Play interactive tour

Edit tour

Windows Analysis Report PRICE-(BPS).exe

Overview

General Information

Sample Name:	PRICE-(BPS).exe
Analysis ID:	434933
MD5:	a75c6c6953a362788c54b36ec7f8dbf2
SHA1:	36c2485f9bec118660d3dcfb60e4b184c01c5d61
SHA256:	19a93cf55d422bf9dcca2ece46b98704248641f86ca7ed2a21d903c724c79a53
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

PRICE-(BPS).exe (PID: 632 cmdline: 'C:\Users\user\Desktop\PRICE-(BPS).exe' MD5: A75C6C6953A362788C54B36EC7F8DBF2)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
PRICE-(BPS).exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.201011246.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.PRICE-(BPS).exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.PRICE-(BPS).exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: PRICE-(BPS).exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z"}

Source: PRICE-(BPS).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175C85 NtAllocateVirtualMemory,	0_2_02175C85
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175E44 NtAllocateVirtualMemory,	0_2_02175E44
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175CC6 NtAllocateVirtualMemory,	0_2_02175CC6
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175CF4 NtAllocateVirtualMemory,	0_2_02175CF4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175D57 NtAllocateVirtualMemory,	0_2_02175D57
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175DB2 NtAllocateVirtualMemory,	0_2_02175DB2
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175DA1 NtAllocateVirtualMemory,	0_2_02175DA1
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175DCA NtAllocateVirtualMemory,	0_2_02175DCA

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_004123C1	0_2_004123C1
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175C85	0_2_02175C85
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217422C	0_2_0217422C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171267	0_2_02171267
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021742BF	0_2_021742BF
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021712BB	0_2_021712BB
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021742E4	0_2_021742E4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171300	0_2_02171300
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217432F	0_2_0217432F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02170351	0_2_02170351
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02170377	0_2_02170377
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02170398	0_2_02170398
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217438F	0_2_0217438F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021703D4	0_2_021703D4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021743D4	0_2_021743D4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174804	0_2_02174804
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174837	0_2_02174837
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217282F	0_2_0217282F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174028	0_2_02174028
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217984C	0_2_0217984C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174070	0_2_02174070
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217986F	0_2_0217986F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179894	0_2_02179894
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02172880	0_2_02172880
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217488C	0_2_0217488C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021798B0	0_2_021798B0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021710A3	0_2_021710A3
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021740D3	0_2_021740D3
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021728D0	0_2_021728D0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021798DC	0_2_021798DC
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021748EF	0_2_021748EF
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179914	0_2_02179914
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171110	0_2_02171110
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179907	0_2_02179907
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174124	0_2_02174124
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179928	0_2_02179928
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174950	0_2_02174950
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179950	0_2_02179950
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171144	0_2_02171144
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02179963	0_2_02179963
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217119D	0_2_0217119D
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174180	0_2_02174180
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217998B	0_2_0217998B
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021799B3	0_2_021799B3
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021741D4	0_2_021741D4
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021711F3	0_2_021711F3
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171E35	0_2_02171E35
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217463A	0_2_0217463A
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173E5C	0_2_02173E5C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171E44	0_2_02171E44
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02171E90	0_2_02171E90
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178E90	0_2_02178E90
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217469B	0_2_0217469B
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173EAB	0_2_02173EAB
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178EC8	0_2_02178EC8
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021746E8	0_2_021746E8
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173F1B	0_2_02173F1B
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217473F	0_2_0217473F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173F5C	0_2_02173F5C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02172745	0_2_02172745
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02172787	0_2_02172787
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173FB3	0_2_02173FB3
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021727D7	0_2_021727D7
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173C0F	0_2_02173C0F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C0C	0_2_02178C0C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174437	0_2_02174437
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C28	0_2_02178C28
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174448	0_2_02174448
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02174494	0_2_02174494
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C88	0_2_02178C88
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175CC6	0_2_02175CC6
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178CCC	0_2_02178CCC
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021744EC	0_2_021744EC
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178D17	0_2_02178D17
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178D5F	0_2_02178D5F
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217456B	0_2_0217456B
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021745B8	0_2_021745B8
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_021745CD	0_2_021745CD
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178DF7	0_2_02178DF7
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02173DFC	0_2_02173DFC

Source: PRICE-(BPS).exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: PRICE-(BPS).exe, 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMazier6.exe vs PRICE-(BPS).exe
Source: PRICE-(BPS).exe, 00000000.00000002.581959451.0000000002150000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs PRICE-(BPS).exe
Source: PRICE-(BPS).exe	Binary or memory string: OriginalFilenameMazier6.exe vs PRICE-(BPS).exe

Source: PRICE-(BPS).exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

File created: C:\Users\user\AppData\Local\Temp\~DF583CFE3EF48CF414.TMP

Jump to behavior

Source: PRICE-(BPS).exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: PRICE-(BPS).exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.201011246.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.PRICE-(BPS).exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.PRICE-(BPS).exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0040A678 pushfd ; retf	0_2_0040A6A0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175A90 push edx; retf	0_2_02175AB0
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_0217353A push 39000002h; ret	0_2_0217354A

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02172745	0_2_02172745
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C0C	0_2_02178C0C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C28	0_2_02178C28
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C88	0_2_02178C88
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178CCC	0_2_02178CCC
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178D17	0_2_02178D17

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Code function: 0_2_02175C85 rdtsc

0_2_02175C85

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Code function: 0_2_02175C85 rdtsc

0_2_02175C85

Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178289 mov eax, dword ptr fs:[00000030h]	0_2_02178289
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C0C mov eax, dword ptr fs:[00000030h]	0_2_02178C0C
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02178C28 mov eax, dword ptr fs:[00000030h]	0_2_02178C28
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02175574 mov eax, dword ptr fs:[00000030h]	0_2_02175574
Source: C:\Users\user\Desktop\PRICE-(BPS).exe	Code function: 0_2_02177DB0 mov eax, dword ptr fs:[00000030h]	0_2_02177DB0

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: PRICE-(BPS).exe, 00000000.00000002.580883020.0000000000C60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\PRICE-(BPS).exe

Code function: 0_2_021724CA cpuid

0_2_021724CA

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery111	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=4775355831E91CD1&resid=4775355831E91CD1%215798&authkey=ADoN1Lkq2uiLQT4Z	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	434933
Start date:	15.06.2021
Start time:	16:54:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	PRICE-(BPS).exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	30
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Max analysis timeout: 220s exceeded, the analysis took too long Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.944349649221438
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PRICE-(BPS).exe
File size:	270336
MD5:	a75c6c6953a362788c54b36ec7f8dbf2
SHA1:	36c2485f9bec118660d3dcfb60e4b184c01c5d61
SHA256:	19a93cf55d422bf9dcca2ece46b98704248641f86ca7ed2a21d903c724c79a53
SHA512:	f46923ff9169e4339462c589eebc6cc4f2f3523331c6b929a25f9bb1d85fdfcc893ce613a2184cbe716e599c706e8eafa931e0546e70afe2fe5d166834c41a5f
SSDEEP:	3072:goQ3J7Mb+bnPdaljI+dJrODGqrK9+p7r2qrFx0fi0XdtaHS2Jp:M1aO+eDdrw+pXpxU73l
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........c.S............&........ .......$......Rich....................PE..L...w@WJ.....................0.......(............@........

File Icon


Icon Hash:	6828bae9d2777576

Static PE Info

General
Entrypoint:	0x402894
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4A574077 [Fri Jul 10 13:21:59 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	adaafa2c180eccb7addf1201d12c8322

Entrypoint Preview

Instruction
push 004035CCh
call 00007FCE208172E3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+17h], bl
xchg eax, esp
sbb eax, 4E82842Ch
mov ch, 42h
jno 00007FCE208172AEh
sub dword ptr [edx+0000710Fh], ebx
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
dec ebx
push edx
dec ecx
inc esi
push esp
inc ebp
push edx
dec esi
inc ebp
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add byte ptr [ecx], ch
mov esp, 4648D29Dh
or eax, 18C2B743h
jbe 00007FCE20817343h
stc
dec edi
inc edx
imul esp, edx, BFh
jmp ecx
inc esi
add ecx, dword ptr [ecx-5Ch]
xchg eax, esp
retn 88B6h
jo 00007FCE20817311h
xor dword ptr [edx], edi
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov word ptr [esi], es
add byte ptr [eax], al
xchg dword ptr [esi], eax
add byte ptr [eax], al
add byte ptr [eax+eax], cl
push ebx
je 00007FCE20817357h
jc 00007FCE20817360h
outsd
popa
arpl word ptr [ecx+61h], bp
insb
add byte ptr [66000901h], cl
jc 00007FCE20817353h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3efd4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x42000	0x9d0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1b0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x3e68c	0x3f000	False	0.293794177827	data	6.07796755742	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x40000	0x1be8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x42000	0x9d0	0x1000	False	0.225830078125	data	2.1244697174	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x426e8	0x2e8	data
RT_ICON	0x42500	0x1e8	data
RT_ICON	0x423d8	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x423a8	0x30	data
RT_VERSION	0x42150	0x258	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaLineInputStr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, __vbaFileClose, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaRedim, __vbaRecUniToAnsi, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarLateMemCallLd, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Mazier6
FileVersion	1.00
CompanyName	Orion Solutions
Comments	Orion Solutions
ProductName	SKRIFTERNES
ProductVersion	1.00
OriginalFilename	Mazier6.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: PRICE-(BPS).exe PID: 632 Parent PID: 5548

