Analysis Report ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe

Overview

General Information

Sample Name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
Analysis ID:403997
MD5:5777362ea00ed2dd6c40121450291e7d
SHA1:4cbdfa68ef829f9709ee74bb883985d8a18c4048
SHA256:f6f23db6c1ecdf6b5766a22434e7a9c24585ecf94cf8a784f1a15640d0f0ba45

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

DLL reload attack detected
Found malware configuration
Malicious sample detected (through community Yara rule)
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Tries to detect virtualization through RDTSC time measurements
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
PE file contains executable resources (Code or Archives)
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL"}

Yara Overview

Memory Dumps

    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth, Strings: 0x110c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth, Strings: 0x110c:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB

    Sigma Overview

    No Sigma rule has matched

    Signature Overview

    AV Detection:

    Found malware configuration
    Source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp | Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL"}
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

    Networking:

    C2 URLs / IPs found in malware configuration
    Source: Malware configuration extractor | URLs: https://drive.google.com/uc?export=download&id=1hJRfPD7mATt1zd_Z0FIM8Q9qnryDNQsL

    System Summary:

    Malicious sample detected (through community Yara rule)
    Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B54FB9 NtProtectVirtualMemory, 0_2_02B54FB9
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B525DA NtAllocateVirtualMemory, 0_2_02B525DA
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B52786 NtAllocateVirtualMemory, 0_2_02B52786
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B52781 NtAllocateVirtualMemory, 0_2_02B52781
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Static PE information: Resource name: RT_VERSION type: COM executable for DOS
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Binary or memory string: OriginalFilenamePHILAD.exe vs ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, type: MEMORY | Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
    Source: classification engine | Classification label: mal80.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | File created: C:\Users\user\AppData\Local\Temp\~DF6274FC7E47975599.TMP
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

    Data Obfuscation:

    Yara detected GuLoader
    Source: Yara match | File source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, type: MEMORY

    Hooking and other Techniques for Hiding and Protection:

    DLL reload attack detected
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Module Loaded: Original DLL: "C:\USERS\user\DESKTOP\ACS ROUTE reload: AIRCRAFT COND. REQ INFORMATION & DOC00710020210501154406 PDF.EXE"
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Process information set: NOOPENFILEERRORBOX

    Malware Analysis System Evasion:

    Tries to detect virtualization through RDTSC time measurements
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | RDTSC instruction interceptor: First address: 0000000002B54D0E second address: 0000000002B54D0E instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b inc ecx 0x0000000c inc ebx 0x0000000d cmp bh, bh 0x0000000f cmp dword ptr [ebx], 9090C350h 0x00000015 jne 00007F0481024659h 0x00000017 cmp edx, dword ptr [ebx] 0x00000019 jne 00007F048102464Bh 0x0000001b cmp byte ptr [ebx], FFFFFFE8h 0x0000001e jne 00007F04810246B3h 0x00000020 fnop 0x00000022 cmp byte ptr [ebx], FFFFFFB8h 0x00000025 jne 00007F0481024664h 0x00000027 cmp ecx, 00002000h 0x0000002d jne 00007F048102455Ch 0x00000033 pushad 0x00000034 lfence 0x00000037 rdtsc
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | RDTSC instruction interceptor: First address: 0000000002B5243D second address: 0000000002B5243D instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F04803CB82Ah 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 cmp ax, cx 0x00000024 cmp ecx, 00000000h 0x00000027 jne 00007F04803CB80Bh 0x00000029 push ecx 0x0000002a test ebx, edx 0x0000002c cmp dx, cx 0x0000002f call 00007F04803CB84Bh 0x00000034 call 00007F04803CB83Ah 0x00000039 lfence 0x0000003c mov edx, dword ptr [7FFE0014h] 0x00000042 lfence 0x00000045 ret 0x00000046 mov esi, edx 0x00000048 pushad 0x00000049 rdtsc
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B514AA rdtsc 0_2_02B514AA
    Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B51240 mov eax, dword ptr fs:[00000030h] 0_2_02B51240
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B5424A mov eax, dword ptr fs:[00000030h] 0_2_02B5424A
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B523A3 mov eax, dword ptr fs:[00000030h] 0_2_02B523A3
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B545A8 mov eax, dword ptr fs:[00000030h] 0_2_02B545A8
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B54B81 mov eax, dword ptr fs:[00000030h] 0_2_02B54B81
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B5171E mov eax, dword ptr fs:[00000030h] 0_2_02B5171E
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B51718 mov eax, dword ptr fs:[00000030h] 0_2_02B51718
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Code function: 0_2_02B54B5D mov eax, dword ptr fs:[00000030h] 0_2_02B54B5D
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Program Manager
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progman
    Source: ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe, 00000000.00000002.1286359625.0000000000D70000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
    Source: C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe | Queries volume information: C:\ VolumeInformation

    Mitre Att&ck Matrix

    Techniques followed by a digit have matching signatures in this report; the other cells are the unpopulated matrix template.

