Play interactive tour

Edit tour

Analysis Report Order-078CNLTD.exe

Overview

General Information

Sample Name:	Order-078CNLTD.exe
Analysis ID:	433965
MD5:	db7cc0b29cf38b5ed2a176c0043b2a58
SHA1:	8e5c1a3ca8e4b5cd7c43cd7f0acbc40a09cefbef
SHA256:	aa70c51a1df950f7b8406f4599a7e3bb89bc61fec570fc0e3a53826d42cbf13c
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Order-078CNLTD.exe (PID: 5800 cmdline: 'C:\Users\user\Desktop\Order-078CNLTD.exe' MD5: DB7CC0B29CF38B5ED2A176C0043B2A58)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/TODAY_tRiyv97.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/TODAY_tRiyv97.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: Order-078CNLTD.exe	Virustotal: Detection: 70%	Perma Link
Source: Order-078CNLTD.exe	Metadefender: Detection: 25%	Perma Link
Source: Order-078CNLTD.exe	ReversingLabs: Detection: 86%

Source: Order-078CNLTD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/TODAY_tRiyv97.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Order-078CNLTD.exe

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02103179 NtAllocateVirtualMemory,		0_2_02103179
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105DA2 NtProtectVirtualMemory,		0_2_02105DA2

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02106A9E	0_2_02106A9E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021018ED	0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105633	0_2_02105633
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102637	0_2_02102637
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210263B	0_2_0210263B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210263F	0_2_0210263F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102653	0_2_02102653
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102657	0_2_02102657
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210265B	0_2_0210265B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210265F	0_2_0210265F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102643	0_2_02102643
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102647	0_2_02102647
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210264B	0_2_0210264B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02106E4E	0_2_02106E4E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210264F	0_2_0210264F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102673	0_2_02102673
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102663	0_2_02102663
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102667	0_2_02102667
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210266E	0_2_0210266E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021026AE	0_2_021026AE
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056D9	0_2_021056D9
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056DB	0_2_021056DB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056DF	0_2_021056DF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056F3	0_2_021056F3
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056F7	0_2_021056F7
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056FB	0_2_021056FB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056FF	0_2_021056FF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056E3	0_2_021056E3
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056E7	0_2_021056E7
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056EB	0_2_021056EB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021056EF	0_2_021056EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105713	0_2_02105713
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105703	0_2_02105703
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105707	0_2_02105707
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210570E	0_2_0210570E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210574E	0_2_0210574E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104C4F	0_2_02104C4F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104CC0	0_2_02104CC0
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104D1A	0_2_02104D1A
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210155C	0_2_0210155C
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021015D4	0_2_021015D4

Source: Order-078CNLTD.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Order-078CNLTD.exe, 00000000.00000000.211129834.0000000000447000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameOneiro.exe vs Order-078CNLTD.exe
Source: Order-078CNLTD.exe	Binary or memory string: OriginalFilenameOneiro.exe vs Order-078CNLTD.exe

Source: Order-078CNLTD.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0

Source: Order-078CNLTD.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Order-078CNLTD.exe	Virustotal: Detection: 70%
Source: Order-078CNLTD.exe	Metadefender: Detection: 25%
Source: Order-078CNLTD.exe	ReversingLabs: Detection: 86%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00401260 pushfd ; retf 0042h	0_2_00401261
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0041C42A push ss; ret	0_2_0041C431
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0041A4EE push edi; iretd	0_2_0041A4EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00419E84 push cs; ret	0_2_00419E85
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0041A372 pushad ; ret	0_2_0041A379
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0041C12C push ds; ret	0_2_0041C131
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0041B998 push 8DED9D04h; retf	0_2_0041B99D
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_005424F3 push edx; ret	0_2_00542521
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00541054 push edx; ret	0_2_00541081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00542854 push edx; ret	0_2_00542881
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00544054 push edx; ret	0_2_00544081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00545854 push edx; ret	0_2_00545881
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00547054 push edx; ret	0_2_00547081
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00546844 push edx; ret	0_2_00546871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00540843 push edx; ret	0_2_00540871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00542043 push edx; ret	0_2_00542071
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00543843 push edx; ret	0_2_00543871
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00545043 push edx; ret	0_2_00545071
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00542074 push edx; ret	0_2_005420A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00543874 push edx; ret	0_2_005438A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00545074 push edx; ret	0_2_005450A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00546875 push edx; ret	0_2_005468A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00540878 push edx; ret	0_2_005408A1
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00546065 push edx; ret	0_2_00546091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00543063 push edx; ret	0_2_00543091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00541863 push edx; ret	0_2_00541891
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00544863 push edx; ret	0_2_00544891
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00540068 push edx; ret	0_2_00540091
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00546814 push edx; ret	0_2_00546841
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00543813 push edx; ret	0_2_00543841
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_00542013 push edx; ret	0_2_00542041

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02106A9E	0_2_02106A9E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021028E8	0_2_021028E8
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021028EB	0_2_021028EB
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021018ED	0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021028EF	0_2_021028EF
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102913	0_2_02102913
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102917	0_2_02102917
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210291B	0_2_0210291B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210291F	0_2_0210291F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210290F	0_2_0210290F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102923	0_2_02102923
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210512B	0_2_0210512B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105153	0_2_02105153
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105157	0_2_02105157
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210515B	0_2_0210515B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210515F	0_2_0210515F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210514F	0_2_0210514F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102637	0_2_02102637
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210263B	0_2_0210263B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210263F	0_2_0210263F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102653	0_2_02102653
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102657	0_2_02102657
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210265B	0_2_0210265B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210265F	0_2_0210265F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102643	0_2_02102643
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102647	0_2_02102647
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210264B	0_2_0210264B
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210264F	0_2_0210264F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102673	0_2_02102673
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102663	0_2_02102663
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102667	0_2_02102667
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210266E	0_2_0210266E
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021026AE	0_2_021026AE
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104C4F	0_2_02104C4F
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104D1A	0_2_02104D1A
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_0210155C	0_2_0210155C
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021015D4	0_2_021015D4

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105246 second address: 0000000002105246 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 00000000021052BC second address: 00000000021052BC instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 00000000021053D3 second address: 00000000021053D3 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105066 second address: 0000000002105100 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, AD9Ah 0x0000000f xor edi, edi 0x00000011 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001b call 00007F0FCD0B577Ch 0x00000020 call 00007F0FCD0B577Fh 0x00000025 lfence 0x00000028 mov edx, 7FFEFDDCh 0x0000002d add edx, FFFFB1D9h 0x00000033 sub edx, 0000CDF5h 0x00000039 add edx, 00001E54h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 cmp ecx, ebx 0x00000046 cmp ecx, ecx 0x00000048 pushad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105100 second address: 00000000021050B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, 9ED2h 0x0000000f ret 0x00000010 mov esi, edx 0x00000012 pushad 0x00000013 rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105246 second address: 0000000002105246 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 00000000021052BC second address: 00000000021052BC instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 00000000021053D3 second address: 00000000021053D3 instructions:
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105066 second address: 0000000002105100 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, AD9Ah 0x0000000f xor edi, edi 0x00000011 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001b call 00007F0FCD0B577Ch 0x00000020 call 00007F0FCD0B577Fh 0x00000025 lfence 0x00000028 mov edx, 7FFEFDDCh 0x0000002d add edx, FFFFB1D9h 0x00000033 sub edx, 0000CDF5h 0x00000039 add edx, 00001E54h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 cmp ecx, ebx 0x00000046 cmp ecx, ecx 0x00000048 pushad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	RDTSC instruction interceptor: First address: 0000000002105100 second address: 00000000021050B5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cx, 9ED2h 0x0000000f ret 0x00000010 mov esi, edx 0x00000012 pushad 0x00000013 rdtsc

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Code function: 0_2_02101202 rdtsc

0_2_02101202

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Code function: 0_2_02101202 rdtsc

0_2_02101202

Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104A24 mov eax, dword ptr fs:[00000030h]	0_2_02104A24
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102006 mov eax, dword ptr fs:[00000030h]	0_2_02102006
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_021018ED mov eax, dword ptr fs:[00000030h]	0_2_021018ED
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02104E30 mov eax, dword ptr fs:[00000030h]	0_2_02104E30
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02105633 mov eax, dword ptr fs:[00000030h]	0_2_02105633
Source: C:\Users\user\Desktop\Order-078CNLTD.exe	Code function: 0_2_02102E68 mov eax, dword ptr fs:[00000030h]	0_2_02102E68

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Order-078CNLTD.exe, 00000000.00000002.737431739.0000000000C90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Order-078CNLTD.exe

Code function: 0_2_02103A54 cpuid

0_2_02103A54

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Order-078CNLTD.exe	70%	Virustotal		Browse
Order-078CNLTD.exe	29%	Metadefender		Browse
Order-078CNLTD.exe	86%	ReversingLabs	Win32.Infostealer.Fareit

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://andreameixueiro.com/TODAY_tRiyv97.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/TODAY_tRiyv97.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433965
Start date:	14.06.2021
Start time:	08:52:46
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 47s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Order-078CNLTD.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.2% (good quality ratio 0.2%) Quality average: 52% Quality standard deviation: 5.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.742264491721508
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Order-078CNLTD.exe
File size:	294912
MD5:	db7cc0b29cf38b5ed2a176c0043b2a58
SHA1:	8e5c1a3ca8e4b5cd7c43cd7f0acbc40a09cefbef
SHA256:	aa70c51a1df950f7b8406f4599a7e3bb89bc61fec570fc0e3a53826d42cbf13c
SHA512:	ed42d70c69df510f2e832af1ea72d9579486b433cc478e1a10265e02a453cc031696f7f74b2530c42826852e4eb3a88ccd37359fec59843a2e5dc2f8e10549e3
SSDEEP:	3072:VO64I415+Uznrw1JmTgxViFJqryHbQbZ:Q64I4HHz0oym7
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L...B.NY.................P... ...............`....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401f04
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x594ECB42 [Sat Jun 24 20:27:46 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fd5523c2b03dc52202311eff5bcab494

Entrypoint Preview

Instruction
push 00428164h
call 00007F0FCCFA9933h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jbe 00007F0FCCFA98EFh
sti

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x45974	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x47000	0x9f4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x170	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x44f44	0x45000	False	0.212437726449	data	4.83296274478	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x46000	0xab4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x47000	0x9f4	0x1000	False	0.1806640625	data	2.21609318156	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x478c4	0x130	data
RT_ICON	0x475dc	0x2e8	data
RT_ICON	0x474b4	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x47484	0x30	data
RT_VERSION	0x47150	0x334	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Classical, Inc.
InternalName	Oneiro
FileVersion	1.00
CompanyName	Classical, Inc.
LegalTrademarks	Classical, Inc.
Comments	Classical, Inc.
ProductName	Classical, Inc.
ProductVersion	1.00
FileDescription	Classical, Inc.
OriginalFilename	Oneiro.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Order-078CNLTD.exe PID: 5800 Parent PID: 5580

General

Start time:	08:53:38
Start date:	14/06/2021
Path:	C:\Users\user\Desktop\Order-078CNLTD.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Order-078CNLTD.exe'
Imagebase:	0x400000
File size:	294912 bytes
MD5 hash:	DB7CC0B29CF38B5ED2A176C0043B2A58
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Order-078CNLTD.exe PID: 5800 Parent PID: 5580 Order-078CNLTD.exeCOMMON