General

Start time:	16:55:17
Start date:	15/06/2021
Path:	C:\Users\user\Desktop\PRICE-(BPS).exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\PRICE-(BPS).exe'
Imagebase:	0x400000
File size:	270336 bytes
MD5 hash:	A75C6C6953A362788C54B36EC7F8DBF2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.201011246.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: PRICE-(BPS).exe PID: 632 Parent PID: 5548 PRICE-(BPS).exeCOMMON

Executed Functions

Function 02175C85, Relevance: 1.7, APIs: 1, Instructions: 164memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d913ee2eb11192a1c8afce2e4a15ec7fc248be2c3724ece85d4bfea417dd42ea
Instruction ID: 83aa7fec0ec9556fd799c2138c7b67b7056cab6c8e3a517110485d515533cfbf
Opcode Fuzzy Hash: d913ee2eb11192a1c8afce2e4a15ec7fc248be2c3724ece85d4bfea417dd42ea
Instruction Fuzzy Hash: 9C5157712443899FEB359E75CD943DE7BB6AF89360F95012DCD8D8B210D7318A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02175CC6, Relevance: 1.6, APIs: 1, Instructions: 144memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f774bc6b015e7d1d3a3a23c31b42599d89a717a45c073c08c76df9bc605ec75b
Instruction ID: e029b8f33e5fa9bb5ce64d4fb0694b8fbfb25a18662c78589416befc0d4f6e8b
Opcode Fuzzy Hash: f774bc6b015e7d1d3a3a23c31b42599d89a717a45c073c08c76df9bc605ec75b
Instruction Fuzzy Hash: A44135711443889FEB349E74CD947DE7BB6EF893A0F95012CDD899B210D7318A42CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02175CF4, Relevance: 1.6, APIs: 1, Instructions: 133memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1c3d9580a87470ed3aa10b7c412a56b368f1b08ba6bf0aaf60e911f687079f7d
Instruction ID: cc69eea67a0c747eeced675bb87ef8834517b806b14dc62158428606a6446bfa
Opcode Fuzzy Hash: 1c3d9580a87470ed3aa10b7c412a56b368f1b08ba6bf0aaf60e911f687079f7d
Instruction Fuzzy Hash: 964120716443889FEB259E74CC847DE7BB6EF893A0F95011DDC899B260D7318A42CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02175DB2, Relevance: 1.6, APIs: 1, Instructions: 132memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 56a2c901bbf0d3391375f1dd3402b97b1c6b5e0007d5852184d729aa50dcc891
Instruction ID: edf4bb48de0d3807157b0032bceb8eae48c086a185bfa9f43081c1ec52af5301
Opcode Fuzzy Hash: 56a2c901bbf0d3391375f1dd3402b97b1c6b5e0007d5852184d729aa50dcc891
Instruction Fuzzy Hash: 124142711443889FEB259F29CC887EEBBB2EF89360F95021DCC8D8B225D7318942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02175D57, Relevance: 1.6, APIs: 1, Instructions: 111memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c3aee8d5490df3a8fbb0ba03886e1295d685aa60a019c90cb21bebc682136346
Instruction ID: 2ebb83d04461115cf00203d5fc7978c153b6aadd731834dc463f8b82161ee527
Opcode Fuzzy Hash: c3aee8d5490df3a8fbb0ba03886e1295d685aa60a019c90cb21bebc682136346
Instruction Fuzzy Hash: D241EF711443889FEB259E748D847EE7BB2EF89360F95021DDD8D8B260D7318A42CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02175DA1, Relevance: 1.6, APIs: 1, Instructions: 105memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: b0b2a61b3018855d71ea592bd12d00e36bd0ea3e5851d1c2476ce9e142143df3
Instruction ID: a474ac010a9b89c0a2f1f4ad917e9291e2b8abc1744b0381f1ddcc5136e76a1d
Opcode Fuzzy Hash: b0b2a61b3018855d71ea592bd12d00e36bd0ea3e5851d1c2476ce9e142143df3
Instruction Fuzzy Hash: D64120701483889FEB258F68CC847DDBBB2EF89364F95011DDD998B261C3319942CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02175DCA, Relevance: 1.6, APIs: 1, Instructions: 100memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2339b985a0d2ee24ea38c1682bcaabab933489cc79ad1ab8ac60ec121d005116
Instruction ID: d26bb156aa6d7b82c1bed08bfdf07e10ad4d28181d298e057ba860c7f8613237
Opcode Fuzzy Hash: 2339b985a0d2ee24ea38c1682bcaabab933489cc79ad1ab8ac60ec121d005116
Instruction Fuzzy Hash: 763103715053889FE7219F64CC817DEBBB6EF89360F65021DCD8C8B161D7319942CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02175E44, Relevance: 1.6, APIs: 1, Instructions: 77memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(B4227853,00000004), ref: 02175ECC

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 1eccc874cca83fcd2445a20b86c3380e751fafddde037f275088aee04d03c0d8
Instruction ID: 2b1de610178b4434b4aae307355964c3854a296542421b794beeecc6d35c0614
Opcode Fuzzy Hash: 1eccc874cca83fcd2445a20b86c3380e751fafddde037f275088aee04d03c0d8
Instruction Fuzzy Hash: 602124714086889FD7329F69CC807CDBBB6EF8A3A0FA54109DD4C8B221D7319A42CF80

Uniqueness

Uniqueness Score: -1.00%

Function 004123C1, Relevance: 1.4, APIs: 1, Instructions: 120memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000F000,00001000,?,004261AC,?,?,?), ref: 00412596

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 29729516343ba644ed72a6d634c84007bfe8a46a0cab257e3bad33ac386bfbca
Instruction ID: bf0e0bced42003cfdaff35814b47d70dab4e8f1023e64c53611c388a8b9e8199
Opcode Fuzzy Hash: 29729516343ba644ed72a6d634c84007bfe8a46a0cab257e3bad33ac386bfbca
Instruction Fuzzy Hash: 563102B3F163245FD7C36970C540BD67651BF26284B3287169824FB6A1F72A9ECB06C8

Uniqueness

Uniqueness Score: -1.00%

Function 0043EA60, Relevance: 59.7, APIs: 31, Strings: 3, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaStrCat.MSVBVM60(00408164,9/9), ref: 0043EABC
#557.MSVBVM60(00000008), ref: 0043EAD0
__vbaFreeVar.MSVBVM60 ref: 0043EAE7
__vbaOnError.MSVBVM60(00000000), ref: 0043EAF7
__vbaNew2.MSVBVM60(004044F8,00440DC0), ref: 0043EB0F
__vbaHresultCheckObj.MSVBVM60(00000000,0213ED94,004046C0,00000014), ref: 0043EB34
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404A58,000000E0), ref: 0043EB5E
__vbaStrMove.MSVBVM60 ref: 0043EB73
__vbaFreeObj.MSVBVM60 ref: 0043EB78
#539.MSVBVM60(00000008,00000001,00000001,00000001), ref: 0043EB88
__vbaStrVarMove.MSVBVM60(00000008), ref: 0043EB92
__vbaStrMove.MSVBVM60 ref: 0043EB9D
__vbaFreeVar.MSVBVM60 ref: 0043EBA2
__vbaNew2.MSVBVM60(004044F8,00440DC0), ref: 0043EBBA
__vbaHresultCheckObj.MSVBVM60(00000000,0213ED94,004046C0,00000014), ref: 0043EBDF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404A58,0000013C), ref: 0043EC36
__vbaFreeObj.MSVBVM60 ref: 0043EC3F
#539.MSVBVM60(00000008,00000001,00000001,00000001), ref: 0043EC4F
__vbaStrVarMove.MSVBVM60(00000008), ref: 0043EC59
__vbaStrMove.MSVBVM60 ref: 0043EC64
__vbaFreeVar.MSVBVM60 ref: 0043EC69
#535.MSVBVM60 ref: 0043EC6F
#569.MSVBVM60(00000003), ref: 0043EC79
__vbaVarDup.MSVBVM60 ref: 0043EC9B
#645.MSVBVM60(00000008,00000000), ref: 0043ECA6
__vbaStrMove.MSVBVM60 ref: 0043ECB1
__vbaFreeVar.MSVBVM60 ref: 0043ECB6
__vbaFreeStr.MSVBVM60(0043ECFB), ref: 0043ECE9
__vbaFreeStr.MSVBVM60 ref: 0043ECEE
__vbaFreeStr.MSVBVM60 ref: 0043ECF3
__vbaFreeStr.MSVBVM60 ref: 0043ECF8

