d6c890dc8ab7f9f5246ebc678231236f91e009c2e5e57634addb
Instruction ID: e91bd756c4e4465f419cb4e78bb132f5747ba68d6e4cf3762c9f4d10f6840bbc
Opcode Fuzzy Hash: 131ff47caa12d6c890dc8ab7f9f5246ebc678231236f91e009c2e5e57634addb
Instruction Fuzzy Hash: D231E4307C8300EFEB247A248DD9BA933A1AF01711F658169EE819B1D3C77D9846CB16

Uniqueness

Uniqueness Score: -1.00%

Function 00781841, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7a3f738f36c2f23fd0f8be49696893ade6b5c901bbea77f0f15dec37f736aaf
Instruction ID: 506b32ccf935affbb9b33bdece3faeee5c24258631756b79420f8fc8ed0388e7
Opcode Fuzzy Hash: e7a3f738f36c2f23fd0f8be49696893ade6b5c901bbea77f0f15dec37f736aaf
Instruction Fuzzy Hash: 2B2178712C4302FEE7343A248C5BBDA272A9B42770FE4452AFD15560C1C3AE8C82D382

Uniqueness

Uniqueness Score: -1.00%

Function 007820BE, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 939dde1aa48e4bfc6876b06e97feecdee2139b66137866603471f50993854d36
Instruction ID: 6611fbbca9c0b8d923fa9595b907caccdde7bcbb6ede087462abbc8b642abf06
Opcode Fuzzy Hash: 939dde1aa48e4bfc6876b06e97feecdee2139b66137866603471f50993854d36
Instruction Fuzzy Hash: 9521D870BC4304EFEB247B248D8DF993762AF05751FA58159EA455B0E3C7384847D716

Uniqueness

Uniqueness Score: -1.00%

Function 007852F6, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e3aca0bb399683e151da74912a3f2c8634df176abbde2595bb09148851b67f
Instruction ID: 30af7517a9348d4b4d4422c7b26b7c6485d660cfed81237cd27a2e80d8b99172
Opcode Fuzzy Hash: 90e3aca0bb399683e151da74912a3f2c8634df176abbde2595bb09148851b67f
Instruction Fuzzy Hash: 06F02261694B40CFCB26FB24C2C5B6A3362AB963C4F7541B8E4028BA16C3ACDC40E752

Uniqueness

Uniqueness Score: -1.00%

Function 00785335, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5440224c153f4d6c481720701a290dff81d38df6c3ca9a0d638f6558c74530da
Instruction ID: 689303cac69c2e0029471d836eb15a40106992658108cc3a0ab151ae30d107a3
Opcode Fuzzy Hash: 5440224c153f4d6c481720701a290dff81d38df6c3ca9a0d638f6558c74530da
Instruction Fuzzy Hash: 86F0C2356C0A00CFCB24FA14C2D5F9A33A1A7A57C4FB54269E0024BA12C2EC9C40D752

Uniqueness

Uniqueness Score: -1.00%

Function 007816CA, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52804d09f51124fe542c35f41742b2e4d4c1760bd492ad41e397c0efb0944569
Instruction ID: fcbe977ad8d2d868a2669d141fb07086c55117feebbd8348f3cb72e2a0d186a5
Opcode Fuzzy Hash: 52804d09f51124fe542c35f41742b2e4d4c1760bd492ad41e397c0efb0944569
Instruction Fuzzy Hash: 09E0204534C0828CFF25327803583B8680A8747310FF98278A5C7818C7BC4EC9471347

Uniqueness

Uniqueness Score: -1.00%

Function 00782DD1, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50859868c4a7020475e079c925fee477dcf1746ffda045cd51314ca6c5de1b71
Instruction ID: fffcf13fb07463a04623a4c79ef0b8ed59cee5d8ef91f815146e7991d19bcc61
Opcode Fuzzy Hash: 50859868c4a7020475e079c925fee477dcf1746ffda045cd51314ca6c5de1b71
Instruction Fuzzy Hash: 33C048BA641680DBEB4ADA08C992B4073B4AB15A85B0805D0EC028B712D228ED019A10

Uniqueness

Uniqueness Score: -1.00%

Function 00784AB5, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.766593904.0000000000780000.00000040.00000001.sdmp, Offset: 00780000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0040F11C, Relevance: 30.1, APIs: 20, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040F11C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12, void* _a32, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				char _v48;
				intOrPtr _v52;
				void* _v56;
				void* _v60;
				signed int _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				void* _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t59;
				char* _t63;
				signed int _t69;
				signed int _t75;
				intOrPtr _t102;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t102;
				_t59 = 0x60;
				L00401380();
				_v12 = _t102;
				_v8 = 0x401338;
				L004014C4();
				L004014CA();
				L004014CA();
				L004014CA();
				_push(_v52);
				L00401422();
				L0040150C();
				_push(_t59);
				_push(0x409abc);
				L0040149A();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t59));
				L004014BE();
				_t63 = _v84;
				if(_t63 != 0) {
					if( *0x4102d4 != 0) {
						_v108 = 0x4102d4;
					} else {
						_push(0x4102d4);
						_push(0x409964);
						L004014F4();
						_v108 = 0x4102d4;
					}
					_v84 =  *_v108;
					_t69 =  *((intOrPtr*)( *_v84 + 0x4c))(_v84,  &_v60);
					asm("fclex");
					_v88 = _t69;
					if(_v88 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x409954);
						_push(_v84);
						_push(_v88);
						L004014EE();
						_v112 = _t69;
					}
					_v92 = _v60;
					_v72 = 0xd1;
					_v80 = 2;
					L00401380();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t75 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92, 0x10,  &_v64);
					asm("fclex");
					_v96 = _t75;
					if(_v96 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x409ac0);
						_push(_v92);
						_push(_v96);
						L004014EE();
						_v116 = _t75;
					}
					_v104 = _v64;
					_v64 = _v64 & 0x00000000;
					_push(_v104);
					_t63 =  &_v48;
					_push(_t63);
					L004014FA();
					L004014AC();
				}
				_push(0x40f2dc);
				L00401500();
				L004014BE();
				L004014BE();
				L004014AC();
				L004014BE();
				return _t63;
			}

0x0040f121
0x0040f12c
0x0040f12d
0x0040f136
0x0040f137
0x0040f13f
0x0040f142
0x0040f14f
0x0040f15a
0x0040f165
0x0040f172
0x0040f177
0x0040f17a
0x0040f184
0x0040f189
0x0040f18a
0x0040f18f
0x0040f196
0x0040f19c
0x0040f1a3
0x0040f1a8
0x0040f1ae
0x0040f1bb
0x0040f1d5
0x0040f1bd
0x0040f1bd
0x0040f1c2
0x0040f1c7
0x0040f1cc
0x0040f1cc
0x0040f1e1
0x0040f1f0
0x0040f1f3
0x0040f1f5
0x0040f1fc
0x0040f215
0x0040f1fe
0x0040f1fe
0x0040f200
0x0040f205
0x0040f208
0x0040f20b
0x0040f210
0x0040f210
0x0040f21c
0x0040f21f
0x0040f226
0x0040f234
0x0040f23e
0x0040f23f
0x0040f240
0x0040f241
0x0040f24a
0x0040f24d
0x0040f24f
0x0040f256
0x0040f26f
0x0040f258
0x0040f258
0x0040f25a
0x0040f25f
0x0040f262
0x0040f265
0x0040f26a
0x0040f26a
0x0040f276
0x0040f279
0x0040f27d
0x0040f280
0x0040f283
0x0040f284
0x0040f28c
0x0040f28c
0x0040f291
0x0040f2b6
0x0040f2be
0x0040f2c6
0x0040f2ce
0x0040f2d6
0x0040f2db

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040F137
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040F14F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040F15A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040F165
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040F172
#523.MSVBVM60(?,?,?,?,?,00401386), ref: 0040F17A
__vbaStrMove.MSVBVM60(?,?,?,?,?,00401386), ref: 0040F184
__vbaStrCmp.MSVBVM60(00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F18F
__vbaFreeStr.MSVBVM60(00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F1A3
__vbaNew2.MSVBVM60(00409964,004102D4,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F1C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,0000004C), ref: 0040F20B
__vbaChkstk.MSVBVM60(?), ref: 0040F234
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,0000001C), ref: 0040F265
__vbaObjSet.MSVBVM60(?,?), ref: 0040F284
__vbaFreeObj.MSVBVM60(?,?), ref: 0040F28C
__vbaFreeVar.MSVBVM60(0040F2DC,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F2B6
__vbaFreeStr.MSVBVM60(0040F2DC,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F2BE
__vbaFreeStr.MSVBVM60(0040F2DC,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F2C6
__vbaFreeObj.MSVBVM60(0040F2DC,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F2CE
__vbaFreeStr.MSVBVM60(0040F2DC,00409ABC,00000000,?,?,?,?,?,00401386), ref: 0040F2D6

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckChkstkHresult$#523MoveNew2
String ID:
API String ID: 3620881825-0
Opcode ID: 8fc6568f9bd9bcd1d2c57a6e37710c5f063b4c7a435ef8183ce5994cdceb0558
Instruction ID: 617567a47ea58285ee334c47bbd2b673d9a05957eda95e0970b7c5b541a71bd0
Opcode Fuzzy Hash: 8fc6568f9bd9bcd1d2c57a6e37710c5f063b4c7a435ef8183ce5994cdceb0558
Instruction Fuzzy Hash: 3651D471910248AFDF10EFE1C846ADDBBB4AF04708F10413AF401BB6E5DBB96949CB18

Uniqueness

Uniqueness Score: -1.00%

Function 0040DE2E, Relevance: 26.3, APIs: 13, Strings: 2, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040DE2E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				intOrPtr _v44;
				char _v48;
				char _v64;
				char _v80;
				char* _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				void* _v132;
				signed int _v136;
				intOrPtr* _v148;
				signed int _v152;
				short _t50;
				signed int _t53;
				intOrPtr _t55;
				char* _t56;
				void* _t69;
				void* _t71;
				intOrPtr _t72;

				_t72 = _t71 - 0xc;
				 *[fs:0x0] = _t72;
				L00401380();
				_v16 = _t72;
				_v12 = 0x401250;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401386, _t69);
				L004014C4();
				_v104 = L"12:12:12";
				_v112 = 8;
				L004014C4();
				_push( &_v64);
				_push( &_v80);
				L0040147C();
				_v120 = 0xc;
				_v128 = 0x8002;
				_push( &_v80);
				_t50 =  &_v128;
				_push(_t50);
				L00401482();
				_v132 = _t50;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L004014DC();
				_t53 = _v132;
				if(_t53 != 0) {
					if( *0x4102d4 != 0) {
						_v148 = 0x4102d4;
					} else {
						_push(0x4102d4);
						_push(0x409964);
						L004014F4();
						_v148 = 0x4102d4;
					}
					_t55 =  *_v148;
					_v132 = _t55;
					L00401476();
					_t56 =  &_v48;
					L004014FA();
					_t53 =  *((intOrPtr*)( *_v132 + 0x40))(_v132, _t56, _t56, _t55, _v44, 0x4099e8, L"brahmanists");
					asm("fclex");
					_v136 = _t53;
					if(_v136 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x409954);
						_push(_v132);
						_push(_v136);
						L004014EE();
						_v152 = _t53;
					}
					L004014AC();
				}
				_push(0x40dfb3);
				L00401500();
				L004014AC();
				return _t53;
			}

0x0040de31
0x0040de40
0x0040de4c
0x0040de54
0x0040de57
0x0040de5e
0x0040de6d
0x0040de76
0x0040de7b
0x0040de82
0x0040de8f
0x0040de97
0x0040de9b
0x0040de9c
0x0040dea1
0x0040dea8
0x0040deb2
0x0040deb3
0x0040deb6
0x0040deb7
0x0040debc
0x0040dec3
0x0040dec7
0x0040dec8
0x0040deca
0x0040ded2
0x0040ded8
0x0040dee5
0x0040df02
0x0040dee7
0x0040dee7
0x0040deec
0x0040def1
0x0040def6
0x0040def6
0x0040df12
0x0040df14
0x0040df24
0x0040df2a
0x0040df2e
0x0040df3c
0x0040df3f
0x0040df41
0x0040df4e
0x0040df6d
0x0040df50
0x0040df50
0x0040df52
0x0040df57
0x0040df5a
0x0040df60
0x0040df65
0x0040df65
0x0040df77
0x0040df77
0x0040df7c
0x0040dfa5
0x0040dfad
0x0040dfb2

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040DE4C
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040DE76
__vbaVarDup.MSVBVM60 ref: 0040DE8F
#544.MSVBVM60(?,?), ref: 0040DE9C
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040DEB7
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040DECA
__vbaNew2.MSVBVM60(00409964,004102D4,?,?,00401386), ref: 0040DEF1
__vbaCastObj.MSVBVM60(?,004099E8,brahmanists), ref: 0040DF24
__vbaObjSet.MSVBVM60(?,00000000,?,004099E8,brahmanists), ref: 0040DF2E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,00000040), ref: 0040DF60
__vbaFreeObj.MSVBVM60(00000000,?,00409954,00000040), ref: 0040DF77
__vbaFreeVar.MSVBVM60(0040DFB3,?,?,00401386), ref: 0040DFA5
__vbaFreeObj.MSVBVM60(0040DFB3,?,?,00401386), ref: 0040DFAD

