Loading ...

Play interactive tourEdit tour

Windows Analysis Report F63V4i8eZU

Overview

General Information

Sample Name:F63V4i8eZU (renamed file extension from none to exe)
Analysis ID:450884
MD5:08730cdd286a4c9d46b38bb6545ac311
SHA1:001bb7b5b8d63e505661d7e4a178d08abe6bbad7
SHA256:cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
Tags:32exe
Infos:

Most interesting Screenshot:

Detection

GuLoader
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected GuLoader
C2 URLs / IPs found in malware configuration
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Potentially malicious time measurement code found
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

  • System is w10x64
  • F63V4i8eZU.exe (PID: 3528 cmdline: 'C:\Users\user\Desktop\F63V4i8eZU.exe' MD5: 08730CDD286A4C9D46B38BB6545AC311)
  • cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmpJoeSecurity_GuLoader_2Yara detected GuLoaderJoe Security

    Sigma Overview

    No Sigma rule has matched

    Jbx Signature Overview

    Click to jump to signature section

    Show All Signature Results

    AV Detection:

    barindex
    Found malware configurationShow sources
    Source: F63V4i8eZU.exeMalware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_QVwo"}
    Multi AV Scanner detection for submitted fileShow sources
    Source: F63V4i8eZU.exeVirustotal: Detection: 10%Perma Link
    Source: F63V4i8eZU.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

    Networking:

    barindex
    C2 URLs / IPs found in malware configurationShow sources
    Source: Malware configuration extractorURLs: https://kinmirai.org/wp-content/bin_QVwo
    Source: F63V4i8eZU.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
    Source: F63V4i8eZU.exeString found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
    Source: F63V4i8eZU.exeString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
    Source: F63V4i8eZU.exeString found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
    Source: F63V4i8eZU.exeString found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
    Source: F63V4i8eZU.exeString found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
    Source: F63V4i8eZU.exeString found in binary or memory: http://ocsp.digicert.com0C
    Source: F63V4i8eZU.exeString found in binary or memory: http://ocsp.digicert.com0O
    Source: F63V4i8eZU.exeString found in binary or memory: http://www.digicert.com/CPS0
    Source: F63V4i8eZU.exeString found in binary or memory: https://www.digicert.com/CPS0
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess Stats: CPU usage > 98%
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D55BB NtAllocateVirtualMemory,0_2_021D55BB
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5724 NtAllocateVirtualMemory,0_2_021D5724
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D55F6 NtAllocateVirtualMemory,0_2_021D55F6
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D55BB0_2_021D55BB
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D423F0_2_021D423F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D82540_2_021D8254
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5A460_2_021D5A46
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D42770_2_021D4277
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D42630_2_021D4263
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5A840_2_021D5A84
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D22D50_2_021D22D5
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2AD60_2_021D2AD6
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2AFD0_2_021D2AFD
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D53590_2_021D5359
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33A70_2_021D33A7
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33EC0_2_021D33EC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D10570_2_021D1057
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D58520_2_021D5852
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D78B20_2_021D78B2
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D48E80_2_021D48E8
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D28E20_2_021D28E2
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D513E0_2_021D513E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D81380_2_021D8138
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D41280_2_021D4128
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D39200_2_021D3920
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D19CC0_2_021D19CC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D06180_2_021D0618
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2E2F0_2_021D2E2F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D96260_2_021D9626
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8E7C0_2_021D8E7C
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D968F0_2_021D968F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8ED80_2_021D8ED8
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7EFC0_2_021D7EFC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D46E40_2_021D46E4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8F400_2_021D8F40
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D1FD90_2_021D1FD9
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7FF50_2_021D7FF5
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2C5C0_2_021D2C5C
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D045E0_2_021D045E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D3C4D0_2_021D3C4D
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D24700_2_021D2470
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D74880_2_021D7488
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D348A0_2_021D348A
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7CA50_2_021D7CA5
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D84A60_2_021D84A6
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D84E90_2_021D84E9
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D34EA0_2_021D34EA
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D35680_2_021D3568
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D05840_2_021D0584
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8DB40_2_021D8DB4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D35B00_2_021D35B0
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2DA00_2_021D2DA0
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D25D40_2_021D25D4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D55F60_2_021D55F6
    Source: F63V4i8eZU.exeStatic PE information: invalid certificate
    Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: F63V4i8eZU.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
    Source: F63V4i8eZU.exe, 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
    Source: F63V4i8eZU.exeBinary or memory string: OriginalFilenameISOL.exe vs F63V4i8eZU.exe
    Source: F63V4i8eZU.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    Source: classification engineClassification label: mal88.troj.evad.winEXE@1/0@0/0
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeFile created: C:\Users\user\AppData\Local\Temp\~DF8AE4137E60421BDA.TMPJump to behavior
    Source: F63V4i8eZU.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
    Source: F63V4i8eZU.exeVirustotal: Detection: 10%
    Source: F63V4i8eZU.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
    Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\ISOL.pdb source: F63V4i8eZU.exe

    Data Obfuscation:

    barindex
    Yara detected GuLoaderShow sources
    Source: Yara matchFile source: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, type: MEMORY
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_00406408 push es; ret 0_2_0040640F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_00405D8C push es; ret 0_2_00405D8B
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02071833 push edx; ret 0_2_02071861
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02074205 push edx; ret 0_2_02074231
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02072A05 push edx; ret 0_2_02072A31
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02071205 push edx; ret 0_2_02071231
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02075A03 push edx; ret 0_2_02075A31
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02076214 push edx; ret 0_2_02076241
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02074A13 push edx; ret 0_2_02074A41
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02073213 push edx; ret 0_2_02073241
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02071A13 push edx; ret 0_2_02071A41
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02070218 push edx; ret 0_2_02070241
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02075225 push edx; ret 0_2_02075251
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02073A24 push edx; ret 0_2_02073A51
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02072224 push edx; ret 0_2_02072251
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02070A24 push edx; ret 0_2_02070A51
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02076A24 push edx; ret 0_2_02076A51
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02074233 push edx; ret 0_2_02074261
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02072A33 push edx; ret 0_2_02072A61
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02071233 push edx; ret 0_2_02071261
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02075A33 push edx; ret 0_2_02075A61
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02074A44 push edx; ret 0_2_02074A71
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02073244 push edx; ret 0_2_02073271
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02071A44 push edx; ret 0_2_02071A71
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02076244 push edx; ret 0_2_02076271
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02070248 push edx; ret 0_2_02070271
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02073A54 push edx; ret 0_2_02073A81
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02072254 push edx; ret 0_2_02072281
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02076A54 push edx; ret 0_2_02076A81
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02075253 push edx; ret 0_2_02075281
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_02070A58 push edx; ret 0_2_02070A81
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