Strings

tmmen, xrefs: 0043EC13
liniehybriden, xrefs: 0043EC87
9/9, xrefs: 0043EAB2

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Move$CheckHresult$#539New2$#535#557#569#645Error
String ID: 9/9$liniehybriden$tmmen
API String ID: 345979831-2612214716
Opcode ID: b6432234b2059283a1b9237826dab9e2023a4b9ea4471d5bd7867a0a917fc338
Instruction ID: 44d9fd2fe2f80f433ccab5a18a0cca1e4dacc8546bbdcb26f246a81edd1f5e67
Opcode Fuzzy Hash: b6432234b2059283a1b9237826dab9e2023a4b9ea4471d5bd7867a0a917fc338
Instruction Fuzzy Hash: 41711CB5D01208AFCB14DFA4DD89ADDBBB4FF48700F10442AF546B72A4DB786985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043E9A0, Relevance: 6.0, APIs: 4, Instructions: 36COMMON

Download Yara Rule

APIs

#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0043E9EA
__vbaStrMove.MSVBVM60 ref: 0043E9F5
__vbaFreeVar.MSVBVM60 ref: 0043E9FE
__vbaFreeStr.MSVBVM60(0043EA2E), ref: 0043EA27

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#702Move
String ID:
API String ID: 1078434368-0
Opcode ID: 0c4121d969acc760da360c115b1770c6e7536f20e3960871f6c4d4c233b22b61
Instruction ID: f3530bd99b33c4fe9ed73d2451ee0e8a7e0a46347d6f3379154b9ecab98e4f8e
Opcode Fuzzy Hash: 0c4121d969acc760da360c115b1770c6e7536f20e3960871f6c4d4c233b22b61
Instruction Fuzzy Hash: 7F01E170C05209ABCB00DF95DE49B9EBBB8BB48725F208325E425725E0D7781945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00402894, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00402899

Strings

VB5!6&*, xrefs: 00402894

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 2e70f509b98bc928c12a1fc859713131f19c4819eac41f43c01d4ac2fb442dff
Instruction ID: a539dae0691de87fe52dbd7b62208277a1992bd7304424b42eeb98a4995ed929
Opcode Fuzzy Hash: 2e70f509b98bc928c12a1fc859713131f19c4819eac41f43c01d4ac2fb442dff
Instruction Fuzzy Hash: B64163A584E7C18FD70347709D656913FB4AE13219B0E42EBD4C0CF0E3E2AC495AD766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02172745, Relevance: 14.7, Strings: 11, Instructions: 940COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: 38352b4f67cafc497e218e8c605faaebc7eb805627b8343c2137ee9a4bcecca4
Instruction ID: a1623180631d8ee8f736951df9bca78e15f071ea947f94f833f9000b7241e361
Opcode Fuzzy Hash: 38352b4f67cafc497e218e8c605faaebc7eb805627b8343c2137ee9a4bcecca4
Instruction Fuzzy Hash: 2472647164434A9FDB789E78CD947EA7BB2FF99350F96412EDC8A97210C3308981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0217986F, Relevance: 14.6, Strings: 11, Instructions: 889COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: 7a02718f3f3b32d426f846681cd59a2280ead63698c005737e79062313d0b838
Instruction ID: 59154c80d49ac5ccea8d7abd21e788d1282355f10d4118312416b67c79f04378
Opcode Fuzzy Hash: 7a02718f3f3b32d426f846681cd59a2280ead63698c005737e79062313d0b838
Instruction Fuzzy Hash: 31726571684346DFDB389E68CD943EA77B2FF99350F56812EDC8A97210C3348985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02173C0F, Relevance: 14.5, Strings: 11, Instructions: 799COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: dc4816a34be3d9c8b98e875116b47faca6a257916b11762cfb780e715c191cba
Instruction ID: 128506054a3e4c6842cf1cbcf1fe05dce206b80c8718adec8d53065eea52b6e3
Opcode Fuzzy Hash: dc4816a34be3d9c8b98e875116b47faca6a257916b11762cfb780e715c191cba
Instruction Fuzzy Hash: AA6255B1684345DFDB388E68CD943EA77B2FF99350F96422EDC9A97250C3358981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02173DFC, Relevance: 14.5, Strings: 11, Instructions: 733COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: a6562265591a38c5517001fd5a7f27ab183d0dbd4d2ec98d641b5bdcba7c2b9a
Instruction ID: 116b018ec9946557ce06b0f64a687cf8e52daad5aeeeac68be30c4000961fc05
Opcode Fuzzy Hash: a6562265591a38c5517001fd5a7f27ab183d0dbd4d2ec98d641b5bdcba7c2b9a
Instruction Fuzzy Hash: 935255716443469FDB789E68CD947EA7BB2FF99350F56822EDC8A97210C3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02173E5C, Relevance: 14.5, Strings: 11, Instructions: 713COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: fc39c193028520f17f9491eb3554b909d078326a917c29109458c0d98e6827b6
Instruction ID: 7f96fcd9b38116fe0b4a5e19d93febe20a80571443a3664f5cd278afc351e7fc
Opcode Fuzzy Hash: fc39c193028520f17f9491eb3554b909d078326a917c29109458c0d98e6827b6
Instruction Fuzzy Hash: 615244B16443469FDB789E68CD947EA7BB2FF99350F56412EDC8A97210C3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02173EAB, Relevance: 14.4, Strings: 11, Instructions: 698COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(sx;, xrefs: 02173ECE
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$(sx;$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-4283064541
Opcode ID: 20c0f918030503a477089e11c72cb7944bba0bc9ce62bfc35189c968819667ed
Instruction ID: 3a05ce9e50551786d4bdbd8e16fb140ee87a2d925eff4a4b2755e34b8bae36d8
Opcode Fuzzy Hash: 20c0f918030503a477089e11c72cb7944bba0bc9ce62bfc35189c968819667ed
Instruction Fuzzy Hash: 294245716443469FDB789E68CD947EA7BB2FF99350F56812EDC8A87210C3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02173F1B, Relevance: 13.2, Strings: 10, Instructions: 676COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-3022882483
Opcode ID: c390bc3f9bf2f961281ba6c8f966ed7198b4696fd56d89cc3582dd09c078f228
Instruction ID: 42832f0d0107b6435dd2688726a1bbce766297f92195c90648383c9f3b3aafa1
Opcode Fuzzy Hash: c390bc3f9bf2f961281ba6c8f966ed7198b4696fd56d89cc3582dd09c078f228
Instruction Fuzzy Hash: EA42337164434A9FDB789E68CD947EA7BB2FF99350F56422EDC8A87250C3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02173F5C, Relevance: 13.2, Strings: 10, Instructions: 664COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-3022882483
Opcode ID: 4fa94121e6b892cb47740fb294bc504c92b2ab983b664b2e9358bd2c00dc976e
Instruction ID: 711bc55fd8dba83d45f4298b22cde64e4ca0162c8a6f9113d88a20fc7287124d
Opcode Fuzzy Hash: 4fa94121e6b892cb47740fb294bc504c92b2ab983b664b2e9358bd2c00dc976e
Instruction Fuzzy Hash: 9342437164434A9FDB789E68CD947EA7BB2FF99350F56422EDC8A87210D3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02173FB3, Relevance: 13.1, Strings: 10, Instructions: 648COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-3022882483
Opcode ID: ea4cd06e85e0bb1cb35c469eee73dde14b6dff9cfd2eb94923b0d6ed095d7085
Instruction ID: 639609a6906a1fa467bcd98dbaec959445e143e32941695665935bc832608288
Opcode Fuzzy Hash: ea4cd06e85e0bb1cb35c469eee73dde14b6dff9cfd2eb94923b0d6ed095d7085
Instruction Fuzzy Hash: BD42457164434A9FDB789E68CD947EA7BB2FF99350F56422EDC9A87210C3348981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02174028, Relevance: 13.1, Strings: 10, Instructions: 625COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-3022882483
Opcode ID: edf9c0c0669c74182ff42c7aeebe08957258212f020924ed11e0b7beaaeae83d
Instruction ID: 04e292f1595650d251c732cf4451f418d630c17feae25ee8698506ef5e8c216e
Opcode Fuzzy Hash: edf9c0c0669c74182ff42c7aeebe08957258212f020924ed11e0b7beaaeae83d
Instruction Fuzzy Hash: 5332447164434A9FDF789E68CD947EA7BB2FF99350F56412EDC8A87210C3348981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0217984C, Relevance: 12.7, Strings: 10, Instructions: 162COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
(Rn, xrefs: 02174055
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$(Rn$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-3022882483
Opcode ID: 4aaa5e0361fed348420185eb89e69cddf689d8c98309e690c66e5115c54f1636
Instruction ID: 5a9da0ef7e8538bc558f0953d1fa77f919aef6114af050d53db14190cbaae791
Opcode Fuzzy Hash: 4aaa5e0361fed348420185eb89e69cddf689d8c98309e690c66e5115c54f1636
Instruction Fuzzy Hash: A35134306C4309CEEF7D9D78CAA97F922B3AFC6350F92416ACC578B155D725848DC612

