Play interactive tour

Edit tour

Windows Analysis Report SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Overview

General Information

Sample Name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Analysis ID:	450598
MD5:	597eff6540780213008d384ca831852a
SHA1:	74fcaa7b00efdfc2056eb4651aea03c529d9bf8d
SHA256:	464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe' MD5: 597EFF6540780213008D384CA831852A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000000.647663159.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}

Multi AV Scanner detection for submitted file

Show sources

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Virustotal: Detection: 20%

Perma Link

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/karin_entmCGmZw1b;z

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8812F NtAllocateVirtualMemory,	0_2_02C8812F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C88299 NtAllocateVirtualMemory,	0_2_02C88299
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8834D NtAllocateVirtualMemory,	0_2_02C8834D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C88365 NtAllocateVirtualMemory,	0_2_02C88365
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C881E5 NtAllocateVirtualMemory,	0_2_02C881E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C881FD NtAllocateVirtualMemory,	0_2_02C881FD

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8812F	0_2_02C8812F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862C9	0_2_02C862C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862D5	0_2_02C862D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862E1	0_2_02C862E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84289	0_2_02C84289
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84295	0_2_02C84295
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C2AB	0_2_02C8C2AB
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C842AD	0_2_02C842AD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8427F	0_2_02C8427F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8620D	0_2_02C8620D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83214	0_2_02C83214
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86225	0_2_02C86225
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86231	0_2_02C86231
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C843D5	0_2_02C843D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C843E1	0_2_02C843E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C863E3	0_2_02C863E3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8B3F9	0_2_02C8B3F9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86385	0_2_02C86385
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8B3BD	0_2_02C8B3BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84351	0_2_02C84351
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8636D	0_2_02C8636D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8B361	0_2_02C8B361
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86379	0_2_02C86379
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84085	0_2_02C84085
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86095	0_2_02C86095
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C860B9	0_2_02C860B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84061	0_2_02C84061
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8600D	0_2_02C8600D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8401B	0_2_02C8401B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C87010	0_2_02C87010
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8702B	0_2_02C8702B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8B022	0_2_02C8B022
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86025	0_2_02C86025
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C871C9	0_2_02C871C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C841D1	0_2_02C841D1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C841F5	0_2_02C841F5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C871B1	0_2_02C871B1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8E156	0_2_02C8E156
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86169	0_2_02C86169
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86161	0_2_02C86161
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86175	0_2_02C86175
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84109	0_2_02C84109
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C87109	0_2_02C87109
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8411D	0_2_02C8411D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86111	0_2_02C86111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84111	0_2_02C84111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84135	0_2_02C84135
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C6C9	0_2_02C8C6C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8568B	0_2_02C8568B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86695	0_2_02C86695
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C866B9	0_2_02C866B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C6BD	0_2_02C8C6BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C649	0_2_02C8C649
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C625	0_2_02C8C625
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C631	0_2_02C8C631
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C837D4	0_2_02C837D4
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C7E1	0_2_02C8C7E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C877A8	0_2_02C877A8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C7BD	0_2_02C8C7BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C741	0_2_02C8C741
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C759	0_2_02C8C759
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86729	0_2_02C86729
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86735	0_2_02C86735
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C735	0_2_02C8C735
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864DD	0_2_02C864DD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864E5	0_2_02C864E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C844E5	0_2_02C844E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864F1	0_2_02C864F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C854B5	0_2_02C854B5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80459	0_2_02C80459
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86455	0_2_02C86455
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80465	0_2_02C80465
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86479	0_2_02C86479
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8047D	0_2_02C8047D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8447D	0_2_02C8447D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84475	0_2_02C84475
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83476	0_2_02C83476
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80407	0_2_02C80407
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8643D	0_2_02C8643D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86431	0_2_02C86431
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865CD	0_2_02C865CD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865C2	0_2_02C865C2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865F1	0_2_02C865F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C598	0_2_02C8C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8452D	0_2_02C8452D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86536	0_2_02C86536
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CAC5	0_2_02C8CAC5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DAC7	0_2_02C8DAC7
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8BAD3	0_2_02C8BAD3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80AE8	0_2_02C80AE8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DAF5	0_2_02C8DAF5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86A89	0_2_02C86A89
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DA89	0_2_02C8DA89
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A8D	0_2_02C82A8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A81	0_2_02C82A81
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A9C	0_2_02C83A9C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CAAD	0_2_02C8CAAD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CAA1	0_2_02C8CAA1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83AB2	0_2_02C83AB2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A40	0_2_02C82A40
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DA43	0_2_02C8DA43
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A45	0_2_02C83A45
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A5B	0_2_02C82A5B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A5D	0_2_02C83A5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DA61	0_2_02C8DA61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A79	0_2_02C82A79
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86A7D	0_2_02C86A7D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CA0D	0_2_02C8CA0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CA19	0_2_02C8CA19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A1F	0_2_02C83A1F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CA25	0_2_02C8CA25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A31	0_2_02C83A31
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86BC9	0_2_02C86BC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBCD	0_2_02C8DBCD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83BD5	0_2_02C83BD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80BD5	0_2_02C80BD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBD5	0_2_02C8DBD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBED	0_2_02C8DBED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBF9	0_2_02C8DBF9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86BFD	0_2_02C86BFD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85B8D	0_2_02C85B8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8BB99	0_2_02C8BB99
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DB9D	0_2_02C8DB9D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBA9	0_2_02C8DBA9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83BA6	0_2_02C83BA6
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83BBD	0_2_02C83BBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83BB1	0_2_02C83BB1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DBB5	0_2_02C8DBB5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80B49	0_2_02C80B49
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DB47	0_2_02C8DB47
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82B5D	0_2_02C82B5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DB5D	0_2_02C8DB5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82B51	0_2_02C82B51
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82B69	0_2_02C82B69
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85B69	0_2_02C85B69
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80B61	0_2_02C80B61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85B75	0_2_02C85B75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DB75	0_2_02C8DB75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82B0C	0_2_02C82B0C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83B0D	0_2_02C83B0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8BB05	0_2_02C8BB05
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8BB1D	0_2_02C8BB1D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86B2D	0_2_02C86B2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CB2D	0_2_02C8CB2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86B21	0_2_02C86B21
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80B3D	0_2_02C80B3D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DB3D	0_2_02C8DB3D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85B3F	0_2_02C85B3F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80B33	0_2_02C80B33
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C8FD	0_2_02C8C8FD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8688D	0_2_02C8688D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C85D	0_2_02C8C85D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86869	0_2_02C86869
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86875	0_2_02C86875
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8A877	0_2_02C8A877
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C816	0_2_02C8C816
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C869F3	0_2_02C869F3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C989	0_2_02C8C989
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C995	0_2_02C8C995
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C9A1	0_2_02C8C9A1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C869B9	0_2_02C869B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8594D	0_2_02C8594D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85959	0_2_02C85959
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8090F	0_2_02C8090F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86919	0_2_02C86919
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85920	0_2_02C85920
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86925	0_2_02C86925
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86931	0_2_02C86931
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEC9	0_2_02C8CEC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82ED9	0_2_02C82ED9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CED5	0_2_02C8CED5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEED	0_2_02C8CEED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82EF9	0_2_02C82EF9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86EF5	0_2_02C86EF5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEBD	0_2_02C8CEBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CE41	0_2_02C8CE41
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86E25	0_2_02C86E25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86F8D	0_2_02C86F8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8AF6A	0_2_02C8AF6A
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CF61	0_2_02C8CF61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86F0D	0_2_02C86F0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86F01	0_2_02C86F01
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86F19	0_2_02C86F19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82F1D	0_2_02C82F1D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86CCD	0_2_02C86CCD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DCED	0_2_02C8DCED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85CE5	0_2_02C85CE5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DCE5	0_2_02C8DCE5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8ACAC	0_2_02C8ACAC
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86CB5	0_2_02C86CB5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DC59	0_2_02C8DC59
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C87C57	0_2_02C87C57
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DC71	0_2_02C8DC71
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86C09	0_2_02C86C09
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85C09	0_2_02C85C09
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DC0D	0_2_02C8DC0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DC19	0_2_02C8DC19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85C15	0_2_02C85C15
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86C15	0_2_02C86C15
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85C2D	0_2_02C85C2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86C21	0_2_02C86C21
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DC25	0_2_02C8DC25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DDC9	0_2_02C8DDC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DD9D	0_2_02C8DD9D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DDA5	0_2_02C8DDA5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DDB1	0_2_02C8DDB1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86D75	0_2_02C86D75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86D11	0_2_02C86D11
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8DD11	0_2_02C8DD11

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000000.647693248.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000002.1170103596.0000000002280000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Binary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

File created: C:\Users\user\AppData\Local\Temp\~DF6BDFD07AB53422A8.TMP

Jump to behavior

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.647663159.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_0040662E push ebp; iretd	0_2_00406638
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80791 push edi; retf	0_2_02C80790
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80753 push edi; retf	0_2_02C8076B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8076C push edi; retf	0_2_02C8076B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8076C push edi; retf	0_2_02C80790

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862C9	0_2_02C862C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862D5	0_2_02C862D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C862E1	0_2_02C862E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8620D	0_2_02C8620D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83214	0_2_02C83214
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86225	0_2_02C86225
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86231	0_2_02C86231
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C863E3	0_2_02C863E3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86385	0_2_02C86385
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8636D	0_2_02C8636D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86379	0_2_02C86379
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86095	0_2_02C86095
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C860B9	0_2_02C860B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8600D	0_2_02C8600D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86025	0_2_02C86025
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86169	0_2_02C86169
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86161	0_2_02C86161
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86175	0_2_02C86175
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86111	0_2_02C86111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8568B	0_2_02C8568B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C837D4	0_2_02C837D4
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C877A8	0_2_02C877A8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864DD	0_2_02C864DD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864E5	0_2_02C864E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C864F1	0_2_02C864F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86455	0_2_02C86455
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86479	0_2_02C86479
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C80407	0_2_02C80407
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8643D	0_2_02C8643D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86431	0_2_02C86431
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865CD	0_2_02C865CD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865C2	0_2_02C865C2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C865F1	0_2_02C865F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C598	0_2_02C8C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C86536	0_2_02C86536
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8BAD3	0_2_02C8BAD3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A8D	0_2_02C82A8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A81	0_2_02C82A81
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A40	0_2_02C82A40
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A5B	0_2_02C82A5B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82A79	0_2_02C82A79
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C83A1F	0_2_02C83A1F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C82B0C	0_2_02C82B0C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C85B3F	0_2_02C85B3F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C87878	0_2_02C87878
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8A877	0_2_02C8A877
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEC9	0_2_02C8CEC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CED5	0_2_02C8CED5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEED	0_2_02C8CEED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CEBD	0_2_02C8CEBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CE41	0_2_02C8CE41
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CF61	0_2_02C8CF61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8CF79	0_2_02C8CF79

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

RDTSC instruction interceptor: First address: 0000000002C8BB89 second address: 0000000002C8BB89 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 0000000002C8BB89 second address: 0000000002C8BB89 instructions:
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 0000000002C8B7D7 second address: 0000000002C8B73A instructions: 0x00000000 rdtsc 0x00000002 mov eax, E2C96E1Dh 0x00000007 add eax, F5135739h 0x0000000c add eax, 4CB33013h 0x00000011 xor eax, 248FF568h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp al, bl 0x0000001b call 00007FC1149B7DB0h 0x00000020 lfence 0x00000023 mov edx, CF8A4B87h 0x00000028 xor edx, 92055ED3h 0x0000002e sub edx, 11EA7C92h 0x00000034 xor edx, 345A98D6h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test eax, edx 0x00000041 cmp ebx, eax 0x00000043 cmp ch, ch 0x00000045 cmp dh, dh 0x00000047 jmp 00007FC1149B7D92h 0x00000049 test ecx, eax 0x0000004b test dx, cx 0x0000004e test ecx, 5A8CACB8h 0x00000054 cmp bh, 0000006Fh 0x00000057 ret 0x00000058 test ecx, edx 0x0000005a sub edx, esi 0x0000005c ret 0x0000005d test cx, cx 0x00000060 test dh, ch 0x00000062 test eax, ecx 0x00000064 add edi, edx 0x00000066 cmp cx, cx 0x00000069 dec dword ptr [ebp+000000F8h] 0x0000006f pushad 0x00000070 lfence 0x00000073 rdtsc
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 0000000002C8B73A second address: 0000000002C8B7D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000012 jne 00007FC1149B6FFEh 0x00000014 cmp dx, cx 0x00000017 cmp dl, bl 0x00000019 call 00007FC1149B70E0h 0x0000001e call 00007FC1149B70A3h 0x00000023 lfence 0x00000026 mov edx, CF8A4B87h 0x0000002b xor edx, 92055ED3h 0x00000031 sub edx, 11EA7C92h 0x00000037 xor edx, 345A98D6h 0x0000003d mov edx, dword ptr [edx] 0x0000003f lfence 0x00000042 test eax, edx 0x00000044 cmp ebx, eax 0x00000046 cmp ch, ch 0x00000048 cmp dh, dh 0x0000004a jmp 00007FC1149B7062h 0x0000004c test ecx, eax 0x0000004e test dx, cx 0x00000051 test ecx, 5A8CACB8h 0x00000057 cmp bh, 0000006Fh 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 0_2_02C8812F rdtsc

0_2_02C8812F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 0_2_02C8812F rdtsc

0_2_02C8812F

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8401B mov eax, dword ptr fs:[00000030h]	0_2_02C8401B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8B199 mov eax, dword ptr fs:[00000030h]	0_2_02C8B199
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8C598 mov eax, dword ptr fs:[00000030h]	0_2_02C8C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C87A5C mov eax, dword ptr fs:[00000030h]	0_2_02C87A5C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C84B10 mov eax, dword ptr fs:[00000030h]	0_2_02C84B10
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 0_2_02C8A910 mov eax, dword ptr fs:[00000030h]	0_2_02C8A910

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000002.1169996437.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000002.1169996437.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000002.1169996437.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000000.00000002.1169996437.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 0_2_02C8D094 cpuid

0_2_02C8D094

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	21%	Virustotal		Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://andreameixueiro.com/karin_entmCGmZw1b;z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/karin_entmCGmZw1b;z	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	450598
Start date:	19.07.2021
Start time:	12:33:18
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 22s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.5% (good quality ratio 3.1%) Quality average: 20.3% Quality standard deviation: 30.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2291079634082305
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
File size:	241664
MD5:	597eff6540780213008d384ca831852a
SHA1:	74fcaa7b00efdfc2056eb4651aea03c529d9bf8d
SHA256:	464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
SHA512:	c15389829bb474e00e8c60912a5c78ff7f5bc459e55bf984f5ce9f4e2478c005908d51d4a629708cb1f811f37213bd8c04a8b9fc68459ce666983cb767b80114
SSDEEP:	3072:v3BepJlZa/Qrp8XvPZFbzt2dQXty7gHJlZapGBR:piUQrOfKorHP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....?@P................. ...................0....@................

File Icon


Icon Hash:	f8fcd4ccf4e4e8d0

Static PE Info

General
Entrypoint:	0x4019b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x50403FEF [Fri Aug 31 04:39:11 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9f7dd0da1a2a1266893e1ae4ef42b67

Entrypoint Preview

Instruction
push 00408AC8h
call 00007FC114B99255h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov gs, word ptr [eax]
retf 5E45h
dec esp
dec esi
xchg eax, esp
or byte ptr [ecx+ebp-2Ah], bl
les ecx, fword ptr [edx-3Bh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
je 00007FC114B99299h
inc ecx
insb
imul edx, dword ptr [eax+4Ch], 45544E41h
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
xor dword ptr [ebx+ecx*8-05h], ebp
and bl, bh
xchg eax, ebp
add cl, byte ptr [ebp-67h]
dec esi
fcmovne st(0), st(3)
aam 4Eh
xor ecx, ecx
in al, dx
cmp byte ptr [ecx+3737A5A5h], dh
inc ebp
mov esp, 1EF3FCEAh
cdq
idiv dword ptr [ebx+33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
jo 00007FC114B99262h
add byte ptr [esi+00000068h], bl
add eax, 6C656300h
jnc 00007FC114B99263h
or eax, 4D000C01h
jne 00007FC114B992D1h
outsb
imul esi, dword ptr [ebp+6Dh], 6C616D73h
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32194	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x6d26	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31804	0x32000	False	0.390200195312	data	6.38510729758	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x33000	0x1290	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x6d26	0x7000	False	0.482107979911	data	5.46196518031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ae7e	0xea8	data
RT_ICON	0x3a5d6	0x8a8	data
RT_ICON	0x39f0e	0x6c8	data
RT_ICON	0x399a6	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x373fe	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x36356	0x10a8	data
RT_ICON	0x359ce	0x988	data
RT_ICON	0x35566	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x354f0	0x76	data
RT_VERSION	0x35240	0x2b0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Socialbakers
InternalName	Reamusekbman
FileVersion	1.00
CompanyName	Socialbakers
LegalTrademarks	Socialbakers
ProductName	PLANTES
ProductVersion	1.00
OriginalFilename	Reamusekbman.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 7052 Parent PID: 6000

General

Start time:	12:34:06
Start date:	19/07/2021
Path:	C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe'
Imagebase:	0x400000
File size:	241664 bytes
MD5 hash:	597EFF6540780213008D384CA831852A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.647663159.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 7052 Parent PID: 6000 SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCOMMON

Executed Functions

Function 02C8812F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 195memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02C88392