    Malware Analysis System Evasion:

    barindex
    Contains functionality to detect hardware virtualization (CPUID execution measurement)Show sources
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D423F 0_2_021D423F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5A46 0_2_021D5A46
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4277 0_2_021D4277
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4263 0_2_021D4263
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5A84 0_2_021D5A84
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2AD6 0_2_021D2AD6
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2AFD 0_2_021D2AFD
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33A7 0_2_021D33A7
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5852 0_2_021D5852
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D78B2 0_2_021D78B2
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D28E2 0_2_021D28E2
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D513E 0_2_021D513E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4128 0_2_021D4128
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D3920 0_2_021D3920
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7EFC 0_2_021D7EFC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D46E4 0_2_021D46E4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D1FD9 0_2_021D1FD9
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D045E 0_2_021D045E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D3C4D 0_2_021D3C4D
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D2470 0_2_021D2470
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7488 0_2_021D7488
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7CA5 0_2_021D7CA5
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8DB4 0_2_021D8DB4
    Detected RDTSC dummy instruction sequence (likely for instruction hammering)Show sources
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
    Tries to detect virtualization through RDTSC time measurementsShow sources
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D0182 second address: 00000000021D0182 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D6E61 second address: 00000000021D6E61 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D01B2 second address: 00000000021D01B2 instructions:
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D78FC second address: 00000000021D790A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b lfence 0x0000000e rdtsc
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeRDTSC instruction interceptor: First address: 00000000021D790A second address: 00000000021D79F6 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b mov esi, DCAAA67Fh 0x00000010 test dl, dl 0x00000012 xor esi, F2CCAB26h 0x00000018 test edx, edx 0x0000001a sub esi, 536EBD65h 0x00000020 test bh, ch 0x00000022 xor esi, DAF7BFF4h 0x00000028 test ecx, ecx 0x0000002a test bx, cx 0x0000002d add esi, 00001000h 0x00000033 test bx, ax 0x00000036 cmp cl, dl 0x00000038 cmp bx, dx 0x0000003b mov dword ptr [ebp+000001F8h], FC14852Ch 0x00000045 test ebx, ecx 0x00000047 xor dword ptr [ebp+000001F8h], 83A94D75h 0x00000051 xor dword ptr [ebp+000001F8h], AA3F6E81h 0x0000005b cmp ah, 00000015h 0x0000005e sub dword ptr [ebp+000001F8h], D581B6D8h 0x00000068 cmp esi, dword ptr [ebp+000001F8h] 0x0000006e je 00007F8568CA0D1Ah 0x00000074 mov dword ptr [ebp+00000204h], 67BCF0E4h 0x0000007e xor dword ptr [ebp+00000204h], E457B680h 0x00000088 xor dword ptr [ebp+00000204h], E04C2F31h 0x00000092 xor dword ptr [ebp+00000204h], 1C589955h 0x0000009c cmp ch, dh 0x0000009e cmp esi, dword ptr [ebp+00000204h] 0x000000a4 je 00007F8568CA0CE4h 0x000000aa test cl, dl 0x000000ac mov dword ptr [ebp+00000246h], eax 0x000000b2 mov eax, 03147A97h 0x000000b7 cmp ecx, ecx 0x000000b9 xor eax, 4F08C75Bh 0x000000be cmp cl, al 0x000000c0 sub eax, 1A91E3C1h 0x000000c5 sub eax, 318ADA0Bh 0x000000ca push eax 0x000000cb mov eax, dword ptr [ebp+00000246h] 0x000000d1 cmp bh, ah 0x000000d3 push 25819736h 0x000000d8 sub dword ptr [esp], 3CB652F7h 0x000000df xor dword ptr [esp], 3AF83707h 0x000000e6 pushad 0x000000e7 mov ebx, 000000DBh 0x000000ec rdtsc
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D423F rdtsc 0_2_021D423F
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected

    Anti Debugging:

    barindex
    Found potential dummy code loops (likely to delay analysis)Show sources
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeProcess Stats: CPU usage > 90% for more than 60s
    Potentially malicious time measurement code foundShow sources
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D423F Start: 021D4BE7 End: 021D480D0_2_021D423F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5A46 Start: 021D5BED End: 021D480D0_2_021D5A46
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4277 Start: 021D4BE7 End: 021D480D0_2_021D4277
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4263 Start: 021D4BE7 End: 021D480D0_2_021D4263
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33A7 Start: 021D4BE7 End: 021D480D0_2_021D33A7
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5852 Start: 021D4BE7 End: 021D480D0_2_021D5852
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D513E Start: 021D4BE7 End: 021D480D0_2_021D513E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D4128 Start: 021D4BE7 End: 021D480D0_2_021D4128
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D46E4 Start: 021D4BE7 End: 021D480D0_2_021D46E4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D1FD9 Start: 021D4BE7 End: 021D480D0_2_021D1FD9
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D045E Start: 021D4BE7 End: 021D480D0_2_021D045E
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7488 Start: 021D4BE7 End: 021D480D0_2_021D7488
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7CA5 Start: 021D4BE7 End: 021D480D0_2_021D7CA5
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D8DB4 Start: 021D4BE7 End: 021D480D0_2_021D8DB4
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D423F rdtsc 0_2_021D423F
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D5201 mov eax, dword ptr fs:[00000030h]0_2_021D5201
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7365 mov eax, dword ptr fs:[00000030h]0_2_021D7365
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33A7 mov eax, dword ptr fs:[00000030h]0_2_021D33A7
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D33EC mov eax, dword ptr fs:[00000030h]0_2_021D33EC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D28E2 mov eax, dword ptr fs:[00000030h]0_2_021D28E2
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D7EFC mov eax, dword ptr fs:[00000030h]0_2_021D7EFC
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D348A mov eax, dword ptr fs:[00000030h]0_2_021D348A
    Source: C:\Users\user\Desktop\F63V4i8eZU.exeCode function: 0_2_021D6D92 mov eax, dword ptr fs:[00000030h]0_2_021D6D92
    Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
    Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmpBinary or memory string: Program Manager
    Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
    Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmpBinary or memory string: Progman
    Source: F63V4i8eZU.exe, 00000000.00000002.736824672.0000000000C50000.00000002.00000001.sdmpBinary or memory string: Progmanlock

    Mitre Att&ck Matrix

    Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
    Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion11OS Credential DumpingSecurity Software Discovery41Remote ServicesArchive Collected Data1Exfiltration Over Other Network MediumEncrypted Channel1Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
    Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion11Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothApplication Layer Protocol1Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
    Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
    Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery31Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

    Behavior Graph

    Hide Legend

    Legend:

    • Process
    • Signature
    • Created File
    • DNS/IP Info
    • Is Dropped
    • Is Windows Process
    • Number of created Registry Values
    • Number of created Files
    • Visual Basic
    • Delphi
    • Java
    • .Net C# or VB.NET
    • C, C++ or other language
    • Is malicious
    • Internet

    Screenshots

    Thumbnails

    This section contains all screenshots as thumbnails, including those not shown in the slideshow.

    windows-stand

    Antivirus, Machine Learning and Genetic Malware Detection

    Initial Sample

    SourceDetectionScannerLabelLink
    F63V4i8eZU.exe10%VirustotalBrowse

    Dropped Files

    No Antivirus matches

    Unpacked PE Files

    No Antivirus matches

    Domains

    No Antivirus matches

    URLs

    SourceDetectionScannerLabelLink
    https://kinmirai.org/wp-content/bin_QVwo0%Avira URL Cloudsafe

    Domains and IPs

    Contacted Domains

    No contacted domains info

    Contacted URLs

    NameMaliciousAntivirus DetectionReputation
    https://kinmirai.org/wp-content/bin_QVwotrue
    • Avira URL Cloud: safe
    unknown

    Contacted IPs

    No contacted IP infos

    General Information

    Joe Sandbox Version:33.0.0 White Diamond
    Analysis ID:450884
    Start date:19.07.2021
    Start time:20:11:12
    Joe Sandbox Product:CloudBasic
    Overall analysis duration:0h 7m 43s
    Hypervisor based Inspection enabled:false
    Report type:full
    Sample file name:F63V4i8eZU (renamed file extension from none to exe)
    Cookbook file name:default.jbs
    Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
    Number of analysed new started processes analysed:34
    Number of new started drivers analysed:0
    Number of existing processes analysed:0
    Number of existing drivers analysed:0
    Number of injected processes analysed:0
    Technologies:
    • HCA enabled
    • EGA enabled
    • HDC enabled
    • AMSI enabled
    Analysis Mode:default
    Analysis stop reason:Timeout
    Detection:MAL
    Classification:mal88.troj.evad.winEXE@1/0@0/0
    EGA Information:Failed
    HDC Information:Failed
    HCA Information:
    • Successful, ratio: 53%
    • Number of executed functions: 9
    • Number of non-executed functions: 55
    Cookbook Comments:
    • Adjust boot time
    • Enable AMSI
    • Override analysis time to 240s for sample files taking high CPU consumption
    Warnings:
    Show All
    • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
    • Not all processes where analyzed, report is missing behavior information

    Simulations

    Behavior and APIs

    No simulations

    Joe Sandbox View / Context

    IPs

    No context

    Domains

    No context

    ASN

    No context

    JA3 Fingerprints

    No context

    Dropped Files

    No context

    Created / dropped Files

    No created / dropped files found

    Static File Info

    General

    File type:PE32 executable (GUI) Intel 80386, for MS Windows
    Entropy (8bit):4.804431914533398
    TrID:
    • Win32 Executable (generic) a (10002005/4) 99.15%
    • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
    • Generic Win/DOS Executable (2004/3) 0.02%
    • DOS Executable Generic (2002/1) 0.02%
    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
    File name:F63V4i8eZU.exe
    File size:271464
    MD5:08730cdd286a4c9d46b38bb6545ac311
    SHA1:001bb7b5b8d63e505661d7e4a178d08abe6bbad7
    SHA256:cb2a2537987e45c8461d40a0ec6c24215920519257134db91dd1369ff5abf342
    SHA512:a6531eb4709af3e1270f1c4434d9abc87097e9f8d38c4ba5dc0ed61d7f469552de7259f638728fe71297d3748823064f75728e71df3531657a5aeb1952f412d8
    SSDEEP:1536:d/k1xdvMuWnLtmBcSa9O/C0UzIY+SpAkaYQryC7AfT/k1xD:5ktvMu8GcSaw/RQ80fDkz
    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....fI.................`..........<........p....@................

    File Icon

    Icon Hash:e8ccce8e8ececce8

    Static PE Info

    General

    Entrypoint:0x40133c
    Entrypoint Section:.text
    Digitally signed:true
    Imagebase:0x400000
    Subsystem:windows gui
    Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
    DLL Characteristics:
    Time Stamp:0x49669CB5 [Fri Jan 9 00:39:17 2009 UTC]
    TLS Callbacks:
    CLR (.Net) Version:
    OS Version Major:4
    OS Version Minor:0
    File Version Major:4
    File Version Minor:0
    Subsystem Version Major:4
    Subsystem Version Minor:0
    Import Hash:ce5c4ac311690d884b7f964e897cf716

    Authenticode Signature

    Signature Valid:false
    Signature Issuer:E=MIDLE@perkysex.Sta, CN=Tykho, OU=LRDAGSD, O=Oedogo, L=gener, S=Succuss7, C=FO
    Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
    Error Number:-2146762487
    Not Before, Not After
    • 7/19/2021 1:52:32 AM 7/19/2022 1:52:32 AM
    Subject Chain
    • E=MIDLE@perkysex.Sta, CN=Tykho, OU=LRDAGSD, O=Oedogo, L=gener, S=Succuss7, C=FO
    Version:3
    Thumbprint MD5:6B2F2AEC1CD19ADB58F69D332AA6EB10
    Thumbprint SHA-1:A168A0624017FAD1687EFD7218165EAAD0667521
    Thumbprint SHA-256:7B29D7974E330B45B5772C1F20898DB73558EAF4668727D08A94229F6C2C5A9A
    Serial:00

    Entrypoint Preview

    Instruction
    push 00432170h
    call 00007F8568A13723h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    xor byte ptr [eax], al
    add byte ptr [eax], al
    inc eax
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add bh, dl
    xor ebx, dword ptr [esi+54DBD587h]
    inc esp
    mov dword ptr [ebx], ebp
    sbb al, byte ptr [edx]
    mov edi, 0052F3B1h
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [ecx], al
    add byte ptr [eax], al
    add byte ptr [edx+00h], al
    push es
    push eax
    add dword ptr [ecx], 61h
    jnc 00007F8568A137A6h
    jc 00007F8568A1379Ch
    jnc 00007F8568A1379Dh
    add byte ptr [eax], al
    add ah, ah
    jbe 00007F8568A13739h
    add eax, dword ptr [eax]
    add byte ptr [eax], al
    add bh, bh
    int3
    xor dword ptr [eax], eax
    adc ecx, dword ptr [eax+03h]
    stosd
    cmp dword ptr [ecx+ecx*4-174BB90Fh], eax
    aas
    insb
    jmp 00007F84EB24EF85h
    jecxz 00007F8568A1375Ah
    dec eax
    sbb dl, byte ptr [ecx+738049FEh]
    fld qword ptr [edi+62h]
    out dx, eax
    jnbe 00007F8568A1372Fh
    cmp cl, byte ptr [edi-53h]
    xor ebx, dword ptr [ecx-48EE309Ah]
    or al, 00h
    stosb
    add byte ptr [eax-2Dh], ah
    xchg eax, ebx
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    add byte ptr [eax], al
    push eax
    or al, 03h
    add byte ptr [esi+0000007Bh], dl
    pop es
    add byte ptr [eax+6Fh], dl
    jnc 00007F8568A1379Bh
    je 00007F8568A1379Bh
    xor eax, 07010D00h
    add byte ptr [edi+72h], cl
    jc 00007F8568A13798h
    bound esi, dword ptr [edx]