Strings

brahmanists, xrefs: 0040DF17
12:12:12, xrefs: 0040DE7B

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#544CastCheckChkstkHresultListNew2
String ID: 12:12:12$brahmanists
API String ID: 1363663338-3054137016
Opcode ID: bf89a5f1619ce3465203b7510eb06eec6dfb262dfa7a5d19b7f0fe316b341af6
Instruction ID: ffb45777648bca4e96cc8f368c8e22e7b1a3e927abeabbbc3c4872d477f94024
Opcode Fuzzy Hash: bf89a5f1619ce3465203b7510eb06eec6dfb262dfa7a5d19b7f0fe316b341af6
Instruction Fuzzy Hash: E941E9B1D00209AFDB10EFA5C986FDDBBB8BF04708F10816AF505B72A1DB785949DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EF2F, Relevance: 24.1, APIs: 16, Instructions: 135
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040EF2F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v32;
				char _v36;
				char _v40;
				char _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v108;
				char* _t57;
				char* _t61;
				signed int _t65;
				char* _t67;
				signed int _t70;
				char* _t73;
				intOrPtr _t95;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t95;
				_push(0x58);
				L00401380();
				_v12 = _t95;
				_v8 = 0x401328;
				L004014CA();
				if( *0x410010 != 0) {
					_v96 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v96 = 0x410010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x308))( *_v96));
				_t57 =  &_v40;
				_push(_t57);
				L004014FA();
				_v84 = _t57;
				_v64 = 0x80020004;
				_v72 = 0xa;
				if( *0x410010 != 0) {
					_v100 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v100 = 0x410010;
				}
				_t61 =  &_v32;
				L004014FA();
				_v76 = _t61;
				_t65 =  *((intOrPtr*)( *_v76 + 0x178))(_v76,  &_v36, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x30c))( *_v100));
				asm("fclex");
				_v80 = _t65;
				if(_v80 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x4097ec);
					_push(_v76);
					_push(_v80);
					L004014EE();
					_v104 = _t65;
				}
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t67 =  &_v56;
				L004014D6();
				L004014B8();
				L0040150C();
				_t70 =  *((intOrPtr*)( *_v84 + 0x1ec))(_v84, _t67, _t67, _t67, _v36, 0, 0, 0x10);
				asm("fclex");
				_v88 = _t70;
				if(_v88 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4097ec);
					_push(_v84);
					_push(_v88);
					L004014EE();
					_v108 = _t70;
				}
				L004014BE();
				_push( &_v40);
				_push( &_v36);
				_t73 =  &_v32;
				_push(_t73);
				_push(3);
				L004014E2();
				L00401500();
				_push(0x40f109);
				L004014BE();
				return _t73;
			}

0x0040ef34
0x0040ef3f
0x0040ef40
0x0040ef47
0x0040ef4a
0x0040ef52
0x0040ef55
0x0040ef62
0x0040ef6e
0x0040ef88
0x0040ef70
0x0040ef70
0x0040ef75
0x0040ef7a
0x0040ef7f
0x0040ef7f
0x0040efa2
0x0040efa3
0x0040efa6
0x0040efa7
0x0040efac
0x0040efaf
0x0040efb6
0x0040efc4
0x0040efde
0x0040efc6
0x0040efc6
0x0040efcb
0x0040efd0
0x0040efd5
0x0040efd5
0x0040eff9
0x0040effd
0x0040f002
0x0040f011
0x0040f017
0x0040f019
0x0040f020
0x0040f03c
0x0040f022
0x0040f022
0x0040f027
0x0040f02c
0x0040f02f
0x0040f032
0x0040f037
0x0040f037
0x0040f043
0x0040f04d
0x0040f04e
0x0040f04f
0x0040f050
0x0040f058
0x0040f05c
0x0040f065
0x0040f06f
0x0040f07d
0x0040f083
0x0040f085
0x0040f08c
0x0040f0a8
0x0040f08e
0x0040f08e
0x0040f093
0x0040f098
0x0040f09b
0x0040f09e
0x0040f0a3
0x0040f0a3
0x0040f0af
0x0040f0b7
0x0040f0bb
0x0040f0bc
0x0040f0bf
0x0040f0c0
0x0040f0c2
0x0040f0cd
0x0040f0d2
0x0040f103
0x0040f108

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040EF4A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040EF62
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040EF7A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EFA7
__vbaNew2.MSVBVM60(00408E78,00410010,?,00000000), ref: 0040EFD0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EFFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097EC,00000178), ref: 0040F032
__vbaChkstk.MSVBVM60 ref: 0040F043
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F05C
__vbaStrVarMove.MSVBVM60(00000000), ref: 0040F065
__vbaStrMove.MSVBVM60(00000000), ref: 0040F06F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097EC,000001EC), ref: 0040F09E
__vbaFreeStr.MSVBVM60 ref: 0040F0AF
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040F0C2
__vbaFreeVar.MSVBVM60 ref: 0040F0CD
__vbaFreeStr.MSVBVM60(0040F109), ref: 0040F103

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultMoveNew2$CallCopyLateList
String ID:
API String ID: 2463591421-0
Opcode ID: a0039d295f61f64bb278ad6743da87e6cb250ace04a265d994be4dd249047957
Instruction ID: 9f7cdb3014e5a3f35f8918543003576658071702060ab7a592d8b0f8392e529a
Opcode Fuzzy Hash: a0039d295f61f64bb278ad6743da87e6cb250ace04a265d994be4dd249047957
Instruction Fuzzy Hash: E9510871A00208AFDB11EFD1C845FDEBBB9AF08304F20443AF505BB2A1DBB96945DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E4A4, Relevance: 21.1, APIs: 14, Instructions: 65
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0040E4A4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a28, void* _a48, void* _a56) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				void* _v64;
				void* _v68;
				char _v84;
				intOrPtr _v108;
				char _v116;
				short _v120;
				void* _t32;
				short _t35;
				short _t36;
				void* _t53;
				void* _t55;
				intOrPtr _t56;

				_t56 = _t55 - 0xc;
				 *[fs:0x0] = _t56;
				L00401380();
				_v16 = _t56;
				_v12 = 0x401298;
				_v8 = 0;
				_t32 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x68,  *[fs:0x0], 0x401386, _t53);
				L004014C4();
				L004014C4();
				L004014CA();
				L004014CA();
				_push(0x409a14);
				L00401452();
				_push(_t32);
				_push( &_v84);
				L00401458();
				_v108 = 0x409a0c;
				_v116 = 0x8008;
				_push( &_v84);
				_t35 =  &_v116;
				_push(_t35);
				L00401482();
				_v120 = _t35;
				L00401500();
				_t36 = _v120;
				if(_t36 != 0) {
					_push(0x50);
					L0040144C();
					_v44 = _t36;
				}
				_push(0x40e598);
				L00401500();
				L004014BE();
				L00401500();
				L004014BE();
				return _t36;
			}

0x0040e4a7
0x0040e4b6
0x0040e4c0
0x0040e4c8
0x0040e4cb
0x0040e4d2
0x0040e4e1
0x0040e4ea
0x0040e4f5
0x0040e500
0x0040e50b
0x0040e510
0x0040e515
0x0040e51a
0x0040e51e
0x0040e51f
0x0040e524
0x0040e52b
0x0040e535
0x0040e536
0x0040e539
0x0040e53a
0x0040e53f
0x0040e546
0x0040e54b
0x0040e551
0x0040e553
0x0040e555
0x0040e55a
0x0040e55a
0x0040e55d
0x0040e57a
0x0040e582
0x0040e58a
0x0040e592
0x0040e597

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E4C0
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E4EA
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E4F5
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040E500
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040E50B
__vbaI4Str.MSVBVM60(00409A14,?,?,?,?,00401386), ref: 0040E515
#608.MSVBVM60(?,00000000,00409A14,?,?,?,?,00401386), ref: 0040E51F
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040E53A
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0040E546
#570.MSVBVM60(00000050,00008008,?), ref: 0040E555
__vbaFreeVar.MSVBVM60(0040E598,00008008,?), ref: 0040E57A
__vbaFreeStr.MSVBVM60(0040E598,00008008,?), ref: 0040E582
__vbaFreeVar.MSVBVM60(0040E598,00008008,?), ref: 0040E58A
__vbaFreeStr.MSVBVM60(0040E598,00008008,?), ref: 0040E592

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#570#608Chkstk
String ID:
API String ID: 1920509413-0
Opcode ID: 44066cfee870cd57e53b4d2ddd71e663bd5136f8307131b8e9aba0e35cb289b5
Instruction ID: 9a24467dc7f8930dacf84240de20e3f9466feebbbb04802614c97ad664f1b9aa
Opcode Fuzzy Hash: 44066cfee870cd57e53b4d2ddd71e663bd5136f8307131b8e9aba0e35cb289b5
Instruction Fuzzy Hash: A021DB71900248AACB04EFE1C991ADD7778BF44748F50853EF4057B1F2EB785A09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6CA, Relevance: 19.6, APIs: 13, Instructions: 150
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040E6CA(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v40;
				char _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				short _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v136;
				short _v140;
				intOrPtr _v144;
				signed int _v148;
				char* _t68;
				signed int _t72;
				char* _t76;
				signed int _t83;
				char* _t85;
				intOrPtr _t93;
				void* _t104;
				void* _t106;
				intOrPtr* _t107;
				intOrPtr _t113;

				_t113 = __fp0;
				_t107 = _t106 - 0xc;
				 *[fs:0x0] = _t107;
				L00401380();
				_v16 = _t107;
				_v12 = 0x4012b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x7c,  *[fs:0x0], 0x401386, _t104);
				L004014C4();
				if( *0x410010 != 0) {
					_v128 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v128 = 0x410010;
				}
				_t68 =  &_v44;
				L004014FA();
				_v104 = _t68;
				_t72 =  *((intOrPtr*)( *_v104 + 0x240))(_v104,  &_v100, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x314))( *_v128));
				asm("fclex");
				_v108 = _t72;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x240);
					_push(0x4097fc);
					_push(_v104);
					_push(_v108);
					L004014EE();
					_v132 = _t72;
				}
				if( *0x410010 != 0) {
					_v136 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v136 = 0x410010;
				}
				_t93 =  *((intOrPtr*)( *_v136));
				_t76 =  &_v48;
				L004014FA();
				_v112 = _t76;
				_v88 = 0x80020004;
				_v96 = 0xa;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v140 = _v100;
				asm("fild dword [ebp-0x88]");
				_v144 = _t113;
				 *_t107 = _v144;
				_t83 =  *((intOrPtr*)( *_v112 + 0x1b4))(_v112, _t93, 0x10, 0x10, 0x10, _t76,  *((intOrPtr*)(_t93 + 0x304))( *_v136));
				asm("fclex");
				_v116 = _t83;
				if(_v116 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x40980c);
					_push(_v112);
					_push(_v116);
					L004014EE();
					_v148 = _t83;
				}
				_push( &_v48);
				_t85 =  &_v44;
				_push(_t85);
				_push(2);
				L004014E2();
				asm("wait");
				_push(0x40e8dc);
				L00401500();
				return _t85;
			}

0x0040e6ca
0x0040e6cd
0x0040e6dc
0x0040e6e6
0x0040e6ee
0x0040e6f1
0x0040e6f8
0x0040e707
0x0040e710
0x0040e71c
0x0040e736
0x0040e71e
0x0040e71e
0x0040e723
0x0040e728
0x0040e72d
0x0040e72d
0x0040e751
0x0040e755
0x0040e75a
0x0040e769
0x0040e76f
0x0040e771
0x0040e778
0x0040e794
0x0040e77a
0x0040e77a
0x0040e77f
0x0040e784
0x0040e787
0x0040e78a
0x0040e78f
0x0040e78f
0x0040e79f
0x0040e7bc
0x0040e7a1
0x0040e7a1
0x0040e7a6
0x0040e7ab
0x0040e7b0
0x0040e7b0
0x0040e7d6
0x0040e7e0
0x0040e7e4
0x0040e7e9
0x0040e7ec
0x0040e7f3
0x0040e7fa
0x0040e801
0x0040e808
0x0040e80f
0x0040e819
0x0040e823
0x0040e824
0x0040e825
0x0040e826
0x0040e82a
0x0040e834
0x0040e835
0x0040e836
0x0040e837
0x0040e83b
0x0040e845
0x0040e846
0x0040e847
0x0040e848
0x0040e84d
0x0040e853
0x0040e859
0x0040e866
0x0040e871
0x0040e877
0x0040e879
0x0040e880
0x0040e89f
0x0040e882
0x0040e882
0x0040e887
0x0040e88c
0x0040e88f
0x0040e892
0x0040e897
0x0040e897
0x0040e8a9
0x0040e8aa
0x0040e8ad
0x0040e8ae
0x0040e8b0
0x0040e8b8
0x0040e8b9
0x0040e8d6
0x0040e8db