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 3fe264aead40bf1ac246a9fd1ca55b65070f521ce84ade10588ba40a3dfd5f10
Instruction ID: 3d5a0d5d903ad725a7591d5c5e132dd39b8508405a9b1b6d3003e70f8c46db1f
Opcode Fuzzy Hash: 3fe264aead40bf1ac246a9fd1ca55b65070f521ce84ade10588ba40a3dfd5f10
Instruction Fuzzy Hash: C0514775A143098FEF347E6498A53EB37E3AF56358FC5822DCC8A4B611D7304986CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 02C881E5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 2a61fd2d8045ad5b49581120acde08502ddf4302b109d80c060af5cdd96c85ee
Instruction ID: 4bdb85846fc9581f54cbb69cd74fbc64d62090e2b5fa744773df5492db3199ae
Opcode Fuzzy Hash: 2a61fd2d8045ad5b49581120acde08502ddf4302b109d80c060af5cdd96c85ee
Instruction Fuzzy Hash: 8E415972B04349CFEF34AE6188903EE37E2BF56318F95852ECC895B611D7304A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C881FD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02C88392

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 770309fa3e7b025d7b2d313da2335c5c5336954ab4c14e4a6bde6db035e0744a
Instruction ID: cc6a57efa21a2634bfed2a3ad7b1cbc124d03f9087a8cea01d3509f010f4046b
Opcode Fuzzy Hash: 770309fa3e7b025d7b2d313da2335c5c5336954ab4c14e4a6bde6db035e0744a
Instruction Fuzzy Hash: 18412772A04349CFEF34AE6198943EE37E2AF56318F95852DDC895B211D7304986CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C88299, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 2eb57967900dcabb4ae9da02a567249951e2dd320d424dfcb2ccf2097f339fac
Instruction ID: 884eecd9db833281ff6873971790120b524a61075036f948de34b89c3f454027
Opcode Fuzzy Hash: 2eb57967900dcabb4ae9da02a567249951e2dd320d424dfcb2ccf2097f339fac
Instruction Fuzzy Hash: 5C31C172A04349DFEF74AE2198543EE77E2BFA5318F95852DDC894B610D7308A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C8834D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 0f970d11da6d1ce2da4ed1262fae49cee0e38e92dfcb91863e29bb3043009154
Instruction ID: 176514e9634f7fd727121402c88fc531ceda3e90cfafb8e4b9fff2522e2eadd4
Opcode Fuzzy Hash: 0f970d11da6d1ce2da4ed1262fae49cee0e38e92dfcb91863e29bb3043009154
Instruction Fuzzy Hash: D521E4325042498FDF35AE6188507DE37E2BFAA318FD4862DDC898B610D7308682CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C88365, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02C88392

Strings

&%F, xrefs: 02C88548

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 56f24b2829fae647f8c179a827ac60fadebf881d941b948692376f04f32d0b0d
Instruction ID: 0a2a5ff42f4067a161d86cc69d2063bf2f54b95b73aeaeeb53ac28e1d5cd090a
Opcode Fuzzy Hash: 56f24b2829fae647f8c179a827ac60fadebf881d941b948692376f04f32d0b0d
Instruction Fuzzy Hash: A6112732505349CFEB31AF6188507DE3BE2BF5A318FD8852DDC898B610D7308682CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00431E00, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

#607.MSVBVM60(?,000000FF,?), ref: 00431E62
__vbaStrVarMove.MSVBVM60(?), ref: 00431E6C
__vbaStrMove.MSVBVM60 ref: 00431E7D
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431E89
__vbaLenBstr.MSVBVM60(?), ref: 00431E96
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431EA5
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431EB6
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00431EC2
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431ECD
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431EDB
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00431EEB
#537.MSVBVM60(00000000,?,00000001), ref: 00431EFB
__vbaStrMove.MSVBVM60 ref: 00431F06
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00431F0A
__vbaFreeStr.MSVBVM60 ref: 00431F1F
#537.MSVBVM60(00000000,?,00000001), ref: 00431F32
__vbaStrMove.MSVBVM60 ref: 00431F3D
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00431F41
#616.MSVBVM60(?,-00000001), ref: 00431F55
__vbaStrMove.MSVBVM60 ref: 00431F60
__vbaFreeStr.MSVBVM60 ref: 00431F65
__vbaStrCat.MSVBVM60(00409E20), ref: 00431F79
__vbaStrMove.MSVBVM60 ref: 00431F80
__vbaStrCat.MSVBVM60(?,00000000), ref: 00431F87
__vbaStrMove.MSVBVM60 ref: 00431F8E
__vbaFreeStr.MSVBVM60 ref: 00431F93
__vbaErrorOverflow.MSVBVM60 ref: 00431FFB
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00432071
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0043209C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 004320CA
__vbaStrMove.MSVBVM60 ref: 004320D9
__vbaFreeObj.MSVBVM60 ref: 004320E2
#598.MSVBVM60 ref: 004320E8
__vbaStrCopy.MSVBVM60 ref: 004320F6

Strings

USERNAME, xrefs: 004320EE

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$Free$#537AnsiCheckErrorHresultListUnicode$#598#607#616BstrCopyNew2OverflowSystem
String ID: USERNAME
API String ID: 840069314-1047370299
Opcode ID: 98abaded3819448457fc8e2de2cd7a9c68cc0ccf42334d974409c0a4d972abfb
Instruction ID: 3e1be679c0f899b0f489a956c5e93e21d5b8713d4d3e8ae05c4dc1b8f8f4d0d5
Opcode Fuzzy Hash: 98abaded3819448457fc8e2de2cd7a9c68cc0ccf42334d974409c0a4d972abfb
Instruction Fuzzy Hash: 0591FF75900209AFCB04DFA5DD89DEFBBB8FF48700F10812AF605A72A5DB785945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD80, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00432071
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0043209C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 004320CA
__vbaStrMove.MSVBVM60 ref: 004320D9
__vbaFreeObj.MSVBVM60 ref: 004320E2
#598.MSVBVM60 ref: 004320E8
__vbaStrCopy.MSVBVM60 ref: 004320F6
__vbaHresultCheckObj.MSVBVM60(00000000,00401730,004091A0,0000074C), ref: 0043211D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00432129
__vbaFreeStr.MSVBVM60(00432167), ref: 00432160

Strings

USERNAME, xrefs: 004320EE

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#598CopyListMoveNew2
String ID: USERNAME
API String ID: 3664798572-1047370299
Opcode ID: fd7e87add5e759b9b8e2da88a297157256be3d6bf3fcb6a9c91454db83ca04df
Instruction ID: d37fa5c259a7c521f5af574b843ebce1ebbbcecd524bcb1ce23f290fb7a387e4
Opcode Fuzzy Hash: fd7e87add5e759b9b8e2da88a297157256be3d6bf3fcb6a9c91454db83ca04df
Instruction Fuzzy Hash: E0312371900205ABCB04DF95CD89EEEBBB4FF4C704F10802AF615B7291D7789905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004019B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004019B5

Strings

VB5!6&*, xrefs: 004019B0

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1a086d5bf16f81fd9291c755d689b1bb151d5864a31b15e68f48bb950e7c90a2
Instruction ID: 026ec7011811c81fbed3cd22caf46f9a550679e3c692d7f5be09198d702175e5
Opcode Fuzzy Hash: 1a086d5bf16f81fd9291c755d689b1bb151d5864a31b15e68f48bb950e7c90a2
Instruction Fuzzy Hash: 5AD0A4A2A0E7C02ED307273488220812F345DA362030F08EBD0C0DF5B7D46C0848C326

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02C8C598, Relevance: 9.5, Strings: 6, Instructions: 1951COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
a#eT, xrefs: 02C8CCB8
L)-b, xrefs: 02C8631C
(L, xrefs: 02C875B5
ZV&p, xrefs: 02C8D272
iEO, xrefs: 02C80B21

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: (L$L)-b$ZV&p$a#eT$iEO$aI>
API String ID: 0-2482760040
Opcode ID: 3a09e55ae1494616c012e219602e66e29ef6345f26f582758337a6f1738fb00e
Instruction ID: 99f0a08a69c26177b130632779453c4d7847fb1b2cdb8a73c42a8c16f2412ae7
Opcode Fuzzy Hash: 3a09e55ae1494616c012e219602e66e29ef6345f26f582758337a6f1738fb00e
Instruction Fuzzy Hash: 31F27E716043468FDF349E38CD943DA7BA2AF56364F55C22ECCCA8B295D3358A85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02C877A8, Relevance: 5.0, Strings: 3, Instructions: 1239COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C
iEO, xrefs: 02C80B21

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$iEO$aI>
API String ID: 0-3725514886
Opcode ID: a69651c68944ddbc11062fe8d1008f4dc821c648633fa0c29f1e0ce453536fb9
Instruction ID: 4a812f008556556ba6a3084915743649c9f8097fcebee3b441e4bc0a4d6a1dea
Opcode Fuzzy Hash: a69651c68944ddbc11062fe8d1008f4dc821c648633fa0c29f1e0ce453536fb9
Instruction Fuzzy Hash: 96A2667560430ADFDF34AE34CDA53DA77A2BF55394F95822EDC8A97244D330898ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C80407, Relevance: 5.0, Strings: 3, Instructions: 1200COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C
Si, xrefs: 02C807B5

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$Si$aI>
API String ID: 0-3394714570
Opcode ID: 44a3360c8b6d685e07f6f8acc3afe9b58b9827a0ab6df29ef246bee817696744
Instruction ID: 97c87411b59284f08e570a44ba91e0c154ad3be07e4fda5b5afbddd100d1e0e8
Opcode Fuzzy Hash: 44a3360c8b6d685e07f6f8acc3afe9b58b9827a0ab6df29ef246bee817696744
Instruction Fuzzy Hash: 87A2687560430ADFDF34AE34CD653DA77A2BF95394F95822EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C83214, Relevance: 4.8, Strings: 3, Instructions: 1054COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
#&vM, xrefs: 02C832D7
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: #&vM$L)-b$aI>
API String ID: 0-226628541
Opcode ID: 2c0cd5db91dd32e893cb9f241799e19491b5380b06cf33860dbace1de13a8c91
Instruction ID: 05ff6e3df1046ceee2c03a56fc88d7f212bbb4b7891c4f0b757f28786c6f87ae
Opcode Fuzzy Hash: 2c0cd5db91dd32e893cb9f241799e19491b5380b06cf33860dbace1de13a8c91
Instruction Fuzzy Hash: 4B82477160430ADFDB349E38CDA57DA77A2FF55394F95822EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BAD3, Relevance: 3.8, Strings: 2, Instructions: 1283COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: c08250fa61d9b504dd66f755afaf136557ffc9bbbf4cc66733ae2ce808675b2a
Instruction ID: 3efb6449be0980a2c1cbd9c24224ad8d73d9e41094bdf550ca5a28d0c5ae24c4
Opcode Fuzzy Hash: c08250fa61d9b504dd66f755afaf136557ffc9bbbf4cc66733ae2ce808675b2a
Instruction Fuzzy Hash: C3A2587560430ADFDF349E38CDA57DA77A2BF55394F95822ECC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C83A1F, Relevance: 3.7, Strings: 2, Instructions: 1236COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 7e851e56c54ada1831b21a0945254b19ebd4569a57db9f383a3d322607b83be1
Instruction ID: edd974022f4e199ab4a2da40b55bf3ee2a51d6efd2b6583f17d4794cf1f936ea
Opcode Fuzzy Hash: 7e851e56c54ada1831b21a0945254b19ebd4569a57db9f383a3d322607b83be1
Instruction Fuzzy Hash: E4A2457160434ADFDB34AE39CDA53DA77A2FF55390F95812EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C837D4, Relevance: 3.7, Strings: 2, Instructions: 1151COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: f3fc6153241f68b30cb08153d055a6f451c1859306bd438abf485213d555fbfe
Instruction ID: 8bf1cee348bea0d3fb4329d46fd1c49f96de19294fe61c6f2999605b9e967829
Opcode Fuzzy Hash: f3fc6153241f68b30cb08153d055a6f451c1859306bd438abf485213d555fbfe
Instruction Fuzzy Hash: 5492677160434ADFDF34AE34CD953EA77A2BF55394F95822EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8600D, Relevance: 3.5, Strings: 2, Instructions: 953COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 611ae6862ceb30cfc6001066d46ab3092306e142eafa3859ce9055399b91ddd7
Instruction ID: d966d4d80a3c49187e6d547a3e67874c2227a6793e27b1dc151575303e68ea61
Opcode Fuzzy Hash: 611ae6862ceb30cfc6001066d46ab3092306e142eafa3859ce9055399b91ddd7
Instruction Fuzzy Hash: DF72457160430ADFDB349E34CDA53DA77A6FF55394F95822EDC8A9B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86025, Relevance: 3.4, Strings: 2, Instructions: 945COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 4669cb3f32ccde5398edf8ed805893cc40bf40a45e3e21725a5e8e562d0f4099
Instruction ID: fb1aedda0a99fcada89ee04a317c6840d04382c737f5e07ad92e77e47d9d82f0
Opcode Fuzzy Hash: 4669cb3f32ccde5398edf8ed805893cc40bf40a45e3e21725a5e8e562d0f4099
Instruction Fuzzy Hash: 3372467160430ADFDB349E38CDA53DA77A6FF55394F95822EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86095, Relevance: 3.4, Strings: 2, Instructions: 933COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 4b5036decf20d850c1a454829c5481c1400db08771209d0b2be05d8dd82ad343
Instruction ID: 38773d0bf25df2db831d9d4b2a144aba159c12cb25d41f44dd09051c8d00caa9
Opcode Fuzzy Hash: 4b5036decf20d850c1a454829c5481c1400db08771209d0b2be05d8dd82ad343
Instruction Fuzzy Hash: 5D72367160430ADFDB349E34CDA53DA77A6FF55394F95822EDC8A9B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C860B9, Relevance: 3.4, Strings: 2, Instructions: 920COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 341c9ea386dfeee5929d409e68553151d81f5b6e4a9cb52a4adbb1cfc9b1d7d1
Instruction ID: 5029feb2c8b090fbf7ff5e3203542e33436a7a8275d2743c36c6c271370589f5
Opcode Fuzzy Hash: 341c9ea386dfeee5929d409e68553151d81f5b6e4a9cb52a4adbb1cfc9b1d7d1
Instruction Fuzzy Hash: AB72367160430ADFDB349E34CDA53DA77A6FF55394F95822EDC8A97244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86111, Relevance: 3.4, Strings: 2, Instructions: 915COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 14fed502030abbd2f3548ac9eead7bdc3928f9ce05e110da1e931b6fca5d076f
Instruction ID: 4015426bcde4783762e9bba0c75965b4e4a7fef0e2195a9a48c11705e88fa822
Opcode Fuzzy Hash: 14fed502030abbd2f3548ac9eead7bdc3928f9ce05e110da1e931b6fca5d076f
Instruction Fuzzy Hash: 2D72457160430ADFDB349E34CDA53DA77A6FF55394F95822EDC8A9B244D3308A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C86169, Relevance: 3.4, Strings: 2, Instructions: 908COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 411edf293c66ec20995168ed415ef3fb9c42f2d151ba8352820736ff92c28e56
Instruction ID: e69eff1521e5ffdb327382d78b545befedbb4e7a709908098a4c55bcbc099da7
Opcode Fuzzy Hash: 411edf293c66ec20995168ed415ef3fb9c42f2d151ba8352820736ff92c28e56
Instruction Fuzzy Hash: 3272467160434ADFDF349E34CDA53DA77A2BF55394F95822EDC8A9B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86175, Relevance: 3.4, Strings: 2, Instructions: 906COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 11ce26cc4f43d1c2d86ce3129298c9dd064c97dd1e9e51f9e5f8ca8d65c6fe0f
Instruction ID: 3d23528e6612f7fc52f378d0ec33e09dc1301c12702db32e00d156aa71f3c970
Opcode Fuzzy Hash: 11ce26cc4f43d1c2d86ce3129298c9dd064c97dd1e9e51f9e5f8ca8d65c6fe0f
Instruction Fuzzy Hash: 7172467160434ADFDB349E34CDA53DA77A2BF55394F95822EDC8A8B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86161, Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 0f5ac60bf363f7cce96cf79ee1ee3d799a8a74a16f2de7978db5a00490760443
Instruction ID: 8a838bc79e02c99964d6fe377c4a3aa9527c402fa21e314a3c11e3c12a46886c
Opcode Fuzzy Hash: 0f5ac60bf363f7cce96cf79ee1ee3d799a8a74a16f2de7978db5a00490760443
Instruction Fuzzy Hash: E572467160434ADFDB349E34CDA53DA77A2FF55394F95822EDC8A97244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8620D, Relevance: 3.4, Strings: 2, Instructions: 880COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 2091bba98af4639137f8a9822c25bdd32eb4f20f8ed4f42d37e4e946fc3cbe1d
Instruction ID: df8007dc8b477836da64c9f5939e0f588fb6a81e4cc6eda8c00e26fc2d784fb6
Opcode Fuzzy Hash: 2091bba98af4639137f8a9822c25bdd32eb4f20f8ed4f42d37e4e946fc3cbe1d
Instruction Fuzzy Hash: 7C62467560430ADFDB349E34CDA53DA77A2FF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86225, Relevance: 3.4, Strings: 2, Instructions: 873COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 7577efbbc2954edc534bc0ad91ff8dcf414a9c5296c6357532720ef5f8e497a9
Instruction ID: 125a5e973c06b3ba3605bf6085c2525b2a9f7afdc656995015a0f41ef923f715
Opcode Fuzzy Hash: 7577efbbc2954edc534bc0ad91ff8dcf414a9c5296c6357532720ef5f8e497a9
Instruction Fuzzy Hash: 5262467160430ADFDF349E34CDA57DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86231, Relevance: 3.4, Strings: 2, Instructions: 867COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: f2e4bef6c0b9a0b802339135ce364f97db78a881bbffa83e644cf2910f15c184
Instruction ID: 3376eb8194bf0443ddf40e08780b5be054cefb180cadbb6eb83b13d7b775467a
Opcode Fuzzy Hash: f2e4bef6c0b9a0b802339135ce364f97db78a881bbffa83e644cf2910f15c184
Instruction Fuzzy Hash: E462467160430ADFDF349E34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C862C9, Relevance: 3.4, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: de8d0f60a4b89abd2148a34bb769c6eb616b2edbe4e348ea85e2612993ef9095
Instruction ID: 3cae0d3fb2cfeae7b5e9441210302326fcfb2453fb4fe1848e8f2d119d48e532
Opcode Fuzzy Hash: de8d0f60a4b89abd2148a34bb769c6eb616b2edbe4e348ea85e2612993ef9095
Instruction Fuzzy Hash: 2662477160430ADFDF349E38CDA57DA77A2BF55394F95822EDC8A97244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8401B, Relevance: 3.3, Strings: 2, Instructions: 847COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: c4ba43dcad8e24382ef48593853547ee0891a4fc65f408e527f82b47f5618a34
Instruction ID: c916afe06f94e5e92d3859491a633b1fb3a752cd8aa8b5aede96a20d7f4bb987
Opcode Fuzzy Hash: c4ba43dcad8e24382ef48593853547ee0891a4fc65f408e527f82b47f5618a34
Instruction Fuzzy Hash: 0B62F17570474ADFDB38EE28CDA47EA73A2BF59354F85822EDC898B240D7319981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C862D5, Relevance: 3.3, Strings: 2, Instructions: 843COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 1547a191e91a9b2074f8c180bbe59a78493516142aeaae7ad2b535ba64a9db82
Instruction ID: 34f8a08de299eab21ef1a3af6620918717445d63fb6bb9b1e647ed5621dedf5f
Opcode Fuzzy Hash: 1547a191e91a9b2074f8c180bbe59a78493516142aeaae7ad2b535ba64a9db82
Instruction Fuzzy Hash: 4A62467160430ADFCF349E34CDA57DA77A2BF55394F95822EDC8A8B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C862E1, Relevance: 3.3, Strings: 2, Instructions: 841COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F
L)-b, xrefs: 02C8631C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 6dc2b47e3b9d6980e78c5383fc7dce750017e723cc40c6cc3c752ce8f5039ca7
Instruction ID: b282c962a8c1d15a10b87a363be296f6640f8ff599260634f33c3c43e5243ecb
Opcode Fuzzy Hash: 6dc2b47e3b9d6980e78c5383fc7dce750017e723cc40c6cc3c752ce8f5039ca7
Instruction Fuzzy Hash: 8862467164430ADFCF309E34CDA57DA77A2BF55394F95822EDC8A8B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C84061, Relevance: 3.0, Strings: 2, Instructions: 501COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 05a481003796320607961823674fe4f82e0d68c5bbac9516830bc0c138e80749
Instruction ID: 52ae13a2e02f2165c358111f3876bcd83e7fe3f8473a3d80e90017f8cac8253d
Opcode Fuzzy Hash: 05a481003796320607961823674fe4f82e0d68c5bbac9516830bc0c138e80749
Instruction Fuzzy Hash: C012E07570474ADFDB389E28C8A47EAB7A2BF55354F85822DDC898B240D730A981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C84085, Relevance: 3.0, Strings: 2, Instructions: 494COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 87ed16111988f97c84a4ca24bed7b6c21fb83b4654015e0c148e332fe77f9e3c
Instruction ID: 47b2d5d946e90e67f498995047b9ffff861a4396633957ec732a00e3d636ba6f
Opcode Fuzzy Hash: 87ed16111988f97c84a4ca24bed7b6c21fb83b4654015e0c148e332fe77f9e3c
Instruction Fuzzy Hash: 6F02DF7570474ADFDB389E28C9A4BEAB7A2BF55350F85822DDC898B240D731A981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C84111, Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 46ad5c6c53aaad5ec47e1446b93850908063c28f432b4bada0eecd914fdf310f
Instruction ID: b1526b8d8a65cda2a979e6f55f2077b05f6e541dd7c5a34c9f6b1890c6bdf9e2
Opcode Fuzzy Hash: 46ad5c6c53aaad5ec47e1446b93850908063c28f432b4bada0eecd914fdf310f
Instruction Fuzzy Hash: D302E17570474ADFDB38DE28CDA47EAB7A2BF55350F85822DDC898B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C8411D, Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 058975330c472ac4187f288c2a6e1cbbf1ca2ab818a65478af923d07bce13baa
Instruction ID: dbc000a133aed3eddcb1af2fa99aa073c38fc516f54be35b2d0f1713d28af30b
Opcode Fuzzy Hash: 058975330c472ac4187f288c2a6e1cbbf1ca2ab818a65478af923d07bce13baa
Instruction Fuzzy Hash: 5A02E17570474ADFDB38DF28C9A47EAB7A2BF55354F85822DDC898B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C84109, Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: c90b391340f6503f7805c675ed1fc93dfcc7df71aa0d9d6d3746396ed1d0521e
Instruction ID: 9546f31de06ef457c9fc77184499a93d3004a11d93a7e5a48bf5fc7cf6983532
Opcode Fuzzy Hash: c90b391340f6503f7805c675ed1fc93dfcc7df71aa0d9d6d3746396ed1d0521e
Instruction Fuzzy Hash: 8A02D17570474ADFDB38DE28CDA47EAB7A2BF55350F85822DDC898B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C84135, Relevance: 3.0, Strings: 2, Instructions: 452COMMON