    Initial Access: Valid Accounts | Default Accounts | Domain Accounts
    Execution: Windows Management Instrumentation | Scheduled Task/Job | At (Linux)
    Persistence: DLL Side-Loading 1 | Boot or Logon Initialization Scripts | Logon Script (Windows)
    Privilege Escalation: Process Injection 1 | DLL Side-Loading 1 | Logon Script (Windows)
    Defense Evasion: Process Injection 1 | DLL Side-Loading 1 | Obfuscated Files or Information
    Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager
    Discovery: Security Software Discovery 1 1 | Process Discovery 1 | System Information Discovery 1 1 1
    Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares
    Collection: Data from Local System | Data from Removable Media | Data from Network Shared Drive
    Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration
    Command and Control: Application Layer Protocol 1 | Junk Data | Steganography
    Network Effects: Eavesdrop on Insecure Network Communication | Exploit SS7 to Redirect Phone Calls/SMS | Exploit SS7 to Track Device Location
    Remote Service Effects: Remotely Track Device Without Authorization | Remotely Wipe Data Without Authorization | Obtain Device Cloud Backups
    Impact: Modify System Partition | Device Lockout | Delete Device Data

    Behavior Graph

    Screenshots

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    No Antivirus matches

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    No Antivirus matches

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:32.0.0 Black Diamond
    Analysis ID:403997
    Start date:04.05.2021
    Start time:16:05:50
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 10m 43s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of new started processes analysed:22
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal80.troj.evad.winEXE@1/0@0/0
    EGA Information:
    • Successful, ratio: 100%
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 100%
    • Number of executed functions: 4
    • Number of non-executed functions: 9
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Found application associated with file extension: .exe
    Warnings:
    • Report size getting too big, too many NtAllocateVirtualMemory calls found.

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.777529017205276
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    File size:98304
    MD5:5777362ea00ed2dd6c40121450291e7d
    SHA1:4cbdfa68ef829f9709ee74bb883985d8a18c4048
    SHA256:f6f23db6c1ecdf6b5766a22434e7a9c24585ecf94cf8a784f1a15640d0f0ba45
    SHA512:b040be11572cb05338212e73492d475211f24c79be94486ada0a5d4438d436bd24e92479d001531dcb6f56045a6901ab5526c72b9dee968e24f8e4a0380d4014
    SSDEEP:1536:OR02SmQFaUvIZddDGaz24YxUzAoma3vx:OnrsaXdZG1409ovJ
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......W.................P... ......|........`....@................

    File Icon

    Icon Hash:b074cecec891b2e4

    Static PE Info

    General

    Entrypoint:0x40157c
    Entrypoint Section:.text
    Digitally signed:false
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x5711B91D [Sat Apr 16 04:01:33 2016 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:631ffe9ad0b821781f48149fabda62f6

    Entrypoint Preview

    Instruction
    push 0040CA8Ch
    call 00007F0480BA7975h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    cmp byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov dh, 80h
    leave
    leave
    retf
    salc
    clc
    dec edi
    call far 49E6h : 708BCD81h
    fild word ptr [eax]
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [eax+edx*2+72h], bl
    outsd
    push 00000065h
    outsb
    popad
    outsb
    jnc 00007F0480BA7983h
    add byte ptr [eax], al
    add byte ptr [eax], al
    dec esp
    xor dword ptr [eax], eax
    sub byte ptr [esi+0B9DFADDh], ah
    sal edx, 1
    dec ecx
    stosb
    sub eax, 8D5E5938h
    jnle 00007F0480BA79F7h
    aad 85h
    and cl, ch
    mov ecx, AA4E556Bh
    test eax, 87B2E630h
    or dword ptr [edx], esp
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    mov dh, B3h
    add byte ptr [eax], al
    push esp
    add al, byte ptr [eax]
    add byte ptr [eax], al
    or dword ptr [eax], eax
    jbe 00007F0480BA79EBh
    outsb
    imul esp, dword ptr [ebp+74h], 73h
    jc 00007F0480BA79E3h
    add byte ptr [6B000901h], cl
    outsd
    push 0000006Fh
    insd
    jc 00007983h
    sbb dword ptr [ecx], eax
    add byte ptr [edx+00h], al

    Data Directories

    Name | Virtual Address | Virtual Size | Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_IMPORT | 0x14ed4 | 0x28 | .text
    IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x17000 | 0x5a4 | .rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
    IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x10c | .text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
    IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

    Sections

    Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
    .text | 0x1000 | 0x14350 | 0x15000 | False | 0.341331845238 | data | 5.21336422112 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data | 0x16000 | 0xad4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc | 0x17000 | 0x5a4 | 0x1000 | False | 0.182861328125 | data | 1.71064501623 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    Name | RVA | Size | Type | Language | Country
    RT_ICON | 0x173bc | 0x1e8 | data | |
    RT_GROUP_ICON | 0x173a8 | 0x14 | data | |
    RT_VERSION | 0x170f0 | 0x2b8 | COM executable for DOS | English | United States

    Imports

    DLL | Import
    MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

    Version Infos

    Description | Data
    Translation | 0x0409 0x04b0
    InternalName | PHILAD
    FileVersion | 1.00
    CompanyName | Mummys Technology
    Comments | Mummys Technology
    ProductName | Mummys Technology
    ProductVersion | 1.00
    FileDescription | Mummys Technology
    OriginalFilename | PHILAD.exe

    Possible Origin

    Language of compilation system:English
    Country where language is spoken:United States

    Network Behavior

    No network behavior found

    Code Manipulations

    System Behavior

    General

    Start time:16:06:39
    Start date:04/05/2021
    Path:C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\ACS route, aircraft cond. req information & doc00710020210501154406 PDF.exe'
    Imagebase:0x400000
    File size:98304 bytes
    MD5 hash:5777362EA00ED2DD6C40121450291E7D
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000000.204937287.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
    • Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000000.00000002.1285251776.000000000040C000.00000020.00020000.sdmp, Author: Florian Roth
    Reputation:low

    Disassembly

    Code Analysis

      Execution Graph

      Execution Coverage:1.1%
      Dynamic/Decrypted Code Coverage:100%
      Signature Coverage:20%
      Total number of Nodes:942
      Total number of Limit Nodes:4