    Data Directories

    NameVirtual AddressVirtual Size Is in Section
    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_IMPORT0x364a40x28.text
    IMAGE_DIRECTORY_ENTRY_RESOURCE0x380000x80e2.rsrc
    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
    IMAGE_DIRECTORY_ENTRY_SECURITY0x410500x1418
    IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
    IMAGE_DIRECTORY_ENTRY_DEBUG0x11000x1c.text
    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2280x20
    IMAGE_DIRECTORY_ENTRY_IAT0x10000x100.text
    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
    IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

    Sections

    NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
    .text0x10000x359080x36000False0.261126482928data4.74357269576IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    .data0x370000xb900x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
    .rsrc0x380000x80e20x9000False0.31982421875data4.39996163411IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

    Resources

    NameRVASizeTypeLanguageCountry
    RT_ICON0x3fa7a0x668dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4265541880, next used block 7936
    RT_ICON0x3f7920x2e8data
    RT_ICON0x3f5aa0x1e8data
    RT_ICON0x3f4820x128GLS_BINARY_LSB_FIRST
    RT_ICON0x3e5da0xea8data
    RT_ICON0x3dd320x8a8data
    RT_ICON0x3d66a0x6c8data
    RT_ICON0x3d1020x568GLS_BINARY_LSB_FIRST
    RT_ICON0x3a4fa0x2c08data
    RT_ICON0x394520x10a8data
    RT_ICON0x38aca0x988data
    RT_ICON0x386620x468GLS_BINARY_LSB_FIRST
    RT_GROUP_ICON0x385b40xaedata
    RT_VERSION0x383000x2b4dataEnglishUnited States

    Imports

    DLLImport
    MSVBVM60.DLL_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

    Version Infos

    DescriptionData
    Translation0x0409 0x04b0
    LegalCopyrightOFF24
    InternalNameISOL
    FileVersion7.00
    CompanyNameOFF24
    LegalTrademarksOFF24
    CommentsOFF24
    ProductNameOFF24
    ProductVersion7.00
    FileDescriptionOFF24
    OriginalFilenameISOL.exe

    Possible Origin

    Language of compilation systemCountry where language is spokenMap
    EnglishUnited States

    Network Behavior

    No network behavior found

    Code Manipulations

    Statistics

    CPU Usage

    Click to jump to process

    Memory Usage

    Click to jump to process

    System Behavior

    General

    Start time:20:12:04
    Start date:19/07/2021
    Path:C:\Users\user\Desktop\F63V4i8eZU.exe
    Wow64 process (32bit):true
    Commandline:'C:\Users\user\Desktop\F63V4i8eZU.exe'
    Imagebase:0x400000
    File size:271464 bytes
    MD5 hash:08730CDD286A4C9D46B38BB6545AC311
    Has elevated privileges:true
    Has administrator privileges:true
    Programmed in:Visual Basic
    Yara matches:
    • Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Author: Joe Security
    Reputation:low