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E6E6
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E710
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040E728
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E755
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097FC,00000240), ref: 0040E78A
__vbaNew2.MSVBVM60(00408E78,00410010), ref: 0040E7AB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E7E4
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E819
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E82A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E83B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040980C,000001B4,?,?,00000000), ref: 0040E892
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 0040E8B0
__vbaFreeVar.MSVBVM60(0040E8DC,?,?,00401386), ref: 0040E8D6

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$List
String ID:
API String ID: 1303183447-0
Opcode ID: 45942d7a08e7c1a5bdb05a37087e5db0aa0130380300aefc0a45579fd2c8a18c
Instruction ID: e7231768d897a5362656107a8faef677499189f2b705a76209a7cc30167aae3e
Opcode Fuzzy Hash: 45942d7a08e7c1a5bdb05a37087e5db0aa0130380300aefc0a45579fd2c8a18c
Instruction Fuzzy Hash: 59511571900208DFDB10DFA5C885BDDBBB5BF08304F20846AE945BB2A1CBB95945DF15

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8FB, Relevance: 19.6, APIs: 13, Instructions: 99
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040E8FB(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a8, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v60;
				char _v64;
				intOrPtr* _v68;
				signed int _v72;
				signed int _v76;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t47;
				char* _t51;
				signed int _t55;
				void* _t71;
				void* _t73;
				intOrPtr _t74;

				_t74 = _t73 - 0xc;
				 *[fs:0x0] = _t74;
				L00401380();
				_v16 = _t74;
				_v12 = 0x4012d0;
				_v8 = 0;
				_t47 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401386, _t71);
				L004014C4();
				L004014C4();
				_push(0x409a34);
				L00401440();
				L00401446();
				L00401470();
				asm("fcomp qword [0x4012c8]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x410010 != 0) {
						_v88 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x408e78);
						L004014F4();
						_v88 = 0x410010;
					}
					_t51 =  &_v60;
					L004014FA();
					_v68 = _t51;
					_t55 =  *((intOrPtr*)( *_v68 + 0x110))(_v68,  &_v64, _t51,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x2fc))( *_v88));
					asm("fclex");
					_v72 = _t55;
					if(_v72 >= 0) {
						_t27 =  &_v92;
						 *_t27 = _v92 & 0x00000000;
						__eflags =  *_t27;
					} else {
						_push(0x110);
						_push(0x4097dc);
						_push(_v68);
						_push(_v72);
						L004014EE();
						_v92 = _t55;
					}
					_t47 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, _v64);
					asm("fclex");
					_v76 = _t47;
					if(_v76 >= 0) {
						_t38 =  &_v96;
						 *_t38 = _v96 & 0x00000000;
						__eflags =  *_t38;
					} else {
						_push(0x15c);
						_push(0x4095e4);
						_push(_a4);
						_push(_v76);
						L004014EE();
						_v96 = _t47;
					}
					L004014AC();
				}
				asm("wait");
				_push(0x40ea5b);
				L00401500();
				L00401500();
				return _t47;
			}

0x0040e8fe
0x0040e90d
0x0040e917
0x0040e91f
0x0040e922
0x0040e929
0x0040e938
0x0040e941
0x0040e94c
0x0040e951
0x0040e956
0x0040e95b
0x0040e960
0x0040e965
0x0040e96b
0x0040e96d
0x0040e96e
0x0040e97b
0x0040e995
0x0040e97d
0x0040e97d
0x0040e982
0x0040e987
0x0040e98c
0x0040e98c
0x0040e9b0
0x0040e9b4
0x0040e9b9
0x0040e9c8
0x0040e9ce
0x0040e9d0
0x0040e9d7
0x0040e9f3
0x0040e9f3
0x0040e9f3
0x0040e9d9
0x0040e9d9
0x0040e9de
0x0040e9e3
0x0040e9e6
0x0040e9e9
0x0040e9ee
0x0040e9ee
0x0040ea02
0x0040ea08
0x0040ea0a
0x0040ea11
0x0040ea2d
0x0040ea2d
0x0040ea2d
0x0040ea13
0x0040ea13
0x0040ea18
0x0040ea1d
0x0040ea20
0x0040ea23
0x0040ea28
0x0040ea28
0x0040ea34
0x0040ea34
0x0040ea39
0x0040ea3a
0x0040ea4d
0x0040ea55
0x0040ea5a

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E917
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E941
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E94C
__vbaR8Str.MSVBVM60(00409A34,?,?,?,?,00401386), ref: 0040E956
__vbaFPFix.MSVBVM60(00409A34,?,?,?,?,00401386), ref: 0040E95B
__vbaFpR8.MSVBVM60(00409A34,?,?,?,?,00401386), ref: 0040E960
__vbaNew2.MSVBVM60(00408E78,00410010,00409A34,?,?,?,?,00401386), ref: 0040E987
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E9B4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097DC,00000110), ref: 0040E9E9
__vbaHresultCheckObj.MSVBVM60(00000000,004012D0,004095E4,0000015C), ref: 0040EA23
__vbaFreeObj.MSVBVM60(00000000,004012D0,004095E4,0000015C), ref: 0040EA34
__vbaFreeVar.MSVBVM60(0040EA5B,00409A34,?,?,?,?,00401386), ref: 0040EA4D
__vbaFreeVar.MSVBVM60(0040EA5B,00409A34,?,?,?,?,00401386), ref: 0040EA55

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2
String ID:
API String ID: 1237124366-0
Opcode ID: 74c4b87ce6ec9fb7b8703c8dc59916b69d35e94628e4dcd267a96b07f6450c21
Instruction ID: d08d13ea57228f1204535775cf8fd7dbb24f020aaa68478da2ff6c32a9809382
Opcode Fuzzy Hash: 74c4b87ce6ec9fb7b8703c8dc59916b69d35e94628e4dcd267a96b07f6450c21
Instruction Fuzzy Hash: 4D41F470A00248EFCB00EF95C946BDDBBB4BF08348F10847AF505BA2B1CBB85955DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DC1C, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040DC1C(void* __ebx, void* __edi, void* __esi, void* _a8, void* _a36, signed int* _a56) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v56;
				void* _v72;
				void* _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				signed int _v124;
				signed int _v128;
				signed int _t49;
				signed int _t54;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t70;
				_push(0x68);
				L00401380();
				_v16 = _t70;
				_v12 = 0x401230;
				L004014C4();
				L004014C4();
				 *_a56 =  *_a56 & 0x00000000;
				if( *0x4102d4 != 0) {
					_v120 = 0x4102d4;
				} else {
					_push(0x4102d4);
					_push(0x409964);
					L004014F4();
					_v120 = 0x4102d4;
				}
				_v96 =  *_v120;
				_t49 =  *((intOrPtr*)( *_v96 + 0x14))(_v96,  &_v76);
				asm("fclex");
				_v100 = _t49;
				if(_v100 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x409954);
					_push(_v96);
					_push(_v100);
					L004014EE();
					_v124 = _t49;
				}
				_v104 = _v76;
				_v84 = 0x80020004;
				_v92 = 0xa;
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t54 =  *((intOrPtr*)( *_v104 + 0x13c))(_v104, L"Takkebrevene3", 0x10);
				asm("fclex");
				_v108 = _t54;
				if(_v108 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x409994);
					_push(_v104);
					_push(_v108);
					L004014EE();
					_v128 = _t54;
				}
				L004014AC();
				_push(0x40dd67);
				L00401500();
				L00401500();
				return _t54;
			}

0x0040dc1f
0x0040dc22
0x0040dc2d
0x0040dc2e
0x0040dc35
0x0040dc38
0x0040dc40
0x0040dc43
0x0040dc50
0x0040dc5b
0x0040dc63
0x0040dc6d
0x0040dc87
0x0040dc6f
0x0040dc6f
0x0040dc74
0x0040dc79
0x0040dc7e
0x0040dc7e
0x0040dc93
0x0040dca2
0x0040dca5
0x0040dca7
0x0040dcae
0x0040dcc7
0x0040dcb0
0x0040dcb0
0x0040dcb2
0x0040dcb7
0x0040dcba
0x0040dcbd
0x0040dcc2
0x0040dcc2
0x0040dcce
0x0040dcd1
0x0040dcd8
0x0040dce2
0x0040dcec
0x0040dced
0x0040dcee
0x0040dcef
0x0040dcfd
0x0040dd03
0x0040dd05
0x0040dd0c
0x0040dd28
0x0040dd0e
0x0040dd0e
0x0040dd13
0x0040dd18
0x0040dd1b
0x0040dd1e
0x0040dd23
0x0040dd23
0x0040dd2f
0x0040dd34
0x0040dd59
0x0040dd61
0x0040dd66

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040DC38
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040DC50
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040DC5B
__vbaNew2.MSVBVM60(00409964,004102D4,?,?,?,?,00401386), ref: 0040DC79
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,00000014), ref: 0040DCBD
__vbaChkstk.MSVBVM60 ref: 0040DCE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409994,0000013C), ref: 0040DD1E
__vbaFreeObj.MSVBVM60 ref: 0040DD2F
__vbaFreeVar.MSVBVM60(0040DD67), ref: 0040DD59
__vbaFreeVar.MSVBVM60(0040DD67), ref: 0040DD61

Strings

Takkebrevene3, xrefs: 0040DCF0

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2
String ID: Takkebrevene3
API String ID: 2652103358-399500223
Opcode ID: 172a045f91378d7aee67340b66fdc26a892b8993d2747027ae7377efbeecae3f
Instruction ID: e72fe39e1d887e11c12ac506ae22afb5fb03a0b3e22c6ec97a8d1140f0b504d6
Opcode Fuzzy Hash: 172a045f91378d7aee67340b66fdc26a892b8993d2747027ae7377efbeecae3f
Instruction Fuzzy Hash: 5C31B070D00348AFDB11EFE5C986BDDBBB5AF05708F20412AE405BB2E2D7B85949CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB06, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040DB06(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				signed int _t26;
				char* _t29;
				intOrPtr _t44;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t44;
				_t26 = 0x20;
				L00401380();
				_v12 = _t44;
				_v8 = 0x401220;
				L004014CA();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x409934);
				_push(_v24);
				L004014A0();
				L0040150C();
				_push(_v24);
				_push(0x40993c);
				L0040149A();
				if(_t26 != 0) {
					if( *0x4102d4 != 0) {
						_v48 = 0x4102d4;
					} else {
						_push(0x4102d4);
						_push(0x409964);
						L004014F4();
						_v48 = 0x4102d4;
					}
					_v36 =  *_v48;
					_t29 =  &_v32;
					L00401494();
					_t26 =  *((intOrPtr*)( *_v36 + 0x10))(_v36, _t29, _t29, _a4);
					asm("fclex");
					_v40 = _t26;
					if(_v40 >= 0) {
						_v52 = _v52 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x409954);
						_push(_v36);
						_push(_v40);
						L004014EE();
						_v52 = _t26;
					}
					L004014AC();
				}
				_push(0x40dbff);
				L004014BE();
				return _t26;
			}

0x0040db0b
0x0040db16
0x0040db17
0x0040db20
0x0040db21
0x0040db29
0x0040db2c
0x0040db3b
0x0040db40
0x0040db42
0x0040db44
0x0040db46
0x0040db48
0x0040db4d
0x0040db50
0x0040db5a
0x0040db5f
0x0040db62
0x0040db67
0x0040db6e
0x0040db77
0x0040db91
0x0040db79
0x0040db79
0x0040db7e
0x0040db83
0x0040db88
0x0040db88
0x0040db9d
0x0040dba3
0x0040dba7
0x0040dbb5
0x0040dbb8
0x0040dbba
0x0040dbc1
0x0040dbda
0x0040dbc3
0x0040dbc3
0x0040dbc5
0x0040dbca
0x0040dbcd
0x0040dbd0
0x0040dbd5
0x0040dbd5
0x0040dbe1
0x0040dbe1
0x0040dbe6
0x0040dbf9
0x0040dbfe

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040DB21
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040DB3B
#712.MSVBVM60(?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DB50
__vbaStrMove.MSVBVM60(?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DB5A
__vbaStrCmp.MSVBVM60(0040993C,?,?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DB67
__vbaNew2.MSVBVM60(00409964,004102D4,0040993C,?,?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DB83
__vbaObjSetAddref.MSVBVM60(?,?,0040993C,?,?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DBA7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,00000010,?,?,?,?,?,?,00401386), ref: 0040DBD0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401386), ref: 0040DBE1
__vbaFreeStr.MSVBVM60(0040DBFF,0040993C,?,?,00409934,00000000,00000001,000000FF,00000000,?,?,?,?,00401386), ref: 0040DBF9