4057 2b52bd9 4058 2b52c72 4057->4058 4059 2b52e1d 4058->4059 4061 2b554bd GetPEB 4058->4061 4060 2b554bd GetPEB 4059->4060 4062 2b52e31 4060->4062 4063 2b52cc8 4061->4063 4063->4059 4064 2b554bd GetPEB 4063->4064 4065 2b52dc9 4063->4065 4064->4063 4066 2b554bd GetPEB 4065->4066 4067 2b52dde 4066->4067 4068 2b554bd GetPEB 4067->4068 4069 2b52df1 4068->4069 3891 2b50d98 3892 2b50dd1 3891->3892 3893 2b554bd GetPEB 3891->3893 3894 2b554bd GetPEB 3892->3894 3893->3892 3895 2b50de3 3894->3895 4223 2b50418 4224 2b52781 7 API calls 4223->4224 4225 2b50422 4224->4225 4226 2b542b6 7 API calls 4225->4226 4227 2b5042f 4226->4227 4228 2b50431 7 API calls 4227->4228 4229 2b50459 4228->4229 4230 2b51718 4231 2b51733 4230->4231 4232 2b51997 7 API calls 4231->4232 4233 2b5173a GetPEB 4232->4233 4234 2b5175e 4233->4234 4235 2b5181c 4234->4235 4236 2b554bd GetPEB 4234->4236 4237 2b517ee 4234->4237 4236->4234 4238 2b554bd GetPEB 4237->4238 4238->4235 3896 2b5459b 3897 2b545a7 3896->3897 3898 2b51bac 3896->3898 3899 2b51bc7 3898->3899 3920 2b50516 3898->3920 3901 2b54b5d 7 API calls 3899->3901 3900 2b542b6 7 API calls 3900->3920 3902 2b51bd3 3901->3902 3904 2b554bd GetPEB 3902->3904 3903 2b525da 7 API calls 3903->3920 3905 2b51c46 3904->3905 3907 2b52007 3905->3907 3909 2b52257 7 API calls 3905->3909 3906 2b554bd GetPEB 3906->3920 3908 2b554bd GetPEB 3907->3908 3910 2b5201a 3908->3910 3911 2b51c81 3909->3911 3912 2b554bd GetPEB 3910->3912 3914 2b554bd GetPEB 3911->3914 3913 2b52037 3912->3913 3915 2b554bd GetPEB 3913->3915 3917 2b51d27 3914->3917 3916 2b5204e 3915->3916 3918 2b554bd GetPEB 3916->3918 3917->3907 3919 2b554bd GetPEB 3917->3919 3921 2b5210c 3918->3921 3922 2b51d71 3919->3922 3920->3900 3920->3903 3920->3906 3923 2b505ce 7 API calls 3920->3923 3925 2b53371 3920->3925 3928 2b543ef 3920->3928 3922->3907 3924 2b554bd GetPEB 3922->3924 3923->3920 3931 2b51e65 3924->3931 3926 2b530f2 7 API calls 3925->3926 3927 2b53376 3926->3927 3929 2b530a8 7 API calls 3927->3929 3930 2b5338c 
3929->3930 3931->3907 3932 2b554bd GetPEB 3931->3932 3933 2b51f74 3932->3933 3933->3907 3934 2b554bd GetPEB 3933->3934 3935 2b51fb4 3934->3935 3935->3907 3936 2b51fc1 3935->3936 3937 2b554bd GetPEB 3936->3937 3938 2b51fdf 3937->3938 3939 2b554bd GetPEB 3938->3939 3940 2b51ff8 3939->3940 4457 2b5205a 4458 2b520f2 4457->4458 4459 2b554bd GetPEB 4458->4459 4460 2b5210c 4459->4460 3941 2b55585 3942 2b5562c 3941->3942 3943 2b54a88 GetPEB 3941->3943 3943->3942 4239 2b52005 4240 2b52007 4239->4240 4241 2b554bd GetPEB 4240->4241 4242 2b5201a 4241->4242 4243 2b554bd GetPEB 4242->4243 4244 2b52037 4243->4244 4245 2b554bd GetPEB 4244->4245 4246 2b5204e 4245->4246 4247 2b554bd GetPEB 4246->4247 4248 2b5210c 4247->4248 4249 2b52505 4250 2b5250a 4249->4250 4252 2b52586 4250->4252 4253 2b52589 4250->4253 4254 2b5258e 4253->4254 4254->4250 4254->4253 4255 2b545a8 GetPEB 4254->4255 4256 2b523ba 4255->4256 4256->4250 4461 2b54647 4462 2b54660 4461->4462 4468 2b523ba 4461->4468 4463 2b542b6 7 API calls 4462->4463 4465 2b5466e 4463->4465 4464 2b554bd GetPEB 4464->4465 4465->4464 4466 2b5482b 4465->4466 4465->4468 4467 2b545a8 GetPEB 4466->4467 4467->4468 3267 2b52786 3268 2b52834 3267->3268 3271 2b528ec 3267->3271 3272 2b542b6 3268->3272 3273 2b54355 3272->3273 3274 2b54395 3273->3274 3298 2b545a8 3273->3298 3284 2b543aa 3274->3284 3276 2b5436d 3277 2b5438b 3276->3277 3279 2b545a8 GetPEB 3276->3279 3280 2b543aa 7 API calls 3277->3280 3282 2b5437c 3279->3282 3280->3274 3281 2b52893 NtAllocateVirtualMemory 3281->3271 3282->3277 3283 2b545a8 GetPEB 3282->3283 3283->3277 3285 2b50516 3284->3285 3288 2b543ef 3284->3288 3286 2b542b6 7 API calls 3285->3286 3301 2b525da 3285->3301 3286->3285 3288->3281 3289 2b542b6 7 API calls 3292 2b5053a 3289->3292 3292->3284 3292->3289 3293 2b53371 3292->3293 3319 2b554bd 3292->3319 3321 2b505ce 3292->3321 3371 2b530f2 3293->3371 3299 2b545b4 GetPEB 3298->3299 3300 2b523ba 3298->3300 3299->3300 3300->3276 3302 2b542b6 6 API calls 3301->3302 3303 2b525e7 