Download Yara Rule

Strings

T', xrefs: 02C84138
O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 9293f5bd983cfab2a2c6fcfeb92d74115931f293eaddc98884aaf26ab982783f
Instruction ID: 4caa27bde3c4081e84ca4df880ce559b25fff81450c90d55c39c8976e7919daa
Opcode Fuzzy Hash: 9293f5bd983cfab2a2c6fcfeb92d74115931f293eaddc98884aaf26ab982783f
Instruction Fuzzy Hash: 0C02D17570074ADFDB38DF28C9A47EAB7A2BF55350F85822DDC898B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C80AE8, Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

}, xrefs: 02C80AFC
iEO, xrefs: 02C80B21

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: iEO$}
API String ID: 0-3220441400
Opcode ID: f5453683663ab14e3da5945cc007b7eb6a179161c4e1f7f3d016a8a7bfaf9581
Instruction ID: 0391a292d4052d8b82e941a273b77dc2296c0a898d1eb5caa991769a6cd46561
Opcode Fuzzy Hash: f5453683663ab14e3da5945cc007b7eb6a179161c4e1f7f3d016a8a7bfaf9581
Instruction Fuzzy Hash: 8A619B72A043068FDF306E3489943DF77A79F92794F96812EDCC6A3254D771898CCA42

Uniqueness

Uniqueness Score: -1.00%

Function 02C85B69, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

L*H, xrefs: 02C85D0F
_ b2, xrefs: 02C85BFC

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: 368db256ce9f2d4cbdae1bded0f924e9180a122152ce78f8c416d135ed19ccdc
Instruction ID: d8e722e430607fabb419b004010277e3946d77c98dc71b9fa39501b7d37a178e
Opcode Fuzzy Hash: 368db256ce9f2d4cbdae1bded0f924e9180a122152ce78f8c416d135ed19ccdc
Instruction Fuzzy Hash: C9510371601348AFDF30DE298AD43DB37E2AF59344FD5853E8C4A87245C376A686CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02C85B75, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

L*H, xrefs: 02C85D0F
_ b2, xrefs: 02C85BFC

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: d98b312c2e07af7e2502fca3916ad4e29c72c670589f33bac83e4bbf7492af90
Instruction ID: 49d92bc02551aa0ce6e937dc0330f24c57c810da3565408d0b9e8570a31b6de1
Opcode Fuzzy Hash: d98b312c2e07af7e2502fca3916ad4e29c72c670589f33bac83e4bbf7492af90
Instruction Fuzzy Hash: 1C510171601348AFEF30DE298AD43DA36E2AF59348FD5813F8C4A87245C3769686CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02C85B8D, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

L*H, xrefs: 02C85D0F
_ b2, xrefs: 02C85BFC

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: 14e60c11b9f48330ff3392416aa8afa55a71082ec56c77a0c458a950b7a54fd4
Instruction ID: f718682b322b18159386d433cb2bf775860961878c65c982c46e25d6f1a1c2f1
Opcode Fuzzy Hash: 14e60c11b9f48330ff3392416aa8afa55a71082ec56c77a0c458a950b7a54fd4
Instruction Fuzzy Hash: C951EE71601348AFEF30DE298AD53DA36E2AF59344FD5853F8C4A8B245C376A685CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C86379, Relevance: 2.1, Strings: 1, Instructions: 814COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 83278890046c835468dcb3696864f5f5022b06cc28214dc28923abef3939bd67
Instruction ID: bba521eeed8250d2a07108175fd4b9d87462ab1a607960edbbc635291d37bc11
Opcode Fuzzy Hash: 83278890046c835468dcb3696864f5f5022b06cc28214dc28923abef3939bd67
Instruction Fuzzy Hash: 2762457560430ADFDF30AE34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C86385, Relevance: 2.1, Strings: 1, Instructions: 812COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 1fb6533d0d2d35bd7ca07b4d0ce8df59de75092b98d735fbe795061567ba07c4
Instruction ID: 526fe8fe830ebedadfff98e35cbb27c28b710b145ae19b501be4547f64d750d1
Opcode Fuzzy Hash: 1fb6533d0d2d35bd7ca07b4d0ce8df59de75092b98d735fbe795061567ba07c4
Instruction Fuzzy Hash: E562357560434ADFDF30AE34CDA43DA77A6BF55394F95822EDC8A8B244D3348A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8636D, Relevance: 2.1, Strings: 1, Instructions: 809COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 10bf4d550a477fe93602cbcc79f659cab9ed86c1e8eaad8d29ecd2cabe692100
Instruction ID: e8368a2ab9b321c4ac2d2f8024946c650e2da859882f98ed7ec04195aef0671c
Opcode Fuzzy Hash: 10bf4d550a477fe93602cbcc79f659cab9ed86c1e8eaad8d29ecd2cabe692100
Instruction Fuzzy Hash: 4952457560430ADFDF309E38CDA43DA77A6BF55394F95822EDC8A8B244D3348A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C863E3, Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 98372fae51f4b3f73d6396b809f714b4997c4d08fbf355f8d013b61125715887
Instruction ID: f483238c1aac51fbafae583243084f053cbd220bf277b0a766527ba5e4c24794
Opcode Fuzzy Hash: 98372fae51f4b3f73d6396b809f714b4997c4d08fbf355f8d013b61125715887
Instruction Fuzzy Hash: D652477560434ADFDF309E34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86431, Relevance: 2.0, Strings: 1, Instructions: 781COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 23acb3bade7dff5385c70365dff222119bb87f588c368faf7da3c2e114156c3e
Instruction ID: caee07f45737fe231c7a93f74cc810296619472943b592d4584161aff29910d8
Opcode Fuzzy Hash: 23acb3bade7dff5385c70365dff222119bb87f588c368faf7da3c2e114156c3e
Instruction Fuzzy Hash: 9252357564430ADFDF309E34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8643D, Relevance: 2.0, Strings: 1, Instructions: 779COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: f29b5e1283c1c5d60966ee52a8722e7a410c95e151c43d2fc46479989660573f
Instruction ID: 97dba1581f74ed6fce9eb5ac211fa5b08f5a521e569aad35176e31a37a535ce9
Opcode Fuzzy Hash: f29b5e1283c1c5d60966ee52a8722e7a410c95e151c43d2fc46479989660573f
Instruction Fuzzy Hash: B152357564430ADFDF309E34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86455, Relevance: 2.0, Strings: 1, Instructions: 768COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 712801cc2b8698896342e85108256aae4c438d67c61a9c764f5b67883d9506c2
Instruction ID: 15a4ecb8a522b7ff9ca11147dfce2cb408bfa108ceb460d7a2e84c9f01bccb2b
Opcode Fuzzy Hash: 712801cc2b8698896342e85108256aae4c438d67c61a9c764f5b67883d9506c2
Instruction Fuzzy Hash: 0452357564430ADFDF309E34CDA53DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86479, Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 87c31667cf4a01e62c8fcfc47dc35eb8fbdc1fc9963842bac66c470fbd59bb25
Instruction ID: 677efa1121b5a6cb432a42e16efacf018e3287fb2e9e2559d3f381bb17d38c1e
Opcode Fuzzy Hash: 87c31667cf4a01e62c8fcfc47dc35eb8fbdc1fc9963842bac66c470fbd59bb25
Instruction Fuzzy Hash: 4152357564430ADFDF309E34CD953DA77A2FF55394F95822ADC8A8B244D3348A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86536, Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 62ff76b23b1c9d4cec95334166462a774fc8f0163b970914b7bb43bec6784706
Instruction ID: 863ade99a6c85013f7a955dda868c793999cdd051b2a16d2044461feebefbea2
Opcode Fuzzy Hash: 62ff76b23b1c9d4cec95334166462a774fc8f0163b970914b7bb43bec6784706
Instruction Fuzzy Hash: 1252457560434ADFDF309E34CD953DA7BA2FF55394F95822ADC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C864DD, Relevance: 2.0, Strings: 1, Instructions: 750COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: e3c0cded36cfd576773de15c3824b47a653cc4e393973645f3da6ad32ba962fa
Instruction ID: ca22a081a997ec887fcfec443856d99efacc6a0202e9dba19998d64629ab737f
Opcode Fuzzy Hash: e3c0cded36cfd576773de15c3824b47a653cc4e393973645f3da6ad32ba962fa
Instruction Fuzzy Hash: 3F52357564430ADFDB309E34CD953DA77A2FF55394F95822EDC8A8B244D3348A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C864E5, Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: c701a7900a853e090045693cb52a1d721ca98d6326f062561eaf5d07abf78cdb
Instruction ID: e7e95df9a03c6a3f63c2bdbd24f0a5a1576af3ebe0a43b99cde334866d09b6fa
Opcode Fuzzy Hash: c701a7900a853e090045693cb52a1d721ca98d6326f062561eaf5d07abf78cdb
Instruction Fuzzy Hash: 0352357564430ADFDF309E34CD953DA77A2BF55394F95822EDC8A8B244D3348A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C864F1, Relevance: 2.0, Strings: 1, Instructions: 745COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 83d185ad082e74f08442ca99eaf0adefb4ff9fc718c958d10cce1c01af636c9e
Instruction ID: f25b23c91bc6c9a6ed210852ac806aaa04841b8fc73f401890da8c032bf2cf9d
Opcode Fuzzy Hash: 83d185ad082e74f08442ca99eaf0adefb4ff9fc718c958d10cce1c01af636c9e
Instruction Fuzzy Hash: 9152347564430ADFDF309E34CD953DA77A2BF55394F95822EDC8A8B244D3348A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C865CD, Relevance: 2.0, Strings: 1, Instructions: 720COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 5becc6efa2f5b636474e80caaa260248928f9f53d74e733f162ca8b5a94fd95f
Instruction ID: e7ef49295d8b028b9a7ad9cd5823c7bc7a4ed66436ae91b8658d781f09cc605f
Opcode Fuzzy Hash: 5becc6efa2f5b636474e80caaa260248928f9f53d74e733f162ca8b5a94fd95f
Instruction Fuzzy Hash: B842357564430ADFDF309E38CD953DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C865C2, Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 8e0f94e268feb4eedae5f87f1d8a3327c4fb807c14baaf848c8f9e33c9c6afc0
Instruction ID: 9edd14102d926847d639d9785d0aa79164fe9c3b3d3c279072aa075651a0c595
Opcode Fuzzy Hash: 8e0f94e268feb4eedae5f87f1d8a3327c4fb807c14baaf848c8f9e33c9c6afc0
Instruction Fuzzy Hash: 2742357564430ADFDF309E38CD953DA77A2BF55394F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C865F1, Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 6bb954ec830e13f73230a2d95cfe6adc35136513aeeecb4b11aa70a5abecea12
Instruction ID: b6bbe0bd46161aa1f7f263caf32b68e26f17602772ad3b8a81349c7e5abba3c0
Opcode Fuzzy Hash: 6bb954ec830e13f73230a2d95cfe6adc35136513aeeecb4b11aa70a5abecea12
Instruction Fuzzy Hash: 8342457560430ADFDF309E34CD953DA77A2BF55394F95822EDC8A8B244D3348A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86695, Relevance: 1.9, Strings: 1, Instructions: 674COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: cd8cbbe4ffc3eed50fb32255d4556049b3f700b1ce1144762a6141abecd783cd
Instruction ID: f603e8b63977dffcf22b9982c3fb7e0ed1fe75a422572be1f5c0caef0f46afa3
Opcode Fuzzy Hash: cd8cbbe4ffc3eed50fb32255d4556049b3f700b1ce1144762a6141abecd783cd
Instruction Fuzzy Hash: E442357564434ADFDF309E34CD943DA77A2BF55394F95822EDC8A8B244D3308A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C866B9, Relevance: 1.9, Strings: 1, Instructions: 663COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: fa3a011d30d40f07078ebdba792537262076a6487fd824114f6216af2362064c
Instruction ID: c9ecdb7517081513d432da8b84d5ffaac941197b14fdd1ba2dd2c516dee355e5
Opcode Fuzzy Hash: fa3a011d30d40f07078ebdba792537262076a6487fd824114f6216af2362064c
Instruction Fuzzy Hash: 3042357564434ADFDF309E34CD953DA77A2BF55394F95822ADC8A8B244D3308A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86729, Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 057fdb0e6925862affaaf6994db25d1235a2df93ab41b4afcfdd9410c9b300db
Instruction ID: 78f4921ac474abdd99db1269baf79f9b7d6e7350177292311f76e10f5c87fe0a
Opcode Fuzzy Hash: 057fdb0e6925862affaaf6994db25d1235a2df93ab41b4afcfdd9410c9b300db
Instruction Fuzzy Hash: DB323575644349DFDF309E34CDA47DA77A2BF55394F95822EDC8A8B244D3308A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C86735, Relevance: 1.9, Strings: 1, Instructions: 643COMMON