Strings

cer, xrefs: 0040DB33

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#712AddrefCheckChkstkCopyHresultMoveNew2
String ID: cer
API String ID: 3534376734-324084633
Opcode ID: fcf2648e8622ce266f4e21da6f003576e632b70a682d000ea4ad2ab64145ece3
Instruction ID: ee6257d5521cbde50e4c9c3d79d9efc76b5765aed4e2fc2196043c97af7f132c
Opcode Fuzzy Hash: fcf2648e8622ce266f4e21da6f003576e632b70a682d000ea4ad2ab64145ece3
Instruction Fuzzy Hash: CB21F770D00209ABDF00EB95CD46FEEB7B4AB08708F20416AF401762F1DBBD6D449B29

Uniqueness

Uniqueness Score: -1.00%

Function 0040E18E, Relevance: 18.1, APIs: 12, Instructions: 141
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040E18E(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, char __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				void* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				char* _t60;
				signed int _t66;
				void* _t68;
				char* _t69;
				signed int _t72;
				intOrPtr _t83;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t83;
				_push(0x70);
				L00401380();
				_v12 = _t83;
				_v8 = 0x401278;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				_push( &_v64);
				_push( &_v48);
				asm("fld1");
				_v48 = __fp0;
				asm("fld1");
				_v56 = __fp0;
				asm("fld1");
				_v64 = __fp0;
				asm("fld1");
				_v72 = __fp0;
				L0040146A();
				L00401470();
				asm("fcomp qword [0x401270]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v120;
					 *_t10 = _v120 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v120 = 1;
				}
				_v100 =  ~_v120;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L004014DC();
				_t60 = _v100;
				if(_t60 != 0) {
					if( *0x4102d4 != 0) {
						_v124 = 0x4102d4;
					} else {
						_push(0x4102d4);
						_push(0x409964);
						L004014F4();
						_v124 = 0x4102d4;
					}
					_v100 =  *_v124;
					_t66 =  *((intOrPtr*)( *_v100 + 0x1c))(_v100,  &_v28);
					asm("fclex");
					_v104 = _t66;
					if(_v104 >= 0) {
						_t30 =  &_v128;
						 *_t30 = _v128 & 0x00000000;
						__eflags =  *_t30;
					} else {
						_push(0x1c);
						_push(0x409954);
						_push(_v100);
						_push(_v104);
						L004014EE();
						_v128 = _t66;
					}
					_v108 = _v28;
					_v72 = 1;
					_v80 = 2;
					_t68 = 0x10;
					L00401380();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401476();
					_t69 =  &_v32;
					L004014FA();
					_t72 =  *((intOrPtr*)( *_v108 + 0x58))(_v108, _t69, _t69, _t68, _v24, 0x4099e8);
					asm("fclex");
					_v112 = _t72;
					if(_v112 >= 0) {
						_t47 =  &_v132;
						 *_t47 = _v132 & 0x00000000;
						__eflags =  *_t47;
					} else {
						_push(0x58);
						_push(0x4099f8);
						_push(_v108);
						_push(_v112);
						L004014EE();
						_v132 = _t72;
					}
					_push( &_v28);
					_t60 =  &_v32;
					_push(_t60);
					_push(2);
					L004014E2();
				}
				asm("wait");
				_push(0x40e35f);
				L004014AC();
				return _t60;
			}

0x0040e193
0x0040e19e
0x0040e19f
0x0040e1a6
0x0040e1a9
0x0040e1b1
0x0040e1b4
0x0040e1bb
0x0040e1c2
0x0040e1c9
0x0040e1d0
0x0040e1da
0x0040e1de
0x0040e1df
0x0040e1e3
0x0040e1e6
0x0040e1ea
0x0040e1ed
0x0040e1f1
0x0040e1f4
0x0040e1f8
0x0040e1fb
0x0040e200
0x0040e205
0x0040e20b
0x0040e20d
0x0040e20e
0x0040e219
0x0040e219
0x0040e219
0x0040e210
0x0040e210
0x0040e210
0x0040e222
0x0040e229
0x0040e22d
0x0040e22e
0x0040e230
0x0040e238
0x0040e23e
0x0040e24b
0x0040e265
0x0040e24d
0x0040e24d
0x0040e252
0x0040e257
0x0040e25c
0x0040e25c
0x0040e271
0x0040e280
0x0040e283
0x0040e285
0x0040e28c
0x0040e2a5
0x0040e2a5
0x0040e2a5
0x0040e28e
0x0040e28e
0x0040e290
0x0040e295
0x0040e298
0x0040e29b
0x0040e2a0
0x0040e2a0
0x0040e2ac
0x0040e2af
0x0040e2b6
0x0040e2bf
0x0040e2c0
0x0040e2ca
0x0040e2cb
0x0040e2cc
0x0040e2cd
0x0040e2d6
0x0040e2dc
0x0040e2e0
0x0040e2ee
0x0040e2f1
0x0040e2f3
0x0040e2fa
0x0040e313
0x0040e313
0x0040e313
0x0040e2fc
0x0040e2fc
0x0040e2fe
0x0040e303
0x0040e306
0x0040e309
0x0040e30e
0x0040e30e
0x0040e31a
0x0040e31b
0x0040e31e
0x0040e31f
0x0040e321
0x0040e326
0x0040e329
0x0040e32a
0x0040e359
0x0040e35e

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E1A9
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040E1FB
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040E200
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040E230
__vbaNew2.MSVBVM60(00409964,004102D4), ref: 0040E257
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,0000001C), ref: 0040E29B
__vbaChkstk.MSVBVM60(00000000,?,00409954,0000001C), ref: 0040E2C0
__vbaCastObj.MSVBVM60(?,004099E8), ref: 0040E2D6
__vbaObjSet.MSVBVM60(?,00000000,?,004099E8), ref: 0040E2E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004099F8,00000058), ref: 0040E309
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E321
__vbaFreeObj.MSVBVM60(0040E35F), ref: 0040E359

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultList$#675CastNew2
String ID:
API String ID: 4043689613-0
Opcode ID: 5343e85faf832d02756ec269b6e592dc6194572f7f7e123816e2fbd29009e333
Instruction ID: 16880806b55806aa9cf2c2ff6e9e3dda2cca3bde2774629a43249ac155b0753d
Opcode Fuzzy Hash: 5343e85faf832d02756ec269b6e592dc6194572f7f7e123816e2fbd29009e333
Instruction Fuzzy Hash: 1C5129B1D40208EFDB10DFA2C84ABEEBBB9AB04704F10456EE405BB2A1D7B95954DB19

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFD2, Relevance: 18.1, APIs: 12, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E0040DFD2(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v92;
				intOrPtr* _v96;
				signed int _v100;
				signed int _v104;
				char* _t53;
				char* _t57;
				signed int _t61;
				signed int _t65;
				char* _t67;
				intOrPtr _t86;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t86;
				_push(0x54);
				L00401380();
				_v12 = _t86;
				_v8 = 0x401260;
				L004014C4();
				if( *0x410010 != 0) {
					_v92 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v92 = 0x410010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x308))( *_v92));
				_t53 =  &_v52;
				_push(_t53);
				L004014FA();
				_v80 = _t53;
				_v60 = 0x80020004;
				_v68 = 0xa;
				if( *0x410010 != 0) {
					_v96 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v96 = 0x410010;
				}
				_t57 =  &_v48;
				L004014FA();
				_v72 = _t57;
				_t61 =  *((intOrPtr*)( *_v72 + 0x1b8))(_v72,  &_v44, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x314))( *_v96));
				asm("fclex");
				_v76 = _t61;
				if(_v76 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x4097fc);
					_push(_v72);
					_push(_v76);
					L004014EE();
					_v100 = _t61;
				}
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t65 =  *((intOrPtr*)( *_v80 + 0x1ec))(_v80, _v44, 0x10);
				asm("fclex");
				_v84 = _t65;
				if(_v84 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4097ec);
					_push(_v80);
					_push(_v84);
					L004014EE();
					_v104 = _t65;
				}
				L004014BE();
				_push( &_v52);
				_t67 =  &_v48;
				_push(_t67);
				_push(2);
				L004014E2();
				_push(0x40e173);
				L00401500();
				return _t67;
			}

0x0040dfd7
0x0040dfe2
0x0040dfe3
0x0040dfea
0x0040dfed
0x0040dff5
0x0040dff8
0x0040e005
0x0040e011
0x0040e02b
0x0040e013
0x0040e013
0x0040e018
0x0040e01d
0x0040e022
0x0040e022
0x0040e045
0x0040e046
0x0040e049
0x0040e04a
0x0040e04f
0x0040e052
0x0040e059
0x0040e067
0x0040e081
0x0040e069
0x0040e069
0x0040e06e
0x0040e073
0x0040e078
0x0040e078
0x0040e09c
0x0040e0a0
0x0040e0a5
0x0040e0b4
0x0040e0ba
0x0040e0bc
0x0040e0c3
0x0040e0df
0x0040e0c5
0x0040e0c5
0x0040e0ca
0x0040e0cf
0x0040e0d2
0x0040e0d5
0x0040e0da
0x0040e0da
0x0040e0e6
0x0040e0f0
0x0040e0f1
0x0040e0f2
0x0040e0f3
0x0040e0ff
0x0040e105
0x0040e107
0x0040e10e
0x0040e12a
0x0040e110
0x0040e110
0x0040e115
0x0040e11a
0x0040e11d
0x0040e120
0x0040e125
0x0040e125
0x0040e131
0x0040e139
0x0040e13a
0x0040e13d
0x0040e13e
0x0040e140
0x0040e148
0x0040e16d
0x0040e172

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040DFED
__vbaVarDup.MSVBVM60(?,?,?,?,00401386), ref: 0040E005
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040E01D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E04A
__vbaNew2.MSVBVM60(00408E78,00410010,?,00000000), ref: 0040E073
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E0A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097FC,000001B8), ref: 0040E0D5
__vbaChkstk.MSVBVM60 ref: 0040E0E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097EC,000001EC), ref: 0040E120
__vbaFreeStr.MSVBVM60 ref: 0040E131
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E140
__vbaFreeVar.MSVBVM60(0040E173), ref: 0040E16D

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: 050180346cd6bf453cb89ae1808c16a04e2291091cc8b3048ab481d7688526d8
Instruction ID: e424049ac062e471a5f49b91360d82e0e47ce8779e45ec850be740cb4d45d4ed
Opcode Fuzzy Hash: 050180346cd6bf453cb89ae1808c16a04e2291091cc8b3048ab481d7688526d8
Instruction Fuzzy Hash: 1341F571900258EFCB10DFD5C885BDDBBB8BF08704F10442AF441BB2A1C7B96956DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040F4CE, Relevance: 15.1, APIs: 10, Instructions: 94
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040F4CE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v48;
				char _v64;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				char _v112;
				signed int _v116;
				signed int _v120;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _t50;
				signed int _t52;
				signed int _t55;
				char* _t58;
				void* _t67;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				 *[fs:0x0] = _t70;
				L00401380();
				_v16 = _t70;
				_v12 = 0x401368;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x401386, _t67);
				_v88 = 0x409b00;
				_v96 = 8;
				L004014C4();
				_push( &_v64);
				_t50 =  &_v48;
				_push(_t50);
				L00401416();
				_v116 = _t50;
				if(_v116 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(_v116);
					L00401410();
					_v132 = _t50;
				}
				_v104 = 2;
				_v112 = 0x8002;
				_push( &_v64);
				_t52 =  &_v112;
				_push(_t52);
				L00401482();
				_v120 = _t52;
				_push( &_v64);
				_push( &_v48);
				_push(2);
				L004014DC();
				_t55 = _v120;
				if(_t55 != 0) {
					if( *0x4102d4 != 0) {
						_v136 = 0x4102d4;
					} else {
						_push(0x4102d4);
						_push(0x409964);
						L004014F4();
						_v136 = 0x4102d4;
					}
					_v116 =  *_v136;
					_t58 =  &_v32;
					L00401494();
					_t55 =  *((intOrPtr*)( *_v116 + 0x10))(_v116, _t58, _t58, _a4);
					asm("fclex");
					_v120 = _t55;
					if(_v120 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x409954);
						_push(_v116);
						_push(_v120);
						L004014EE();
						_v140 = _t55;
					}
					L004014AC();
				}
				asm("wait");
				_push(0x40f638);
				return _t55;
			}

0x0040f4d1
0x0040f4e0
0x0040f4ea
0x0040f4f2
0x0040f4f5
0x0040f4fc
0x0040f50b
0x0040f50e
0x0040f515
0x0040f522
0x0040f52a
0x0040f52b
0x0040f52e
0x0040f52f
0x0040f534
0x0040f53b
0x0040f54a
0x0040f53d
0x0040f53d
0x0040f540
0x0040f545
0x0040f545
0x0040f54e
0x0040f555
0x0040f55f
0x0040f560
0x0040f563
0x0040f564
0x0040f569
0x0040f570
0x0040f574
0x0040f575
0x0040f577
0x0040f57f
0x0040f585
0x0040f592
0x0040f5af
0x0040f594
0x0040f594
0x0040f599
0x0040f59e
0x0040f5a3
0x0040f5a3
0x0040f5c1
0x0040f5c7
0x0040f5cb
0x0040f5d9
0x0040f5dc
0x0040f5de
0x0040f5e5
0x0040f601
0x0040f5e7
0x0040f5e7
0x0040f5e9
0x0040f5ee
0x0040f5f1
0x0040f5f4
0x0040f5f9
0x0040f5f9
0x0040f60b
0x0040f60b
0x0040f610
0x0040f611
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040F4EA
__vbaVarDup.MSVBVM60 ref: 0040F522
#564.MSVBVM60(?,?), ref: 0040F52F
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0040F540
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040F564
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040F577
__vbaNew2.MSVBVM60(00409964,004102D4,?,?,00401386), ref: 0040F59E
__vbaObjSetAddref.MSVBVM60(?,00401368), ref: 0040F5CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409954,00000010), ref: 0040F5F4
__vbaFreeObj.MSVBVM60(00000000,?,00409954,00000010), ref: 0040F60B