    Disassembly

    Code Analysis

    Reset < >

      Executed Functions

      APIs
      • NtAllocateVirtualMemory.NTDLL(BB1801DD,?,-0164C694), ref: 021D57D8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: ['o$['o$d#.;
      • API String ID: 2167126740-1926718925
      • Opcode ID: 074f00d28653c1fc3f1d420250a108ea7158b9e1d3a7a54f13effa19b07ac7dc
      • Instruction ID: a83a3395146b557e358bcd71cfe8dc498145f925825b71e22588ad81a81843cf
      • Opcode Fuzzy Hash: 074f00d28653c1fc3f1d420250a108ea7158b9e1d3a7a54f13effa19b07ac7dc
      • Instruction Fuzzy Hash: 36C1987554438ACFCF309F78CC947CE7BA6AF56360F55422ACC88AB254D3318A82CB42
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL(BB1801DD,?,-0164C694), ref: 021D57D8
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID: ['o$d#.;
      • API String ID: 2167126740-3747953398
      • Opcode ID: 72ad2ba2d7af9975c583de5a1ca6f69860fef2968fa931e1f0fda0653ee2df69
      • Instruction ID: 5fbdbf574fba1d3d24c1c35ed2744ae667947161fe44eba420015a32c9e793c5
      • Opcode Fuzzy Hash: 72ad2ba2d7af9975c583de5a1ca6f69860fef2968fa931e1f0fda0653ee2df69
      • Instruction Fuzzy Hash: 6751677168538A9FDF305E38CCD47CA7BA2AF06364F95012ADDC99B254C7318A85CB52
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • NtAllocateVirtualMemory.NTDLL(BB1801DD,?,-0164C694), ref: 021D57D8
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID: AllocateMemoryVirtual
      • String ID:
      • API String ID: 2167126740-0
      • Opcode ID: 8b3636b0c2a87304280a478d432459c8fed812da173ee5d10c369c1bdc8278ad
      • Instruction ID: f367aa44951bd6e54bd271eeb407e0f7668145435afd42419b0b611ad0ca77c8
      • Opcode Fuzzy Hash: 8b3636b0c2a87304280a478d432459c8fed812da173ee5d10c369c1bdc8278ad
      • Instruction Fuzzy Hash: 3231577558138A9FDF308E6CCC907C97BA2EF46364F95012ADD84AB254C3329E46CB51
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaR4Str.MSVBVM60(00432A78), ref: 00433DFC
      • #554.MSVBVM60(00432A78), ref: 00433E0C
      • __vbaNew2.MSVBVM60(00432E58,00437010,00432A78), ref: 00433E29
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433E44
      • __vbaNew2.MSVBVM60(00432E58,00437010,?,00000000), ref: 00433E76
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433E91
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432A7C,00000140), ref: 00433EBA
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00432A7C,000001EC), ref: 00433EFA
      • __vbaFreeStr.MSVBVM60(00000000,?,00432A7C,000001EC), ref: 00433F05
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433F1A
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 00433F35
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433F50
      • __vbaFreeVar.MSVBVM60(00435B5B,00432A78), ref: 00435B08
      • __vbaFreeObj.MSVBVM60(00435B5B,00432A78), ref: 00435B13
      • __vbaFreeStr.MSVBVM60(00435B5B,00432A78), ref: 00435B1E
      • __vbaFreeStr.MSVBVM60(00435B5B,00432A78), ref: 00435B29
      • __vbaFreeVar.MSVBVM60(00435B5B,00432A78), ref: 00435B34
      • __vbaFreeObj.MSVBVM60(00435B5B,00432A78), ref: 00435B3F
      • __vbaFreeStr.MSVBVM60(00435B5B,00432A78), ref: 00435B4A
      • __vbaFreeStr.MSVBVM60(00435B5B,00432A78), ref: 00435B55
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$Free$New2$CheckHresult$#554List
      • String ID: C$CORANTO$Codi$Grilleres$Laanemuligheder4$Lineality$Omgangstonerne$REFUSIONSSALDOERS$Sprogede6$spearproof$4
      • API String ID: 3761024827-697076054
      • Opcode ID: 27d4f620e5fba3d4c7e161b3bbb2dccca980c19b9d8e3f20b6a5daa943645fa5
      • Instruction ID: bd0c1d6ad94a74c5871d8ba3f2097774cba6e73f2ec625d9880cd3a328ac6e92
      • Opcode Fuzzy Hash: 27d4f620e5fba3d4c7e161b3bbb2dccca980c19b9d8e3f20b6a5daa943645fa5
      • Instruction Fuzzy Hash: C4C25EB0900618ABDB24DF65CC85FDA77BCAF48345F0004EEF649E7191DB78AA458F68
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 0043607C
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 00436094
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004360AC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432B54,000001C8), ref: 004360E8
      • __vbaFreeObj.MSVBVM60 ref: 004360F0
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 00436108
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00436120
      • __vbaNew2.MSVBVM60(00432E58,00437010,?,00000000), ref: 00436148
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00436160
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432AC0,00000150), ref: 00436186
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432A7C,000001EC), ref: 004361B5
      • __vbaFreeStr.MSVBVM60 ref: 004361BD
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004361CE
      • #704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 004361E9
      • __vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 004361F3
      • __vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 004361FB
      • __vbaFreeStr.MSVBVM60(00436243,?,000000FF,000000FE,000000FE,000000FE), ref: 00436235
      • __vbaFreeStr.MSVBVM60(00436243,?,000000FF,000000FE,000000FE,000000FE), ref: 0043623D
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$Free$CheckHresultNew2$#704CopyListMove
      • String ID:
      • API String ID: 3420054063-0
      • Opcode ID: 14956b380f47dfcd526e1756110fe76c003054edd8d8c30e260bd7c30db82f2f
      • Instruction ID: c2b152d032338bdd77122e506a0afc5b34821d89a53441c4a08c87cdb7937c6a
      • Opcode Fuzzy Hash: 14956b380f47dfcd526e1756110fe76c003054edd8d8c30e260bd7c30db82f2f
      • Instruction Fuzzy Hash: 105184B0D00208ABDB15EFA5C946FDE7BB8EF08704F10556AF911F71E1DB7899058B98
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: #100
      • String ID: VB5!6%*
      • API String ID: 1341478452-4246263594
      • Opcode ID: f712cf622c938b2cbae39ab0d2a932892ed0acb0062c62dcb30f367af30ec1e5
      • Instruction ID: 5793f95fec8df907642285fdb756138edf12c7e63357855cb5fceee2480244c5
      • Opcode Fuzzy Hash: f712cf622c938b2cbae39ab0d2a932892ed0acb0062c62dcb30f367af30ec1e5
      • Instruction Fuzzy Hash: 3F8165A684E3D14FD74357B498656913FB0AE23228B0E45EBC4C1DF4F3E268590AC776
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737172378.0000000002070000.00000020.00000001.sdmp, Offset: 02070000, based on PE: false
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 098c3f7be726bf481260920fed6c53b8c9b2fc50cdb0b5d81479239bdb32a7e2
      • Instruction ID: f6507fb68abfe1afe3fd4b799bb556221d21629efd13cc1050de611649a05630
      • Opcode Fuzzy Hash: 098c3f7be726bf481260920fed6c53b8c9b2fc50cdb0b5d81479239bdb32a7e2
      • Instruction Fuzzy Hash: 3CD05B7170E2809FD3099B245D166D63FF4EF47211B0905EAE548CF653E114DC414356
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 18f49d4499d2ec82b37731feb5ec659c196098ded253e07094a99c3a058d6d2f
      • Instruction ID: a956f24684b2d012e9f945aedb0b6ad417416ae2d4fc2db1115a96aa7b6e94a9
      • Opcode Fuzzy Hash: 18f49d4499d2ec82b37731feb5ec659c196098ded253e07094a99c3a058d6d2f
      • Instruction Fuzzy Hash: 83B012B03CC0019A571052589F416273180DB4C380F303C73F081D12D0CAA8DC00E67E
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 47d3063a6d14f0b32ab9d9e21c1000db0a95b81a1357a444287b411619b38d65
      • Instruction ID: 957533cfb4f7852be80f59392d6aae586ba08de7857f948f2a58ec6ad40ab074
      • Opcode Fuzzy Hash: 47d3063a6d14f0b32ab9d9e21c1000db0a95b81a1357a444287b411619b38d65
      • Instruction Fuzzy Hash: B0B012303880059F673072646E4242932C0A3493907206C73F451F21A0D6ACFD00872D
      Uniqueness