Download Yara Rule

Strings

aI>, xrefs: 02C8681F

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: c07c88b519fc1afd98294aeb6535e56697421d5cc429669d789204a7878587b1
Instruction ID: 0cf5f29c7e05618d0f1199b8c38997afa8cb5b80239d22d8ca5fe564774886c1
Opcode Fuzzy Hash: c07c88b519fc1afd98294aeb6535e56697421d5cc429669d789204a7878587b1
Instruction Fuzzy Hash: 42323575644349DFCF309E34CDA47DA77A2BF55394F95822EDC8A8B244D3308A8ACB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C82A5B, Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

iEO, xrefs: 02C80B21

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: iEO
API String ID: 0-3111029432
Opcode ID: b7aebd9b4623e545d6532ac5276e35d9ad0a0e059ce9dbe45d9e7b702853ae14
Instruction ID: 068f1e6680d38fb7113c156497536c55ed08e2a192053cb1c8d6319bf9d4b3cf
Opcode Fuzzy Hash: b7aebd9b4623e545d6532ac5276e35d9ad0a0e059ce9dbe45d9e7b702853ae14
Instruction Fuzzy Hash: 88E19971A04346DFDF30AE788D947EB37A7AF96390F85812EDC8A97244D3718985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C841D1, Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: ef794f2f18c7f6f6b4b315dce1ec547ae4f62383136b3a09e084e1260bafe447
Instruction ID: 4359513468b424b3926ebef9a76a61c9a7386987f0c3b3e432ca837ce6d0a150
Opcode Fuzzy Hash: ef794f2f18c7f6f6b4b315dce1ec547ae4f62383136b3a09e084e1260bafe447
Instruction Fuzzy Hash: 4EF1F07570074ADFDB38DE28CDA47EAB7A2BF55354F85822DDC898B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C841F5, Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: f4c9b9df25fe5509a403fc9afb870b62a1ea4a060c4178358df8976fdcc33ea0
Instruction ID: 7badf6a60a3be575656a309aba50d9ebb2d9bfd72ce6722f43bacf592e79a0a6
Opcode Fuzzy Hash: f4c9b9df25fe5509a403fc9afb870b62a1ea4a060c4178358df8976fdcc33ea0
Instruction Fuzzy Hash: 2AF1E07570074ADFDB38DE28CDA4BEA77A2BF55354F85822DDC898B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DA43, Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: b4b7aaf84cff93b8d20aca07eb3f4d82e17e106b55ced197efb58d1ed19bbeb2
Instruction ID: 5f14de91de237bbfd0bbb6f26abd2d8067b44a574c3d3e8e1d6181562aca4585
Opcode Fuzzy Hash: b4b7aaf84cff93b8d20aca07eb3f4d82e17e106b55ced197efb58d1ed19bbeb2
Instruction Fuzzy Hash: 07D15971604349DFDF38AE788DA43EE37A3AF95354F95812ADC4ACB214D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C84289, Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 4b0b316796cf9a127fd9ec59902aee3a2553e7b89bcce054a415e5b7721049e9
Instruction ID: bc647f9b47871384d16326ab38330c12a2a07b049c32c68214432021b2291612
Opcode Fuzzy Hash: 4b0b316796cf9a127fd9ec59902aee3a2553e7b89bcce054a415e5b7721049e9
Instruction Fuzzy Hash: C8E1227570074ADFDB38EE28CDA4BEA77A2BF55354F85822DDC898B240D7319A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C84295, Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 1ac400f5304103acf4c481e1b9ab22a5ea84a797c93603255754f4e4b117e9d7
Instruction ID: 32e2a8704ef1b7bffac8fc3c4b096d34a068e5ead366102f0863751d2d9212ca
Opcode Fuzzy Hash: 1ac400f5304103acf4c481e1b9ab22a5ea84a797c93603255754f4e4b117e9d7
Instruction Fuzzy Hash: F0E1227570478ADFDB38DE28CCA4BEA77A2BF45354F85822DDC898B240D7319A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8427F, Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 824dd1e2c1f84eb4f02fddd11d9bd2b2d8d89c2c1525be2f8e4790c8f29c93f5
Instruction ID: 9042f57f1e59039127125d658ffe6f5db6a8d5d15674a6f7266321f8a3728370
Opcode Fuzzy Hash: 824dd1e2c1f84eb4f02fddd11d9bd2b2d8d89c2c1525be2f8e4790c8f29c93f5
Instruction Fuzzy Hash: 2EE1117570078ADFDB38DE28CDA4BEA77A2BF55354F85822DDC898B240D7319A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C625, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 816514643a8a6e2bf3e00bd2666e13ee1ebbe483270ad931ac73fa75b8d13f5c
Instruction ID: ab9129ca074c9250ae6acd183b454a515e76a826ac2ff122c2b16a749884b0ee
Opcode Fuzzy Hash: 816514643a8a6e2bf3e00bd2666e13ee1ebbe483270ad931ac73fa75b8d13f5c
Instruction Fuzzy Hash: 15E123305083828EDB369E3889987DA7FD29F53364F59C2AACCD98F1D6D3358645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C842AD, Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 82830b3442513a34e879c51a19c256ff78792510fc694cc72e0e00f69bfcfccc
Instruction ID: 4794871ce8eb375e24683955a75c4d84d25653161749254beaf86ef8951921f5
Opcode Fuzzy Hash: 82830b3442513a34e879c51a19c256ff78792510fc694cc72e0e00f69bfcfccc
Instruction Fuzzy Hash: 75E1E17570074ADFDB38DE28CDA4BEA77A2BF55354F85822DDC898B240D7319A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C631, Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 73c8d7aed651a5e9754a2429ce32c122ef068d66671dd9e66bc686bed0de89fd
Instruction ID: dd8f3b96e6e2d58f3cee54fdd89e988866994bb7bdd20f51416406900a9f660f
Opcode Fuzzy Hash: 73c8d7aed651a5e9754a2429ce32c122ef068d66671dd9e66bc686bed0de89fd
Instruction Fuzzy Hash: BFE112305083828EDB369E3889987D67F929F53364F59C2AACCD98F1D6D3348645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C649, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 7ff19d9ca760e23d5264f507b72c7a32ff921b31c866e71d4634e9ebf25e793a
Instruction ID: c0dec8f528fd24fe57f491a9701ef2b861dcdc6ae7d303116e2e06bba76d3b75
Opcode Fuzzy Hash: 7ff19d9ca760e23d5264f507b72c7a32ff921b31c866e71d4634e9ebf25e793a
Instruction Fuzzy Hash: D8D112305083868EDB369E3889A87D67FD29F53364F59C2AACCD98F1D6D3348645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C6BD, Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 5ee91177fbd28ea985e5c6d9bdf0a66dd88692d0726abd371371b18e855f1014
Instruction ID: c064b6f65b799264111ec63a47126d9cb74a020505e215fe50e225d192ccaff0
Opcode Fuzzy Hash: 5ee91177fbd28ea985e5c6d9bdf0a66dd88692d0726abd371371b18e855f1014
Instruction Fuzzy Hash: B3D101205083C68EDB369E3889987DA7FD29F53364F59C2AACCD98F1D6D3344646C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C84351, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: a3c278c09171853f7c74d595d6024214df5f0bf7af920bd8b654fc112db38e7b
Instruction ID: ff9eb9bed2e55653058ad093297c74eca7841cd4ae3e59712b8269b1c30344ff
Opcode Fuzzy Hash: a3c278c09171853f7c74d595d6024214df5f0bf7af920bd8b654fc112db38e7b
Instruction Fuzzy Hash: CBD1017570074ADFDB38EE28CDA4BEA77A2BF59354F85822DDC898B240D7319A41CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C6C9, Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 9ad0d2d963cbad7784a101d449621528bacc4a816076ec2fead280001a4d4b4a
Instruction ID: a2b70817f85116f95f02c8cfd20931f0701dd00857023cc27fce242a015eb667
Opcode Fuzzy Hash: 9ad0d2d963cbad7784a101d449621528bacc4a816076ec2fead280001a4d4b4a
Instruction Fuzzy Hash: 34D111305083C68ECB369E3889987DA7F929F53364F59C2AACCD98F1D6D3344646C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C735, Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: e4123d340a36be770c52fc0b2c36bbea09890147e870581cd50e541e535b81d7
Instruction ID: c875a6cd3dc879b22177b04da3e0df9ae30a80a5dbff57fada89a2ff7f29a355
Opcode Fuzzy Hash: e4123d340a36be770c52fc0b2c36bbea09890147e870581cd50e541e535b81d7
Instruction Fuzzy Hash: 32C101305083C68ECB369E3889A87DA7F929F53364F59C2AACCD98F1D6D3744645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C759, Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 3ce5da93de3019d426fb58675360fdee04ff41233986a126c804f040eb0da7ca
Instruction ID: c462c451d2c683826faa427806a25db0c368253f94e2a6120e50f7b7e7db3496
Opcode Fuzzy Hash: 3ce5da93de3019d426fb58675360fdee04ff41233986a126c804f040eb0da7ca
Instruction Fuzzy Hash: 26C101315083C68ECB369E3889987DA7FD29F53364F59C2AACC998F1D6D3344645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C741, Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 89cd3e32377d10d63fe7f0fde821be7b93dc20363edf9365d151b22943d2a3d8
Instruction ID: a6f1d24503c69eeb72b1e7c777f81688949ef7fbaa9517ca62528ce171a5e123
Opcode Fuzzy Hash: 89cd3e32377d10d63fe7f0fde821be7b93dc20363edf9365d151b22943d2a3d8
Instruction Fuzzy Hash: CEC101305083C68ECB369E3889987DA7F929F53364F59C2AACCD98F1D6D3344645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C843D5, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: e074cc0be0b9b9c40093a8195ba187ee44cc97efc22c2dac91f09366810fc936
Instruction ID: a8cb5b96890dcfb3fef7bd63d216545a932268f867863ec82b480388d93f59c7
Opcode Fuzzy Hash: e074cc0be0b9b9c40093a8195ba187ee44cc97efc22c2dac91f09366810fc936
Instruction Fuzzy Hash: B9C1247560078ADFDB38EF28CDA4BEA77A2BF45354F85822DDC898B240D7319A41CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C843E1, Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 46f7d8b533cc2a2a19ec7274a68cb565a05ed5345fba1f6ba6125c5d9223ee9b
Instruction ID: bc745ea1222d04fc37d6106b969616d8d83db7d9b2f0563ace087391c3086ef5
Opcode Fuzzy Hash: 46f7d8b533cc2a2a19ec7274a68cb565a05ed5345fba1f6ba6125c5d9223ee9b
Instruction Fuzzy Hash: 5BC1257560078ADFEB38EF28CDA4BEA77A2BF45354F85822DDC898B240D7319941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C7E1, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: ae033feba62a43b2bb89aec9816ca5b2c65801145e2136a1597e2b7202ccdc2c
Instruction ID: d83472246aa5a460316bdaf5a54fdf49b16c6ab8c5220ef102b4949edcd04194
Opcode Fuzzy Hash: ae033feba62a43b2bb89aec9816ca5b2c65801145e2136a1597e2b7202ccdc2c
Instruction Fuzzy Hash: E9C10F305083C68ECB369E3889987DA7FD29F53264F59C2AACC998F1D6D3354649C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C7BD, Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 0798364f75e29edb34de6d4cad409a41d8ccb89632b7fcdc53d84d313548efb7
Instruction ID: 24138d7098188738c9f66eca56409ad896589418acb488b957664e08065ed6a8
Opcode Fuzzy Hash: 0798364f75e29edb34de6d4cad409a41d8ccb89632b7fcdc53d84d313548efb7
Instruction Fuzzy Hash: ABB132315083C68ECB369F3889987DA7FD29F53364F59C2AACC9A8F196D3344645C722

Uniqueness

Uniqueness Score: -1.00%

Function 02C854B5, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

iEO, xrefs: 02C80B21

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: iEO
API String ID: 0-3111029432
Opcode ID: 1ee82db64c71ea255a7792e32800ca059d297fa6cadd4dd8accc1a69a359408b
Instruction ID: 9e8a4f454f456144396dd63d703705a994a718eaf485c23302bf519cdf664533
Opcode Fuzzy Hash: 1ee82db64c71ea255a7792e32800ca059d297fa6cadd4dd8accc1a69a359408b
Instruction Fuzzy Hash: 29A1BA76604306CFDF306E388D943EE37A7AF92794F96812EDC8693244D7718989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8447D, Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 0761478b3b39ce8dfa81eed02958260ec080cc65fadfe3a928bbda5dec5cf184
Instruction ID: 54bc8f68f9bee83ad184b11333d671de22de73201826f54a6d2f42c5982b6ce2
Opcode Fuzzy Hash: 0761478b3b39ce8dfa81eed02958260ec080cc65fadfe3a928bbda5dec5cf184
Instruction Fuzzy Hash: 9EB1247570034ADFEB38EF28C9A4BEA77A2BF55354F45822DDC898B240D7319941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02C84475, Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: f34575e31b28534861bde432b7c43eda9c665f782387c76cadb4d1ef2343ffdb
Instruction ID: be7ccf4f3e976859bee760f47fe57d06a750610fab11b40070f25d776b2b1c51
Opcode Fuzzy Hash: f34575e31b28534861bde432b7c43eda9c665f782387c76cadb4d1ef2343ffdb
Instruction Fuzzy Hash: BCB1247570038ADFEB38EF28C9A4BEA77A2BF55354F45822DDC899B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DA89, Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 7626cac3d184d8b309c9c9aeb3c13a9eb6e2a8b19b7b38318f422c963bf80c1c
Instruction ID: 454e7a2a302e85137e847781a8e60ddf01df0a468eda89c5d298debbafd5226b
Opcode Fuzzy Hash: 7626cac3d184d8b309c9c9aeb3c13a9eb6e2a8b19b7b38318f422c963bf80c1c
Instruction Fuzzy Hash: EE915871604346CFDF38AE388DA03EA37A2AF95358F55812ADC8B8B255D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DA61, Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 5c427956cbf8e894d9b3b3d2cd8b794d47f91688826245e5f0a5d4c5f004c3e8
Instruction ID: 452211342ddc873a732a6b4e4d47e1ba4f1d45f57eccb2909c163fcd6565a86f
Opcode Fuzzy Hash: 5c427956cbf8e894d9b3b3d2cd8b794d47f91688826245e5f0a5d4c5f004c3e8
Instruction Fuzzy Hash: 37915A75504346CFDF38AE388DA43EA37A2AF95354F55812ADC8B8B255D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C844E5, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: da8d12b5119d43900b36a3c62aa4aa796f50fe9202cafaeb48b55250e24a0dcd
Instruction ID: 429a312bf6989f07ec40fceae096ccb349337a6feea9ec2873d3b30193167bc8
Opcode Fuzzy Hash: da8d12b5119d43900b36a3c62aa4aa796f50fe9202cafaeb48b55250e24a0dcd
Instruction Fuzzy Hash: BDA1227570478ADFEB38EF28C9A4BEA77A2BF45354F45822DDC898B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C8452D, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