Uniqueness

Uniqueness Score: -1.00%

Function 02174070, Relevance: 11.9, Strings: 9, Instructions: 606COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-1744730169
Opcode ID: 07fa8dcaf75be216a45020bcaacff9e17841681e68db7e84e749ef78dfec7f67
Instruction ID: bb6a89d3b3315be78934c69c48990a96182ca2f4535c5d25371cccb646ba1ae5
Opcode Fuzzy Hash: 07fa8dcaf75be216a45020bcaacff9e17841681e68db7e84e749ef78dfec7f67
Instruction Fuzzy Hash: D63233B564434A9FDB789E68CD947EA7BB2FF94350F56422EDC8A87210C3358981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021740D3, Relevance: 11.8, Strings: 9, Instructions: 588COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-1744730169
Opcode ID: 0e97cd7e66e3ab43bd4ecc3cb79fc55341e0e36719d2bbe3fa78ce6e41d905c7
Instruction ID: 3ba294436c87c98be3cf08a44f6a543aaf3d49ebb63693707b9e3528dc37cb0a
Opcode Fuzzy Hash: 0e97cd7e66e3ab43bd4ecc3cb79fc55341e0e36719d2bbe3fa78ce6e41d905c7
Instruction Fuzzy Hash: 053234B164434A9FDB789E68CD947EE7BB2FF95350F95412EDC8A8B210C3358A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02174124, Relevance: 11.8, Strings: 9, Instructions: 572COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-1744730169
Opcode ID: 98ac347dbf897e7c2685ad9e1d89c71eb46775284a01aa11a5c10118a52efe11
Instruction ID: 2785e9577c0a70901dc57433283435ee292d5ecf3462911fe0a6b5ed6a7458a7
Opcode Fuzzy Hash: 98ac347dbf897e7c2685ad9e1d89c71eb46775284a01aa11a5c10118a52efe11
Instruction Fuzzy Hash: D72233B164434A9FDB789E68CD947EA77B2FF99350F95412EDC8A8B210D3348A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02174180, Relevance: 11.8, Strings: 9, Instructions: 552COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-1744730169
Opcode ID: 377c6b35609366fb13bc6ecf58f3b61f60190e4bf5d453ff92131e3210858b6d
Instruction ID: 586ba2aa8231b8641435e5104e7a0ece5dc9e1ea08f2938399f75ea02145ade3
Opcode Fuzzy Hash: 377c6b35609366fb13bc6ecf58f3b61f60190e4bf5d453ff92131e3210858b6d
Instruction Fuzzy Hash: CD2244B164434ADFDB789E68CD947EA77B2FF95350F95422EDC8A87260C3348981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021741D4, Relevance: 11.8, Strings: 9, Instructions: 535COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27
\V, xrefs: 021741E6

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$\V$jQ$y$R
API String ID: 0-1744730169
Opcode ID: f6e5205ec1b24f3efbae9f28c4efcb14426fc1284ebaae37e5e436180afc2fd9
Instruction ID: f9a4fdae2c4db00c04b720afc654091c2eb2b3f78edbfb5a0e124f21673e8f13
Opcode Fuzzy Hash: f6e5205ec1b24f3efbae9f28c4efcb14426fc1284ebaae37e5e436180afc2fd9
Instruction Fuzzy Hash: B22243B168434A9FDB789E68CD907EA77B2FF95350F51422EDC8A87220D3358981CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0217422C, Relevance: 10.5, Strings: 8, Instructions: 516COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 6889342474130ca19c0d14f4fd6d0e823b989594da8ecc617ed3f464024ba252
Instruction ID: 6275b056992cead5513866b53b52beeb84bd89b2a7e998aabd3dd5528b9eae61
Opcode Fuzzy Hash: 6889342474130ca19c0d14f4fd6d0e823b989594da8ecc617ed3f464024ba252
Instruction Fuzzy Hash: 221233B164434ADFDB789E68CD947EA77B2FF95350F51412EDC8A87220D3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021742BF, Relevance: 10.5, Strings: 8, Instructions: 495COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 7ebb3bc02d8ca141c16c977a1f50e1ec136921546287357c0c65461fb0fdc578
Instruction ID: 9adf3d923cabe2a389ba602436ceb7f018e6e48768ff3b64c48304359733a460
Opcode Fuzzy Hash: 7ebb3bc02d8ca141c16c977a1f50e1ec136921546287357c0c65461fb0fdc578
Instruction Fuzzy Hash: 1612337168434A9FDF789E68CD947EA77B2FF99350F51412EDC8A87250C3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021742E4, Relevance: 10.5, Strings: 8, Instructions: 486COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 99de08af8d3f3b2dae0248894ee7afbe98a91700f2461d3c095c7cd3594c5f93
Instruction ID: 73fc0b362281f5c125815d7e4f2237885fea7b7a177e15b62eaa74017f0a64f7
Opcode Fuzzy Hash: 99de08af8d3f3b2dae0248894ee7afbe98a91700f2461d3c095c7cd3594c5f93
Instruction Fuzzy Hash: 2B1233B168434A9FDB789E68CD947EA77B2FF99350F51412EDC8A87260C3358981CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0217432F, Relevance: 10.5, Strings: 8, Instructions: 470COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: deff811606b9b02179af807ea52b0c29661030cbc103d39f9c0e302837c699ea
Instruction ID: 30fba51969049c3602f33293392db2c12c67585adf87cf6dd43161948e112a6b
Opcode Fuzzy Hash: deff811606b9b02179af807ea52b0c29661030cbc103d39f9c0e302837c699ea
Instruction Fuzzy Hash: 750232B16843499FDF789E68CD947EA77B2FF99350F51412EDC8A87260C3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0217438F, Relevance: 10.5, Strings: 8, Instructions: 454COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 3b75aef12aa0f9f13a1127ab8629bae0a0610f1de785af3acf8a23104e953e1d
Instruction ID: a38f2c2415f51aee078dfc70e99ddae1be2895e94848618e6e26dff682e78e84
Opcode Fuzzy Hash: 3b75aef12aa0f9f13a1127ab8629bae0a0610f1de785af3acf8a23104e953e1d
Instruction Fuzzy Hash: 3D0220716843499FDF789E68CC947EA77B2FF99350F51412EDD8A8B260C3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021743D4, Relevance: 10.4, Strings: 8, Instructions: 444COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: d292cf71d016e31df998decaf142b539107c3685d09f93b75331505bd67e61a0
Instruction ID: 90872ea977b76669862356d6d184487476e49b2e96a97dfb9e5c2ee1ab4e07f2
Opcode Fuzzy Hash: d292cf71d016e31df998decaf142b539107c3685d09f93b75331505bd67e61a0
Instruction Fuzzy Hash: 86F123716843499FDF789E68CC907EA37B2FF99350F55412EDD8A8B260D3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02174437, Relevance: 10.4, Strings: 8, Instructions: 430COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 9c23b61c45989888a21f1957baa68368ad4c666b440f1aa00f28485d6a839fb9
Instruction ID: da45c19174aab2db869e20b46312de404219e1fa12fefd0773adad4ea682a7cb
Opcode Fuzzy Hash: 9c23b61c45989888a21f1957baa68368ad4c666b440f1aa00f28485d6a839fb9
Instruction Fuzzy Hash: 15F102716843499FDF789E68CC947EE37B2EF99350F55412EDD8A8B260C3358A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02174448, Relevance: 10.4, Strings: 8, Instructions: 429COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 1d62ba7959dc6c67d063cc9a15335091d160cf42ed606c3f65e3af9e12c71644
Instruction ID: 5404f65583b3afd73a820bec5acf8d9926e1e83fe249e30ef93eaef179927337
Opcode Fuzzy Hash: 1d62ba7959dc6c67d063cc9a15335091d160cf42ed606c3f65e3af9e12c71644
Instruction Fuzzy Hash: BEF113716843499FDF749E68CC947EE37B2EF99350F55412EDD8A8B260D3358A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02174494, Relevance: 10.4, Strings: 8, Instructions: 415COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 7cbb401660f8f8e95de986b39fc4b28e9e37a7e31feddcaf6ff170dcedf2c306
Instruction ID: fe3cf5608d256c3004e136c60ddd9ae48421a4202111a1706ef49db95f1f31f1
Opcode Fuzzy Hash: 7cbb401660f8f8e95de986b39fc4b28e9e37a7e31feddcaf6ff170dcedf2c306
Instruction Fuzzy Hash: 62F111716843499FDF789E68CC947EA37B2EF99350F55412AED898B250C7358A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021744EC, Relevance: 10.4, Strings: 8, Instructions: 396COMMON