3302->3303 3304 2b542b6 3303->3304 3305 2b52767 3303->3305 3308 2b545a8 GetPEB 3304->3308 3317 2b54395 3304->3317 3306 2b528ec 3305->3306 3307 2b542b6 6 API calls 3305->3307 3306->3292 3310 2b52893 NtAllocateVirtualMemory 3307->3310 3309 2b5436d 3308->3309 3311 2b5438b 3309->3311 3313 2b545a8 GetPEB 3309->3313 3310->3306 3314 2b543aa 6 API calls 3311->3314 3312 2b543aa 6 API calls 3315 2b543a4 3312->3315 3316 2b5437c 3313->3316 3314->3317 3315->3292 3316->3311 3318 2b545a8 GetPEB 3316->3318 3317->3312 3318->3311 3389 2b554c2 3319->3389 3396 2b52781 3321->3396 3323 2b505d7 3324 2b542b6 7 API calls 3323->3324 3325 2b505f1 3324->3325 3326 2b542b6 7 API calls 3325->3326 3327 2b5060f 3326->3327 3401 2b50634 3327->3401 3329 2b5062b 3329->3292 3330 2b50624 3330->3329 3362 2b54262 3330->3362 3444 2b52e36 3330->3444 3331 2b545a8 GetPEB 3332 2b523ba 3331->3332 3332->3292 3336 2b507a1 3337 2b542b6 7 API calls 3336->3337 3338 2b507c4 3337->3338 3339 2b554bd GetPEB 3338->3339 3340 2b507d5 3339->3340 3342 2b542b6 7 API calls 3340->3342 3349 2b5083c 3340->3349 3341 2b542b6 7 API calls 3343 2b50987 3341->3343 3344 2b507fa 3342->3344 3346 2b542b6 7 API calls 3343->3346 3345 2b554bd GetPEB 3344->3345 3345->3349 3347 2b509a5 3346->3347 3348 2b554bd GetPEB 3347->3348 3350 2b509c4 3348->3350 3349->3341 3349->3362 3351 2b509e3 3350->3351 3352 2b50a0e 3350->3352 3350->3362 3361 2b509fd 3351->3361 3486 2b51bac 3351->3486 3353 2b50b68 3352->3353 3529 2b50eb7 3352->3529 3354 2b50b88 3353->3354 3357 2b50b7c 3353->3357 3358 2b50eb7 7 API calls 3353->3358 3623 2b50b8f 3354->3623 3357->3354 3614 2b5103c 3357->3614 3358->3357 3363 2b554bd GetPEB 3361->3363 3362->3331 3364 2b5238f 3363->3364 3364->3292 3365 2b50a23 3365->3353 3535 2b54b5d 3365->3535 3367 2b50b2d 3552 2b50c77 3367->3552 3369 2b50b3c 3606 2b510db 3369->3606 3372 2b52781 7 API calls 3371->3372 3373 2b530f9 3372->3373 3374 2b542b6 7 API calls 3373->3374 3375 2b53113 3374->3375 3376 2b542b6 7 API calls 3375->3376 3377 2b53128 
3376->3377 3378 2b530a8 3377->3378 3379 2b52781 7 API calls 3378->3379 3380 2b530b1 3379->3380 3381 2b542b6 7 API calls 3380->3381 3382 2b530c9 3381->3382 3383 2b542b6 7 API calls 3382->3383 3384 2b530e2 3383->3384 3385 2b530f2 7 API calls 3384->3385 3386 2b53376 3385->3386 3387 2b530a8 7 API calls 3386->3387 3388 2b5338c 3387->3388 3388->3281 3390 2b554cd 3389->3390 3393 2b54a88 3390->3393 3392 2b5562c 3394 2b545a8 GetPEB 3393->3394 3395 2b54aa0 3394->3395 3395->3392 3397 2b52822 3396->3397 3398 2b542b6 6 API calls 3397->3398 3400 2b528ec 3397->3400 3399 2b52893 NtAllocateVirtualMemory 3398->3399 3399->3400 3400->3323 3402 2b52781 7 API calls 3401->3402 3407 2b50640 3402->3407 3403 2b52e36 7 API calls 3404 2b5079c 3403->3404 3626 2b523a3 GetPEB 3404->3626 3406 2b507a1 3408 2b542b6 7 API calls 3406->3408 3407->3403 3435 2b54262 3407->3435 3410 2b507c4 3408->3410 3409 2b545a8 GetPEB 3420 2b523ba 3409->3420 3411 2b554bd GetPEB 3410->3411 3412 2b507d5 3411->3412 3414 2b542b6 7 API calls 3412->3414 3430 2b5083c 3412->3430 3413 2b542b6 7 API calls 3415 2b50987 3413->3415 3416 2b507fa 3414->3416 3418 2b542b6 7 API calls 3415->3418 3417 2b554bd GetPEB 3416->3417 3417->3430 3419 2b509a5 3418->3419 3421 2b554bd GetPEB 3419->3421 3420->3330 3422 2b509c4 3421->3422 3423 2b509e3 3422->3423 3424 2b50a0e 3422->3424 3422->3435 3428 2b51bac 7 API calls 3423->3428 