O, xrefs: 02C8457C

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 7e62babfa64d03998940a9c5c5aaf2d4066653cd629b11e10b5e684ce8891090
Instruction ID: ad3e5fc2ca7c910e8df898dbeec51d27bcfd887398bdd59ee5d949572d56b032
Opcode Fuzzy Hash: 7e62babfa64d03998940a9c5c5aaf2d4066653cd629b11e10b5e684ce8891090
Instruction Fuzzy Hash: 3EA1237560078ADFDB38EF38C9A4BEA77A2BF45354F45822DDC898B240D731A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DAC7, Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: b7b903406ad721610c63cacfb8fe5b9773d9ee0a9da5a2089765d87578abe872
Instruction ID: 068d9114944aec3cf0c1812f50d184c3680e18a613d658d81e124376a84dc10a
Opcode Fuzzy Hash: b7b903406ad721610c63cacfb8fe5b9773d9ee0a9da5a2089765d87578abe872
Instruction Fuzzy Hash: 88916971604346CFDF38AE388DB47EA37A3AF96354F55812ADC8B8B255D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DB9D, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8780758c4a05f0e0924c3cdb93eb66fe7a5bbf383bf4edfea42dc5df7a41f924
Instruction ID: 534520aef8d86ef73e03a29666279ae44bbc0066136dbc5c7e573267e274f7b8
Opcode Fuzzy Hash: 8780758c4a05f0e0924c3cdb93eb66fe7a5bbf383bf4edfea42dc5df7a41f924
Instruction Fuzzy Hash: 6B914B35504345CFDF38AE388DA47EB37A2AF96354F95812ADC4A8B255D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DB5D, Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8c556c6ecc44a7aef9989ed545ac11e8dcaebb101f732b5f13e500ea66e8b200
Instruction ID: 314a8d8d76296bec5d8426babb56cbd1cfd106b464165a72c6296a53f80a66cc
Opcode Fuzzy Hash: 8c556c6ecc44a7aef9989ed545ac11e8dcaebb101f732b5f13e500ea66e8b200
Instruction Fuzzy Hash: 3C915A31504345CFDF39AE38CDA47EB37A2AF96354F95812ADC8A8B255D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DAF5, Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 3a1efd74c2d500370b9eb5af46a57870a3e3d5be534328e09d1e0e33b4ecaeeb
Instruction ID: 38771f210cb63b569e4425653078388d43b436ce4ca1fdacbb2f62926505086b
Opcode Fuzzy Hash: 3a1efd74c2d500370b9eb5af46a57870a3e3d5be534328e09d1e0e33b4ecaeeb
Instruction Fuzzy Hash: FF916971504346CFDF38AE388DB43EA37A2AF95354F95812ADC8A8B255D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DB47, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: f983ad9b9dbc7f44c8f57498dc2d9a09050f71fd9614c92487a2ea90592208c8
Instruction ID: 33244510941d837b210b539a049e9512ecdd040da896dcc41012b60a7aabb0c9
Opcode Fuzzy Hash: f983ad9b9dbc7f44c8f57498dc2d9a09050f71fd9614c92487a2ea90592208c8
Instruction Fuzzy Hash: 06916B71504345CFDF38AE38CDA43EB37A3AF95354F55812ADC8A8B255D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBA9, Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: d0a125cfb71f1e411363f1fbb7d375388137b1eed4cc99c56c130753e06420b5
Instruction ID: 1794eaf635a16e92d92ded14606fbe640977823327710715578d1662c34d7016
Opcode Fuzzy Hash: d0a125cfb71f1e411363f1fbb7d375388137b1eed4cc99c56c130753e06420b5
Instruction Fuzzy Hash: 8D814B31504356CFDF38AE38CDA47EB37A2AF95354F55812ADC8A9F245D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DB75, Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 143dc2804877522583cf82592b8bc178ab2591daee03ca447fd411044021321f
Instruction ID: 2c8d6b790c114412476f01132b51bd283c42968c4d088fd8b4f0f6ead5613efb
Opcode Fuzzy Hash: 143dc2804877522583cf82592b8bc178ab2591daee03ca447fd411044021321f
Instruction Fuzzy Hash: 28814931504345CFDF38AE388DA47EA37A2AF95354F96812ADC8A8B255D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBF9, Relevance: 1.5, Strings: 1, Instructions: 247COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 5ddafed952e38dcd890908ce12360ecfd7f49c569872ca8e317b209637f103a4
Instruction ID: 6380d2de7ab3c99ab6211da82437d89304781eecb47422ccec19188edd424f8a
Opcode Fuzzy Hash: 5ddafed952e38dcd890908ce12360ecfd7f49c569872ca8e317b209637f103a4
Instruction Fuzzy Hash: 82815931604355CFDF38AE38CDA47EB37A2AF96354F55812ADC8A8F255D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBB5, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8fdc945fffb5d406d78404300e70c84643322aca373bf7d90639f025206f8848
Instruction ID: 086c9f6cf7f79f9eccbfc0f7d1c5edf53e546e3241210cc9a3327124ce62c573
Opcode Fuzzy Hash: 8fdc945fffb5d406d78404300e70c84643322aca373bf7d90639f025206f8848
Instruction Fuzzy Hash: 3F816C31504355CFDF39AE38CDA47EB37A2AF95354F95812ADC8A8F245D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBED, Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 05311f6de4e0a7115c6fd0157d64218ab8032e5f1959bb66500d1daaa7c86403
Instruction ID: 5da07d2435436e1296dc2f8364c39155de246a1a7a6c667ca76bb70cb30c4895
Opcode Fuzzy Hash: 05311f6de4e0a7115c6fd0157d64218ab8032e5f1959bb66500d1daaa7c86403
Instruction Fuzzy Hash: 3A814A31604356CFDF39AE38CDA47EB37A2AF95354F55812ADC8A8F245D3308985CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBD5, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: b8658a586d34c1a9f9512dff6bec8599bdea0fae42dd0644f0b78813ae6449f6
Instruction ID: ac484a35d519cb941a9f0b750434b61d2f281caa4172f5221fd44c8e80256605
Opcode Fuzzy Hash: b8658a586d34c1a9f9512dff6bec8599bdea0fae42dd0644f0b78813ae6449f6
Instruction Fuzzy Hash: 9F815A31604355CFDF39AE38CDA47EB37A2AF96354F55812ADC8A8F255D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8DBCD, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

bhg, xrefs: 02C8DC01

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 3dbc525154272dfd943c96bc01e80ed3ec79f282132713329857a716e72d46b2
Instruction ID: f4321b27c926170d0edb2908714f1c5ef36d9a7fd72af961cf3634df33e5c855
Opcode Fuzzy Hash: 3dbc525154272dfd943c96bc01e80ed3ec79f282132713329857a716e72d46b2
Instruction Fuzzy Hash: 3B815B31604355CFDF38AE38CDA47EB37A2AF95354F95812ADC8A8F245D3308985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8568B, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

"i7, xrefs: 02C85720

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: "i7
API String ID: 0-1634374468
Opcode ID: a235018ffa1c9106ad1e4852b6fb5e7dcaa7714f2e36fd0ac596b049d000b476
Instruction ID: ba814a7b664c3363881c7c27f82467f70a770fb3de7d02d7f76c41d960f621fd
Opcode Fuzzy Hash: a235018ffa1c9106ad1e4852b6fb5e7dcaa7714f2e36fd0ac596b049d000b476
Instruction Fuzzy Hash: 7E7178B42003059FD724AE35C9A87EA77A2FF593A4F92C22DDC4A8B251D370C984CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CA0D, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 28cf39a8a0690ce9488f7e9892a4a541bc26d48687eee57e0f4f7c289604014d
Instruction ID: e2642ce08309fb3a836c334300a97a17ed57b9dd8afcdfe64d0713759e8033d9
Opcode Fuzzy Hash: 28cf39a8a0690ce9488f7e9892a4a541bc26d48687eee57e0f4f7c289604014d
Instruction Fuzzy Hash: 4B6148705083858BCF3AAE348DA43EA7B92AF57364F55C1AACC8A8F246D7740745C726

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CA19, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 84d456441833da8346a876775f03eb469ca8b399f7a3a0f418440c6a663c80cd
Instruction ID: e97eec8e2a69666df64680f00d731b23d3f01fd99fed97a20490e5793131be8d
Opcode Fuzzy Hash: 84d456441833da8346a876775f03eb469ca8b399f7a3a0f418440c6a663c80cd
Instruction Fuzzy Hash: EB6159305083858FCF3AAE3489A43EA7B92AF57364F55C1AACC8A8F246D7740745C727

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CA25, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 595d3fdf8f2b33ae2c9713864f1184d69091b32f4271fc055bc01f5e97dd2372
Instruction ID: 1a5dee37b9d238c5169507b6d3c2653130cbe82bc4523b5fe1405482436655fd
Opcode Fuzzy Hash: 595d3fdf8f2b33ae2c9713864f1184d69091b32f4271fc055bc01f5e97dd2372
Instruction Fuzzy Hash: 1C6139705083858FCF3AAE3489A43EA7B92AF57364F55C1AACC8A8F246D7740745C726

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CAC5, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: a7a21a42b99cb1e4c5dbd48d591459e1001b33d42fad008aaf02ae4ebcb33b10
Instruction ID: cf50ea22eb8115048b6b6694d2f636d164aef661ba441fb1e3473119f845b0d6
Opcode Fuzzy Hash: a7a21a42b99cb1e4c5dbd48d591459e1001b33d42fad008aaf02ae4ebcb33b10
Instruction Fuzzy Hash: 9A5106305043858FCF35EE3889943E97BA2AF57364F54C1AACC9A8F245D7740745CB26

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CAA1, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 0c73012c94791b2f2a47d55bdcc0829852e2feade797ebcd8e7809f4014c0d29
Instruction ID: c7f76aa40362c9033f5853e21a5c1ada91f3ffd28933feac3f0d7c183f887f9f
Opcode Fuzzy Hash: 0c73012c94791b2f2a47d55bdcc0829852e2feade797ebcd8e7809f4014c0d29
Instruction Fuzzy Hash: C65137305043858BCF39AE3489A43E97BA2AF57368F54C16ECC9A8F245D7740745CB26

Uniqueness

Uniqueness Score: -1.00%

Function 02C8CAAD, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

a#eT, xrefs: 02C8CCB8

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: bc41698448eecbdcb80a7cc4507788c1f832140bfc18e494cd6820ad0a8e8ebe
Instruction ID: 1cde8ea3ef01009997b16e4ea23e53d4dd20d630afe779f445850f89ce126359
Opcode Fuzzy Hash: bc41698448eecbdcb80a7cc4507788c1f832140bfc18e494cd6820ad0a8e8ebe
Instruction Fuzzy Hash: 095127305043898FCF39AE348AA43E93BA2AF56364F54C16ECC8A8F245D7740745CB26

Uniqueness

Uniqueness Score: -1.00%

Function 02C80459, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

Si, xrefs: 02C807B5

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 250d0668b3eed54e68f22fb250813a06d32950da3d4dd32f613e66621ad7ab6a
Instruction ID: 8cfaad19a570c222e0fe78281ebfe7ea0472e46a056190f8cb1427fc54c06c86
Opcode Fuzzy Hash: 250d0668b3eed54e68f22fb250813a06d32950da3d4dd32f613e66621ad7ab6a
Instruction Fuzzy Hash: 04418C7A5043059BDF203A748D643EB37A39F862B4FD2462FCC96A7144E3348D8ACA53

Uniqueness

Uniqueness Score: -1.00%

Function 02C80465, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

Si, xrefs: 02C807B5

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 5f17c24ff712623d3801295fad02c28b3f73f8df34df5b14fd2f81d67dc312a9
Instruction ID: c9d69e1fbd98777f8978f4df0ec7a28139fc081acefeb51d94357a03c431e8cd
Opcode Fuzzy Hash: 5f17c24ff712623d3801295fad02c28b3f73f8df34df5b14fd2f81d67dc312a9
Instruction Fuzzy Hash: 4E416B765053059BDF203A758D643EB37A29F863A4FD2462FCC86A7144E3348D8ACA53

Uniqueness

Uniqueness Score: -1.00%

Function 02C8047D, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

Si, xrefs: 02C807B5

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 4d4597722c1683dc18494ddcf1f124dfc0fd30876e3622dff4ad0341813271be
Instruction ID: f2adc021b2715c6ab22aa11282180779cf0c6ee5b48c8cb4ba3d93668a2ee330
Opcode Fuzzy Hash: 4d4597722c1683dc18494ddcf1f124dfc0fd30876e3622dff4ad0341813271be
Instruction Fuzzy Hash: 084179765053069BDF203A758D653EB37A39F862A4FD2062FCC86A7144E3348C8ACA53

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B361, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

`, xrefs: 02C8B566

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: dd0e7020e78277c09dae0cc1379f8ba27fa3b48f40b81d9b8218d04b8ac9a702
Instruction ID: e1bf85dc7cecdbbdfb5224f2aac2985f7c68b562fc02dca5eeaac521c4d05edc
Opcode Fuzzy Hash: dd0e7020e78277c09dae0cc1379f8ba27fa3b48f40b81d9b8218d04b8ac9a702
Instruction Fuzzy Hash: B2417B76404749CBDF349D288D793DB23A3AFE2294FC6812ACC99C7195D3351A8ACB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B3F9, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

`, xrefs: 02C8B566

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: ead3d8e056320efb0977b333a9961edfdb850d66008ff172d2783a0227491398
Instruction ID: 2e83a7931a6e3a657d08487788f80f4e309cdb761aa4f8446ad24cec05d1001c
Opcode Fuzzy Hash: ead3d8e056320efb0977b333a9961edfdb850d66008ff172d2783a0227491398
Instruction Fuzzy Hash: A8316D7544474DC7DF34AD2989B93DF23A3AFE1298FD2812ACC89C7184D7351A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B3BD, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

`, xrefs: 02C8B566

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 584650d0a8e4d1cdc0881830f5643fa3b310be914d1041a12fa0b30cbabe29d6
Instruction ID: 8b5d2492c905447bdfc2b80cc60ec844c5e99b4aab6c7af750f01d23aa73a3fd
Opcode Fuzzy Hash: 584650d0a8e4d1cdc0881830f5643fa3b310be914d1041a12fa0b30cbabe29d6
Instruction Fuzzy Hash: 34316A71444749C7DF349D3989B93DB22A3AFE1294FD2812ACC89C7184D7354A86CF06

Uniqueness

Uniqueness Score: -1.00%

Function 02C86A89, Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b057446b50fa22a631b3f87d0ce4850f6237fb81d8c84e3bde2a86897720ceb
Instruction ID: 05c6f9f7a1291a6f654f1b5ba37c945dda42562378c0f1db0d9e251fd93fc5e7
Opcode Fuzzy Hash: 2b057446b50fa22a631b3f87d0ce4850f6237fb81d8c84e3bde2a86897720ceb
Instruction Fuzzy Hash: 12025775644349DFCF309E38CD947EA37A6BF55394F95822EDC8A9B244D3308A8ACB01

Uniqueness

Uniqueness Score: -1.00%

Function 02C86A7D, Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae899c7c8065634da4583b1c69696b7249a0960aa691aaf7dc0f3b6e87dc5a54
Instruction ID: 5af4d7722182acc251628a459d24a3fa413c151a2cd46b2dd7c919e0e183cbdb
Opcode Fuzzy Hash: ae899c7c8065634da4583b1c69696b7249a0960aa691aaf7dc0f3b6e87dc5a54
Instruction Fuzzy Hash: FD025875644349DFCF309E38CD947EA37A6BF55394F95822EDC8A9B244D3308A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C86B2D, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4662e426a4c974dc6f078ecd85431f37633e83e3133353826099bbd9be1d2645
Instruction ID: c5248e7ac881e3311c79f3bf649de4b5e751ac32a947b2cd478ea47c996396cd
Opcode Fuzzy Hash: 4662e426a4c974dc6f078ecd85431f37633e83e3133353826099bbd9be1d2645
Instruction Fuzzy Hash: 56022675644349DFCF309E38CD947EA37A6BF55394F95822EDC8A8B244D3318A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C86BFD, Relevance: .4, Instructions: 443COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7248d92ab9ec6935ab7bb10cb8149ade6510db75ba0f3a53fbd9553db4c0f7ee
Instruction ID: d7dc259a60930f182f616dba908275ebcfe7c118521d341d82db16ca6ccfb72d
Opcode Fuzzy Hash: 7248d92ab9ec6935ab7bb10cb8149ade6510db75ba0f3a53fbd9553db4c0f7ee
Instruction Fuzzy Hash: F8F13875244349DFCF349E38CD947EA37A6BF55394F95822EDC8A8B244D3318A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C86BC9, Relevance: .4, Instructions: 442COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 090bf7d4312791825229c01a806b9fb70d2f799f735150b98632c305d7b6ffb4
Instruction ID: ced8af1225c479a33ef23f8c995e706c771219c4a28abca8cb75e9ebce45e6f7
Opcode Fuzzy Hash: 090bf7d4312791825229c01a806b9fb70d2f799f735150b98632c305d7b6ffb4
Instruction Fuzzy Hash: FEF1497524434ADFCF309E38CD947DA77A6BF55394F95822EDC8A8B244D3318A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C83A45, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b2f31fbf75345dfe7fbd64fb20e2b86a230ebbdbb05a3cd4ef77781196b8d6
Instruction ID: 0b3e5d1076bea59fec34d0a21d24afaabb827d16fc5ba8845dfd21c6c33ba49b
Opcode Fuzzy Hash: e6b2f31fbf75345dfe7fbd64fb20e2b86a230ebbdbb05a3cd4ef77781196b8d6
Instruction Fuzzy Hash: 8C91F571604389DFDB34AE79DD643EA77B6AF95B94F95802EDCC997144C3308A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C87010, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78625319891c41fc4ffc92f1061ece053d33711a913498af378fecdaed59f10
Instruction ID: 82936c69af40071eaa0a10f70515664a97b397f03394de93a4027be134fe7fda
Opcode Fuzzy Hash: c78625319891c41fc4ffc92f1061ece053d33711a913498af378fecdaed59f10
Instruction Fuzzy Hash: 8FA16A742443498FDF359E34CDA47EE37A2BF65394F94822DDC8A8B244D7318A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C83A31, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d9724f5fe56ee9f9a55b51e5129d3cf856878e3e271bacc7e890ddffbadc5a
Instruction ID: b1968e7a698b76d570031ddd4e111983d5ab15b277f8866285b5b4a3429a2061
Opcode Fuzzy Hash: d8d9724f5fe56ee9f9a55b51e5129d3cf856878e3e271bacc7e890ddffbadc5a
Instruction Fuzzy Hash: 9D910671604389DFDB30AE799D643EA77B6BF95B90F95802EDCC997144C3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C83A5D, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a8b270096ef6acada18acb7964ad164fe847d80269d15a62a2259b6449d0fe
Instruction ID: 695975a6e37d5b9e6f78cb13bf8f6a6a302c8fb1f7f1d37480cc6c9aa8a8c6e2
Opcode Fuzzy Hash: 66a8b270096ef6acada18acb7964ad164fe847d80269d15a62a2259b6449d0fe
Instruction Fuzzy Hash: CB91F571604389DFDB34AE7999643EA77B6AFA5790F96802EDCC997144C3308986CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C83A9C, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9ccd4afbc7961c64c900ce9a2d757240127ea794fe0b1d083e33ebff978290
Instruction ID: 672d96b55fb0e138a5cc8fb6fdf0324575e0ec8d9eed8cd76327d045130c3e93
Opcode Fuzzy Hash: 3b9ccd4afbc7961c64c900ce9a2d757240127ea794fe0b1d083e33ebff978290
Instruction Fuzzy Hash: 9C812772604389DFCF30AE79D9943EA77B6AF95B90F95806EDCC597104C3309982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C83AB2, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0537271e1acc0d6041dc516f0129d45e86e1cc35dd138eed34e82771f5e62b1
Instruction ID: 4c04d85517cbc2073f44af64f58d3509f5be2d36436ca9be7fa34fdfa565699c
Opcode Fuzzy Hash: c0537271e1acc0d6041dc516f0129d45e86e1cc35dd138eed34e82771f5e62b1
Instruction Fuzzy Hash: 15912672604389DFCB30AE79D9943EA77B6BF95B90F95806EDCC597104C3319982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C8702B, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67b452794c41a563d06ed51f9ca5e1e135f07870c5f89a62d3fe4ec75db744b
Instruction ID: 7746debd6fbc246b79468b768719998f6378dd1afaf24c8f64246787ef1b6443
Opcode Fuzzy Hash: f67b452794c41a563d06ed51f9ca5e1e135f07870c5f89a62d3fe4ec75db744b
Instruction Fuzzy Hash: 3D91377424434A8FDF359E34CDA47DA37A6BF69394F94422DDC8A8B244D7318A8ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C83B0D, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6a3fe80276206a6ee8306beb8dbc16f3cabd67479f350eb233707bd17283ed
Instruction ID: 51f1493e3ecc09aab2963b7b5cceba3703d1802fcee648e4184175efa7fdb7be
Opcode Fuzzy Hash: 4d6a3fe80276206a6ee8306beb8dbc16f3cabd67479f350eb233707bd17283ed
Instruction Fuzzy Hash: 5B810571604389DFDB30AE39D9A43EA77B6BFA5790F95802EDC8597144C3309A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C83BA6, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52cbf930aaf496122c48cd39abf4137c2c76123bf54c4a6ce8fe340afd4f76d6
Instruction ID: c580b89fccfde636f463a909cb2c2df46527ed9debed63f13db306f00a2824b4
Opcode Fuzzy Hash: 52cbf930aaf496122c48cd39abf4137c2c76123bf54c4a6ce8fe340afd4f76d6
Instruction Fuzzy Hash: 5C812832604389DFDF30AE39D9547DA77B6BF95790F95802EDC8997144C3309982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02C82A40, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e46a50c1ecd4f01469e11048dcea284b8fb8813f8bc327860b0e0c14f2fba8
Instruction ID: 993fed2cb9ef6f7f2c47cb912a3e384f118e335abcff789bd2f9604d24fe047b
Opcode Fuzzy Hash: c3e46a50c1ecd4f01469e11048dcea284b8fb8813f8bc327860b0e0c14f2fba8
Instruction Fuzzy Hash: 7F714D75604386DFEF30AE79DC987DB37A6AF593A0F80412EDC899B244D7714E818712

