Play interactive tour

Edit tour

Analysis Report Odeme_310521657_876007850.exe

Overview

General Information

Sample Name:	Odeme_310521657_876007850.exe
Analysis ID:	431163
MD5:	391ca3cf343a25bfd2b452478e54591b
SHA1:	07392a3e453fbf57a85190e0342e15c83e4eaffb
SHA256:	6abdca229afbc8050590a71d0a4be6dcaeaa44725e19d4eab23df6152465116d
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Odeme_310521657_876007850.exe (PID: 6940 cmdline: 'C:\Users\user\Desktop\Odeme_310521657_876007850.exe' MD5: 391CA3CF343A25BFD2B452478E54591B)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
Odeme_310521657_876007850.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: Odeme_310521657_876007850.exe

ReversingLabs: Detection: 31%

Source: Odeme_310521657_876007850.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165436070.000000000066A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A488 NtAllocateVirtualMemory,	0_2_0226A488
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A692 NtAllocateVirtualMemory,	0_2_0226A692
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A736 NtAllocateVirtualMemory,	0_2_0226A736
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A7D5 NtAllocateVirtualMemory,	0_2_0226A7D5
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A86E NtAllocateVirtualMemory,	0_2_0226A86E
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A56A NtAllocateVirtualMemory,	0_2_0226A56A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A5F6 NtAllocateVirtualMemory,	0_2_0226A5F6

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A488	0_2_0226A488
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268228	0_2_02268228
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262A06	0_2_02262A06
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261204	0_2_02261204
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02270605	0_2_02270605
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226B200	0_2_0226B200
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261A08	0_2_02261A08
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02260E15	0_2_02260E15
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268A12	0_2_02268A12
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226864A	0_2_0226864A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261AA6	0_2_02261AA6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022612A0	0_2_022612A0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268EBC	0_2_02268EBC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262285	0_2_02262285
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226828A	0_2_0226828A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267E94	0_2_02267E94
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262A98	0_2_02262A98
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02265AEC	0_2_02265AEC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022686C4	0_2_022686C4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266ACD	0_2_02266ACD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261ED2	0_2_02261ED2
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226AED1	0_2_0226AED1
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022656DC	0_2_022656DC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226B2DA	0_2_0226B2DA
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02265724	0_2_02265724
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264F25	0_2_02264F25
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266B22	0_2_02266B22
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261B20	0_2_02261B20
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226830C	0_2_0226830C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226230A	0_2_0226230A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226B378	0_2_0226B378
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262F54	0_2_02262F54
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226AF52	0_2_0226AF52
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022683A0	0_2_022683A0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268B80	0_2_02268B80
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261F80	0_2_02261F80
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02265788	0_2_02265788
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261B94	0_2_02261B94
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262F9B	0_2_02262F9B
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264F98	0_2_02264F98
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262799	0_2_02262799
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022673E4	0_2_022673E4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261BEE	0_2_02261BEE
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262BEE	0_2_02262BEE
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022627FA	0_2_022627FA
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262FC6	0_2_02262FC6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267FC0	0_2_02267FC0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264BCD	0_2_02264BCD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022617CB	0_2_022617CB
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268FD8	0_2_02268FD8
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02260823	0_2_02260823
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226082E	0_2_0226082E
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226882E	0_2_0226882E
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226502C	0_2_0226502C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226843C	0_2_0226843C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266C3A	0_2_02266C3A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226200C	0_2_0226200C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268C0C	0_2_02268C0C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226B418	0_2_0226B418
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261850	0_2_02261850
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267C5A	0_2_02267C5A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268058	0_2_02268058
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022610A3	0_2_022610A3
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022638BD	0_2_022638BD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02260884	0_2_02260884
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261C88	0_2_02261C88
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262090	0_2_02262090
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022698E6	0_2_022698E6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022684E6	0_2_022684E6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022618EE	0_2_022618EE
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022688E8	0_2_022688E8
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022610F4	0_2_022610F4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226ECC2	0_2_0226ECC2
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267CD4	0_2_02267CD4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226592E	0_2_0226592E
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226293C	0_2_0226293C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262114	0_2_02262114
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268119	0_2_02268119
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268164	0_2_02268164
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267D6C	0_2_02267D6C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226B16C	0_2_0226B16C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A56A	0_2_0226A56A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226116B	0_2_0226116B
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261974	0_2_02261974
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02263174	0_2_02263174
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266D50	0_2_02266D50
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022621A4	0_2_022621A4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022639AD	0_2_022639AD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022659AB	0_2_022659AB
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261DB2	0_2_02261DB2
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022629B8	0_2_022629B8
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226A5F6	0_2_0226A5F6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022659F5	0_2_022659F5
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022651FC	0_2_022651FC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268DC9	0_2_02268DC9
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266DD8	0_2_02266DD8
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022639D8	0_2_022639D8

Source: Odeme_310521657_876007850.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165584382.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Odeme_310521657_876007850.exe
Source: Odeme_310521657_876007850.exe, 00000000.00000000.639617040.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameForconceit7.exe vs Odeme_310521657_876007850.exe
Source: Odeme_310521657_876007850.exe	Binary or memory string: OriginalFilenameForconceit7.exe vs Odeme_310521657_876007850.exe

Source: Odeme_310521657_876007850.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Source: Odeme_310521657_876007850.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Odeme_310521657_876007850.exe

ReversingLabs: Detection: 31%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: Odeme_310521657_876007850.exe, type: SAMPLE
Source: Yara match	File source: 0.0.Odeme_310521657_876007850.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Odeme_310521657_876007850.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0040CF5C push ebp; iretd		0_2_0040CF5D
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02269120 push 39C8A12Dh; retf		0_2_0226912C

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226AA23	0_2_0226AA23
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268228	0_2_02268228
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261A08	0_2_02261A08
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226864A	0_2_0226864A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261AA6	0_2_02261AA6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262285	0_2_02262285
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226828A	0_2_0226828A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267E94	0_2_02267E94
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022686C4	0_2_022686C4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266ACD	0_2_02266ACD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261ED2	0_2_02261ED2
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226AED1	0_2_0226AED1
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022656DC	0_2_022656DC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261B20	0_2_02261B20
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264700	0_2_02264700
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226830C	0_2_0226830C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226230A	0_2_0226230A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226470A	0_2_0226470A
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226475C	0_2_0226475C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022683A0	0_2_022683A0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261F80	0_2_02261F80
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261B94	0_2_02261B94
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022673E4	0_2_022673E4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261BEE	0_2_02261BEE
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022647F0	0_2_022647F0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267FC0	0_2_02267FC0
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022617CB	0_2_022617CB
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267420	0_2_02267420
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226843C	0_2_0226843C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226200C	0_2_0226200C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266453	0_2_02266453
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261850	0_2_02261850
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266451	0_2_02266451
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268058	0_2_02268058
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261C88	0_2_02261C88
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262090	0_2_02262090
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264890	0_2_02264890
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022698E6	0_2_022698E6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022684E6	0_2_022684E6
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022618EE	0_2_022618EE
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267CD4	0_2_02267CD4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022674D8	0_2_022674D8
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02264924	0_2_02264924
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02262114	0_2_02262114
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268119	0_2_02268119
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02268164	0_2_02268164
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02267D6C	0_2_02267D6C
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261974	0_2_02261974
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022621A4	0_2_022621A4
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022639AD	0_2_022639AD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02261DB2	0_2_02261DB2

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226A8D3 second address: 000000000226A8D3 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226A973 second address: 000000000226A973 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226AA14 second address: 000000000226AA6A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FA1809A4D2Ch 0x0000000f call 00007FA1809A4A99h 0x00000014 mov dword ptr [ebp+000001DDh], ecx 0x0000001a test ax, 00006196h 0x0000001e mov ecx, 744B4324h 0x00000023 cmp ebx, edx 0x00000025 xor ecx, 3F893887h 0x0000002b xor ecx, 86A7B7DBh 0x00000031 test bl, bl 0x00000033 sub ecx, CD65CC3Ch 0x00000039 pushad 0x0000003a mov cx, 6E0Fh 0x0000003e cmp cx, 6E0Fh 0x00000043 jne 00007FA1809A870Fh 0x00000049 popad 0x0000004a push ecx 0x0000004b mov ecx, dword ptr [ebp+000001DDh] 0x00000051 cmp dx, bx 0x00000054 push dword ptr [ebp+00000140h] 0x0000005a pushad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226AA6A second address: 000000000226AA6A instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226F981 second address: 000000000226F981 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 0000000002272352 second address: 0000000002272352 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226E6B7 second address: 000000000226E7D9 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push E16449FBh 0x00000010 jmp 00007FA1809BA75Eh 0x00000012 cmp cl, bl 0x00000014 call 00007FA1809BA744h 0x00000019 cmp ah, ch 0x0000001b mov dword ptr [ebp+04h], eax 0x0000001e mov ebx, dword ptr [eax+3Ch] 0x00000021 add eax, ebx 0x00000023 mov ebx, dword ptr [eax+78h] 0x00000026 mov eax, dword ptr [ebp+04h] 0x00000029 jmp 00007FA1809BA75Eh 0x0000002b test dl, dl 0x0000002d add eax, ebx 0x0000002f mov ecx, dword ptr [eax+18h] 0x00000032 test bh, ah 0x00000034 mov dword ptr [ebp+08h], ecx 0x00000037 cmp cl, bl 0x00000039 mov ecx, dword ptr [eax+1Ch] 0x0000003c mov dword ptr [ebp+14h], ecx 0x0000003f cmp cl, cl 0x00000041 mov ecx, dword ptr [eax+24h] 0x00000044 mov dword ptr [ebp+10h], ecx 0x00000047 test dl, dl 0x00000049 mov esi, dword ptr [eax+20h] 0x0000004c add esi, dword ptr [ebp+04h] 0x0000004f xor ecx, ecx 0x00000051 test bh, FFFFFFA3h 0x00000054 cmp ax, bx 0x00000057 pushad 0x00000058 lfence 0x0000005b rdtsc
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226A8D3 second address: 000000000226A8D3 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226A973 second address: 000000000226A973 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226AA14 second address: 000000000226AA6A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a jmp 00007FA1809A4D2Ch 0x0000000f call 00007FA1809A4A99h 0x00000014 mov dword ptr [ebp+000001DDh], ecx 0x0000001a test ax, 00006196h 0x0000001e mov ecx, 744B4324h 0x00000023 cmp ebx, edx 0x00000025 xor ecx, 3F893887h 0x0000002b xor ecx, 86A7B7DBh 0x00000031 test bl, bl 0x00000033 sub ecx, CD65CC3Ch 0x00000039 pushad 0x0000003a mov cx, 6E0Fh 0x0000003e cmp cx, 6E0Fh 0x00000043 jne 00007FA1809A870Fh 0x00000049 popad 0x0000004a push ecx 0x0000004b mov ecx, dword ptr [ebp+000001DDh] 0x00000051 cmp dx, bx 0x00000054 push dword ptr [ebp+00000140h] 0x0000005a pushad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226AA6A second address: 000000000226AA6A instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226F981 second address: 000000000226F981 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 0000000002272352 second address: 0000000002272352 instructions:
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	RDTSC instruction interceptor: First address: 000000000226F43E second address: 000000000226F4DF instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov dword ptr [ebp+000000F8h], 00A95F60h 0x00000015 test ecx, ecx 0x00000017 cmp al, al 0x00000019 cmp bl, cl 0x0000001b call 00007FA1809A4C5Eh 0x00000020 call 00007FA1809A4C6Ah 0x00000025 lfence 0x00000028 mov edx, 70E07C5Ch 0x0000002d xor edx, A2B34B25h 0x00000033 xor edx, 89B1DF2Eh 0x00000039 xor edx, 241CE843h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 jmp 00007FA1809A4C2Eh 0x00000046 test dx, cx 0x00000049 cmp ebx, edx 0x0000004b cmp bl, FFFFFF8Ch 0x0000004e jmp 00007FA1809A4C2Eh 0x00000050 test bl, bl 0x00000052 test ax, cx 0x00000055 nop 0x00000056 pushad 0x00000057 mov dx, B385h 0x0000005b cmp dx, B385h 0x00000060 jne 00007FA1809A3B2Dh 0x00000066 popad 0x00000067 ret 0x00000068 mov esi, edx 0x0000006a pushad 0x0000006b rdtsc

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Code function: 0_2_0226AA23 rdtsc

0_2_0226AA23

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe

Code function: 0_2_0226AA23 rdtsc

0_2_0226AA23

Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02270605 mov eax, dword ptr fs:[00000030h]	0_2_02270605
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266ACD mov eax, dword ptr fs:[00000030h]	0_2_02266ACD
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_022656DC mov eax, dword ptr fs:[00000030h]	0_2_022656DC
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266B22 mov eax, dword ptr fs:[00000030h]	0_2_02266B22
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226EF31 mov eax, dword ptr fs:[00000030h]	0_2_0226EF31
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266453 mov eax, dword ptr fs:[00000030h]	0_2_02266453
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02266451 mov eax, dword ptr fs:[00000030h]	0_2_02266451
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_0226E55E mov eax, dword ptr fs:[00000030h]	0_2_0226E55E
Source: C:\Users\user\Desktop\Odeme_310521657_876007850.exe	Code function: 0_2_02269D90 mov eax, dword ptr fs:[00000030h]	0_2_02269D90

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Odeme_310521657_876007850.exe, 00000000.00000002.1165487714.0000000000D70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery41	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Odeme_310521657_876007850.exe	32%	ReversingLabs	Win32.Trojan.Graftor

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	431163
Start date:	08.06.2021
Start time:	14:46:17
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Odeme_310521657_876007850.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	19
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.4% (good quality ratio 1.3%) Quality average: 13.8% Quality standard deviation: 25.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/431163/sample/Odeme_310521657_876007850.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.618776972416774
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Odeme_310521657_876007850.exe
File size:	147456
MD5:	391ca3cf343a25bfd2b452478e54591b
SHA1:	07392a3e453fbf57a85190e0342e15c83e4eaffb
SHA256:	6abdca229afbc8050590a71d0a4be6dcaeaa44725e19d4eab23df6152465116d
SHA512:	dc230172a32d092f3a34a94d3bfaf05d07e6ae657d6898acf02a11b53f677bfb81513bcb98678baa7c508b70d3fac8e137233a555e7def301667217d5073f516
SSDEEP:	1536:t28QwqzWiG9dErUYmetkhpRnV3hRHOjSfteYwThUIHkfA2S0:cMoWiG4rUVetWvRHOjSftnwTSIHKv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4014b8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x60BF1EFE [Tue Jun 8 07:40:46 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b1d5215cf0ff1abab4dacdc311d642d4

Entrypoint Preview

Instruction
push 00401778h
call 00007FA1808ED165h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+15F6D919h], ah
adc bl, byte ptr [esi+40579444h]
mov bh, A9h
cmp al, 80h
jp 00007FA1808ED172h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [edx+00h], al
push es
push eax
add dword ptr [ecx], 73h
imul esi, dword ptr [edx+64h], 64h
jc 00007FA1808ED1E6h
push 0000006Ch
add ah, al
sub edi, ebp
add al, byte ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or byte ptr [edi], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20ab4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0xa04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x154	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2002c	0x21000	False	0.328095407197	data	4.86222481282	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1234	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0xa04	0x1000	False	0.181640625	data	2.18911865835	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x248d4	0x130	data
RT_ICON	0x245ec	0x2e8	data
RT_ICON	0x244c4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x24494	0x30	data
RT_VERSION	0x24150	0x344	data	Sesotho (Sutu)	South Africa

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0430 0x04b0
LegalCopyright	Yonyou Network
InternalName	Forconceit7
FileVersion	1.00
CompanyName	Yonyou Network
LegalTrademarks	Yonyou Network
Comments	Yonyou Network
ProductName	Yonyou Network
ProductVersion	1.00
FileDescription	Yonyou Network
OriginalFilename	Forconceit7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Sesotho (Sutu)	South Africa

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Odeme_310521657_876007850.exe PID: 6940 Parent PID: 5828

General

Start time:	14:47:03
Start date:	08/06/2021
Path:	C:\Users\user\Desktop\Odeme_310521657_876007850.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Odeme_310521657_876007850.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	391CA3CF343A25BFD2B452478E54591B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Odeme_310521657_876007850.exe PID: 6940 Parent PID: 5828 Odeme_310521657_876007850.exeCOMMON

Executed Functions

Function 0226A488, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 720COMMON

Download Yara Rule

Strings

g7, xrefs: 0226AE15
.7, xrefs: 0226AE4E

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: .7$g7
API String ID: 0-3029042821
Opcode ID: d2cd84004b00c8810d2e03957b69baa35acac46580d4ff1c8144943afb2ccd6e
Instruction ID: d6b8cd23264ddd06e0403a621677e0e3103febc3d9d8ad619b3d3a7f495ed612
Opcode Fuzzy Hash: d2cd84004b00c8810d2e03957b69baa35acac46580d4ff1c8144943afb2ccd6e
Instruction Fuzzy Hash: A5226F36269682CFDB21FE7C84947E63BB1EF36310F54405BD4859B226C362A987CBC5

Uniqueness

Uniqueness Score: -1.00%

Function 0226A56A, Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201796080b967846ff40ab806d2371e25fe559f786193e39b1aa748ed61eff68
Instruction ID: bc545ba3b2aecaaa823fb56780fd70cf5872fe65ce79ef23b406b8100cf4b8fc
Opcode Fuzzy Hash: 201796080b967846ff40ab806d2371e25fe559f786193e39b1aa748ed61eff68
Instruction Fuzzy Hash: E2614836614346CFDF309EA889D87EE77A1EF16350F50402ADC8AA7254E3719A89CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0226A5F6, Relevance: 1.7, APIs: 1, Instructions: 209memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0226A8E4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0aa56c6f938e0d84839c00fcf49ccdbdf0fec4f574003c9dc943ce0d89e245a0
Instruction ID: 0cac8162b9407931617c65626b9e362daa8283eac9a43983fe14ac2816a6d2cc
Opcode Fuzzy Hash: 0aa56c6f938e0d84839c00fcf49ccdbdf0fec4f574003c9dc943ce0d89e245a0
Instruction Fuzzy Hash: C1514B36219346CFDF309EA889D87EE77A1EF16350F50402ADC8AA7214D3715A89CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0226A692, Relevance: 1.7, APIs: 1, Instructions: 187memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0226A8E4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 5d5a968f9516ec1257cba57a16509a8d6c2547d47af70b65daf285ad33ab5f27
Instruction ID: c00a859676ee2e7f81e5decac76824eb0fec9fb9066c79883bf930e8d84bade3
Opcode Fuzzy Hash: 5d5a968f9516ec1257cba57a16509a8d6c2547d47af70b65daf285ad33ab5f27
Instruction Fuzzy Hash: 77514D36718242CFDB319EA8C8D87EE7BF1EF16310F50402ADC89A7215D3719A86CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0226A736, Relevance: 1.7, APIs: 1, Instructions: 164memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0226A8E4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8b888791c85e9a7b4ce2206bdf0c94b4dd33fff574904b0d369a1c5808170b91
Instruction ID: af93b95390c8c26860e979646a68d08b7c5020f3baaf9ee3d6df967c9818f0c1
Opcode Fuzzy Hash: 8b888791c85e9a7b4ce2206bdf0c94b4dd33fff574904b0d369a1c5808170b91
Instruction Fuzzy Hash: D9412C36218246CFDB31DEA8C9D87ED77B1EF1A310F10402AD849A7215D7729A86CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0226A7D5, Relevance: 1.6, APIs: 1, Instructions: 140memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0226A8E4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 51d767599c6cbca760168840ec28ab12d47060f99483c5d1c54b55c8ca76cbe7
Instruction ID: d70e79e09e3be38cb51b2c153d60ca928aa87805a479d4854cfc7f43d5dfb7dc
Opcode Fuzzy Hash: 51d767599c6cbca760168840ec28ab12d47060f99483c5d1c54b55c8ca76cbe7
Instruction Fuzzy Hash: B6413D36618643CFEB31DEA8C8D47E977B1EF2A310F60402AD885A7115D772DA87CB85

Uniqueness

Uniqueness Score: -1.00%

Function 0226A86E, Relevance: 1.6, APIs: 1, Instructions: 119memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 0226A8E4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8f7c772ad908d729b4c4e590dab37e7f726c0a9f237f2b4d10e7b7daac9e384a
Instruction ID: e9a43c38eb72f9f492b87c46046b1fd0994b5b68ce0c4b2b22451041c8d3c166
Opcode Fuzzy Hash: 8f7c772ad908d729b4c4e590dab37e7f726c0a9f237f2b4d10e7b7daac9e384a
Instruction Fuzzy Hash: 3031513A658643CFDB21EE98C494BE977B1EF2A350F604016D485A7115D372DB87CB84

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8D0, Relevance: 300.9, APIs: 159, Strings: 12, Instructions: 1669COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0041CA0C
#563.MSVBVM60(?), ref: 0041CA19
__vbaFreeVar.MSVBVM60 ref: 0041CA32
#531.MSVBVM60(Sammenskruendes), ref: 0041CA42
#606.MSVBVM60(00000001,?), ref: 0041CA65
__vbaStrMove.MSVBVM60 ref: 0041CA73
__vbaStrCmp.MSVBVM60(00402BC0,00000000), ref: 0041CA7F
__vbaFreeVar.MSVBVM60 ref: 0041CAA1
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 0041CABF
__vbaObjSetAddref.MSVBVM60(?,00401168), ref: 0041CAD5
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,00000010), ref: 0041CAF5
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CB32
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CB4E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000158), ref: 0041CB78
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CBFC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CC18
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001E0), ref: 0041CC42
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CC57
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CC73
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001A0), ref: 0041CC9D
__vbaStrCopy.MSVBVM60 ref: 0041CCAA
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,000006F8), ref: 0041CCF9
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041CD17
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CD33
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CD4F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C18,00000130), ref: 0041CD79
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041CD8D
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CDA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CDC5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001D8), ref: 0041CDEF
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CE04
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CE20
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000048), ref: 0041CE44
__vbaStrCopy.MSVBVM60 ref: 0041CE51
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041CE5E
__vbaStrMove.MSVBVM60 ref: 0041CE6C
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0041CEC4
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041CEE8
__vbaFreeVar.MSVBVM60 ref: 0041CEF7
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CF10
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CF2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000150), ref: 0041CF56
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,000006FC), ref: 0041CF95
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041CFB6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CFD2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C18,00000050), ref: 0041CFF6
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D00B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D027
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,000000E8), ref: 0041D051
__vbaStrMove.MSVBVM60 ref: 0041D073
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D0C4
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D0F0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D10C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000001E0), ref: 0041D136
__vbaStrMove.MSVBVM60 ref: 0041D162
__vbaStrCopy.MSVBVM60 ref: 0041D173
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000700), ref: 0041D1B3
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041D1C5
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D1ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D209
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C18,00000190), ref: 0041D233
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D248
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D264
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000070), ref: 0041D288
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D29D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D2B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000001C8), ref: 0041D2E3
__vbaStrCopy.MSVBVM60 ref: 0041D2F0
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000704), ref: 0041D343
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041D368
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D384
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D3A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000001F0), ref: 0041D3CA
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D41D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D439
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000128), ref: 0041D463
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D478
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D494
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000088), ref: 0041D4BE
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000708), ref: 0041D502
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D514
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D530
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D54C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000000E0), ref: 0041D576
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,0000070C), ref: 0041D5B3
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D5D4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D5F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000148), ref: 0041D61A
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D62F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D64B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000048), ref: 0041D66F
__vbaStrMove.MSVBVM60 ref: 0041D69B
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041D6DB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D6F1
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D70D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D729
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000058), ref: 0041D74D
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D762
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D77E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000148), ref: 0041D7A8
__vbaStrMove.MSVBVM60 ref: 0041D7C0
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000710), ref: 0041D7F9
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D817
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D833
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D84F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000178), ref: 0041D879
__vbaStrCopy.MSVBVM60 ref: 0041D8C4
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D90F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D92B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000001E0), ref: 0041D955
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041D96A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041D986
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000218), ref: 0041D9B0
__vbaStrMove.MSVBVM60 ref: 0041D9DC
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000714), ref: 0041DA2B
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041DA3D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DA53
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DA6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DA8B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C18,00000120), ref: 0041DAB5
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DACA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DAE6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000110), ref: 0041DB10
__vbaStrCopy.MSVBVM60 ref: 0041DB29
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041DB43
__vbaI4Var.MSVBVM60(00000000), ref: 0041DB4D
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,00000718), ref: 0041DB83
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DBA8
__vbaFreeVar.MSVBVM60 ref: 0041DBB7
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DBD0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DBEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000000D8), ref: 0041DC16
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DC2B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DC47
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000170), ref: 0041DC71
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DC86
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DCA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000170), ref: 0041DCCC
__vbaStrCopy.MSVBVM60 ref: 0041DCF1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041DD4E
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DD6A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DD86
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000130), ref: 0041DDB0
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DDC5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DDE1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000130), ref: 0041DE0B
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402634,0000071C), ref: 0041DE76
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DE88
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DEA4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DEC0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000001C0), ref: 0041DEEA
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041DEFF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041DF1B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000110), ref: 0041DF45
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041DF81
__vbaHresultCheckObj.MSVBVM60(00000000,00401168,00402604,000002B4), ref: 0041DFA5
__vbaVarAdd.MSVBVM60(00000002,00000008,?), ref: 0041DFDF
__vbaVarMove.MSVBVM60 ref: 0041DFE6
__vbaVarTstLt.MSVBVM60(00000002,?), ref: 0041E007

Strings

Daftardar7, xrefs: 0041D8B9
FORSRGELSES, xrefs: 0041DCE0
Frihedsheltens, xrefs: 0041DD03
skattejagters, xrefs: 0041D168
}D, xrefs: 0041D9C8
, xrefs: 0041CA51
BEGROANS, xrefs: 0041D197
Sammenskruendes, xrefs: 0041CA3D
CARCINEMIA, xrefs: 0041DB18
Estancieros, xrefs: 0041D2E5
Whiney, xrefs: 0041CE46
Logria1, xrefs: 0041CC9F

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$Copy$CallLate$#531#563#606Addref
String ID: $BEGROANS$CARCINEMIA$Daftardar7$Estancieros$FORSRGELSES$Frihedsheltens$Logria1$Sammenskruendes$Whiney$skattejagters$}D
API String ID: 1653403094-3881086472
Opcode ID: e19d701afb3a3f405a1b4d2b77c020a1346a03a949c1fd9185a4237572535171
Instruction ID: 991e71e41e58f83da936f9a20d40cc9ed17c73eb58c40a97077ea3583f50819c
Opcode Fuzzy Hash: e19d701afb3a3f405a1b4d2b77c020a1346a03a949c1fd9185a4237572535171
Instruction Fuzzy Hash: AAE241B0A00219ABDB25DF50CD88FDA77BCBF48704F0085AAF649F7191DA745A85CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00418575, Relevance: 1.4, APIs: 1, Instructions: 155memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(33C19207,00018000,-8F4D55ED,-98B6D2CD,00407D7D), ref: 00418B1B

Memory Dump Source

Source File: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3514ce04a6e00c75592932c75f08c25608ea5e3c7cfa8dfe1e5643274c2241a1
Instruction ID: e63bac0323583743ddc7f484032fdc18e45756bd43d2fb67bc7d79909f33445c
Opcode Fuzzy Hash: 3514ce04a6e00c75592932c75f08c25608ea5e3c7cfa8dfe1e5643274c2241a1
Instruction Fuzzy Hash: 8F414963E1960585FF722068CAD01EDA012CB96341F32867BDD6E338E53E3E09C6259B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022698E6, Relevance: 5.0, Strings: 3, Instructions: 1242COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A
EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,$EYB$(MG
API String ID: 0-356900274
Opcode ID: a7257a55896e4aaf7637b6241f6ec3b7e181f4933a40d4080b7ab99e3ae86cb5
Instruction ID: 0d859bb933385e1ae0021a37ad47dc8cdf2ee23a973040f4cbe62601aa5cf930
Opcode Fuzzy Hash: a7257a55896e4aaf7637b6241f6ec3b7e181f4933a40d4080b7ab99e3ae86cb5
Instruction Fuzzy Hash: D392667261430ADFCB345EB489A83FA77A3EF52390F95412ADC8697208D77589C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022617CB, Relevance: 4.5, Strings: 3, Instructions: 795COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2
(MG, xrefs: 0226852B
8, xrefs: 022700BA