      Uniqueness Score: -1.00%

      Non-executed Functions

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$Q+E7$W&]X$['o$hy"m$=)$}K
      • API String ID: 0-4052390709
      • Opcode ID: fd8eaf0edcb92bacfc6da0fcda795e26fdbd5791d620c52783f53a38e26c8a90
      • Instruction ID: b9938c45b2e87d937f445dc3f83db1733e58f224bd0067b5a9e0b10d9da9c48a
      • Opcode Fuzzy Hash: fd8eaf0edcb92bacfc6da0fcda795e26fdbd5791d620c52783f53a38e26c8a90
      • Instruction Fuzzy Hash: 52E23272A4034ADFDB349F28CC947DA77A2FF99350F55822DDC899B210D7309A86CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$7/^$AucB$E^$W&]X$hy"m$}K
      • API String ID: 0-525004745
      • Opcode ID: 67ac8fd5ffb487c5f99244f34249aee7dfe4fa33e319e8aeeb05deec36c7d9c8
      • Instruction ID: 20542da88ca9151fa5830c5bbd60b9eddf9401f01868998a4e624afc9c19fbc6
      • Opcode Fuzzy Hash: 67ac8fd5ffb487c5f99244f34249aee7dfe4fa33e319e8aeeb05deec36c7d9c8
      • Instruction Fuzzy Hash: A3A2127264034ADFDF349E38CD547EA77B2AF96350F96822DDC899B254D3308A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$['o$hy"m$}K
      • API String ID: 0-2336096873
      • Opcode ID: 3d36c10f71c4a401be78cbd66d222ef79c54a3d31b7264bc7839c153fd34c556
      • Instruction ID: 7560e81caf3af97661b3939aede16afcaea156c2e8d92d7fda8c1076459a8e66
      • Opcode Fuzzy Hash: 3d36c10f71c4a401be78cbd66d222ef79c54a3d31b7264bc7839c153fd34c556
      • Instruction Fuzzy Hash: 2AA2327660034ADFDF349E38CD547DA77B2BF56350F968229DC899B254D3308A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$(T\y$,ln$AucB$E^$W&]X$['o$}K
      • API String ID: 0-831456003
      • Opcode ID: 0ecb4f590014e548bbb64468598435e990bdafe6ff0f5eee5a8e5968c1c176d7
      • Instruction ID: fa46bb7062a1bb877258813ac8e1d1eb624817678c25cc11438e52dfc96fbf22
      • Opcode Fuzzy Hash: 0ecb4f590014e548bbb64468598435e990bdafe6ff0f5eee5a8e5968c1c176d7
      • Instruction Fuzzy Hash: 1B92227260034ADFDF349E38CD947DA7BA2BF95350F96822DDC899B254D3309A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$hy"m$}K
      • API String ID: 0-168667913
      • Opcode ID: 26b5e69293432543eb006e2a3cf7b5661b7a06fd5fcec754d3187f02e69182b6
      • Instruction ID: e2f2f20126e4e8ce72077c40b8835a7911d5589eee51a21995fcb388c098a659
      • Opcode Fuzzy Hash: 26b5e69293432543eb006e2a3cf7b5661b7a06fd5fcec754d3187f02e69182b6
      • Instruction Fuzzy Hash: F5A2537264034A9FDF349E38CD547DA77B2BF96350F96822EDC899B254D3308A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$`$}K
      • API String ID: 0-2659085442
      • Opcode ID: 393bc5a110c31ee30ffd2e73853e53a81fe3eb0b8957b2f8587debef17defd1c
      • Instruction ID: 4f8865ea2078667d2df2f5a7f7e6817a6d21dc1d97dd2fa7d81cb114d295ad64
      • Opcode Fuzzy Hash: 393bc5a110c31ee30ffd2e73853e53a81fe3eb0b8957b2f8587debef17defd1c
      • Instruction Fuzzy Hash: B072107260034ADFDF349E38CD547EA7BA2BF96350F96822DDC899B254D3305A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 4810d04877191036c092c87fa11fb8baab8d37e3ccbc1efbb39771e87f1b599c
      • Instruction ID: 9ee2e9a1be95dddc851c8d5ebca03d849f56526e6606fb5e4738a1080d03f79e
      • Opcode Fuzzy Hash: 4810d04877191036c092c87fa11fb8baab8d37e3ccbc1efbb39771e87f1b599c
      • Instruction Fuzzy Hash: 1692217264034ADFDF349E38CD943EA77B2BF96350F568229DC899B254D3309A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 920aeefab2b404f74333f1eca041e7ec0e9a134edf326dcb69eb8581e85e208f
      • Instruction ID: 3833fbac429274ac7a5ee27e2abf6d723ebf9a5d008cb22b6763657d5275088e
      • Opcode Fuzzy Hash: 920aeefab2b404f74333f1eca041e7ec0e9a134edf326dcb69eb8581e85e208f
      • Instruction Fuzzy Hash: 2292317160034ADFDF349E38CD547EA77A2BF96350F96822DDC8A9B254D3308A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 3bcf6fe68b2839a5ebab125c4c1995163b9dada0cc34df06276b9bb26e22e2b0
      • Instruction ID: 4eb8342dc32d22ae93a54453bb3e2a391bc59a9db1e49145b29e527612128594
      • Opcode Fuzzy Hash: 3bcf6fe68b2839a5ebab125c4c1995163b9dada0cc34df06276b9bb26e22e2b0
      • Instruction Fuzzy Hash: 4382427260034ADFDF349E28CD943EA77B2BF95350F96822DDC899B254D3305A86CB42
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 64f7e960b819eaa252ab03d6132667c2d2a32da044ea59e0f48a176a7bd71e7e
      • Instruction ID: 8478e499236560cc2d20f7a53a530c474584842736ff88d79761df8e2dff8be7
      • Opcode Fuzzy Hash: 64f7e960b819eaa252ab03d6132667c2d2a32da044ea59e0f48a176a7bd71e7e
      • Instruction Fuzzy Hash: 6772207260034ADFDF349E28CD543EA7BB2BF96350F96822DDC899B254D3344A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 472dee3211e41679e1ea7f8e1d5b4c12aabab0314477a17d20b6c40481e5369c
      • Instruction ID: 75acc7452343e58a700a51cfe79552e5d8b7373eb8b64b7c1e928604fc94ca9f
      • Opcode Fuzzy Hash: 472dee3211e41679e1ea7f8e1d5b4c12aabab0314477a17d20b6c40481e5369c
      • Instruction Fuzzy Hash: BC721F7260034A9FDF349E38CD547EA7BB2BF96350F96822DDC899B254D3305A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 13ae85de1a0bc56fb2974770a3a5c73c4d750d63718b3d66df5bfa8d4a6201b0
      • Instruction ID: 4c8c69293dbec2b1702d8444cbb437e72f2452da2e6ab42909ae0896920ca3f9
      • Opcode Fuzzy Hash: 13ae85de1a0bc56fb2974770a3a5c73c4d750d63718b3d66df5bfa8d4a6201b0
      • Instruction Fuzzy Hash: B572207260034ADFDF349E388D547EA7BB2BF96350F96822DDC899B254D3344A86CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X$}K
      • API String ID: 0-871991043
      • Opcode ID: 250d1b1479c23e0e900ca9decff1b271db316a09fed03c9f1bdc296cea642aca
      • Instruction ID: 79fa832f02da38fa4942f54cc8359fe510fa512cb2f8afbad4917c94ed9daf75
      • Opcode Fuzzy Hash: 250d1b1479c23e0e900ca9decff1b271db316a09fed03c9f1bdc296cea642aca
      • Instruction Fuzzy Hash: 3652217260034A9FDF349E38CD547EA7BA2FF96350F56822DDC899B254D3309A85CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X
      • API String ID: 0-2385884179
      • Opcode ID: e5346b2bc0790a6cd3fbd2fca0cb11d86139cd430d812cd26a0ffb9fa75be0ee
      • Instruction ID: 2e78876573ef9ead9d5c904bbd65be5ed226dc977b768e86c1d3a16b17e7e2f0
      • Opcode Fuzzy Hash: e5346b2bc0790a6cd3fbd2fca0cb11d86139cd430d812cd26a0ffb9fa75be0ee
      • Instruction Fuzzy Hash: 4042107160034ADFDF349E38CD947EA7BA2BF56350F96822DDC8A9B254D3309A85CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X
      • API String ID: 0-2385884179
      • Opcode ID: 0ac0dd8713f03a48249c2728d75288ae51070bc1d0fffbcf40ca7e6c06c47bfd