Uniqueness

Uniqueness Score: -1.00%

Function 02C82A81, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a22c27569949072b101ab18c518fc05fa04ec410f4037e9f1dd8c6cfb6b6441
Instruction ID: a6c3203fd64fea7f10968723bfb675f4d02951c652783202c1fcf05fbffefa98
Opcode Fuzzy Hash: 7a22c27569949072b101ab18c518fc05fa04ec410f4037e9f1dd8c6cfb6b6441
Instruction Fuzzy Hash: D1715D75604386DFDF30AE79DC987DB37A6AF593A0F80412EDC899B244D7714A81C712

Uniqueness

Uniqueness Score: -1.00%

Function 02C82A8D, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2997f3ec6d1f80f09bda3628f449053c7ed07e9b7bb0366c21ef975d2d5103c
Instruction ID: 87e05c1cf9d04787a7696d1f7234e19333bd906ea3ae488dcc360ceefc76c974
Opcode Fuzzy Hash: b2997f3ec6d1f80f09bda3628f449053c7ed07e9b7bb0366c21ef975d2d5103c
Instruction Fuzzy Hash: EB715D75604386DFDF30AE79DC987DB37A6AF59390F80412EDC899B244D7714A81C712

Uniqueness

Uniqueness Score: -1.00%

Function 02C87109, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c5014b0ad37c3f2812c919d9ba913e731c2d9bd0d2173ea28e1af8326ae3bf
Instruction ID: f8d007a95b796760f776b5ad7c1329815eb6c5e617ec0eab51ab166fec227322
Opcode Fuzzy Hash: 84c5014b0ad37c3f2812c919d9ba913e731c2d9bd0d2173ea28e1af8326ae3bf
Instruction Fuzzy Hash: 63817A742453498FDF359E34CDA47EA37A2FF5A384F94822DDC8A8B244D7314A89CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C82A79, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6690fd6e805d00fbf4c3513a13dfe1962ae3f78d33f7c40266ab68adee8885bb
Instruction ID: ff3cd5a0a3201d3f9e935aa474d355af240d8a70863dd726c9310e0799fe32d5
Opcode Fuzzy Hash: 6690fd6e805d00fbf4c3513a13dfe1962ae3f78d33f7c40266ab68adee8885bb
Instruction Fuzzy Hash: E0714A75604386DFEF30AE79DC987DB37A6AF593A0F80412EDC899B244D7718A81C712

Uniqueness

Uniqueness Score: -1.00%

Function 02C83BB1, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029157db7dbdf0bc79b63e721eb5be16122302863a7f470c317b8f8fd4d59ee4
Instruction ID: 3c6fe146f4a704a0d7410adaeb57aadd1f94003a0c8e528e843654fea89c56a1
Opcode Fuzzy Hash: 029157db7dbdf0bc79b63e721eb5be16122302863a7f470c317b8f8fd4d59ee4
Instruction Fuzzy Hash: F5711532204389DFDF30AE3999647EE77B6AF95B90F95846EDCC997104C3309982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C83BBD, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc36b9b7cf8784583011d818f0c46d2bbddcf74e94aad4c34eb1c826e9a67cfd
Instruction ID: 3a4540e852d4985863ec65ec0bf8ab4a0ef7996a80d828c386b791593ce04883
Opcode Fuzzy Hash: fc36b9b7cf8784583011d818f0c46d2bbddcf74e94aad4c34eb1c826e9a67cfd
Instruction Fuzzy Hash: B4711532604389DFDF30AE39D9547EE77B6AFA5B90F95802EDCC997104C73099868B02

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BB05, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae8af74464b7edd24de20f1ea9026bcb25c9d4eb0e897d6cbe80a21c377cf38
Instruction ID: f9146a1494c2f115ae1452dd8fa1cbe36d1feb3dde89f44afd20832bfacec256
Opcode Fuzzy Hash: eae8af74464b7edd24de20f1ea9026bcb25c9d4eb0e897d6cbe80a21c377cf38
Instruction Fuzzy Hash: 06619A756043069FDB349D24DDA47EB77A3AF9A348F85812ECC8997208D3309D87CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02C83BD5, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07bfba08d5051714cfbd89649e07e17fe04623d25f3cb5a9b234846979534e11
Instruction ID: 03c31ec82a5edbcc3f5c95ad09ee710d48ba1bbaa77e38cfe816bae1292fe7b4
Opcode Fuzzy Hash: 07bfba08d5051714cfbd89649e07e17fe04623d25f3cb5a9b234846979534e11
Instruction Fuzzy Hash: 49711532604389DFDB30AE39D9547EE77B6BFA5B90F95802EDCC997104C73099828B02

Uniqueness

Uniqueness Score: -1.00%

Function 02C82B0C, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777158fac981908e7ae7269b9e0261f76cfedaee10258c5b32ec4b55b69d4113
Instruction ID: 7dd0d6dcfe20c61da478318fa03b46c9c3c2f2447733fcd372cb64faa88c8105
Opcode Fuzzy Hash: 777158fac981908e7ae7269b9e0261f76cfedaee10258c5b32ec4b55b69d4113
Instruction Fuzzy Hash: C4613D75A04386EFDF71AE79DC987DB37A6AF593A0F804129DC899B244D7314A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02C84B10, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b767c11c7ec86df9b1e65562e32bb86ca11c730a0e2a027b07fb5553d0b2ae0
Instruction ID: 510b91d0e094e89a6bcb1e288bb2d18d65ab7946e5e43986cc62374bdd5bee81
Opcode Fuzzy Hash: 1b767c11c7ec86df9b1e65562e32bb86ca11c730a0e2a027b07fb5553d0b2ae0
Instruction Fuzzy Hash: B561D371B04B56CFDB38AE29CC607EA73A2AF55390F85822DDC89D7240DB329D85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BB1D, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f603094b055dd82539af02ac55acbdb3e3c891aa3c493208fb46110222d5462
Instruction ID: 5bd178833e295ee90d68e7ec37dd55aa52ad8fb1e7a7ac9a423f015cbbef0871
Opcode Fuzzy Hash: 7f603094b055dd82539af02ac55acbdb3e3c891aa3c493208fb46110222d5462
Instruction Fuzzy Hash: E66189716043059FDB349D24DDA47EA77A3AF8A348F85812ECC8997608D3305E87CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02C80B49, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3162b882483988bd4f2b26c5cad095704684ee228dcb779d299430df4c56bcf4
Instruction ID: 8a456a5f3f4d88b839d98c7c785613f1bdc375d60e7506ade211a55b43e9aba2
Opcode Fuzzy Hash: 3162b882483988bd4f2b26c5cad095704684ee228dcb779d299430df4c56bcf4
Instruction Fuzzy Hash: 3451AA72A043068BDF306E3489943EB37A79FA2794F85412EDCC6A3654D771898CCA82

Uniqueness

Uniqueness Score: -1.00%

Function 02C871B1, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0a3fc1e4e4517849902b7e8034f138b07d524c761c2bfd50894f7d3bb22115
Instruction ID: e15ae1b8d21a127819666d70f1be67677fe42f1fbb9ecd29cf98ae8551925625
Opcode Fuzzy Hash: 6f0a3fc1e4e4517849902b7e8034f138b07d524c761c2bfd50894f7d3bb22115
Instruction Fuzzy Hash: D3614A35645349CFDF31AE34CC607DA37A2FF55394F548129DD8A9B144D7314A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C80B61, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f527525962b212a00c76ef76dfadb1f98315f9cd047eef889d27602a7524e3
Instruction ID: c1be5fb47322b9d74491d3a48df0f10bf3c6c2dfdc9ee84793500b53755e9e84
Opcode Fuzzy Hash: f3f527525962b212a00c76ef76dfadb1f98315f9cd047eef889d27602a7524e3
Instruction Fuzzy Hash: 1851BA72A053028BDF306E3889943DF37A79FA2794F85412EDCC6A3654D331898CCA82

Uniqueness

Uniqueness Score: -1.00%

Function 02C82B5D, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c020ac0fe07fdd5e7e1f6313d350929bef02f4115acaf4d834ce5c7879c062fc
Instruction ID: c02fe231d3b6c4d781fcde11816d058f28b31499cadbcc2ced604ef53a2a8537
Opcode Fuzzy Hash: c020ac0fe07fdd5e7e1f6313d350929bef02f4115acaf4d834ce5c7879c062fc
Instruction Fuzzy Hash: DA512D74604386DFDF31AE79DC58BDB37A6AF593A0F84412ADC898B244D3714A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02C82B69, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9311e0d7d0d0c20fe5266bfa77beccd39a72b1dd1f23e0d2d5ff152d5c1e3a75
Instruction ID: 6cb75f43a620ad38769f7137dbd82208611029458c4c7abf287adcb9986ff363
Opcode Fuzzy Hash: 9311e0d7d0d0c20fe5266bfa77beccd39a72b1dd1f23e0d2d5ff152d5c1e3a75
Instruction Fuzzy Hash: 57513C74604386DFDF31AE79DC98BDB37A6AF59390F80412ADCC99B244D3718A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02C871C9, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af41ee9da9040ce2c1b05cc3b6c6b916f9d3128ecceb24f51fe01c2e336e058e
Instruction ID: 5fe836a56b99b0382a801900942dca2bdd8ffb6818cb2fc34601b17aa040e719
Opcode Fuzzy Hash: af41ee9da9040ce2c1b05cc3b6c6b916f9d3128ecceb24f51fe01c2e336e058e
Instruction Fuzzy Hash: E261373464434A8FCF31AE34CCA07DA3BA2FF59394F944129DD8A9B244D7318A8ACB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C82B51, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c579a84154d880283dc177788d7d091ee086218f4bd9d4af7e1ca57f4fc391
Instruction ID: 377806deff0579863339a159d5c984b4fac3b6bbe8cfd0a51fc5ec6fc33376ba
Opcode Fuzzy Hash: a4c579a84154d880283dc177788d7d091ee086218f4bd9d4af7e1ca57f4fc391
Instruction Fuzzy Hash: F6512C74604386DFDF31AE79DC98BDB37A6AF59390F84412ADCC99B244D3714A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02C83476, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0637bfc4f0cbec8ec5fd4ee42a0ea1f5b3aaea9630e9a117284783ccbf4bc5f6
Instruction ID: 168b59ad689e907b119ad19c4ca2095285a89b08cc3994e2b8eeea970319a242
Opcode Fuzzy Hash: 0637bfc4f0cbec8ec5fd4ee42a0ea1f5b3aaea9630e9a117284783ccbf4bc5f6
Instruction Fuzzy Hash: 0F515D72A4535A9BDF306E68CC647DA3363AFA5360FC9822ADC8D97244D7314D86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02C8BB99, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521bc37c1212f39f9724099338753d388e5fb16275f6d367b3344f35f2783f35
Instruction ID: 86968fafdc12afe49df294a75ceec632e8758e03e8f4fbe14f34794fa6fb1e34
Opcode Fuzzy Hash: 521bc37c1212f39f9724099338753d388e5fb16275f6d367b3344f35f2783f35
Instruction Fuzzy Hash: 5F5179716043459FDB349E25CDA47EA73A3AF89748F85812ECC8997608D3305A87CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02C80BD5, Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d190ce6beaf68a9e901ea3c6e4324c4862d5dda69c5a18bab766da3091ecb4
Instruction ID: eedd9bc4384996a393c00074d358fc0c218f764c49d37065dab7201275b99dc5
Opcode Fuzzy Hash: 61d190ce6beaf68a9e901ea3c6e4324c4862d5dda69c5a18bab766da3091ecb4
Instruction Fuzzy Hash: 54518832A043068BCF306E3489957EB7BA79F627D4F85412EDCC6A3644D771898DCA82

Uniqueness

Uniqueness Score: -1.00%

Function 02C8C2AB, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c334eaf61013a8b1398bf0828b60e09e18c34149225263298a2cf5654f86491
Instruction ID: e299309a1826df008c62bce04f3e96b4fac7aab7d58c937229548555a2aac990
Opcode Fuzzy Hash: 2c334eaf61013a8b1398bf0828b60e09e18c34149225263298a2cf5654f86491
Instruction Fuzzy Hash: 3D512335604349DFDF38AEB58DA93EE77A6AF95394F95802FCC8ACB104C7314685CA06

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B022, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1549aca3de66aed7db0a140a5f5feddda2efcae2804ed003b48e4d201a745ddf
Instruction ID: 830861f417051dc71180be2e0b459006a621659eb11f5fa05648fd499cfcf187
Opcode Fuzzy Hash: 1549aca3de66aed7db0a140a5f5feddda2efcae2804ed003b48e4d201a745ddf
Instruction Fuzzy Hash: 8651667160038A8FCF34AE648DD47EE37A7AFA5368F94802EDC4ACB114D7714A80DB45

Uniqueness

Uniqueness Score: -1.00%

Function 02C8E156, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e87571a2458e8bc09007af18838f2c37dfea95ab57b2543da81e09f127e7be
Instruction ID: 753cdb4bedc53abc9839aeeff074512b85e7b62922ff8200af1805ae3303d30d
Opcode Fuzzy Hash: 51e87571a2458e8bc09007af18838f2c37dfea95ab57b2543da81e09f127e7be
Instruction Fuzzy Hash: 535149396403899FDF34BE798EA43EE3366AFA6754F98803ADC49CB101D7704685CB09

Uniqueness

Uniqueness Score: -1.00%

Function 02C8D094, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5389460a55b30468ab03a3a08963ffd724644f7785afc0162d62eed62473087b
Instruction ID: b2b673174efad7bc15e24a4b9a3287101a02fa0436db4b51d0a5e8011a227fe4
Opcode Fuzzy Hash: 5389460a55b30468ab03a3a08963ffd724644f7785afc0162d62eed62473087b
Instruction Fuzzy Hash: 6611E235A043424FEB212D7C45D83D9F663AF93360F95C26FCCD2572C5E3A58542C212

Uniqueness

Uniqueness Score: -1.00%

Function 02C8B199, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb45655c3691c3d35e7c67f6dccb89ee254cbaa45ade4b4f9c710249362a641
Instruction ID: 149d59a16f0dab214b7eafa3b23236ecbf36efdd0f8ab5c92de58e58c6275512
Opcode Fuzzy Hash: bdb45655c3691c3d35e7c67f6dccb89ee254cbaa45ade4b4f9c710249362a641
Instruction Fuzzy Hash: 98113574614345CFCB25EE29C9E4BE973A1BF9A748F898229DD09CF315D730A981CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02C87A5C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1170646169.0000000002C80000.00000040.00000001.sdmp, Offset: 02C80000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da660b55933ce450b270a7752daaf66cf32dd91d9ad64cf309bd1348631535c
Instruction ID: 62812b591fe42f16be5d9978a7c0ea9127c47ed70715c9f2c0fd9f39fab41c6c
Opcode Fuzzy Hash: 1da660b55933ce450b270a7752daaf66cf32dd91d9ad64cf309bd1348631535c
Instruction Fuzzy Hash: 3BC092F76115809FFF42CA08C891B0473B0F714A54BA948D0E002CB791D324ED00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCF1, Relevance: 46.8, APIs: 31, Instructions: 287COMMON