Download Yara Rule

Strings

R, xrefs: 0217455B
#n?, xrefs: 021749DA
t*,, xrefs: 02174C87
CK, xrefs: 02174CFF
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y$R
API String ID: 0-1442512638
Opcode ID: 67d26efab2a821e04254c86c9def6f160938b40fd97cc4eb2d329c26b1dc98c1
Instruction ID: adc4c687a4949a53b901387170822883f9f211e23f6f0b70237d319b508d8f79
Opcode Fuzzy Hash: 67d26efab2a821e04254c86c9def6f160938b40fd97cc4eb2d329c26b1dc98c1
Instruction Fuzzy Hash: 00E101756843499FDF789E64CC907EE37B2BF99350F55412AED8A8B260C3358A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0217456B, Relevance: 9.1, Strings: 7, Instructions: 376COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y
API String ID: 0-1510999821
Opcode ID: e388ccb5ca084599422b5d81bf4c455ccb44a6c83b094109f866c6401b2ad4d2
Instruction ID: a19caef3dba9dbe93b5c55f0a301f65acd02aed646386da68c9b03d27f8ebdbb
Opcode Fuzzy Hash: e388ccb5ca084599422b5d81bf4c455ccb44a6c83b094109f866c6401b2ad4d2
Instruction Fuzzy Hash: DAE112756843459FDF789E64CC947EE37B2BF99350F56412EED8A8B260C3354A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021745CD, Relevance: 9.1, Strings: 7, Instructions: 374COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y
API String ID: 0-1510999821
Opcode ID: 9f9040a1c02ebe1d61b7cb370da9281ab82cc89bc2c3b3b5f9998c48331996d2
Instruction ID: f37ecf894411f4956bdf93bb5d83084893d51bfb99a7bb3e15eb88d280495b23
Opcode Fuzzy Hash: 9f9040a1c02ebe1d61b7cb370da9281ab82cc89bc2c3b3b5f9998c48331996d2
Instruction Fuzzy Hash: 61E120756843459FCF799E68CC907EA37B2FF99350F56412EED8A8B260C7354A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021745B8, Relevance: 9.1, Strings: 7, Instructions: 361COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y
API String ID: 0-1510999821
Opcode ID: 826e2a2217a1e767def004b68da2b9398cf530dc61a4d4d4322b51665adf3bbb
Instruction ID: 5b8697db3c30fb43876ab41fa7a79eca2d0112cade407751a6196e4170da8a69
Opcode Fuzzy Hash: 826e2a2217a1e767def004b68da2b9398cf530dc61a4d4d4322b51665adf3bbb
Instruction Fuzzy Hash: A9D1F0756843459FDF789E68CC907EE37B2BF99350F52412EED8A8B260C7754981CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0217463A, Relevance: 9.1, Strings: 7, Instructions: 339COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y
API String ID: 0-1510999821
Opcode ID: 0a6fdd579c0fce9bfb49135279a9a28b485e87563f0479f89b14566fe2a934ee
Instruction ID: b10bb8786bac01d7ba68e39b0e33a51012fdad85cad976f9d9a5b1454c3900fa
Opcode Fuzzy Hash: 0a6fdd579c0fce9bfb49135279a9a28b485e87563f0479f89b14566fe2a934ee
Instruction Fuzzy Hash: C5D101756843459FDF789E68CC907EE37B2BF98350F55412EDD8A8B260C3754A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0217469B, Relevance: 9.1, Strings: 7, Instructions: 320COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
jQ, xrefs: 021746D8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$jQ$y
API String ID: 0-1510999821
Opcode ID: f53f253f481b37f0013e420575b70e5d4b33ada944fbd2286210013f2d9946b3
Instruction ID: 7f811f876829fc2aad0fd2e7892d6a7e51642091f47975eb5092e74f5cf610c3
Opcode Fuzzy Hash: f53f253f481b37f0013e420575b70e5d4b33ada944fbd2286210013f2d9946b3
Instruction Fuzzy Hash: 6CC1F1756843499FDF799E68CC907EE37B2FF99350F914129ED8A8B260C3754A81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 021746E8, Relevance: 7.8, Strings: 6, Instructions: 307COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: 300af2b3fbd1d718c027fe4c96dceaab016ca9d7916c44a5fdf7059ef19c6dfe
Instruction ID: 2c480c9663def863afe631fea38091c830f8bab888f96659081b0c020b2dfcb6
Opcode Fuzzy Hash: 300af2b3fbd1d718c027fe4c96dceaab016ca9d7916c44a5fdf7059ef19c6dfe
Instruction Fuzzy Hash: 41C112756843459FCF799E68CD907EE37B2BF99350F52412EDD8A8B260C3358A81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0217473F, Relevance: 7.8, Strings: 6, Instructions: 297COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: 90efd1e75d7a385dfe08826e8bc688bf1598f5d6e55ccc63c7c9f2722869c101
Instruction ID: 566392b42bb069288826d86c3857d20146879d0bb15b57bd524329edb4139f9f
Opcode Fuzzy Hash: 90efd1e75d7a385dfe08826e8bc688bf1598f5d6e55ccc63c7c9f2722869c101
Instruction Fuzzy Hash: C6B143B56843499FDF398E68CC907EA37B2FF99350F52412ADD8A8B260C7354A81CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02174804, Relevance: 7.8, Strings: 6, Instructions: 255COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: edabf7f90da9ff71cc7ff5921aff6aa4bb7cedab9a9f9ec9775f1207a26d1e96
Instruction ID: d480a868764274c4133bdde4dc12d4254f592f31b25e8e0e8f39aafa4463e30a
Opcode Fuzzy Hash: edabf7f90da9ff71cc7ff5921aff6aa4bb7cedab9a9f9ec9775f1207a26d1e96
Instruction Fuzzy Hash: 31A123756843499FDF399E68CCA47EE37B2BF98350F51412EDD8A8B260C7358A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02174837, Relevance: 7.7, Strings: 6, Instructions: 245COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: efc54b9b789ed49f015cb251d76fb59126955e8015b0c1ea25606d10e7879e19
Instruction ID: b3fbda0af9f2f52aa409bef12575a36c075a5eeb37236b14d243f35233583791
Opcode Fuzzy Hash: efc54b9b789ed49f015cb251d76fb59126955e8015b0c1ea25606d10e7879e19
Instruction Fuzzy Hash: 399134756843499FDF399E68CC947EE37B2FF98350F514129DD8A8B260C7358A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0217488C, Relevance: 7.7, Strings: 6, Instructions: 230COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: 3237b128f229285a7f2909f60f36f776602fd8350d01bfa01a6f20ed7bd592ef
Instruction ID: 0df671868aafced61a3a8f8071c6f821ecf664dc619a34243d841294c714e845
Opcode Fuzzy Hash: 3237b128f229285a7f2909f60f36f776602fd8350d01bfa01a6f20ed7bd592ef
Instruction Fuzzy Hash: 7D8123B5684349AFDF399E68CC947EE37B3BF98350F514129DD8A8B260C7358A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021748EF, Relevance: 7.7, Strings: 6, Instructions: 209COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: d2eef6108f7716068ae345f57981c24f184faa9f585c8f1d4470bb330309aec7
Instruction ID: af2986d89b7381ca2ca32db87026b397d8bb56cda8a0d2d51d8bfa4aadec735d
Opcode Fuzzy Hash: d2eef6108f7716068ae345f57981c24f184faa9f585c8f1d4470bb330309aec7
Instruction Fuzzy Hash: AA8113B56843499FCF399E68CD947EE37B3BFA8390F514229DD898B250C7354A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02174950, Relevance: 7.7, Strings: 6, Instructions: 191COMMON

Download Yara Rule

Strings

#n?, xrefs: 021749DA
CK, xrefs: 02174CFF
t*,, xrefs: 02174C87
aiL, xrefs: 02174BD8
(7, xrefs: 02174AAF
y, xrefs: 02174B27

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: #n?$aiL$t*,$(7$CK$y
API String ID: 0-1057097089
Opcode ID: 2b4022251b684a626e6af519a4fc057aceecddb6726fecadf8bb279156febe30
Instruction ID: 49ad409260b97d544198fa888579c242fa37e3e93517bc2240cd983a42f6a5a5
Opcode Fuzzy Hash: 2b4022251b684a626e6af519a4fc057aceecddb6726fecadf8bb279156febe30
Instruction Fuzzy Hash: E37103B96843499FCF359E68CD907EE37B2BF98390F924129DD898B250C7754A82CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02171144, Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

&, xrefs: 02171159

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: da08f3f0f09ef22574da254479c7ffc82ac14942143f66e8ae60538519fb3ee7
Instruction ID: 734ad9b3211a847537650506fc9bda5b9fafeacc427df70a9fc3906766b99cae
Opcode Fuzzy Hash: da08f3f0f09ef22574da254479c7ffc82ac14942143f66e8ae60538519fb3ee7
Instruction Fuzzy Hash: AD816D75A84345AFCF385E6888987FA33B79F85760FA6041EEC4ED7680D7318981CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02170377, Relevance: 1.4, Strings: 1, Instructions: 140COMMON

Download Yara Rule

Strings

b_6, xrefs: 02170595

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: b_6
API String ID: 0-2459290170
Opcode ID: ddb6d21846dc35fcc31c4712849375af3acf10397267f98ba1aefbb0475e81c6
Instruction ID: b3b6bc20ef64531080fc0426cb500dbcc262c78f2285b3797f5f94b70a52b3c2
Opcode Fuzzy Hash: ddb6d21846dc35fcc31c4712849375af3acf10397267f98ba1aefbb0475e81c6
Instruction Fuzzy Hash: 2441B1729893199FCB285E649A603EB37F1DF8D3A0F17040EEC97A7140E7348E85CA81