3434 2b509fd 3423->3434 3425 2b50b68 3424->3425 3427 2b50eb7 7 API calls 3424->3427 3426 2b50b88 3425->3426 3429 2b50b7c 3425->3429 3431 2b50eb7 7 API calls 3425->3431 3433 2b50b8f 7 API calls 3426->3433 3438 2b50a23 3427->3438 3428->3423 3429->3426 3432 2b5103c 7 API calls 3429->3432 3430->3413 3430->3435 3431->3429 3432->3426 3433->3435 3436 2b554bd GetPEB 3434->3436 3435->3409 3437 2b5238f 3436->3437 3437->3330 3438->3425 3439 2b54b5d 7 API calls 3438->3439 3440 2b50b2d 3439->3440 3441 2b50c77 7 API calls 3440->3441 3442 2b50b3c 3441->3442 3443 2b510db GetPEB 3442->3443 3443->3425 3445 2b542b6 7 API calls 3444->3445 
3446 2b52e56 3445->3446 3447 2b542b6 7 API calls 3446->3447 3448 2b52e70 3447->3448 3449 2b542b6 7 API calls 3448->3449 3450 2b52e82 3449->3450 3451 2b52f35 3450->3451 3452 2b542b6 7 API calls 3450->3452 3453 2b542b6 7 API calls 3451->3453 3452->3451 3454 2b52f49 3453->3454 3455 2b542b6 7 API calls 3454->3455 3456 2b52f5e 3455->3456 3457 2b542b6 7 API calls 3456->3457 3458 2b52f71 3457->3458 3459 2b542b6 7 API calls 3458->3459 3460 2b52f87 3459->3460 3461 2b542b6 7 API calls 3460->3461 3462 2b52fa7 3461->3462 3463 2b542b6 7 API calls 3462->3463 3464 2b52fb9 3463->3464 3465 2b542b6 7 API calls 3464->3465 3466 2b52fda 3465->3466 3467 2b542b6 7 API calls 3466->3467 3468 2b52fed 3467->3468 3469 2b542b6 7 API calls 3468->3469 3470 2b53002 3469->3470 3471 2b542b6 7 API calls 3470->3471 3472 2b5301e 3471->3472 3473 2b542b6 7 API calls 3472->3473 3474 2b5303c 3473->3474 3475 2b542b6 7 API calls 3474->3475 3476 2b5304f 3475->3476 3477 2b542b6 7 API calls 3476->3477 3478 2b53064 3477->3478 3479 2b542b6 7 API calls 3478->3479 3480 2b53079 3479->3480 3481 2b542b6 7 API calls 3480->3481 3482 2b53099 3481->3482 3483 2b530a8 7 API calls 3482->3483 3484 2b5079c 3483->3484 3485 2b523a3 GetPEB 3484->3485 3485->3336 3487 2b51bc7 3486->3487 3508 2b50516 3486->3508 3489 2b54b5d 7 API calls 3487->3489 3488 2b542b6 7 API calls 3488->3508 3490 2b51bd3 3489->3490 3492 2b554bd GetPEB 3490->3492 3491 2b525da 7 API calls 3491->3508 3493 2b51c46 3492->3493 3495 2b52007 3493->3495 3627 2b52257 3493->3627 3494 2b554bd GetPEB 3494->3508 3496 2b554bd GetPEB 3495->3496 3498 2b5201a 3496->3498 3500 2b554bd GetPEB 3498->3500 3501 2b52037 3500->3501 3503 2b554bd GetPEB 3501->3503 3504 2b5204e 3503->3504 3506 2b554bd GetPEB 3504->3506 3509 2b5210c 3506->3509 3508->3488 3508->3491 3508->3494 3511 2b505ce 7 API calls 3508->3511 3513 2b53371 3508->3513 3518 2b543ef 3508->3518 3509->3351 3511->3508 3514 2b530f2 7 API calls 3513->3514 3515 2b53376 3514->3515 3516 2b530a8 7 API calls 3515->3516 3517 2b5338c 
3516->3517 3517->3351 3518->3351 3530 2b5373e 3529->3530 3669 2b50ec4 3530->3669 3532 2b53743 3674 2b50ee2 3532->3674 3534 2b5374b 3534->3365 3536 2b542b6 6 API calls 3535->3536 3537 2b54b70 3536->3537 3538 2b542b6 6 API calls 3537->3538 3539 2b54c20 GetPEB 3538->3539 3543 2b54c66 3539->3543 3679 2b54fb9 NtProtectVirtualMemory 3539->3679 3541 2b54e9c 3541->3367 3542 2b54ea5 3546 2b54ed6 3542->3546 3549 2b54f3f 3542->3549 3543->3541 3543->3542 3548 2b54cf1 3543->3548 3545 2b54fb0 3545->3367 3681 2b54fb9 NtProtectVirtualMemory 3546->3681 3548->3541 3548->3548 3680 2b54fb9 NtProtectVirtualMemory 3548->3680 3682 2b54fb9 NtProtectVirtualMemory 3549->3682 3550 2b54f38 3550->3367 3553 2b50d31 3552->3553 3554 2b50d3d 3553->3554 3555 2b51bac 3553->3555 3557 2b50d58 3554->3557 3558 2b554bd GetPEB 3554->3558 3556 2b51bc7 3555->3556 3568 2b50516 3555->3568 3561 2b54b5d 7 API calls 3556->3561 3560 2b554bd GetPEB 3557->3560 3558->3557 3559 2b542b6 7 API calls 3559->3568 3562 2b50d75 3560->3562 3563 2b51bd3 3561->3563 3565 2b554bd GetPEB 3562->3565 