Download Yara Rule

APIs

#527.MSVBVM60(00409D90), ref: 0042CFC4
__vbaStrMove.MSVBVM60 ref: 0042CFCF
__vbaStrCmp.MSVBVM60(00409D98,00000000), ref: 0042CFDB
__vbaFreeStr.MSVBVM60 ref: 0042CFEE
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D00F
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042D03A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000B8), ref: 0042D068
__vbaFreeObj.MSVBVM60 ref: 0042D06D
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D085
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042D0AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 0042D0D0
__vbaStrMove.MSVBVM60 ref: 0042D0DB
__vbaFreeObj.MSVBVM60 ref: 0042D0E4
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D0FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D11C
__vbaFreeStr.MSVBVM60(0042D313), ref: 0042D30C

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#527
String ID:
API String ID: 487870899-0
Opcode ID: df558c1ea2a8b91382415ce9a12d200d5eb9527a7ecc0e3073d17a75ccaea11e
Instruction ID: 421e9747bc86155a6d00bcd6773833b1b678586a0f476ee49ed6e3c8e132e0df
Opcode Fuzzy Hash: df558c1ea2a8b91382415ce9a12d200d5eb9527a7ecc0e3073d17a75ccaea11e
Instruction Fuzzy Hash: 18A18D75A00218ABCB14DFA5DD48FEEB7B8FF48700F14816AF541B72A4DB789905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC70, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042DCDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DCF4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,00000150), ref: 0042DD21
__vbaStrToAnsi.MSVBVM60(?,?,008039A4), ref: 0042DD38
__vbaSetSystemError.MSVBVM60(003989DE,00000000), ref: 0042DD4C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DD6E
__vbaFreeObj.MSVBVM60 ref: 0042DD7A
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042DDA3
__vbaStrMove.MSVBVM60 ref: 0042DDAE
__vbaFreeVar.MSVBVM60 ref: 0042DDBD
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042DDD2
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042DDF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000118), ref: 0042DE1D
__vbaI2I4.MSVBVM60 ref: 0042DE22
__vbaFreeObj.MSVBVM60 ref: 0042DE2B
__vbaVarDup.MSVBVM60 ref: 0042DE45
#666.MSVBVM60(?,00000002), ref: 0042DE53
__vbaVarMove.MSVBVM60 ref: 0042DE5F
__vbaFreeVar.MSVBVM60 ref: 0042DE68
__vbaFreeVar.MSVBVM60(0042DEBB), ref: 0042DEAB
__vbaFreeStr.MSVBVM60 ref: 0042DEB4

Strings

zS, xrefs: 0042DE6A
HENRIVENDE, xrefs: 0042DE37

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#666#702AnsiErrorListSystem
String ID: HENRIVENDE$zS
API String ID: 309366762-2729703279
Opcode ID: 73f3af9477cdb78b24042d14f0624148bd2da5a97b030ecdd2f9a78ee0593ede
Instruction ID: 7ad52f43169cb042ce831740d4e42ab7301fe4937213083156b9f9562543c489
Opcode Fuzzy Hash: 73f3af9477cdb78b24042d14f0624148bd2da5a97b030ecdd2f9a78ee0593ede
Instruction Fuzzy Hash: 9B514971900219AFCB04DFA5DD88EDEBBB8FF48705F10412AF516BB2A0DB745945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D4F0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaCyStr.MSVBVM60(00409AD4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D538
__vbaFpCmpCy.MSVBVM60(00000000), ref: 0042D546
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D566
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042D591
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000130), ref: 0042D5BF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D5
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D5EE
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042D613
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000D0), ref: 0042D639
__vbaStrMove.MSVBVM60 ref: 0042D648
__vbaFreeObj.MSVBVM60 ref: 0042D64D
#531.MSVBVM60(kantatens), ref: 0042D658
__vbaFreeStr.MSVBVM60(0042D68A), ref: 0042D682
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D687

Strings

kantatens, xrefs: 0042D653

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$MoveNew2$#531
String ID: kantatens
API String ID: 1829431787-1394988495
Opcode ID: 0bf0b9d4c6896b2c53c78c2732274ffb473cdd5a3fd38dcfdd8a0f5071a0eb2b
Instruction ID: 2aa563af965ef9275586147fe00d723355200850cc740d6fb81f3cd38f104f15
Opcode Fuzzy Hash: 0bf0b9d4c6896b2c53c78c2732274ffb473cdd5a3fd38dcfdd8a0f5071a0eb2b
Instruction Fuzzy Hash: 82416070A00219ABCB04DF95DD89EDEBBB8FF4C704F10406AE505B72A1D778A945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004253F0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00425459
#515.MSVBVM60(?,?,00000002), ref: 00425476
__vbaVarTstNe.MSVBVM60(?,?), ref: 00425492
__vbaFreeVar.MSVBVM60 ref: 0042549E
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004254CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004254E8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A78,000000C0), ref: 00425512
__vbaLateMemCall.MSVBVM60(?,bJwKrGImpGgg9mRQCArwzZIt8,00000003), ref: 00425581
__vbaFreeObj.MSVBVM60 ref: 0042558D
__vbaFreeObj.MSVBVM60(004255D1), ref: 004255C1
__vbaFreeStr.MSVBVM60 ref: 004255CA

Strings

var, xrefs: 0042542A
Kricketbold2, xrefs: 004254BE
bJwKrGImpGgg9mRQCArwzZIt8, xrefs: 00425578

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#515CallCheckCopyHresultLateNew2
String ID: Kricketbold2$bJwKrGImpGgg9mRQCArwzZIt8$var
API String ID: 3144308283-2350849782
Opcode ID: c0dfb2e5c5369434526f721f375494887a5bb0ccd3966965ad60c4f2d4219c0b
Instruction ID: f41533b6bd4e7efb125514aaaa08caeaee6790a574f5e4bd7e7660171d97d2d9
Opcode Fuzzy Hash: c0dfb2e5c5369434526f721f375494887a5bb0ccd3966965ad60c4f2d4219c0b
Instruction Fuzzy Hash: 7E5149B0E10219DFCB04DF98CA48A9DFBB8FF48700F20816AE509B7294D7785A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042D990, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042D9EB
__vbaLenBstrB.MSVBVM60(00409DC8), ref: 0042D9F6
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0042DA3F
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042DA55
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042DA71
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042DA96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000C8), ref: 0042DAC3
__vbaFreeObj.MSVBVM60 ref: 0042DACC
__vbaVarDup.MSVBVM60 ref: 0042DAF8
#595.MSVBVM60(?,00000000,?,?,?), ref: 0042DB10
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042DB28
__vbaFreeStr.MSVBVM60(0042DB68), ref: 0042DB61

Strings

hjrekant, xrefs: 0042DAEA

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultList$#595#680BstrCopyNew2
String ID: hjrekant
API String ID: 4058102471-1475739938
Opcode ID: e1b75d68c638077e161484839b802f05e88e7e3f002468e655760ca039c16626
Instruction ID: 528b7d16acc9b0120cd20bbc4beafa916e448bb3fc521411f62fdd66739c3430
Opcode Fuzzy Hash: e1b75d68c638077e161484839b802f05e88e7e3f002468e655760ca039c16626
Instruction Fuzzy Hash: 9151E2B1D00259ABDB10DFD4D889EDEBFB8BF48700F10412AE505B72A5D7B46585CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D7E0, Relevance: 22.6, APIs: 15, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D835
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D83D
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D852
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D871
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B24,000001C8), ref: 0042D890
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D899
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D8B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D8CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409DB4,00000100), ref: 0042D8EE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D8FE
__vbaI4Var.MSVBVM60(00000000), ref: 0042D908
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042D91B
__vbaFreeVar.MSVBVM60 ref: 0042D927
__vbaFreeStr.MSVBVM60(0042D962), ref: 0042D95A
__vbaFreeStr.MSVBVM60 ref: 0042D95F

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2$CallLateList
String ID:
API String ID: 244069345-0
Opcode ID: 48c59141a9711ab758ab85e1659ed870cecbf5170d4f5ad65f5db97ef2c46b59
Instruction ID: 68c5a20009e61a82da8980dc6a8dcd6d7516772f9fd5461ec031769d98698f1d
Opcode Fuzzy Hash: 48c59141a9711ab758ab85e1659ed870cecbf5170d4f5ad65f5db97ef2c46b59
Instruction Fuzzy Hash: 7D413CB5D00219ABCB04DF94DD88EDEBBB8FB08304F10443AF955B7264D6789945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425600, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425655
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042565D
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00425671
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,00000014), ref: 0042569C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000118), ref: 004256CA
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256CF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256D8
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004256F1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042570A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A78,000000C8), ref: 00425731
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042573C
__vbaFreeStr.MSVBVM60(00425764), ref: 0042575C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425761

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2
String ID:
API String ID: 336985134-0
Opcode ID: 704c3ca0139c0089c0f919b269df0b02999ba018dc7a951a8ea584454d2a13f5
Instruction ID: b92202306912b8ce4498fe6f3c470eddfeaad781b54ea9fb7205f9906e1ddf00
Opcode Fuzzy Hash: 704c3ca0139c0089c0f919b269df0b02999ba018dc7a951a8ea584454d2a13f5
Instruction Fuzzy Hash: 64413D74A40619ABCB04DF95DD84EEEBBB8FF98714F148026E505B72A0CA785941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D330, Relevance: 18.1, APIs: 12, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D37D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D39C
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D3B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D3D1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000130), ref: 0042D3F4
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D423
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D42D
__vbaStrMove.MSVBVM60 ref: 0042D438
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 0042D458
__vbaFreeStr.MSVBVM60 ref: 0042D461
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042D475
__vbaFreeVar.MSVBVM60 ref: 0042D481

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
String ID:
API String ID: 3081447974-0
Opcode ID: fd2b5b61a87c7bcf3591fc30d45c76a019f2e60e8bfab091327a436863dab25d
Instruction ID: 2f43b567f44992a7474b8345ca10955fbf0f080be75abf41ea491f4b7a57122c
Opcode Fuzzy Hash: fd2b5b61a87c7bcf3591fc30d45c76a019f2e60e8bfab091327a436863dab25d
Instruction Fuzzy Hash: 23414DB4A00204AFCB04DFA4DD49F9EBBB8FB48701F10456AF545F7261D638A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424890, Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004248D9
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004248F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424911
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042492D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424946
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,000000F0), ref: 00424969
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 004249A9
__vbaFreeStr.MSVBVM60 ref: 004249B2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004249C2
__vbaFreeStr.MSVBVM60(004249F9), ref: 004249F2

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$CopyList
String ID:
API String ID: 4130517723-0
Opcode ID: 427849cdfefcaa55277ff0a650838870c5c6ab0d2655cb29ba28bad2fbaaee30
Instruction ID: 338438950e02a625ab3ed8cab48cefff4596053f2cb2433649627209077afe9e
Opcode Fuzzy Hash: 427849cdfefcaa55277ff0a650838870c5c6ab0d2655cb29ba28bad2fbaaee30
Instruction Fuzzy Hash: F6416FB4A00215AFCB04DFA4DD49FAEBBB8FF48700F10416AF905E7265D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425790, Relevance: 13.5, APIs: 9, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257D0
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257D8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257E0
__vbaCyStr.MSVBVM60(00409AD4,?,?,?,?,?,?,?,00401746), ref: 004257E7
__vbaFpCmpCy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00401746), ref: 004257F5
#569.MSVBVM60(0000002F,?,?,?,?,?,?,?,?,00401746), ref: 00425801
__vbaFreeStr.MSVBVM60(00425823,?,?,?,?,?,?,?,?,00401746), ref: 00425816
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042581B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425820

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CopyFree$#569
String ID:
API String ID: 3911904416-0
Opcode ID: 6b575aff054f52151198c77736227529b7a502063764041e31cd2767e68cb6ee
Instruction ID: 8c23326ed8f7c633dd7ab1d4564fa65d66f3dd3eb216fe8efc0d39cec2beacab
Opcode Fuzzy Hash: 6b575aff054f52151198c77736227529b7a502063764041e31cd2767e68cb6ee
Instruction Fuzzy Hash: 7E111B70D0125E9BCB00EFA4EE45AEEBFB8EF08700F10416AA505B31A4DB746A45CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00424B40, Relevance: 12.1, APIs: 8, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424B84
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424B9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001CC), ref: 00424C24
__vbaFreeObj.MSVBVM60 ref: 00424C33
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424C48
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424C61
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,000001C8), ref: 00424C88
__vbaFreeObj.MSVBVM60 ref: 00424C97

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: a3998834bc430794f83a5eae03db131e8960b67bfe6a6c340241cca19f98b418
Instruction ID: d6ccf8d8d40f68528009283c94b7c9ee0550a54f59a22daff56c3d83598b0a26
Opcode Fuzzy Hash: a3998834bc430794f83a5eae03db131e8960b67bfe6a6c340241cca19f98b418
Instruction Fuzzy Hash: 514162B4A012059FCB08DFA9D989A9ABBF4FF48704F10846AE505E7355D7389901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004251A0, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 00425201
__vbaFpR8.MSVBVM60 ref: 00425207
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00425230
__vbaHresultCheckObj.MSVBVM60(00000000,021FE9C4,00409A04,0000001C), ref: 00425255
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409A24,0000005C), ref: 00425299
__vbaStrMove.MSVBVM60 ref: 004252AC
__vbaFreeObj.MSVBVM60 ref: 004252B5
__vbaFreeStr.MSVBVM60(004252EE), ref: 004252E7

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#672MoveNew2
String ID:
API String ID: 2213023555-0
Opcode ID: adce031423edc3c2442dfe91bd481cc1439345b0a7028bb6873e716229a5ecab
Instruction ID: 2222302b068474269bef2d73df15d22b6c0f4bba6f5c43484c368cecfb7a7bd3
Opcode Fuzzy Hash: adce031423edc3c2442dfe91bd481cc1439345b0a7028bb6873e716229a5ecab
Instruction Fuzzy Hash: 86314F70900609EBCB10DF95DD48B9EBBB8FF99740F20805AF505B72A4C7789941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00431CB0, Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431CF4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D13
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001C8), ref: 00431D52
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D61
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D76
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D8F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000088), ref: 00431DB2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431DC1

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: c34afd28d7952d34c5328901ab9c25194399eaaea1dc284c49e274c64b1b76aa
Instruction ID: 8e1ef24ae030d6c177eceba90c465ca712c2948b9e01b76952a328ae610c7fb9
Opcode Fuzzy Hash: c34afd28d7952d34c5328901ab9c25194399eaaea1dc284c49e274c64b1b76aa
Instruction Fuzzy Hash: A131A474A402059FCB04DFA5C989F9A7BB8FF0C701F108529F545E73A5D7389901CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424A20, Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A6C
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A74
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A89
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424AA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,00000220), ref: 00424AE5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424AEE
__vbaFreeStr.MSVBVM60(00424B16,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B0E
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B13

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID:
API String ID: 1874231197-0
Opcode ID: 04e29ac4a031fa013ebe189aeb620e89624a347daf8b852e045f06208db45e73
Instruction ID: a89d8fdef33f0de0a511d469acc9284bfe3104ecbf7f728fe8891e970c8faece
Opcode Fuzzy Hash: 04e29ac4a031fa013ebe189aeb620e89624a347daf8b852e045f06208db45e73
Instruction Fuzzy Hash: CD215175E00219DFCB04DFA9D989A9EBBB8FF4C300F10816AE515A7265C778A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424E90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00424E90(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _t19;
				intOrPtr* _t21;
				intOrPtr* _t23;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t38;
				void* _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				_t43 = _t42 - 0x28;
				_v16 = _t43;
				_v12 = 0x401208;
				_v8 = 0;
				_t19 = _a4;
				 *((intOrPtr*)( *_t19 + 4))(_t19, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t39);
				_t21 =  *0x433010; // 0x48ff68
				_v28 = 0;
				_v32 = 0;
				if(_t21 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t21 =  *0x433010; // 0x48ff68
				}
				_t23 =  &_v32;
				__imp____vbaObjSet(_t23,  *((intOrPtr*)( *_t21 + 0x354))(_t21));
				_t28 = _t43 - 0x10;
				 *_t28 = 0xa;
				_t38 = _t23;
				 *((intOrPtr*)(_t28 + 4)) = _v44;
				 *((intOrPtr*)(_t28 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t28 + 0xc)) = _v36;
				_t26 =  *((intOrPtr*)( *_t38 + 0x1ec))(_t38, L"PHACOCELE");
				asm("fclex");
				if(_t26 < 0) {
					__imp____vbaHresultCheckObj(_t26, _t38, 0x409994, 0x1ec);
				}
				__imp____vbaFreeObj();
				_v28 = 0x2be5;
				_push(0x424f69);
				return _t26;
			}

0x00424e93
0x00424ea2
0x00424ea9
0x00424eaf
0x00424eb2
0x00424ebb
0x00424ebe
0x00424ec4
0x00424ec7
0x00424ece
0x00424ed1
0x00424ed4
0x00424ee0
0x00424ee6
0x00424ee6
0x00424ef5
0x00424ef9
0x00424f02
0x00424f09
0x00424f0e
0x00424f12
0x00424f1a
0x00424f26
0x00424f29
0x00424f2f
0x00424f33
0x00424f41
0x00424f41
0x00424f4a
0x00424f50
0x00424f57
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EE0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 00424F41
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F4A