Uniqueness

Uniqueness Score: -1.00%

Function 02170351, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

b_6, xrefs: 02170595

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: b_6
API String ID: 0-2459290170
Opcode ID: b2f67a950387f050100ae2ba00e7ab5cf724398a2a242b02d50bdb83d5af86eb
Instruction ID: 8f929a1dc19bd3e8aba6433b555b9e6bdadafdf46d347e2057aedb0e481d6d83
Opcode Fuzzy Hash: b2f67a950387f050100ae2ba00e7ab5cf724398a2a242b02d50bdb83d5af86eb
Instruction Fuzzy Hash: 4D419C72588318AFCB286E645B603EB36F69F89390F07040AEC9BB7100D7348E44C582

Uniqueness

Uniqueness Score: -1.00%

Function 02170398, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

b_6, xrefs: 02170595

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: b_6
API String ID: 0-2459290170
Opcode ID: bf28dcde88ba9efe636afce36485d48043dc01a7b5999c94095544e9c790fd4d
Instruction ID: 00c55abe5dd567371d77ef059a367fcb1437b4fe952199d1356f57638e9a60d5
Opcode Fuzzy Hash: bf28dcde88ba9efe636afce36485d48043dc01a7b5999c94095544e9c790fd4d
Instruction Fuzzy Hash: DA41AC726893189FCB286E649B607EB37F6DF8D290F07051AEC97B7140D7358D84CA82

Uniqueness

Uniqueness Score: -1.00%

Function 021703D4, Relevance: 1.4, Strings: 1, Instructions: 119COMMON

Download Yara Rule

Strings

b_6, xrefs: 02170595

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: b_6
API String ID: 0-2459290170
Opcode ID: 50486cdcb2446cc4843906c87654e82e175aad382ab6baa198f0cec3082d8d58
Instruction ID: ebd9a97ff5be0f7492b6fb85385ec029b29d6ee8fb3fee36949ffcaa5962f6c2
Opcode Fuzzy Hash: 50486cdcb2446cc4843906c87654e82e175aad382ab6baa198f0cec3082d8d58
Instruction Fuzzy Hash: FE418D72589319AFCB386E649AA03EB33F5EF9D390F42041AEC56A7100D7358E45C681

Uniqueness

Uniqueness Score: -1.00%

Function 021724CA, Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

<x4M, xrefs: 021725CF

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID: <x4M
API String ID: 0-1914466103
Opcode ID: 93ec1c4a79eeb0dcebe49e8dbef85bbd56380efb32fed94db9deaa6d8e5175d0
Instruction ID: e866eb8cdce3e7f5fd9b335b5bfc3e62e7a2ee6ca4acc77ebdf9b3843e7ba691
Opcode Fuzzy Hash: 93ec1c4a79eeb0dcebe49e8dbef85bbd56380efb32fed94db9deaa6d8e5175d0
Instruction Fuzzy Hash: 6941187964434A9FCB349E24C9A47FA3BB2EFD6390F45412DACCA67290D3354D86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02178C0C, Relevance: .4, Instructions: 444COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34238f3dede3dd2a62c508b1ebcf35d28b84b1b15986aab3019126646246f6af
Instruction ID: 3fe5a08a3954aeb133241f9b77ee7c9de599027134eae07048991feb9e41b1e6
Opcode Fuzzy Hash: 34238f3dede3dd2a62c508b1ebcf35d28b84b1b15986aab3019126646246f6af
Instruction Fuzzy Hash: B5F1FC209483828EDF25DB38889C756BBE25F97234F59C39AC8E68F1D6D7748486C713

Uniqueness

Uniqueness Score: -1.00%

Function 021710A3, Relevance: .3, Instructions: 287COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec89ff3469feb1835e12eee90faf0154374fb2e488236f29c5019d3f61dcfb07
Instruction ID: c4afcf268cf30c18a02fd0b5f8b532f20ffc55d87766dc35406cf9ff2cf2e7ff
Opcode Fuzzy Hash: ec89ff3469feb1835e12eee90faf0154374fb2e488236f29c5019d3f61dcfb07
Instruction Fuzzy Hash: 7CA13B75A84345AFDF385E6888947EA33B7AF85360F96052EEC4ED7640D7308A81CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02178C28, Relevance: .3, Instructions: 273COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2015e8f68df3d3ba04138c4a5e2616302a7275c663e4f67c0eb5af12672a8315
Instruction ID: 12cc892982e454ca0e797cf19922c78e1efe7fe1c44f95ad573f31fd060ebe3e
Opcode Fuzzy Hash: 2015e8f68df3d3ba04138c4a5e2616302a7275c663e4f67c0eb5af12672a8315
Instruction Fuzzy Hash: 34A1D9215483828EDB258B38C89C756BFE29F53334F5AC2DAC8E58F1E7D3658586C712

Uniqueness

Uniqueness Score: -1.00%

Function 02171110, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60bbcb78e850049853c0c3f61f0cc8cefa19627b809b3bcdfbda97d51d8a8ea3
Instruction ID: e29d2e0bafbb24e0b022cad02c20d0ef96995c9311953aa228cbaa92af276f5d
Opcode Fuzzy Hash: 60bbcb78e850049853c0c3f61f0cc8cefa19627b809b3bcdfbda97d51d8a8ea3
Instruction Fuzzy Hash: 10815B75A84345AFCF385E6888587FA33B79F85360F96442EEC4ED7640D7318A81CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0217119D, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de961050abefe30019480417cf2ab74fa35ca69a04dcc80d1971787a197957ee
Instruction ID: 4724e34b7749f2273c5c998d656a669c36fa9c028e3510d602b19aff9dbe0a5a
Opcode Fuzzy Hash: de961050abefe30019480417cf2ab74fa35ca69a04dcc80d1971787a197957ee
Instruction Fuzzy Hash: 7A818D75984305AFCF3C5E6888947FA32779F85760F96052EEC4EDB640D7318A81CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02178C88, Relevance: .2, Instructions: 249COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26b2e90e35ada0ceca9e28c0dc90862d804fd52669e4eb8e79d408cc7fcf2f49
Instruction ID: c1ba5b379adb0667f489e77f7189870711d1f05b10bbd3c3ab6acfc7c3c9e06d
Opcode Fuzzy Hash: 26b2e90e35ada0ceca9e28c0dc90862d804fd52669e4eb8e79d408cc7fcf2f49
Instruction Fuzzy Hash: 4491C7219483C28EDB268B38889C756BFD19F53234F5AC2DAC8E58F1E7D3648186C317

Uniqueness

Uniqueness Score: -1.00%

Function 02178CCC, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65d44630b6a0a0664cdab4fee4cefa89024a0385d5dbe8ed219ac3194a76c657
Instruction ID: e0750554b35bd42c0b09e4bb2524fee1fd4898d2be2932884644b5e3b4256e6c
Opcode Fuzzy Hash: 65d44630b6a0a0664cdab4fee4cefa89024a0385d5dbe8ed219ac3194a76c657
Instruction Fuzzy Hash: CC91A4219483C28EDB268B38889C756BFD25F53234F5AC3DAC8E58F1E7D7658186C316

Uniqueness

Uniqueness Score: -1.00%

Function 021711F3, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05a0539b6b6f876608e175802629b1e9f36c21c51d8f41e4c3333447741e7ab
Instruction ID: 329b0cd49fcd11d8ed3d2256a30097f1391df477b641f050df59e827b0864f6d
Opcode Fuzzy Hash: e05a0539b6b6f876608e175802629b1e9f36c21c51d8f41e4c3333447741e7ab
Instruction Fuzzy Hash: 05718075A84305AFCF3C5E6888943FA22779F85360F96041EDC4ED7680D7318985CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02178D17, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ddc4ef9c74c13f9df7c26bfba79650aa2a75c70eb157ac6597fdf5fed572b75
Instruction ID: c3190081ebb739aa744882982fbf877c13ae336a6cd3a5bd5e512d49dff20337
Opcode Fuzzy Hash: 5ddc4ef9c74c13f9df7c26bfba79650aa2a75c70eb157ac6597fdf5fed572b75
Instruction Fuzzy Hash: E58194215483C18EDB268B38889C756BEE25F53224F5EC3DAC8E58F1E7D3658186D317

Uniqueness

Uniqueness Score: -1.00%

Function 02171267, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf12df690c9b82af92c69d77f99b97ee570ed1dee272c3c83582dfcd2ddca930
Instruction ID: ab0079cb71ef2a63bc6914cc90372b3877480d65a3d85e36c9c0a4142a58db2e
Opcode Fuzzy Hash: cf12df690c9b82af92c69d77f99b97ee570ed1dee272c3c83582dfcd2ddca930
Instruction Fuzzy Hash: 8B615C75A84309AFCF3C5E6888953FA23B79F85360F96441EEC4ED7290D7318985CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02178D5F, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49458b304a6234d8b9f588c3c3bec252ea6ac5f19c14aa3da85e18d3bc016de7
Instruction ID: bbd09a9817accbab25800779a64a776b410e5c95f5ab083029d96fdcf95edab2
Opcode Fuzzy Hash: 49458b304a6234d8b9f588c3c3bec252ea6ac5f19c14aa3da85e18d3bc016de7
Instruction Fuzzy Hash: 8E71B5219883818EDB258B38889C756BEE15F43234F5AC2DAC8E58E1E7D3658186D717