      • Instruction ID: af6c4b6a5c4cf106cc7f8934ed121a04f6601fa60849f622b479962dd4b14481
      • Opcode Fuzzy Hash: 0ac0dd8713f03a48249c2728d75288ae51070bc1d0fffbcf40ca7e6c06c47bfd
      • Instruction Fuzzy Hash: 1842207260034ADFDF349E38CD953EA7BA2BF56350F56822DDC8A9B254D3309A85CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: %Vj$,ln$AucB$E^$W&]X
      • API String ID: 0-2385884179
      • Opcode ID: 876a375d459f0e37249107546513bbb42d1802b1cd51a05d415817e79e1f9945
      • Instruction ID: 95816a4a0a23954cb5aab377e2746122cc7f9f94964b4f23c697ee435f154249
      • Opcode Fuzzy Hash: 876a375d459f0e37249107546513bbb42d1802b1cd51a05d415817e79e1f9945
      • Instruction Fuzzy Hash: D542207160034ADFDF349E38CD943EA7BA2BF56350F96822DDC8A9B254D3309A85CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ,ln$E^
      • API String ID: 0-1778308355
      • Opcode ID: acbd81977048ac7c13bbce602d4778289007c14d23e095166e5785e55c64413b
      • Instruction ID: 94785f17ad058b1b68e85acba12e30b7719eb693fd7a70c809b9818408b09151
      • Opcode Fuzzy Hash: acbd81977048ac7c13bbce602d4778289007c14d23e095166e5785e55c64413b
      • Instruction Fuzzy Hash: 86F16572A0038ADFDF359E28CD943DE37A2FF9A350F568229DC899B254D3708A45CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 1/L$['o
      • API String ID: 0-130772953
      • Opcode ID: 8e86444c51f5b409f4b7606d5f14054e307680dd08d466b76704e2a42ae98ab0
      • Instruction ID: 76745f7ec820280b791a702b0de2be695ec78707248c72cfe582848f7ffe14e9
      • Opcode Fuzzy Hash: 8e86444c51f5b409f4b7606d5f14054e307680dd08d466b76704e2a42ae98ab0
      • Instruction Fuzzy Hash: 96E15972944356CFDF309E78C9947DE77E6AF59310F55412ECC89AB244D3319A82CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ,ln$E^
      • API String ID: 0-1778308355
      • Opcode ID: 7c09a580bcb2a6c00290e33909d8e3a98ea0ac570dbf892007339deea054180e
      • Instruction ID: 0c1003c07ef865c38a07ea8f336c5d95d04dc0e3c900dbe3fc553a5fe3924018
      • Opcode Fuzzy Hash: 7c09a580bcb2a6c00290e33909d8e3a98ea0ac570dbf892007339deea054180e
      • Instruction Fuzzy Hash: 0AD15375A4038ADFDF358E28CD847DA37A2FF9A350F558229DC8D9B264D3709A45CB40
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: hy"m
      • API String ID: 0-273090794
      • Opcode ID: 0f63d67cdb9cb07ede33ff423ae4fef3239868324ab0eaf5ca2251b4719a2790
      • Instruction ID: 83f04cedcb20af27353b64b04a094e9584f7f23691138409546ae43552849ac1
      • Opcode Fuzzy Hash: 0f63d67cdb9cb07ede33ff423ae4fef3239868324ab0eaf5ca2251b4719a2790
      • Instruction Fuzzy Hash: 49523B716483858FDB31CF38C8987DA7BE2AF56360F5982AECC998F296D3348546C711
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: =)
      • API String ID: 0-3429581902
      • Opcode ID: cbd87e8e6dfc23023b30be0b5fe61e0656966e0224e2e414654294c121222a18
      • Instruction ID: 6ae0f955aa3c69c150d8562919195830632b64c872e8582f0019de0f303b35ac
      • Opcode Fuzzy Hash: cbd87e8e6dfc23023b30be0b5fe61e0656966e0224e2e414654294c121222a18
      • Instruction Fuzzy Hash: F2E11171A4474ADFDB34CF28CC94BDAB7A2FF49310F55822ADC999B241D7309A81CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: =)
      • API String ID: 0-3429581902
      • Opcode ID: 8f421129951cbc81729f875ac030b43521bc86a6b6d27185ab7c1bb5e36a3977
      • Instruction ID: 3ad7d6c812b3429bafec8c252a1b845af35d5f731538eca51ee7c98d8a0f77fe
      • Opcode Fuzzy Hash: 8f421129951cbc81729f875ac030b43521bc86a6b6d27185ab7c1bb5e36a3977
      • Instruction Fuzzy Hash: A7D10072A4474ADFDB34CF68CC94BDA77A2FF49310F558229DC999B201D7309A81CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: hy"m
      • API String ID: 0-273090794
      • Opcode ID: 7dff86784a369b199480d0610011df9dd7bfde76fa502b709b6470a70be03854
      • Instruction ID: 84293c4c2c961b246fa133d9b22701a5c8fc7279781518d8a501fa5861dbd5c0
      • Opcode Fuzzy Hash: 7dff86784a369b199480d0610011df9dd7bfde76fa502b709b6470a70be03854
      • Instruction Fuzzy Hash: 10A156716403459FDB309F38C984BCA7BA2FF56360F94422ADC9A9B255D3748981CF51
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: 7/^
      • API String ID: 0-1988782630
      • Opcode ID: 8da31c8563c295e59fbcca9d74182f600c3d9dc63ea8e0d3364b23ed0941c1be
      • Instruction ID: b96eb70f1d705d31fdb700fce962f6eab18b931268430f58a45b268a1a60c2af
      • Opcode Fuzzy Hash: 8da31c8563c295e59fbcca9d74182f600c3d9dc63ea8e0d3364b23ed0941c1be
      • Instruction Fuzzy Hash: 69A1307164438ADFEF349E74CD547EA37A3EF963A0F55812DCC499B254E3318A858B02
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: =)
      • API String ID: 0-3429581902
      • Opcode ID: 04a05b539b7adbc0fa5832467a149e52d7e7e0fe1b0b4777b5c2506da99069d5
      • Instruction ID: 231ebdc570970e7c48d57746daa6d378fac91edb06b8b7298c24b3fb356e1c12
      • Opcode Fuzzy Hash: 04a05b539b7adbc0fa5832467a149e52d7e7e0fe1b0b4777b5c2506da99069d5
      • Instruction Fuzzy Hash: 0DA1137264078ADFCB34CF68CC94BCA77A1FF19350F55422ADCA89B241D7309A45CB91
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: =)
      • API String ID: 0-3429581902
      • Opcode ID: 3d97fafd9ca53fe93d08906f92186a92acc880ee1f9dd89e19583bf1765e77a8
      • Instruction ID: 53e87aa9c6295140437e1be1b90c517208998de04b29d6b45fe9560e392926a9
      • Opcode Fuzzy Hash: 3d97fafd9ca53fe93d08906f92186a92acc880ee1f9dd89e19583bf1765e77a8
      • Instruction Fuzzy Hash: 4071027164074ADFCB24CF68CC847CAB7B1FF49350F15822ADCA89B201D730A955CB91
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ['o
      • API String ID: 0-4065391802
      • Opcode ID: 2bf720b733716d8b61a4fac3aef44b76da8046eeb4864204859c4b6b73ac7a3c
      • Instruction ID: ef8901e72b0d195d681636bddde207581ee230ccdd27fb9a4207edbedd65a20c
      • Opcode Fuzzy Hash: 2bf720b733716d8b61a4fac3aef44b76da8046eeb4864204859c4b6b73ac7a3c
      • Instruction Fuzzy Hash: 2A518B7654435ACFDF20EE78CC547DE7BA6AF6A350F45422ECD88AB254D3318942CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: =)
      • API String ID: 0-3429581902
      • Opcode ID: 271fc9b1f8e6ba168cfa9938fd7a924b6dd648987390fe6c5ea2fa910fe55da6
      • Instruction ID: 9b21193297e2649655715e9953c57cc35ba67b3abdf45a66ce5d2070278ebcf7
      • Opcode Fuzzy Hash: 271fc9b1f8e6ba168cfa9938fd7a924b6dd648987390fe6c5ea2fa910fe55da6
      • Instruction Fuzzy Hash: AD51047260031ACFDB24DF68D8847CAB7A1FF48350F65462ADC699B200D770AA56CB92
      Uniqueness