3567 2b554bd GetPEB 3563->3567 3564 2b525da 7 API calls 3564->3568 3566 2b50dd1 3565->3566 3569 2b554bd GetPEB 3566->3569 3570 2b51c46 3567->3570 3568->3559 3568->3564 3571 2b554bd GetPEB 3568->3571 3588 2b505ce 7 API calls 3568->3588 3590 2b53371 3568->3590 3595 2b543ef 3568->3595 3572 2b50de3 3569->3572 3573 2b52007 3570->3573 3575 2b52257 7 API calls 3570->3575 3571->3568 3572->3369 3574 2b554bd GetPEB 3573->3574 3576 2b5201a 3574->3576 3578 2b51c81 3575->3578 3577 2b554bd GetPEB 3576->3577 3579 2b52037 3577->3579 3580 2b554bd GetPEB 3578->3580 3581 2b554bd GetPEB 3579->3581 3583 2b51d27 3580->3583 3582 2b5204e 3581->3582 3584 2b554bd GetPEB 3582->3584 3583->3573 3585 2b554bd GetPEB 3583->3585 3586 2b5210c 3584->3586 3587 2b51d71 3585->3587 3586->3369 3587->3573 3589 2b554bd GetPEB 3587->3589 3588->3568 3596 2b51e65 3589->3596 3591 2b530f2 7 API calls 3590->3591 3592 2b53376 3591->3592 3593 2b530a8 7 API calls 3592->3593 3594 
2b5338c 3593->3594 3594->3369 3595->3369 3596->3573 3597 2b554bd GetPEB 3596->3597 3598 2b51f74 3597->3598 3598->3573 3599 2b554bd GetPEB 3598->3599 3600 2b51fb4 3599->3600 3600->3573 3601 2b51fc1 3600->3601 3602 2b554bd GetPEB 3601->3602 3603 2b51fdf 3602->3603 3604 2b554bd GetPEB 3603->3604 3605 2b51ff8 3604->3605 3605->3369 3607 2b554bd GetPEB 3606->3607 3609 2b5110e 3607->3609 3608 2b51238 3608->3353 3609->3608 3610 2b554bd GetPEB 3609->3610 3611 2b5120c 3610->3611 3612 2b51230 3611->3612 3613 2b554bd GetPEB 3611->3613 3612->3353 3613->3612 3615 2b54066 7 API calls 3614->3615 3616 2b5105b 3615->3616 3683 2b51063 3616->3683 3619 2b50ec4 7 API calls 3620 2b53743 3619->3620 3621 2b50ee2 7 API calls 3620->3621 3622 2b5374b 3621->3622 3622->3354 3624 2b50bb3 3623->3624 3688 2b51240 3624->3688 3626->3406 3634 2b54066 3627->3634 3629 2b5226a 3646 2b52181 3629->3646 3635 2b54080 3634->3635 3635->3629 3636 2b545a8 GetPEB 3635->3636 3644 2b54395 3635->3644 3637 2b5436d 3636->3637 3638 2b5438b 3637->3638 3640 2b545a8 GetPEB 3637->3640 3641 2b543aa 7 API calls 3638->3641 3639 2b543aa 7 API calls 3642 2b543a4 3639->3642 3643 2b5437c 3640->3643 3641->3644 3642->3629 3643->3638 3645 2b545a8 GetPEB 3643->3645 3644->3639 3645->3638 3647 2b52781 7 API calls 3646->3647 3648 2b5218c 3647->3648 3650 2b521d8 3648->3650 3657 2b521b3 3648->3657 3652 2b5220a 3650->3652 3660 2b521e6 3650->3660 3656 2b53644 3652->3656 3663 2b52231 3652->3663 3654 2b53625 3654->3656 3666 2b50e5a 3654->3666 3658 2b52781 7 API calls 3657->3658 3659 2b521bc 3658->3659 3659->3650 3661 2b52781 7 API calls 3660->3661 3662 2b521f2 3661->3662 3662->3652 3664 2b52781 7 API calls 3663->3664 3665 2b5223a 3664->3665 3665->3654 3667 2b52781 7 API calls 3666->3667 3668 2b50e63 3667->3668 3668->3656 3670 2b52781 7 API calls 3669->3670 3671 2b50ed2 3670->3671 3672 2b50ee2 7 API calls 3671->3672 3673 2b5374b 3672->3673 3673->3532 3675 2b52781 7 API calls 3674->3675 3676 2b50ee9 3675->3676 3677 2b54066 7 API calls 
3676->3677 3678 2b50f10 3677->3678 3678->3534 3679->3543 3680->3541 3681->3550 3682->3545 3684 2b52781 7 API calls 3683->3684 3685 2b5106c 3684->3685 3686 2b510db GetPEB 3685->3686 3687 2b510d8 3686->3687 3687->3619 3689 2b542b6 6 API calls 3688->3689 3708 2b51258 3689->3708 3690 2b51bac 3691 2b51bc7 3690->3691 3714 2b50516 3690->3714 3692 2b54b5d 6 API calls 3691->3692 3693 2b51bd3 3692->3693 3695 2b554bd GetPEB 3693->3695 3694 2b525da 6 API calls 3694->3714 3696 2b51c46 3695->3696 3698 2b52007 3696->3698 3700 2b52257 6 API calls 3696->3700 3697 2b554bd GetPEB 3697->3714 3699 2b554bd GetPEB 3698->3699 3702 2b5201a 3699->3702 3703 2b51c81 3700->3703 3701 2b542b6 6 API calls 3701->3714 3704 2b554bd GetPEB 3702->3704 3707 2b554bd GetPEB 