Strings

+, xrefs: 00424F50
PHACOCELE, xrefs: 00424F20

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: PHACOCELE$+
API String ID: 1645334062-1228347243
Opcode ID: 4d1c63fe1bd7e7c7275c4a49612e155c1636a6df5f18212697fca796735d4e2c
Instruction ID: c07b849c513be16a07adf2aa5f9d26272c629c32cb7bd96357dfce5810ec3e31
Opcode Fuzzy Hash: 4d1c63fe1bd7e7c7275c4a49612e155c1636a6df5f18212697fca796735d4e2c
Instruction Fuzzy Hash: D92180B4A00304AFCB04DF99D989B9ABBF8FB88300F10806AF515E7291C7789901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00425930, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00425987
#687.MSVBVM60(?,?), ref: 00425995
__vbaDateVar.MSVBVM60(?), ref: 0042599F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004259B1

Strings

7-7-7, xrefs: 00425979
Lu, xrefs: 004259BA

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#687DateFreeList
String ID: 7-7-7$Lu
API String ID: 3303533072-1249225327
Opcode ID: 6245efcda413e39e9270e31898f19b129ea382ddc484f5b2443dba14f6557b46
Instruction ID: ce99caddad7a59bca6aa9ca99a4ab6ee82fecd9b7f5801bfdfbeef89fb7c03f7
Opcode Fuzzy Hash: 6245efcda413e39e9270e31898f19b129ea382ddc484f5b2443dba14f6557b46
Instruction Fuzzy Hash: F011D6B5C10228EBCB00DFD8DD89ADEBBB8FB48B04F14811AF501A7654D7B85549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004250F0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

#669.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 0042512A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425135
__vbaStrCmp.MSVBVM60(Distriktsbladet6,00000000,?,?,?,?,?,?,?,00401746), ref: 00425141
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425153
#568.MSVBVM60(0000003C,?,?,?,?,?,?,?,00401746), ref: 00425160

Strings

Distriktsbladet6, xrefs: 0042513C

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#568#669FreeMove
String ID: Distriktsbladet6
API String ID: 2447501155-846783287
Opcode ID: 0d43f69c6f8277c67fde6910b648ecc09a0eec26ade652ca687f33148b4ba87b
Instruction ID: 40341f63e31b649ac5d81cfe9586fce8e6a321f6243a3dec9ce25f7ac10c7110
Opcode Fuzzy Hash: 0d43f69c6f8277c67fde6910b648ecc09a0eec26ade652ca687f33148b4ba87b
Instruction Fuzzy Hash: 3D01A275D00214ABC7009F64DD49BBEBBB8EF44B00F508166F942F36A0C7384945CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424FA0, Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00424FE3
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424FFC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425015
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001CC), ref: 0042509C
__vbaFreeObj.MSVBVM60 ref: 004250A5
__vbaFreeStr.MSVBVM60(004250C7), ref: 004250C0

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: c57dd0fd31dfa5a9de0977fd0c62cec7cdab3f47cc5778dee31f38b867b8ceee
Instruction ID: 0ade94da89b41b4eab9646647c1f63100d07748614dd5f68b1c491f5be6b4fe0
Opcode Fuzzy Hash: c57dd0fd31dfa5a9de0977fd0c62cec7cdab3f47cc5778dee31f38b867b8ceee
Instruction Fuzzy Hash: 2131F8B4A012159FCB04DFA9D989A9ABBF4FF49700F10C06AE509AB365D7389902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00424D80, Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DC3
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DDC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001C8), ref: 00424E38
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E41
__vbaFreeStr.MSVBVM60(00424E62,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E5B

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 1f0a2ce6c4d22cf9b4595b08ef734b5213cb04d81a267dc3c34c583316932962
Instruction ID: ff67800850578e2c00da1b047b15bb5caf9f6950deec009865795ebb7826fe1d
Opcode Fuzzy Hash: 1f0a2ce6c4d22cf9b4595b08ef734b5213cb04d81a267dc3c34c583316932962
Instruction Fuzzy Hash: B7216074A40205DFCB04DF99D989AAABBB8FF48300F10806AF515E72A5C7389941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00425AF0, Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B33
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425B4C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425B65
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001AC,?,?,?,?,?,?,?,?,00401746), ref: 00425B88
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B91
__vbaFreeStr.MSVBVM60(00425BB2,?,?,?,?,?,?,?,?,00401746), ref: 00425BAB

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: c6dbd533dfb2d7a710166714471a83aa1eeb5aa0aa0cb80df9ca8f1d61a70886
Instruction ID: dbfc71b838495f9492a5a142e97161b05e2ac8341ced7ed5361450e3d2157e4d
Opcode Fuzzy Hash: c6dbd533dfb2d7a710166714471a83aa1eeb5aa0aa0cb80df9ca8f1d61a70886
Instruction Fuzzy Hash: D5117C74A00204AFCB04DFA5DA49EAEBBB8FF49701F104466F556E72A0C7386942CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00425840, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00425840(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				_t41 = _t40 - 0x24;
				_v16 = _t41;
				_v12 = 0x401290;
				_v8 = 0;
				_t17 = _a4;
				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t37);
				_t19 =  *0x433010; // 0x48ff68
				_v28 = 0;
				if(_t19 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t19 =  *0x433010; // 0x48ff68
				}
				_t21 =  &_v28;
				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x358))(_t19));
				_t26 = _t41 - 0x10;
				 *_t26 = 0xa;
				_t36 = _t21;
				 *((intOrPtr*)(_t26 + 4)) = _v40;
				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Rubedity");
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t36, 0x409af0, 0x1ec);
				}
				__imp____vbaFreeObj();
				_push(0x42590f);
				return _t24;
			}

0x00425843
0x00425852
0x00425859
0x0042585f
0x00425862
0x0042586b
0x0042586e
0x00425874
0x00425877
0x0042587e
0x00425881
0x0042588d
0x00425893
0x00425893
0x004258a2
0x004258a6
0x004258af
0x004258b6
0x004258bb
0x004258bf
0x004258c7
0x004258d3
0x004258d6
0x004258dc
0x004258e0
0x004258ee
0x004258ee
0x004258f7
0x004258fd
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042588D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004258A6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409AF0,000001EC), ref: 004258EE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004258F7

Strings

Rubedity, xrefs: 004258CD

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Rubedity
API String ID: 1645334062-1230464931
Opcode ID: dcf7fc36bda819c952aca0877bce80e0ef6706ab58ebe64fb48dea84d441ead6
Instruction ID: 599cb8a2a290bf45e56a98dd7853ec6981ff99bf77f36e5b80ca1d81cc44e1d1
Opcode Fuzzy Hash: dcf7fc36bda819c952aca0877bce80e0ef6706ab58ebe64fb48dea84d441ead6
Instruction Fuzzy Hash: 252190B4A40304EFCB04DFA9D989B9ABBF8FB49700F108466F505E72A5C6789941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004247A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

#660.MSVBVM60(?,?,?,00000001,00000001), ref: 00424801
__vbaVarTstNe.MSVBVM60(?,?), ref: 00424819
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0042482F
#532.MSVBVM60(RESTARTED), ref: 00424842

Strings

RESTARTED, xrefs: 0042483D

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#532#660FreeList
String ID: RESTARTED
API String ID: 675845651-3446605417
Opcode ID: 1523762df500dd22366c65129d370094b3d151d54b7c4f3c5af350ccb99b7d8a
Instruction ID: 128117873ed13954bc14587738954aa8213de49fb0a4d79105f5425fa6d98a24
Opcode Fuzzy Hash: 1523762df500dd22366c65129d370094b3d151d54b7c4f3c5af350ccb99b7d8a
Instruction Fuzzy Hash: C21129B5850268EBDB00DF94DD89FDEBBB8FB48704F50421AF501B2290D7B815088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00425C60, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CA4
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CBD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000140,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CFD
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D0C

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckErrorFreeHresultNew2
String ID:
API String ID: 3750743295-0
Opcode ID: 799eb9120ed1bcb9eae0894af69a300f9c59ba34b70742c3d7d403f1e75d9cdc
Instruction ID: 33ff4c81103d161e933f814578e97179de6dd2e55feac707fbe8ed5e237c59ff
Opcode Fuzzy Hash: 799eb9120ed1bcb9eae0894af69a300f9c59ba34b70742c3d7d403f1e75d9cdc
Instruction Fuzzy Hash: 71216D74A00204AFCB00DF96DE48A9EBBF8FF88700F10846AF451F72A0C77859018FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424CD0, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D0A
#546.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D14
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D20
__vbaFreeVar.MSVBVM60(00424D58), ref: 00424D48
__vbaFreeStr.MSVBVM60 ref: 00424D51

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#546CopyMove
String ID:
API String ID: 2278598164-0
Opcode ID: 1ebfea73f915207e331b69a771995b06bef028f10292e047847378e054feb93d
Instruction ID: c9f5a0120824c94824b1b965db052293f16892c2b490fd6d06a586418b1496a8
Opcode Fuzzy Hash: 1ebfea73f915207e331b69a771995b06bef028f10292e047847378e054feb93d
Instruction Fuzzy Hash: 70010870C00249ABCF04DFA4D948ADEBBB8FB08701F108426E511B7164EB382505CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6B0, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0042D6B0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t43;
				intOrPtr* _t47;
				intOrPtr* _t60;
				void* _t61;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;

				_t64 = _t63 - 0xc;
				 *[fs:0x0] = _t64;
				_t65 = _t64 - 0x44;
				_v16 = _t65;
				_v12 = 0x4016a8;
				_v8 = 0;
				_t31 = _a4;
				 *((intOrPtr*)( *_t31 + 4))(_t31, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t61);
				_t33 =  *0x433010; // 0x48ff68
				_v28 = 0;
				if(_t33 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t33 =  *0x433010; // 0x48ff68
				}
				_t35 =  &_v28;
				__imp____vbaObjSet(_t35,  *((intOrPtr*)( *_t33 + 0x3b4))(_t33));
				_t66 = _t65 - 0x10;
				_t60 = _t35;
				_t43 = _t66;
				 *_t43 = 0xa;
				_v44 = 0xa;
				 *((intOrPtr*)(_t43 + 4)) = _v72;
				 *((intOrPtr*)(_t43 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t43 + 0xc)) = _v64;
				_t67 = _t66 - 0x10;
				_t47 = _t67;
				 *_t47 = 0xa;
				 *((intOrPtr*)(_t47 + 4)) = _v56;
				 *((intOrPtr*)(_t47 + 8)) = 0x80020004;
				_v36 = 0x80020004;
				 *((intOrPtr*)(_t47 + 0xc)) = _v48;
				_t40 = _t67 - 0x10;
				 *_t40 = _v44;
				 *((intOrPtr*)(_t40 + 4)) = _v40;
				 *((intOrPtr*)(_t40 + 8)) = _v36;
				 *((intOrPtr*)(_t40 + 0xc)) = _v32;
				_t41 =  *((intOrPtr*)( *_t60 + 0x1d0))(_t60, 0x46e36000);
				asm("fclex");
				if(_t41 < 0) {
					__imp____vbaHresultCheckObj(_t41, _t60, 0x409b24, 0x1d0);
				}
				__imp____vbaFreeObj();
				asm("wait");
				_push(0x42d7bf);
				return _t41;
			}

0x0042d6b3
0x0042d6c2
0x0042d6c9
0x0042d6cf
0x0042d6d2
0x0042d6db
0x0042d6de
0x0042d6e4
0x0042d6e7
0x0042d6ee
0x0042d6f1
0x0042d6fd
0x0042d703
0x0042d703
0x0042d712
0x0042d716
0x0042d71c
0x0042d71f
0x0042d721
0x0042d72a
0x0042d72c
0x0042d732
0x0042d73c
0x0042d742
0x0042d745
0x0042d748
0x0042d74f
0x0042d754
0x0042d757
0x0042d75a
0x0042d760
0x0042d76c
0x0042d76e
0x0042d773
0x0042d77e
0x0042d782
0x0042d785
0x0042d78b
0x0042d78f
0x0042d79d
0x0042d79d
0x0042d7a6
0x0042d7ac
0x0042d7ad
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D6FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D716
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B24,000001D0), ref: 0042D79D
__vbaFreeObj.MSVBVM60 ref: 0042D7A6

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 1a758cf11ae9d8a6b0c8196ae5049f2d36f4e6c013b60a63323aa8f2330ad7de
Instruction ID: ee10ccefcdad81d953b980179fda6709ed118dab8f089c4ff3467a9e1573247c
Opcode Fuzzy Hash: 1a758cf11ae9d8a6b0c8196ae5049f2d36f4e6c013b60a63323aa8f2330ad7de
Instruction Fuzzy Hash: 7D310AB4E002149FCB04DFA9D985A9ABBF5FF4C700F24C46AE509AB355D7399801CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB90, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 0042DBE0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 0042DBF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001A8,?,?,?,?,?,?,?,?,00401746), ref: 0042DC1C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042DC25

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 18e8ac6ff0ea40d7319838fef3383b0b124b441af15a76e1f2351ce22381eaa0
Instruction ID: e8ea1c709b733db828dd63d75d6591c1c46fe1939c887ba964b5bc70d0057945
Opcode Fuzzy Hash: 18e8ac6ff0ea40d7319838fef3383b0b124b441af15a76e1f2351ce22381eaa0
Instruction Fuzzy Hash: 0D118C74E40204AFC704DFA6DD49B9AFBBCFF59701F608426F851E72A0CB785901CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425A10, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00425A10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t28;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				_v16 = _t32 - 0x18;
				_v12 = 0x4012b0;
				_v8 = 0;
				_t14 = _a4;
				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t29);
				_t16 =  *0x433010; // 0x48ff68
				_v28 = 0;
				_v32 = 0;
				if(_t16 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t16 =  *0x433010; // 0x48ff68
				}
				_t18 =  &_v32;
				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x378))(_t16));
				_t28 = _t18;
				_t19 =  *((intOrPtr*)( *_t28 + 0x21c))(_t28);
				asm("fclex");
				if(_t19 < 0) {
					__imp____vbaHresultCheckObj(_t19, _t28, 0x409984, 0x21c);
				}
				__imp____vbaFreeObj();
				_v28 = 0x4c22e;
				_push(0x425ac4);
				return _t19;
			}

0x00425a13
0x00425a22
0x00425a2f
0x00425a32
0x00425a3b
0x00425a3e
0x00425a44
0x00425a47
0x00425a4e
0x00425a51
0x00425a54
0x00425a60
0x00425a66
0x00425a66
0x00425a75
0x00425a79
0x00425a7f
0x00425a84
0x00425a8a
0x00425a8e
0x00425a9c
0x00425a9c
0x00425aa5
0x00425aab
0x00425ab2
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425A60
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425A79
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,0000021C,?,?,?,?,?,?,?,?,00401746), ref: 00425A9C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425AA5

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 7fafe13a814fd48cb021992bed8575568b4eb61dc5bba588954973085b8c3dc3
Instruction ID: bea6e947b0b3abca56de27fa394f6553d1dcd80fa9f38220b484598879b95b5f
Opcode Fuzzy Hash: 7fafe13a814fd48cb021992bed8575568b4eb61dc5bba588954973085b8c3dc3
Instruction Fuzzy Hash: D81191B8A40604AFC700DF95D989F9AFBB8FF58701F208566F551E72A1C77859018B98

Uniqueness

Uniqueness Score: -1.00%

Function 00425320, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00425320(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				void* _t17;
				intOrPtr* _t26;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				_v16 = _t30 - 0x14;
				_v12 = 0x401250;
				_v8 = 0;
				_t12 = _a4;
				 *((intOrPtr*)( *_t12 + 4))(_t12, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t27);
				_t14 =  *0x433010; // 0x48ff68
				_v28 = 0;
				if(_t14 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t14 =  *0x433010; // 0x48ff68
				}
				_t16 =  &_v28;
				__imp____vbaObjSet(_t16,  *((intOrPtr*)( *_t14 + 0x338))(_t14));
				_t26 = _t16;
				_t17 =  *((intOrPtr*)( *_t26 + 0x1ac))(_t26);
				asm("fclex");
				if(_t17 < 0) {
					__imp____vbaHresultCheckObj(_t17, _t26, 0x409a34, 0x1ac);
				}
				__imp____vbaFreeObj();
				_push(0x4253ca);
				return _t17;
			}

0x00425323
0x00425332
0x0042533f
0x00425342
0x0042534b
0x0042534e
0x00425354
0x00425357
0x0042535e
0x00425361
0x0042536d
0x00425373
0x00425373
0x00425382
0x00425386
0x0042538c
0x00425391
0x00425397
0x0042539b
0x004253a9
0x004253a9
0x004253b2
0x004253b8
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,00401746), ref: 0042536D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401746), ref: 00425386
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001AC,?,?,?,?,?,?,?,00401746), ref: 004253A9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004253B2

Memory Dump Source

Source File: 00000000.00000002.1169731276.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1169725751.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1169779318.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1169784377.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: be717cc0b179ccdec314acfc5436d78a73d667bcaa62ee4d86c373b69614fe4e
Instruction ID: b9d364111fb4df84e864426dd9556a9d71603b9f56e7f9ce1eb5f72fbdd78bc2
Opcode Fuzzy Hash: be717cc0b179ccdec314acfc5436d78a73d667bcaa62ee4d86c373b69614fe4e
Instruction Fuzzy Hash: D511CE75A40200AFC700EFA5CD89F9ABBBCFF49701F104466F942E32A0C77859018BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 7052 Parent PID: 6000

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 7052 Parent PID: 6000 SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCOMMON