Play interactive tour

Edit tour

Windows Analysis Report SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Overview

General Information

Sample Name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Analysis ID:	450598
MD5:	597eff6540780213008d384ca831852a
SHA1:	74fcaa7b00efdfc2056eb4651aea03c529d9bf8d
SHA256:	464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe (PID: 5968 cmdline: 'C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe' MD5: 597EFF6540780213008D384CA831852A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000000.199329516.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
1.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/karin_entmCGmZw1b;z"}

Multi AV Scanner detection for submitted file

Show sources

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Virustotal: Detection: 20%

Perma Link

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/karin_entmCGmZw1b;z

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211812F NtAllocateVirtualMemory,	1_2_0211812F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02118299 NtAllocateVirtualMemory,	1_2_02118299
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211834D NtAllocateVirtualMemory,	1_2_0211834D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02118365 NtAllocateVirtualMemory,	1_2_02118365
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021181FD NtAllocateVirtualMemory,	1_2_021181FD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021181E5 NtAllocateVirtualMemory,	1_2_021181E5

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211812F	1_2_0211812F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113214	1_2_02113214
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211620D	1_2_0211620D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116231	1_2_02116231
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116225	1_2_02116225
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211427F	1_2_0211427F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114295	1_2_02114295
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114289	1_2_02114289
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C2AB	1_2_0211C2AB
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021142AD	1_2_021142AD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162D5	1_2_021162D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162C9	1_2_021162C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162E1	1_2_021162E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114351	1_2_02114351
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116379	1_2_02116379
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211B361	1_2_0211B361
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211636D	1_2_0211636D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116385	1_2_02116385
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211B3BD	1_2_0211B3BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021143D5	1_2_021143D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211B3F9	1_2_0211B3F9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021143E1	1_2_021143E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021163E3	1_2_021163E3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02117010	1_2_02117010
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211401B	1_2_0211401B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211600D	1_2_0211600D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211B022	1_2_0211B022
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116025	1_2_02116025
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211702B	1_2_0211702B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114061	1_2_02114061
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116095	1_2_02116095
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114085	1_2_02114085
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021160B9	1_2_021160B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116111	1_2_02116111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114111	1_2_02114111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211411D	1_2_0211411D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114109	1_2_02114109
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02117109	1_2_02117109
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114135	1_2_02114135
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211E156	1_2_0211E156
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116175	1_2_02116175
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116161	1_2_02116161
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116169	1_2_02116169
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021171B1	1_2_021171B1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021141D1	1_2_021141D1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021171C9	1_2_021171C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021141F5	1_2_021141F5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C631	1_2_0211C631
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C625	1_2_0211C625
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C649	1_2_0211C649
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116695	1_2_02116695
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211568B	1_2_0211568B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021166B9	1_2_021166B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C6BD	1_2_0211C6BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C6C9	1_2_0211C6C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116735	1_2_02116735
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C735	1_2_0211C735
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116729	1_2_02116729
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C759	1_2_0211C759
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C741	1_2_0211C741
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C7BD	1_2_0211C7BD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021177A8	1_2_021177A8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021137D4	1_2_021137D4
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C7E1	1_2_0211C7E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110407	1_2_02110407
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116431	1_2_02116431
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211643D	1_2_0211643D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116455	1_2_02116455
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110459	1_2_02110459
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114475	1_2_02114475
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113476	1_2_02113476
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116479	1_2_02116479
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211047D	1_2_0211047D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211447D	1_2_0211447D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110465	1_2_02110465
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021154B5	1_2_021154B5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164DD	1_2_021164DD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164F1	1_2_021164F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164E5	1_2_021164E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021144E5	1_2_021144E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116536	1_2_02116536
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211452D	1_2_0211452D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C598	1_2_0211C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165C2	1_2_021165C2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165CD	1_2_021165CD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165F1	1_2_021165F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CA19	1_2_0211CA19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A1F	1_2_02113A1F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CA0D	1_2_0211CA0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A31	1_2_02113A31
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CA25	1_2_0211CA25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A5B	1_2_02112A5B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A5D	1_2_02113A5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A40	1_2_02112A40
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DA43	1_2_0211DA43
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A45	1_2_02113A45
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A79	1_2_02112A79
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116A7D	1_2_02116A7D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DA61	1_2_0211DA61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A9C	1_2_02113A9C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A81	1_2_02112A81
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116A89	1_2_02116A89
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DA89	1_2_0211DA89
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A8D	1_2_02112A8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113AB2	1_2_02113AB2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CAA1	1_2_0211CAA1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CAAD	1_2_0211CAAD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211BAD3	1_2_0211BAD3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CAC5	1_2_0211CAC5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DAC7	1_2_0211DAC7
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DAF5	1_2_0211DAF5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110AE8	1_2_02110AE8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211BB1D	1_2_0211BB1D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211BB05	1_2_0211BB05
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113B0D	1_2_02113B0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112B0C	1_2_02112B0C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110B33	1_2_02110B33
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110B3D	1_2_02110B3D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DB3D	1_2_0211DB3D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115B3F	1_2_02115B3F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116B21	1_2_02116B21
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116B2D	1_2_02116B2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CB2D	1_2_0211CB2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112B51	1_2_02112B51
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112B5D	1_2_02112B5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DB5D	1_2_0211DB5D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DB47	1_2_0211DB47
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110B49	1_2_02110B49
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115B75	1_2_02115B75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DB75	1_2_0211DB75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110B61	1_2_02110B61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112B69	1_2_02112B69
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115B69	1_2_02115B69
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211BB99	1_2_0211BB99
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DB9D	1_2_0211DB9D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115B8D	1_2_02115B8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113BB1	1_2_02113BB1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBB5	1_2_0211DBB5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113BBD	1_2_02113BBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113BA6	1_2_02113BA6
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBA9	1_2_0211DBA9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113BD5	1_2_02113BD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110BD5	1_2_02110BD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBD5	1_2_0211DBD5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116BC9	1_2_02116BC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBCD	1_2_0211DBCD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBF9	1_2_0211DBF9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116BFD	1_2_02116BFD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DBED	1_2_0211DBED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C816	1_2_0211C816
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C85D	1_2_0211C85D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116875	1_2_02116875
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211A877	1_2_0211A877
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116869	1_2_02116869
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211688D	1_2_0211688D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C8FD	1_2_0211C8FD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116919	1_2_02116919
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211090F	1_2_0211090F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116931	1_2_02116931
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115920	1_2_02115920
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116925	1_2_02116925
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115959	1_2_02115959
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211594D	1_2_0211594D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C995	1_2_0211C995
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C989	1_2_0211C989
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021169B9	1_2_021169B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C9A1	1_2_0211C9A1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021169F3	1_2_021169F3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116E25	1_2_02116E25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CE41	1_2_0211CE41
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEBD	1_2_0211CEBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CED5	1_2_0211CED5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112ED9	1_2_02112ED9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEC9	1_2_0211CEC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116EF5	1_2_02116EF5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112EF9	1_2_02112EF9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEED	1_2_0211CEED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116F19	1_2_02116F19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112F1D	1_2_02112F1D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116F01	1_2_02116F01
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116F0D	1_2_02116F0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CF61	1_2_0211CF61
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211AF6A	1_2_0211AF6A
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116F8D	1_2_02116F8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115C15	1_2_02115C15
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116C15	1_2_02116C15
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DC19	1_2_0211DC19
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116C09	1_2_02116C09
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115C09	1_2_02115C09
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DC0D	1_2_0211DC0D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116C21	1_2_02116C21
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DC25	1_2_0211DC25
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115C2D	1_2_02115C2D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02117C57	1_2_02117C57
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DC59	1_2_0211DC59
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DC71	1_2_0211DC71
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116CB5	1_2_02116CB5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211ACAC	1_2_0211ACAC
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116CCD	1_2_02116CCD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115CE5	1_2_02115CE5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DCE5	1_2_0211DCE5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DCED	1_2_0211DCED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116D11	1_2_02116D11
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DD11	1_2_0211DD11
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116D75	1_2_02116D75
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DD9D	1_2_0211DD9D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DDB1	1_2_0211DDB1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DDA5	1_2_0211DDA5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211DDC9	1_2_0211DDC9

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280612420.00000000020C0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Binary or memory string: OriginalFilenameReamusekbman.exe vs SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

File created: C:\Users\user\AppData\Local\Temp\~DF0927D9F65CCD4BB7.TMP

Jump to behavior

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Virustotal: Detection: 20%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000000.199329516.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0040662E push ebp; iretd	1_2_00406638
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110753 push edi; retf	1_2_0211076B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211076C push edi; retf	1_2_0211076B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211076C push edi; retf	1_2_02110790
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110791 push edi; retf	1_2_02110790

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113214	1_2_02113214
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211620D	1_2_0211620D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116231	1_2_02116231
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116225	1_2_02116225
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162D5	1_2_021162D5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162C9	1_2_021162C9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021162E1	1_2_021162E1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116379	1_2_02116379
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211636D	1_2_0211636D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116385	1_2_02116385
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021163E3	1_2_021163E3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211600D	1_2_0211600D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116025	1_2_02116025
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116095	1_2_02116095
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021160B9	1_2_021160B9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116111	1_2_02116111
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116175	1_2_02116175
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116161	1_2_02116161
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116169	1_2_02116169
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211568B	1_2_0211568B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021177A8	1_2_021177A8
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021137D4	1_2_021137D4
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02110407	1_2_02110407
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116431	1_2_02116431
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211643D	1_2_0211643D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116455	1_2_02116455
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116479	1_2_02116479
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164DD	1_2_021164DD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164F1	1_2_021164F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021164E5	1_2_021164E5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02116536	1_2_02116536
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C598	1_2_0211C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165C2	1_2_021165C2
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165CD	1_2_021165CD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_021165F1	1_2_021165F1
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02113A1F	1_2_02113A1F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A5B	1_2_02112A5B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A40	1_2_02112A40
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A79	1_2_02112A79
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A81	1_2_02112A81
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112A8D	1_2_02112A8D
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211BAD3	1_2_0211BAD3
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02112B0C	1_2_02112B0C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02115B3F	1_2_02115B3F
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211A877	1_2_0211A877
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02117878	1_2_02117878
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CE41	1_2_0211CE41
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEBD	1_2_0211CEBD
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CED5	1_2_0211CED5
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEC9	1_2_0211CEC9
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CEED	1_2_0211CEED
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CF79	1_2_0211CF79
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211CF61	1_2_0211CF61

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

RDTSC instruction interceptor: First address: 000000000211BB89 second address: 000000000211BB89 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 000000000211BB89 second address: 000000000211BB89 instructions:
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 000000000211B7D7 second address: 000000000211B73A instructions: 0x00000000 rdtsc 0x00000002 mov eax, E2C96E1Dh 0x00000007 add eax, F5135739h 0x0000000c add eax, 4CB33013h 0x00000011 xor eax, 248FF568h 0x00000016 cpuid 0x00000018 popad 0x00000019 cmp al, bl 0x0000001b call 00007F67F8BAD9A0h 0x00000020 lfence 0x00000023 mov edx, CF8A4B87h 0x00000028 xor edx, 92055ED3h 0x0000002e sub edx, 11EA7C92h 0x00000034 xor edx, 345A98D6h 0x0000003a mov edx, dword ptr [edx] 0x0000003c lfence 0x0000003f test eax, edx 0x00000041 cmp ebx, eax 0x00000043 cmp ch, ch 0x00000045 cmp dh, dh 0x00000047 jmp 00007F67F8BAD982h 0x00000049 test ecx, eax 0x0000004b test dx, cx 0x0000004e test ecx, 5A8CACB8h 0x00000054 cmp bh, 0000006Fh 0x00000057 ret 0x00000058 test ecx, edx 0x0000005a sub edx, esi 0x0000005c ret 0x0000005d test cx, cx 0x00000060 test dh, ch 0x00000062 test eax, ecx 0x00000064 add edi, edx 0x00000066 cmp cx, cx 0x00000069 dec dword ptr [ebp+000000F8h] 0x0000006f pushad 0x00000070 lfence 0x00000073 rdtsc
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	RDTSC instruction interceptor: First address: 000000000211B73A second address: 000000000211B7D7 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [ebp+000000F8h], 00000000h 0x00000012 jne 00007F67F8CB656Eh 0x00000014 cmp dx, cx 0x00000017 cmp dl, bl 0x00000019 call 00007F67F8CB6650h 0x0000001e call 00007F67F8CB6613h 0x00000023 lfence 0x00000026 mov edx, CF8A4B87h 0x0000002b xor edx, 92055ED3h 0x00000031 sub edx, 11EA7C92h 0x00000037 xor edx, 345A98D6h 0x0000003d mov edx, dword ptr [edx] 0x0000003f lfence 0x00000042 test eax, edx 0x00000044 cmp ebx, eax 0x00000046 cmp ch, ch 0x00000048 cmp dh, dh 0x0000004a jmp 00007F67F8CB65D2h 0x0000004c test ecx, eax 0x0000004e test dx, cx 0x00000051 test ecx, 5A8CACB8h 0x00000057 cmp bh, 0000006Fh 0x0000005a ret 0x0000005b mov esi, edx 0x0000005d pushad 0x0000005e rdtsc

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 1_2_0211812F rdtsc

1_2_0211812F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 1_2_0211812F rdtsc

1_2_0211812F

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211401B mov eax, dword ptr fs:[00000030h]	1_2_0211401B
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211B199 mov eax, dword ptr fs:[00000030h]	1_2_0211B199
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211C598 mov eax, dword ptr fs:[00000030h]	1_2_0211C598
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02117A5C mov eax, dword ptr fs:[00000030h]	1_2_02117A5C
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_02114B10 mov eax, dword ptr fs:[00000030h]	1_2_02114B10
Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	Code function: 1_2_0211A910 mov eax, dword ptr fs:[00000030h]	1_2_0211A910

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe, 00000001.00000002.1280321907.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Code function: 1_2_0211D094 cpuid

1_2_0211D094

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	21%	Virustotal		Browse
SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe	9%	ReversingLabs

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://andreameixueiro.com/karin_entmCGmZw1b;z	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/karin_entmCGmZw1b;z	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	450598
Start date:	19.07.2021
Start time:	12:41:29
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name:	Suspected Instruction Hammering Hide Perf
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 8.5% (good quality ratio 3.1%) Quality average: 20.3% Quality standard deviation: 30.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Max analysis timeout: 600s exceeded, the analysis took too long Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size exceeded maximum capacity and may have missing disassembly code.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2291079634082305
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
File size:	241664
MD5:	597eff6540780213008d384ca831852a
SHA1:	74fcaa7b00efdfc2056eb4651aea03c529d9bf8d
SHA256:	464e32b273ff94e18247402fec1445dceb07fe8ea16490038fa64b9a23672cf0
SHA512:	c15389829bb474e00e8c60912a5c78ff7f5bc459e55bf984f5ce9f4e2478c005908d51d4a629708cb1f811f37213bd8c04a8b9fc68459ce666983cb767b80114
SSDEEP:	3072:v3BepJlZa/Qrp8XvPZFbzt2dQXty7gHJlZapGBR:piUQrOfKorHP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....?@P................. ...................0....@................

File Icon


Icon Hash:	f8fcd4ccf4e4e8d0

Static PE Info

General
Entrypoint:	0x4019b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x50403FEF [Fri Aug 31 04:39:11 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9f7dd0da1a2a1266893e1ae4ef42b67

Entrypoint Preview

Instruction
push 00408AC8h
call 00007F67F8AE0DE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov gs, word ptr [eax]
retf 5E45h
dec esp
dec esi
xchg eax, esp
or byte ptr [ecx+ebp-2Ah], bl
les ecx, fword ptr [edx-3Bh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
je 00007F67F8AE0E29h
inc ecx
insb
imul edx, dword ptr [eax+4Ch], 45544E41h
push ebx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
xor dword ptr [ebx+ecx*8-05h], ebp
and bl, bh
xchg eax, ebp
add cl, byte ptr [ebp-67h]
dec esi
fcmovne st(0), st(3)
aam 4Eh
xor ecx, ecx
in al, dx
cmp byte ptr [ecx+3737A5A5h], dh
inc ebp
mov esp, 1EF3FCEAh
cdq
idiv dword ptr [ebx+33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push cs
jo 00007F67F8AE0DF2h
add byte ptr [esi+00000068h], bl
add eax, 6C656300h
jnc 00007F67F8AE0DF3h
or eax, 4D000C01h
jne 00007F67F8AE0E61h
outsb
imul esi, dword ptr [ebp+6Dh], 6C616D73h
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32194	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x6d26	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31804	0x32000	False	0.390200195312	data	6.38510729758	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x33000	0x1290	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x6d26	0x7000	False	0.482107979911	data	5.46196518031	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ae7e	0xea8	data
RT_ICON	0x3a5d6	0x8a8	data
RT_ICON	0x39f0e	0x6c8	data
RT_ICON	0x399a6	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x373fe	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x36356	0x10a8	data
RT_ICON	0x359ce	0x988	data
RT_ICON	0x35566	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x354f0	0x76	data
RT_VERSION	0x35240	0x2b0	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Socialbakers
InternalName	Reamusekbman
FileVersion	1.00
CompanyName	Socialbakers
LegalTrademarks	Socialbakers
ProductName	PLANTES
ProductVersion	1.00
OriginalFilename	Reamusekbman.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 5968 Parent PID: 5572

General

Start time:	12:42:15
Start date:	19/07/2021
Path:	C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe'
Imagebase:	0x400000
File size:	241664 bytes
MD5 hash:	597EFF6540780213008D384CA831852A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.199329516.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 5968 Parent PID: 5572 SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCOMMON

Executed Functions

Function 0211812F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 195memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02118392

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 3fe264aead40bf1ac246a9fd1ca55b65070f521ce84ade10588ba40a3dfd5f10
Instruction ID: f76380f6cb8b5948a8fc4f9fc9ec8ad776adf849d52ed3df873b41c4dbba5921
Opcode Fuzzy Hash: 3fe264aead40bf1ac246a9fd1ca55b65070f521ce84ade10588ba40a3dfd5f10
Instruction Fuzzy Hash: DA517875A943098FEF786E2498A53EF37A3EF56354F96803DDC8A4B201D7304582CB0A

Uniqueness

Uniqueness Score: -1.00%

Function 021181E5, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 2a61fd2d8045ad5b49581120acde08502ddf4302b109d80c060af5cdd96c85ee
Instruction ID: 0c0c63f39a43d2a486bad0b42f3ad712d83ce95bd2496aa3cf1bc7e28ab7aba3
Opcode Fuzzy Hash: 2a61fd2d8045ad5b49581120acde08502ddf4302b109d80c060af5cdd96c85ee
Instruction Fuzzy Hash: 0D412672B44349CFEF746E6188913EE77E2AF56314F9A843DCC895B211D7308986CB06

Uniqueness

Uniqueness Score: -1.00%

Function 021181FD, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02118392

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 770309fa3e7b025d7b2d313da2335c5c5336954ab4c14e4a6bde6db035e0744a
Instruction ID: 5ff5ad75155521ac4d937f299a79aec2c78ac21978efacb7ff5ecf7e08bbb2b7
Opcode Fuzzy Hash: 770309fa3e7b025d7b2d313da2335c5c5336954ab4c14e4a6bde6db035e0744a
Instruction Fuzzy Hash: 3B412571B44349CFEF74AE6188913EE77E2AF66314F9A443DDC8A5B211D7304986CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02118299, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 2eb57967900dcabb4ae9da02a567249951e2dd320d424dfcb2ccf2097f339fac
Instruction ID: 65d9ab7e8f5749eadf36e0a2af85295e198ed3d140bde9bb55ea16c2b91c0650
Opcode Fuzzy Hash: 2eb57967900dcabb4ae9da02a567249951e2dd320d424dfcb2ccf2097f339fac
Instruction Fuzzy Hash: 4331C372A54349DFEF75AE2198503EE77A2FF65314F56842DDC894B210D7308A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0211834D, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 71COMMON

Download Yara Rule

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: &%F
API String ID: 0-2740587206
Opcode ID: 0f970d11da6d1ce2da4ed1262fae49cee0e38e92dfcb91863e29bb3043009154
Instruction ID: c9f0845d7a1479f96c9ae73a336c081f2388e737a12c3da5e7603ea036706fe1
Opcode Fuzzy Hash: 0f970d11da6d1ce2da4ed1262fae49cee0e38e92dfcb91863e29bb3043009154
Instruction Fuzzy Hash: DC21E432694245CFEF759E6588507DE37A2BF5A314F9A843DDC898B210D7308682CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02118365, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02118392

Strings

&%F, xrefs: 02118548

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: &%F
API String ID: 2167126740-2740587206
Opcode ID: 56f24b2829fae647f8c179a827ac60fadebf881d941b948692376f04f32d0b0d
Instruction ID: 8ca988a94249a2d1fc70b96c32dbdacc9b02d5098e562660aa5a66e1942bf5a4
Opcode Fuzzy Hash: 56f24b2829fae647f8c179a827ac60fadebf881d941b948692376f04f32d0b0d
Instruction Fuzzy Hash: 74112732945345CFEB719F6184407CE3BA2FF5A314F99842DDC898B210D7308682CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00431E00, Relevance: 66.8, APIs: 37, Strings: 1, Instructions: 263COMMON

Download Yara Rule

APIs

#607.MSVBVM60(?,000000FF,?), ref: 00431E62
__vbaStrVarMove.MSVBVM60(?), ref: 00431E6C
__vbaStrMove.MSVBVM60 ref: 00431E7D
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00431E89
__vbaLenBstr.MSVBVM60(?), ref: 00431E96
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431EA5
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00431EB6
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00431EC2
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431ECD
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 00431EDB
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 00431EEB
#537.MSVBVM60(00000000,?,00000001), ref: 00431EFB
__vbaStrMove.MSVBVM60 ref: 00431F06
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00431F0A
__vbaFreeStr.MSVBVM60 ref: 00431F1F
#537.MSVBVM60(00000000,?,00000001), ref: 00431F32
__vbaStrMove.MSVBVM60 ref: 00431F3D
__vbaInStr.MSVBVM60(00000000,00000000), ref: 00431F41
#616.MSVBVM60(?,-00000001), ref: 00431F55
__vbaStrMove.MSVBVM60 ref: 00431F60
__vbaFreeStr.MSVBVM60 ref: 00431F65
__vbaStrCat.MSVBVM60(00409E20), ref: 00431F79
__vbaStrMove.MSVBVM60 ref: 00431F80
__vbaStrCat.MSVBVM60(?,00000000), ref: 00431F87
__vbaStrMove.MSVBVM60 ref: 00431F8E
__vbaFreeStr.MSVBVM60 ref: 00431F93
__vbaErrorOverflow.MSVBVM60 ref: 00431FFB
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00432071
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0043209C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 004320CA
__vbaStrMove.MSVBVM60 ref: 004320D9
__vbaFreeObj.MSVBVM60 ref: 004320E2
#598.MSVBVM60 ref: 004320E8
__vbaStrCopy.MSVBVM60 ref: 004320F6

Strings

USERNAME, xrefs: 004320EE

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$Free$#537AnsiCheckErrorHresultListUnicode$#598#607#616BstrCopyNew2OverflowSystem
String ID: USERNAME
API String ID: 840069314-1047370299
Opcode ID: 98abaded3819448457fc8e2de2cd7a9c68cc0ccf42334d974409c0a4d972abfb
Instruction ID: 3e1be679c0f899b0f489a956c5e93e21d5b8713d4d3e8ae05c4dc1b8f8f4d0d5
Opcode Fuzzy Hash: 98abaded3819448457fc8e2de2cd7a9c68cc0ccf42334d974409c0a4d972abfb
Instruction Fuzzy Hash: 0591FF75900209AFCB04DFA5DD89DEFBBB8FF48700F10812AF605A72A5DB785945CB64

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD80, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00432071
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0043209C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 004320CA
__vbaStrMove.MSVBVM60 ref: 004320D9
__vbaFreeObj.MSVBVM60 ref: 004320E2
#598.MSVBVM60 ref: 004320E8
__vbaStrCopy.MSVBVM60 ref: 004320F6
__vbaHresultCheckObj.MSVBVM60(00000000,00401730,004091A0,0000074C), ref: 0043211D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 00432129
__vbaFreeStr.MSVBVM60(00432167), ref: 00432160

Strings

USERNAME, xrefs: 004320EE

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#598CopyListMoveNew2
String ID: USERNAME
API String ID: 3664798572-1047370299
Opcode ID: fd7e87add5e759b9b8e2da88a297157256be3d6bf3fcb6a9c91454db83ca04df
Instruction ID: d37fa5c259a7c521f5af574b843ebce1ebbbcecd524bcb1ce23f290fb7a387e4
Opcode Fuzzy Hash: fd7e87add5e759b9b8e2da88a297157256be3d6bf3fcb6a9c91454db83ca04df
Instruction Fuzzy Hash: E0312371900205ABCB04DF95CD89EEEBBB4FF4C704F10802AF615B7291D7789905CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004019B0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004019B5

Strings

VB5!6&*, xrefs: 004019B0

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1a086d5bf16f81fd9291c755d689b1bb151d5864a31b15e68f48bb950e7c90a2
Instruction ID: 026ec7011811c81fbed3cd22caf46f9a550679e3c692d7f5be09198d702175e5
Opcode Fuzzy Hash: 1a086d5bf16f81fd9291c755d689b1bb151d5864a31b15e68f48bb950e7c90a2
Instruction Fuzzy Hash: 5AD0A4A2A0E7C02ED307273488220812F345DA362030F08EBD0C0DF5B7D46C0848C326

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0211C598, Relevance: 9.5, Strings: 6, Instructions: 1951COMMON

Download Yara Rule

Strings

ZV&p, xrefs: 0211D272
aI>, xrefs: 0211681F
(L, xrefs: 021175B5
L)-b, xrefs: 0211631C
iEO, xrefs: 02110B21
a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: (L$L)-b$ZV&p$a#eT$iEO$aI>
API String ID: 0-2482760040
Opcode ID: 3a09e55ae1494616c012e219602e66e29ef6345f26f582758337a6f1738fb00e
Instruction ID: 5f63d1f69f0fc47d65de1cbc8830885a99e9b9fcc86d540769eb16d9f10d77af
Opcode Fuzzy Hash: 3a09e55ae1494616c012e219602e66e29ef6345f26f582758337a6f1738fb00e
Instruction Fuzzy Hash: CCF27D716443468FDF349E38CDA43DA7BA2AF56390F55823ECCD68B295D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02115B3F, Relevance: 6.1, Strings: 4, Instructions: 1140COMMON

Download Yara Rule

Strings

_ b2, xrefs: 02115BFC
aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C
L*H, xrefs: 02115D0F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L*H$L)-b$_ b2$aI>
API String ID: 0-3319191924
Opcode ID: 218ad779517c34426d371e12ec4e71aba2a7a5b8792b2ce3ae6c0399394b5093
Instruction ID: 201ae320e7458c491263808652a4b1657adfcb6769902be8558c1137d95374d6
Opcode Fuzzy Hash: 218ad779517c34426d371e12ec4e71aba2a7a5b8792b2ce3ae6c0399394b5093
Instruction Fuzzy Hash: 9592337164434ADFDB348E38C9A53DA77A2FF55390F95423EDC8A9B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021177A8, Relevance: 5.0, Strings: 3, Instructions: 1239COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C
iEO, xrefs: 02110B21

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$iEO$aI>
API String ID: 0-3725514886
Opcode ID: a69651c68944ddbc11062fe8d1008f4dc821c648633fa0c29f1e0ce453536fb9
Instruction ID: 8dcbbaf2fb624880fa9259d40fa5289e37c04face380391bd77aec8a6d8cdcdb
Opcode Fuzzy Hash: a69651c68944ddbc11062fe8d1008f4dc821c648633fa0c29f1e0ce453536fb9
Instruction Fuzzy Hash: A2A2747164434ADFCF349E348DA53DA7BA2BF55390F86423EDC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02110407, Relevance: 5.0, Strings: 3, Instructions: 1200COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C
Si, xrefs: 021107B5

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$Si$aI>
API String ID: 0-3394714570
Opcode ID: 44a3360c8b6d685e07f6f8acc3afe9b58b9827a0ab6df29ef246bee817696744
Instruction ID: 90af3c28ea1b0eb427aacbff574a34059011b65eceb8b7f92115bcc4bb36b3f2
Opcode Fuzzy Hash: 44a3360c8b6d685e07f6f8acc3afe9b58b9827a0ab6df29ef246bee817696744
Instruction Fuzzy Hash: BCA2557164434ADFDF349E348DA53DA77A2BF55390F96423EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02113214, Relevance: 4.8, Strings: 3, Instructions: 1054COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C
#&vM, xrefs: 021132D7

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: #&vM$L)-b$aI>
API String ID: 0-226628541
Opcode ID: 2c0cd5db91dd32e893cb9f241799e19491b5380b06cf33860dbace1de13a8c91
Instruction ID: 2ea0e509ea8949137e681462128801806a9cd206a1839dd42fb99c8a56b35bf5
Opcode Fuzzy Hash: 2c0cd5db91dd32e893cb9f241799e19491b5380b06cf33860dbace1de13a8c91
Instruction Fuzzy Hash: 8582447164434A9FDB349E38CDA53EA77A2FF55390F85422EDC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211BAD3, Relevance: 3.8, Strings: 2, Instructions: 1283COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: c08250fa61d9b504dd66f755afaf136557ffc9bbbf4cc66733ae2ce808675b2a
Instruction ID: b2a7c119cd1e4e6f364354089112b3018bd76d69edb0713fac56e2c0e5997167
Opcode Fuzzy Hash: c08250fa61d9b504dd66f755afaf136557ffc9bbbf4cc66733ae2ce808675b2a
Instruction Fuzzy Hash: 50A2347164434ADFDF349E38CDA53DA77A2BF56390F95422ECC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02113A1F, Relevance: 3.7, Strings: 2, Instructions: 1236COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 7e851e56c54ada1831b21a0945254b19ebd4569a57db9f383a3d322607b83be1
Instruction ID: 6e213c37373e41cbefc6145796d715de14e672b0505fec67b2f85915c445bb77
Opcode Fuzzy Hash: 7e851e56c54ada1831b21a0945254b19ebd4569a57db9f383a3d322607b83be1
Instruction Fuzzy Hash: F0A2547164434ADFDB349E38CDA53DA77A2FF55390F86422EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021137D4, Relevance: 3.7, Strings: 2, Instructions: 1151COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: f3fc6153241f68b30cb08153d055a6f451c1859306bd438abf485213d555fbfe
Instruction ID: 923b4ca1086fe631ecf4767cfacd7c2a939846136012a234ae7d36ef48301674
Opcode Fuzzy Hash: f3fc6153241f68b30cb08153d055a6f451c1859306bd438abf485213d555fbfe
Instruction Fuzzy Hash: 5392447164434A9FDF349E34CDA53EA77A2BF55390F86423EDC8A9B244D3308986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211600D, Relevance: 3.5, Strings: 2, Instructions: 953COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 611ae6862ceb30cfc6001066d46ab3092306e142eafa3859ce9055399b91ddd7
Instruction ID: dca301621e82ef6ae86415d31cd4b41f1485c72905f376c5643f19e421ea79ca
Opcode Fuzzy Hash: 611ae6862ceb30cfc6001066d46ab3092306e142eafa3859ce9055399b91ddd7
Instruction Fuzzy Hash: 2E72537164434A9FDB348E38CDA53DA7BA6FF55390F85422EDC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116025, Relevance: 3.4, Strings: 2, Instructions: 945COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 4669cb3f32ccde5398edf8ed805893cc40bf40a45e3e21725a5e8e562d0f4099
Instruction ID: 91dc9cc19209dd936fc5b43bdd5dc4495f73439e835ddf04723b8bfab1c5fa0a
Opcode Fuzzy Hash: 4669cb3f32ccde5398edf8ed805893cc40bf40a45e3e21725a5e8e562d0f4099
Instruction Fuzzy Hash: 1872547164434ADFDB349E38CDA53DA7BA2FF55390F85422EDC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116095, Relevance: 3.4, Strings: 2, Instructions: 933COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 4b5036decf20d850c1a454829c5481c1400db08771209d0b2be05d8dd82ad343
Instruction ID: a842e7179e2ec1f700f0ba6269fc4c7addcbe6dd852ab4c5242ef86892744a20
Opcode Fuzzy Hash: 4b5036decf20d850c1a454829c5481c1400db08771209d0b2be05d8dd82ad343
Instruction Fuzzy Hash: 7D72447164434ADFDB349E38CDA53DA77A6FF55390F85822EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021160B9, Relevance: 3.4, Strings: 2, Instructions: 920COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 341c9ea386dfeee5929d409e68553151d81f5b6e4a9cb52a4adbb1cfc9b1d7d1
Instruction ID: df61cbfa280732c3341df22d1efe0eba26c9df67825e67adf716575d6a4ee593
Opcode Fuzzy Hash: 341c9ea386dfeee5929d409e68553151d81f5b6e4a9cb52a4adbb1cfc9b1d7d1
Instruction Fuzzy Hash: 4472437164434ADFDB349E38CDA53DA77A2FF55390F85822EDC8A9B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116111, Relevance: 3.4, Strings: 2, Instructions: 915COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 14fed502030abbd2f3548ac9eead7bdc3928f9ce05e110da1e931b6fca5d076f
Instruction ID: 5e4c870bba8a49a0edb224e61cc07548cd8019a1a8a113b7ab20bdfc74b25e04
Opcode Fuzzy Hash: 14fed502030abbd2f3548ac9eead7bdc3928f9ce05e110da1e931b6fca5d076f
Instruction Fuzzy Hash: 6D72437164434ADFDB349E38CDA53DA77A2BF55390F95823EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116169, Relevance: 3.4, Strings: 2, Instructions: 908COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 411edf293c66ec20995168ed415ef3fb9c42f2d151ba8352820736ff92c28e56
Instruction ID: ae467b9ad9db20891e94141fa07aeace9617261f25c4e7e28cf783e8118f506c
Opcode Fuzzy Hash: 411edf293c66ec20995168ed415ef3fb9c42f2d151ba8352820736ff92c28e56
Instruction Fuzzy Hash: DD72457164434A9FDF349E34CDA53DA7BA2BF55390F95823EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116175, Relevance: 3.4, Strings: 2, Instructions: 906COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 11ce26cc4f43d1c2d86ce3129298c9dd064c97dd1e9e51f9e5f8ca8d65c6fe0f
Instruction ID: 5d5ab8f45e85bdcd1c393056437bbccd7ddc15fbc003961f99adc1a22baea095
Opcode Fuzzy Hash: 11ce26cc4f43d1c2d86ce3129298c9dd064c97dd1e9e51f9e5f8ca8d65c6fe0f
Instruction Fuzzy Hash: CA72457164434A9FDF349E38CDA53DA7BA2BF55390F95423EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116161, Relevance: 3.4, Strings: 2, Instructions: 900COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 0f5ac60bf363f7cce96cf79ee1ee3d799a8a74a16f2de7978db5a00490760443
Instruction ID: 41ef35cb4f393f04c7abb59fee241f0d9a10d4037932f7eed1ec43b22bfd47de
Opcode Fuzzy Hash: 0f5ac60bf363f7cce96cf79ee1ee3d799a8a74a16f2de7978db5a00490760443
Instruction Fuzzy Hash: 4072347164434A9FDB349E38CDA53DA7BA2BF55390F95423EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211620D, Relevance: 3.4, Strings: 2, Instructions: 880COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 2091bba98af4639137f8a9822c25bdd32eb4f20f8ed4f42d37e4e946fc3cbe1d
Instruction ID: eabe1e030665af22ce402892b1c1f53a20c197b31227f51cf3cdf211674f8ae4
Opcode Fuzzy Hash: 2091bba98af4639137f8a9822c25bdd32eb4f20f8ed4f42d37e4e946fc3cbe1d
Instruction Fuzzy Hash: 5362347164434ADFDB349E38CDA53DA77A2BF55390F95423EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116225, Relevance: 3.4, Strings: 2, Instructions: 873COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 7577efbbc2954edc534bc0ad91ff8dcf414a9c5296c6357532720ef5f8e497a9
Instruction ID: cfc2949a0a6580bcb0f945073987f5fba373a7acc9cfb043bdfd42aeced0e88b
Opcode Fuzzy Hash: 7577efbbc2954edc534bc0ad91ff8dcf414a9c5296c6357532720ef5f8e497a9
Instruction Fuzzy Hash: FC62447164434A9FDF349E38CDA53DA77A2BF55390F85823EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116231, Relevance: 3.4, Strings: 2, Instructions: 867COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: f2e4bef6c0b9a0b802339135ce364f97db78a881bbffa83e644cf2910f15c184
Instruction ID: 253c0ef23ce146ed5b4f9c0da2b82d77b4ce4f692329bc2e146357e3f64216be
Opcode Fuzzy Hash: f2e4bef6c0b9a0b802339135ce364f97db78a881bbffa83e644cf2910f15c184
Instruction Fuzzy Hash: AE62447164434ADFDB349E38CDA53DA77A2BF55390F85823EDC8A8B244D3318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021162C9, Relevance: 3.4, Strings: 2, Instructions: 851COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: de8d0f60a4b89abd2148a34bb769c6eb616b2edbe4e348ea85e2612993ef9095
Instruction ID: 749f837a8c806c3afed4a8e8b9405fb5137e3aaccf18763fba36369227fd2561
Opcode Fuzzy Hash: de8d0f60a4b89abd2148a34bb769c6eb616b2edbe4e348ea85e2612993ef9095
Instruction Fuzzy Hash: 2F62447164434A9FDF349E38CDA53DA77A2BF55390F85423EDC8A8B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211401B, Relevance: 3.3, Strings: 2, Instructions: 847COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: c4ba43dcad8e24382ef48593853547ee0891a4fc65f408e527f82b47f5618a34
Instruction ID: 1ae7d5c539033c148425a35d11ff70df69f0106bf076504fc72d4acc842478af
Opcode Fuzzy Hash: c4ba43dcad8e24382ef48593853547ee0891a4fc65f408e527f82b47f5618a34
Instruction Fuzzy Hash: F8622E75B4074ADFDB28DE28CCA4BEA73A2BF59350F85423DDC998B240D7319981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021162D5, Relevance: 3.3, Strings: 2, Instructions: 843COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 1547a191e91a9b2074f8c180bbe59a78493516142aeaae7ad2b535ba64a9db82
Instruction ID: 9f7c8e49e15ada80e099195908517013487fe6c4543db3852184b0ae6b6aad09
Opcode Fuzzy Hash: 1547a191e91a9b2074f8c180bbe59a78493516142aeaae7ad2b535ba64a9db82
Instruction Fuzzy Hash: DB62347164434A9FCF349E34CDA57DA7BA2BF55390F95423EDC8A8B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021162E1, Relevance: 3.3, Strings: 2, Instructions: 841COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F
L)-b, xrefs: 0211631C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L)-b$aI>
API String ID: 0-3981256006
Opcode ID: 6dc2b47e3b9d6980e78c5383fc7dce750017e723cc40c6cc3c752ce8f5039ca7
Instruction ID: 0c52a7b52297c3170a3a56f7e3710b73c96b5735b43c07b8dbdb31b720ae5e03
Opcode Fuzzy Hash: 6dc2b47e3b9d6980e78c5383fc7dce750017e723cc40c6cc3c752ce8f5039ca7
Instruction Fuzzy Hash: AE62347164434A9FDF349E34CDA57DA77A2BF55390F85423EDC8A8B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02114061, Relevance: 3.0, Strings: 2, Instructions: 501COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 05a481003796320607961823674fe4f82e0d68c5bbac9516830bc0c138e80749
Instruction ID: 0617bed08cc9a93cc29f8bff3f5aa83f44ef7bf7559613f46a3bd82a99b85de6
Opcode Fuzzy Hash: 05a481003796320607961823674fe4f82e0d68c5bbac9516830bc0c138e80749
Instruction Fuzzy Hash: 9C12037574474ADFDB28CF28CCA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114085, Relevance: 3.0, Strings: 2, Instructions: 494COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 87ed16111988f97c84a4ca24bed7b6c21fb83b4654015e0c148e332fe77f9e3c
Instruction ID: ae8074af7f51ba7acb61ffee257032530f79cc9f6ad6534970e65195fbc529ed
Opcode Fuzzy Hash: 87ed16111988f97c84a4ca24bed7b6c21fb83b4654015e0c148e332fe77f9e3c
Instruction Fuzzy Hash: A802F27574074ADFDB28CF28CDA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114111, Relevance: 3.0, Strings: 2, Instructions: 465COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 46ad5c6c53aaad5ec47e1446b93850908063c28f432b4bada0eecd914fdf310f
Instruction ID: f69d0591606bbce252ca85bff3f7ddd21e08b10850a0db84761848076c5ea156
Opcode Fuzzy Hash: 46ad5c6c53aaad5ec47e1446b93850908063c28f432b4bada0eecd914fdf310f
Instruction Fuzzy Hash: 2202247574074ADFDB28CF28CCA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211411D, Relevance: 3.0, Strings: 2, Instructions: 460COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 058975330c472ac4187f288c2a6e1cbbf1ca2ab818a65478af923d07bce13baa
Instruction ID: fc1b36a7c65ca08923209edc471b27df55ac59a22eb71c0baf5daaf9c4bd93e4
Opcode Fuzzy Hash: 058975330c472ac4187f288c2a6e1cbbf1ca2ab818a65478af923d07bce13baa
Instruction Fuzzy Hash: 6E02127574074ADFDB28CF28CDA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114109, Relevance: 3.0, Strings: 2, Instructions: 455COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: c90b391340f6503f7805c675ed1fc93dfcc7df71aa0d9d6d3746396ed1d0521e
Instruction ID: 6af150313904760308e906ae5f099e6722c5bf7fd525cc56cf4763753c3fd34a
Opcode Fuzzy Hash: c90b391340f6503f7805c675ed1fc93dfcc7df71aa0d9d6d3746396ed1d0521e
Instruction Fuzzy Hash: 1102127574074ADFDB28CE28CDA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114135, Relevance: 3.0, Strings: 2, Instructions: 452COMMON