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 8$S].N$(MG
API String ID: 0-2217212759
Opcode ID: d0311eacf42ac6ef374729e78f3cbc9a56154eb5b22f77bc83903fd7897ab17f
Instruction ID: 7f13809f4ec38f12866a96728ef24f282f44f5f1cf5a92e3d4743bf0720e74f5
Opcode Fuzzy Hash: d0311eacf42ac6ef374729e78f3cbc9a56154eb5b22f77bc83903fd7897ab17f
Instruction Fuzzy Hash: 6B529C32A58346DFDB309EB889987FB33A2AF55350F85422EDCC997258D37589C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0226AED1, Relevance: 3.8, Strings: 2, Instructions: 1317COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: fbac1d46382f16cdcaef06bfd7b3a86ab0abc21f377344cde8e4fdfea36cb714
Instruction ID: ca4c2af2a8d29863a44286ce8500df8a4b767eb8735d543d0a1905a2c9eeba95
Opcode Fuzzy Hash: fbac1d46382f16cdcaef06bfd7b3a86ab0abc21f377344cde8e4fdfea36cb714
Instruction Fuzzy Hash: 4DA277726143469FDB349EB8C9A83EA77A3FF52390F914129DC8A97208D37589C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022656DC, Relevance: 3.4, Strings: 2, Instructions: 920COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A
\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,$\H
API String ID: 0-1396638078
Opcode ID: 26c3a5bb7cb136f304b43a876f0cc0dcfd1aaff95959d40139182cb63f5f23a6
Instruction ID: ba786b785205dff25bfd8daf59612e116bca34066e039c596a60dec1959660d1
Opcode Fuzzy Hash: 26c3a5bb7cb136f304b43a876f0cc0dcfd1aaff95959d40139182cb63f5f23a6
Instruction Fuzzy Hash: 01626672614306DFCB348E68C9A87EA77E6FF49350F45422EDC899B248D7349D86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02267CD4, Relevance: 3.4, Strings: 2, Instructions: 897COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: a970a0d175b3d0a0bfb07b5244090d00df77781e49a737b6387d90e49da84aea
Instruction ID: f03d458b33f1aa1a1672bae8a72ff8e23aa3a8cea676e664e76d21647c545999
Opcode Fuzzy Hash: a970a0d175b3d0a0bfb07b5244090d00df77781e49a737b6387d90e49da84aea
Instruction Fuzzy Hash: 086286726143469FCB355EB8C9983EA7BA3FF52390F91422DDC8697208D37589C9CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02267D6C, Relevance: 3.4, Strings: 2, Instructions: 880COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: cacaf5fe45b01496e63d3b5f67040925e0d576834b60c57752dcc41c720b3be8
Instruction ID: a763fcf6ad7ea1e5f262a6cf35c83873ba798df39c3467b78a2c59bb80a1cb5e
Opcode Fuzzy Hash: cacaf5fe45b01496e63d3b5f67040925e0d576834b60c57752dcc41c720b3be8
Instruction Fuzzy Hash: 0B6287726143469FCB355EB8C9983EA7BA3FF52390F91412DDC8687208D3B589C9CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02267E94, Relevance: 3.3, Strings: 2, Instructions: 840COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: 540649c90904ff0941da9e394bcdf1aff5430bf5815457f1f5c355b7b8e83161
Instruction ID: 7f6872b139a98612a03420b8b509b5e43bb429ad824e8b1aa1c71d88fb8060bf
Opcode Fuzzy Hash: 540649c90904ff0941da9e394bcdf1aff5430bf5815457f1f5c355b7b8e83161
Instruction Fuzzy Hash: 8F5277726143469FDB355EB8C9983EA7BA3FF52390F91412DDC8687208D37589CACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02267FC0, Relevance: 3.3, Strings: 2, Instructions: 805COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: f6301f1faed3b3b998709bd2f08de3de137043af216b636b2abda3024be44d10
Instruction ID: 28988202c3ef7df1b84a6059cdf1d97b3f0ff44e54a245df5f1b38542a7c1203
Opcode Fuzzy Hash: f6301f1faed3b3b998709bd2f08de3de137043af216b636b2abda3024be44d10
Instruction Fuzzy Hash: A75256726143469FDB355EB8C9A83FA7BA3FF52390F954129DC8687208D37589C6CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02268058, Relevance: 3.3, Strings: 2, Instructions: 787COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087
(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB$(MG
API String ID: 0-3060920885
Opcode ID: e08b0fd67d46fdbda533ca517e676b3784bdd6ff8030dfe3a4d86338dc882369
Instruction ID: 84d813ed15515f8a7c60455adc819e54196b58ce50eaa70f7d0f4c728f2aa2ef
Opcode Fuzzy Hash: e08b0fd67d46fdbda533ca517e676b3784bdd6ff8030dfe3a4d86338dc882369
Instruction Fuzzy Hash: 624256726143469FDB356EB8C9983FA77A3FF52390F954129DC8687208D37589C6CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02270605, Relevance: 3.0, Strings: 2, Instructions: 509COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A
$#,{, xrefs: 022708F2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: $#,{$0IS,
API String ID: 0-1065003264
Opcode ID: 929c5814def86b84e18c370c04423b047500526d82433c9b9a821be5d6eb48da
Instruction ID: 7bac3487afc8e41a154af37a2ae3704269e5d2230a6fde9900fed2db741f0bba
Opcode Fuzzy Hash: 929c5814def86b84e18c370c04423b047500526d82433c9b9a821be5d6eb48da
Instruction Fuzzy Hash: 84024B316183868FDB219F7889A87DA7BD29F53360F49C2AACCD54B1DAD3748586C703

Uniqueness

Uniqueness Score: -1.00%

Function 02264F25, Relevance: 2.8, Strings: 2, Instructions: 261COMMON

Download Yara Rule

Strings

na5, xrefs: 02264FCD
w#i$, xrefs: 022655BE

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: w#i$$na5
API String ID: 0-1551618217
Opcode ID: 7f771cd00453d7dcebcc8f58083617f02bc6777c5caa8c712b5fe4df5ae76364
Instruction ID: 039e139907b720978abc73384dd9c56acde0d0d7da371a9085779540062a269b
Opcode Fuzzy Hash: 7f771cd00453d7dcebcc8f58083617f02bc6777c5caa8c712b5fe4df5ae76364
Instruction Fuzzy Hash: 629137717143499FDF388E7489A87EE33A7AF55780F96452EDC8AD7644D3308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02264F98, Relevance: 2.7, Strings: 2, Instructions: 245COMMON

Download Yara Rule

Strings

na5, xrefs: 02264FCD
w#i$, xrefs: 022655BE

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: w#i$$na5
API String ID: 0-1551618217
Opcode ID: 056eab86f9c32a8dc7d2467eb1f275673c64cf7b915f24c0faa257afff49214b
Instruction ID: d0ff5a15bfd3d3de44c902dddb82f8ef27dfc502610b46157083c860c61d113b
Opcode Fuzzy Hash: 056eab86f9c32a8dc7d2467eb1f275673c64cf7b915f24c0faa257afff49214b
Instruction Fuzzy Hash: F88127317143599FDF388E3889A87EE37A7AF95740F96402EDC8ADB654D3308986CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02268164, Relevance: 2.0, Strings: 1, Instructions: 783COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: af0492284993ced771309567c8b64ba56331c3b3cfe2c3eab26c8d1b39625411
Instruction ID: 21d5f720f334b9b28ec9227c711060513e68343be0acabd756893939346e5c39
Opcode Fuzzy Hash: af0492284993ced771309567c8b64ba56331c3b3cfe2c3eab26c8d1b39625411
Instruction Fuzzy Hash: 224256722143469FDB35AEB8C9983FA7BA3FF52390F954129DC8687208D37585C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02268119, Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 147b470b4fb69bf4a7978924bcbb89de6fedcacbfa83633f33e9f21314dd4705
Instruction ID: 03175e7b6aa3f91cb61be9059ba1dcf89bcd1cfaad9bca95a60f3f76c504f2f1
Opcode Fuzzy Hash: 147b470b4fb69bf4a7978924bcbb89de6fedcacbfa83633f33e9f21314dd4705
Instruction Fuzzy Hash: 664266722103469FDB356EB8C9983FA7BA3FF52390F914129DC8687208D37589C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02268228, Relevance: 2.0, Strings: 1, Instructions: 753COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: e63cdeeae6ad5fc41f9cac20dc5e6d201de829584de38bb994d9000e69499da6
Instruction ID: dad24e9163d327d8b0db05d65400787839e7c578b03f4019d7035cc85ef19751
Opcode Fuzzy Hash: e63cdeeae6ad5fc41f9cac20dc5e6d201de829584de38bb994d9000e69499da6
Instruction Fuzzy Hash: ED4277722143469FDB35AEB8C9983FA77A3FF52390F954129DC8687208D37589C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0226828A, Relevance: 2.0, Strings: 1, Instructions: 741COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 119c28eee004482733050ba50ec4e439a4fa10ff39480dcc723ae6458f127d6c
Instruction ID: 866976a3bdd055ff8bc9dffb0d46e21f95cfdda3203eff870497c6419486059f
Opcode Fuzzy Hash: 119c28eee004482733050ba50ec4e439a4fa10ff39480dcc723ae6458f127d6c
Instruction Fuzzy Hash: 914266722103469FCB356EB8C9983FA77A3FF52390F954129DC8687218D77589C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0226830C, Relevance: 1.9, Strings: 1, Instructions: 691COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 0c09ba1bd4c9026e2505bf0f696829bb4a38996468f8d956eea5c3728ae417dc
Instruction ID: 9e121131019ab0773e44beae6657e81b0f4271d4d24239a0d76ef44b1f325b15
Opcode Fuzzy Hash: 0c09ba1bd4c9026e2505bf0f696829bb4a38996468f8d956eea5c3728ae417dc
Instruction Fuzzy Hash: 963266726103469FCB356EB8C9983FA77A3FF52390F914129DC8687208D7B585C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022683A0, Relevance: 1.9, Strings: 1, Instructions: 671COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 94802065b292c8d85008298de4dda90368df059f0f99902717fab31e2d42886f
Instruction ID: 7c511df48f682d6cf5a2458310f9e2381aba858cf5c2b19c450a6a74ebcf24c8
Opcode Fuzzy Hash: 94802065b292c8d85008298de4dda90368df059f0f99902717fab31e2d42886f
Instruction Fuzzy Hash: B532667261034A9FDB355EB8C9983FA7BA3FF52390F914129DC8687208D7B589C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02265724, Relevance: 1.9, Strings: 1, Instructions: 666COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: fa1c9af8fbf0cd76fee61bb7657a5ce26b74bb760c36d8f11f762aa849482c14
Instruction ID: be70dd6d9e857e94117e7c03df9cf5dcfef41c0bfd48d104291806d1a6e7dc02
Opcode Fuzzy Hash: fa1c9af8fbf0cd76fee61bb7657a5ce26b74bb760c36d8f11f762aa849482c14
Instruction Fuzzy Hash: 3F224536754642CFDB20DE68C898BE677E1FF29310F85422ADC988B605C375A996CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0226843C, Relevance: 1.9, Strings: 1, Instructions: 648COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 525689e49383dd57b0188b01916c85ba9d16cd6f623560adfa7804af71073e81
Instruction ID: d578bd384abf42ddd269e994d1a790c3564e323bbbbeb645e5430582abbcf465
Opcode Fuzzy Hash: 525689e49383dd57b0188b01916c85ba9d16cd6f623560adfa7804af71073e81
Instruction Fuzzy Hash: FC22667261034A9FDB355E78C9993FA7BA3FF52390F914129DC8687208D3B585C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022684E6, Relevance: 1.9, Strings: 1, Instructions: 628COMMON

Download Yara Rule

Strings

(MG, xrefs: 0226852B

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: (MG
API String ID: 0-2960061269
Opcode ID: 33f29731834842a58116844833682e179288e59d308f45af7f023bdd31dd0f6a
Instruction ID: 29da52305fe4ddf0578a65bd240781c099c44477a3fec908cc8cb0734a3ba536
Opcode Fuzzy Hash: 33f29731834842a58116844833682e179288e59d308f45af7f023bdd31dd0f6a
Instruction Fuzzy Hash: F222767221034A9FDB355E74C9A83FA7BA3FF52390F914129DC8687208D7B685C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02265788, Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: d48a3f85ceaa5bafcca4fb377d26ca56b2007c13983cf858bd3c372ecf5391f7
Instruction ID: d84b0ead39067001cff4d035262a93a6adac9b9e20e0423b9a216a1b724c22e1
Opcode Fuzzy Hash: d48a3f85ceaa5bafcca4fb377d26ca56b2007c13983cf858bd3c372ecf5391f7
Instruction Fuzzy Hash: CDF12372714756DFDB24CE68C898BEAB7A2FF09340F85422ADC8897244C7756D96CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 022639AD, Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: 32181ff569f1f916b41d7b6f33968af5c27f5259594f36d2e4b9dbd69c40ee79
Instruction ID: 472cf39691667c22fe4f9155381ab3a98d5c778debc31aaf244425785b0346a0
Opcode Fuzzy Hash: 32181ff569f1f916b41d7b6f33968af5c27f5259594f36d2e4b9dbd69c40ee79
Instruction Fuzzy Hash: 91D169326143499FDB349EA88DA47EB37E7AF95780F91411EDCC98B208D37089C6CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0226592E, Relevance: 1.6, Strings: 1, Instructions: 397COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: 9abf7aea988f909eba4512dfec62d030b6c0f084ebc55cfa270577e8e8c3cfc5
Instruction ID: c388e161406f22a5e8a6c35a9fa7dd743891c78234ffd91acef33f0061b84099
Opcode Fuzzy Hash: 9abf7aea988f909eba4512dfec62d030b6c0f084ebc55cfa270577e8e8c3cfc5
Instruction Fuzzy Hash: 6EE13232614746DFDB24CE68C898BEAB7E1FF19350F85422EDC988B244C7756996CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 022659F5, Relevance: 1.6, Strings: 1, Instructions: 374COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: 67bc532d1ce98bfa184f672611a47473402484d2aad642b7450173de0fc0b85f
Instruction ID: 4d2425f2d69144e6a7df88edc708779c3b89609c64f3426ce5b596ce9c0b7641
Opcode Fuzzy Hash: 67bc532d1ce98bfa184f672611a47473402484d2aad642b7450173de0fc0b85f
Instruction Fuzzy Hash: 62D12272614346DFDB30CE68C898BEA77E5BF0A350F45422ADC988B245C7756D9ACB80