Uniqueness

Uniqueness Score: -1.00%

Function 021712BB, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e73dba1290bdba6ce03dca3efa095625d8f684f9058d1a82030cfa2b067d62
Instruction ID: 3fa5306be6f69df0096db284b63ef500a37ed7ac3af2741d1616cf9763b9fb4f
Opcode Fuzzy Hash: b1e73dba1290bdba6ce03dca3efa095625d8f684f9058d1a82030cfa2b067d62
Instruction Fuzzy Hash: A5515B75A80309AFCF3C5E6888943FA23B7AF85360F96441EEC5ED7640D7358A85CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02172787, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db334366686610cc165d8b7915b23d3eb4fc07c8a494ac9b941097afab3a5141
Instruction ID: 2b7aca5ec710b9f3d201c9ad1edb661cfdcae9b1c878b4ccc7390dd630e9d9fa
Opcode Fuzzy Hash: db334366686610cc165d8b7915b23d3eb4fc07c8a494ac9b941097afab3a5141
Instruction Fuzzy Hash: F161DE71A483459FCB68AE24C8657EB77B6FF84350F96052EECDA87650D3304A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02171300, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ac4681ccfd4ac7293841516169b544a33db98a893606b6235f15ca8a7e5c93e
Instruction ID: 2e11f62f7e2bce9c08cab33aefac0c084ff56ef20495c5d0ec491fed8172462f
Opcode Fuzzy Hash: 4ac4681ccfd4ac7293841516169b544a33db98a893606b6235f15ca8a7e5c93e
Instruction Fuzzy Hash: BA518E75AC0305AFCF3C5E6888A43FA23779F85360F96441EEC5AD7640D7358A86CE46

Uniqueness

Uniqueness Score: -1.00%

Function 02178DF7, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9971c4ac6ab634e6e7cf5f1f15f59462b4a28f010e083f4dbd8107e5da5b22e4
Instruction ID: b1b9ae743411627e13fa3a2a83cea499694d24d25d7370cc2f6a5d3e4e15610f
Opcode Fuzzy Hash: 9971c4ac6ab634e6e7cf5f1f15f59462b4a28f010e083f4dbd8107e5da5b22e4
Instruction Fuzzy Hash: E251D8219983818EDF258A388C9C756BBE19F43234F5AC39EC8E58E1D7D3658186C717

Uniqueness

Uniqueness Score: -1.00%

Function 021727D7, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06a92de088b739250ff4f7b12d50fb57e19916eec13c7559bcd61379846b0146
Instruction ID: 62bc64d330bc0ec39e23584ae78e5ad1d3472b8a0727853e1f8ef500ba899f93
Opcode Fuzzy Hash: 06a92de088b739250ff4f7b12d50fb57e19916eec13c7559bcd61379846b0146
Instruction Fuzzy Hash: 9C51BF71648345AFCB749E24C8A57EB77F6FF94350F96041EDD9A87250D3304A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0217282F, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 413bf8f218cb0c8aa208c946350b68b1c9e2004d77f2dc0fe9b31d590d1d38b5
Instruction ID: 5a9fbdda845b354748c902e9043a1a063b842da60c8bf999ac88a8432326bd94
Opcode Fuzzy Hash: 413bf8f218cb0c8aa208c946350b68b1c9e2004d77f2dc0fe9b31d590d1d38b5
Instruction Fuzzy Hash: 9D51B1716483459FCB389E28C8A57EB77B6FF94350F96042EDD9E87250D3304A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02179894, Relevance: .1, Instructions: 147COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3c3f785c01bc7b3245cc94f7d084d207c362a70d876758648514c1b46136321
Instruction ID: 4b776e08281219eb5a2f583c354dfbb5b5471590fd7ffe3781c43855405439ac
Opcode Fuzzy Hash: a3c3f785c01bc7b3245cc94f7d084d207c362a70d876758648514c1b46136321
Instruction Fuzzy Hash: C2412230AC430ACEDB7E9D38C9A57F572B2AFC6350F96406ACC578B125D735848DCA12

Uniqueness

Uniqueness Score: -1.00%

Function 021798B0, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0519f8cd56b4ef31b6fd8056b98637f57d8b0f4a1ebf5bf49731d275b669422
Instruction ID: 47efe9d52c98fad65f106024785d1dac93107b378966ea9f5a61a520bee22a94
Opcode Fuzzy Hash: d0519f8cd56b4ef31b6fd8056b98637f57d8b0f4a1ebf5bf49731d275b669422
Instruction Fuzzy Hash: 62412231AC4306CFDB2E9D38C9A57A522B2AFC6350F96446ACC538B165D735888DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 021798DC, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c16885e9649377abe95d9ef985f7898fdb050fa22d2e2f9cdbfe3ba9852c3d
Instruction ID: 29dbf90ffcc36cb553b52fa4df88b4f8275bbe3e0dce60735ad39d3c631def13
Opcode Fuzzy Hash: 77c16885e9649377abe95d9ef985f7898fdb050fa22d2e2f9cdbfe3ba9852c3d
Instruction Fuzzy Hash: 69412430AC4305CFDB3E9D38C9A57B572B2AFC6350F96446ACC538B125D735888DCA52

Uniqueness

Uniqueness Score: -1.00%

Function 02172880, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 629cef9fbebd0d513f2e699e4c8298fa2ad1865fdf0f75bfcde946df39fdc79f
Instruction ID: 8fdbde087fe776039a3d1c3dda092ebaf03bf4b82c23994cffa3bbc3e0391112
Opcode Fuzzy Hash: 629cef9fbebd0d513f2e699e4c8298fa2ad1865fdf0f75bfcde946df39fdc79f
Instruction Fuzzy Hash: 9551D3716483459FCB349E28C8657EB77B6EF98350F96051EEC9EC7250D7304A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02179907, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 958519737346abadc2ceb7c0df6ad8fcce3c1356c1f8241d2e6398b862e4f819
Instruction ID: 78ebc4f6622cc005322fe8eb06c4bc920eb017bfc05d36ec021c268995cd3944
Opcode Fuzzy Hash: 958519737346abadc2ceb7c0df6ad8fcce3c1356c1f8241d2e6398b862e4f819
Instruction Fuzzy Hash: A8410134A84309CFDB7D9D38C9A57B572B2AFC6350F86416ACC538B125D735848ECA12

Uniqueness

Uniqueness Score: -1.00%

Function 02179914, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f1a6aed6910bdaedbf22fa4efc3e2509f6d0c13372dd400aca39b96a5eac13
Instruction ID: fe2739812a34663eaee3b39014f3e1701f4515ef0522f5c9abe994ded594980f
Opcode Fuzzy Hash: 73f1a6aed6910bdaedbf22fa4efc3e2509f6d0c13372dd400aca39b96a5eac13
Instruction Fuzzy Hash: 3F412330A84305CFDB7D9D38C9A5BF572B2AFC6350F86416ACC538B125D735848DCA12

Uniqueness

Uniqueness Score: -1.00%

Function 02179928, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcf7435daa52b239ef9a8077deee43c2b5b9d119f246f0470ff570f6b2ee7aeb
Instruction ID: e1bc36a7e3213da8b895e4714012c9f7399aa48676b290b7e42e339b30869d7f
Opcode Fuzzy Hash: dcf7435daa52b239ef9a8077deee43c2b5b9d119f246f0470ff570f6b2ee7aeb
Instruction Fuzzy Hash: F9413430A84306CFDB7E9E38C9A57F572B2AFC6350F92441ACC538B165D7358889CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02178E90, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3126b974e4da50f81d9c3d67a6bfc2d4d0a883267d5b115be9b62d7f86797bc3
Instruction ID: cb2fd6de589077c1ecd46a94197980250e3445c46a3393b572afc87793200ef6
Opcode Fuzzy Hash: 3126b974e4da50f81d9c3d67a6bfc2d4d0a883267d5b115be9b62d7f86797bc3
Instruction Fuzzy Hash: FB412C309983428FDF258A388CD8766BBE59F43234F5683AFC8E58E1DAD3654086C713

Uniqueness

Uniqueness Score: -1.00%

Function 02171E35, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8046014ca31b181d695ff0ba983b10bb683ed6eb0b3b35189854a3247f56b207
Instruction ID: cea8a5f4f746b165c1f90ffd2750abc4007e7caed92ccd8251f1f02d8a2525a1
Opcode Fuzzy Hash: 8046014ca31b181d695ff0ba983b10bb683ed6eb0b3b35189854a3247f56b207
Instruction Fuzzy Hash: BF412731644355AFDB68AE7588E07EE77F6AF99300F56442EEC9AC7600C7308984CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02179950, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427f92d7d8aee137a4dfd266e11a808bc07eb3874005cd090eb98732f7b04d41
Instruction ID: 3141b357cabb279021b4bae2d62238fa683d51eaea10024b4e6af6b4655498c9
Opcode Fuzzy Hash: 427f92d7d8aee137a4dfd266e11a808bc07eb3874005cd090eb98732f7b04d41
Instruction Fuzzy Hash: A1412330A84309CFDB7E9E38C9A5BF572B2AFC6350F86412ACC538B165D7358489CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02179963, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14a87ec40ccd364d4462c83d15018858023ec2efe4f2bc0f27b0a9969779f642
Instruction ID: 042c54a254a6241184a27ff1ef10d46df49da1daf1a9e27f75b0cd4854c1d937
Opcode Fuzzy Hash: 14a87ec40ccd364d4462c83d15018858023ec2efe4f2bc0f27b0a9969779f642
Instruction Fuzzy Hash: 71416531A85305CFCB3A9E38C9A9BF576B2AFC6350F92445ACC438B165D735848DCA12