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#564AddrefChkstkListNew2
String ID:
API String ID: 2560365401-0
Opcode ID: 62ec6ed6d086f357b297cc2e8a503251a924a4563d3618b531b47b2ab2eecd42
Instruction ID: e695fa7c30d2f5fbe0d165fe6699c8c88d48edd77f85847f649844d49dfaeda5
Opcode Fuzzy Hash: 62ec6ed6d086f357b297cc2e8a503251a924a4563d3618b531b47b2ab2eecd42
Instruction Fuzzy Hash: 8341F771C00218AFDB20DFA1C945BDDBBB8BB04708F20857AE505B72A2DB795949DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5B7, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E5B7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t37;
				signed int _t41;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				L00401380();
				_v16 = _t55;
				_v12 = 0x4012a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401386, _t52);
				L004014CA();
				if( *0x410010 != 0) {
					_v56 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v56 = 0x410010;
				}
				_t37 =  &_v32;
				L004014FA();
				_v40 = _t37;
				_t41 =  *((intOrPtr*)( *_v40 + 0x298))(_v40, L"Postie5",  &_v36, _t37,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x314))( *_v56));
				asm("fclex");
				_v44 = _t41;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x298);
					_push(0x4097fc);
					_push(_v40);
					_push(_v44);
					L004014EE();
					_v60 = _t41;
				}
				L004014AC();
				_push(0x40e6ab);
				L004014BE();
				return _t41;
			}

0x0040e5ba
0x0040e5c9
0x0040e5d3
0x0040e5db
0x0040e5de
0x0040e5e5
0x0040e5f4
0x0040e5fd
0x0040e609
0x0040e623
0x0040e60b
0x0040e60b
0x0040e610
0x0040e615
0x0040e61a
0x0040e61a
0x0040e63e
0x0040e642
0x0040e647
0x0040e65b
0x0040e661
0x0040e663
0x0040e66a
0x0040e686
0x0040e66c
0x0040e66c
0x0040e671
0x0040e676
0x0040e679
0x0040e67c
0x0040e681
0x0040e681
0x0040e68d
0x0040e692
0x0040e6a5
0x0040e6aa

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E5D3
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040E5FD
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040E615
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E642
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097FC,00000298), ref: 0040E67C
__vbaFreeObj.MSVBVM60 ref: 0040E68D
__vbaFreeStr.MSVBVM60(0040E6AB), ref: 0040E6A5

Strings

Postie5, xrefs: 0040E64E

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID: Postie5
API String ID: 2810356740-336301564
Opcode ID: 94dd55237de467d57474be10df5a1944e84e3d294ca4460e9d8f7670b323fbaf
Instruction ID: fef86499bb135d8b1876e3b06461342d8e2300f77fb6de98b6a485bec247ffc7
Opcode Fuzzy Hash: 94dd55237de467d57474be10df5a1944e84e3d294ca4460e9d8f7670b323fbaf
Instruction Fuzzy Hash: 95211771A00208EFCB00DF95D989BDEBBB4EB18704F20496AF401B72A1C7B9A955DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040EDC8, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040EDC8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t42;
				signed int _t48;
				intOrPtr _t52;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401380();
				_v16 = _t65;
				_v12 = 0x401318;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x401386, _t62);
				if( *0x410010 != 0) {
					_v100 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v100 = 0x410010;
				}
				_t52 =  *((intOrPtr*)( *_v100));
				_t42 =  &_v32;
				L004014FA();
				_v84 = _t42;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401380();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x401310;
				_t48 =  *((intOrPtr*)( *_v84 + 0x1cc))(_v84, _t52, 0x10, 0x10, 0x10, _t42,  *((intOrPtr*)(_t52 + 0x2fc))( *_v100));
				asm("fclex");
				_v88 = _t48;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x1cc);
					_push(0x4097dc);
					_push(_v84);
					_push(_v88);
					L004014EE();
					_v104 = _t48;
				}
				L004014AC();
				asm("wait");
				_push(0x40ef08);
				return _t48;
			}

0x0040edcb
0x0040edda
0x0040ede4
0x0040edec
0x0040edef
0x0040edf6
0x0040ee05
0x0040ee0f
0x0040ee29
0x0040ee11
0x0040ee11
0x0040ee16
0x0040ee1b
0x0040ee20
0x0040ee20
0x0040ee3a
0x0040ee44
0x0040ee48
0x0040ee4d
0x0040ee50
0x0040ee57
0x0040ee5e
0x0040ee65
0x0040ee6c
0x0040ee73
0x0040ee7d
0x0040ee87
0x0040ee88
0x0040ee89
0x0040ee8a
0x0040ee8e
0x0040ee98
0x0040ee99
0x0040ee9a
0x0040ee9b
0x0040ee9f
0x0040eea9
0x0040eeaa
0x0040eeab
0x0040eeac
0x0040eeb4
0x0040eebf
0x0040eec5
0x0040eec7
0x0040eece
0x0040eeea
0x0040eed0
0x0040eed0
0x0040eed5
0x0040eeda
0x0040eedd
0x0040eee0
0x0040eee5
0x0040eee5
0x0040eef1
0x0040eef6
0x0040eef7
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040EDE4
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040EE1B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EE48
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040EE7D
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040EE8E
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040EE9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097DC,000001CC,?,?,00000000), ref: 0040EEE0
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0040EEF1

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 43c75a544f1274365f4b194d6443e136feb7fde84836a0a0d9d96f6f9f974e9f
Instruction ID: ea9f16787c8e633e09245df196e121dffb4d908c8bf62ccc8c12fe60411bcd6d
Opcode Fuzzy Hash: 43c75a544f1274365f4b194d6443e136feb7fde84836a0a0d9d96f6f9f974e9f
Instruction Fuzzy Hash: B7313871900708EFDB01DF95C849B9EBBB6BF09704F20882AF905BF2A1C7B95945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E372, Relevance: 12.1, APIs: 8, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040E372(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char* _t32;
				char* _t36;
				signed int _t40;
				intOrPtr _t54;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t54;
				_t32 = 0x34;
				L00401380();
				_v12 = _t54;
				_v8 = 0x401288;
				_push(0x409a0c);
				L00401464();
				if(_t32 != 0x61) {
					if( *0x410010 != 0) {
						_v68 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x408e78);
						L004014F4();
						_v68 = 0x410010;
					}
					_t36 =  &_v32;
					L004014FA();
					_v52 = _t36;
					_t40 =  *((intOrPtr*)( *_v52 + 0x218))(_v52,  &_v28, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x30c))( *_v68));
					asm("fclex");
					_v56 = _t40;
					if(_v56 >= 0) {
						_v72 = _v72 & 0x00000000;
					} else {
						_push(0x218);
						_push(0x4097ec);
						_push(_v52);
						_push(_v56);
						L004014EE();
						_v72 = _t40;
					}
					_v64 = _v28;
					_v28 = _v28 & 0x00000000;
					_v40 = _v64;
					_v48 = 8;
					_t32 =  &_v48;
					_push(_t32);
					L0040145E();
					L004014AC();
					L00401500();
				}
				_push(0x40e487);
				return _t32;
			}

0x0040e377
0x0040e382
0x0040e383
0x0040e38c
0x0040e38d
0x0040e395
0x0040e398
0x0040e39f
0x0040e3a4
0x0040e3ad
0x0040e3ba
0x0040e3d4
0x0040e3bc
0x0040e3bc
0x0040e3c1
0x0040e3c6
0x0040e3cb
0x0040e3cb
0x0040e3ef
0x0040e3f3
0x0040e3f8
0x0040e407
0x0040e40d
0x0040e40f
0x0040e416
0x0040e432
0x0040e418
0x0040e418
0x0040e41d
0x0040e422
0x0040e425
0x0040e428
0x0040e42d
0x0040e42d
0x0040e439
0x0040e43c
0x0040e443
0x0040e446
0x0040e44d
0x0040e450
0x0040e451
0x0040e459
0x0040e461
0x0040e461
0x0040e466
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040E38D
#516.MSVBVM60(00409A0C,?,?,?,?,00401386), ref: 0040E3A4
__vbaNew2.MSVBVM60(00408E78,00410010,00409A0C,?,?,?,?,00401386), ref: 0040E3C6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00409A0C,?,?,?,?,00401386), ref: 0040E3F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097EC,00000218,?,?,?,?,?,?,?,?,00409A0C), ref: 0040E428
#529.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00409A0C,?,?,?,?,00401386), ref: 0040E451
__vbaFreeObj.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00409A0C,?,?,?,?,00401386), ref: 0040E459
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,00409A0C,?,?,?,?,00401386), ref: 0040E461

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#529CheckChkstkHresultNew2
String ID:
API String ID: 609554944-0
Opcode ID: e1d475f9b9d3d99a3385dff5b0cb89012cc0e91ddc4dd6d4942957af3b0ab977
Instruction ID: cb60dccf728f985933e6b9191ab2bb801452a9d55e37d617607a6e6506e59efb
Opcode Fuzzy Hash: e1d475f9b9d3d99a3385dff5b0cb89012cc0e91ddc4dd6d4942957af3b0ab977
Instruction Fuzzy Hash: 4331F771D41208EFCB10DFA5D88ABDEBBB8BB08704F20457AF401B72A1C7B96945CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F2EF, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040F2EF(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v28;
				char _v36;
				char _v52;
				char* _v92;
				char _v100;
				signed int _v104;
				signed int _v112;
				signed int _t30;
				signed int _t33;
				intOrPtr _t42;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_push(0x5c);
				L00401380();
				_v12 = _t42;
				_v8 = 0x401348;
				_v28 = 0xe;
				_v36 = 2;
				_push( &_v36);
				_push( &_v52);
				L0040141C();
				_v92 = L"Out of string space";
				_v100 = 0x8008;
				_push( &_v52);
				_t30 =  &_v100;
				_push(_t30);
				L00401482();
				_v104 = _t30;
				_push( &_v52);
				_push( &_v36);
				_push(2);
				L004014DC();
				_t33 = _v104;
				if(_t33 != 0) {
					_t33 =  *((intOrPtr*)( *_a4 + 0x720))(_a4);
					_v104 = _t33;
					if(_v104 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x720);
						_push(0x409614);
						_push(_a4);
						_push(_v104);
						L004014EE();
						_v112 = _t33;
					}
				}
				_push(0x40f3c4);
				return _t33;
			}

0x0040f2f4
0x0040f2ff
0x0040f300
0x0040f307
0x0040f30a
0x0040f312
0x0040f315
0x0040f31c
0x0040f323
0x0040f32d
0x0040f331
0x0040f332
0x0040f337
0x0040f33e
0x0040f348
0x0040f349
0x0040f34c
0x0040f34d
0x0040f352
0x0040f359
0x0040f35d
0x0040f35e
0x0040f360
0x0040f368
0x0040f36e
0x0040f378
0x0040f37e
0x0040f385
0x0040f3a1
0x0040f387
0x0040f387
0x0040f38c
0x0040f391
0x0040f394
0x0040f397
0x0040f39c
0x0040f39c
0x0040f385
0x0040f3a5
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040F30A
#652.MSVBVM60(?,?,?,?,?,?,00401386), ref: 0040F332
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040F34D
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?), ref: 0040F360
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409614,00000720), ref: 0040F397

Strings

Out of string space, xrefs: 0040F337

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#652CheckChkstkFreeHresultList
String ID: Out of string space
API String ID: 690012341-1418083887
Opcode ID: 824ac6b9e16ff206043a001364d7537c032a371577666b25627997b71fd027b1
Instruction ID: 2b4a36b9abd3458fb0705371fec71d718747162e8a371ef413030b24764bcffa
Opcode Fuzzy Hash: 824ac6b9e16ff206043a001364d7537c032a371577666b25627997b71fd027b1
Instruction Fuzzy Hash: 6321F9B1910318AADF10DFD1CD45FAEBBB8BB04754F14403AB504BB5A1D7789908CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD84, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040DD84(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v48;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				char* _t19;
				intOrPtr _t28;

				_push(0x401386);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t28;
				_push(0x40);
				L00401380();
				_v12 = _t28;
				_v8 = 0x401240;
				_v72 = L"8-8-8";
				_v80 = 8;
				L004014C4();
				_push( &_v48);
				_push( &_v64);
				L00401488();
				_push( &_v64);
				L0040148E();
				_v28 = __fp0;
				_push( &_v64);
				_t19 =  &_v48;
				_push(_t19);
				_push(2);
				L004014DC();
				asm("wait");
				_push(0x40de11);
				return _t19;
			}