3703->3707 3706 2b52037 3704->3706 3705 2b554bd GetPEB 3705->3708 3709 2b554bd GetPEB 3706->3709 3711 2b51d27 3707->3711 3708->3690 3708->3705 3729 2b5181c 3708->3729 3736 2b51471 3708->3736 3710 2b5204e 3709->3710 3712 2b554bd GetPEB 3710->3712 3711->3698 3713 2b554bd GetPEB 3711->3713 3715 2b5210c 3712->3715 3716 2b51d71 3713->3716 3714->3694 3714->3697 3714->3701 3717 2b505ce 6 API calls 3714->3717 3719 2b53371 3714->3719 3726 2b543ef 3714->3726 3715->3624 3716->3698 3718 2b554bd GetPEB 3716->3718 3717->3714 3728 2b51e65 3718->3728 3720 2b530f2 6 API calls 3719->3720 3721 2b53376 3720->3721 3722 2b530a8 6 API calls 3721->3722 3724 2b5338c 3722->3724 3723 2b51733 3744 2b51997 3723->3744 3724->3624 3726->3624 3727 2b5173a GetPEB 3730 2b5175e 3727->3730 3728->3698 3732 2b554bd GetPEB 3728->3732 3729->3624 3730->3729 3731 2b554bd GetPEB 3730->3731 3734 2b517ee 3730->3734 3731->3730 3733 2b51f74 3732->3733 3733->3698 3737 2b554bd GetPEB 3733->3737 3735 2b554bd GetPEB 3734->3735 3735->3729 3736->3690 3736->3723 3736->3729 3738 2b51fb4 3737->3738 3738->3698 3739 2b51fc1 3738->3739 3740 2b554bd GetPEB 3739->3740 3741 2b51fdf 3740->3741 3742 2b554bd GetPEB 3741->3742 3743 2b51ff8 3742->3743 3743->3624 3745 2b519a7 3744->3745 3745->3727 3746 
2b54395 3745->3746 3747 2b545a8 GetPEB 3745->3747 3750 2b543aa 7 API calls 3746->3750 3748 2b5436d 3747->3748 3749 2b5438b 3748->3749 3751 2b545a8 GetPEB 3748->3751 3752 2b543aa 7 API calls 3749->3752 3753 2b543a4 3750->3753 3754 2b5437c 3751->3754 3752->3746 3753->3727 3754->3749 3755 2b545a8 GetPEB 3754->3755 3755->3749 3944 2b54b81 GetPEB 3957 2b54fb9 NtProtectVirtualMemory 3944->3957 3946 2b54e9c 3947 2b54ea5 3951 2b54f3f 3947->3951 3952 2b54ed6 3947->3952 3948 2b54c66 3948->3946 3948->3947 3954 2b54cf1 3948->3954 3950 2b54fb0 3960 2b54fb9 NtProtectVirtualMemory 3951->3960 3959 2b54fb9 NtProtectVirtualMemory 3952->3959 3954->3946 3958 2b54fb9 NtProtectVirtualMemory 3954->3958 3955 2b54f38 3957->3948 3958->3946 3959->3955 3960->3950 4070 2b52dc1 4071 2b52dc9 4070->4071 4072 2b554bd GetPEB 4071->4072 4073 2b52dde 4072->4073 4074 2b554bd GetPEB 4073->4074 4075 2b52df1 4074->4075 3961 2b54e8d 3964 2b54fb9 NtProtectVirtualMemory 3961->3964 3963 2b54e9c 3964->3963 4076 2b52bc9 4077 2b52781 7 API calls 4076->4077 4078 2b52bd0 4077->4078 4079 2b52e1d 4078->4079 4081 2b554bd GetPEB 4078->4081 4080 2b554bd GetPEB 4079->4080 4082 2b52e31 4080->4082 4083 2b52cc8 4081->4083 4083->4079 4084 2b554bd GetPEB 4083->4084 4085 2b52dc9 4083->4085 4084->4083 4086 2b554bd GetPEB 4085->4086 4087 2b52dde 4086->4087 4088 2b554bd GetPEB 4087->4088 4089 2b52df1 4088->4089 3965 2b52e8a 3966 2b542b6 7 API calls 3965->3966 3967 2b52f35 3966->3967 3968 2b542b6 7 API calls 3967->3968 3969 2b52f49 3968->3969 3970 2b542b6 7 API calls 3969->3970 3971 2b52f5e 3970->3971 3972 2b542b6 7 API calls 3971->3972 3973 2b52f71 3972->3973 3974 2b542b6 7 API calls 3973->3974 3975 2b52f87 3974->3975 3976 2b542b6 7 API calls 3975->3976 3977 2b52fa7 3976->3977 3978 2b542b6 7 API calls 3977->3978 3979 2b52fb9 3978->3979 3980 2b542b6 7 API calls 3979->3980 3981 2b52fda 3980->3981 3982 2b542b6 7 API calls 3981->3982 3983 2b52fed 3982->3983 3984 2b542b6 7 API calls 3983->3984 3985 2b53002 3984->3985 3986 2b542b6 7 
API calls 3985->3986 3987 2b5301e 3986->3987 3988 2b542b6 7 API calls 3987->3988 3989 2b5303c 3988->3989 3990 2b542b6 7 API calls 3989->3990 3991 2b5304f 3990->3991 3992 2b542b6 7 API calls 3991->3992 3993 2b53064 3992->3993 3994 2b542b6 7 API calls 3993->3994 3995 2b53079 3994->3995 3996 2b542b6 7 API calls 3995->3996 3997 2b53099 3996->3997 3998 2b530a8 7 API calls 3997->3998 3999 2b5338c 3998->3999 4469 2b5424a GetPEB

      Executed Functions

      Control-flow Graph

      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000), ref: 02B528CB
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 399f7699cf36733d005ec124c2e6e395befdbf9a491652bfce04e9cf8dca7bc0
      • Instruction ID: 0bb28b5095a0b7eca5e9e7864e1344b46edaff8d831aa892abebe23bb5a144aa
      • Opcode Fuzzy Hash: 399f7699cf36733d005ec124c2e6e395befdbf9a491652bfce04e9cf8dca7bc0
      • Instruction Fuzzy Hash: 5D41CC716813669FEB31AF349C913DE3BA6EF05360F0042ADEEC59F290D3318582CA41
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000), ref: 02B528CB
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: e7644686d25694e0bbdff18bd1e17de2b8e08f955ce6c00e09d6bb5038ab35c3
      • Instruction ID: 1832fcd17aeb31cfbfe20d54b845970bafc56de6886436d51ffa468d2f77478e
      • Opcode Fuzzy Hash: e7644686d25694e0bbdff18bd1e17de2b8e08f955ce6c00e09d6bb5038ab35c3
      • Instruction Fuzzy Hash: C04129B1EE2652ABC7157F7DCD847C8A7B0DB122F8F501E489C84C60DDFA32854189C2
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      APIs
      • NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000), ref: 02B528CB
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: a675018ef2b27f9688b9228763929cb7c5e2636616a8a975fb7a57613f676909
      • Instruction ID: eae198876a59c10779c909ad912a418912579ecae81b72883d73874be4a1ec4a
      • Opcode Fuzzy Hash: a675018ef2b27f9688b9228763929cb7c5e2636616a8a975fb7a57613f676909
      • Instruction Fuzzy Hash: 3731047168135A8FEF319E29CD953EA37A5FF19394F00022CDECC9F2A1D77186428A45
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Graph: single basic block 2b54fb9-2b54fd4 calling NtProtectVirtualMemory (rendered graph not recoverable from the page)
      APIs
      • NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02B54C66,00000040,02B51BD3,00000000,00000000,00000000,00000000,?,00000000,00000000,02B50C17), ref: 02B54FD2
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: MemoryProtectVirtual
      • String ID:
      • API String ID: 2706961497-0
      • Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
      • Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
      • Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
      • Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Control-flow Graph

      • Graph of the function at 2b51240 (rendered graph not recoverable from the page; entry block 2b51240-2b51289 calls 2b542b6)
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: ]b\%
      • API String ID: 0-242929970
      • Opcode ID: ff6632604b554e41972b65d5ad00e6b0585ec8c6f22492fc699b3914cc6e6638
      • Instruction ID: c6d70464c2822850f6a07c1894e1ba35764e416186846e06f7e71bf82ac1f939
      • Opcode Fuzzy Hash: ff6632604b554e41972b65d5ad00e6b0585ec8c6f22492fc699b3914cc6e6638
      • Instruction Fuzzy Hash: 2EC1F371B40612AFE7158F6CCC80BD5B7A5FF09350F588269EC9D9B341DB74A894CB90
      Uniqueness

      Uniqueness Score: -1.00%

      Control-flow Graph

      • Graph of the function at 2b514aa (rendered graph not recoverable from the page; entry block 2b514aa-2b514bb)
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID:
      • String ID: ]b\%
      • API String ID: 0-242929970
      • Opcode ID: de48f65cde0c1425678f286ea6866e5fb248543b46b458ffdc1e3db9472d326a
      • Instruction ID: 7cb20a949ffc227eabf66bd6e5333063646e293a092625b09030e1e005ff751c
      • Opcode Fuzzy Hash: de48f65cde0c1425678f286ea6866e5fb248543b46b458ffdc1e3db9472d326a
      • Instruction Fuzzy Hash: B941CF71710621AFE7298F6CD880BD5B7E1FF09314F1942A9EC9A8B241D770A4A0CBD0
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: MemoryProtectVirtual
      • String ID:
      • API String ID: 2706961497-0
      • Opcode ID: 069f4125af3b150a609e6c6b47cb1ea172f89d7226d52e4e6ec6ef7567a849a6
      • Instruction ID: 6a155339f536daed87011f1021d5f7e91822cb11eaadca69a5f026fd0de81adb
      • Opcode Fuzzy Hash: 069f4125af3b150a609e6c6b47cb1ea172f89d7226d52e4e6ec6ef7567a849a6
      • Instruction Fuzzy Hash: 1681B7309043529EDF25CF6888D8759BBA1DF52220F8982D9DD964F2DAD374C4C2CB22
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.1290771999.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false
      Joe Sandbox IDA Plugin
      • Snapshot File: hcaresult_0_2_2b50000_ACS route, aircraft cond.jbxd
      Yara matches
      Similarity
      • API ID: MemoryProtectVirtual
      • String ID:
      • API String ID: 2706961497-0
      • Opcode ID: 992cdabfe074e8bb68658b779f49b5baab664c6c60b6c1b42ab53a5a97053b44
      • Instruction ID: 34f476d9497621b073e0428b692e6b7bb7edd4d89e4a4b49cee76cb710bbe284
      • Opcode Fuzzy Hash: 992cdabfe074e8bb68658b779f49b5baab664c6c60b6c1b42ab53a5a97053b44
      • Instruction Fuzzy Hash: 816106A0D957919EC715BF7CC884B44BBB0DB132B4F559AC8DC81CE1EEE7328482C692
      Uniqueness

      Uniqueness Score: -1.00%