Uniqueness

Uniqueness Score: -1.00%

Function 022659AB, Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: f271d32e38e27410b14a5859466d3b65412d71b6006af939e560270a172e814f
Instruction ID: b70fa065417d9cf884313d9475db35e0a645491bb6518f03882891bfceda70e1
Opcode Fuzzy Hash: f271d32e38e27410b14a5859466d3b65412d71b6006af939e560270a172e814f
Instruction Fuzzy Hash: 92D12472614346DFDB34CF68CC98BEA77A5BF09350F45421ADC898B244C7746D96CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02267C5A, Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

EYB, xrefs: 02268087

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: EYB
API String ID: 0-1996301025
Opcode ID: 7c59d7061b797ec41115cdce16bb54ac44caf4cd9b226a17e74208acbf75b30f
Instruction ID: 478fbbc5df35ea1718acff1dbd53651a8d1d9d89ed05eea20161f050a8c102bb
Opcode Fuzzy Hash: 7c59d7061b797ec41115cdce16bb54ac44caf4cd9b226a17e74208acbf75b30f
Instruction Fuzzy Hash: C7C18772618316DFCF305EB88D983EA77A2EF46350F92412DDC86A7254D77489C9CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02265AEC, Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

\H, xrefs: 022660A1

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: \H
API String ID: 0-4177163023
Opcode ID: 41ccc0b17b20a41774e42a7a942126a35942f2a459433f4bcac37e3b11182d94
Instruction ID: 8f346abf88f24092fe08aa87bfa570b0994c1f7c060a97edd2e399449aaccdd6
Opcode Fuzzy Hash: 41ccc0b17b20a41774e42a7a942126a35942f2a459433f4bcac37e3b11182d94
Instruction Fuzzy Hash: 34B12572614356DFCB348EA8CC98BEA77E6BF09350F45421ADC898B248C7745D96CB80

Uniqueness

Uniqueness Score: -1.00%

Function 0226ECC2, Relevance: 1.5, Strings: 1, Instructions: 278COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: c44e230442dd88a5ea9f8f6cd54ee60390e6bf799fd23c2de262ed06e2dd0692
Instruction ID: aea9c55c0134e6cb1b110c9ef239767f75259b028e03b0e55a5ef754a11400f5
Opcode Fuzzy Hash: c44e230442dd88a5ea9f8f6cd54ee60390e6bf799fd23c2de262ed06e2dd0692
Instruction Fuzzy Hash: B1917C366143069FDF205EA889E97FB77A7AF56780F96412ACCC547208E37584C7C702

Uniqueness

Uniqueness Score: -1.00%

Function 02260E15, Relevance: 1.5, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: 7b7a98a76ffed8279d4913a0d59ae96bf2c1a61000004440cd3cca24a469109d
Instruction ID: 2ae3f82ab55dbc09ad9bf9f776ced2c5444adb78e7fe99a80973cf4175293788
Opcode Fuzzy Hash: 7b7a98a76ffed8279d4913a0d59ae96bf2c1a61000004440cd3cca24a469109d
Instruction Fuzzy Hash: 11917C766243059FDB249EA889A53FB37E6AF56380F91412ECCCA87248D77485C7CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02262799, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: S].N
API String ID: 0-117155592
Opcode ID: 45c665fcb7968043942e72cb7fe93cc9d46f59b00a765092d69e75913b5f95a7
Instruction ID: 33eba6a5e725e7b2b735f5b5c23ba3a3dfdcf2778aa46d789c44962b16946420
Opcode Fuzzy Hash: 45c665fcb7968043942e72cb7fe93cc9d46f59b00a765092d69e75913b5f95a7
Instruction Fuzzy Hash: B5918976A58306CFDB30AEB889987FA33A2EF55350F8A422EDCC257559D37584C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02266ACD, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

?<i, xrefs: 02272BA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: ?<i
API String ID: 0-1140130776
Opcode ID: a4d94daf493599bbfd3c87ed60fc38079bfe5c8f733dd3e6ea78a4c899b7185d
Instruction ID: a526835a029f37da7d148c94946e2957cc10134629e0a7970dad89820aaee386
Opcode Fuzzy Hash: a4d94daf493599bbfd3c87ed60fc38079bfe5c8f733dd3e6ea78a4c899b7185d
Instruction Fuzzy Hash: 0D91AB32628342CFDB205EB4C9987FA77A5FF053A0F45425EDC969B1A9C3798981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022627FA, Relevance: 1.5, Strings: 1, Instructions: 255COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: S].N
API String ID: 0-117155592
Opcode ID: 4e0bb36aba96da55c1588d03f756d1e5868e6c5e3f7191d567d0a570f67e48dd
Instruction ID: ca67d14d0937a62259078babf44c350007009777f0bd4b823a781c33ce217a9d
Opcode Fuzzy Hash: 4e0bb36aba96da55c1588d03f756d1e5868e6c5e3f7191d567d0a570f67e48dd
Instruction Fuzzy Hash: 90919972A58306CFDB30AEB889987FA33A2EF51350F8A422EDCC257159D37584C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0226502C, Relevance: 1.5, Strings: 1, Instructions: 230COMMON

Download Yara Rule

Strings

w#i$, xrefs: 022655BE

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: w#i$
API String ID: 0-1704692671
Opcode ID: 3be44fa3d30656ffad6d422bc833ac6b2238be33fa3d5bef05de732a9ab21292
Instruction ID: d8123ae6f5d1956bf7a08e4c434513c439947ff0f948f4f2ba8d163022b2c69a
Opcode Fuzzy Hash: 3be44fa3d30656ffad6d422bc833ac6b2238be33fa3d5bef05de732a9ab21292
Instruction Fuzzy Hash: F371293171435A9FDF348E3889A87EE37A7AF95740F96402EDC89DB254D3308986CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0226293C, Relevance: 1.5, Strings: 1, Instructions: 219COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: S].N
API String ID: 0-117155592
Opcode ID: 666fbb88296438a05b1c1e81f5ec82b1fd25c56e94d2f9e22868e056a9cae94f
Instruction ID: b598039be786f4abf6582a9ff7cd0e90ba603ba01d8030abc2ea286c0351dbe9
Opcode Fuzzy Hash: 666fbb88296438a05b1c1e81f5ec82b1fd25c56e94d2f9e22868e056a9cae94f
Instruction Fuzzy Hash: 24716977A68346CFDB30AEB889987FA33A2AF41350F9A422EDCC157558D37584C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022629B8, Relevance: 1.5, Strings: 1, Instructions: 217COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: S].N
API String ID: 0-117155592
Opcode ID: 2c2f390c2f561fdda4c3ddedc8812feb79ba43f31214a7c5acd6af49db4bf056
Instruction ID: 4a80cb01755acb17da7b66c42a7e45108d601c3a032db033df33c6c1d678e5b0
Opcode Fuzzy Hash: 2c2f390c2f561fdda4c3ddedc8812feb79ba43f31214a7c5acd6af49db4bf056
Instruction Fuzzy Hash: 9A717C33A68346CFDB30ADB889987FA37A2AF51360F5A422EDCD153558D37684C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02262A06, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

S].N, xrefs: 02262AA2

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: S].N
API String ID: 0-117155592
Opcode ID: 98ed199652ec122d847741e4fa29afdf0dd79c9ce71c8d57176ef151c767c1fe
Instruction ID: bffb63b8976680ceb76f17c88ad94f70494ea8cf53c29d25de2fae77d384d43e
Opcode Fuzzy Hash: 98ed199652ec122d847741e4fa29afdf0dd79c9ce71c8d57176ef151c767c1fe
Instruction Fuzzy Hash: 62617833968306CFDB30ADB889987FA37A2AF41360F5A462EDCD253548D37584C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022610A3, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: 261f51b725298a116a2b86be539ac1637e82673442aa6f9cb9844cf51f999032
Instruction ID: 935042a861389e08dfb81fad7a894c650b1b36b49383dbe1805c02aee99bab61
Opcode Fuzzy Hash: 261f51b725298a116a2b86be539ac1637e82673442aa6f9cb9844cf51f999032
Instruction Fuzzy Hash: E3517B766543099FDF245EA489A93EB77E7AF96380F56812ECCC947208E37485C7CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022610F4, Relevance: 1.4, Strings: 1, Instructions: 197COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: ce5588bfdfba4ab9b7c1d3442f0e3713133281e9e249b63ca7e928284ac61a89
Instruction ID: 1f039a8a53792b2a0bb2145f01a1401303529348430336a100e57a356ecaa6b9
Opcode Fuzzy Hash: ce5588bfdfba4ab9b7c1d3442f0e3713133281e9e249b63ca7e928284ac61a89
Instruction Fuzzy Hash: B4518D726543099FDF245EA489A93EB77E7AF96380F56412ECCC947208E37585C7CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0226116B, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: c99fad94b8810ac5d371d5d290a71a626d8314605d17664162cb1a37c77a97c1
Instruction ID: 99e2c0a739e75d8d6365c5dcd539a7bafc1c31fa4b23885f3a301bc117dce61d
Opcode Fuzzy Hash: c99fad94b8810ac5d371d5d290a71a626d8314605d17664162cb1a37c77a97c1
Instruction Fuzzy Hash: 8B518972A543059FDF245EA489A93EB77A7AF95380F96412ECCC947208E77485C7CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022651FC, Relevance: 1.4, Strings: 1, Instructions: 169COMMON

Download Yara Rule

Strings

w#i$, xrefs: 022655BE

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: w#i$
API String ID: 0-1704692671
Opcode ID: 1b9955ad7a0d8986167d0e37e3b3d3e792d5cba4fc5ee5e332b4b2b7037d2e65
Instruction ID: 1bf4271fc2c72fb5df3b3cd6aa04970dec41045c9dc1b229d6489c32a38b858a
Opcode Fuzzy Hash: 1b9955ad7a0d8986167d0e37e3b3d3e792d5cba4fc5ee5e332b4b2b7037d2e65
Instruction Fuzzy Hash: 5351267171434A9FDF348E3889A87EA37A7AF55780F95412EDC89DB248D7308A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02261204, Relevance: 1.4, Strings: 1, Instructions: 160COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: 53bd13e921ec52a8aaf57eb1e8d64867840de73b9a3ef8a2f3beb254c7d7523e
Instruction ID: 87bb8fc8b28942234a4a9d68e54eae873c5c22e5f5aa49b705e28b3029ac727d
Opcode Fuzzy Hash: 53bd13e921ec52a8aaf57eb1e8d64867840de73b9a3ef8a2f3beb254c7d7523e
Instruction Fuzzy Hash: 84518B77A543059BDF245E648DA93EB77A7AF95740F96412ECCC947208E33484C7CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022612A0, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

0IS,, xrefs: 0226138A

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: 0IS,
API String ID: 0-225112966
Opcode ID: a8bec2eef0fd65ce26a2f33d19c1b61cd7c9c011d174ffc60c9adfcd719e8172
Instruction ID: 8bcd8212b5cb63d3f3053b993ac029967b1cd58c069000abe351d7293545638b
Opcode Fuzzy Hash: a8bec2eef0fd65ce26a2f33d19c1b61cd7c9c011d174ffc60c9adfcd719e8172
Instruction Fuzzy Hash: 1F418776A543059BDF209EA88DB93EB77A7AF95780F96412ACCC947208E73485C7C702

Uniqueness

Uniqueness Score: -1.00%

Function 02260823, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

r, xrefs: 022609A4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 5b020706862dea12448e5f06be6a67a94af6eaaeb985a0935b7efb5e03596e46
Instruction ID: 9d88babaa8c02809916be1d5d372a7ffe1679280c482338033e1d23559ff31b5
Opcode Fuzzy Hash: 5b020706862dea12448e5f06be6a67a94af6eaaeb985a0935b7efb5e03596e46
Instruction Fuzzy Hash: 12412732A29305DBDB042EB49A697FB33A6AF12390F46061DDDD353145E3658AC4CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0226082E, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

r, xrefs: 022609A4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: 62b7bfcffc26a5241d957778862f774989f661e70bbe1eb5f693c93226bd1598
Instruction ID: 78adaf20b054f3fea1364cdfa58698816062b439643df745b4881eed3b8dce97
Opcode Fuzzy Hash: 62b7bfcffc26a5241d957778862f774989f661e70bbe1eb5f693c93226bd1598
Instruction Fuzzy Hash: 53412732A283099BDB142EB49A6A7FB32E2AF12390F46061DDDD253144E36586C4CE43

Uniqueness

Uniqueness Score: -1.00%

Function 02260884, Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

r, xrefs: 022609A4

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: r
API String ID: 0-1812594589
Opcode ID: e2f635b43db059dccad144ea0096df3e4895952049062763a812c168a840da53
Instruction ID: 4c8f36a4e06ae88dc78e5658a22ac899a938d6f30451b5eee71330b3b1f3e2c9
Opcode Fuzzy Hash: e2f635b43db059dccad144ea0096df3e4895952049062763a812c168a840da53
Instruction Fuzzy Hash: B9413932A28305EBDB042EB49A6A7FB73E6AF123A0F46061DDDD253144E36586C4CF53

Uniqueness

Uniqueness Score: -1.00%

Function 0226AA23, Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

$CKt, xrefs: 0226AA2D

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID: $CKt
API String ID: 0-942536455
Opcode ID: 052c7f42f8b03e55aa6a93ddd82dece66175cfaf008b1d23df2dc0444a09bf13
Instruction ID: fc730e7d3973f2329833de29a1f850a98b02104d574138ffadec5a76512e59d3
Opcode Fuzzy Hash: 052c7f42f8b03e55aa6a93ddd82dece66175cfaf008b1d23df2dc0444a09bf13
Instruction Fuzzy Hash: 2531683A6103099FDB306EE4C9A8BFD36A7AF4E360F90402EED4A5B149D2754EC5CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0226864A, Relevance: .6, Instructions: 569COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91133d6a059f63c5126a94b0936d3741f6608b9e06b07f0e0063c825ddb822f7
Instruction ID: abfdaf432ca9087bd6bcb0282d1dab1b53cc537f1980eaedb8830c7bc368e2dd
Opcode Fuzzy Hash: 91133d6a059f63c5126a94b0936d3741f6608b9e06b07f0e0063c825ddb822f7
Instruction Fuzzy Hash: 8912547221034A9FDB356E74C9983FA7BA3FF56350F914129DC8A87208D7B689C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022686C4, Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a46fcd3a19acb2a5371359cdedfbb1f09548ea8a35e1d3c1705e4744a4af7be7
Instruction ID: b9fc0ad76c605dd270f87eaa485818fdbff3d8fd4508ba5d142325d2f5293c7c
Opcode Fuzzy Hash: a46fcd3a19acb2a5371359cdedfbb1f09548ea8a35e1d3c1705e4744a4af7be7
Instruction Fuzzy Hash: 1712657261034A9FDB356E64C9983FA37A3FF66350F914129DC8687208D7B689C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022621A4, Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffda7c93445333211bac7b956b2096331d6f8ef6e7304900220e518cd6405e32
Instruction ID: 37779cadadfe9d5e7ed06cdd7ff3840bb3fbcc16572e0ead9ad6c8839e85e85b
Opcode Fuzzy Hash: ffda7c93445333211bac7b956b2096331d6f8ef6e7304900220e518cd6405e32
Instruction Fuzzy Hash: 6AF14C36269682CFE722EE6CD4A47E677B09F36310B54425BCCD44B267C362A587CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0226882E, Relevance: .5, Instructions: 504COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c67646c84516ba8aa99514f30fbb309a434c86be2e980dd04f5ad09d99006192
Instruction ID: 564d87cba9837059d41c6894863bece8ff24806e068f02a45d87feec7df48326
Opcode Fuzzy Hash: c67646c84516ba8aa99514f30fbb309a434c86be2e980dd04f5ad09d99006192
Instruction Fuzzy Hash: 4D02557261434A9FDB356E68C9983FA37A3EF66350F91402DDCCA87208D7B649C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02261850, Relevance: .5, Instructions: 503COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90d3b7ac370338af092f08ae588d074fc2ad00447344032fe04335e3df7a405
Instruction ID: e99ac80342fddf10cd2ed4c7a64bf6332fbd30c97ce4ab80bb6cfcd0e642a6bf
Opcode Fuzzy Hash: d90d3b7ac370338af092f08ae588d074fc2ad00447344032fe04335e3df7a405
Instruction Fuzzy Hash: 1902BD32A5834ADFDB349E688CA87FB33A3AF56390F45411ECC8997258D37589C5C702

Uniqueness

Uniqueness Score: -1.00%

Function 022618EE, Relevance: .5, Instructions: 483COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1c1bfd6ccc0929c7f1a35284f20cf9ae5a0ccdef09882f06f0f85673e6ce86c
Instruction ID: 9b5bf4973a9446d02b98dd06ffc615d951e0fb238c13252ed4de414ab925803e
Opcode Fuzzy Hash: b1c1bfd6ccc0929c7f1a35284f20cf9ae5a0ccdef09882f06f0f85673e6ce86c
Instruction Fuzzy Hash: F9F1AE32A58386DFDB349EA88DA87FB33A36F56390F45411ECC8997258D37589C5C702

Uniqueness

Uniqueness Score: -1.00%

Function 022688E8, Relevance: .5, Instructions: 477COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70ba7b5b8f115be4047784fc5b919831eda15395c81dbbf8bc8fbde181ac6773
Instruction ID: 6b55f58ccf91a08c7db9d5745b8320ce8d131e172efdd18b2824846cd21b1ae3
Opcode Fuzzy Hash: 70ba7b5b8f115be4047784fc5b919831eda15395c81dbbf8bc8fbde181ac6773
Instruction Fuzzy Hash: 71F1447261434A9FDB356E68C9983FA37A3EF66350F95402DDCCA8B208D77649C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02261974, Relevance: .5, Instructions: 464COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2db749011b11c9e135c5ca160002677192fa943b406601a9452e103ed1ada3d3
Instruction ID: 75e7bbf492c258f1f5c02b089e26cbd20b82e1af5ecfa6f125fdad90a74b0040
Opcode Fuzzy Hash: 2db749011b11c9e135c5ca160002677192fa943b406601a9452e103ed1ada3d3
Instruction Fuzzy Hash: D5F1BF32A58346DFDF349EA889A87FB33A36F56390F85411ECC8997258D37589C9C702

Uniqueness

Uniqueness Score: -1.00%

Function 02261A08, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4537cd92a6870b42f453b39e0d73059bee1f4a22a3b6d0d5ed3d72c391721810
Instruction ID: 9213532fc173756259e16084ac76d2494bc3ef50f6bf92eb09a910267dcb4bb2
Opcode Fuzzy Hash: 4537cd92a6870b42f453b39e0d73059bee1f4a22a3b6d0d5ed3d72c391721810
Instruction Fuzzy Hash: E9E1D132A58346DFDB309EB889A83FB33A36F56350F85421ECC8997259D37589C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 02268A12, Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12b444ef8eff9631d4255f7131f8fab268cee8134795ab8d648b1f7d6369785
Instruction ID: 0a0999b324075b623e753eaabb0ae5dedb680824c6d3bddd1febf7592a165bed
Opcode Fuzzy Hash: c12b444ef8eff9631d4255f7131f8fab268cee8134795ab8d648b1f7d6369785
Instruction Fuzzy Hash: 08F1547261034A9FDB356E68C9983FA37A3FF56350F954029DCCA87218D7B689C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02261AA6, Relevance: .4, Instructions: 422COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d468d13f353bf4d837f9d1cc03924a3814cb6ac01508b1766976be8d41d3e161
Instruction ID: 7eaf4093ddce75e8587af0ab054f68fda12754a405c87d04104587caff090da4
Opcode Fuzzy Hash: d468d13f353bf4d837f9d1cc03924a3814cb6ac01508b1766976be8d41d3e161
Instruction Fuzzy Hash: F3E1AF32A64346DFDB309EB889A83FB33A36F56350F85421ECC8997259D37589C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 02261B20, Relevance: .4, Instructions: 407COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4e9433ffe02c10e4804e9809d6656d62868b1175822da7363ff04fe006a39a9
Instruction ID: 0db24d0d12f4180ff504a644a22f07396c6088062fb2fb55b748c7cb7aec5542
Opcode Fuzzy Hash: b4e9433ffe02c10e4804e9809d6656d62868b1175822da7363ff04fe006a39a9
Instruction Fuzzy Hash: 3EE1BE32A18346DFDB309EB888A87EB33A36F56350F85421ECC8997259D37589C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 02261B94, Relevance: .4, Instructions: 400COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6aae9d3fbec7d537411641c1917b8ac66d6b55de6c9dac7d0b7a22e213f4f56e
Instruction ID: 45bb3a24c5f4279eccb02ce5d8d1d1b2c3659e6e2c2ae3bfd9503f401c295a9e
Opcode Fuzzy Hash: 6aae9d3fbec7d537411641c1917b8ac66d6b55de6c9dac7d0b7a22e213f4f56e
Instruction Fuzzy Hash: 07D1CE32A58386CFDB309E688CA87EB33B26F56350F85421ECC8997259D37589C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 022638BD, Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef5363ef2c4226fd4fab1b516969cc769fa0cdd599aedec7ea901e9bcb57b741
Instruction ID: 46c2b1e1ac9d485929d566d1de9aea7bec4a53cc474078ad99a75cb3b0ff1f85
Opcode Fuzzy Hash: ef5363ef2c4226fd4fab1b516969cc769fa0cdd599aedec7ea901e9bcb57b741
Instruction Fuzzy Hash: C7C15737658642CFDB31EE6CC894BE677F1EF69710F50415BD8998B225C372A9838B80

Uniqueness

Uniqueness Score: -1.00%

Function 02261BEE, Relevance: .4, Instructions: 387COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ff5c4ff1c829ce6bccedaa1a738a359465419b18446be70444ba8703a169fe1
Instruction ID: 7d70bc5f7c077e2017d5dbc58e0c7bdf425bd7c528e10a14bc43f119831542b1
Opcode Fuzzy Hash: 5ff5c4ff1c829ce6bccedaa1a738a359465419b18446be70444ba8703a169fe1
Instruction Fuzzy Hash: 9DD1AD32A58386DFDB309E6888A87EB33A36F56350F85421ECC8997259D37589C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 02268B80, Relevance: .4, Instructions: 386COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e61ae3b96ef12d880e7b89c7306551f348ac90eb6a049eee2e5e76d7d47818
Instruction ID: 06407a7a7c00565a1424ad61bcf11c188be5d919995cecc785edbaadb8a5f956
Opcode Fuzzy Hash: f2e61ae3b96ef12d880e7b89c7306551f348ac90eb6a049eee2e5e76d7d47818
Instruction Fuzzy Hash: 5ED1227261034A9FDB356E68C9983FA37A3FF56350F954029DCCA87218DB7685C6CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02268C0C, Relevance: .4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dabb4f2e395850415bfddb17485e59f90147d0dbc6277cee208b6a9e0d1c1f62
Instruction ID: ee96ae1a07f6fa78e7d36df4f554bc3ff572e17d2e34e698828997ca02734aa5
Opcode Fuzzy Hash: dabb4f2e395850415bfddb17485e59f90147d0dbc6277cee208b6a9e0d1c1f62
Instruction Fuzzy Hash: 54D1347261034A9FDF356E68C9943FA37A3EF56350F95402ADCC987218D77689C6CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02261C88, Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c15c9508b09479ee6fc5b80cc3426ea02a30bca46a525f863acc116abe4c9a87
Instruction ID: ffa9dc33ad0e76dfa7087fc30e5d434c1684e110798cd0a546b6c8588a6213e0
Opcode Fuzzy Hash: c15c9508b09479ee6fc5b80cc3426ea02a30bca46a525f863acc116abe4c9a87
Instruction Fuzzy Hash: 1FD1BE32A58386DFDF308E788DA87EB33A26F56350F89421ECC8997259D37589C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02268DC9, Relevance: .3, Instructions: 341COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d16fb2e2e0d74d60f96013c9ff83181b7b0d66d05455c34d6688fe75d56a0a68
Instruction ID: cfa4f7793c74ec818ea90edce79963a1442e588bcbbdfe073fabd6a516c5d120
Opcode Fuzzy Hash: d16fb2e2e0d74d60f96013c9ff83181b7b0d66d05455c34d6688fe75d56a0a68
Instruction Fuzzy Hash: 81C14472614346CFDB25AE68C9943FA37A2FF66310F95412EDCC987214C77289CACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02261DB2, Relevance: .3, Instructions: 331COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c1164ebe7ca60ca7471d528ac098447de66c5c8e92187dc811df4c729b60914
Instruction ID: cfbc15e657c25ec90d3be90870c3fc62093c4b0ceb62840ae24b9c9260204b46
Opcode Fuzzy Hash: 4c1164ebe7ca60ca7471d528ac098447de66c5c8e92187dc811df4c729b60914
Instruction Fuzzy Hash: E6B1C032A18386CFDF308E688D687FB77A26F56350F49421ECC899B299D37589C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 0226AF52, Relevance: .3, Instructions: 313COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f30ff96c4d0455d2d99a85166e1e4866fb6b8f4e92872e9ee81e308702a3be8
Instruction ID: 4b47768f7e30cbed5c2e5b8a5c2163dd61e041d7c57bd89235e29adc3289dc73
Opcode Fuzzy Hash: 9f30ff96c4d0455d2d99a85166e1e4866fb6b8f4e92872e9ee81e308702a3be8
Instruction Fuzzy Hash: 90B1597261434B9FDB309E78CD657EB32A6EF66794F804039DC8AEB508E3718981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02261ED2, Relevance: .3, Instructions: 289COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af8309adf9f8b7dd367fcd24c1e9547e656fe45b400d6ac988e7c17c8e739309
Instruction ID: b4264e2ad0513d9138e4d7e124331a7b9c8fd476d7f69229398af5a6a88bd7b9
Opcode Fuzzy Hash: af8309adf9f8b7dd367fcd24c1e9547e656fe45b400d6ac988e7c17c8e739309
Instruction Fuzzy Hash: C2A1CF32A18386DFDB309E7C8D683FA77A26F06350F89421ECC8997299D37589C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02262F54, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44af1d004f117162cac2b14b6463fe813b07d874ef9f2a095df2aa8d4217065b
Instruction ID: 93895a08049acb81ccb191918267af9f082fceb9b682c3966d88b35c67a382bb
Opcode Fuzzy Hash: 44af1d004f117162cac2b14b6463fe813b07d874ef9f2a095df2aa8d4217065b
Instruction Fuzzy Hash: 4E914932519BC2DFD722DA6C88497E77B61AF23730F5843DEC8944719AC372684AC781

Uniqueness

Uniqueness Score: -1.00%

Function 02261F80, Relevance: .3, Instructions: 275COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34d4ee9e7065c4477cfe8d5e308366b7e86cecfa7e45f4091b89d34103ae5140
Instruction ID: a57e11add5325cbdf35377073ecd240b0c408788b49a8da89cfb1f79b6c767b5
Opcode Fuzzy Hash: 34d4ee9e7065c4477cfe8d5e308366b7e86cecfa7e45f4091b89d34103ae5140
Instruction Fuzzy Hash: 0F91C032A18386DFDB319E7C8C683FA77A26F16360F89421ECC8557199D37549C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02268EBC, Relevance: .3, Instructions: 267COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0f424fda3df21b068edd417de8d052e512e4c2332667144c2debc474406d6f
Instruction ID: 27a45b49dbe834c5429d028ea14f9da86b10bb0e23cbcbd5109b401df3057ecb
Opcode Fuzzy Hash: 6f0f424fda3df21b068edd417de8d052e512e4c2332667144c2debc474406d6f
Instruction Fuzzy Hash: C8A1133261034A9FDB396E64C9943FA37A3BF56350F95412DDCCA8B118CBB689C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0226200C, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6519aecd2faf80656039d83f1552698d33bb2ccbaa19be45937b160f4598d195
Instruction ID: 57dd5fd79c8ec42ae66cda32e0c2a94e25c75db6480e5849e56d801b3485ed8a
Opcode Fuzzy Hash: 6519aecd2faf80656039d83f1552698d33bb2ccbaa19be45937b160f4598d195
Instruction Fuzzy Hash: 0F91CE32918386CFDB349E788CA83FA77A26F563A4F88421ECCC547199D37585C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02266453, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 807f4962de44c7511a8943422dac331a719331d12e62753bde93fb2874f2bd20
Instruction ID: 78226752da0701377f92281711ab47bbb573ec8b52d35c7b35ddbc5e093391da
Opcode Fuzzy Hash: 807f4962de44c7511a8943422dac331a719331d12e62753bde93fb2874f2bd20
Instruction Fuzzy Hash: 33815B32664256DFCB349E58C8587FA33A6EF193A0F45412BEC899B304D775AD86CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 0226B16C, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d390a1abebeb80775d3ab1f309b59bbc7e2a6045e13705f40363578de7b9973
Instruction ID: 0d31b5327f23e089cce6557bf1d8c57b389bdc0c03e14774662611c8c6177c35
Opcode Fuzzy Hash: 7d390a1abebeb80775d3ab1f309b59bbc7e2a6045e13705f40363578de7b9973
Instruction Fuzzy Hash: 9681463261434B9FDB309E78CD657EB32E6EF66794F844029DC8AEB508E3718981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02262090, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d7409a189466fd1f9b721c61c5eb753943ab14cc0f2364c4b0dd8db053db9274
Instruction ID: 820078b19e3d67c161ae6720d8457ae0b329626aaa4d0e7f28f0f4866c831f8c
Opcode Fuzzy Hash: d7409a189466fd1f9b721c61c5eb753943ab14cc0f2364c4b0dd8db053db9274
Instruction Fuzzy Hash: A981BD32928386DFDB349E788D683FA77A26F163A4F89421ECCC587199D33545C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02268FD8, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0c9cae0b117ffec1fe08cffce2b556f6dbee7ae5d008d79770fc9529d40c3a
Instruction ID: 46ba52a566fc27ea66833dd459b8517c804c8afc6f0b6a38a03fef8438d1174a
Opcode Fuzzy Hash: 1d0c9cae0b117ffec1fe08cffce2b556f6dbee7ae5d008d79770fc9529d40c3a
Instruction Fuzzy Hash: F981E13661034A9FDF396E64C9947F937A3BF66310F95412DDC8987218CBB689C5CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02262FC6, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71eb0c92bd0c4d18760ee12c520ef6ba429dd2d4f2b20f43fa302613882d18d9
Instruction ID: 1e2884a7d416dea86fd90dfd8ba7d7b9ff5bd4c1773729555241931ab04d9041
Opcode Fuzzy Hash: 71eb0c92bd0c4d18760ee12c520ef6ba429dd2d4f2b20f43fa302613882d18d9
Instruction Fuzzy Hash: 01714B324187C69AD732DA7C88097E77B62AF53730F5843DECC954728AD3B2294AC781

Uniqueness

Uniqueness Score: -1.00%

Function 02262F9B, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40dc34286acdb578644148d7d52590ef053f47741779d2d102631d1125a27344
Instruction ID: b2e4091ffe53cb41889f60b634256f8d2dbc6c4d93dbbb3b3c11205402279fbe
Opcode Fuzzy Hash: 40dc34286acdb578644148d7d52590ef053f47741779d2d102631d1125a27344
Instruction Fuzzy Hash: 388168724187C69AD7328AB889093E7BB626F53730F9943DECC854B28AD3B11845C781

Uniqueness

Uniqueness Score: -1.00%

Function 0226B200, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a202d36f8c675490ab5e07b2b00a43c746d6afd1d6327de345a292792a601110
Instruction ID: 57fe68f7981724dc42fbe6f1966fd7203e899c173403d164f74d9303cf1a1086
Opcode Fuzzy Hash: a202d36f8c675490ab5e07b2b00a43c746d6afd1d6327de345a292792a601110
Instruction Fuzzy Hash: 4581573261835B9FDB309E78C9657EB33A6EF26794F844029DC8AEB504E3718981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02262114, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8aafa1f9fbb71a3fdc481b2f3931602109ae6e5cf4ab34621128748cf8f041f2
Instruction ID: 1bf9215262125dc7ccb73a3a567c116e1304e616e1fdd1457da371bafd2ddcd9
Opcode Fuzzy Hash: 8aafa1f9fbb71a3fdc481b2f3931602109ae6e5cf4ab34621128748cf8f041f2
Instruction Fuzzy Hash: 3071BB32928386DFDB319EB88DA83FA77A26F163A4F88421ECCC587199C33545C5C742

Uniqueness

Uniqueness Score: -1.00%

Function 02266451, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f0a32ecf837c2a23beacf7bc6fe2fff8e3082ade74ea147f72a68eee212af67
Instruction ID: 2b9003c0e01215a5ab8a75eab270c46c079b525b61bb9459d5ba747e1c5ad481
Opcode Fuzzy Hash: 1f0a32ecf837c2a23beacf7bc6fe2fff8e3082ade74ea147f72a68eee212af67
Instruction Fuzzy Hash: 69713972A203569FCB359F54C8687F933A6EF493A0F45412AEC89AB304E7759DC5CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02266B22, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eceeeca655d2ed282a9704f6f0a907223c0077100699ed14b5be9f82628f744
Instruction ID: 325f25fabaa60b3817d761a20c88eadc4f8f23d9943356d297f3b5b34492a86b
Opcode Fuzzy Hash: 3eceeeca655d2ed282a9704f6f0a907223c0077100699ed14b5be9f82628f744
Instruction Fuzzy Hash: F9718C32624342CFDB305EB489987FA77A5EF56390F85025EDC95AB1A9C3798981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022639D8, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ffd481b66182e64c6f1a9d51af272bad1e530c80b2bb0cb47ae06179c1bc1c
Instruction ID: eeefce2216e139cef55f64101b8cc098209e949f67134b8d6e5aaf869c59f79a
Opcode Fuzzy Hash: e7ffd481b66182e64c6f1a9d51af272bad1e530c80b2bb0cb47ae06179c1bc1c
Instruction Fuzzy Hash: 9D613736618656CFDB30EEA88C44BEB77B2AFA8750F51415AEC8D8B214C3715DC28B81

Uniqueness

Uniqueness Score: -1.00%

Function 0226B2DA, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e7a94fab65566b8c0a3f5997bb079a190d623b4583707a1a17782a5c0617bc7
Instruction ID: e93d8f62fb549526e9472b5a676696fbc2503a0ac5d6d480ac68a8736969d35b
Opcode Fuzzy Hash: 1e7a94fab65566b8c0a3f5997bb079a190d623b4583707a1a17782a5c0617bc7
Instruction Fuzzy Hash: D571463261835B9FDB309E68CD657EB32A6EF25794F84402DDC8AEB504E3318A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02262285, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba05726411ce6818d515e12170d463f647e4890a6633ee074727fa84c5e0b7b3
Instruction ID: 8af29e5f75c561f532743153d5e6fa108ac1ce564451858a59bcadc65ad210a7
Opcode Fuzzy Hash: ba05726411ce6818d515e12170d463f647e4890a6633ee074727fa84c5e0b7b3
Instruction Fuzzy Hash: 8B619A32668786DFEB31EE788C687FA77A16F26350F88421ECC854718AC37154C5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02266DD8, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27746ce3fa59840a941620e0ebf3102b4db90262427d06bed1f5661bd8de6ad5
Instruction ID: 916b4f890e844b18cf1db46918b6408cf9871ff022ba7fab115e0227cd54bdc2
Opcode Fuzzy Hash: 27746ce3fa59840a941620e0ebf3102b4db90262427d06bed1f5661bd8de6ad5
Instruction Fuzzy Hash: B2519C32628742CFEB20AEB8C995BFA77E5EF25350F44021FDC9587259C3758986CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0226230A, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c715b811e8bd89aa6be6a3da1db89a75d59875af055b6c90e9054b52b8f7bc6
Instruction ID: 492430192755995c20b2471ec88f1c4c35443ac89b9f03e2d93bed5941821282
Opcode Fuzzy Hash: 9c715b811e8bd89aa6be6a3da1db89a75d59875af055b6c90e9054b52b8f7bc6
Instruction Fuzzy Hash: 3661AC32668786CFEB21DE7C8CA87FA37A16F26360F48435ECC850B18AC3755485CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022673E4, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90615ff08b040e9b807e79b6ab513c7910da7dd08039ee2ab988abf588d10fb2
Instruction ID: bfdaa8c2e89fad77f8900a5f34c0d0417127d4df41118cc51774590eb7b776b8
Opcode Fuzzy Hash: 90615ff08b040e9b807e79b6ab513c7910da7dd08039ee2ab988abf588d10fb2
Instruction Fuzzy Hash: D0514975614312DFD714AE38C9A97EA77A2FF15394F85826CDCC68B159D73488C1CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0226B378, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78ffe6802d8546280d13c81bb10660c4684a00b746882e4f7e74c4132a9df223
Instruction ID: 51ff29f915e3addd240ab91d491423bbef711bfd44e86097d89d0a7a53e3fa6a
Opcode Fuzzy Hash: 78ffe6802d8546280d13c81bb10660c4684a00b746882e4f7e74c4132a9df223
Instruction Fuzzy Hash: 9961363265435B9FDF308E78CD657EB32E6AF16790F84402ADC8AEB504E3718A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02262A98, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7207b94671541917c7db8fcdec3e2a52246b75c86ed2732c8021fe1a99da2aa2
Instruction ID: 0f9fd7a3adbfee74b5d5b57dbbe3a1ef4fe0223e33313ab6e0a929f6e480b284
Opcode Fuzzy Hash: 7207b94671541917c7db8fcdec3e2a52246b75c86ed2732c8021fe1a99da2aa2
Instruction Fuzzy Hash: 1D513533A58306DFDB30AEB889997FA37A2AF02360F5A422EDCD253558D37544C5CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02263174, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc5e9745ce3469845f74d229ddf98747d90c0c787facfdc9e41bfba3346bdb9d
Instruction ID: 441d21b795a1b5d904f1384e8d7adfa268618dc3e01d9d383cd5fb6e02052f7a
Opcode Fuzzy Hash: bc5e9745ce3469845f74d229ddf98747d90c0c787facfdc9e41bfba3346bdb9d
Instruction Fuzzy Hash: DB512832118BC69BD722CA7C88497E7BF626F53330F5843DAC8954B28AD3B16946C781

Uniqueness

Uniqueness Score: -1.00%

Function 02266C3A, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2505e5517360d9f0fabc66f642d3cd0cf3c18f95d6369a9cd38e0ba1285fc5e
Instruction ID: 24f126598c62a9392399d3b8f91bb0debe53b53398a421568a5a70cd633f5728
Opcode Fuzzy Hash: a2505e5517360d9f0fabc66f642d3cd0cf3c18f95d6369a9cd38e0ba1285fc5e
Instruction Fuzzy Hash: D351AD72624352CFDB305EB48D987FA37A6AF45390F41021EDC95AB298C37589C1CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0226B418, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9cbb232b79a3246d4e9aada0c4a10442e070d563456169136ba3a26e39e239d9
Instruction ID: 7155e425e88ee6cad21d90412ce7780d72ab4626629ddf4d62ceaa85b2c44ce4
Opcode Fuzzy Hash: 9cbb232b79a3246d4e9aada0c4a10442e070d563456169136ba3a26e39e239d9
Instruction Fuzzy Hash: 7351363265435B9FDB30CE74CD647EE32E6AF16390F404029DD8AEB604E3708A81CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02264700, Relevance: .2, Instructions: 154COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc252adf67e6b7cb8351572740a7e71885d4a748d42eee16a23c7bbfd6f11089
Instruction ID: a7aed2451956522f0d6e834bd545eff34f584c3cbee74f22f8aca2e9b77ccda9
Opcode Fuzzy Hash: cc252adf67e6b7cb8351572740a7e71885d4a748d42eee16a23c7bbfd6f11089
Instruction Fuzzy Hash: 30512B72710346DFDF30AEA4CCA87EB3667AF99340F948129DC898724AE73589C5CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02266D50, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37a6e7f49b9125ceb21dc2821d48fd2fed2eba9b8a38911db2397f354b767833
Instruction ID: c78ac3e2f0baec040c9967664d92685dd74bcca140b7884b272c82cb5bb4d742
Opcode Fuzzy Hash: 37a6e7f49b9125ceb21dc2821d48fd2fed2eba9b8a38911db2397f354b767833
Instruction Fuzzy Hash: F251AD72628352DFDB305EB88D597FA37B5AF05390F45021EDC96AB299C37489C1CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0226470A, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93fe1ed5c26a062579c41f32384123e4ea6609e15598e710dbde6dd30c330926
Instruction ID: 614a1df74aa1b5b606e51c085faf4f33fdd2b01208f52f45b846b1a725345cb8
Opcode Fuzzy Hash: 93fe1ed5c26a062579c41f32384123e4ea6609e15598e710dbde6dd30c330926
Instruction Fuzzy Hash: F7411972710346DFDF30AEA4CCA87EB3663AF99340F948029DC899720AE77589C5CB11

Uniqueness

Uniqueness Score: -1.00%

Function 0226475C, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf7272cdff6f31bb0f1ddf07d5e80d2a25e3d5ba3a1fe6a72b691156e909392
Instruction ID: 0cbc1a88c8805b2d18a110c1bd385bce90153d72fa199b79679692ccb441a23c
Opcode Fuzzy Hash: abf7272cdff6f31bb0f1ddf07d5e80d2a25e3d5ba3a1fe6a72b691156e909392
Instruction Fuzzy Hash: 7C411776710346DFDB30AE94CCE97EB3663AF99340F948029DC899720AE73589C5CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02264BCD, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e96e741d9093771cc76ef881d89867c250059231ecfad60e3a01450eb1625ff
Instruction ID: 74f05c76b5c1683907b45254b7d13784bc6cdfa0c57f656d4bda3320d676bcaf
Opcode Fuzzy Hash: 3e96e741d9093771cc76ef881d89867c250059231ecfad60e3a01450eb1625ff
Instruction Fuzzy Hash: 67410571B1434A9FDF349DF88D987EA37A69F86360F94412ADC89C7215E7309981CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02262BEE, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e018e46aacfcef9f53ba528683ec9bc899c9887eb9e28727f2db9adab5079b5
Instruction ID: 7c885ab2a8d1d65e4ce10605c71e639b881f700b9fa87e7ff0836ca6396a8d81
Opcode Fuzzy Hash: 4e018e46aacfcef9f53ba528683ec9bc899c9887eb9e28727f2db9adab5079b5
Instruction Fuzzy Hash: 1C413476A08306DFDB209EB489957EB73B2AF45350F8A062EDCC153508E37549C5CB43

Uniqueness

Uniqueness Score: -1.00%

Function 02267420, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b890c5d77ca272fd450ba85c21f69ef64440222d882f2796cfe30fcee431ee32
Instruction ID: fa46fbd2ad93b10531ed9ac4e025d25a4e340551d8e4ec2238bc42820a70a410
Opcode Fuzzy Hash: b890c5d77ca272fd450ba85c21f69ef64440222d882f2796cfe30fcee431ee32
Instruction Fuzzy Hash: 674118312053069FDB18AE38D5A97DABBA2FF25394F41412DDCCA8B16AD7709985CF80

Uniqueness

Uniqueness Score: -1.00%

Function 022647F0, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffadddc0df3d31e79e36a9d8ec8c17be3ddde2a100e2493e6dadf10bebb1dfde
Instruction ID: 2078eb6e3080d13f80085e39a6e9d4cc14366b2c5ea8c18a86ac1dba85b40a93
Opcode Fuzzy Hash: ffadddc0df3d31e79e36a9d8ec8c17be3ddde2a100e2493e6dadf10bebb1dfde
Instruction Fuzzy Hash: 34412672710346DFDF31AEA4CCA97EA3767AF55300FD440299C899B20AE77589C0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 022674D8, Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33b55677a0727db419da8aefeab87125642a4df7dbb372dd2ee94aa38f7d0f3a
Instruction ID: 9c18a2bda3f4e715e48ac0901c177011ec62df3ecc6b3a08cf5a8a244ca8d469
Opcode Fuzzy Hash: 33b55677a0727db419da8aefeab87125642a4df7dbb372dd2ee94aa38f7d0f3a
Instruction Fuzzy Hash: FF3125716043128FDB189E3985A97DDB7A2FF29394F50813CDC8A8B269D7749685CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02264890, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4aa62f87eb4716e018019c2d790dfebcf63cbe7ddd6378a2ad1210f83d800cd
Instruction ID: de983037c6504dda37afe80fd7b6b28696e1455606f2e01ee99491b47050d34e
Opcode Fuzzy Hash: e4aa62f87eb4716e018019c2d790dfebcf63cbe7ddd6378a2ad1210f83d800cd
Instruction Fuzzy Hash: 59312976B10346DFDF316EA4C8A97EA3663BF55310FD480299C8997209E7758AC0CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02264924, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 052360c610147cef4869e3a4b0ba99d2331f453a37d43be396956ec15f0b118e
Instruction ID: 0a15b80dfb6204a241a314597f18620f078cb5c164983bd48013dad0fddfebbf
Opcode Fuzzy Hash: 052360c610147cef4869e3a4b0ba99d2331f453a37d43be396956ec15f0b118e
Instruction Fuzzy Hash: 63210877B10306DFDF317DA4C8697E63266AF26350FD58029AC8697205E77589C1C741

Uniqueness

Uniqueness Score: -1.00%

Function 0226EF31, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b8d45fffcc3347041ff558b2ee2ebfcab5125527715cf4d4b1c0b91e43b08b9
Instruction ID: 0b0713a28988240255ef8efdac8a89a3daad01d7a7780116308955c89d6e184f
Opcode Fuzzy Hash: 5b8d45fffcc3347041ff558b2ee2ebfcab5125527715cf4d4b1c0b91e43b08b9
Instruction Fuzzy Hash: 42F0623A220202DFCB29DF44D5D8FA53362AF25740F424458E8468B659C7359881CA10

Uniqueness

Uniqueness Score: -1.00%

Function 02269D90, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a9732690de6fc360cfce81041ce66cf747a8b16b8c43924e50494c7ffe9687f
Instruction ID: 41da8a9a5ddeef6fd0f1264c2761f35fea44aca3248638aabf5fe29ca4523090
Opcode Fuzzy Hash: 3a9732690de6fc360cfce81041ce66cf747a8b16b8c43924e50494c7ffe9687f
Instruction Fuzzy Hash: F3C09B7A2415818FEF01EE08C451B407370F7147D4B0504D0D441DB711C718E901C500

Uniqueness

Uniqueness Score: -1.00%

Function 0226E55E, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1165660957.0000000002260000.00000040.00000001.sdmp, Offset: 02260000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54f8d6c3ba91fd74ea66705cb5ee1fe46ee17d4a1f048298106d2a194f85afe7
Instruction ID: c76938af6d70ccdbb833a572b2b576bf5d268ae1e423d7ecd5d02cb8b83352d8
Opcode Fuzzy Hash: 54f8d6c3ba91fd74ea66705cb5ee1fe46ee17d4a1f048298106d2a194f85afe7
Instruction Fuzzy Hash: 9AB09231350640CFCA42CE08C290F8073A0BF15A80B424480A8408BB11C324E804CA00

Uniqueness

Uniqueness Score: -1.00%

Function 004202B0, Relevance: 28.7, APIs: 19, Instructions: 182COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00420310
#522.MSVBVM60(?,?), ref: 0042031E
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042033A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042034D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402604,00000160), ref: 00420381
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 00420399
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 004203B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203D1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000120), ref: 004203F8
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00420416
__vbaStrVarMove.MSVBVM60(00000000), ref: 00420420
__vbaStrMove.MSVBVM60 ref: 0042042B
__vbaObjSet.MSVBVM60(?,?,00000000), ref: 00420437
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,00000040), ref: 00420459
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00420476
__vbaFreeVar.MSVBVM60 ref: 00420482
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0042049B
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204B4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,000000E8), ref: 004204DB

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$ListMove$#522CallLate
String ID:
API String ID: 1420797897-0
Opcode ID: b3f1e0660650dcc5e4a85bfcc8dd7bb2abf983a243178afc902934e260b560fe
Instruction ID: 0e0fecf169d42e48d74bf182181aeb2d1abfb6842c078734caf584d9e593d332
Opcode Fuzzy Hash: b3f1e0660650dcc5e4a85bfcc8dd7bb2abf983a243178afc902934e260b560fe
Instruction Fuzzy Hash: F1612AB1900259AFCB14DFA4DD88EDEBBB8FB08300F50452AF646B32A1D7785585CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF10, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FF65
__vbaStrCopy.MSVBVM60 ref: 0041FF6F
#515.MSVBVM60(?,?,00000002), ref: 0041FF88
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FFA4
__vbaFreeVar.MSVBVM60 ref: 0041FFB0
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 0041FFD1
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,0000004C), ref: 0041FFF6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F4C,00000024), ref: 00420024
__vbaStrMove.MSVBVM60 ref: 00420033
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 00420055
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042006E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C4C,00000068), ref: 0042008F

Strings

CAREENING, xrefs: 00420005
Monascidian, xrefs: 0042000A
var, xrefs: 0041FF67

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$CopyNew2$#515FreeMove
String ID: CAREENING$Monascidian$var
API String ID: 4233795418-1736873049
Opcode ID: cc931e4582ae2ea7be36b5809e83c00f282f1072ff100e9fa66893876d9d69eb
Instruction ID: c44dee2dc62ff2fc8c61da4e4f9754a0c3d93d68b6470f9585ebb757eed5dd21
Opcode Fuzzy Hash: cc931e4582ae2ea7be36b5809e83c00f282f1072ff100e9fa66893876d9d69eb
Instruction Fuzzy Hash: DA513AB1900219ABCB14DF95DE88EDEBBF8FF58700F20442AE505F72A0D7B85945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F7E0, Relevance: 16.6, APIs: 11, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041F832
__vbaI4Str.MSVBVM60(00402E9C), ref: 0041F83D
#697.MSVBVM60(00000000), ref: 0041F844
__vbaStrMove.MSVBVM60 ref: 0041F84F
__vbaStrCmp.MSVBVM60(00402B94,00000000), ref: 0041F85B
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 0041F88F
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,0000001C), ref: 0041F8B4
__vbaCastObj.MSVBVM60(?,00402D78), ref: 0041F8E8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EBC,00000058), ref: 0041F90D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F91D

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#697CastCopyFreeListMoveNew2
String ID:
API String ID: 2450880159-0
Opcode ID: 3fcb1c583b81b86df17cdd1f7a49b09476406843e95656e0e45bd9719b15cbbc
Instruction ID: f08b1d51fd462b04ac1047bd4c345535ad39708bb9795b788b35618e02b45a92
Opcode Fuzzy Hash: 3fcb1c583b81b86df17cdd1f7a49b09476406843e95656e0e45bd9719b15cbbc
Instruction Fuzzy Hash: 764130B1D40205ABCB04DFA5DA49ADEBBB8FF48701F10812AF541F72A0D7785985CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F550, Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041F591
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F59B
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5B8
#570.MSVBVM60(0000004F,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5C1
__vbaNew2.MSVBVM60(00401CB0,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5DA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F5F3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C18,00000158), ref: 0041F61A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041F62A
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F634
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F647
__vbaFreeVar.MSVBVM60 ref: 0041F653

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#538#557#570CallCheckHresultLateListNew2
String ID:
API String ID: 729259385-0
Opcode ID: 979b762afe6cfe254df0eaa77d916d27259bd1614a5b3a8550c865b30afaf225
Instruction ID: 87394258a2b30c990400dfc2cc4ebfb7d2b8126c2225fd148ef610387fef0748
Opcode Fuzzy Hash: 979b762afe6cfe254df0eaa77d916d27259bd1614a5b3a8550c865b30afaf225
Instruction Fuzzy Hash: B0319E74940244AFCB10DFA4DE89FEEB7B8FB88B00F00452AF542B71A0D7785546CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6A0, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 76COMMON

Download Yara Rule

APIs

#591.MSVBVM60(?), ref: 0041F6E9
__vbaStrMove.MSVBVM60 ref: 0041F6F4
__vbaStrCmp.MSVBVM60(Integer,00000000), ref: 0041F700
__vbaFreeVar.MSVBVM60 ref: 0041F71C
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041F73A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F753
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000080), ref: 0041F77A

Strings

Integer, xrefs: 0041F6FB
KK, xrefs: 0041F6DB

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#591CheckFreeHresultMoveNew2
String ID: Integer$KK
API String ID: 2345547297-2898439456
Opcode ID: 5b242a9285677f7888c145d28a9ea7f081b4154bfebe40f5969823221cd65512
Instruction ID: 74d031bf094f58b22b99d9414bad0201e411197988d685f0dd1dd355f8dbfcaa
Opcode Fuzzy Hash: 5b242a9285677f7888c145d28a9ea7f081b4154bfebe40f5969823221cd65512
Instruction Fuzzy Hash: B8219175940214ABCB10DF94DE48EEEBBB8FB48700F104126E552F32A0D7785946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDE0, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 74COMMON

Download Yara Rule

APIs

#606.MSVBVM60(00000001,?), ref: 0041FE34
__vbaStrMove.MSVBVM60 ref: 0041FE3F
__vbaStrCmp.MSVBVM60(00402BC0,00000000), ref: 0041FE4B
__vbaFreeVar.MSVBVM60 ref: 0041FE67
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 0041FE84
__vbaObjSetAddref.MSVBVM60(?,00401218), ref: 0041FE9A
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,00000010), ref: 0041FEB7

Strings

, xrefs: 0041FE26

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#606AddrefCheckFreeHresultMoveNew2
String ID:
API String ID: 100920133-3916222277
Opcode ID: 9e9a7665fde057b89f2afbd9f27e3a1437d87d9b5927b71e6fd49077b3cde9f2
Instruction ID: fd1ef77a9c7816bcb68fb86c5cfca6dd9ec17080beaa57d2da966c47b8b88851
Opcode Fuzzy Hash: 9e9a7665fde057b89f2afbd9f27e3a1437d87d9b5927b71e6fd49077b3cde9f2
Instruction Fuzzy Hash: 9C218071900245EFCB00DFA4DE89AEEBBB4FB08705F10412AE942F32A1D7781945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F190, Relevance: 13.6, APIs: 9, Instructions: 116COMMON

Download Yara Rule

APIs

#693.MSVBVM60(00402B94), ref: 0041F1E7
#685.MSVBVM60 ref: 0041F1F5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F206
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041F23F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F258
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001A8), ref: 0041F27E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402E88,00000044), ref: 0041F2B1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F2C1
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041F2D9

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultList$#685#693New2
String ID:
API String ID: 587155547-0
Opcode ID: 1dc30bcd98b2945004ec01dd363606faca10bcbbe5d45e45391327140d163a4c
Instruction ID: f2238c730e812e15b9af2a31d57ba61689bbb4d57933f49bac823f77d2829b1b
Opcode Fuzzy Hash: 1dc30bcd98b2945004ec01dd363606faca10bcbbe5d45e45391327140d163a4c
Instruction Fuzzy Hash: 1A4116B1D00208AFCB14CFD9D988AEEBBB8BB48700F50846AF655F7290D7785546CF69

Uniqueness

Uniqueness Score: -1.00%

Function 0041F340, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041F37D
__vbaI4Str.MSVBVM60(00402E9C), ref: 0041F388
#698.MSVBVM60(?,00000000), ref: 0041F393
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F3AF
__vbaFreeVar.MSVBVM60 ref: 0041F3BA
#569.MSVBVM60(00000068), ref: 0041F3C7

Strings

G*, xrefs: 0041F3CD

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#569#698CopyFree
String ID: G*
API String ID: 2968886617-626655979
Opcode ID: 60aec882c9ec493c355c7fb624f3927213cb4d9c7d91bfd3dcb5c502c74ede1f
Instruction ID: b0e84c022fbe0f5b509436cef364a8b4504e7348e9ac6496f93ce0ea21ef1e60
Opcode Fuzzy Hash: 60aec882c9ec493c355c7fb624f3927213cb4d9c7d91bfd3dcb5c502c74ede1f
Instruction Fuzzy Hash: 17111FB5C002499BCB14DFA5DA499DEFBB8FF48700F10C12AE522B36A0D778554ACF65

Uniqueness

Uniqueness Score: -1.00%

Function 00420550, Relevance: 12.1, APIs: 8, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004205A2
__vbaVarDup.MSVBVM60 ref: 004205BC
#528.MSVBVM60(?,?), ref: 004205CA
__vbaVarTstNe.MSVBVM60(?,?), ref: 004205E6
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004205F9
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 00420619
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,0000001C), ref: 0042063E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EBC,00000050), ref: 0042065E