0x0040dd89
0x0040dd94
0x0040dd95
0x0040dd9c
0x0040dd9f
0x0040dda7
0x0040ddaa
0x0040ddb1
0x0040ddb8
0x0040ddc5
0x0040ddcd
0x0040ddd1
0x0040ddd2
0x0040ddda
0x0040dddb
0x0040dde0
0x0040dde6
0x0040dde7
0x0040ddea
0x0040ddeb
0x0040dded
0x0040ddf5
0x0040ddf6
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040DD9F
__vbaVarDup.MSVBVM60 ref: 0040DDC5
#687.MSVBVM60(?,?), ref: 0040DDD2
__vbaDateVar.MSVBVM60(?,?,?), ref: 0040DDDB
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040DDED

Strings

8-8-8, xrefs: 0040DDB1

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#687ChkstkDateFreeList
String ID: 8-8-8
API String ID: 913103056-662382048
Opcode ID: a993a54d658e460b7730ad89a2ad67c41d9d094dfa93ad4ceb86a72f29031626
Instruction ID: db06368bd878c47e756dc30599416966e420851bbd1672a4bce8d9474c0c475c
Opcode Fuzzy Hash: a993a54d658e460b7730ad89a2ad67c41d9d094dfa93ad4ceb86a72f29031626
Instruction Fuzzy Hash: 730112B1D0060CBADB10EBD6C846FDEB77CEB04704F50852BF514B61A1DB7C65098BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3D7, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E0040F3D7(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v48;
				signed int _v52;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401380();
				_v16 = _t47;
				_v12 = 0x401358;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x1c,  *[fs:0x0], 0x401386, _t44);
				if( *0x410010 != 0) {
					_v48 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x408e78);
					L004014F4();
					_v48 = 0x410010;
				}
				_t33 =  &_v28;
				L004014FA();
				_v32 = _t33;
				_t36 =  *((intOrPtr*)( *_v32 + 0x264))(_v32, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x314))( *_v48));
				asm("fclex");
				_v36 = _t36;
				if(_v36 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x264);
					_push(0x4097fc);
					_push(_v32);
					_push(_v36);
					L004014EE();
					_v52 = _t36;
				}
				L004014AC();
				_push(0x40f4af);
				return _t36;
			}

0x0040f3da
0x0040f3e9
0x0040f3f3
0x0040f3fb
0x0040f3fe
0x0040f405
0x0040f414
0x0040f41e
0x0040f438
0x0040f420
0x0040f420
0x0040f425
0x0040f42a
0x0040f42f
0x0040f42f
0x0040f453
0x0040f457
0x0040f45c
0x0040f467
0x0040f46d
0x0040f46f
0x0040f476
0x0040f492
0x0040f478
0x0040f478
0x0040f47d
0x0040f482
0x0040f485
0x0040f488
0x0040f48d
0x0040f48d
0x0040f499
0x0040f49e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040F3F3
__vbaNew2.MSVBVM60(00408E78,00410010,?,?,?,?,00401386), ref: 0040F42A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F457
__vbaHresultCheckObj.MSVBVM60(00000000,?,004097FC,00000264), ref: 0040F488
__vbaFreeObj.MSVBVM60 ref: 0040F499

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 17e854910400d190d498921587951d6dbb4acc581ec86172d2c287dd6ff10000
Instruction ID: 568a4c1ae016c861c70d426c4988975d7f42a3776a275f9e8bc9f8191011ea30
Opcode Fuzzy Hash: 17e854910400d190d498921587951d6dbb4acc581ec86172d2c287dd6ff10000
Instruction Fuzzy Hash: 0B21F571A00208AFCB10EFA5C849BDEBBB4BB18704F10807AF841BB6A1C7B95445DF68

Uniqueness

Uniqueness Score: -1.00%

Function 0040EB09, Relevance: 7.5, APIs: 5, Instructions: 36
COMMON

Download Yara Rule

C-Code - Quality: 79%

			E0040EB09(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v40;
				char _v48;
				char* _t18;
				void* _t26;
				void* _t28;
				intOrPtr _t29;

				_t29 = _t28 - 0xc;
				 *[fs:0x0] = _t29;
				L00401380();
				_v16 = _t29;
				_v12 = 0x4012f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401386, _t26);
				_v40 = 1;
				_v48 = 2;
				_push(0);
				_t18 =  &_v48;
				_push(_t18);
				L00401434();
				L0040150C();
				L00401500();
				_push(0x40eb8d);
				L004014BE();
				return _t18;
			}

0x0040eb0c
0x0040eb1b
0x0040eb25
0x0040eb2d
0x0040eb30
0x0040eb37
0x0040eb46
0x0040eb49
0x0040eb50
0x0040eb57
0x0040eb59
0x0040eb5c
0x0040eb5d
0x0040eb67
0x0040eb6f
0x0040eb74
0x0040eb87
0x0040eb8c

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040EB25
#705.MSVBVM60(00000002,00000000), ref: 0040EB5D
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 0040EB67
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 0040EB6F
__vbaFreeStr.MSVBVM60(0040EB8D,00000002,00000000), ref: 0040EB87

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#705ChkstkMove
String ID:
API String ID: 4082102812-0
Opcode ID: 7fd3e2a99560ab5f1264a05cbff8ae8ee54065e0712f07d08c96788d0c08985c
Instruction ID: b6c031fb29e7391e8e98e2226c271bfec5e33eb4ebb7a2951bfeb33ba7467965
Opcode Fuzzy Hash: 7fd3e2a99560ab5f1264a05cbff8ae8ee54065e0712f07d08c96788d0c08985c
Instruction Fuzzy Hash: 81011270900208ABDB00EF95C946BDEBBB8AF04744F50806AF801B76E1D7786905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA7A, Relevance: 6.0, APIs: 4, Instructions: 30
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0040EA7A(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _t15;
				void* _t22;
				void* _t24;
				intOrPtr _t25;

				_t25 = _t24 - 0xc;
				 *[fs:0x0] = _t25;
				L00401380();
				_v16 = _t25;
				_v12 = 0x4012e0;
				_v8 = 0;
				_t15 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x18,  *[fs:0x0], 0x401386, _t22);
				L004014CA();
				L0040143A();
				_v32 = __fp0;
				asm("wait");
				_push(0x40eadc);
				L004014BE();
				return _t15;
			}

0x0040ea7d
0x0040ea8c
0x0040ea96
0x0040ea9e
0x0040eaa1
0x0040eaa8
0x0040eab7
0x0040eac0
0x0040eac5
0x0040eaca
0x0040eacd
0x0040eace
0x0040ead6
0x0040eadb

APIs

__vbaChkstk.MSVBVM60(?,00401386), ref: 0040EA96
__vbaStrCopy.MSVBVM60(?,?,?,?,00401386), ref: 0040EAC0
#535.MSVBVM60(?,?,?,?,00401386), ref: 0040EAC5
__vbaFreeStr.MSVBVM60(0040EADC,?,?,?,?,00401386), ref: 0040EAD6

Memory Dump Source

Source File: 00000001.00000002.766369706.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.766365178.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766382719.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.766387769.0000000000411000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.766398707.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#535ChkstkCopyFree
String ID:
API String ID: 854224474-0
Opcode ID: 6959915c1bb9d2e872a45824aac4fde0429ad371b052c6c3ce4a3ae6591149cd
Instruction ID: 07bb06e9c7ec7b12efe21d23b265f30416844b7db41fd02d61635fcc920e8fdf
Opcode Fuzzy Hash: 6959915c1bb9d2e872a45824aac4fde0429ad371b052c6c3ce4a3ae6591149cd
Instruction Fuzzy Hash: 7BF01D70941208ABCB00EF95C946B9EBBB4FF04744F50856AF404B75A1C77C9945CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: ieinstal.exe PID: 6612 Parent PID: 2016 ieinstal.exeCOMMON

Executed Functions

Function 00E85525, Relevance: 3.1, APIs: 1, Instructions: 1562COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5c158fd24dc0a6e6caef320f3cded850e8bc180a8f680c3cd93f7967078203e
Instruction ID: 2ceed26db236c92ae734d6145edabe46c9cefe1303138b77ac237968adc68d9f
Opcode Fuzzy Hash: e5c158fd24dc0a6e6caef320f3cded850e8bc180a8f680c3cd93f7967078203e
Instruction Fuzzy Hash: BA22A435B1C2529BEE3AB62086965A117407A7333DBF5306ED8DEF2845DF01E462D3B2

Uniqueness

Uniqueness Score: -1.00%

Function 00E8498A, Relevance: 2.9, APIs: 1, Instructions: 1394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d87e5a24d6878a5a7670ba8a9ce9bfdd834d95f6204a73a4d22747f80c275d6f
Instruction ID: d81a8b0fc0b27703ece903ab34379ef3ad35ae2f8bab80e466b8108a65438f8c
Opcode Fuzzy Hash: d87e5a24d6878a5a7670ba8a9ce9bfdd834d95f6204a73a4d22747f80c275d6f
Instruction Fuzzy Hash: 9A927CC768A483CED735BA79434B7E9BE60D692304B6832BD8A8E7B4C7E5518901C3C5

Uniqueness

Uniqueness Score: -1.00%

Function 00E85D04, Relevance: 1.9, APIs: 1, Instructions: 399COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc0fb3d5409b5dac927cfdd15a30a89d015cca089889b44dc0f992bb3309f78d
Instruction ID: c97716264fbd9329dacb05fdebce0474684144b73b6154486c246dfea18d83f7
Opcode Fuzzy Hash: bc0fb3d5409b5dac927cfdd15a30a89d015cca089889b44dc0f992bb3309f78d
Instruction Fuzzy Hash: 0AA18B6360DF808FD725B6388D8A7A63B61DB53314F1861AED88EEB0D3DD548806C792

Uniqueness

Uniqueness Score: -1.00%

Function 00E8632E, Relevance: 1.8, APIs: 1, Instructions: 287nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: b3765bfea566231189f86fdbd43910440920ccf3b23f9a73c57e2eebd04955e8
Instruction ID: 5d6978ff402f1e54467120f9ece11c885cc61bfd59d7173b977b917ccea7a8dc
Opcode Fuzzy Hash: b3765bfea566231189f86fdbd43910440920ccf3b23f9a73c57e2eebd04955e8
Instruction Fuzzy Hash: D2814B12A49241CEDB35BE789A5A7EC3A719BC2318F68357DD94DBB497D221C844C3C2

Uniqueness

Uniqueness Score: -1.00%

Function 00E85E58, Relevance: 1.8, APIs: 1, Instructions: 264nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00E85A83,00000040,00E82509,00000000,00000000), ref: 00E85E50

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 90f593367ce055bc7d9e9102aa45662b310deb657db00af06c4920fa71848d2f
Instruction ID: d132452fd3af027f655cc71566dfacb0a687d3b2edd99e9ca6956af987b8741f
Opcode Fuzzy Hash: 90f593367ce055bc7d9e9102aa45662b310deb657db00af06c4920fa71848d2f
Instruction Fuzzy Hash: D551897361DA805FE319A738CD8AFB53FA9DB97314B18119EE48ED7053E8509D06C3A1

Uniqueness

Uniqueness Score: -1.00%

Function 00E85E81, Relevance: 1.7, APIs: 1, Instructions: 204nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00E85A83,00000040,00E82509,00000000,00000000), ref: 00E85E50

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 315a8c5ec739fd69a2d7fe4b13fb10c63a7a7b83579c0a1c17d40e30961a4812
Instruction ID: 397b8c965554dcb86ad88f035a82e3e3c4ba401598cf8ad040156cf91724e5eb
Opcode Fuzzy Hash: 315a8c5ec739fd69a2d7fe4b13fb10c63a7a7b83579c0a1c17d40e30961a4812
Instruction Fuzzy Hash: DF41457221DA945FE30DE328CD85FB63BA9EB57310B1910DEE0CAC71A3E8949C468361

Uniqueness

Uniqueness Score: -1.00%

Function 00E8631A, Relevance: 1.6, APIs: 1, Instructions: 116nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 87d98342db738eea7e91aafd9c88a563674a22abe8cecf4b238cbaaeb4b0a347
Instruction ID: dad6d76854e03e24d677892b5b71d0e1110bd01012ed47840cf2b2edce75a335
Opcode Fuzzy Hash: 87d98342db738eea7e91aafd9c88a563674a22abe8cecf4b238cbaaeb4b0a347
Instruction Fuzzy Hash: 2D310831608705CEEF247F24C9547F836A2AB56318FA57A2ED95EAB1DDC33488C8D742

Uniqueness

Uniqueness Score: -1.00%

Function 00E864B9, Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 40061fc128a276b9efbc8b907405d2e2ebe52b6f198dbdf86161a276ba100051
Instruction ID: 6e740e68d76571f555f9145706fa0dd187ab431250f50a6bc3f4e149c0c15f24
Opcode Fuzzy Hash: 40061fc128a276b9efbc8b907405d2e2ebe52b6f198dbdf86161a276ba100051
Instruction Fuzzy Hash: 47313810949345CEDF257B2495293FC3B61AF12328F6D3A9ED91D7B0DEC3648888C382

Uniqueness

Uniqueness Score: -1.00%

Function 00E86458, Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 959571eafd9ea34281bfbbeafcb44ffbbf3ac10f3a61ab6d0ed8b392f22382d7
Instruction ID: b6f26142a79182fb12f9247eab06e8fa0ae71389863cc6ad945640228c345211
Opcode Fuzzy Hash: 959571eafd9ea34281bfbbeafcb44ffbbf3ac10f3a61ab6d0ed8b392f22382d7
Instruction Fuzzy Hash: 62310630549341CEDB35BB3485193EC3BB1BF12328F697A9ED95D7A09AC3348888C782

Uniqueness

Uniqueness Score: -1.00%

Function 00E863AD, Relevance: 1.6, APIs: 1, Instructions: 91nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 00071edfe251fe5ed69acd62aafac82ba583b440bdcba95829daec5a29646422
Instruction ID: dbb7bfe7c650e7ce6c52f93c396c6e29cff1c7bc76758682bbccb189d0c4aac9
Opcode Fuzzy Hash: 00071edfe251fe5ed69acd62aafac82ba583b440bdcba95829daec5a29646422
Instruction Fuzzy Hash: F531FB70605705CEEF347B14C9287E832A2BB51318FA93A6ED51E7B1D9C37488C8D782

Uniqueness

Uniqueness Score: -1.00%

Function 00E85333, Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c46d55e8608801c7347e192b8ca54e542210cee3040c618464f3a220c333d6a
Instruction ID: a86b98ed20982950c3fb5e8aa48b7a66a71019b2df5e58859e37a1ae378cfc7b
Opcode Fuzzy Hash: 8c46d55e8608801c7347e192b8ca54e542210cee3040c618464f3a220c333d6a
Instruction Fuzzy Hash: BC2129F5605607CEDB21BA109780BF96299DF64794FB0706AF84FB7095DB90CD80A712

Uniqueness

Uniqueness Score: -1.00%

Function 00E863AA, Relevance: 1.6, APIs: 1, Instructions: 85nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c04f6ca400eb70b77c7795c209c56fa1eaa6c65c3106af48a17982521ac4a4e3
Instruction ID: 631f08d1950754f67830632bc2d1fd8b8416ae4b8b2e24853336730ed3728200
Opcode Fuzzy Hash: c04f6ca400eb70b77c7795c209c56fa1eaa6c65c3106af48a17982521ac4a4e3
Instruction Fuzzy Hash: 1521EA70605605CEEF247B14C8287F832A2BF51318FA93A5ED91E7B1E9C33484C4D742

Uniqueness

Uniqueness Score: -1.00%

Function 00E8641E, Relevance: 1.6, APIs: 1, Instructions: 70nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 38137a2649c16071ddef852bc076ab397df2c6b43f0ca3a9a84b1856560396bf
Instruction ID: c32b13c28df26ff42de896fab332a152cd38e1d8f05bc1b3dbb6311a111fee32
Opcode Fuzzy Hash: 38137a2649c16071ddef852bc076ab397df2c6b43f0ca3a9a84b1856560396bf
Instruction Fuzzy Hash: FA219360609309DEDF257B24C5287E83762AF11319FAA7E5ED55D6A0EDC33488C8D742

Uniqueness

Uniqueness Score: -1.00%

Function 00E86432, Relevance: 1.6, APIs: 1, Instructions: 69nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c1a88bcde5809f4a508801ae06c89d20d1031a047bfb36a4ee3d644a9e08c9f9
Instruction ID: 6e85f86d1c87f8a06f7323cfa169441edfa72bd57cb12b746a3b54a3258a0359
Opcode Fuzzy Hash: c1a88bcde5809f4a508801ae06c89d20d1031a047bfb36a4ee3d644a9e08c9f9
Instruction Fuzzy Hash: 2921A561605305DEDF347B24C5287E83762BB52329FA97E5ED51D660EDC33088C8C742

Uniqueness

Uniqueness Score: -1.00%

Function 00E86526, Relevance: 1.5, APIs: 1, Instructions: 32nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(00000000,?,?,?,?,?,00000000,00000004,00000000,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00E8655B

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 182e98d46df4053053ded380ae0594e70f41ce4104b83233a4ad00d447563c92
Instruction ID: a20604182b8023212b7f61670499efe3e862101e1d65f6dde690b4008105f782
Opcode Fuzzy Hash: 182e98d46df4053053ded380ae0594e70f41ce4104b83233a4ad00d447563c92
Instruction Fuzzy Hash: 1FF0E561848641CD9F2AFF38D66E2ECB6239EC1718B283E1DD98E7740C92318404C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00E85E37, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00E85A83,00000040,00E82509,00000000,00000000), ref: 00E85E50

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00E832C2, Relevance: 4.7, APIs: 3, Instructions: 153librarynetworkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A
LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeInternetOpenThunk
String ID:
API String ID: 1460551137-0
Opcode ID: 625ac7cfeb2e20910d2f977a90237ae00fce4704addb3c667d8fb13e009ccc7b
Instruction ID: 98895843c856c829619fb6355beb4e8ca93a85c81925088b67257d08fddca500
Opcode Fuzzy Hash: 625ac7cfeb2e20910d2f977a90237ae00fce4704addb3c667d8fb13e009ccc7b
Instruction Fuzzy Hash: FF514631608386EBDB35AF34CD55BEA3F60EF42B00F24945DE98EAA182D7709A40D761

Uniqueness

Uniqueness Score: -1.00%

Function 00E83863, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

rX4, xrefs: 00E8398F

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID: rX4
API String ID: 0-805084833
Opcode ID: be4ca3ac3b83fba420309a54dd68479c50ad17866fe1f297e121d812e8a9d40c
Instruction ID: 58ef216d3ab6a00c68062151372e678ea45b0ef87c49eeadbf4f512214df0a90
Opcode Fuzzy Hash: be4ca3ac3b83fba420309a54dd68479c50ad17866fe1f297e121d812e8a9d40c
Instruction Fuzzy Hash: 44C17C619093818FCB35FF7485562D97FA2AF92B00F2861ADD88DBB147D671CA01C7C2

Uniqueness

Uniqueness Score: -1.00%

Function 00E83966, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Strings

rX4, xrefs: 00E8398F

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID: rX4
API String ID: 2994545307-805084833
Opcode ID: e9a74a01a005d942c0122d4a1c17b74d84a0feb044a004fec436df7dac36aa0a
Instruction ID: fa9e86ab35973d35ce70b23ed66ea0e6df42ea1f6fe5e9a634ccf6defe3e1818
Opcode Fuzzy Hash: e9a74a01a005d942c0122d4a1c17b74d84a0feb044a004fec436df7dac36aa0a
Instruction Fuzzy Hash: 1E515A6154D2C19FC726BB7445962997F60AF83B14B1CA1DDC4CDBB117D6A0CB02C782

Uniqueness

Uniqueness Score: -1.00%

Function 00E83172, Relevance: 3.2, APIs: 2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eeeee5a70ff05f6c5ed4d3106b75fbdf523a7609c1b6d694c5ad019482ebbd5
Instruction ID: afac842685c9450eb639495c1d083cd8a3885e34ed2a0222b824bcb7b9163b88
Opcode Fuzzy Hash: 4eeeee5a70ff05f6c5ed4d3106b75fbdf523a7609c1b6d694c5ad019482ebbd5
Instruction Fuzzy Hash: 984177B160A3878ACB35BF3086553EA3BA1EF52750F64606DECCE7B182D7708A41D752

Uniqueness

Uniqueness Score: -1.00%

Function 00E832E8, Relevance: 3.1, APIs: 2, Instructions: 131librarynetworkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A
LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeInternetOpenThunk
String ID:
API String ID: 1460551137-0
Opcode ID: 530156071360fe4a72bcad8335acd2b434870403e0935c198caa39298e16f76e
Instruction ID: f6b16c6e270660d1bc981b1d975e0204b2c7ddc474800e706da13cb98c4d255c
Opcode Fuzzy Hash: 530156071360fe4a72bcad8335acd2b434870403e0935c198caa39298e16f76e
Instruction Fuzzy Hash: 04414830208386DBD732BF34CD567EA3FA5AF42700F189459D98DAA052D7709B40D762

Uniqueness

Uniqueness Score: -1.00%

Function 00E832A8, Relevance: 3.1, APIs: 2, Instructions: 92librarynetworkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00E83A10,00000000,00000000,00000000,00000000), ref: 00E832BA

Part of subcall function 00E83304: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: a8d39663440bb05447e38f8878ccdd0391de34fcb70be59892060d93309d299f
Instruction ID: 29039bcb25c529dc0bba741929df4c5265840f60c918d638ebfdee8783430001
Opcode Fuzzy Hash: a8d39663440bb05447e38f8878ccdd0391de34fcb70be59892060d93309d299f
Instruction Fuzzy Hash: 0C215731A4D3C19AD3367B34895A7963F60AF43B00F2CA4CDD5CEB90A3D6619B01D792

Uniqueness

Uniqueness Score: -1.00%

Function 00E82B0B, Relevance: 2.2, APIs: 1, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1f6af66544da25c670610ff2f99146032afd5ff84caf3c9d1b1bd70ea7d777
Instruction ID: a783f22a16f164521190f59bc0dd24218ed51b213d18d6b361be1f036d95000a
Opcode Fuzzy Hash: ce1f6af66544da25c670610ff2f99146032afd5ff84caf3c9d1b1bd70ea7d777
Instruction Fuzzy Hash: 7122D9701483859FDB227B308D5A7E8BF61BF42B04F18A15EEA8D7B0D3D3658A45D382

Uniqueness

Uniqueness Score: -1.00%

Function 00E82E8E, Relevance: 1.7, APIs: 1, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08a4096da666e2bc70b3340ee17a1e8147b8302955b311795793fbd1ffad7a7d
Instruction ID: 99c739f7c2ce06545af85390d86e8468891c89c1bd36056221257be661c1bb1d
Opcode Fuzzy Hash: 08a4096da666e2bc70b3340ee17a1e8147b8302955b311795793fbd1ffad7a7d
Instruction Fuzzy Hash: 79414CB0644342DFEB117E708985BE976A4DF15758F6420ADEE8EB70E2D3B4C980D722

Uniqueness

Uniqueness Score: -1.00%

Function 00E8390A, Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a5a7c32d09160e5b128b90760ae96c2caa260c6b6dab1127fd322deda07ff49
Instruction ID: 502c834181f5bf6397ffb436affda27b9608356d44ba20d57832c3d59087afb3
Opcode Fuzzy Hash: 4a5a7c32d09160e5b128b90760ae96c2caa260c6b6dab1127fd322deda07ff49
Instruction Fuzzy Hash: 9D41F3525492818FCB26BA78895A2D97F60AB43F14B1CA6DEC4CDBB053D360DF02C7C1

Uniqueness

Uniqueness Score: -1.00%

Function 00E8332E, Relevance: 1.6, APIs: 1, Instructions: 125networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 1355a57d98f03b01b6961cc03d5814bfa21ad3e7b45068f9a8f4940c09318edf
Instruction ID: 569161f9420ee406d6069f85ab0d04b0d1d10a5a64f17fd6480c670a4c9f25fa
Opcode Fuzzy Hash: 1355a57d98f03b01b6961cc03d5814bfa21ad3e7b45068f9a8f4940c09318edf
Instruction Fuzzy Hash: 714113212093C6DFD732AA388D657E93B609F42B04F1814AAD96DEA443DA60CB48C762

Uniqueness

Uniqueness Score: -1.00%

Function 00E821B2, Relevance: 1.6, APIs: 1, Instructions: 124threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00E821E0

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 60b0101908cdcba31659131b3d47f89341f169a6f7eed535f8015f8d322ecbff
Instruction ID: 8a3227ed87cb1957dfffb773e6d46e999acf006a169ac151ae9654afea566159
Opcode Fuzzy Hash: 60b0101908cdcba31659131b3d47f89341f169a6f7eed535f8015f8d322ecbff
Instruction Fuzzy Hash: 3D2179347083009EE7257A248A95BD937A25F46350F3561ACDF9EB71E6C330C481D312

Uniqueness

Uniqueness Score: -1.00%

Function 00E82155, Relevance: 1.6, APIs: 1, Instructions: 122threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00E821E0

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 2ffee8dcd20fba47d1645db8c24fddaaebeee444abfa42b9d320105746bbdc08
Instruction ID: efe6158c368d4c78678a48fdf2b1a8ecb5d55ca820e7d483a82c1ece09565d20
Opcode Fuzzy Hash: 2ffee8dcd20fba47d1645db8c24fddaaebeee444abfa42b9d320105746bbdc08
Instruction Fuzzy Hash: E2216874704300AEE7257A248EA0B9933A66F45764F31616CEF9FB71E6C730C881D722

Uniqueness

Uniqueness Score: -1.00%

Function 00E821EA, Relevance: 1.6, APIs: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00E821E0

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 63c675f472949b605d298f11b3cac06f3245268b3a4acaaa0fe5ad5e96131ecd
Instruction ID: a390467536b3edfbba2bb82c08368daa53619b0bfb26ffe9dc43dc336c05eb90
Opcode Fuzzy Hash: 63c675f472949b605d298f11b3cac06f3245268b3a4acaaa0fe5ad5e96131ecd
Instruction Fuzzy Hash: 9F416770604340AFE7156F348D95B9A3BA1AF46354F2551ACEB8EA70E7C374C980CB62

Uniqueness

Uniqueness Score: -1.00%

Function 00E84BC2, Relevance: 1.6, APIs: 1, Instructions: 114libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9c32ff045de977a155ac185cdb691270894eeca5910ff4bbb2767e467f87fe70
Instruction ID: bd11aa207d801bcad78820399314065319422def3fa45bf47b158f0f10fabd0a
Opcode Fuzzy Hash: 9c32ff045de977a155ac185cdb691270894eeca5910ff4bbb2767e467f87fe70
Instruction Fuzzy Hash: 993124F550A117DBDB14FE2082207FAB7A4EE25754BB57269EC8F3B1C4D321AD01A781

Uniqueness

Uniqueness Score: -1.00%

Function 00E831CE, Relevance: 1.6, APIs: 1, Instructions: 108libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6eb90b986f5eee2508904dab7e2eadc3460eaa5781e57071138ff20f16d630be
Instruction ID: fd503ac8852781e97ad5955d68c0338123a3ea684c9b49d4ef5dbc8f08ffc77b
Opcode Fuzzy Hash: 6eb90b986f5eee2508904dab7e2eadc3460eaa5781e57071138ff20f16d630be
Instruction Fuzzy Hash: 8E31A83150A3869ACB35FF7086553DA3F61EF52B10F68A09DD8CE7B146C7318A02C796

Uniqueness

Uniqueness Score: -1.00%

Function 00E8327A, Relevance: 1.6, APIs: 1, Instructions: 98libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 4096000a7b9191e0c1c8d9d81f7afaf6bd00640b3dbb4171e791024e4c714e58
Instruction ID: 72790cc3b310510cda0cbbc7f689be012036cb319ca5b9a3fc8fe7cfef8c5d46
Opcode Fuzzy Hash: 4096000a7b9191e0c1c8d9d81f7afaf6bd00640b3dbb4171e791024e4c714e58
Instruction Fuzzy Hash: C831573160A386DAC735FF3486667DA3F60AF53700F68A09CD4CE2B156D6708A01C792

Uniqueness

Uniqueness Score: -1.00%

Function 00E83236, Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 6d09c6e96bba4dd3681859432a914999a46d1354ae3a9c98997dff81f17ab5f7
Instruction ID: a1a7f894543263010900e8c637288f06904477004d10360c5f1b022cd704401b
Opcode Fuzzy Hash: 6d09c6e96bba4dd3681859432a914999a46d1354ae3a9c98997dff81f17ab5f7
Instruction Fuzzy Hash: F931673160A386DACB35FF3086653DA3F61FF52700F64A19DD8CE6B256D6318A01D792

Uniqueness

Uniqueness Score: -1.00%

Function 00E83304, Relevance: 1.6, APIs: 1, Instructions: 89networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: c16bcc73002cc8fddc661f36443dd45fde921bece0da059daec853ede90f362a
Instruction ID: 389789649e11eee74f98f1565903472ba4a85c045a48287325cc746e6b0b52a9
Opcode Fuzzy Hash: c16bcc73002cc8fddc661f36443dd45fde921bece0da059daec853ede90f362a
Instruction Fuzzy Hash: 4331F43024438BEBEB31AE28CC51FEE33A6AF40740F509525FD1EAA090CB718784A721

Uniqueness

Uniqueness Score: -1.00%

Function 00E821AA, Relevance: 1.6, APIs: 1, Instructions: 80threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNELBASE(000000FE,00000000), ref: 00E821E0

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 713ba6615373a8f17a725444bda7decc99f18786a2bd7e4380c417b86f8d8977
Instruction ID: eb13057454eb1bee7dfc68764052bc6819e63ee0773e7af05bacd1ccbecb2d9a
Opcode Fuzzy Hash: 713ba6615373a8f17a725444bda7decc99f18786a2bd7e4380c417b86f8d8977
Instruction Fuzzy Hash: A7216574700300AEE7247A248A91BE932A6AF45764F316168EF5EB71E6C330C8819725

Uniqueness

Uniqueness Score: -1.00%

Function 00E83366, Relevance: 1.6, APIs: 1, Instructions: 66networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 95f614a487974da233ee87ec63418dc6f8518a90ebbee2ffcd1022f5e99f82dc
Instruction ID: c23474ca218d5431c1b3a7ba1301a252bac47edadcd2cb62c5fd5091e6d41868
Opcode Fuzzy Hash: 95f614a487974da233ee87ec63418dc6f8518a90ebbee2ffcd1022f5e99f82dc
Instruction Fuzzy Hash: D721A23034438BEBEB35AE38CD91BEE37A5EB01B04F545429ED6DEA041DB3196849721

Uniqueness

Uniqueness Score: -1.00%

Function 00E839C9, Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E83304: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,00E839F3,00000004), ref: 00E8337A

Part of subcall function 00E832A8: InternetOpenA.WININET(00E83A10,00000000,00000000,00000000,00000000), ref: 00E832BA

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 7c283666f7a843e8b60b609bec9716cd283743017f0b72417d6d47e264b4dc3d
Instruction ID: eb533f20b952c2008c0ae48ebbd4d7404e088fdc2086ce628dbd529c514b1bad
Opcode Fuzzy Hash: 7c283666f7a843e8b60b609bec9716cd283743017f0b72417d6d47e264b4dc3d
Instruction Fuzzy Hash: 0F11AB72A0E7D1AEC3276B3045AB193BF60BE53700729D0CDC4C92A163D691DB12D7D2

Uniqueness

Uniqueness Score: -1.00%

Function 00E839FA, Relevance: 1.6, APIs: 1, Instructions: 58libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,00000000,00E83C01,?,00E83B2D,?,00E82605,?,?,00000000,?,?,?,?), ref: 00E83A75

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: c87873f8ea4f9078d50ef6f86b9879515761a3e2e48d8f9145758f88d4df4560
Instruction ID: b5802c5a90057822047dc0a52dca1666d6f4e0439fd68b7be028d7da13db9cc6
Opcode Fuzzy Hash: c87873f8ea4f9078d50ef6f86b9879515761a3e2e48d8f9145758f88d4df4560
Instruction Fuzzy Hash: F911AB3251E3C095CB36BB70019A1837FA0BA9371071CE0CDC4C925067D691DB12D7C6

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B3F, Relevance: 1.5, APIs: 1, Instructions: 45libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 7ce7ce5ad2c9aaa7084182a6251877891a3bb52ab68c5d2f9c0b45c4e28326a4
Instruction ID: 4bbb2207104a459b914248f014e3be0d3bafdf55e306e77a83e5f22850e60deb
Opcode Fuzzy Hash: 7ce7ce5ad2c9aaa7084182a6251877891a3bb52ab68c5d2f9c0b45c4e28326a4
Instruction Fuzzy Hash: 79F0F6E454A207C9EB203A6557527FC9158CF6074CFA071797C8EF70C6D680C5445783

Uniqueness

Uniqueness Score: -1.00%

Function 00E842AA, Relevance: 1.5, APIs: 1, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00E84217), ref: 00E84357

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 73daa48235be72bd4a53868966f6fdfa768a10128eea682c0e34033b11712d87
Instruction ID: 827a392c0e996efd6d2880ac18d11ef11a4ac3b0cb4fed0eea840e7ffbc40ffc
Opcode Fuzzy Hash: 73daa48235be72bd4a53868966f6fdfa768a10128eea682c0e34033b11712d87
Instruction Fuzzy Hash: 81F0F6E6A5C143D9DF34757C0AC77E4BA10D362700FA8227A7A4D760DAD1514150C3C7

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B72, Relevance: 1.5, APIs: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 80add25eca7a5356154dac6f28fb411a633c091d42dddceba31fcad3a9fc5be0
Instruction ID: 42c3353514650621f0360cf1043e29a1cad34ce9ab6928137bc8fd7feea5c547
Opcode Fuzzy Hash: 80add25eca7a5356154dac6f28fb411a633c091d42dddceba31fcad3a9fc5be0
Instruction Fuzzy Hash: 24F05CF914A307C6AB047AB153513EDAA48CC60704BE031B99C8FB70C4965085042782

Uniqueness

Uniqueness Score: -1.00%

Function 00E84BDA, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 45e358dfd4265c58c2cff9c796bd2eb5a1fd2b04edcca641c632f56897d15260
Instruction ID: ff6b66fdeb1cfd29e0201d5cb414cbfb0737824f52eb2eff2d7ae90b9cea2a41
Opcode Fuzzy Hash: 45e358dfd4265c58c2cff9c796bd2eb5a1fd2b04edcca641c632f56897d15260
Instruction Fuzzy Hash: 95E0ABE914A10BC66B147AB013423F8AA04CC207087E031BAAC8FB30C04210C60027C2

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B86, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b13415208e7801b7e1e0cb7d11b91bcd85640417c6f010a9f7af154f812d87d5
Instruction ID: a10bfd1e865a80f31f36975346ba295322aaa897515d742ea2e3347972b3015e
Opcode Fuzzy Hash: b13415208e7801b7e1e0cb7d11b91bcd85640417c6f010a9f7af154f812d87d5
Instruction Fuzzy Hash: 12E02BE854A20BC66B147A7553563F8AA44CC54748BF471B9AC8FB70C15654C64067C2

Uniqueness

Uniqueness Score: -1.00%

Function 00E84B06, Relevance: 1.5, APIs: 1, Instructions: 26libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,?,00000040,00000000,?), ref: 00E84C03

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 68bc1aa8ff1ea6ea3942158116b7d493c6f2f6264c5ad2094780fc9985d7666a
Instruction ID: 8bdce799efd3a0e7e46aba021f083bf2f6411fe5211c85af00dbdcfde9b3975f
Opcode Fuzzy Hash: 68bc1aa8ff1ea6ea3942158116b7d493c6f2f6264c5ad2094780fc9985d7666a
Instruction Fuzzy Hash: D2E086D464B157CAFB1039615B043FA415CCE64795FB060167C4FB30D5A284C9406752

Uniqueness

Uniqueness Score: -1.00%

Function 00E842DA, Relevance: 1.5, APIs: 1, Instructions: 20fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00E84217), ref: 00E84357

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 27620ca41072042a9fefc89b7b51eea4d9f91ffc1e8b112e550c02eb420d3024
Instruction ID: e224feb3b7f8280c27de23aa8c5c1d949e61dbfed99cd7ec2b81fca893ee4842
Opcode Fuzzy Hash: 27620ca41072042a9fefc89b7b51eea4d9f91ffc1e8b112e550c02eb420d3024
Instruction Fuzzy Hash: 6DD05EB1B98303F9EE3862001D96FF52182DB60F01F76511A7F0E380C5E2A01580E313

Uniqueness

Uniqueness Score: -1.00%

Function 00E8430A, Relevance: 1.5, APIs: 1, Instructions: 13fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00E84217), ref: 00E84357

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 852703033fa6481e23d5fb919b091a76aa6d540ff82f3c0f03cceab6f4b773f0
Instruction ID: 353aa57b570698fdde818ed132398b900722073f0c131f98c857987cb67a8a19
Opcode Fuzzy Hash: 852703033fa6481e23d5fb919b091a76aa6d540ff82f3c0f03cceab6f4b773f0
Instruction Fuzzy Hash: 80D080B0664303EDFE3466544C49FFD2192D760B01F765116FA0D390C5D1711080D711

Uniqueness

Uniqueness Score: -1.00%

Function 00E84F55, Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNELBASE(?), ref: 00E84F58

Memory Dump Source

Source File: 00000008.00000002.1026414841.0000000000E82000.00000040.00000001.sdmp, Offset: 00E82000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 220daa5338d32fc5cf86272b8904f92532e8cd44741e87f4eb26035de74381a7
Instruction ID: 273c34ca1c9d2fa2d0f9bf30aa59d1fc45615bbac0378d15a63e74845e6ab341
Opcode Fuzzy Hash: 220daa5338d32fc5cf86272b8904f92532e8cd44741e87f4eb26035de74381a7
Instruction Fuzzy Hash: 1DC0CAB010810ABB8F042F508A48ADE3B3AAE85385B106004BE6E690A0C3328968AB12

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report TT SWIFT COPY.scr

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

Function 00401BAC, Relevance: 1.5, APIs: 1, Instructions: 289
COMMONCrypto

Function 00401B7C, Relevance: 1.5, APIs: 1, Instructions: 208
memoryCOMMON