Download Yara Rule

Strings

T', xrefs: 02114138
O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O$T'
API String ID: 0-544317793
Opcode ID: 9293f5bd983cfab2a2c6fcfeb92d74115931f293eaddc98884aaf26ab982783f
Instruction ID: 1a982301624046279cc0b4e69bd0abd0c78a435c2df3efed94eefc63c1e45509
Opcode Fuzzy Hash: 9293f5bd983cfab2a2c6fcfeb92d74115931f293eaddc98884aaf26ab982783f
Instruction Fuzzy Hash: 6002127574174ADFDB28CF28CCA4BEAB7A2BF55750F85422DDC998B240D730A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02110AE8, Relevance: 2.7, Strings: 2, Instructions: 208COMMON

Download Yara Rule

Strings

}, xrefs: 02110AFC
iEO, xrefs: 02110B21

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: iEO$}
API String ID: 0-3220441400
Opcode ID: f5453683663ab14e3da5945cc007b7eb6a179161c4e1f7f3d016a8a7bfaf9581
Instruction ID: e569cf092b087b2004a92c1b158011261e4d1c330d0d2ee2ee1ce5bb970c0c5b
Opcode Fuzzy Hash: f5453683663ab14e3da5945cc007b7eb6a179161c4e1f7f3d016a8a7bfaf9581
Instruction Fuzzy Hash: BE619B71A453068FDF346E3489943DF7BA79F56790F96013EDCC693254D7318888CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02115B69, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

_ b2, xrefs: 02115BFC
L*H, xrefs: 02115D0F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: 368db256ce9f2d4cbdae1bded0f924e9180a122152ce78f8c416d135ed19ccdc
Instruction ID: d62704f5134cae4b75af8661c9ebb32219069bd40bf9a4f58f4f86906feab2eb
Opcode Fuzzy Hash: 368db256ce9f2d4cbdae1bded0f924e9180a122152ce78f8c416d135ed19ccdc
Instruction Fuzzy Hash: 8551DF71641349AFEF34CE69CAD53DA72E3AB99300FD4853A8C4A8B245C335E685CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02115B75, Relevance: 2.7, Strings: 2, Instructions: 166COMMON

Download Yara Rule

Strings

_ b2, xrefs: 02115BFC
L*H, xrefs: 02115D0F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: d98b312c2e07af7e2502fca3916ad4e29c72c670589f33bac83e4bbf7492af90
Instruction ID: 9e0360e41927d0078da36bd699759371852474c595a7cd3f94df9c09a5170e85
Opcode Fuzzy Hash: d98b312c2e07af7e2502fca3916ad4e29c72c670589f33bac83e4bbf7492af90
Instruction Fuzzy Hash: 5451DF71641349AFEB34CE69CAE53DA72E3AF99300FD4853A8C4A8B245C335D685CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02115B8D, Relevance: 2.7, Strings: 2, Instructions: 156COMMON

Download Yara Rule

Strings

_ b2, xrefs: 02115BFC
L*H, xrefs: 02115D0F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: L*H$_ b2
API String ID: 0-3788260093
Opcode ID: 14e60c11b9f48330ff3392416aa8afa55a71082ec56c77a0c458a950b7a54fd4
Instruction ID: f006651df870654697106a31226aaa194e5b5a43611d70befcefa419522f7b95
Opcode Fuzzy Hash: 14e60c11b9f48330ff3392416aa8afa55a71082ec56c77a0c458a950b7a54fd4
Instruction Fuzzy Hash: 3E51EE71641349AFEB34CE69CAD53DA72E2AF99300FD4853A9C4A8B245C335E685CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02116379, Relevance: 2.1, Strings: 1, Instructions: 814COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 83278890046c835468dcb3696864f5f5022b06cc28214dc28923abef3939bd67
Instruction ID: 44497aca639b9290aea74699a6f66e486baf3d4b94330941587e344ba1b6b854
Opcode Fuzzy Hash: 83278890046c835468dcb3696864f5f5022b06cc28214dc28923abef3939bd67
Instruction Fuzzy Hash: FB62347164434A9FDF349E34CDA53DA77A2BF55390F85823EDC8A8B244D3358986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116385, Relevance: 2.1, Strings: 1, Instructions: 812COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 1fb6533d0d2d35bd7ca07b4d0ce8df59de75092b98d735fbe795061567ba07c4
Instruction ID: 8dfe58b74fd82a51f04803cfb8d32c7cfcdb42e5309dd36b270eab64e24c1ede
Opcode Fuzzy Hash: 1fb6533d0d2d35bd7ca07b4d0ce8df59de75092b98d735fbe795061567ba07c4
Instruction Fuzzy Hash: E462347164434A9FDF349E34CDA43DA77A2BF55390F85823EDC8A8B244D3358A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211636D, Relevance: 2.1, Strings: 1, Instructions: 809COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 10bf4d550a477fe93602cbcc79f659cab9ed86c1e8eaad8d29ecd2cabe692100
Instruction ID: b08f2df8a958e3b69ab668cebd0542fd11b4335f136c09d4436f07925317b332
Opcode Fuzzy Hash: 10bf4d550a477fe93602cbcc79f659cab9ed86c1e8eaad8d29ecd2cabe692100
Instruction Fuzzy Hash: F352447164434A9FDF349E34CDA43DA77A2BF55390F85823EDC8A8B244D3358A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021163E3, Relevance: 2.1, Strings: 1, Instructions: 807COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 98372fae51f4b3f73d6396b809f714b4997c4d08fbf355f8d013b61125715887
Instruction ID: 5076e07ed42b70f9c00a83ef3900a2677ac22041bc941842df062e72412907fc
Opcode Fuzzy Hash: 98372fae51f4b3f73d6396b809f714b4997c4d08fbf355f8d013b61125715887
Instruction Fuzzy Hash: C352547164434ADFDB349E34CDA53DA7BA2BF55390F95823ECC8A8B244D3358986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116431, Relevance: 2.0, Strings: 1, Instructions: 781COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 23acb3bade7dff5385c70365dff222119bb87f588c368faf7da3c2e114156c3e
Instruction ID: 718787bf44d6f9ba35ac315ebe6bc19454779e000d17c98dbf5991d7083d19fc
Opcode Fuzzy Hash: 23acb3bade7dff5385c70365dff222119bb87f588c368faf7da3c2e114156c3e
Instruction Fuzzy Hash: 1552337164434A9FDF349E34CDA53DA77A2BF55390F95823EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211643D, Relevance: 2.0, Strings: 1, Instructions: 779COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: f29b5e1283c1c5d60966ee52a8722e7a410c95e151c43d2fc46479989660573f
Instruction ID: daa6c91be432ec883c454e515f0b79f0401d93d292e05ba8a80aed83195a6f1f
Opcode Fuzzy Hash: f29b5e1283c1c5d60966ee52a8722e7a410c95e151c43d2fc46479989660573f
Instruction Fuzzy Hash: E552347164434A9FDF349E34CDA53DA77A2BF55390F95823EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116455, Relevance: 2.0, Strings: 1, Instructions: 768COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 712801cc2b8698896342e85108256aae4c438d67c61a9c764f5b67883d9506c2
Instruction ID: 6e3d9b48d7256fe68e2a55cc886a9e2803f1d42c32f434f05cff688e6fc5cc57
Opcode Fuzzy Hash: 712801cc2b8698896342e85108256aae4c438d67c61a9c764f5b67883d9506c2
Instruction Fuzzy Hash: 8152247164434A9FDF349E34CDA53DA77A2BF55390F95823ADC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116479, Relevance: 2.0, Strings: 1, Instructions: 762COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 87c31667cf4a01e62c8fcfc47dc35eb8fbdc1fc9963842bac66c470fbd59bb25
Instruction ID: 4aab48207c470fd1c1d794ba2058a17adee30a14a8336532132b044245f8b46f
Opcode Fuzzy Hash: 87c31667cf4a01e62c8fcfc47dc35eb8fbdc1fc9963842bac66c470fbd59bb25
Instruction Fuzzy Hash: 1252247164434ADFDF349E34CDA53DA77A2BF55390F95823ADC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116536, Relevance: 2.0, Strings: 1, Instructions: 758COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 62ff76b23b1c9d4cec95334166462a774fc8f0163b970914b7bb43bec6784706
Instruction ID: 1c67a933a29c8818947fe74689d689d9b907673ad325c70498da72d18582bff3
Opcode Fuzzy Hash: 62ff76b23b1c9d4cec95334166462a774fc8f0163b970914b7bb43bec6784706
Instruction Fuzzy Hash: 9E52457164434ADFDF348E34CDA53DA7BA2FF55390F95822ADC868B244D3358A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021164DD, Relevance: 2.0, Strings: 1, Instructions: 750COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: e3c0cded36cfd576773de15c3824b47a653cc4e393973645f3da6ad32ba962fa
Instruction ID: 5302b852ce406b280d752b8d5a2a3c57aebe68d90df6ad3b52f1263b870964c1
Opcode Fuzzy Hash: e3c0cded36cfd576773de15c3824b47a653cc4e393973645f3da6ad32ba962fa
Instruction Fuzzy Hash: 1A52347164434A9FDB349E34CDA53DA77A2BF55390F95823EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021164E5, Relevance: 2.0, Strings: 1, Instructions: 749COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: c701a7900a853e090045693cb52a1d721ca98d6326f062561eaf5d07abf78cdb
Instruction ID: 9507277d5850f6bcf39b72a4b04e510e913318d5545f152e241d2d26a40943e0
Opcode Fuzzy Hash: c701a7900a853e090045693cb52a1d721ca98d6326f062561eaf5d07abf78cdb
Instruction Fuzzy Hash: AC52247164434A9FDF349E34CDA53DA77A2BF55390F95823EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021164F1, Relevance: 2.0, Strings: 1, Instructions: 745COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 83d185ad082e74f08442ca99eaf0adefb4ff9fc718c958d10cce1c01af636c9e
Instruction ID: e920794ea2f2d8a09524e52313d6eba99c0c974495252ed98324c3d8ee0b7796
Opcode Fuzzy Hash: 83d185ad082e74f08442ca99eaf0adefb4ff9fc718c958d10cce1c01af636c9e
Instruction Fuzzy Hash: 9752247164434A9FDB349E34CDA53DA77A2BF55390F95823ADC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021165CD, Relevance: 2.0, Strings: 1, Instructions: 720COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 5becc6efa2f5b636474e80caaa260248928f9f53d74e733f162ca8b5a94fd95f
Instruction ID: 30e4bbe1fb33022e6705d5eec9ef1f5c1501661bece25c9aa17cba7b4dbb801b
Opcode Fuzzy Hash: 5becc6efa2f5b636474e80caaa260248928f9f53d74e733f162ca8b5a94fd95f
Instruction Fuzzy Hash: 2A42247164434ADFDF349E34CDA53DA77A2BF55390F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021165C2, Relevance: 2.0, Strings: 1, Instructions: 710COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 8e0f94e268feb4eedae5f87f1d8a3327c4fb807c14baaf848c8f9e33c9c6afc0
Instruction ID: 4ee0b2f3e3ece94a36f5e3297ff7e2c52bdadb319ec0b9aab82263a8a5be2c59
Opcode Fuzzy Hash: 8e0f94e268feb4eedae5f87f1d8a3327c4fb807c14baaf848c8f9e33c9c6afc0
Instruction Fuzzy Hash: 9742347164434ADFDF348E34CDA53DA77A2BF55390F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021165F1, Relevance: 2.0, Strings: 1, Instructions: 705COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 6bb954ec830e13f73230a2d95cfe6adc35136513aeeecb4b11aa70a5abecea12
Instruction ID: be7f30a7ed4f98c97d1bc5e6eb6dda024bdd98ec13b9e621de7fb4be8163740b
Opcode Fuzzy Hash: 6bb954ec830e13f73230a2d95cfe6adc35136513aeeecb4b11aa70a5abecea12
Instruction Fuzzy Hash: C342347164434ADFDF349E34CDA53DA77A2BF55390F95822EDC8A8B244D3348A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116695, Relevance: 1.9, Strings: 1, Instructions: 674COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: cd8cbbe4ffc3eed50fb32255d4556049b3f700b1ce1144762a6141abecd783cd
Instruction ID: 529574709c56cc4efbab61a0180d222eafdfa59328d1f70d40a3790b2077f58f
Opcode Fuzzy Hash: cd8cbbe4ffc3eed50fb32255d4556049b3f700b1ce1144762a6141abecd783cd
Instruction Fuzzy Hash: D642347164434ADFDF348E34CDA53DA77A2BF55390F95822EDC8A8B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021166B9, Relevance: 1.9, Strings: 1, Instructions: 663COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: fa3a011d30d40f07078ebdba792537262076a6487fd824114f6216af2362064c
Instruction ID: 604e16044b93215209b386d2e2cc66cd31c8eb8d31485a55e610fb3e5534f5cc
Opcode Fuzzy Hash: fa3a011d30d40f07078ebdba792537262076a6487fd824114f6216af2362064c
Instruction Fuzzy Hash: F242247164434ADFDF349E348DA57DA77A2FF55390F95822EDC8A8B244D3308A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116729, Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: 057fdb0e6925862affaaf6994db25d1235a2df93ab41b4afcfdd9410c9b300db
Instruction ID: bbaaf3b71ecaa773ebdfdafdb9055b605e57abfe993ac9b8f94d88a9034d3e9d
Opcode Fuzzy Hash: 057fdb0e6925862affaaf6994db25d1235a2df93ab41b4afcfdd9410c9b300db
Instruction Fuzzy Hash: 0B32237164434ADFDF349E348DA47DA77A6BF55390F85422EDC8A8B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02116735, Relevance: 1.9, Strings: 1, Instructions: 643COMMON

Download Yara Rule

Strings

aI>, xrefs: 0211681F

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: aI>
API String ID: 0-2190494086
Opcode ID: c07c88b519fc1afd98294aeb6535e56697421d5cc429669d789204a7878587b1
Instruction ID: c354770a71b02276cc0bf9b7127c76f5533cb7a9c768e09cc3ac95027c99d078
Opcode Fuzzy Hash: c07c88b519fc1afd98294aeb6535e56697421d5cc429669d789204a7878587b1
Instruction Fuzzy Hash: 4F32347164434ADFDF349E348DA47DA77B6BF55390F85822EDC8A8B244D3318A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02112A5B, Relevance: 1.7, Strings: 1, Instructions: 448COMMON

Download Yara Rule

Strings

iEO, xrefs: 02110B21

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: iEO
API String ID: 0-3111029432
Opcode ID: b7aebd9b4623e545d6532ac5276e35d9ad0a0e059ce9dbe45d9e7b702853ae14
Instruction ID: 2d7938e537ea012fccda6db9bbed1ec7a1e434d0cf0de56bb33abc9ce9ce2c52
Opcode Fuzzy Hash: b7aebd9b4623e545d6532ac5276e35d9ad0a0e059ce9dbe45d9e7b702853ae14
Instruction Fuzzy Hash: 0CE19771A44346DFDF349E7889A47DB3BA7AF6A390F85423EDC8997244D3318985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 021141D1, Relevance: 1.7, Strings: 1, Instructions: 427COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: ef794f2f18c7f6f6b4b315dce1ec547ae4f62383136b3a09e084e1260bafe447
Instruction ID: d9f525de39edf70e6674a80cf2ead0738f7808672ba286031872f1823bd7e8f7
Opcode Fuzzy Hash: ef794f2f18c7f6f6b4b315dce1ec547ae4f62383136b3a09e084e1260bafe447
Instruction Fuzzy Hash: 1EF1017574074ADFDB28CE28CDA4BEAB7A2BF15750F85422DDC998B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021141F5, Relevance: 1.7, Strings: 1, Instructions: 412COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: f4c9b9df25fe5509a403fc9afb870b62a1ea4a060c4178358df8976fdcc33ea0
Instruction ID: f22961cf1e2604d6a911b578c2d5537c47a5003916e6ab8959286d8b847e00d8
Opcode Fuzzy Hash: f4c9b9df25fe5509a403fc9afb870b62a1ea4a060c4178358df8976fdcc33ea0
Instruction Fuzzy Hash: B7F1107574074ADFEB38CE28CCA4BEA77A2BF55750F85422DDC998B240D731A981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211DA43, Relevance: 1.6, Strings: 1, Instructions: 393COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: b4b7aaf84cff93b8d20aca07eb3f4d82e17e106b55ced197efb58d1ed19bbeb2
Instruction ID: bff7801aee8b7d4e6714cf3eabe6a93b24fc3fc0e459da5c05f42dcb2393d6d9
Opcode Fuzzy Hash: b4b7aaf84cff93b8d20aca07eb3f4d82e17e106b55ced197efb58d1ed19bbeb2
Instruction Fuzzy Hash: 19D156716843498FDF38DE7899A43EE37A3AF95390F96413ADC4ACB254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02114289, Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 4b0b316796cf9a127fd9ec59902aee3a2553e7b89bcce054a415e5b7721049e9
Instruction ID: 87a39c65d2864ec7548b3928efdefc4a0c9fddb00a48b239bc71ab334613c0c8
Opcode Fuzzy Hash: 4b0b316796cf9a127fd9ec59902aee3a2553e7b89bcce054a415e5b7721049e9
Instruction Fuzzy Hash: 07E1217574034ADFEB38CE28CCA4BEA77A2BF55750F89422DDC998B240D7319981CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114295, Relevance: 1.6, Strings: 1, Instructions: 387COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 1ac400f5304103acf4c481e1b9ab22a5ea84a797c93603255754f4e4b117e9d7
Instruction ID: 20e77085d437a527ecc54dca9c71f07434c3520635cf5c1ef9c5e11d88f94627
Opcode Fuzzy Hash: 1ac400f5304103acf4c481e1b9ab22a5ea84a797c93603255754f4e4b117e9d7
Instruction Fuzzy Hash: A7E1237574074ADFDB38CE28CCA4BEA77A2BF55750F85422DDC998B240D7319981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0211427F, Relevance: 1.6, Strings: 1, Instructions: 382COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 824dd1e2c1f84eb4f02fddd11d9bd2b2d8d89c2c1525be2f8e4790c8f29c93f5
Instruction ID: 04c12e6ba3d5d65cf53ab27e5d70926ed5df2cdf4baae7c0737e7b7f1edcc0c5
Opcode Fuzzy Hash: 824dd1e2c1f84eb4f02fddd11d9bd2b2d8d89c2c1525be2f8e4790c8f29c93f5
Instruction Fuzzy Hash: F8E1337574034ACFEB38CE28CDA4BEA77A2BF55750F85422DDC998B240D7319981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0211C625, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 816514643a8a6e2bf3e00bd2666e13ee1ebbe483270ad931ac73fa75b8d13f5c
Instruction ID: d61cfbe77d1b53585ab0e36f66175367bfeb3bd999d833f188d272adad935534
Opcode Fuzzy Hash: 816514643a8a6e2bf3e00bd2666e13ee1ebbe483270ad931ac73fa75b8d13f5c
Instruction Fuzzy Hash: 2FE134305883868ECB368E3889987DA7F925F53360F5982AACCE98F2D6D3358545C753

Uniqueness

Uniqueness Score: -1.00%

Function 021142AD, Relevance: 1.6, Strings: 1, Instructions: 376COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 82830b3442513a34e879c51a19c256ff78792510fc694cc72e0e00f69bfcfccc
Instruction ID: 826ffd30b4da6329b87ba93cff3478d56fed1d59bccf6f267e1872dde4be4cd2
Opcode Fuzzy Hash: 82830b3442513a34e879c51a19c256ff78792510fc694cc72e0e00f69bfcfccc
Instruction Fuzzy Hash: 59E1337574074ADFEB38CE28CCA4BEA77A2BF45750F89422DDC998B240D7319981CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0211C631, Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 73c8d7aed651a5e9754a2429ce32c122ef068d66671dd9e66bc686bed0de89fd
Instruction ID: d0830de0d1afa89e312f7bef751809a530941c05f1c409ead9eda3d97e39ed51
Opcode Fuzzy Hash: 73c8d7aed651a5e9754a2429ce32c122ef068d66671dd9e66bc686bed0de89fd
Instruction Fuzzy Hash: FFE124305883868EDB328F3889987DA7F925F53360F5982AACCE98F1D6D3348545C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C649, Relevance: 1.6, Strings: 1, Instructions: 365COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 7ff19d9ca760e23d5264f507b72c7a32ff921b31c866e71d4634e9ebf25e793a
Instruction ID: c19407bfe58e4ae4a7556071f2844fb81be59979e0349a58cdf08d1265f1636d
Opcode Fuzzy Hash: 7ff19d9ca760e23d5264f507b72c7a32ff921b31c866e71d4634e9ebf25e793a
Instruction Fuzzy Hash: 04D122305483868EDB328E3889A87DA7F929F57360F5982AACCE98F1D6D3348545C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C6BD, Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 5ee91177fbd28ea985e5c6d9bdf0a66dd88692d0726abd371371b18e855f1014
Instruction ID: 45832ddb81b135dd02e65fd3a6109061ef8c23b50ba62c6a241af0b1ef5d04d8
Opcode Fuzzy Hash: 5ee91177fbd28ea985e5c6d9bdf0a66dd88692d0726abd371371b18e855f1014
Instruction Fuzzy Hash: 48D103305883C68EDB328E3889987DA7FD25F17260F5A82AACCE98F1D6D3344546C753

Uniqueness

Uniqueness Score: -1.00%

Function 02114351, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: a3c278c09171853f7c74d595d6024214df5f0bf7af920bd8b654fc112db38e7b
Instruction ID: 33af5f4291c47ae591d4fdcdb440ed0806a27247594461e29286f24115ca73ea
Opcode Fuzzy Hash: a3c278c09171853f7c74d595d6024214df5f0bf7af920bd8b654fc112db38e7b
Instruction Fuzzy Hash: CDD1327574074ADFEB38CE28CDA4BEA77A2BF09750F85422DDC998B280D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211C6C9, Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 9ad0d2d963cbad7784a101d449621528bacc4a816076ec2fead280001a4d4b4a
Instruction ID: 59c84ca979616742927fbf1f2009101e7f793b6aa224e503cad6432502ae45ff
Opcode Fuzzy Hash: 9ad0d2d963cbad7784a101d449621528bacc4a816076ec2fead280001a4d4b4a
Instruction Fuzzy Hash: 6DD123305883C68ECB328E3889987DA7F925F17360F5A82AACCE98F1D6D3344546C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C735, Relevance: 1.6, Strings: 1, Instructions: 334COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: e4123d340a36be770c52fc0b2c36bbea09890147e870581cd50e541e535b81d7
Instruction ID: 16b1b58fa83929a7f8558577e781020a4bab37967c4368a7a06f4983ba3f461e
Opcode Fuzzy Hash: e4123d340a36be770c52fc0b2c36bbea09890147e870581cd50e541e535b81d7
Instruction Fuzzy Hash: 04C113305883C68ECB328E3889987DA7F925F17360F5A82AACCE98F1D6D3744545C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C759, Relevance: 1.6, Strings: 1, Instructions: 331COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 3ce5da93de3019d426fb58675360fdee04ff41233986a126c804f040eb0da7ca
Instruction ID: 5e84e77cce32ee2f82a1e8eb755ba2af96608e4a3680a62f105a5944bb6da2ac
Opcode Fuzzy Hash: 3ce5da93de3019d426fb58675360fdee04ff41233986a126c804f040eb0da7ca
Instruction Fuzzy Hash: 67C111315883C68ECB328E3889987DA7FD25F13260F5A82AACCE98F1D6D3744546C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C741, Relevance: 1.6, Strings: 1, Instructions: 330COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 89cd3e32377d10d63fe7f0fde821be7b93dc20363edf9365d151b22943d2a3d8
Instruction ID: d0ce3e6286763c43576681e1ed5ed2f894e4fb78346e5c15be21ed238e25ade3
Opcode Fuzzy Hash: 89cd3e32377d10d63fe7f0fde821be7b93dc20363edf9365d151b22943d2a3d8
Instruction Fuzzy Hash: 22C112305883C68ECB328E3889987DA7F929F17360F5A82AACCE98F1D6D3744545C753

Uniqueness

Uniqueness Score: -1.00%

Function 021143D5, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: e074cc0be0b9b9c40093a8195ba187ee44cc97efc22c2dac91f09366810fc936
Instruction ID: e8e0898ef98d79837d5d88d54a1625386768b23a0ad38a61332b4b1d32a73516
Opcode Fuzzy Hash: e074cc0be0b9b9c40093a8195ba187ee44cc97efc22c2dac91f09366810fc936
Instruction Fuzzy Hash: C8C1117564138A9FEB38CE28CDA4BEA77A2BF19750F85423DDC998B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021143E1, Relevance: 1.6, Strings: 1, Instructions: 323COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 46f7d8b533cc2a2a19ec7274a68cb565a05ed5345fba1f6ba6125c5d9223ee9b
Instruction ID: 9c793cdb8efbe51e4057e57237613b04d364c808270326e5afc24e0595600094
Opcode Fuzzy Hash: 46f7d8b533cc2a2a19ec7274a68cb565a05ed5345fba1f6ba6125c5d9223ee9b
Instruction Fuzzy Hash: 0EC1117564138ADFEB38CE28C9A4BEA77A2BF19750F85423DDC998B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211C7E1, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: ae033feba62a43b2bb89aec9816ca5b2c65801145e2136a1597e2b7202ccdc2c
Instruction ID: 3754ddb6428c264407767d273d8b85d83a1192c1d8491354497da8d526d3b8b7
Opcode Fuzzy Hash: ae033feba62a43b2bb89aec9816ca5b2c65801145e2136a1597e2b7202ccdc2c
Instruction Fuzzy Hash: 03C110305883C68ECB328F3889987DA7FD29F13260F5A82AACCA98F1D6D3354545C753

Uniqueness

Uniqueness Score: -1.00%

Function 0211C7BD, Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 0798364f75e29edb34de6d4cad409a41d8ccb89632b7fcdc53d84d313548efb7
Instruction ID: 6508f957e726930179390b344cf7b44cb92fa5f971ac84017f3f3e39c7323ae9
Opcode Fuzzy Hash: 0798364f75e29edb34de6d4cad409a41d8ccb89632b7fcdc53d84d313548efb7
Instruction Fuzzy Hash: 98B142305883868ECB328F3889983DA7FD29F13360F5982AACC998F1D6D3344685C753

Uniqueness

Uniqueness Score: -1.00%

Function 021154B5, Relevance: 1.5, Strings: 1, Instructions: 296COMMON

Download Yara Rule

Strings

iEO, xrefs: 02110B21

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: iEO
API String ID: 0-3111029432
Opcode ID: 1ee82db64c71ea255a7792e32800ca059d297fa6cadd4dd8accc1a69a359408b
Instruction ID: da1040320ef557a660b0f5f8622ecdc188c44a69246ac4cc393e62502fe58913
Opcode Fuzzy Hash: 1ee82db64c71ea255a7792e32800ca059d297fa6cadd4dd8accc1a69a359408b
Instruction Fuzzy Hash: 96A1A975A44306CFDF346E3489947DE37A7AF96790F96013E9C8693284D73189C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 0211447D, Relevance: 1.5, Strings: 1, Instructions: 294COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 0761478b3b39ce8dfa81eed02958260ec080cc65fadfe3a928bbda5dec5cf184
Instruction ID: e9bd36c35b992a9621c8fb0235f117cce26dce198c26ccc4787c4b0b5b581c06
Opcode Fuzzy Hash: 0761478b3b39ce8dfa81eed02958260ec080cc65fadfe3a928bbda5dec5cf184
Instruction Fuzzy Hash: A5B1117574138A9FEB38CE28C9A4BEA77A2BF19750F85423DDC998B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02114475, Relevance: 1.5, Strings: 1, Instructions: 286COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: f34575e31b28534861bde432b7c43eda9c665f782387c76cadb4d1ef2343ffdb
Instruction ID: 0e0d6a9b04407ffcc577d6307da60e09adb030d647396484818a8c6406aad64e
Opcode Fuzzy Hash: f34575e31b28534861bde432b7c43eda9c665f782387c76cadb4d1ef2343ffdb
Instruction Fuzzy Hash: E0B1217574138ADFEB38CE28C9A4BEA77A2BF19750F85423DDC998B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211DA89, Relevance: 1.5, Strings: 1, Instructions: 275COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 7626cac3d184d8b309c9c9aeb3c13a9eb6e2a8b19b7b38318f422c963bf80c1c
Instruction ID: 875919c94ef0656695358c53500694edf43ced65c097bfcf6c354f33bc7f9a99
Opcode Fuzzy Hash: 7626cac3d184d8b309c9c9aeb3c13a9eb6e2a8b19b7b38318f422c963bf80c1c
Instruction Fuzzy Hash: 1C917C71A44346CFDF38DE78D9B07EA37A2AF95350F56453ACC8A8B254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DA61, Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 5c427956cbf8e894d9b3b3d2cd8b794d47f91688826245e5f0a5d4c5f004c3e8
Instruction ID: 73dbc53dbbc2a2b0c06d968ab41eb1484932d60fee780aa1ac13432fc8d32f27
Opcode Fuzzy Hash: 5c427956cbf8e894d9b3b3d2cd8b794d47f91688826245e5f0a5d4c5f004c3e8
Instruction Fuzzy Hash: 9D917A71644346CFDF38DE7899B43EA37A2AF95390F96413ACC8A8B254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021144E5, Relevance: 1.5, Strings: 1, Instructions: 264COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: da8d12b5119d43900b36a3c62aa4aa796f50fe9202cafaeb48b55250e24a0dcd
Instruction ID: 69f25e956d1099960d208032cf650b0b9f1d17aa47f44cee0a915734d4d87c77
Opcode Fuzzy Hash: da8d12b5119d43900b36a3c62aa4aa796f50fe9202cafaeb48b55250e24a0dcd
Instruction Fuzzy Hash: C1A1327574038ADFEB38DF28D9A4BEA77A2BF05750F89422DDC998B240D7319941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211452D, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

O, xrefs: 0211457C

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: O
API String ID: 0-878818188
Opcode ID: 7e62babfa64d03998940a9c5c5aaf2d4066653cd629b11e10b5e684ce8891090
Instruction ID: 181bb11f0f732cb2774f7122fb5ae38fc42344d84d083c5ee89d91686e0a3f63
Opcode Fuzzy Hash: 7e62babfa64d03998940a9c5c5aaf2d4066653cd629b11e10b5e684ce8891090
Instruction Fuzzy Hash: 8FA1317564038ADFDB38CF38D9A4BEA77A2BF09750F45422DDC998B240D731A941CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211DAC7, Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: b7b903406ad721610c63cacfb8fe5b9773d9ee0a9da5a2089765d87578abe872
Instruction ID: a77c8817255b53832ccc3c895db29016c75e5f295dfe44b64224fd069e211583
Opcode Fuzzy Hash: b7b903406ad721610c63cacfb8fe5b9773d9ee0a9da5a2089765d87578abe872
Instruction Fuzzy Hash: E5918A71A44346CFDF38DE789DB47EA37A2AF55350F96413ACC8A8B254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DB9D, Relevance: 1.5, Strings: 1, Instructions: 257COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8780758c4a05f0e0924c3cdb93eb66fe7a5bbf383bf4edfea42dc5df7a41f924
Instruction ID: ad82de8148f7e2e94928e9cea3106d23d071aac89e63d1b2f46e3c92bb7cc49f
Opcode Fuzzy Hash: 8780758c4a05f0e0924c3cdb93eb66fe7a5bbf383bf4edfea42dc5df7a41f924
Instruction Fuzzy Hash: 0D917B31644349CFDF389E78D9A47EA37A2EF56350F96413ACC8A8F244D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DB5D, Relevance: 1.5, Strings: 1, Instructions: 256COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8c556c6ecc44a7aef9989ed545ac11e8dcaebb101f732b5f13e500ea66e8b200
Instruction ID: 13c71cfaaef37667210f6601b35bc2138393f36568efdab25b0de17864e7a6b8
Opcode Fuzzy Hash: 8c556c6ecc44a7aef9989ed545ac11e8dcaebb101f732b5f13e500ea66e8b200
Instruction Fuzzy Hash: 4D917B31644349CFDF389E78C9A47EA37A2AF56350F96413ACC8A8F254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DAF5, Relevance: 1.5, Strings: 1, Instructions: 253COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 3a1efd74c2d500370b9eb5af46a57870a3e3d5be534328e09d1e0e33b4ecaeeb
Instruction ID: a9931f906888fb5c7cda823299fc91ddf8841b72ddd3957f2c49ee54fda4d7e5
Opcode Fuzzy Hash: 3a1efd74c2d500370b9eb5af46a57870a3e3d5be534328e09d1e0e33b4ecaeeb
Instruction Fuzzy Hash: D0917971A44346CFDF389E78C9B47EA37A2AF55390F96453ACC8A8B254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DB47, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: f983ad9b9dbc7f44c8f57498dc2d9a09050f71fd9614c92487a2ea90592208c8
Instruction ID: 9db56ba5f6ab46d362be3613c3e29cc7a46a9712778d872fc2bd9f5eefb8ca55
Opcode Fuzzy Hash: f983ad9b9dbc7f44c8f57498dc2d9a09050f71fd9614c92487a2ea90592208c8
Instruction Fuzzy Hash: 58917B7164434ACFDF38DE78C9A47EA37A2AF55390F96413ACC8A8F254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DB3D, Relevance: 1.5, Strings: 1, Instructions: 249COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 6ebe891c9e3532ed71a1859d6664a13a7b5980efd84a660f50cf28d52617ea31
Instruction ID: 710fbadb255e5fed741e9440f28592a7b0c28afc0bae97c0ca18650600db15d7
Opcode Fuzzy Hash: 6ebe891c9e3532ed71a1859d6664a13a7b5980efd84a660f50cf28d52617ea31
Instruction Fuzzy Hash: 07916B7164434ACFDF389E78C9B47EA37A2AF55390F96453ACC8A8F254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DB75, Relevance: 1.5, Strings: 1, Instructions: 248COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 143dc2804877522583cf82592b8bc178ab2591daee03ca447fd411044021321f
Instruction ID: 6fd0521348f72f57849b9fc543892143296a3df70a796845b9592ec3535299b4
Opcode Fuzzy Hash: 143dc2804877522583cf82592b8bc178ab2591daee03ca447fd411044021321f
Instruction Fuzzy Hash: 60817A3164434ACFDF389E78C9A47EA37A2EF55390F96453ACC8A8F254D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211DBB5, Relevance: 1.5, Strings: 1, Instructions: 245COMMON

Download Yara Rule

Strings

bhg, xrefs: 0211DC01

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: bhg
API String ID: 0-2669674291
Opcode ID: 8fdc945fffb5d406d78404300e70c84643322aca373bf7d90639f025206f8848
Instruction ID: afeb1ec502f31220e5a4cb0c33e0dfe2758690bd16f766c1fbf340d740b46d19
Opcode Fuzzy Hash: 8fdc945fffb5d406d78404300e70c84643322aca373bf7d90639f025206f8848
Instruction Fuzzy Hash: CB815B31644346CFDF399E78DDA57EA37A2AF55390F96413ACC8A8F244D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0211568B, Relevance: 1.5, Strings: 1, Instructions: 215COMMON

Download Yara Rule

Strings

"i7, xrefs: 02115720

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: "i7
API String ID: 0-1634374468
Opcode ID: a235018ffa1c9106ad1e4852b6fb5e7dcaa7714f2e36fd0ac596b049d000b476
Instruction ID: 74b77e8dfae6df5ab5771d960cc870cb673f1a41e47c73cebe9dfbcbacaf5ef3
Opcode Fuzzy Hash: a235018ffa1c9106ad1e4852b6fb5e7dcaa7714f2e36fd0ac596b049d000b476
Instruction Fuzzy Hash: 747157B42403059FD7288E75C9A87DA77A3FF59390F92822DCC8A8B251D370C984CF52

Uniqueness

Uniqueness Score: -1.00%

Function 0211CA0D, Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 28cf39a8a0690ce9488f7e9892a4a541bc26d48687eee57e0f4f7c289604014d
Instruction ID: 40249446fd480000edb3aaa4ee4eea904f428dd83e2f7b8a9697f5905bfa8b58
Opcode Fuzzy Hash: 28cf39a8a0690ce9488f7e9892a4a541bc26d48687eee57e0f4f7c289604014d
Instruction Fuzzy Hash: B9615A705883858FCF369E348D943EA7B92AF173A0F5581BACC9A8F286D3350545CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0211CA19, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 84d456441833da8346a876775f03eb469ca8b399f7a3a0f418440c6a663c80cd
Instruction ID: 2bbd68c5ab42112e2f7ae8d316120d84fb1fc69f1677c8109bbf78a00c2355d2
Opcode Fuzzy Hash: 84d456441833da8346a876775f03eb469ca8b399f7a3a0f418440c6a663c80cd
Instruction Fuzzy Hash: 506159705883858FCF369E3489A43EA7B92AF573A0F5581BACC8A8F286D3350545CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0211CA25, Relevance: 1.4, Strings: 1, Instructions: 180COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 595d3fdf8f2b33ae2c9713864f1184d69091b32f4271fc055bc01f5e97dd2372
Instruction ID: ef8e6c00489c787c4b77f8b4fba01e236c5f830136790676223bc3c60225919e
Opcode Fuzzy Hash: 595d3fdf8f2b33ae2c9713864f1184d69091b32f4271fc055bc01f5e97dd2372
Instruction Fuzzy Hash: D0616A305883858FCF369E3489A43EA7F92AF173A0F5581BACC8A8F186D3340545CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0211CAC5, Relevance: 1.4, Strings: 1, Instructions: 163COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: a7a21a42b99cb1e4c5dbd48d591459e1001b33d42fad008aaf02ae4ebcb33b10
Instruction ID: 713e264adc7f5f92e9106f026801d902cc633aa641307c0eb0285763ead432d9
Opcode Fuzzy Hash: a7a21a42b99cb1e4c5dbd48d591459e1001b33d42fad008aaf02ae4ebcb33b10
Instruction Fuzzy Hash: F35136305843898FCF35DE3889943ED7BA2AF163A0F5581AECC9A8F285D3740645CB67

Uniqueness

Uniqueness Score: -1.00%

Function 0211CAA1, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 0c73012c94791b2f2a47d55bdcc0829852e2feade797ebcd8e7809f4014c0d29
Instruction ID: d617cfd24e32864d20e05f93ae42091a5e0230c485dd80c111b9454ca297a146
Opcode Fuzzy Hash: 0c73012c94791b2f2a47d55bdcc0829852e2feade797ebcd8e7809f4014c0d29
Instruction Fuzzy Hash: 205146305883898FCF359E3489A43EA7BA2AF173A0F55817ECC9A8F285D7340645CB57

Uniqueness

Uniqueness Score: -1.00%

Function 0211CAAD, Relevance: 1.4, Strings: 1, Instructions: 151COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: bc41698448eecbdcb80a7cc4507788c1f832140bfc18e494cd6820ad0a8e8ebe
Instruction ID: 718743973b1c819e43de5d01739f92818f6246f94d2e15f54433a1acca7ac1f3
Opcode Fuzzy Hash: bc41698448eecbdcb80a7cc4507788c1f832140bfc18e494cd6820ad0a8e8ebe
Instruction Fuzzy Hash: 945148305843898FCF359E348AA43EA3BA2AF163A0F55817ECC9A8F285D7344644CB57

Uniqueness

Uniqueness Score: -1.00%

Function 02110459, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

Si, xrefs: 021107B5

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 250d0668b3eed54e68f22fb250813a06d32950da3d4dd32f613e66621ad7ab6a
Instruction ID: de29674e1205a5ecde99c9173e206f2873b12dec16345cecea06509143bc472d
Opcode Fuzzy Hash: 250d0668b3eed54e68f22fb250813a06d32950da3d4dd32f613e66621ad7ab6a
Instruction Fuzzy Hash: 584188769443069FDF242E748D653EB3B639F862A0FD2063BCC9267144E33488C6CA53

Uniqueness

Uniqueness Score: -1.00%

Function 0211CB2D, Relevance: 1.4, Strings: 1, Instructions: 149COMMON

Download Yara Rule

Strings

a#eT, xrefs: 0211CCB8

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: a#eT
API String ID: 0-3965304268
Opcode ID: 09795f5dc2d1d258a7d6c50ecc95a9e87102b1ff823db4798a8a3822ca452067
Instruction ID: bd36b3872de39231590e371181761dd817082dd01969d41ca95031c1d55d1832
Opcode Fuzzy Hash: 09795f5dc2d1d258a7d6c50ecc95a9e87102b1ff823db4798a8a3822ca452067
Instruction Fuzzy Hash: E851343058438A8FCF359E3489A43EA7BA2EF163A0F55807ECC9A8F245D7344645CB67

Uniqueness

Uniqueness Score: -1.00%

Function 02110465, Relevance: 1.4, Strings: 1, Instructions: 146COMMON

Download Yara Rule

Strings

Si, xrefs: 021107B5

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 5f17c24ff712623d3801295fad02c28b3f73f8df34df5b14fd2f81d67dc312a9
Instruction ID: bf1874d5131a09a9b2f9be02869269da6a51901ed026db91017b961af2ac7109
Opcode Fuzzy Hash: 5f17c24ff712623d3801295fad02c28b3f73f8df34df5b14fd2f81d67dc312a9
Instruction Fuzzy Hash: CF4168669453069FDF242A748D653EB3B629F862A0FD3062BCC96A7144E33488C6CA53

Uniqueness

Uniqueness Score: -1.00%

Function 0211047D, Relevance: 1.4, Strings: 1, Instructions: 135COMMON

Download Yara Rule

Strings

Si, xrefs: 021107B5

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: Si
API String ID: 0-3827418516
Opcode ID: 4d4597722c1683dc18494ddcf1f124dfc0fd30876e3622dff4ad0341813271be
Instruction ID: 2006cc34fb31a4d5a5c582a9f20e9f57a4c792cbfd0bb9ee7945269987d327b8
Opcode Fuzzy Hash: 4d4597722c1683dc18494ddcf1f124dfc0fd30876e3622dff4ad0341813271be
Instruction Fuzzy Hash: CD41577694530A9FDF242A344D653EB3AA29F862A0FD3062FCC9667144E33488C6CA43

Uniqueness

Uniqueness Score: -1.00%

Function 0211B361, Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

`, xrefs: 0211B566

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: dd0e7020e78277c09dae0cc1379f8ba27fa3b48f40b81d9b8218d04b8ac9a702
Instruction ID: fb0f4ef749361727d6bd478c519afe6fc6cc868b58438fdb0005a4f2d7f59921
Opcode Fuzzy Hash: dd0e7020e78277c09dae0cc1379f8ba27fa3b48f40b81d9b8218d04b8ac9a702
Instruction Fuzzy Hash: 7E415B76448749CBDF348D298D793DB23A3AFA2290FD6813BCC9987195E3350686CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0211B3F9, Relevance: 1.4, Strings: 1, Instructions: 107COMMON

Download Yara Rule

Strings

`, xrefs: 0211B566

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: ead3d8e056320efb0977b333a9961edfdb850d66008ff172d2783a0227491398
Instruction ID: f6365ea1a775e291d992ec859e76918ed0702465db9f01e7d58e232ad50c825f
Opcode Fuzzy Hash: ead3d8e056320efb0977b333a9961edfdb850d66008ff172d2783a0227491398
Instruction Fuzzy Hash: A0317C7144874DC7DF348D3989B93EF23A3AFA1294FD2413ACC9A87184E3350686CB06

Uniqueness

Uniqueness Score: -1.00%

Function 0211B3BD, Relevance: 1.4, Strings: 1, Instructions: 106COMMON

Download Yara Rule

Strings

`, xrefs: 0211B566

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 584650d0a8e4d1cdc0881830f5643fa3b310be914d1041a12fa0b30cbabe29d6
Instruction ID: 551f7755d87eac86eda858bcfa982f9a864f5f678355e7fb067235603dc91c3e
Opcode Fuzzy Hash: 584650d0a8e4d1cdc0881830f5643fa3b310be914d1041a12fa0b30cbabe29d6
Instruction Fuzzy Hash: 04315971588749CBDF348D3989B93DB32A3AFA1290FD2413BCC9A87194E3354686CF06

Uniqueness

Uniqueness Score: -1.00%

Function 02116A89, Relevance: .5, Instructions: 496COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b057446b50fa22a631b3f87d0ce4850f6237fb81d8c84e3bde2a86897720ceb
Instruction ID: fae9392b53c2bdb5b1d702834b1920c851769756393111996c0a7c6147d3ac06
Opcode Fuzzy Hash: 2b057446b50fa22a631b3f87d0ce4850f6237fb81d8c84e3bde2a86897720ceb
Instruction Fuzzy Hash: 7002477164434ADFCF348E388DA47DA77A6BF55390F95423EDC8A9B284D3314A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02116A7D, Relevance: .5, Instructions: 491COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ae899c7c8065634da4583b1c69696b7249a0960aa691aaf7dc0f3b6e87dc5a54
Instruction ID: 44b4b6e5ace23a859592549df9dda6d2438787ca321161f25269a6d2eb51c473
Opcode Fuzzy Hash: ae899c7c8065634da4583b1c69696b7249a0960aa691aaf7dc0f3b6e87dc5a54
Instruction Fuzzy Hash: 8802377164434ADFCF348E388DA47DA77A6BF55390F95423EDC8A9B284D3318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02116B2D, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4662e426a4c974dc6f078ecd85431f37633e83e3133353826099bbd9be1d2645
Instruction ID: d896f2f9b8c5e60f996a0e65a25a3c82c1e693ea5ef130800d09717ed65ee9cb
Opcode Fuzzy Hash: 4662e426a4c974dc6f078ecd85431f37633e83e3133353826099bbd9be1d2645
Instruction Fuzzy Hash: 0D02157164434ADFCF349E38CDA47EA77A6BF55390F95422EDC8A8B244D3318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02116B21, Relevance: .5, Instructions: 470COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dac4551bc4d5112d0ca64e6b8488e908a8de256e066409640644a15c1572841c
Instruction ID: 45d7b2f66ceccc0ccf49df2da3515a4a5f9f9754d7a56de108621aab53da4424
Opcode Fuzzy Hash: dac4551bc4d5112d0ca64e6b8488e908a8de256e066409640644a15c1572841c
Instruction Fuzzy Hash: 7A02157164434ADFCF349E38CDA47EA77A6BF55390F95422EDC8A8B244D3318A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02113A45, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6b2f31fbf75345dfe7fbd64fb20e2b86a230ebbdbb05a3cd4ef77781196b8d6
Instruction ID: 066a8f46dedc1f5149e5d776247ed301d1ab2fa334e00ccb829974b3cd6c1e45
Opcode Fuzzy Hash: e6b2f31fbf75345dfe7fbd64fb20e2b86a230ebbdbb05a3cd4ef77781196b8d6
Instruction Fuzzy Hash: 4B91023164434ADFDB349E3999643EA77B6AFA5790F96803EDCD997148D3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02117010, Relevance: .3, Instructions: 269COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c78625319891c41fc4ffc92f1061ece053d33711a913498af378fecdaed59f10
Instruction ID: e83284aa298371707b4dac7e49cda6a0225e19dedda8089aebacdc57d4448333
Opcode Fuzzy Hash: c78625319891c41fc4ffc92f1061ece053d33711a913498af378fecdaed59f10
Instruction Fuzzy Hash: F8A14A702853499FDF358E34CDA47DA37A6BF55390F94423DDC8A8B284D7314A86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02113A31, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8d9724f5fe56ee9f9a55b51e5129d3cf856878e3e271bacc7e890ddffbadc5a
Instruction ID: 617d060a532240f71c1b895b27188d9081d0ca8a21dbe660fca3b10ccf816582
Opcode Fuzzy Hash: d8d9724f5fe56ee9f9a55b51e5129d3cf856878e3e271bacc7e890ddffbadc5a
Instruction Fuzzy Hash: EE91033164434ADFDB349E3999643EA77B6AFA5790F96803EDCD997144D3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02113A5D, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66a8b270096ef6acada18acb7964ad164fe847d80269d15a62a2259b6449d0fe
Instruction ID: 0790332d50909c6dfda1512ec9379f2a7812135f2b5b2225a6863f2546bbec24
Opcode Fuzzy Hash: 66a8b270096ef6acada18acb7964ad164fe847d80269d15a62a2259b6449d0fe
Instruction Fuzzy Hash: FE91023164434ADFDB349E39D9643EA77B6AFA5790F96803EDCD997144D3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02113A9C, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b9ccd4afbc7961c64c900ce9a2d757240127ea794fe0b1d083e33ebff978290
Instruction ID: 06eaa161a7b8f436aa7c72f8bb66734f888c223b30c60fa7bba257c3b88d713b
Opcode Fuzzy Hash: 3b9ccd4afbc7961c64c900ce9a2d757240127ea794fe0b1d083e33ebff978290
Instruction Fuzzy Hash: 8481123264434ADFCB309E29D9A43EA77B6AFA5790F96403EDCD997144D3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02113AB2, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0537271e1acc0d6041dc516f0129d45e86e1cc35dd138eed34e82771f5e62b1
Instruction ID: ac07aa28ae08374a4fe520f2f75cc4a6d5f04fd2f983b70c37fa1e55c6b5969c
Opcode Fuzzy Hash: c0537271e1acc0d6041dc516f0129d45e86e1cc35dd138eed34e82771f5e62b1
Instruction Fuzzy Hash: AD912132644349DFCB309E39D9A43EA77B6AFA5790F96803EDCD997144D3308982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0211702B, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f67b452794c41a563d06ed51f9ca5e1e135f07870c5f89a62d3fe4ec75db744b
Instruction ID: 3dfb61b68e83b11756ffc1fd03dca59e39a4b543f0082381d4b2fe42eb36c21b
Opcode Fuzzy Hash: f67b452794c41a563d06ed51f9ca5e1e135f07870c5f89a62d3fe4ec75db744b
Instruction Fuzzy Hash: D391287028534A9FDF359E34CDA47DA37A6BF69390F84422DDD8A8B284D7314A86CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02113B0D, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6a3fe80276206a6ee8306beb8dbc16f3cabd67479f350eb233707bd17283ed
Instruction ID: 37132a71ed34dc01ec2f31af085dbd35ced51508974c88b7b60bc54c7d27220a
Opcode Fuzzy Hash: 4d6a3fe80276206a6ee8306beb8dbc16f3cabd67479f350eb233707bd17283ed
Instruction Fuzzy Hash: 12811232644349DFDB349E39D9A43EA77B6AFA5790F96403EDC9997144D3308A82CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02112A40, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3e46a50c1ecd4f01469e11048dcea284b8fb8813f8bc327860b0e0c14f2fba8
Instruction ID: 32b177b16e60bf5b4e2a9c5f15b2f74113b565bc185796e3f5085d3734a35da1
Opcode Fuzzy Hash: c3e46a50c1ecd4f01469e11048dcea284b8fb8813f8bc327860b0e0c14f2fba8
Instruction Fuzzy Hash: CA717D75644356DFDF309E78DCA47DB3BA6AF593A0F80423EDC899B244D3314A818712

Uniqueness

Uniqueness Score: -1.00%

Function 02112A81, Relevance: .2, Instructions: 230COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a22c27569949072b101ab18c518fc05fa04ec410f4037e9f1dd8c6cfb6b6441
Instruction ID: 0049a525961291e009ee0e532f5e7c710caa2a7533a749bed316960dd1a3b29f
Opcode Fuzzy Hash: 7a22c27569949072b101ab18c518fc05fa04ec410f4037e9f1dd8c6cfb6b6441
Instruction Fuzzy Hash: ED718C75604386DFDF309E68DCA4BDB37A6AF593A0F80413EDC899B244D7714A81C712

Uniqueness

Uniqueness Score: -1.00%

Function 02112A8D, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b2997f3ec6d1f80f09bda3628f449053c7ed07e9b7bb0366c21ef975d2d5103c
Instruction ID: 23b00788f113fa15f919f2ff6fae6e4c1cf63085934308fb5bef301808f29703
Opcode Fuzzy Hash: b2997f3ec6d1f80f09bda3628f449053c7ed07e9b7bb0366c21ef975d2d5103c
Instruction Fuzzy Hash: D3716975604386DFDF309E68DCA47DB37A6AF593A0F80413EDC899B244D3718A81C712

Uniqueness

Uniqueness Score: -1.00%

Function 02117109, Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84c5014b0ad37c3f2812c919d9ba913e731c2d9bd0d2173ea28e1af8326ae3bf
Instruction ID: b88741de4ca35a8bee37504514b1eb091aea126262f70218a4f4c690d18f29b4
Opcode Fuzzy Hash: 84c5014b0ad37c3f2812c919d9ba913e731c2d9bd0d2173ea28e1af8326ae3bf
Instruction Fuzzy Hash: 9F81267168534A8FDF359E34CDA47DA3BA6BF5A390F84422DDD8A8B284C7314986CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02112A79, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6690fd6e805d00fbf4c3513a13dfe1962ae3f78d33f7c40266ab68adee8885bb
Instruction ID: 45711593559c521a4547a71d5914465c82274240e609016cc04078327c535064
Opcode Fuzzy Hash: 6690fd6e805d00fbf4c3513a13dfe1962ae3f78d33f7c40266ab68adee8885bb
Instruction Fuzzy Hash: 5B716A75604396DFDF309E68DCA47DB37A6AF593A0F80413EDC899B244D3318A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02113BB1, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 029157db7dbdf0bc79b63e721eb5be16122302863a7f470c317b8f8fd4d59ee4
Instruction ID: 1f8f3151f776f5fbe837e4ab55bd97a2d7e7c23fa1d64480cb73bd8750b0fb03
Opcode Fuzzy Hash: 029157db7dbdf0bc79b63e721eb5be16122302863a7f470c317b8f8fd4d59ee4
Instruction Fuzzy Hash: 7371123224434ADFDB349E3999647EA77B6AFA5790F96843EDCD997104C3309982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02113BBD, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc36b9b7cf8784583011d818f0c46d2bbddcf74e94aad4c34eb1c826e9a67cfd
Instruction ID: f233232e5ebb78a70b060f843c4935bf1a0ab8426706870b4a60e1e7a870bea2
Opcode Fuzzy Hash: fc36b9b7cf8784583011d818f0c46d2bbddcf74e94aad4c34eb1c826e9a67cfd
Instruction Fuzzy Hash: 6771133264434ADFDF349E29D9543EE77B6AFA5790F96803EDC9997104C33099868B02

Uniqueness

Uniqueness Score: -1.00%

Function 0211BB05, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eae8af74464b7edd24de20f1ea9026bcb25c9d4eb0e897d6cbe80a21c377cf38
Instruction ID: 8075962d38a9e0380e3837d30d357133479394fac0df3fe22b2e41cde05c2e51
Opcode Fuzzy Hash: eae8af74464b7edd24de20f1ea9026bcb25c9d4eb0e897d6cbe80a21c377cf38
Instruction Fuzzy Hash: 4A618A7164830A9FDB348D24DDA43EB7763AF9A344F86412ECC8957608D7304A87CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02112B0C, Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 777158fac981908e7ae7269b9e0261f76cfedaee10258c5b32ec4b55b69d4113
Instruction ID: b95cba89fdbd86b3443be6c9e81dd6fd6c8cccaf23ba76b4fce90cf0cd676307
Opcode Fuzzy Hash: 777158fac981908e7ae7269b9e0261f76cfedaee10258c5b32ec4b55b69d4113
Instruction Fuzzy Hash: 9E616D74A44396EFDF719E78DC987DB37A6AF593A0F844139DC889B244D3314A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02114B10, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b767c11c7ec86df9b1e65562e32bb86ca11c730a0e2a027b07fb5553d0b2ae0
Instruction ID: 2dea19d8b51d10d62eb27f2e7ea17a9211d14553194943312bcdf411c686d4c0
Opcode Fuzzy Hash: 1b767c11c7ec86df9b1e65562e32bb86ca11c730a0e2a027b07fb5553d0b2ae0
Instruction Fuzzy Hash: 4B61D375B04B569FDB389E28CC607EA33A2AF54790F85823DDC99D7240DB319985CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0211BB1D, Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f603094b055dd82539af02ac55acbdb3e3c891aa3c493208fb46110222d5462
Instruction ID: 61a2b1722cb6a0067fdcbe197faf9c7f61825d4d5d8746c3b2f4f0a5402e370e
Opcode Fuzzy Hash: 7f603094b055dd82539af02ac55acbdb3e3c891aa3c493208fb46110222d5462
Instruction Fuzzy Hash: 15618A716483069FDB348D34DDA47EB77A3AF8A344F86412ECC8997648D3304A87CB86

Uniqueness

Uniqueness Score: -1.00%

Function 02110B3D, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c7e1ad97026847e988b7a35e97b46dee00bb2ec2bbf677755dd6557b942dfd5
Instruction ID: 10e7b37f52dd87a006defa590d762dff0d89f41e91c76e5b3a52deed9830443f
Opcode Fuzzy Hash: 2c7e1ad97026847e988b7a35e97b46dee00bb2ec2bbf677755dd6557b942dfd5
Instruction Fuzzy Hash: D7519875A453068FCF349E348A947DE3BB79F66390F86013EDCC6A3254D3318889CA82

Uniqueness

Uniqueness Score: -1.00%

Function 02110B49, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3162b882483988bd4f2b26c5cad095704684ee228dcb779d299430df4c56bcf4
Instruction ID: d6370b11a8a8671883e1a5b3400a3a61ef2c7b9ec93e80900691cff3b2f2d014
Opcode Fuzzy Hash: 3162b882483988bd4f2b26c5cad095704684ee228dcb779d299430df4c56bcf4
Instruction Fuzzy Hash: F651B835A453068FCF346E3489943DB3BB39F66390F86013EDC86A3254D33288C8CA82

Uniqueness

Uniqueness Score: -1.00%

Function 021171B1, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f0a3fc1e4e4517849902b7e8034f138b07d524c761c2bfd50894f7d3bb22115
Instruction ID: ebd6e2256d6a9070a1b4e147020cb383278b8d9bf2e2cebae9a2793f3d0d0599
Opcode Fuzzy Hash: 6f0a3fc1e4e4517849902b7e8034f138b07d524c761c2bfd50894f7d3bb22115
Instruction Fuzzy Hash: 6761273168534A8FDF359E34CD607DA3BA6FF69390F844239DD8A9B284C7318986CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02110B33, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f896a034d9d120154bec3194f671c0d7b8fc2393c82ab2de5d1038fa10a51af2
Instruction ID: 92c3e5946a1847bb4c10a7dd628b992202997ce20f6ed824b1c9c2a5a8b85a32
Opcode Fuzzy Hash: f896a034d9d120154bec3194f671c0d7b8fc2393c82ab2de5d1038fa10a51af2
Instruction Fuzzy Hash: A751A971A453068FDF346E3489943DB3BB79F66390F86013EDCC6A3254D3328889CA82

Uniqueness

Uniqueness Score: -1.00%

Function 02110B61, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3f527525962b212a00c76ef76dfadb1f98315f9cd047eef889d27602a7524e3
Instruction ID: fc2e9f793edf7195dddc2bbaa6857dbb540b93d9b37fa992b0ef87e9314c7e50
Opcode Fuzzy Hash: f3f527525962b212a00c76ef76dfadb1f98315f9cd047eef889d27602a7524e3
Instruction Fuzzy Hash: F2519971A453068FDF345E3489947DF7BA79F66780F86013EDCC6A3654D7328888CA82

Uniqueness

Uniqueness Score: -1.00%

Function 02112B5D, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c020ac0fe07fdd5e7e1f6313d350929bef02f4115acaf4d834ce5c7879c062fc
Instruction ID: 88f93012e827196ef5bb0f0b687cab7aaeb9438029a6c8e46a331241319a83f4
Opcode Fuzzy Hash: c020ac0fe07fdd5e7e1f6313d350929bef02f4115acaf4d834ce5c7879c062fc
Instruction Fuzzy Hash: A9511A74644356DFDF319E78DC98BDB37A6AF593A0F84423ADC889B244D3718A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02112B69, Relevance: .2, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9311e0d7d0d0c20fe5266bfa77beccd39a72b1dd1f23e0d2d5ff152d5c1e3a75
Instruction ID: d17220be29a9b09c35f982417bc5c0933970d4d8ebdd86dd2d01e0b68e6be95e
Opcode Fuzzy Hash: 9311e0d7d0d0c20fe5266bfa77beccd39a72b1dd1f23e0d2d5ff152d5c1e3a75
Instruction Fuzzy Hash: E4512B74644356DFDF319E78DC98BDB37A6AF593A0F84413ADC889B244D3718981CB12

Uniqueness

Uniqueness Score: -1.00%

Function 021171C9, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af41ee9da9040ce2c1b05cc3b6c6b916f9d3128ecceb24f51fe01c2e336e058e
Instruction ID: fc38e1884eee67a5c4184aeeff5bee4a55d219ac3ace3a9351b860880d83c78e
Opcode Fuzzy Hash: af41ee9da9040ce2c1b05cc3b6c6b916f9d3128ecceb24f51fe01c2e336e058e
Instruction Fuzzy Hash: 7061073168534A8FDF319E34CDA47DA3BA6FF59390F844239DD8A9B284D7314986CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02112B51, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4c579a84154d880283dc177788d7d091ee086218f4bd9d4af7e1ca57f4fc391
Instruction ID: f8144305e9133a6c5375d86ca93032bb07796d3276a6cfe4ba6ec62a08e0fe22
Opcode Fuzzy Hash: a4c579a84154d880283dc177788d7d091ee086218f4bd9d4af7e1ca57f4fc391
Instruction Fuzzy Hash: D2512974644396DFDF319E78DC98BDB37A6AF593A0F84413ADC889B244D3318A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02113476, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0637bfc4f0cbec8ec5fd4ee42a0ea1f5b3aaea9630e9a117284783ccbf4bc5f6
Instruction ID: a9f40b137734addf5e8db5954924adf7d656a9af6de6e87c1e2529f60ac4d3fd
Opcode Fuzzy Hash: 0637bfc4f0cbec8ec5fd4ee42a0ea1f5b3aaea9630e9a117284783ccbf4bc5f6
Instruction Fuzzy Hash: 15518E72A8534A8FDF345E64CC647DA3763AFA5360FC9423ADC9997248D3314D86CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0211BB99, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 521bc37c1212f39f9724099338753d388e5fb16275f6d367b3344f35f2783f35
Instruction ID: d73383dd39437b4bd6884079c755579ae979e7305fbd889fd901a27a09d9ffe6
Opcode Fuzzy Hash: 521bc37c1212f39f9724099338753d388e5fb16275f6d367b3344f35f2783f35
Instruction Fuzzy Hash: 8D519A716483069FDB388E24DDA47EA73B3AF8A344F85412FCC8997608D3305A87CB46

Uniqueness

Uniqueness Score: -1.00%

Function 0211C2AB, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c334eaf61013a8b1398bf0828b60e09e18c34149225263298a2cf5654f86491
Instruction ID: cb190f8202323af683c76df0e038b8ccdea45c6f79fc54fcc4e6a3459dad1b39
Opcode Fuzzy Hash: 2c334eaf61013a8b1398bf0828b60e09e18c34149225263298a2cf5654f86491
Instruction Fuzzy Hash: E35124356443499FDF38AE749DA93EE77B6AF95350F96403ECC8AC7104C7314285CA06

Uniqueness

Uniqueness Score: -1.00%

Function 0211B022, Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1549aca3de66aed7db0a140a5f5feddda2efcae2804ed003b48e4d201a745ddf
Instruction ID: f89ca51cde0a899790474c09e6df3f791e6e8905ea460549f9f609310c8a6d54
Opcode Fuzzy Hash: 1549aca3de66aed7db0a140a5f5feddda2efcae2804ed003b48e4d201a745ddf
Instruction Fuzzy Hash: 0A51667168438A8FCF349E648DD47EE3BA7AFA5360F95003ADC5ACB114D77246C4CA06

Uniqueness

Uniqueness Score: -1.00%

Function 0211E156, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51e87571a2458e8bc09007af18838f2c37dfea95ab57b2543da81e09f127e7be
Instruction ID: 1b95b7c95965bb757002a36948143ed4d727d33967faf6eb0cb579487c848627
Opcode Fuzzy Hash: 51e87571a2458e8bc09007af18838f2c37dfea95ab57b2543da81e09f127e7be
Instruction Fuzzy Hash: 97516B3968038A9FDF34AE788EA43EE37A7AFA5350F99403ACC49CB144D7704685C709

Uniqueness

Uniqueness Score: -1.00%

Function 0211D094, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5389460a55b30468ab03a3a08963ffd724644f7785afc0162d62eed62473087b
Instruction ID: 992efb4aece66c60648193eb7c36726ecedd08d149c1b3ba230ddff54b9ebaa0
Opcode Fuzzy Hash: 5389460a55b30468ab03a3a08963ffd724644f7785afc0162d62eed62473087b
Instruction Fuzzy Hash: 2611AA26A443424FEB210DBC45983DAFAA3AF523A0F9A427FCCD25B1C5E3B54442C112

Uniqueness

Uniqueness Score: -1.00%

Function 0211B199, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb45655c3691c3d35e7c67f6dccb89ee254cbaa45ade4b4f9c710249362a641
Instruction ID: 0610605d89a5157522024b7de0f2717c2a0c39f82750d74ab470712acd36e0f7
Opcode Fuzzy Hash: bdb45655c3691c3d35e7c67f6dccb89ee254cbaa45ade4b4f9c710249362a641
Instruction Fuzzy Hash: 5D117574658345CFCB29DE29C8E8BD933A1BF5A700F8A8229CD098B301D730AA84CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02117A5C, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1280689497.0000000002110000.00000040.00000001.sdmp, Offset: 02110000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1da660b55933ce450b270a7752daaf66cf32dd91d9ad64cf309bd1348631535c
Instruction ID: 62812b591fe42f16be5d9978a7c0ea9127c47ed70715c9f2c0fd9f39fab41c6c
Opcode Fuzzy Hash: 1da660b55933ce450b270a7752daaf66cf32dd91d9ad64cf309bd1348631535c
Instruction Fuzzy Hash: 3BC092F76115809FFF42CA08C891B0473B0F714A54BA948D0E002CB791D324ED00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0040BCF1, Relevance: 46.8, APIs: 31, Instructions: 287COMMON

Download Yara Rule

APIs

#527.MSVBVM60(00409D90), ref: 0042CFC4
__vbaStrMove.MSVBVM60 ref: 0042CFCF
__vbaStrCmp.MSVBVM60(00409D98,00000000), ref: 0042CFDB
__vbaFreeStr.MSVBVM60 ref: 0042CFEE
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D00F
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042D03A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000B8), ref: 0042D068
__vbaFreeObj.MSVBVM60 ref: 0042D06D
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D085
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042D0AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000110), ref: 0042D0D0
__vbaStrMove.MSVBVM60 ref: 0042D0DB
__vbaFreeObj.MSVBVM60 ref: 0042D0E4
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D0FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D11C
__vbaFreeStr.MSVBVM60(0042D313), ref: 0042D30C

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#527
String ID:
API String ID: 487870899-0
Opcode ID: df558c1ea2a8b91382415ce9a12d200d5eb9527a7ecc0e3073d17a75ccaea11e
Instruction ID: 421e9747bc86155a6d00bcd6773833b1b678586a0f476ee49ed6e3c8e132e0df
Opcode Fuzzy Hash: df558c1ea2a8b91382415ce9a12d200d5eb9527a7ecc0e3073d17a75ccaea11e
Instruction Fuzzy Hash: 18A18D75A00218ABCB14DFA5DD48FEEB7B8FF48700F14816AF541B72A4DB789905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042DC70, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042DCDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DCF4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,00000150), ref: 0042DD21
__vbaStrToAnsi.MSVBVM60(?,?,008039A4), ref: 0042DD38
__vbaSetSystemError.MSVBVM60(003989DE,00000000), ref: 0042DD4C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042DD6E
__vbaFreeObj.MSVBVM60 ref: 0042DD7A
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042DDA3
__vbaStrMove.MSVBVM60 ref: 0042DDAE
__vbaFreeVar.MSVBVM60 ref: 0042DDBD
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042DDD2
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042DDF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000118), ref: 0042DE1D
__vbaI2I4.MSVBVM60 ref: 0042DE22
__vbaFreeObj.MSVBVM60 ref: 0042DE2B
__vbaVarDup.MSVBVM60 ref: 0042DE45
#666.MSVBVM60(?,00000002), ref: 0042DE53
__vbaVarMove.MSVBVM60 ref: 0042DE5F
__vbaFreeVar.MSVBVM60 ref: 0042DE68
__vbaFreeVar.MSVBVM60(0042DEBB), ref: 0042DEAB
__vbaFreeStr.MSVBVM60 ref: 0042DEB4

Strings

zS, xrefs: 0042DE6A
HENRIVENDE, xrefs: 0042DE37

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#666#702AnsiErrorListSystem
String ID: HENRIVENDE$zS
API String ID: 309366762-2729703279
Opcode ID: 73f3af9477cdb78b24042d14f0624148bd2da5a97b030ecdd2f9a78ee0593ede
Instruction ID: 7ad52f43169cb042ce831740d4e42ab7301fe4937213083156b9f9562543c489
Opcode Fuzzy Hash: 73f3af9477cdb78b24042d14f0624148bd2da5a97b030ecdd2f9a78ee0593ede
Instruction Fuzzy Hash: 9B514971900219AFCB04DFA5DD88EDEBBB8FF48705F10412AF516BB2A0DB745945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D4F0, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaCyStr.MSVBVM60(00409AD4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D538
__vbaFpCmpCy.MSVBVM60(00000000), ref: 0042D546
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D566
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042D591
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000130), ref: 0042D5BF
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D5D5
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042D5EE
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042D613
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000D0), ref: 0042D639
__vbaStrMove.MSVBVM60 ref: 0042D648
__vbaFreeObj.MSVBVM60 ref: 0042D64D
#531.MSVBVM60(kantatens), ref: 0042D658
__vbaFreeStr.MSVBVM60(0042D68A), ref: 0042D682
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D687

Strings

kantatens, xrefs: 0042D653

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$MoveNew2$#531
String ID: kantatens
API String ID: 1829431787-1394988495
Opcode ID: 0bf0b9d4c6896b2c53c78c2732274ffb473cdd5a3fd38dcfdd8a0f5071a0eb2b
Instruction ID: 2aa563af965ef9275586147fe00d723355200850cc740d6fb81f3cd38f104f15
Opcode Fuzzy Hash: 0bf0b9d4c6896b2c53c78c2732274ffb473cdd5a3fd38dcfdd8a0f5071a0eb2b
Instruction Fuzzy Hash: 82416070A00219ABCB04DF95DD89EDEBBB8FF4C704F10406AE505B72A1D778A945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004253F0, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00425459
#515.MSVBVM60(?,?,00000002), ref: 00425476
__vbaVarTstNe.MSVBVM60(?,?), ref: 00425492
__vbaFreeVar.MSVBVM60 ref: 0042549E
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004254CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004254E8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A78,000000C0), ref: 00425512
__vbaLateMemCall.MSVBVM60(?,bJwKrGImpGgg9mRQCArwzZIt8,00000003), ref: 00425581
__vbaFreeObj.MSVBVM60 ref: 0042558D
__vbaFreeObj.MSVBVM60(004255D1), ref: 004255C1
__vbaFreeStr.MSVBVM60 ref: 004255CA

Strings

bJwKrGImpGgg9mRQCArwzZIt8, xrefs: 00425578
Kricketbold2, xrefs: 004254BE
var, xrefs: 0042542A

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#515CallCheckCopyHresultLateNew2
String ID: Kricketbold2$bJwKrGImpGgg9mRQCArwzZIt8$var
API String ID: 3144308283-2350849782
Opcode ID: c0dfb2e5c5369434526f721f375494887a5bb0ccd3966965ad60c4f2d4219c0b
Instruction ID: f41533b6bd4e7efb125514aaaa08caeaee6790a574f5e4bd7e7660171d97d2d9
Opcode Fuzzy Hash: c0dfb2e5c5369434526f721f375494887a5bb0ccd3966965ad60c4f2d4219c0b
Instruction Fuzzy Hash: 7E5149B0E10219DFCB04DF98CA48A9DFBB8FF48700F20816AE509B7294D7785A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042D990, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042D9EB
__vbaLenBstrB.MSVBVM60(00409DC8), ref: 0042D9F6
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0042DA3F
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042DA55
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 0042DA71
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042DA96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,000000C8), ref: 0042DAC3
__vbaFreeObj.MSVBVM60 ref: 0042DACC
__vbaVarDup.MSVBVM60 ref: 0042DAF8
#595.MSVBVM60(?,00000000,?,?,?), ref: 0042DB10
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042DB28
__vbaFreeStr.MSVBVM60(0042DB68), ref: 0042DB61

Strings

hjrekant, xrefs: 0042DAEA

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultList$#595#680BstrCopyNew2
String ID: hjrekant
API String ID: 4058102471-1475739938
Opcode ID: e1b75d68c638077e161484839b802f05e88e7e3f002468e655760ca039c16626
Instruction ID: 528b7d16acc9b0120cd20bbc4beafa916e448bb3fc521411f62fdd66739c3430
Opcode Fuzzy Hash: e1b75d68c638077e161484839b802f05e88e7e3f002468e655760ca039c16626
Instruction Fuzzy Hash: 9151E2B1D00259ABDB10DFD4D889EDEBFB8BF48700F10412AE505B72A5D7B46585CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D7E0, Relevance: 22.6, APIs: 15, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D835
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D83D
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D852
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D871
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B24,000001C8), ref: 0042D890
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D899
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D8B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D8CB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409DB4,00000100), ref: 0042D8EE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D8FE
__vbaI4Var.MSVBVM60(00000000), ref: 0042D908
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042D91B
__vbaFreeVar.MSVBVM60 ref: 0042D927
__vbaFreeStr.MSVBVM60(0042D962), ref: 0042D95A
__vbaFreeStr.MSVBVM60 ref: 0042D95F

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2$CallLateList
String ID:
API String ID: 244069345-0
Opcode ID: 48c59141a9711ab758ab85e1659ed870cecbf5170d4f5ad65f5db97ef2c46b59
Instruction ID: 68c5a20009e61a82da8980dc6a8dcd6d7516772f9fd5461ec031769d98698f1d
Opcode Fuzzy Hash: 48c59141a9711ab758ab85e1659ed870cecbf5170d4f5ad65f5db97ef2c46b59
Instruction Fuzzy Hash: 7D413CB5D00219ABCB04DF94DD88EDEBBB8FB08304F10443AF955B7264D6789945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425600, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425655
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042565D
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00425671
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,00000014), ref: 0042569C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AC0,00000118), ref: 004256CA
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256CF
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004256D8
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004256F1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042570A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A78,000000C8), ref: 00425731
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042573C
__vbaFreeStr.MSVBVM60(00425764), ref: 0042575C
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425761

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2
String ID:
API String ID: 336985134-0
Opcode ID: 704c3ca0139c0089c0f919b269df0b02999ba018dc7a951a8ea584454d2a13f5
Instruction ID: b92202306912b8ce4498fe6f3c470eddfeaad781b54ea9fb7205f9906e1ddf00
Opcode Fuzzy Hash: 704c3ca0139c0089c0f919b269df0b02999ba018dc7a951a8ea584454d2a13f5
Instruction Fuzzy Hash: 64413D74A40619ABCB04DF95DD84EEEBBB8FF98714F148026E505B72A0CA785941CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D330, Relevance: 18.1, APIs: 12, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D37D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D39C
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D3B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D3D1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000130), ref: 0042D3F4
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D423
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D42D
__vbaStrMove.MSVBVM60 ref: 0042D438
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 0042D458
__vbaFreeStr.MSVBVM60 ref: 0042D461
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042D475
__vbaFreeVar.MSVBVM60 ref: 0042D481

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
String ID:
API String ID: 3081447974-0
Opcode ID: fd2b5b61a87c7bcf3591fc30d45c76a019f2e60e8bfab091327a436863dab25d
Instruction ID: 2f43b567f44992a7474b8345ca10955fbf0f080be75abf41ea491f4b7a57122c
Opcode Fuzzy Hash: fd2b5b61a87c7bcf3591fc30d45c76a019f2e60e8bfab091327a436863dab25d
Instruction Fuzzy Hash: 23414DB4A00204AFCB04DFA4DD49F9EBBB8FB48701F10456AF545F7261D638A945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424890, Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004248D9
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 004248F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424911
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042492D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424946
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,000000F0), ref: 00424969
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 004249A9
__vbaFreeStr.MSVBVM60 ref: 004249B2
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004249C2
__vbaFreeStr.MSVBVM60(004249F9), ref: 004249F2

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$CopyList
String ID:
API String ID: 4130517723-0
Opcode ID: 427849cdfefcaa55277ff0a650838870c5c6ab0d2655cb29ba28bad2fbaaee30
Instruction ID: 338438950e02a625ab3ed8cab48cefff4596053f2cb2433649627209077afe9e
Opcode Fuzzy Hash: 427849cdfefcaa55277ff0a650838870c5c6ab0d2655cb29ba28bad2fbaaee30
Instruction Fuzzy Hash: F6416FB4A00215AFCB04DFA4DD49FAEBBB8FF48700F10416AF905E7265D7789945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425790, Relevance: 13.5, APIs: 9, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257D0
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257D8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004257E0
__vbaCyStr.MSVBVM60(00409AD4,?,?,?,?,?,?,?,00401746), ref: 004257E7
__vbaFpCmpCy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00401746), ref: 004257F5
#569.MSVBVM60(0000002F,?,?,?,?,?,?,?,?,00401746), ref: 00425801
__vbaFreeStr.MSVBVM60(00425823,?,?,?,?,?,?,?,?,00401746), ref: 00425816
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042581B
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425820

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CopyFree$#569
String ID:
API String ID: 3911904416-0
Opcode ID: 6b575aff054f52151198c77736227529b7a502063764041e31cd2767e68cb6ee
Instruction ID: 8c23326ed8f7c633dd7ab1d4564fa65d66f3dd3eb216fe8efc0d39cec2beacab
Opcode Fuzzy Hash: 6b575aff054f52151198c77736227529b7a502063764041e31cd2767e68cb6ee
Instruction Fuzzy Hash: 7E111B70D0125E9BCB00EFA4EE45AEEBFB8EF08700F10416AA505B31A4DB746A45CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00424B40, Relevance: 12.1, APIs: 8, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424B84
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424B9D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001CC), ref: 00424C24
__vbaFreeObj.MSVBVM60 ref: 00424C33
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424C48
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424C61
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,000001C8), ref: 00424C88
__vbaFreeObj.MSVBVM60 ref: 00424C97

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: a3998834bc430794f83a5eae03db131e8960b67bfe6a6c340241cca19f98b418
Instruction ID: d6ccf8d8d40f68528009283c94b7c9ee0550a54f59a22daff56c3d83598b0a26
Opcode Fuzzy Hash: a3998834bc430794f83a5eae03db131e8960b67bfe6a6c340241cca19f98b418
Instruction Fuzzy Hash: 514162B4A012059FCB08DFA9D989A9ABBF4FF48704F10846AE505E7355D7389901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004251A0, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 00425201
__vbaFpR8.MSVBVM60 ref: 00425207
__vbaNew2.MSVBVM60(00409A14,004333CC), ref: 00425230
__vbaHresultCheckObj.MSVBVM60(00000000,0298E9C4,00409A04,0000001C), ref: 00425255
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409A24,0000005C), ref: 00425299
__vbaStrMove.MSVBVM60 ref: 004252AC
__vbaFreeObj.MSVBVM60 ref: 004252B5
__vbaFreeStr.MSVBVM60(004252EE), ref: 004252E7

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#672MoveNew2
String ID:
API String ID: 2213023555-0
Opcode ID: adce031423edc3c2442dfe91bd481cc1439345b0a7028bb6873e716229a5ecab
Instruction ID: 2222302b068474269bef2d73df15d22b6c0f4bba6f5c43484c368cecfb7a7bd3
Opcode Fuzzy Hash: adce031423edc3c2442dfe91bd481cc1439345b0a7028bb6873e716229a5ecab
Instruction Fuzzy Hash: 86314F70900609EBCB10DF95DD48B9EBBB8FF99740F20805AF505B72A4C7789941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00431CB0, Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431CF4
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D13
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001C8), ref: 00431D52
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D61
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D76
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431D8F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000088), ref: 00431DB2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00431DC1

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: c34afd28d7952d34c5328901ab9c25194399eaaea1dc284c49e274c64b1b76aa
Instruction ID: 8e1ef24ae030d6c177eceba90c465ca712c2948b9e01b76952a328ae610c7fb9
Opcode Fuzzy Hash: c34afd28d7952d34c5328901ab9c25194399eaaea1dc284c49e274c64b1b76aa
Instruction Fuzzy Hash: A131A474A402059FCB04DFA5C989F9A7BB8FF0C701F108529F545E73A5D7389901CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00424A20, Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A6C
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A74
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424A89
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424AA2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,00000220), ref: 00424AE5
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424AEE
__vbaFreeStr.MSVBVM60(00424B16,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B0E
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424B13

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID:
API String ID: 1874231197-0
Opcode ID: 04e29ac4a031fa013ebe189aeb620e89624a347daf8b852e045f06208db45e73
Instruction ID: a89d8fdef33f0de0a511d469acc9284bfe3104ecbf7f728fe8891e970c8faece
Opcode Fuzzy Hash: 04e29ac4a031fa013ebe189aeb620e89624a347daf8b852e045f06208db45e73
Instruction Fuzzy Hash: CD215175E00219DFCB04DFA9D989A9EBBB8FF4C300F10816AE515A7265C778A941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00424E90, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00424E90(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _t19;
				intOrPtr* _t21;
				intOrPtr* _t23;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t38;
				void* _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				_t43 = _t42 - 0x28;
				_v16 = _t43;
				_v12 = 0x401208;
				_v8 = 0;
				_t19 = _a4;
				 *((intOrPtr*)( *_t19 + 4))(_t19, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t39);
				_t21 =  *0x433010; // 0x4bff70
				_v28 = 0;
				_v32 = 0;
				if(_t21 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t21 =  *0x433010; // 0x4bff70
				}
				_t23 =  &_v32;
				__imp____vbaObjSet(_t23,  *((intOrPtr*)( *_t21 + 0x354))(_t21));
				_t28 = _t43 - 0x10;
				 *_t28 = 0xa;
				_t38 = _t23;
				 *((intOrPtr*)(_t28 + 4)) = _v44;
				 *((intOrPtr*)(_t28 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t28 + 0xc)) = _v36;
				_t26 =  *((intOrPtr*)( *_t38 + 0x1ec))(_t38, L"PHACOCELE");
				asm("fclex");
				if(_t26 < 0) {
					__imp____vbaHresultCheckObj(_t26, _t38, 0x409994, 0x1ec);
				}
				__imp____vbaFreeObj();
				_v28 = 0x2be5;
				_push(0x424f69);
				return _t26;
			}

0x00424e93
0x00424ea2
0x00424ea9
0x00424eaf
0x00424eb2
0x00424ebb
0x00424ebe
0x00424ec4
0x00424ec7
0x00424ece
0x00424ed1
0x00424ed4
0x00424ee0
0x00424ee6
0x00424ee6
0x00424ef5
0x00424ef9
0x00424f02
0x00424f09
0x00424f0e
0x00424f12
0x00424f1a
0x00424f26
0x00424f29
0x00424f2f
0x00424f33
0x00424f41
0x00424f41
0x00424f4a
0x00424f50
0x00424f57
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EE0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409994,000001EC), ref: 00424F41
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424F4A

Strings

+, xrefs: 00424F50
PHACOCELE, xrefs: 00424F20

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: PHACOCELE$+
API String ID: 1645334062-1228347243
Opcode ID: 4d1c63fe1bd7e7c7275c4a49612e155c1636a6df5f18212697fca796735d4e2c
Instruction ID: c07b849c513be16a07adf2aa5f9d26272c629c32cb7bd96357dfce5810ec3e31
Opcode Fuzzy Hash: 4d1c63fe1bd7e7c7275c4a49612e155c1636a6df5f18212697fca796735d4e2c
Instruction Fuzzy Hash: D92180B4A00304AFCB04DF99D989B9ABBF8FB88300F10806AF515E7291C7789901CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00425930, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00425987
#687.MSVBVM60(?,?), ref: 00425995
__vbaDateVar.MSVBVM60(?), ref: 0042599F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004259B1

Strings

Lu, xrefs: 004259BA
7-7-7, xrefs: 00425979

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#687DateFreeList
String ID: 7-7-7$Lu
API String ID: 3303533072-1249225327
Opcode ID: 6245efcda413e39e9270e31898f19b129ea382ddc484f5b2443dba14f6557b46
Instruction ID: ce99caddad7a59bca6aa9ca99a4ab6ee82fecd9b7f5801bfdfbeef89fb7c03f7
Opcode Fuzzy Hash: 6245efcda413e39e9270e31898f19b129ea382ddc484f5b2443dba14f6557b46
Instruction Fuzzy Hash: F011D6B5C10228EBCB00DFD8DD89ADEBBB8FB48B04F14811AF501A7654D7B85549CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004250F0, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

#669.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 0042512A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425135
__vbaStrCmp.MSVBVM60(Distriktsbladet6,00000000,?,?,?,?,?,?,?,00401746), ref: 00425141
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425153
#568.MSVBVM60(0000003C,?,?,?,?,?,?,?,00401746), ref: 00425160

Strings

Distriktsbladet6, xrefs: 0042513C

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#568#669FreeMove
String ID: Distriktsbladet6
API String ID: 2447501155-846783287
Opcode ID: 0d43f69c6f8277c67fde6910b648ecc09a0eec26ade652ca687f33148b4ba87b
Instruction ID: 40341f63e31b649ac5d81cfe9586fce8e6a321f6243a3dec9ce25f7ac10c7110
Opcode Fuzzy Hash: 0d43f69c6f8277c67fde6910b648ecc09a0eec26ade652ca687f33148b4ba87b
Instruction Fuzzy Hash: 3D01A275D00214ABC7009F64DD49BBEBBB8EF44B00F508166F942F36A0C7384945CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00424FA0, Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00424FE3
__vbaNew2.MSVBVM60(0040A184,00433010), ref: 00424FFC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425015
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001CC), ref: 0042509C
__vbaFreeObj.MSVBVM60 ref: 004250A5
__vbaFreeStr.MSVBVM60(004250C7), ref: 004250C0

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: c57dd0fd31dfa5a9de0977fd0c62cec7cdab3f47cc5778dee31f38b867b8ceee
Instruction ID: 0ade94da89b41b4eab9646647c1f63100d07748614dd5f68b1c491f5be6b4fe0
Opcode Fuzzy Hash: c57dd0fd31dfa5a9de0977fd0c62cec7cdab3f47cc5778dee31f38b867b8ceee
Instruction Fuzzy Hash: 2131F8B4A012159FCB04DFA9D989A9ABBF4FF49700F10C06AE509AB365D7389902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00424D80, Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DC3
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DDC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A4,000001C8), ref: 00424E38
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E41
__vbaFreeStr.MSVBVM60(00424E62,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E5B

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 1f0a2ce6c4d22cf9b4595b08ef734b5213cb04d81a267dc3c34c583316932962
Instruction ID: ff67800850578e2c00da1b047b15bb5caf9f6950deec009865795ebb7826fe1d
Opcode Fuzzy Hash: 1f0a2ce6c4d22cf9b4595b08ef734b5213cb04d81a267dc3c34c583316932962
Instruction Fuzzy Hash: B7216074A40205DFCB04DF99D989AAABBB8FF48300F10806AF515E72A5C7389941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00425AF0, Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B33
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425B4C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425B65
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001AC,?,?,?,?,?,?,?,?,00401746), ref: 00425B88
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425B91
__vbaFreeStr.MSVBVM60(00425BB2,?,?,?,?,?,?,?,?,00401746), ref: 00425BAB

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: c6dbd533dfb2d7a710166714471a83aa1eeb5aa0aa0cb80df9ca8f1d61a70886
Instruction ID: dbfc71b838495f9492a5a142e97161b05e2ac8341ced7ed5361450e3d2157e4d
Opcode Fuzzy Hash: c6dbd533dfb2d7a710166714471a83aa1eeb5aa0aa0cb80df9ca8f1d61a70886
Instruction Fuzzy Hash: D5117C74A00204AFCB04DFA5DA49EAEBBB8FF49701F104466F556E72A0C7386942CF99

Uniqueness

Uniqueness Score: -1.00%

Function 00425840, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00425840(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				_t41 = _t40 - 0x24;
				_v16 = _t41;
				_v12 = 0x401290;
				_v8 = 0;
				_t17 = _a4;
				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t37);
				_t19 =  *0x433010; // 0x4bff70
				_v28 = 0;
				if(_t19 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t19 =  *0x433010; // 0x4bff70
				}
				_t21 =  &_v28;
				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x358))(_t19));
				_t26 = _t41 - 0x10;
				 *_t26 = 0xa;
				_t36 = _t21;
				 *((intOrPtr*)(_t26 + 4)) = _v40;
				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Rubedity");
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t36, 0x409af0, 0x1ec);
				}
				__imp____vbaFreeObj();
				_push(0x42590f);
				return _t24;
			}

0x00425843
0x00425852
0x00425859
0x0042585f
0x00425862
0x0042586b
0x0042586e
0x00425874
0x00425877
0x0042587e
0x00425881
0x0042588d
0x00425893
0x00425893
0x004258a2
0x004258a6
0x004258af
0x004258b6
0x004258bb
0x004258bf
0x004258c7
0x004258d3
0x004258d6
0x004258dc
0x004258e0
0x004258ee
0x004258ee
0x004258f7
0x004258fd
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042588D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004258A6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409AF0,000001EC), ref: 004258EE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004258F7

Strings

Rubedity, xrefs: 004258CD

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Rubedity
API String ID: 1645334062-1230464931
Opcode ID: dcf7fc36bda819c952aca0877bce80e0ef6706ab58ebe64fb48dea84d441ead6
Instruction ID: 599cb8a2a290bf45e56a98dd7853ec6981ff99bf77f36e5b80ca1d81cc44e1d1
Opcode Fuzzy Hash: dcf7fc36bda819c952aca0877bce80e0ef6706ab58ebe64fb48dea84d441ead6
Instruction Fuzzy Hash: 252190B4A40304EFCB04DFA9D989B9ABBF8FB49700F108466F505E72A5C6789941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004247A0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

#660.MSVBVM60(?,?,?,00000001,00000001), ref: 00424801
__vbaVarTstNe.MSVBVM60(?,?), ref: 00424819
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 0042482F
#532.MSVBVM60(RESTARTED), ref: 00424842

Strings

RESTARTED, xrefs: 0042483D

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#532#660FreeList
String ID: RESTARTED
API String ID: 675845651-3446605417
Opcode ID: 1523762df500dd22366c65129d370094b3d151d54b7c4f3c5af350ccb99b7d8a
Instruction ID: 128117873ed13954bc14587738954aa8213de49fb0a4d79105f5425fa6d98a24
Opcode Fuzzy Hash: 1523762df500dd22366c65129d370094b3d151d54b7c4f3c5af350ccb99b7d8a
Instruction Fuzzy Hash: C21129B5850268EBDB00DF94DD89FDEBBB8FB48704F50421AF501B2290D7B815088BA5

Uniqueness

Uniqueness Score: -1.00%

Function 00425C60, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CA4
__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CBD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,00000140,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425CFD
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425D0C

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckErrorFreeHresultNew2
String ID:
API String ID: 3750743295-0
Opcode ID: 799eb9120ed1bcb9eae0894af69a300f9c59ba34b70742c3d7d403f1e75d9cdc
Instruction ID: 33ff4c81103d161e933f814578e97179de6dd2e55feac707fbe8ed5e237c59ff
Opcode Fuzzy Hash: 799eb9120ed1bcb9eae0894af69a300f9c59ba34b70742c3d7d403f1e75d9cdc
Instruction Fuzzy Hash: 71216D74A00204AFCB00DF96DE48A9EBBF8FF88700F10846AF451F72A0C77859018FA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424CD0, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D0A
#546.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D14
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424D20
__vbaFreeVar.MSVBVM60(00424D58), ref: 00424D48
__vbaFreeStr.MSVBVM60 ref: 00424D51

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#546CopyMove
String ID:
API String ID: 2278598164-0
Opcode ID: 1ebfea73f915207e331b69a771995b06bef028f10292e047847378e054feb93d
Instruction ID: c9f5a0120824c94824b1b965db052293f16892c2b490fd6d06a586418b1496a8
Opcode Fuzzy Hash: 1ebfea73f915207e331b69a771995b06bef028f10292e047847378e054feb93d
Instruction Fuzzy Hash: 70010870C00249ABCF04DFA4D948ADEBBB8FB08701F108426E511B7164EB382505CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6B0, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0042D6B0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t43;
				intOrPtr* _t47;
				intOrPtr* _t60;
				void* _t61;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;

				_t64 = _t63 - 0xc;
				 *[fs:0x0] = _t64;
				_t65 = _t64 - 0x44;
				_v16 = _t65;
				_v12 = 0x4016a8;
				_v8 = 0;
				_t31 = _a4;
				 *((intOrPtr*)( *_t31 + 4))(_t31, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t61);
				_t33 =  *0x433010; // 0x4bff70
				_v28 = 0;
				if(_t33 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t33 =  *0x433010; // 0x4bff70
				}
				_t35 =  &_v28;
				__imp____vbaObjSet(_t35,  *((intOrPtr*)( *_t33 + 0x3b4))(_t33));
				_t66 = _t65 - 0x10;
				_t60 = _t35;
				_t43 = _t66;
				 *_t43 = 0xa;
				_v44 = 0xa;
				 *((intOrPtr*)(_t43 + 4)) = _v72;
				 *((intOrPtr*)(_t43 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t43 + 0xc)) = _v64;
				_t67 = _t66 - 0x10;
				_t47 = _t67;
				 *_t47 = 0xa;
				 *((intOrPtr*)(_t47 + 4)) = _v56;
				 *((intOrPtr*)(_t47 + 8)) = 0x80020004;
				_v36 = 0x80020004;
				 *((intOrPtr*)(_t47 + 0xc)) = _v48;
				_t40 = _t67 - 0x10;
				 *_t40 = _v44;
				 *((intOrPtr*)(_t40 + 4)) = _v40;
				 *((intOrPtr*)(_t40 + 8)) = _v36;
				 *((intOrPtr*)(_t40 + 0xc)) = _v32;
				_t41 =  *((intOrPtr*)( *_t60 + 0x1d0))(_t60, 0x46e36000);
				asm("fclex");
				if(_t41 < 0) {
					__imp____vbaHresultCheckObj(_t41, _t60, 0x409b24, 0x1d0);
				}
				__imp____vbaFreeObj();
				asm("wait");
				_push(0x42d7bf);
				return _t41;
			}

0x0042d6b3
0x0042d6c2
0x0042d6c9
0x0042d6cf
0x0042d6d2
0x0042d6db
0x0042d6de
0x0042d6e4
0x0042d6e7
0x0042d6ee
0x0042d6f1
0x0042d6fd
0x0042d703
0x0042d703
0x0042d712
0x0042d716
0x0042d71c
0x0042d71f
0x0042d721
0x0042d72a
0x0042d72c
0x0042d732
0x0042d73c
0x0042d742
0x0042d745
0x0042d748
0x0042d74f
0x0042d754
0x0042d757
0x0042d75a
0x0042d760
0x0042d76c
0x0042d76e
0x0042d773
0x0042d77e
0x0042d782
0x0042d785
0x0042d78b
0x0042d78f
0x0042d79d
0x0042d79d
0x0042d7a6
0x0042d7ac
0x0042d7ad
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010), ref: 0042D6FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D716
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B24,000001D0), ref: 0042D79D
__vbaFreeObj.MSVBVM60 ref: 0042D7A6

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 1a758cf11ae9d8a6b0c8196ae5049f2d36f4e6c013b60a63323aa8f2330ad7de
Instruction ID: ee10ccefcdad81d953b980179fda6709ed118dab8f089c4ff3467a9e1573247c
Opcode Fuzzy Hash: 1a758cf11ae9d8a6b0c8196ae5049f2d36f4e6c013b60a63323aa8f2330ad7de
Instruction Fuzzy Hash: 7D310AB4E002149FCB04DFA9D985A9ABBF5FF4C700F24C46AE509AB355D7399801CF95

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB90, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 0042DBE0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 0042DBF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001A8,?,?,?,?,?,?,?,?,00401746), ref: 0042DC1C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042DC25

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 18e8ac6ff0ea40d7319838fef3383b0b124b441af15a76e1f2351ce22381eaa0
Instruction ID: e8ea1c709b733db828dd63d75d6591c1c46fe1939c887ba964b5bc70d0057945
Opcode Fuzzy Hash: 18e8ac6ff0ea40d7319838fef3383b0b124b441af15a76e1f2351ce22381eaa0
Instruction Fuzzy Hash: 0D118C74E40204AFC704DFA6DD49B9AFBBCFF59701F608426F851E72A0CB785901CAA9

Uniqueness

Uniqueness Score: -1.00%

Function 00425A10, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00425A10(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t28;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				_v16 = _t32 - 0x18;
				_v12 = 0x4012b0;
				_v8 = 0;
				_t14 = _a4;
				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t29);
				_t16 =  *0x433010; // 0x4bff70
				_v28 = 0;
				_v32 = 0;
				if(_t16 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t16 =  *0x433010; // 0x4bff70
				}
				_t18 =  &_v32;
				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x378))(_t16));
				_t28 = _t18;
				_t19 =  *((intOrPtr*)( *_t28 + 0x21c))(_t28);
				asm("fclex");
				if(_t19 < 0) {
					__imp____vbaHresultCheckObj(_t19, _t28, 0x409984, 0x21c);
				}
				__imp____vbaFreeObj();
				_v28 = 0x4c22e;
				_push(0x425ac4);
				return _t19;
			}

0x00425a13
0x00425a22
0x00425a2f
0x00425a32
0x00425a3b
0x00425a3e
0x00425a44
0x00425a47
0x00425a4e
0x00425a51
0x00425a54
0x00425a60
0x00425a66
0x00425a66
0x00425a75
0x00425a79
0x00425a7f
0x00425a84
0x00425a8a
0x00425a8e
0x00425a9c
0x00425a9c
0x00425aa5
0x00425aab
0x00425ab2
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425A60
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425A79
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409984,0000021C,?,?,?,?,?,?,?,?,00401746), ref: 00425A9C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425AA5

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 7fafe13a814fd48cb021992bed8575568b4eb61dc5bba588954973085b8c3dc3
Instruction ID: bea6e947b0b3abca56de27fa394f6553d1dcd80fa9f38220b484598879b95b5f
Opcode Fuzzy Hash: 7fafe13a814fd48cb021992bed8575568b4eb61dc5bba588954973085b8c3dc3
Instruction Fuzzy Hash: D81191B8A40604AFC700DF95D989F9AFBB8FF58701F208566F551E72A1C77859018B98

Uniqueness

Uniqueness Score: -1.00%

Function 00425320, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E00425320(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				void* _t17;
				intOrPtr* _t26;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				_v16 = _t30 - 0x14;
				_v12 = 0x401250;
				_v8 = 0;
				_t12 = _a4;
				 *((intOrPtr*)( *_t12 + 4))(_t12, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t27);
				_t14 =  *0x433010; // 0x4bff70
				_v28 = 0;
				if(_t14 == 0) {
					__imp____vbaNew2(0x40a184, 0x433010);
					_t14 =  *0x433010; // 0x4bff70
				}
				_t16 =  &_v28;
				__imp____vbaObjSet(_t16,  *((intOrPtr*)( *_t14 + 0x338))(_t14));
				_t26 = _t16;
				_t17 =  *((intOrPtr*)( *_t26 + 0x1ac))(_t26);
				asm("fclex");
				if(_t17 < 0) {
					__imp____vbaHresultCheckObj(_t17, _t26, 0x409a34, 0x1ac);
				}
				__imp____vbaFreeObj();
				_push(0x4253ca);
				return _t17;
			}

0x00425323
0x00425332
0x0042533f
0x00425342
0x0042534b
0x0042534e
0x00425354
0x00425357
0x0042535e
0x00425361
0x0042536d
0x00425373
0x00425373
0x00425382
0x00425386
0x0042538c
0x00425391
0x00425397
0x0042539b
0x004253a9
0x004253a9
0x004253b2
0x004253b8
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A184,00433010,?,?,?,?,?,?,?,00401746), ref: 0042536D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401746), ref: 00425386
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A34,000001AC,?,?,?,?,?,?,?,00401746), ref: 004253A9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004253B2

Memory Dump Source

Source File: 00000001.00000002.1279452529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1279434276.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1279535108.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1279546764.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: be717cc0b179ccdec314acfc5436d78a73d667bcaa62ee4d86c373b69614fe4e
Instruction ID: b9d364111fb4df84e864426dd9556a9d71603b9f56e7f9ce1eb5f72fbdd78bc2
Opcode Fuzzy Hash: be717cc0b179ccdec314acfc5436d78a73d667bcaa62ee4d86c373b69614fe4e
Instruction Fuzzy Hash: D511CE75A40200AFC700EFA5CD89F9ABBBCFF49701F104466F942E32A0C77859018BA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 5968 Parent PID: 5572

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exe PID: 5968 Parent PID: 5572 SOCAR Petroleum S.A Romania ordin urgent nr. 21199.exeCOMMON