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#528CopyFreeListNew2
String ID:
API String ID: 2438565423-0
Opcode ID: 9b0c51f805c69fe251da69a0e7a2cd308c7c5e16e6d82c383b7e975eb7034026
Instruction ID: 466821d77249ec5c5a6bd06a11d7a5ad028c8a85f198cc384b3571c2e1bcad18
Opcode Fuzzy Hash: 9b0c51f805c69fe251da69a0e7a2cd308c7c5e16e6d82c383b7e975eb7034026
Instruction Fuzzy Hash: D0312C70D00249AFCB04DFA5D949ADEBBB8FF98704F10801AE515B72A0D7B85545CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004206C0, Relevance: 10.6, APIs: 7, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 00420713
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420732
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0042074E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420767
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,000000E8), ref: 0042078A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001EC), ref: 004207CA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004207E3

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: 143606b637eb0e5279eaedbbca68928b43a870a85676a4f9d7213b77864c1449
Instruction ID: 80c763b738411025c93d36ac36ca218f8c0eedd0750852d461d6f84247394975
Opcode Fuzzy Hash: 143606b637eb0e5279eaedbbca68928b43a870a85676a4f9d7213b77864c1449
Instruction Fuzzy Hash: 85312FB0A00214AFC710DFA8DD89F9A7BF8FB48700F10856AF945F7251D6789946CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 0041FAB0, Relevance: 10.6, APIs: 7, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041FAF7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB16
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041FB32
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FB4B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000198), ref: 0041FB6E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001EC), ref: 0041FBAE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FBC7

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: 05941198ae26adf8f085df5744db2805b72825f9783bcf0d63041d7ab72a54dd
Instruction ID: 0b4ad5597fdf40e71fd2b972adfc34c96e4442e45c821166b2a432e63a0e73f3
Opcode Fuzzy Hash: 05941198ae26adf8f085df5744db2805b72825f9783bcf0d63041d7ab72a54dd
Instruction Fuzzy Hash: 6B314FB0A00204ABC700DFA4DD49FDE7BB8FB48704F10457AF945F7291D6789946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FC30, Relevance: 9.1, APIs: 6, Instructions: 120COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041FC83
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FC9C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402C3C,00000224), ref: 0041FD23
__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041FD47
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD60
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000000D0), ref: 0041FD87

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2
String ID:
API String ID: 1998677070-0
Opcode ID: 7631320c229858d9d6c3f9512fefa413543b0e465147c8d91de7a05fee326136
Instruction ID: ad06103c70c936838a197d8520f48d3a4df8d81d604f52c1579bdc26bad6b44b
Opcode Fuzzy Hash: 7631320c229858d9d6c3f9512fefa413543b0e465147c8d91de7a05fee326136
Instruction Fuzzy Hash: 00416D74A00214AFCB04DFA8D988E9ABBF8FF48700F10856AE945F7361D7789846CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041F420, Relevance: 9.1, APIs: 6, Instructions: 78COMMON

Download Yara Rule

APIs

#713.MSVBVM60(00402EA8,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F465
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F470
__vbaStrCmp.MSVBVM60(00402EB4,00000000,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F47C
__vbaNew2.MSVBVM60(00402BE4,004223C0,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4AC
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,0000001C,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4D1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402EBC,00000050,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F4F1

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#713MoveNew2
String ID:
API String ID: 3298162717-0
Opcode ID: 21a2bb91353c7c1d26fee9ea561a6694d93ebeec54c3ffe5abd1b5059aa65077
Instruction ID: 8d7338eb987c0cb1ad37b949310fee315236fb652a35c0c1d17985fb2f767bd7
Opcode Fuzzy Hash: 21a2bb91353c7c1d26fee9ea561a6694d93ebeec54c3ffe5abd1b5059aa65077
Instruction Fuzzy Hash: 51219175940214ABCB10DFA4DE49AAFBBB8FF58700F204126F942F72A1D77C5846CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00420900, Relevance: 9.1, APIs: 6, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 0042095A
#564.MSVBVM60(?,?), ref: 00420968
__vbaHresultCheck.MSVBVM60(00000000), ref: 00420973
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042098F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004209A1
#568.MSVBVM60(00000093), ref: 004209B4

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#564#568CheckFreeHresultList
String ID:
API String ID: 1114338403-0
Opcode ID: 45a588269ce4b929e0321b472cbcc01945c1a0f300cb3f7b0093a1813fd2ac11
Instruction ID: 578f933fd0a20bef90f3b72ec11ca918e36e48351d853c1e40b6b01f2ef5b07d
Opcode Fuzzy Hash: 45a588269ce4b929e0321b472cbcc01945c1a0f300cb3f7b0093a1813fd2ac11
Instruction Fuzzy Hash: 5C2113B5800258AFDB00DFD4D989ADEBFB8FB48B04F10411AF506BB291D7B85589CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 004201A0, Relevance: 7.6, APIs: 5, Instructions: 68COMMON

Download Yara Rule

APIs

#592.MSVBVM60(?), ref: 004201E2
__vbaFreeVar.MSVBVM60 ref: 004201F9
__vbaNew2.MSVBVM60(00402BE4,004223C0), ref: 00420217
__vbaHresultCheckObj.MSVBVM60(00000000,02BBEDD4,00402BD4,0000001C), ref: 0042023C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402EBC,00000050), ref: 0042025C

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$#592FreeNew2
String ID:
API String ID: 1182041094-0
Opcode ID: 5d5406ef51d9e9b00a45c5a2432aa78f24c24e6f3d2c4d837006b997a95bcf1e
Instruction ID: 40bcdece13b505ff9b8c5915d1980905f9933acf4b136c28cc88a8a3298e0c42
Opcode Fuzzy Hash: 5d5406ef51d9e9b00a45c5a2432aa78f24c24e6f3d2c4d837006b997a95bcf1e
Instruction Fuzzy Hash: 15219274640265EBDB10DFA4DE4DF9E7BB8EF08B04F50006AE941F3291D77858458BB9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F990, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E0041F990(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _t21;
				intOrPtr* _t23;
				intOrPtr* _t25;
				void* _t28;
				intOrPtr* _t30;
				intOrPtr* _t40;
				void* _t41;
				void* _t43;
				intOrPtr _t44;
				intOrPtr _t45;

				_t44 = _t43 - 0xc;
				 *[fs:0x0] = _t44;
				_t45 = _t44 - 0x2c;
				_v16 = _t45;
				_v12 = 0x4011e8;
				_v8 = 0;
				_t21 = _a4;
				 *((intOrPtr*)( *_t21 + 4))(_t21, __edi, __esi, __ebx,  *[fs:0x0], 0x4012c6, _t41);
				_t23 =  *0x422010; // 0x672090
				_v32 = 0;
				_v28 = 0;
				_v36 = 0;
				if(_t23 == 0) {
					__imp____vbaNew2(0x401cb0, 0x422010);
					_t23 =  *0x422010; // 0x672090
				}
				_t25 =  &_v36;
				__imp____vbaObjSet(_t25,  *((intOrPtr*)( *_t23 + 0x318))(_t23));
				_t30 = _t45 - 0x10;
				 *_t30 = 0xa;
				_t40 = _t25;
				 *((intOrPtr*)(_t30 + 4)) = _v48;
				 *((intOrPtr*)(_t30 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t30 + 0xc)) = _v40;
				_t28 =  *((intOrPtr*)( *_t40 + 0x1ec))(_t40, L"Skottehistorien");
				asm("fclex");
				if(_t28 < 0) {
					__imp____vbaHresultCheckObj(_t28, _t40, 0x402bf4, 0x1ec);
				}
				__imp__();
				_v32 = 0x99500000;
				_v28 = 0x4202a36b;
				asm("wait");
				_push(0x41fa74);
				return _t28;
			}

0x0041f993
0x0041f9a2
0x0041f9a9
0x0041f9af
0x0041f9b2
0x0041f9bb
0x0041f9be
0x0041f9c4
0x0041f9c7
0x0041f9ce
0x0041f9d1
0x0041f9d4
0x0041f9d7
0x0041f9e3
0x0041f9e9
0x0041f9e9
0x0041f9f8
0x0041f9fc
0x0041fa05
0x0041fa0c
0x0041fa11
0x0041fa15
0x0041fa1d
0x0041fa29
0x0041fa2c
0x0041fa32
0x0041fa36
0x0041fa44
0x0041fa44
0x0041fa4d
0x0041fa53
0x0041fa5a
0x0041fa61
0x0041fa62
0x00000000

APIs

__vbaNew2.MSVBVM60(00401CB0,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F9E3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004012C6), ref: 0041F9FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001EC), ref: 0041FA44

Strings

Skottehistorien, xrefs: 0041FA23

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2
String ID: Skottehistorien
API String ID: 1998677070-3067532313
Opcode ID: 39e6804842ca777069b495f4590a70b2573e962876daa0d25bb7ba6522cad54b
Instruction ID: 2f878d1ef41d8f918f5758ee3b12de5e10e70eb4e82658593cb02e46803c32df
Opcode Fuzzy Hash: 39e6804842ca777069b495f4590a70b2573e962876daa0d25bb7ba6522cad54b
Instruction Fuzzy Hash: B0211270A40244ABCB04DF99C989B9EBBF9FF48700F10856AF505F7251C7789941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F0A0, Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401CB0,00422010), ref: 0041F0E3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F0FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,000001EC), ref: 0041F144

Strings

weet, xrefs: 0041F123

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2
String ID: weet
API String ID: 1998677070-3595723829
Opcode ID: 16a91abf50a17745c3a2f5ec45712f0b4c75e0d88d033750de8cc32463298a2f
Instruction ID: b18f816f5a6cebd8c12166cbe7d8e9cc0fdb23e9e9537a48601d615afbc732c5
Opcode Fuzzy Hash: 16a91abf50a17745c3a2f5ec45712f0b4c75e0d88d033750de8cc32463298a2f
Instruction Fuzzy Hash: DF114FB4A40245ABC714DF68CA49F9ABBF8FB08700F10853AE645F7291D7B89845CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00420830, Relevance: 6.1, APIs: 4, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,004012C6), ref: 00420867
__vbaNew2.MSVBVM60(00401CB0,00422010,?,?,?,?,?,?,?,004012C6), ref: 00420880
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004012C6), ref: 00420899
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BF4,00000208,?,?,?,?,?,?,?,004012C6), ref: 004208BC

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckCopyHresultNew2
String ID:
API String ID: 551848230-0
Opcode ID: eda14538a48c8a0219fd8bb71ed42c437e1a3965576d7843c36b0801c5584cd9
Instruction ID: a448b1606826b86465dc73a6a10ab5b7440b45eedcd1d608e5fb8c8a099c5116
Opcode Fuzzy Hash: eda14538a48c8a0219fd8bb71ed42c437e1a3965576d7843c36b0801c5584cd9
Instruction Fuzzy Hash: 5F119170640204ABC710EF94DE89FAF7BF8EB48701F604526F642F32A1C7785941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420110, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00420110(intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v24;
				intOrPtr* _t13;
				signed char _t14;
				intOrPtr* _t15;
				void* _t18;
				void* _t23;
				void* _t25;
				intOrPtr _t27;

				 *[fs:0x0] = _t27;
				_v16 = _t27 - 0x18;
				_v12 = 0x401240;
				_v8 = 0;
				_t13 = _a4;
				_t14 =  *((intOrPtr*)( *_t13 + 4))(_t13, _t23, _t25, _t18,  *[fs:0x0], 0x4012c6);
				__imp____vbaR4Str(0x402f60);
				asm("fcomp dword [0x401238]");
				asm("fnstsw ax");
				if((_t14 & 0x00000040) == 0) {
					__imp____vbaFileOpen(0x20, 0xffffffff, 0x30, L"imprejudice");
				}
				_t15 = _a4;
				 *((intOrPtr*)( *_t15 + 8))(_t15);
				 *[fs:0x0] = _v24;
				return _v8;
			}

0x00420122
0x0042012f
0x00420132
0x00420139
0x00420140
0x00420146
0x0042014e
0x00420154
0x0042015a
0x0042015f
0x0042016c
0x0042016c
0x00420172
0x00420178
0x00420183
0x0042018e

APIs

__vbaR4Str.MSVBVM60(00402F60,?,?,?,?,?,?,?,?,004012C6), ref: 0042014E
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000030,imprejudice,?,?,?,?,?,?,?,?,004012C6), ref: 0042016C

Strings

imprejudice, xrefs: 00420161

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FileOpen
String ID: imprejudice
API String ID: 1444369698-3142114848
Opcode ID: 4648fbe6b61b5df8a957627bb43158804514bfa391af7bbef9485ac94a78e1ad
Instruction ID: 102e3ee6a913a2b95496c33a2415a355c9345f5361aad1fbb880c949e85a82ba
Opcode Fuzzy Hash: 4648fbe6b61b5df8a957627bb43158804514bfa391af7bbef9485ac94a78e1ad
Instruction Fuzzy Hash: B4018F75A40308EFC700DF98DA49B4ABBB8FB48B51F1082AAF945B73D0C7785940CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00420A00, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00420A54
#532.MSVBVM60(Emotionen3), ref: 00420A64

Strings

Emotionen3, xrefs: 00420A5F

Memory Dump Source

Source File: 00000000.00000002.1165107266.000000000041C000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1165049333.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1165068900.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165075886.0000000000405000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1165126247.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1165134381.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #532__vba
String ID: Emotionen3
API String ID: 1414456671-3255538820
Opcode ID: fc8f5e4f67e11ac4de43f197bea584acbf928a5f3cb567b4a0d4f6d447c5e0d6
Instruction ID: ead9a4eb372936f445d78b365acd555a79736c541dcde73f5b34c5a506c41245
Opcode Fuzzy Hash: fc8f5e4f67e11ac4de43f197bea584acbf928a5f3cb567b4a0d4f6d447c5e0d6
Instruction Fuzzy Hash: 83F04FB4901208ABCB10DF94DA49B9EBBF8FB18745FA0405EF401B2290C7B81A098F69

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Odeme_310521657_876007850.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Initial Sample

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Odeme_310521657_876007850.exe PID: 6940 Parent PID: 5828

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Odeme_310521657_876007850.exe PID: 6940 Parent PID: 5828 Odeme_310521657_876007850.exeCOMMON

Executed Functions

Function 0226A488, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 720COMMON

Function 0226A56A, Relevance: 1.7, APIs: 1, Instructions: 225COMMON

Function 0226A5F6, Relevance: 1.7, APIs: 1, Instructions: 209memorynativeCOMMON

Function 0226A692, Relevance: 1.7, APIs: 1, Instructions: 187memorynativeCOMMON