Uniqueness

Uniqueness Score: -1.00%

Function 021728D0, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b47ced0ffd235ef8f74b209d9ba16f7f9a3ee8e3f20d07f7d9af80380f0eb1d
Instruction ID: b72522783714ea2bbe9eddf0df808cef67f172d65db4a79551bae3e8ae1a458f
Opcode Fuzzy Hash: 9b47ced0ffd235ef8f74b209d9ba16f7f9a3ee8e3f20d07f7d9af80380f0eb1d
Instruction Fuzzy Hash: FC41A1726482459FCB389E28C8657EB77F6EF94350F96041EDD8ECB254D3304A82CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02178EC8, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa0fd22e217cba889e7561209b239aec446ea6fd956329ac5fd42e3f30a9323
Instruction ID: 96daf9cfc4addbe322268fe5ec4eca592adaf1b72e5beb64edbb22875dd9c686
Opcode Fuzzy Hash: 5aa0fd22e217cba889e7561209b239aec446ea6fd956329ac5fd42e3f30a9323
Instruction Fuzzy Hash: 28412B309983818FDF259A388CD8766BBE59F43274F5682AFC8D6CE1DAD3654086C713

Uniqueness

Uniqueness Score: -1.00%

Function 0217998B, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdd61bfd93b8cbae1460b4021cfef4a82a2d6964cb2ae67e6fefed3c588c527
Instruction ID: 8d124ea133d6df33480a4d61888dbdec71404672fd0cfdffe2407323800f21e8
Opcode Fuzzy Hash: 5bdd61bfd93b8cbae1460b4021cfef4a82a2d6964cb2ae67e6fefed3c588c527
Instruction Fuzzy Hash: 58415530AC4305CFCB3A9E38C9A9BF572B2AF86390F92405ACC438B125D731848DCA12

Uniqueness

Uniqueness Score: -1.00%

Function 021799B3, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e636d6cda2dd26639c3f2ac487b520d8e7477ba8253fc49a2b45874ddda95a47
Instruction ID: 42d03d392908d00a42ef621137f2cde59fc6aa764823bd862a8ee7d4b82fdb64
Opcode Fuzzy Hash: e636d6cda2dd26639c3f2ac487b520d8e7477ba8253fc49a2b45874ddda95a47
Instruction Fuzzy Hash: BB415631A85305CFCB3A9E24C9A57E573B2EF853A1F92455ACC428B026D735888DCB52

Uniqueness

Uniqueness Score: -1.00%

Function 02171E44, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa4f10eba750d43f9571dca2679e7e8dfa097a4466b51563ab25ec4d5b378e1
Instruction ID: 5036fd4ea8139dd7bab8ea0d5560a3b93fd543e935a4326b27e44bf2388e3503
Opcode Fuzzy Hash: baa4f10eba750d43f9571dca2679e7e8dfa097a4466b51563ab25ec4d5b378e1
Instruction Fuzzy Hash: 94412531A44355AFDB28AE75C8E07FA77F5AF98344F56042DEC9AC7200DB308980CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02171E90, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833a733f40c959a667b782346c52d901bdecf339628ef9d1c760372341b095a2
Instruction ID: c92cdd89260d085450bedf562d2dc0b78dc4ecc65dfdb11fecccadac9432ba90
Opcode Fuzzy Hash: 833a733f40c959a667b782346c52d901bdecf339628ef9d1c760372341b095a2
Instruction Fuzzy Hash: 7E313631648315AFDB28AE65C8A0BFA77F5AF84304F46042EECDA83250D7308D81CF56

Uniqueness

Uniqueness Score: -1.00%

Function 02178289, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 979e3d56c1a82609de3128d50c5b9a27d5e29e32f11a0ead006954dc08627636
Instruction ID: 90b31b5ea12378f678bc787aa02184b34ee649c9b6e916c9a380b38462b04392
Opcode Fuzzy Hash: 979e3d56c1a82609de3128d50c5b9a27d5e29e32f11a0ead006954dc08627636
Instruction Fuzzy Hash: D3F05834341A418FD729DE48C6D8F96B3B1BFA8752F17406AD842CB221D730EC41DA18

Uniqueness

Uniqueness Score: -1.00%

Function 02177DB0, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 389a1abbedfe25e8bbbb67aabd88a12e50fb7bbd0c348a417a681c422c939e2b
Instruction ID: f8fee2ff04b500a98fa73c551b769cb236fc6c0aebc3713d17eb14f027bf4c1c
Opcode Fuzzy Hash: 389a1abbedfe25e8bbbb67aabd88a12e50fb7bbd0c348a417a681c422c939e2b
Instruction Fuzzy Hash: AAC04C39255541CFC659DE09C190EB0B3B0B784500F8284D5E85587595D765D902C500

Uniqueness

Uniqueness Score: -1.00%

Function 02175574, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.583152730.0000000002170000.00000040.00000001.sdmp, Offset: 02170000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3c0d67e63dfcaee69d8b1f580e401da734d9c235b5ad4257a4cbdc5a46d9060
Instruction ID: 90925f7a538dcfa6aaa8664f84f6d212a2760217121fa40c6eae40a4d1721c1b
Opcode Fuzzy Hash: d3c0d67e63dfcaee69d8b1f580e401da734d9c235b5ad4257a4cbdc5a46d9060
Instruction Fuzzy Hash: B5B092B6201580CFEF02CB08C492B4073A0FB19A88B0804D0E802CF712C224ED00CB00

Uniqueness

Uniqueness Score: -1.00%

Function 0043ED20, Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 89COMMON

Download Yara Rule

APIs

#648.MSVBVM60(?), ref: 0043ED78
__vbaFreeVar.MSVBVM60 ref: 0043ED83
__vbaStrCmp.MSVBVM60(004081A0,00000000), ref: 0043ED94
#645.MSVBVM60(?,00000000), ref: 0043EDB5
__vbaStrMove.MSVBVM60 ref: 0043EDC0
__vbaStrCmp.MSVBVM60(004081A0,00000000), ref: 0043EDCC
__vbaFreeStr.MSVBVM60 ref: 0043EDDE
__vbaFreeStr.MSVBVM60(0043EE4D), ref: 0043EE46

Strings

%@, xrefs: 0043ED4E, 0043ED53

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#645#648Move
String ID: %@
API String ID: 2957232524-2048787947
Opcode ID: cf2603fc8a223afedd517b6016eda78c935178f294d288179adf07f8fce84c2c
Instruction ID: ca6e18e46d7f154e3bda12325b5d3027c8736e79c0593bc4087dec71b098676e
Opcode Fuzzy Hash: cf2603fc8a223afedd517b6016eda78c935178f294d288179adf07f8fce84c2c
Instruction Fuzzy Hash: AC3130B4D01209EFCB14DF95DA499AEBBB8FF48700F20411AF911B72A0D7785A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0043EE80, Relevance: 22.8, APIs: 10, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004044F8,00440DC0), ref: 0043EECD
__vbaHresultCheckObj.MSVBVM60(00000000,0213ED94,004046C0,00000014), ref: 0043EEF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404A58,00000058), ref: 0043EF16
__vbaVarLateMemCallLd.MSVBVM60(?,?,Value,00000000), ref: 0043EF2A
__vbaStrVarVal.MSVBVM60(?,00000000), ref: 0043EF38
#690.MSVBVM60(?,Options,Show Tips at Startup,00000000), ref: 0043EF4D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0043EF5D
__vbaFreeObj.MSVBVM60 ref: 0043EF69
__vbaFreeVar.MSVBVM60 ref: 0043EF72
__vbaFreeVar.MSVBVM60(0043EFAF), ref: 0043EFA8

Strings

Options, xrefs: 0043EF47
Show Tips at Startup, xrefs: 0043EF42
Value, xrefs: 0043EF1D

Memory Dump Source

Source File: 00000000.00000002.580142915.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.579750427.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.580245753.0000000000440000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.580289950.0000000000442000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$#690CallLateListNew2
String ID: Options$Show Tips at Startup$Value
API String ID: 2162649039-3815377432
Opcode ID: 6ff6c0bca1b633e3e14160710bc7dbcf93c0ba98eef33ebe1cdeca3953d17930
Instruction ID: fe9d29867dc25249f221f935b284c7a4c8055b8495e54ab699fe4c07862122bc
Opcode Fuzzy Hash: 6ff6c0bca1b633e3e14160710bc7dbcf93c0ba98eef33ebe1cdeca3953d17930
Instruction Fuzzy Hash: 18316DB1940208ABCB04DF95DE49EDEBBB8FF58701F14442AF151B71A0DBB8A945CB68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report PRICE-(BPS).exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: PRICE-(BPS).exe PID: 632 Parent PID: 5548

General

Chronological Activities

Disassembly