Executed Functions

Function 02103179, Relevance: 1.6, APIs: 1, Instructions: 71memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 0210322A

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 264b6c2181246aa30c4d8009b6ae68d7502381c5d663313c64c8c3ea8756e2aa
Instruction ID: 01789d7453ae6ce6c09af0c843cb2dd7cc6cdddcf607ca1506637f709c5bd93f
Opcode Fuzzy Hash: 264b6c2181246aa30c4d8009b6ae68d7502381c5d663313c64c8c3ea8756e2aa
Instruction Fuzzy Hash: F12107B16413489FEB305E34CCD17ED37A2AF05764F84011DDD995A2E0D7758684CF12

Uniqueness

Uniqueness Score: -1.00%

Function 02105DA2, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,021056C3,00000040,02102580,00000000,00000000,00000000,00000000,?,00000000,00000000,02104E5D), ref: 02105DBB

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 00440733, Relevance: 87.8, APIs: 46, Strings: 4, Instructions: 329
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00440733(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char* _v24;
				char* _v28;
				char* _v32;
				char* _v36;
				char* _v40;
				char* _v48;
				intOrPtr _v52;
				intOrPtr _v56;
				char* _v60;
				char* _v64;
				void* _v68;
				void* _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char _v120;
				char* _v136;
				char* _v144;
				char _v152;
				intOrPtr _v176;
				char _v184;
				char* _t110;
				char* _t116;
				void* _t118;
				intOrPtr* _t119;
				void* _t120;
				void* _t122;
				intOrPtr* _t123;
				void* _t124;
				void* _t126;
				intOrPtr* _t127;
				void* _t128;
				void* _t130;
				intOrPtr* _t131;
				void* _t132;
				void* _t134;
				intOrPtr* _t135;
				void* _t136;
				void* _t139;
				intOrPtr _t192;
				intOrPtr* _t195;
				intOrPtr* _t196;
				intOrPtr* _t197;
				intOrPtr* _t198;
				intOrPtr* _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				intOrPtr* _t203;
				intOrPtr* _t204;
				intOrPtr _t207;
				intOrPtr _t211;
				intOrPtr _t214;
				intOrPtr _t218;
				intOrPtr _t221;
				intOrPtr _t224;

				_push(0x401ce6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t207;
				_v12 = _t207 - 0xcc;
				_v8 = 0x401cb0;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				_v40 = 0;
				_v48 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v136 = 0;
				_v152 = 0;
				_v184 = 0;
				L00401EBA();
				L00401EBA();
				_t192 = 0xc;
				_push(1);
				_push(1);
				_push( &_v104);
				_push( &_v88);
				_push( &_v120);
				_v96 = 0x80020004;
				_v104 = 0xa;
				_v80 = _t192;
				_v88 = 2;
				L00401D9A();
				_push( &_v120);
				_t110 =  &_v184;
				_push(_t110);
				_v176 = _t192;
				_v184 = 0x8002;
				L00401DA0();
				_push( &_v120);
				_push( &_v104);
				_push( &_v88);
				_push(3);
				L00401E7E();
				if(_t110 == 0) {
					_t139 = 0x429568;
				} else {
					_t211 =  *0x446370; // 0x220e8b4
					if(_t211 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t201 =  *0x446370; // 0x220e8b4
					_t130 =  *((intOrPtr*)( *_t201 + 0x14))(_t201,  &_v72);
					asm("fclex");
					if(_t130 >= 0) {
						_t139 = 0x429568;
					} else {
						_push(0x14);
						_t139 = 0x429568;
						_push(0x429568);
						_push(_t201);
						_push(_t130);
						L00401ECC();
					}
					_t131 = _v72;
					_t202 = _t131;
					_t132 =  *((intOrPtr*)( *_t131 + 0xe8))(_t131,  &_v68);
					asm("fclex");
					if(_t132 < 0) {
						_push(0xe8);
						_push(0x429588);
						_push(_t202);
						_push(_t132);
						L00401ECC();
					}
					_v68 = 0;
					L00401ED8();
					L00401EC6();
					_t214 =  *0x446370; // 0x220e8b4
					if(_t214 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t203 =  *0x446370; // 0x220e8b4
					_t134 =  *((intOrPtr*)( *_t203 + 0x14))(_t203,  &_v72);
					asm("fclex");
					if(_t134 < 0) {
						_push(0x14);
						_push(_t139);
						_push(_t203);
						_push(_t134);
						L00401ECC();
					}
					_t135 = _v72;
					_t204 = _t135;
					_t136 =  *((intOrPtr*)( *_t135 + 0x58))(_t135,  &_v68);
					asm("fclex");
					if(_t136 < 0) {
						_push(0x58);
						_push(0x429588);
						_push(_t204);
						_push(_t136);
						L00401ECC();
					}
					_v68 = 0;
					L00401ED8();
					L00401EC6();
					_v144 = L"Svrdsiden";
					_v152 = 8;
					L00401DF4();
					_push( &_v88);
					L00401D94();
					L00401ED8();
					L00401E96();
				}
				_push(L"Projektorienteret");
				_push(L"apophyges");
				_push( &_v88); // executed
				L00401D8E(); // executed
				_push( &_v88);
				_t116 =  &_v152;
				_push(_t116);
				_v144 = 0;
				_v152 = 0x8008;
				L00401DA0();
				L00401E96();
				if(_t116 != 0) {
					_t218 =  *0x446370; // 0x220e8b4
					if(_t218 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t197 =  *0x446370; // 0x220e8b4
					_t122 =  *((intOrPtr*)( *_t197 + 0x14))(_t197,  &_v72);
					asm("fclex");
					if(_t122 < 0) {
						_push(0x14);
						_push(_t139);
						_push(_t197);
						_push(_t122);
						L00401ECC();
					}
					_t123 = _v72;
					_t198 = _t123;
					_t124 =  *((intOrPtr*)( *_t123 + 0x58))(_t123,  &_v68);
					asm("fclex");
					if(_t124 < 0) {
						_push(0x58);
						_push(0x429588);
						_push(_t198);
						_push(_t124);
						L00401ECC();
					}
					_v68 = 0;
					L00401ED8();
					L00401EC6();
					_t221 =  *0x446370; // 0x220e8b4
					if(_t221 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t199 =  *0x446370; // 0x220e8b4
					_t126 =  *((intOrPtr*)( *_t199 + 0x14))(_t199,  &_v72);
					asm("fclex");
					if(_t126 < 0) {
						_push(0x14);
						_push(_t139);
						_push(_t199);
						_push(_t126);
						L00401ECC();
					}
					_t127 = _v72;
					_t200 = _t127;
					_t128 =  *((intOrPtr*)( *_t127 + 0x60))(_t127,  &_v68);
					asm("fclex");
					if(_t128 < 0) {
						_push(0x60);
						_push(0x429588);
						_push(_t200);
						_push(_t128);
						L00401ECC();
					}
					_v68 = 0;
					L00401ED8();
					L00401EC6();
					_push(0xf8);
					L00401D88();
				}
				_t224 =  *0x446370; // 0x220e8b4
				if(_t224 == 0) {
					_push(0x446370);
					_push(0x429578);
					L00401ED2();
				}
				_t195 =  *0x446370; // 0x220e8b4
				_t118 =  *((intOrPtr*)( *_t195 + 0x14))(_t195,  &_v72);
				asm("fclex");
				if(_t118 < 0) {
					_push(0x14);
					_push(_t139);
					_push(_t195);
					_push(_t118);
					L00401ECC();
				}
				_t119 = _v72;
				_t196 = _t119;
				_t120 =  *((intOrPtr*)( *_t119 + 0xf8))(_t119,  &_v68);
				asm("fclex");
				if(_t120 < 0) {
					_push(0xf8);
					_push(0x429588);
					_push(_t196);
					_push(_t120);
					L00401ECC();
				}
				_v68 = 0;
				L00401ED8();
				L00401EC6();
				_v56 = 0x68e02b20;
				_v52 = 0x5afc;
				_push(0x440b82);
				L00401EAE();
				L00401EAE();
				L00401EAE();
				L00401EAE();
				L00401EAE();
				L00401EAE();
				L00401EAE();
				L00401EAE();
				return _t120;
			}

0x00440738
0x00440743
0x00440744
0x00440754
0x00440757
0x00440766
0x00440769
0x0044076c
0x0044076f
0x00440772
0x00440775
0x00440778
0x0044077b
0x0044077e
0x00440781
0x00440784
0x00440787
0x0044078a
0x0044078d
0x00440793
0x00440799
0x0044079f
0x004407aa
0x004407b1
0x004407b2
0x004407b4
0x004407b9
0x004407bd
0x004407c1
0x004407c2
0x004407c9
0x004407d0
0x004407d3
0x004407da
0x004407e2
0x004407e3
0x004407e9
0x004407ea
0x004407f0
0x004407fa
0x00440805
0x00440809
0x0044080d
0x0044080e
0x00440810
0x0044081b
0x00440952
0x00440821
0x00440821
0x00440827
0x00440829
0x0044082e
0x00440833
0x00440833
0x00440838
0x00440845
0x00440848
0x0044084c
0x0044085f
0x0044084e
0x0044084e
0x00440850
0x00440855
0x00440856
0x00440857
0x00440858
0x00440858
0x00440864
0x0044086e
0x00440870
0x00440876
0x0044087a
0x0044087c
0x00440881
0x00440886
0x00440887
0x00440888
0x00440888
0x00440893
0x00440896
0x0044089e
0x004408a3
0x004408a9
0x004408ab
0x004408b0
0x004408b5
0x004408b5
0x004408ba
0x004408c7
0x004408ca
0x004408ce
0x004408d0
0x004408d2
0x004408d3
0x004408d4
0x004408d5
0x004408d5
0x004408da
0x004408e4
0x004408e6
0x004408e9
0x004408ed
0x004408ef
0x004408f1
0x004408f6
0x004408f7
0x004408f8
0x004408f8
0x00440903
0x00440906
0x0044090e
0x0044091c
0x00440926
0x00440930
0x00440938
0x00440939
0x00440943
0x0044094b
0x0044094b
0x00440957
0x0044095c
0x00440964
0x00440965
0x0044096d
0x0044096e
0x00440974
0x00440975
0x0044097b
0x00440985
0x00440990
0x00440998
0x0044099e
0x004409a4
0x004409a6
0x004409ab
0x004409b0
0x004409b0
0x004409b5
0x004409c2
0x004409c5
0x004409c9
0x004409cb
0x004409cd
0x004409ce
0x004409cf
0x004409d0
0x004409d0
0x004409d5
0x004409df
0x004409e1
0x004409e4
0x004409e8
0x004409ea
0x004409ec
0x004409f1
0x004409f2
0x004409f3
0x004409f3
0x004409fe
0x00440a01
0x00440a09
0x00440a0e
0x00440a14
0x00440a16
0x00440a1b
0x00440a20
0x00440a20
0x00440a25
0x00440a32
0x00440a35
0x00440a39
0x00440a3b
0x00440a3d
0x00440a3e
0x00440a3f
0x00440a40
0x00440a40
0x00440a45
0x00440a4f
0x00440a51
0x00440a54
0x00440a58
0x00440a5a
0x00440a5c
0x00440a61
0x00440a62
0x00440a63
0x00440a63
0x00440a6e
0x00440a71
0x00440a79
0x00440a7e
0x00440a83
0x00440a83
0x00440a88
0x00440a8e
0x00440a90
0x00440a95
0x00440a9a
0x00440a9a
0x00440a9f
0x00440aac
0x00440aaf
0x00440ab3
0x00440ab5
0x00440ab7
0x00440ab8
0x00440ab9
0x00440aba
0x00440aba
0x00440abf
0x00440ac9
0x00440acb
0x00440ad1
0x00440ad5
0x00440ad7
0x00440adc
0x00440ae1
0x00440ae2
0x00440ae3
0x00440ae3
0x00440aee
0x00440af1
0x00440af9
0x00440afe
0x00440b05
0x00440b0c
0x00440b44
0x00440b4c
0x00440b54
0x00440b5c
0x00440b64
0x00440b6c
0x00440b74
0x00440b7c
0x00440b81

APIs

__vbaStrCopy.MSVBVM60 ref: 0044079F
__vbaStrCopy.MSVBVM60 ref: 004407AA
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 004407DA
__vbaVarTstNe.MSVBVM60(?,?,?,?,?,00000001,00000001), ref: 004407FA
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?,?,?,?,?,?,00000001,00000001), ref: 00440810
__vbaNew2.MSVBVM60(00429578,00446370,00000001), ref: 00440833
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 00440858
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,000000E8), ref: 00440888
__vbaStrMove.MSVBVM60(00000000,?,00429588,000000E8), ref: 00440896
__vbaFreeObj.MSVBVM60(00000000,?,00429588,000000E8), ref: 0044089E
__vbaNew2.MSVBVM60(00429578,00446370), ref: 004408B5
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 004408D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,00000058), ref: 004408F8
__vbaStrMove.MSVBVM60(00000000,?,00429588,00000058), ref: 00440906
__vbaFreeObj.MSVBVM60(00000000,?,00429588,00000058), ref: 0044090E
__vbaVarDup.MSVBVM60(00000000,?,00429588,00000058), ref: 00440930
#667.MSVBVM60(00000002), ref: 00440939
__vbaStrMove.MSVBVM60(00000002), ref: 00440943
__vbaFreeVar.MSVBVM60(00000002), ref: 0044094B
#692.MSVBVM60(00000002,apophyges,Projektorienteret,00000001), ref: 00440965
__vbaVarTstNe.MSVBVM60(?,00000002,00000002,apophyges,Projektorienteret,00000001), ref: 00440985
__vbaFreeVar.MSVBVM60(?,00000002,00000002,apophyges,Projektorienteret,00000001), ref: 00440990
__vbaNew2.MSVBVM60(00429578,00446370,?,00000002,00000002,apophyges,Projektorienteret,00000001), ref: 004409B0
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 004409D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,00000058), ref: 004409F3
__vbaStrMove.MSVBVM60(00000000,?,00429588,00000058), ref: 00440A01
__vbaFreeObj.MSVBVM60(00000000,?,00429588,00000058), ref: 00440A09
__vbaNew2.MSVBVM60(00429578,00446370), ref: 00440A20
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 00440A40
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,00000060), ref: 00440A63
__vbaStrMove.MSVBVM60(00000000,?,00429588,00000060), ref: 00440A71
__vbaFreeObj.MSVBVM60(00000000,?,00429588,00000060), ref: 00440A79
#569.MSVBVM60(000000F8), ref: 00440A83
__vbaNew2.MSVBVM60(00429578,00446370,?,00000002,00000002,apophyges,Projektorienteret,00000001), ref: 00440A9A
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 00440ABA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,000000F8), ref: 00440AE3
__vbaStrMove.MSVBVM60(00000000,?,00429588,000000F8), ref: 00440AF1
__vbaFreeObj.MSVBVM60(00000000,?,00429588,000000F8), ref: 00440AF9
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B44
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B4C
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B54
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B5C
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B64
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B6C
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B74
__vbaFreeStr.MSVBVM60(00440B82), ref: 00440B7C

Strings

+h, xrefs: 00440AFE
apophyges, xrefs: 0044095C
Svrdsiden, xrefs: 0044091C
Projektorienteret, xrefs: 00440957

Memory Dump Source

Source File: 00000000.00000002.736529309.0000000000428000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.736384854.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.736410701.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736434485.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736668752.0000000000446000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.736681827.0000000000447000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$Copy$#569#660#667#692List
String ID: +h$Projektorienteret$Svrdsiden$apophyges
API String ID: 427701729-582109686
Opcode ID: 851f2b035a9cfc892479f4d0b635a739cb7b40d848def2dfae00b6ec6dbe3950
Instruction ID: 2b8ad8d3355316aa90a5a5288b6f33c39df9ac9dcf5ad05805f88f778f684813
Opcode Fuzzy Hash: 851f2b035a9cfc892479f4d0b635a739cb7b40d848def2dfae00b6ec6dbe3950
Instruction Fuzzy Hash: 26C16F71940218ABDB10EF92CC45EEEB7B8FF54304F20452AF505B71A1DB786E06CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00401F04, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 14COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401F09

Strings

VB5!6%*, xrefs: 00401F04

Memory Dump Source

Source File: 00000000.00000002.736410701.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.736384854.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.736434485.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736529309.0000000000428000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736668752.0000000000446000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.736681827.0000000000447000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 3485ff89e817f082ef6d55a07d39d3c0734aa106d736a8006fe6cdaf49ac610b
Instruction ID: 2ba4fc5989459096bc5fc765590c71ee668455d01b26dd4d95b5b01bf47cab60
Opcode Fuzzy Hash: 3485ff89e817f082ef6d55a07d39d3c0734aa106d736a8006fe6cdaf49ac610b
Instruction Fuzzy Hash: 23D0AE5595F3D41EC3076370582242A2F720D0320431F80DB98C0DF0F3C5280C1DD366

Uniqueness

Uniqueness Score: -1.00%

Function 005424F3, Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.737167456.0000000000540000.00000020.00000001.sdmp, Offset: 00540000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ce733f0d73a078076f5817ec54c82fc995484d3889b148cf019bae12d006138
Instruction ID: e5eeeedb11e762fb01626943f881a534d3f957779e2bd50a8aee78a3d5d9c582
Opcode Fuzzy Hash: 8ce733f0d73a078076f5817ec54c82fc995484d3889b148cf019bae12d006138
Instruction Fuzzy Hash: 2FD0177270F280AFD309EA248A659963FE0AB82215F0808EEE144CB282E62498059762

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021018ED, Relevance: 2.1, Strings: 1, Instructions: 820COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: e3895b463d3410b6b13afab6de58745109f4e6977fa79c485e38e5b9e0014461
Instruction ID: c5c8633f48e24d0af6e601c6b1ece83a24cd79565f0b5802a78bffee74da70d0
Opcode Fuzzy Hash: e3895b463d3410b6b13afab6de58745109f4e6977fa79c485e38e5b9e0014461
Instruction Fuzzy Hash: A4523771780706AFEB249E38CCD4BD573A6FF05320F948229ED99932D0D7B99895CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02104D1A, Relevance: 1.7, Strings: 1, Instructions: 479COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 9cb07b17f92850ef96c4db2eefc9c71ee1959d20d0817a1ef3a6323c4d939be5
Instruction ID: cacc485ce2c00b33c9d9ce2e7a78cf3187a3b2d93121fd689bb11df23ec6d40a
Opcode Fuzzy Hash: 9cb07b17f92850ef96c4db2eefc9c71ee1959d20d0817a1ef3a6323c4d939be5
Instruction Fuzzy Hash: A3F16371680346AFEB354E38CC89BE97762FF42320F948229EE85571D0D3F99896CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02104C4F, Relevance: 1.7, Strings: 1, Instructions: 455COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 44a8c12f23b091ba4027d8ea6e4296dcdd29eaba3e452631c11f28eb895685a0
Instruction ID: 87236554a02bc1be6f62c690799a97d2ccb3895bedc136011d7e136f964541c1
Opcode Fuzzy Hash: 44a8c12f23b091ba4027d8ea6e4296dcdd29eaba3e452631c11f28eb895685a0
Instruction Fuzzy Hash: 14F12171680306AFEB355E74CD897E97762EF02360F948229EE85971D0D3F988C6DB05

Uniqueness

Uniqueness Score: -1.00%

Function 021015D4, Relevance: 1.7, Strings: 1, Instructions: 451COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: DI>
API String ID: 2167126740-1745360361
Opcode ID: d5b2d621efb723a9715ea7236f6fc47556575bfb4167af28cf7d1165b15cac13
Instruction ID: f1bbf8d44b3048e665bc12500a882c51d83b458a975452da3d53f7b84915d5e7
Opcode Fuzzy Hash: d5b2d621efb723a9715ea7236f6fc47556575bfb4167af28cf7d1165b15cac13
Instruction Fuzzy Hash: ABF13271680346AFEB351E38CD89BE53762FF52360F948229EE85571D0D3F9988ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 02106A9E, Relevance: 1.7, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: dd2afcebd8048bd65fcafc992f013678ab41427cb2809948c48c8097aea2667d
Instruction ID: 2dbf8f708145c609ce456428001522d7b890b833ff0db0ff066b3f6d07e7efc4
Opcode Fuzzy Hash: dd2afcebd8048bd65fcafc992f013678ab41427cb2809948c48c8097aea2667d
Instruction Fuzzy Hash: BFE154B1680346AFEB355E38CD897E57762FF12320F948229EE85571D0D3F9988ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 0210155C, Relevance: 1.7, Strings: 1, Instructions: 409COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: DI>
API String ID: 2167126740-1745360361
Opcode ID: 26e29e4459d296cdf1493e147aff5648bc56f061d4e25b4ea05ba966c4ee8b99
Instruction ID: d81d5fab6fa20ab979062d6df037abc29e00ea59fb17a90c1e9c06cc45223ef6
Opcode Fuzzy Hash: 26e29e4459d296cdf1493e147aff5648bc56f061d4e25b4ea05ba966c4ee8b99
Instruction Fuzzy Hash: B5E111B1680307AFEB255E34CD897E57762FF02360F948229EE85571D0D3F9989ACB05

Uniqueness

Uniqueness Score: -1.00%

Function 02102653, Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: dcb51a44fca64e1622165502846878a7eb8a2fb425711aba220a0039030b2a8b
Instruction ID: 24a453e703c3b334ef0b3acbcb10293eba853b54f78074643649c5ad27c08945
Opcode Fuzzy Hash: dcb51a44fca64e1622165502846878a7eb8a2fb425711aba220a0039030b2a8b
Instruction Fuzzy Hash: C0C12FB1680346AFEB354E34CD897D57762FF02320F948229ED85971E0D3B999CACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0210264F, Relevance: 1.6, Strings: 1, Instructions: 326COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 731a9f74eab02ba1812c6d339f86ea5617b01b12f1798e6ec7b8c6b11a211713
Instruction ID: ce85fd8b500eb5f70cd14e5e0128fdad02b9057222bb6c6fe8b42fd04919a7e5
Opcode Fuzzy Hash: 731a9f74eab02ba1812c6d339f86ea5617b01b12f1798e6ec7b8c6b11a211713
Instruction Fuzzy Hash: 6DC110B1680346AFEB354E34CD897E57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102657, Relevance: 1.6, Strings: 1, Instructions: 324COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 5927e0dd14153244bca6d3675a3863207b2e462f37c86b3ce1e47a3fd7689871
Instruction ID: a95d0d4acd2dcc6d71e3e8f5c4e58296ade560e9b392f45ad8f14f88c28f401b
Opcode Fuzzy Hash: 5927e0dd14153244bca6d3675a3863207b2e462f37c86b3ce1e47a3fd7689871
Instruction Fuzzy Hash: A9C11FB1680346AFEB354E34CD897D57762FF02320F948229ED85971E0D3B9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0210265B, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: d4280b646f51ed730f4dfd7bec5a0aa9f7f7d36877cfed5ffcd37eb58d38514a
Instruction ID: 1a80168022bc7b18d9a61c832e3d3a4c17fdd6ee66ce64dfe6e357b202076900
Opcode Fuzzy Hash: d4280b646f51ed730f4dfd7bec5a0aa9f7f7d36877cfed5ffcd37eb58d38514a
Instruction Fuzzy Hash: 9DC11EB1680346AFEB354E34CD897E57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0210265F, Relevance: 1.6, Strings: 1, Instructions: 322COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 59ee5930bb15a5f53e1edae30bca6370c39e3c98a574925e1ef28b097accd442
Instruction ID: 7fba3e7e00cc590f47134a9c8063e8096315e356449115fbc6db630311faafad
Opcode Fuzzy Hash: 59ee5930bb15a5f53e1edae30bca6370c39e3c98a574925e1ef28b097accd442
Instruction Fuzzy Hash: AEC12EB1680346AFEB354E34CD897E57762FF02320F948229ED85971E0D3B9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102663, Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 2abd2f313b6450700a5b60103a5e49b617c804b09d082662ba9711e388a84a19
Instruction ID: 9c3c267baa23b08d760b9f2eacf65f0610150cdb0983ef75f6fbf24eb2d4af56
Opcode Fuzzy Hash: 2abd2f313b6450700a5b60103a5e49b617c804b09d082662ba9711e388a84a19
Instruction Fuzzy Hash: 55B120B1680346AFEB354E34CD897E57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102667, Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 069c27d40027abeb197aa91331acc7e3bb02827f33e3dd8cef5e641cce33fb0f
Instruction ID: c5a970b1faf4bb6049f549576a365e5edc1d5eff3f2c8ba10dd1e3d8d7b08012
Opcode Fuzzy Hash: 069c27d40027abeb197aa91331acc7e3bb02827f33e3dd8cef5e641cce33fb0f
Instruction Fuzzy Hash: A2B120B1680346AFEB354E34CD897D57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102637, Relevance: 1.6, Strings: 1, Instructions: 319COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 28d53d2aa354633c2392db372ce1d3ddf22c3894306d986ed312073074628ce1
Instruction ID: b5c85fa09bb4448b6f02c5256207fba4d874a7983b8f34922465a6c32a7602af
Opcode Fuzzy Hash: 28d53d2aa354633c2392db372ce1d3ddf22c3894306d986ed312073074628ce1
Instruction Fuzzy Hash: E7B11FB1680346AFEB350E34CD897D57762FF02320F948229ED85971E1D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0210263B, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 8b291228f7a73862fb5346a9014585ff44de1a296abbc8a5905869adf36ceb9b
Instruction ID: d0654f2e25ae672a6878f65563daf0c9d097ca9707008d3221283dbc3675d48e
Opcode Fuzzy Hash: 8b291228f7a73862fb5346a9014585ff44de1a296abbc8a5905869adf36ceb9b
Instruction Fuzzy Hash: 9CB12FB1680346AFEB350E34CD897E57762FF02320F948229ED85971E1D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102673, Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: f044d09c07222a4fb99f73ec72bca05436c4a64396ae600d639a840a1adcc68b
Instruction ID: 51608fb09e2907c580002cb02826ec2d9dd7972ba4dd447881821a0853f6de36
Opcode Fuzzy Hash: f044d09c07222a4fb99f73ec72bca05436c4a64396ae600d639a840a1adcc68b
Instruction Fuzzy Hash: 2EB11EB1680346AFEB350E34CD897D57762FF02320F948229ED85971E0D3F9998A8B45

Uniqueness

Uniqueness Score: -1.00%

Function 0210266E, Relevance: 1.6, Strings: 1, Instructions: 317COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 07a8e918b2df56a2a6823b29e33593a731668c2817fdfbc6fc45a6b749f93304
Instruction ID: 9a77633c597eb32c944a24ef0be7c879637c260ec6485b19d75e51cfb3f25590
Opcode Fuzzy Hash: 07a8e918b2df56a2a6823b29e33593a731668c2817fdfbc6fc45a6b749f93304
Instruction Fuzzy Hash: 7AB12FB1680346AFEB350E34CD897D57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 0210263F, Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: ee8dd8f4e1361644c1bbc6600c04cc28e1c9299e2b6b97b584f0dd63881ce211
Instruction ID: 2ff43189c0773bb2ba45b404a82eeedfcecc59b3bd2678ff392a93ad2d84d0d1
Opcode Fuzzy Hash: ee8dd8f4e1361644c1bbc6600c04cc28e1c9299e2b6b97b584f0dd63881ce211
Instruction Fuzzy Hash: 1FB120B2640346AFEB354E34CD897D47762FF02320F948229ED85971E1D3B999CACB46

Uniqueness

Uniqueness Score: -1.00%

Function 02102647, Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: dac5fb8e5c5186f9e7795b529a81360f79cf13ede1fc3151e87f8fe77499e727
Instruction ID: 701b737cc15e816f0a932191d0684af001798933bf961bf2b5a66f487a7a01f0
Opcode Fuzzy Hash: dac5fb8e5c5186f9e7795b529a81360f79cf13ede1fc3151e87f8fe77499e727
Instruction Fuzzy Hash: F2B12FB1680346AFEB350E24CD897D57762FF02320F948229ED85971E1D3F999CACB45

Uniqueness

Uniqueness Score: -1.00%

Function 021026AE, Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: 6d366150f41bd6152b2244287422539dca1cc19d82ad441bf0ba34135cceaf39
Instruction ID: 75f57f6401fba58350939293150b168877423208887e69c0476473f618292f83
Opcode Fuzzy Hash: 6d366150f41bd6152b2244287422539dca1cc19d82ad441bf0ba34135cceaf39
Instruction Fuzzy Hash: 2EB12EB2680346AFEB350E24CD897D57762FF02320F948229ED85971E0D3F9998ACB45

Uniqueness

Uniqueness Score: -1.00%

Function 02102643, Relevance: 1.6, Strings: 1, Instructions: 313COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: c4daa5ac43f8e73ce16f0d4226dd88e86ef4026b02a82b85d42fda4042d3803a
Instruction ID: c4647aa2c001f23e714f9f60d0cb0aafae76e6c949284bffa209b8925ad6f300
Opcode Fuzzy Hash: c4daa5ac43f8e73ce16f0d4226dd88e86ef4026b02a82b85d42fda4042d3803a
Instruction Fuzzy Hash: DCB12FB2640346AFEB354E34CD897D47762FF02320F948229ED85971E1D3B999CACB46

Uniqueness

Uniqueness Score: -1.00%

Function 0210264B, Relevance: 1.6, Strings: 1, Instructions: 311COMMON

Download Yara Rule

Strings

DI>, xrefs: 0210273F

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: DI>
API String ID: 0-1745360361
Opcode ID: aea231ddbe9f401c9fa272ca945831b3453558a8d0c9fc50838105073bf27526
Instruction ID: 303dbbf3a5943ee6e3debc9961cd501b2836bb5271fdb397f4e28b4d21be73b0
Opcode Fuzzy Hash: aea231ddbe9f401c9fa272ca945831b3453558a8d0c9fc50838105073bf27526
Instruction Fuzzy Hash: A3B12FB2640346AFEB350E34CD897D47722BF02320F948229ED85971E1D3B989CACB45

Uniqueness

Uniqueness Score: -1.00%

Function 021056D9, Relevance: 1.4, Strings: 1, Instructions: 186COMMON

Download Yara Rule

Strings

=, xrefs: 02105799

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 0be6efc16a98ab02fae51635a3763fc5f295484655955c9d070f87a1d91980c1
Instruction ID: 627d4dab6ce9e16ac32485c671879076387737b1493108dd3e1752c186fdf1bc
Opcode Fuzzy Hash: 0be6efc16a98ab02fae51635a3763fc5f295484655955c9d070f87a1d91980c1
Instruction Fuzzy Hash: 196185614487C29EDB258B3988DC751BED26B13374F9DC2EAC8E64E0E7D3A4414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 02105713, Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

=, xrefs: 02105799

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: =
API String ID: 0-2322244508
Opcode ID: 485881b08b69c0b6463be8e393ac957a7d5c69d6f051f1408a9a28757048cf87
Instruction ID: e8ac7e4e281a264ff665cdbf9fefcc99fe9fbd0f0a589f935d50726a5b79ed91
Opcode Fuzzy Hash: 485881b08b69c0b6463be8e393ac957a7d5c69d6f051f1408a9a28757048cf87
Instruction Fuzzy Hash: 3E6182614487C29EDB218B3988DC752BED26F13364F9DC3EAC8E54E0EBD3A5414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 02102006, Relevance: 1.4, Strings: 1, Instructions: 153COMMON

Download Yara Rule

Strings

~R>, xrefs: 02102047

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ~R>
API String ID: 0-3905076789
Opcode ID: f255acbde580a10804419b5fb39510bdf53da2d0efe953b763ade0bea434c6a8
Instruction ID: 5c876022456184a64fa6653c4e16c8175afb400617e102ae15398110e6bc6475
Opcode Fuzzy Hash: f255acbde580a10804419b5fb39510bdf53da2d0efe953b763ade0bea434c6a8
Instruction Fuzzy Hash: BA510370684782DFE7289F78CCDCBA9B7E9BF05324F558259E9568B0E1C3F49980CA11

Uniqueness

Uniqueness Score: -1.00%

Function 02105633, Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 819bda030f4662deda356d2e1233aa376095d2341c56276d8b553710733ffe1c
Instruction ID: cee6882f176be014318130d2caaa50cc9ec7527b68d8de89c0b45e4545a09c09
Opcode Fuzzy Hash: 819bda030f4662deda356d2e1233aa376095d2341c56276d8b553710733ffe1c
Instruction Fuzzy Hash: 77E1D5719487825EDB21DB38C8DC756BB926F13364F89C2E9C8E58F1E7D3A48446CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02102917, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce1c1be7223f7ba657e9ebb80ff13418699fdf6acd2d37c88dc25a065a1e54e2
Instruction ID: 044803423e4b5a2ae57b2547464217777998ff1586f8d62ed7a39fbca7c77d99
Opcode Fuzzy Hash: ce1c1be7223f7ba657e9ebb80ff13418699fdf6acd2d37c88dc25a065a1e54e2
Instruction Fuzzy Hash: 295100B1680346AFEB760E64CDC87E43726AF16360F954125FE859B1E1C3FA49C99B02

Uniqueness

Uniqueness Score: -1.00%

Function 0210290F, Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecad1d013e7ae702959cea411a37cf3658e2deeffa70ad834b9d1034bf6ee5ed
Instruction ID: 9fee488c252ed9e1cc13ab9eb2217d059a6091cd12c6a8df04a674ab47ba6370
Opcode Fuzzy Hash: ecad1d013e7ae702959cea411a37cf3658e2deeffa70ad834b9d1034bf6ee5ed
Instruction Fuzzy Hash: C2510FB158034AAFEB760E24CDC8BE43366EF16360F958125FE89571E1C3FA49C99B01

Uniqueness

Uniqueness Score: -1.00%

Function 02102913, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 702a41adbf5ec5c9a5a04b40b51737b29454bbd4df38a4dd93d3e6cb20f531b9
Instruction ID: 0557d86c444fd1cd91b3f339ec8398f7392b71f2e262cf43f30c1c8ad2af6608
Opcode Fuzzy Hash: 702a41adbf5ec5c9a5a04b40b51737b29454bbd4df38a4dd93d3e6cb20f531b9
Instruction Fuzzy Hash: D6512FB168034AAFEB760E24CDC87E43326EF16360F958025FE89571E1C3FA49C99B01

Uniqueness

Uniqueness Score: -1.00%

Function 0210291B, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0d09b0019e01abca5ce7e011040d25f3ce6fe3fc830c7727af9c07bb320d1a
Instruction ID: e5c03ae2244a747cc3621017381d24522a173d9ee0c8c428376a3cff1a0028a0
Opcode Fuzzy Hash: 1d0d09b0019e01abca5ce7e011040d25f3ce6fe3fc830c7727af9c07bb320d1a
Instruction Fuzzy Hash: B55110B1680346AFEB760E24CDC87E43326EF16364F954125FE85571E1C3FA49C99B02

Uniqueness

Uniqueness Score: -1.00%

Function 021056F3, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7189fd55bf26a656044a7b49091ee2140b90e85b7eee358871c8e1c70a8919e
Instruction ID: 50a9635c3c9e5db6a93928752a966ea8f998d7d529e351b464ea702e251fcf14
Opcode Fuzzy Hash: e7189fd55bf26a656044a7b49091ee2140b90e85b7eee358871c8e1c70a8919e
Instruction Fuzzy Hash: A37191614487C25EDB228B79889C752BED26F13374F9EC3EAC8E54E0E7D3A4414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 0210291F, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 127f0ac8df906e22cd7096ccad6e243d35fccd1120e9eb9a49c537a0490c4440
Instruction ID: ba2566991ba2d814529444cd8d8cc41ef32b5c35e56599e70f2b845fafa34116
Opcode Fuzzy Hash: 127f0ac8df906e22cd7096ccad6e243d35fccd1120e9eb9a49c537a0490c4440
Instruction Fuzzy Hash: 7051FFB1680346AFEB760E24CDC87E43356AF16360F954125BE85571E1C3FA49C99B01

Uniqueness

Uniqueness Score: -1.00%

Function 021028E8, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 314942f30e4502ecb08a6bc42dfb58ac28aafa2ef57b9084b7cfc079f231512e
Instruction ID: 5315744d493a0a8adb62d6e56f53e22eaae09803824576c881f4918934439987
Opcode Fuzzy Hash: 314942f30e4502ecb08a6bc42dfb58ac28aafa2ef57b9084b7cfc079f231512e
Instruction Fuzzy Hash: 09510EB1580346AFEB3A0E64CDC87E43366AF16364F958125FE89571E1C3FA49C99B02

Uniqueness

Uniqueness Score: -1.00%

Function 021028EB, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2649406c8d2c9d6e9859258a2feaa719013a2f75f48b4918c6e932092ddea80a
Instruction ID: a6597a774c975273b4c4acf8714aed71bd7d1d15d357f5a06e8e374cc65079c9
Opcode Fuzzy Hash: 2649406c8d2c9d6e9859258a2feaa719013a2f75f48b4918c6e932092ddea80a
Instruction Fuzzy Hash: F4510EB1580346AFEB3A0E64CDC87E43366AF16324F954125FE85571E1C3FA49C9DB02

Uniqueness

Uniqueness Score: -1.00%

Function 021056F7, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d1a5028773075e3c11c9643cc29c4d547b5dd48d7cd2b508d9b188aedbfa2ad
Instruction ID: 7472456d2f9fa3fb25c171508e51e99126f7597adb60721289c250b1b7a92242
Opcode Fuzzy Hash: 0d1a5028773075e3c11c9643cc29c4d547b5dd48d7cd2b508d9b188aedbfa2ad
Instruction Fuzzy Hash: 057192614487C25EDB228B79889C752BED26F13374F8EC3EAC8E54E0E7D3A4414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 02102923, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe741b2db6c75a7904445eb0622c7f0543f2cd4245463076d4275cf3722d52c
Instruction ID: 0b75ac4586f748db04f92fbb3a3b5a09522a11947b384fbc9cd777434ba1a225
Opcode Fuzzy Hash: cfe741b2db6c75a7904445eb0622c7f0543f2cd4245463076d4275cf3722d52c
Instruction Fuzzy Hash: BD511EB1580346AFEB7A0E24CDC8BE43366AF16320F958125FE85571E1C3FA49C9DB02

Uniqueness

Uniqueness Score: -1.00%

Function 021028EF, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b9e54d2455aeab9873de71d6a264072dcdd63a4d69a14555a392843f179a51c
Instruction ID: 4900295cbdbbf7fb0d85d292afeac8cc6d4043501488d1ebbd7650977492432a
Opcode Fuzzy Hash: 7b9e54d2455aeab9873de71d6a264072dcdd63a4d69a14555a392843f179a51c
Instruction Fuzzy Hash: 2A51FDB1580346AFEB3A0E64CDC8BE43366AF16364F958125FE85571E1C3FA49C99B02

Uniqueness

Uniqueness Score: -1.00%

Function 021056FB, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3887822d52ba0dcd98e011a975f8824de22b25667ab2e4626c61350ee76992db
Instruction ID: 7d0f83bb694d64996f9ef21f7ff710a3ba8fc2311a789af694ee83359da8c75c
Opcode Fuzzy Hash: 3887822d52ba0dcd98e011a975f8824de22b25667ab2e4626c61350ee76992db
Instruction Fuzzy Hash: 3F7192614487C25EDB228B39889C751BED26B13374F8DC3EAC8E54E0E7D3A4414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 02105707, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c3bf445750cdc33862dc6b89506c998f3a154031d23b1abaa9ee777f414ad9e
Instruction ID: 2286be139e4e433c730b3191b87aaa0838203abdbe42043aaaa970da28b7289e
Opcode Fuzzy Hash: 3c3bf445750cdc33862dc6b89506c998f3a154031d23b1abaa9ee777f414ad9e
Instruction Fuzzy Hash: 717181614487C25EDB228B79889C752BED26F13374F8DC3EAC8E54E0E7D3A5814AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056FF, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171e7d19d3c74a9f6ee583ea18718c2475d84a5eb910269946ec69b59576e44
Instruction ID: 73db1f4afa1401dcd00fe0bff5911e2a6448e7b4ff3e3a24b944ca6a71abea30
Opcode Fuzzy Hash: 5171e7d19d3c74a9f6ee583ea18718c2475d84a5eb910269946ec69b59576e44
Instruction Fuzzy Hash: 147194614487C25EDB228B3988DC752BED26F13364F8DC3EAC8E54E0E7D3A5814AC712

Uniqueness

Uniqueness Score: -1.00%

Function 02105703, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2e331ef2edc2f8404b05cfbc79ec856fb830f0d7a29bf6be1d25b8fac4bc9c7
Instruction ID: e81aa23b662ec87731ce89367871918c4be0e3d2e9828cdf59fd5bd6dfd95491
Opcode Fuzzy Hash: c2e331ef2edc2f8404b05cfbc79ec856fb830f0d7a29bf6be1d25b8fac4bc9c7
Instruction Fuzzy Hash: CC71A3614487C25EDB228B79889C752BED26F13374F8DC3EAC8E54E0E7D3A5414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056DB, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64743cc3b83321e00ad2a2f38b417d4f1aa6d29484a0d7946dec98bbad86df89
Instruction ID: 6da74109eae61a3ba50d442753034ff3d1a3b959db6de0f376c90cf4bcc0412f
Opcode Fuzzy Hash: 64743cc3b83321e00ad2a2f38b417d4f1aa6d29484a0d7946dec98bbad86df89
Instruction Fuzzy Hash: A56194614487C25DDB228B3988DC751BED26B13374F9DC3EAC8E94E0E7D3A54146C716

Uniqueness

Uniqueness Score: -1.00%

Function 0210570E, Relevance: .2, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8adf54b54373a9eb33045aee2898f4ef4e2d7473e7634615271fd6e31da8c820
Instruction ID: 9d5c57fb9d93488ee9dcc729eecf0a89ef2cf8182d229cc6b64b302886b52470
Opcode Fuzzy Hash: 8adf54b54373a9eb33045aee2898f4ef4e2d7473e7634615271fd6e31da8c820
Instruction Fuzzy Hash: 917183614487C25DDB228B79889C752BED26F13374F8DC3EAC8E54E0E7D3A54146C716

Uniqueness

Uniqueness Score: -1.00%

Function 0210574E, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5797ade053af6bc1d46a2532287f3185858a191c046162a9b2d629c9e4ed1965
Instruction ID: 9d229dbd3ed1d5cd9e52cda13444ce94856b48048331934af26272f061d06a6e
Opcode Fuzzy Hash: 5797ade053af6bc1d46a2532287f3185858a191c046162a9b2d629c9e4ed1965
Instruction Fuzzy Hash: 1F6193614487C25EDB228B79889C752BED26F13374F8DC3EAC8E54E0E7D3A5414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056DF, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 097fc659ec10b93803d126aaddf57264b76f1dae24d0181f3ec4b23be2e5ae94
Instruction ID: 8b747d452dbe5395e1ca98de5f99ed4e370c88b44ebb35beeb4b98a5b87a289d
Opcode Fuzzy Hash: 097fc659ec10b93803d126aaddf57264b76f1dae24d0181f3ec4b23be2e5ae94
Instruction Fuzzy Hash: A36183614487C29EDB218B3988DC751BED26B13374F9DC3EAC8E64E0E7D3A5814AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056E3, Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc6c6d1cff45695e035d23e8f1659e1d17ef6dbfa56b98f3ec1711b5c1f96973
Instruction ID: dfa0162bb504b8ac7ee6017ac5f30c6a233e74612d4212767a224696155b61f5
Opcode Fuzzy Hash: fc6c6d1cff45695e035d23e8f1659e1d17ef6dbfa56b98f3ec1711b5c1f96973
Instruction Fuzzy Hash: C06183614487C29EDB228B7988DC751BED26B13374F8DC3EAC8E54E0E7D3A5414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056E7, Relevance: .2, Instructions: 178COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03c12220b128b4de1989f4d35210d9d463f5835e2280d0a54a77512f74fec8a3
Instruction ID: 8e478034b73fa03bd1100629b7e29f7eb1dfdd0e322d8166b0b46f88583ab7d8
Opcode Fuzzy Hash: 03c12220b128b4de1989f4d35210d9d463f5835e2280d0a54a77512f74fec8a3
Instruction Fuzzy Hash: 0D6183614487C25DDB228B7988DC752BED26B13374F8DC3EAC8E54E0E7D3A5414AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056EB, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaaba6e5ee6bbd7f4d0369bf7b9e65b8e7af39395dbe8405cbbb39d926f0386f
Instruction ID: a428ced265f926651bf0ac576f8ebe04300f84c8c144e735d0d830d7dbef9f78
Opcode Fuzzy Hash: aaaba6e5ee6bbd7f4d0369bf7b9e65b8e7af39395dbe8405cbbb39d926f0386f
Instruction Fuzzy Hash: E761A4614487C29DDB219B3988DCB51BED26B13374F8DC3EAC8E94E0E7D3A5814AC716

Uniqueness

Uniqueness Score: -1.00%

Function 021056EF, Relevance: .2, Instructions: 175COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c676cd15ceef6d6f6d3dbc4b2b598e93e0575d82417e0dd0d9f95bc0a97bbc2e
Instruction ID: e7a387e83489523becfe84ede8e52324381a2275c0e17edfa0bfb9add7309a74
Opcode Fuzzy Hash: c676cd15ceef6d6f6d3dbc4b2b598e93e0575d82417e0dd0d9f95bc0a97bbc2e
Instruction Fuzzy Hash: A86194614487C29DDB218B3988DC751BED26B13374F8DC3EAC8E64E0EBD3A5814AC716

Uniqueness

Uniqueness Score: -1.00%

Function 02104CC0, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95178081cbe919ec8591c2c4c9b7e0779abaa4f98f4f021c1bf1860e2cd8a77f
Instruction ID: f3bb7f02a758f608d66df5788ae49092076f68bf24c4253cffb237649bbaa242
Opcode Fuzzy Hash: 95178081cbe919ec8591c2c4c9b7e0779abaa4f98f4f021c1bf1860e2cd8a77f
Instruction Fuzzy Hash: 6B2126357047068F8B249E7CC5E07973392EF9E360B59867DED96CB392D7A19842CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0210512B, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44a7f950807568d60e8330689d1f70deb6d19209abf0b2b7138a91d60454c8ad
Instruction ID: 986272df14cabe143e0fe73cf2d1bb1c9d4884b7e37c2369a4cf5fce178b1675
Opcode Fuzzy Hash: 44a7f950807568d60e8330689d1f70deb6d19209abf0b2b7138a91d60454c8ad
Instruction Fuzzy Hash: 20F022A830450B1ED66919A84AF03FAB18ADF5A3A0FD0C23DFD5B521C1E3C50DC44401

Uniqueness

Uniqueness Score: -1.00%

Function 02101202, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f7e8361f6854f833713601d48bc58b9a723866c9329fdbb7b7cff341736625
Instruction ID: c33656b61588caa8f34aeaab90c2bb68cad80133c2dd35dff129f5c5eaadd1ef
Opcode Fuzzy Hash: 84f7e8361f6854f833713601d48bc58b9a723866c9329fdbb7b7cff341736625
Instruction Fuzzy Hash: 9D01D231680748EFEF321F908EC5BDD3A13AF45760F214225FE1C291D087BA4B809D12

Uniqueness

Uniqueness Score: -1.00%

Function 02106E4E, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b7f49881be9911c2392815c86eaa3b59339db48d3932ac4b6f8b38d11baece9
Instruction ID: 05a6b8cadd133f2f1d1697d5c8d3988e7cedaa020917d2cb774cd5e2f9c39599
Opcode Fuzzy Hash: 1b7f49881be9911c2392815c86eaa3b59339db48d3932ac4b6f8b38d11baece9
Instruction Fuzzy Hash: 77F0123415C66A6E9B27CE24591298EFB90F7C2310732F069C1C29B5D3CF108D5BB284

Uniqueness

Uniqueness Score: -1.00%

Function 0210514F, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14204d5dbbcedf6506ab4a900061a433a743a7a4c2f7490270541a6e690820ea
Instruction ID: ca8369eedee8fff61ddb5f14824c79488f7a92583c0cd2fdcde5e747cf173659
Opcode Fuzzy Hash: 14204d5dbbcedf6506ab4a900061a433a743a7a4c2f7490270541a6e690820ea
Instruction Fuzzy Hash: EDE086EC24515B2DD776199817B43FD75035B0B3B0FF19138EC5B592C672C68EC51405

Uniqueness

Uniqueness Score: -1.00%

Function 02105153, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e1de598221bfa44078e397e71d46261c5079de53d475ee3880237b4a9f225aa
Instruction ID: 3fce9e94ccc6c6705ad6e6902d28cd7066ba9994d8d24daa8c214abd456d8edf
Opcode Fuzzy Hash: 9e1de598221bfa44078e397e71d46261c5079de53d475ee3880237b4a9f225aa
Instruction Fuzzy Hash: 3AE08CBD2491176DD7662A9843B83FD7102AB0B3B0FE1C138EC6B5A2C6A2C68EC05855

Uniqueness

Uniqueness Score: -1.00%

Function 02105157, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00e61f49cd75038366504c7b58853f2806e43929d9e5ce5b0d9fc461d6911e31
Instruction ID: f32158e9c9c43eadb1d947d70cd6479549ca9620b87a8372922fef72232edda7
Opcode Fuzzy Hash: 00e61f49cd75038366504c7b58853f2806e43929d9e5ce5b0d9fc461d6911e31
Instruction Fuzzy Hash: 20E0C2EC24905B2CD77A299847743FC74029B0B370FF18138AC5B592C573C68EC04814

Uniqueness

Uniqueness Score: -1.00%

Function 0210515B, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb97bf4661ee9b0b1f602a88ce4ab041c0e1a33fb926fa33edaafac4af85cfe
Instruction ID: f886ad06d8ff9db73a939e9ea5fd55d73ae0009240e7a4bdaaac4a6be66630e7
Opcode Fuzzy Hash: aeb97bf4661ee9b0b1f602a88ce4ab041c0e1a33fb926fa33edaafac4af85cfe
Instruction Fuzzy Hash: 31E0C2E914E2A72CDB2A2A6C06B03F87E035B2B270FF58128EC97152C663C649C48511

Uniqueness

Uniqueness Score: -1.00%

Function 0210515F, Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e298288c13bb959f6d1b1c95c651e90da468f3312fc3a2243b2fee90467c62
Instruction ID: 01558a61cf9e7ec6082f6e21702ffeb910e9fca4eaff37ad98375442ed894636
Opcode Fuzzy Hash: 68e298288c13bb959f6d1b1c95c651e90da468f3312fc3a2243b2fee90467c62
Instruction Fuzzy Hash: 7BD05EEC24A16B2CDA7B29A813B43FD65039B0B3B0FF19138EC5B552C573C68EC14455

Uniqueness

Uniqueness Score: -1.00%

Function 02104E30, Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f9b5de0feb0bf7467b2dc7fbb5472691b7b400ed5d953886828c35a0751cf788
Instruction ID: fcbaf5d7908204caad5aec79c13dd16214411541e87dae28c2c2df58fc5af42f
Opcode Fuzzy Hash: f9b5de0feb0bf7467b2dc7fbb5472691b7b400ed5d953886828c35a0751cf788
Instruction Fuzzy Hash: 2AE01A353412019FC715DB48C5D4F5773A6BB98750FB18465E6018B6A1D778EC80CB14

Uniqueness

Uniqueness Score: -1.00%

Function 02103A54, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: aef34c9991aa9a8f459f226ff224e5c93c416d9b1a7189ec36d4325b3c3703ec
Instruction ID: 6db781e1e5a7c5c5971dd4dbaf70648ca338d76505c54bfd30439e58dcdefae0
Opcode Fuzzy Hash: aef34c9991aa9a8f459f226ff224e5c93c416d9b1a7189ec36d4325b3c3703ec
Instruction Fuzzy Hash: 63E012782443854FD705AFB584D078D2B526F85710F208079E885C7284EBB8C846DA59

Uniqueness

Uniqueness Score: -1.00%

Function 02104A24, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5caf58640b87ee9e7facefa9520ae69d9b41019bc652a92720da2784ef534457
Instruction ID: 61ff2251bcf39c410875126ecc8f23bef564206a9fbb2bbae3fd2c4b8850762a
Opcode Fuzzy Hash: 5caf58640b87ee9e7facefa9520ae69d9b41019bc652a92720da2784ef534457
Instruction Fuzzy Hash: 9BC08C367115048FF3A1CBA9C280B807BA2EB4E250B804084E62087705C1A8E940C660

Uniqueness

Uniqueness Score: -1.00%

Function 02102E68, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.738009135.0000000002100000.00000040.00000001.sdmp, Offset: 02100000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9b20768b5c37523d794889b33131225d1d5f37e2ab1421184cb3d84ae2876bd
Instruction ID: b9ce990e231750f054115c16556dcc0fab5c4413a5add108c803a6967b2a1e39
Opcode Fuzzy Hash: b9b20768b5c37523d794889b33131225d1d5f37e2ab1421184cb3d84ae2876bd
Instruction Fuzzy Hash: 80C092BB7529808FFB15CB08C892B00B3A2FB00749FC80490E002CB712C228ED10CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00440115, Relevance: 73.7, APIs: 38, Strings: 4, Instructions: 230
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00440115(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v32;
				char _v40;
				char _v44;
				char _v48;
				char _v64;
				intOrPtr _v72;
				char _v80;
				char _v84;
				intOrPtr _t53;
				void* _t55;
				intOrPtr* _t56;
				void* _t57;
				intOrPtr* _t58;
				intOrPtr* _t60;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				char* _t68;
				char* _t69;
				intOrPtr* _t71;
				intOrPtr* _t109;
				intOrPtr* _t111;
				intOrPtr* _t112;
				intOrPtr* _t113;
				intOrPtr* _t114;
				intOrPtr _t117;
				intOrPtr _t118;
				intOrPtr _t121;
				intOrPtr _t124;
				intOrPtr _t128;
				void* _t133;

				_t133 = __fp0;
				_push(0x401ce6);
				_t53 =  *[fs:0x0];
				_push(_t53);
				 *[fs:0x0] = _t117;
				_t118 = _t117 - 0x54;
				_v12 = _t118;
				_v8 = 0x401c80;
				_v24 = 0;
				_v32 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v64 = 0;
				_v80 = 0;
				_v84 = 0;
				L00401EBA();
				_push(0x42a240);
				L00401DD0();
				if(_t53 != 0x61) {
					_push(L"1:1:");
					_push(0x42a258);
					L00401E54();
					L00401ED8();
					_push(_t53);
					_push( &_v64);
					L00401E5A();
					_push( &_v64);
					L00401EA8();
					L00401ED8();
					L00401EAE();
					L00401E96();
					_t121 =  *0x446370; // 0x220e8b4
					if(_t121 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t112 =  *0x446370; // 0x220e8b4
					_t65 =  *((intOrPtr*)( *_t112 + 0x14))(_t112,  &_v48);
					asm("fclex");
					if(_t65 < 0) {
						_push(0x14);
						_push(0x429568);
						_push(_t112);
						_push(_t65);
						L00401ECC();
					}
					_t66 = _v48;
					_t113 = _t66;
					_t67 =  *((intOrPtr*)( *_t66 + 0x78))(_t66,  &_v84);
					asm("fclex");
					if(_t67 < 0) {
						_push(0x78);
						_push(0x429588);
						_push(_t113);
						_push(_t67);
						L00401ECC();
					}
					L00401EC6();
					_t124 =  *0x446370; // 0x220e8b4
					if(_t124 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t114 =  *0x446370; // 0x220e8b4
					_t68 =  &_v64;
					L00401DBE();
					_t118 = _t118 + 0x10;
					L00401DC4();
					_t69 =  &_v48;
					L00401DCA();
					_t53 =  *((intOrPtr*)( *_t114 + 0xc))(_t114, _t69, _t69, _t68, _t68, _t68, _v24, L"Tv1UE9EC2G986", 0);
					asm("fclex");
					if(_t53 < 0) {
						_push(0xc);
						_push(0x429568);
						_push(_t114);
						_push(_t53);
						L00401ECC();
					}
					L00401EC6();
					L00401E96();
				}
				_push("Tru");
				_push(0x42a2a0);
				L00401E54();
				L00401ED8();
				_push(_t53);
				L00401DB8();
				L00401EAE();
				if( ~(0 | _t53 != 0x0000ffff) != 0) {
					L00401DB2();
					st0 = _t133;
					_t128 =  *0x446370; // 0x220e8b4
					if(_t128 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t109 =  *0x446370; // 0x220e8b4
					_t55 =  *((intOrPtr*)( *_t109 + 0x14))(_t109,  &_v48);
					asm("fclex");
					if(_t55 < 0) {
						_push(0x14);
						_push(0x429568);
						_push(_t109);
						_push(_t55);
						L00401ECC();
					}
					_t56 = _v48;
					_v72 = 0x80020004;
					_v80 = 0xa;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t71 = _t56;
					asm("movsd");
					_t57 =  *((intOrPtr*)( *_t56 + 0x13c))(_t56, L"Theodoras5");
					asm("fclex");
					if(_t57 < 0) {
						_push(0x13c);
						_push(0x429588);
						_push(_t71);
						_push(_t57);
						L00401ECC();
					}
					L00401EC6();
					_t58 =  *0x446010; // 0x5ceab8
					if(_t58 == 0) {
						_push(0x446010);
						_push(0x428434);
						L00401ED2();
						_t58 =  *0x446010; // 0x5ceab8
					}
					_t60 =  &_v48;
					L00401EB4();
					_t111 = _t60;
					_t53 =  *((intOrPtr*)( *_t111 + 0xf8))(_t111, 0,  &_v44, _t60,  *((intOrPtr*)( *_t58 + 0x2fc))(_t58));
					asm("fclex");
					if(_t53 < 0) {
						_push(0xf8);
						_push(0x429668);
						_push(_t111);
						_push(_t53);
						L00401ECC();
					}
					_push(1);
					_push(_v44);
					L00401DAC();
					L00401EAE();
					L00401EC6();
				}
				asm("wait");
				_push(0x440407);
				L00401EC6();
				L00401EAE();
				L00401EAE();
				return _t53;
			}

0x00440115
0x0044011a
0x0044011f
0x00440125
0x00440126
0x0044012d
0x00440133
0x00440136
0x00440145
0x00440148
0x0044014b
0x0044014e
0x00440151
0x00440154
0x00440157
0x0044015a
0x0044015d
0x00440162
0x00440167
0x00440170
0x00440176
0x0044017b
0x00440180
0x0044018a
0x0044018f
0x00440193
0x00440194
0x0044019c
0x0044019d
0x004401a7
0x004401af
0x004401b7
0x004401bc
0x004401c2
0x004401c4
0x004401c9
0x004401ce
0x004401ce
0x004401d3
0x004401e0
0x004401e3
0x004401e7
0x004401e9
0x004401eb
0x004401f0
0x004401f1
0x004401f2
0x004401f2
0x004401f7
0x00440201
0x00440203
0x00440206
0x0044020a
0x0044020c
0x0044020e
0x00440213
0x00440214
0x00440215
0x00440215
0x0044021d
0x00440222
0x00440228
0x0044022a
0x0044022f
0x00440234
0x00440234
0x00440239
0x0044024a
0x0044024e
0x00440253
0x00440257
0x0044025d
0x00440261
0x00440268
0x0044026b
0x0044026f
0x00440271
0x00440273
0x00440278
0x00440279
0x0044027a
0x0044027a
0x00440282
0x0044028a
0x0044028a
0x0044028f
0x00440294
0x00440299
0x004402a3
0x004402a8
0x004402a9
0x004402bf
0x004402c7
0x004402cd
0x004402d2
0x004402d4
0x004402da
0x004402dc
0x004402e1
0x004402e6
0x004402e6
0x004402eb
0x004402f8
0x004402fb
0x004402ff
0x00440301
0x00440303
0x00440308
0x00440309
0x0044030a
0x0044030a
0x0044030f
0x00440319
0x00440320
0x0044032a
0x0044032b
0x0044032c
0x00440333
0x00440335
0x00440336
0x0044033e
0x00440340
0x00440342
0x00440347
0x0044034c
0x0044034d
0x0044034e
0x0044034e
0x00440356
0x0044035b
0x00440362
0x00440364
0x00440369
0x0044036e
0x00440373
0x00440373
0x00440382
0x00440386
0x0044038f
0x00440396
0x0044039c
0x004403a0
0x004403a2
0x004403a7
0x004403ac
0x004403ad
0x004403ae
0x004403ae
0x004403b3
0x004403b5
0x004403b8
0x004403c0
0x004403c8
0x004403c8
0x004403cd
0x004403ce
0x004403f1
0x004403f9
0x00440401
0x00440406

APIs

__vbaStrCopy.MSVBVM60 ref: 0044015D
#696.MSVBVM60(0042A240), ref: 00440167
__vbaStrCat.MSVBVM60(0042A258,1:1:,0042A240), ref: 00440180
__vbaStrMove.MSVBVM60(0042A258,1:1:,0042A240), ref: 0044018A
#541.MSVBVM60(?,00000000,0042A258,1:1:,0042A240), ref: 00440194
__vbaStrVarMove.MSVBVM60(?,?,00000000,0042A258,1:1:,0042A240), ref: 0044019D
__vbaStrMove.MSVBVM60(?,?,00000000,0042A258,1:1:,0042A240), ref: 004401A7
__vbaFreeStr.MSVBVM60(?,?,00000000,0042A258,1:1:,0042A240), ref: 004401AF
__vbaFreeVar.MSVBVM60(?,?,00000000,0042A258,1:1:,0042A240), ref: 004401B7
__vbaNew2.MSVBVM60(00429578,00446370,?,?,00000000,0042A258,1:1:,0042A240), ref: 004401CE
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 004401F2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,00000078), ref: 00440215
__vbaFreeObj.MSVBVM60(00000000,?,00429588,00000078), ref: 0044021D
__vbaNew2.MSVBVM60(00429578,00446370), ref: 00440234
__vbaLateMemCallLd.MSVBVM60(?,?,Tv1UE9EC2G986,00000000), ref: 0044024E
__vbaObjVar.MSVBVM60(00000000), ref: 00440257
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000), ref: 00440261
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,0000000C), ref: 0044027A
__vbaFreeObj.MSVBVM60(00000000,0220E8B4,00429568,0000000C), ref: 00440282
__vbaFreeVar.MSVBVM60(00000000,0220E8B4,00429568,0000000C), ref: 0044028A
__vbaStrCat.MSVBVM60(0042A2A0,Tru,0042A240), ref: 00440299
__vbaStrMove.MSVBVM60(0042A2A0,Tru,0042A240), ref: 004402A3
__vbaBoolStr.MSVBVM60(00000000,0042A2A0,Tru,0042A240), ref: 004402A9
__vbaFreeStr.MSVBVM60(00000000,0042A2A0,Tru,0042A240), ref: 004402BF
#535.MSVBVM60(00000000,0042A2A0,Tru,0042A240), ref: 004402CD
__vbaNew2.MSVBVM60(00429578,00446370,00000000,0042A2A0,Tru,0042A240), ref: 004402E6
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 0044030A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,0000013C), ref: 0044034E
__vbaFreeObj.MSVBVM60(00000000,?,00429588,0000013C), ref: 00440356
__vbaNew2.MSVBVM60(00428434,00446010), ref: 0044036E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00440386
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00429668,000000F8), ref: 004403AE
#580.MSVBVM60(?,00000001), ref: 004403B8
__vbaFreeStr.MSVBVM60(?,00000001), ref: 004403C0
__vbaFreeObj.MSVBVM60(?,00000001), ref: 004403C8
__vbaFreeObj.MSVBVM60(00440407,00000000,0042A2A0,Tru,0042A240), ref: 004403F1
__vbaFreeStr.MSVBVM60(00440407,00000000,0042A2A0,Tru,0042A240), ref: 004403F9
__vbaFreeStr.MSVBVM60(00440407,00000000,0042A2A0,Tru,0042A240), ref: 00440401

Strings

Tru, xrefs: 0044028F
Tv1UE9EC2G986, xrefs: 00440242
Theodoras5, xrefs: 0044032D
1:1:, xrefs: 00440176

Memory Dump Source

Source File: 00000000.00000002.736529309.0000000000428000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.736384854.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.736410701.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736434485.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736668752.0000000000446000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.736681827.0000000000447000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#541#580#696AddrefBoolCallCopyLate
String ID: 1:1:$Theodoras5$Tru$Tv1UE9EC2G986
API String ID: 1381775776-983349194
Opcode ID: cdc919ba04536621bc086a6812ab5dd7c27a6ec2f31abb59975ca53a7cb19bf1
Instruction ID: 91bc4a13583e9f9dd47a66402036a993e5c748367c3cf8f80c8b429be4446bb8
Opcode Fuzzy Hash: cdc919ba04536621bc086a6812ab5dd7c27a6ec2f31abb59975ca53a7cb19bf1
Instruction Fuzzy Hash: F271B071E40204ABDB00EFA6DC46EEE77B8AF14705F60412BF901B31E1DB7C69058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0044041A, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 160
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0044041A(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				char _v60;
				intOrPtr _t34;
				void* _t36;
				intOrPtr* _t37;
				void* _t38;
				void* _t40;
				intOrPtr* _t41;
				void* _t42;
				intOrPtr* _t43;
				intOrPtr* _t45;
				intOrPtr* _t48;
				intOrPtr* _t73;
				intOrPtr* _t74;
				intOrPtr* _t75;
				intOrPtr* _t77;
				intOrPtr _t80;
				intOrPtr _t85;
				intOrPtr _t88;

				_push(0x401ce6);
				_t34 =  *[fs:0x0];
				_push(_t34);
				 *[fs:0x0] = _t80;
				_v12 = _t80 - 0x3c;
				_v8 = 0x401c90;
				_push(2);
				_push(0x42a2c4);
				_push(0x42a2d0);
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				L00401E54();
				L00401ED8();
				_push(_t34);
				_push(0x42a2d0);
				_push(0);
				L00401E60();
				L00401EAE();
				if( ~(0 | _t34 != 0x00000003) != 0) {
					_t85 =  *0x446370; // 0x220e8b4
					if(_t85 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t73 =  *0x446370; // 0x220e8b4
					_t36 =  *((intOrPtr*)( *_t73 + 0x14))(_t73,  &_v40);
					asm("fclex");
					if(_t36 < 0) {
						_push(0x14);
						_push(0x429568);
						_push(_t73);
						_push(_t36);
						L00401ECC();
					}
					_t37 = _v40;
					_t74 = _t37;
					_t38 =  *((intOrPtr*)( *_t37 + 0x68))(_t37,  &_v60);
					asm("fclex");
					if(_t38 < 0) {
						_push(0x68);
						_push(0x429588);
						_push(_t74);
						_push(_t38);
						L00401ECC();
					}
					L00401EC6();
					_t88 =  *0x446370; // 0x220e8b4
					if(_t88 == 0) {
						_push(0x446370);
						_push(0x429578);
						L00401ED2();
					}
					_t75 =  *0x446370; // 0x220e8b4
					_t40 =  *((intOrPtr*)( *_t75 + 0x14))(_t75,  &_v40);
					asm("fclex");
					if(_t40 < 0) {
						_push(0x14);
						_push(0x429568);
						_push(_t75);
						_push(_t40);
						L00401ECC();
					}
					_t41 = _v40;
					_v48 = 0x80020004;
					_v56 = 0xa;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t48 = _t41;
					asm("movsd");
					_t42 =  *((intOrPtr*)( *_t41 + 0x13c))(_t41, L"Parcelhusets1");
					asm("fclex");
					if(_t42 < 0) {
						_push(0x13c);
						_push(0x429588);
						_push(_t48);
						_push(_t42);
						L00401ECC();
					}
					L00401EC6();
					_t43 =  *0x446010; // 0x5ceab8
					if(_t43 == 0) {
						_push(0x446010);
						_push(0x428434);
						L00401ED2();
						_t43 =  *0x446010; // 0x5ceab8
					}
					_t45 =  &_v40;
					L00401EB4();
					_t77 = _t45;
					_t34 =  *((intOrPtr*)( *_t77 + 0x108))(_t77,  &_v36, _t45,  *((intOrPtr*)( *_t43 + 0x308))(_t43));
					asm("fclex");
					if(_t34 < 0) {
						_push(0x108);
						_push(0x4295b0);
						_push(_t77);
						_push(_t34);
						L00401ECC();
					}
					_push(1);
					_push(_v36);
					L00401DAC();
					L00401EAE();
					L00401EC6();
				}
				_v28 = 0xe9ca0480;
				_v24 = 0x5af8;
				_push(0x440616);
				return _t34;
			}

0x0044041f
0x00440424
0x0044042a
0x0044042b
0x00440438
0x0044043b
0x00440442
0x00440446
0x00440450
0x00440451
0x00440454
0x00440457
0x0044045a
0x0044045d
0x00440467
0x0044046c
0x0044046d
0x0044046e
0x0044046f
0x00440484
0x0044048c
0x00440492
0x00440498
0x0044049a
0x0044049f
0x004404a4
0x004404a4
0x004404a9
0x004404b6
0x004404b9
0x004404bd
0x004404bf
0x004404c1
0x004404c6
0x004404c7
0x004404c8
0x004404c8
0x004404cd
0x004404d7
0x004404d9
0x004404dc
0x004404e0
0x004404e2
0x004404e4
0x004404e9
0x004404ea
0x004404eb
0x004404eb
0x004404f3
0x004404f8
0x004404fe
0x00440500
0x00440505
0x0044050a
0x0044050a
0x0044050f
0x0044051c
0x0044051f
0x00440523
0x00440525
0x00440527
0x0044052c
0x0044052d
0x0044052e
0x0044052e
0x00440533
0x0044053d
0x00440544
0x0044054e
0x0044054f
0x00440550
0x00440557
0x00440559
0x0044055a
0x00440562
0x00440564
0x00440566
0x0044056b
0x00440570
0x00440571
0x00440572
0x00440572
0x0044057a
0x0044057f
0x00440586
0x00440588
0x0044058d
0x00440592
0x00440597
0x00440597
0x004405a6
0x004405aa
0x004405b2
0x004405b8
0x004405be
0x004405c2
0x004405c4
0x004405c9
0x004405ce
0x004405cf
0x004405d0
0x004405d0
0x004405d5
0x004405d7
0x004405da
0x004405e2
0x004405ea
0x004405ea
0x004405ef
0x004405f6
0x004405fd
0x00000000

APIs

__vbaStrCat.MSVBVM60(0042A2D0,0042A2C4,00000002), ref: 0044045D
__vbaStrMove.MSVBVM60(0042A2D0,0042A2C4,00000002), ref: 00440467
__vbaInStr.MSVBVM60(00000000,0042A2D0,00000000,0042A2D0,0042A2C4,00000002), ref: 0044046F
__vbaFreeStr.MSVBVM60(00000000,0042A2D0,00000000,0042A2D0,0042A2C4,00000002), ref: 00440484
__vbaNew2.MSVBVM60(00429578,00446370,00000000,0042A2D0,00000000,0042A2D0,0042A2C4,00000002), ref: 004404A4
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 004404C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,00000068), ref: 004404EB
__vbaFreeObj.MSVBVM60(00000000,?,00429588,00000068), ref: 004404F3
__vbaNew2.MSVBVM60(00429578,00446370), ref: 0044050A
__vbaHresultCheckObj.MSVBVM60(00000000,0220E8B4,00429568,00000014), ref: 0044052E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00429588,0000013C), ref: 00440572
__vbaFreeObj.MSVBVM60(00000000,?,00429588,0000013C), ref: 0044057A
__vbaNew2.MSVBVM60(00428434,00446010), ref: 00440592
__vbaObjSet.MSVBVM60(?,00000000), ref: 004405AA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004295B0,00000108), ref: 004405D0
#580.MSVBVM60(?,00000001), ref: 004405DA
__vbaFreeStr.MSVBVM60(?,00000001), ref: 004405E2
__vbaFreeObj.MSVBVM60(?,00000001), ref: 004405EA

Strings

Parcelhusets1, xrefs: 00440551

Memory Dump Source

Source File: 00000000.00000002.736529309.0000000000428000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.736384854.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.736410701.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736434485.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736668752.0000000000446000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.736681827.0000000000447000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#580Move
String ID: Parcelhusets1
API String ID: 985373802-4012875159
Opcode ID: fd6c40684be1a7cb64d161682700c2afe5b7c9e6d9bb6f5e8caa6f2acfa19fd4
Instruction ID: 03ea1f9b2c2127dfa1c71411e4de041836f7e71b180126834c3280a8f207aa5e
Opcode Fuzzy Hash: fd6c40684be1a7cb64d161682700c2afe5b7c9e6d9bb6f5e8caa6f2acfa19fd4
Instruction Fuzzy Hash: 3F51A171A40214ABDB00EFA5DC46EEE76B8EF15705F60006AF901B71E1DBBC6D01CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00440637, Relevance: 12.1, APIs: 8, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00440637(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				intOrPtr* _t18;
				intOrPtr* _t20;
				void* _t22;
				char* _t23;
				intOrPtr* _t35;
				intOrPtr _t38;

				_push(0x401ce6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t38;
				_v12 = _t38 - 0x38;
				_v8 = 0x401ca0;
				_t18 =  *0x446010; // 0x5ceab8
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				if(_t18 == 0) {
					_push(0x446010);
					_push(0x428434);
					L00401ED2();
					_t18 =  *0x446010; // 0x5ceab8
				}
				_t20 =  &_v32;
				L00401EB4();
				_t35 = _t20;
				_t22 =  *((intOrPtr*)( *_t35 + 0x1ac))(_t35, _t20,  *((intOrPtr*)( *_t18 + 0x318))(_t18));
				asm("fclex");
				if(_t22 < 0) {
					_push(0x1ac);
					_push(0x429734);
					_push(_t35);
					_push(_t22);
					L00401ECC();
				}
				L00401EC6();
				_push(0);
				_t23 =  &_v48;
				_push(_t23);
				_v40 = 1;
				_v48 = 2;
				L00401DA6();
				L00401ED8();
				L00401E96();
				_v24 = 0x3cc5;
				_push(0x440716);
				L00401EAE();
				return _t23;
			}

0x0044063c
0x00440647
0x00440648
0x00440655
0x00440658
0x0044065f
0x00440668
0x0044066b
0x0044066e
0x00440671
0x00440673
0x00440678
0x0044067d
0x00440682
0x00440682
0x00440691
0x00440695
0x0044069a
0x0044069f
0x004406a5
0x004406a9
0x004406ab
0x004406b0
0x004406b5
0x004406b6
0x004406b7
0x004406b7
0x004406bf
0x004406c4
0x004406c5
0x004406c8
0x004406c9
0x004406d0
0x004406d7
0x004406e1
0x004406e9
0x004406ee
0x004406f5
0x00440710
0x00440715

APIs

__vbaNew2.MSVBVM60(00428434,00446010), ref: 0044067D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00440695
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00429734,000001AC), ref: 004406B7
__vbaFreeObj.MSVBVM60(00000000,00000000,00429734,000001AC), ref: 004406BF
#705.MSVBVM60(?,00000000), ref: 004406D7
__vbaStrMove.MSVBVM60(?,00000000), ref: 004406E1
__vbaFreeVar.MSVBVM60(?,00000000), ref: 004406E9
__vbaFreeStr.MSVBVM60(00440716,?,00000000), ref: 00440710

Memory Dump Source

Source File: 00000000.00000002.736529309.0000000000428000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.736384854.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.736410701.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736434485.0000000000419000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.736668752.0000000000446000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.736681827.0000000000447000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#705CheckHresultMoveNew2
String ID:
API String ID: 1968677507-0
Opcode ID: 3353e6ad632783ca27701c3af83cbb157ced0b898cd36f7d5194476c01cb76af
Instruction ID: f0b6838683609768a33374784a5227e3b444da542f8ff5073341aabddfc54736
Opcode Fuzzy Hash: 3353e6ad632783ca27701c3af83cbb157ced0b898cd36f7d5194476c01cb76af
Instruction Fuzzy Hash: 66115171D40204ABD710EFA6C846EEFB7B8AF55704F50442BF541B72A1DA7C59018BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Order-078CNLTD.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Order-078CNLTD.exe PID: 5800 Parent PID: 5580

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Order-078CNLTD.exe PID: 5800 Parent PID: 5580 Order-078CNLTD.exeCOMMON

Executed Functions

Function 02103179, Relevance: 1.6, APIs: 1, Instructions: 71memorynativeCOMMON

Function 00440733, Relevance: 87.8, APIs: 46, Strings: 4, Instructions: 329
COMMON

Function 00440115, Relevance: 73.7, APIs: 38, Strings: 4, Instructions: 230
COMMON

Function 0044041A, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 160
COMMON

Function 00440637, Relevance: 12.1, APIs: 8, Instructions: 63
COMMON