      Uniqueness Score: -1.00%

      Strings
      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID: ['o
      • API String ID: 0-4065391802
      • Opcode ID: 96fe7f661459a2d18cdb173c0729dcd2c0de579df9d576509b6255ec489f484c
      • Instruction ID: 46998906a9ba70f69a09d679b5996b6b6fbd786ce63a0ef06f3d95d03768dad8
      • Opcode Fuzzy Hash: 96fe7f661459a2d18cdb173c0729dcd2c0de579df9d576509b6255ec489f484c
      • Instruction Fuzzy Hash: AE415C7254435ACFDF20EE74CC447DE7BA6AF55750F45022DDD88A7254E3319A41CB82
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: e09bf2be12a5b70f5daed4ac4191edee65a9b756bffc85fce5b26b4d83be8cd8
      • Instruction ID: 432c63051ddd0e9978fb039a9e901fd95f46958a546d3fe33ddcfae107d88a92
      • Opcode Fuzzy Hash: e09bf2be12a5b70f5daed4ac4191edee65a9b756bffc85fce5b26b4d83be8cd8
      • Instruction Fuzzy Hash: 9BC1B3615483C68ECB328F3888A87D67BE16F57324F4AC2AECCA94F1D6D3358546C712
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a42642523e067b70f3fec414e16948697637aa547d8f3d16e1411f782a9bc6f7
      • Instruction ID: f1c72e4f50e349b466b4b2f0d5fba76ae07df59913fbc20702550332267b493d
      • Opcode Fuzzy Hash: a42642523e067b70f3fec414e16948697637aa547d8f3d16e1411f782a9bc6f7
      • Instruction Fuzzy Hash: 6E81ED755483968FCF758E389CA43DB7BE1AF56360F8A82AECC999F285C3344642C711
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 33f9e0ebf9850324b2158460acd6276316ac3702205dc59793511d5eec97f652
      • Instruction ID: e62870486df72df9f28db17512040daffd26e9500d5d0304806a4ed8f640004f
      • Opcode Fuzzy Hash: 33f9e0ebf9850324b2158460acd6276316ac3702205dc59793511d5eec97f652
      • Instruction Fuzzy Hash: 0D613975A483899FDF308E78CD547CB37A3AF86360F95822E9C9D97245D3354A82CB02
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1af95ca7a6c5f00a911cdd40e719a399346c39c5b3d597a4f64b531fc4ed4c3f
      • Instruction ID: 8473a301b47bdee46f068e9e102698b41b199b707192449b329a88e608641117
      • Opcode Fuzzy Hash: 1af95ca7a6c5f00a911cdd40e719a399346c39c5b3d597a4f64b531fc4ed4c3f
      • Instruction Fuzzy Hash: 5C710174244384DFDB249F34CD987EA77A6BF55350F86856ECC9A8B166D3308681CF12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 39eb6ee351e7c635a8d61c046c36b9f8b32ecf7eb78663e8b5f95c40eb72d7f8
      • Instruction ID: 86851690e97f09036a7251c6b36c536d32a80aa7fc470f6406314bef9b7b0a09
      • Opcode Fuzzy Hash: 39eb6ee351e7c635a8d61c046c36b9f8b32ecf7eb78663e8b5f95c40eb72d7f8
      • Instruction Fuzzy Hash: 516159766007599FDB309E698DA4BDB37A7BF99350F86412EDC8DAB244C3314A82CB41
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c09d11f7c3361c3d3b1b7d23ce6d8c74ba91107bf81e59fcf1331641b9b6ffee
      • Instruction ID: 4faa8744688c45ec5de581e1874c877c8825bb66b8e1e2d53e1e97d2ba090189
      • Opcode Fuzzy Hash: c09d11f7c3361c3d3b1b7d23ce6d8c74ba91107bf81e59fcf1331641b9b6ffee
      • Instruction Fuzzy Hash: 95610F74644344DFDB28AF34C9997EA77E2BF55350F96842DCC9A8B265D3308A81CE12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: b403f43420a8fb87bbdd390d4d1407bf38c4a3aef4b9e2dd0018f6d4c03d5078
      • Instruction ID: 41aa801f74f0429813b5b7de9a2e36a0629f1a26c816da8d6c722858ae0424b7
      • Opcode Fuzzy Hash: b403f43420a8fb87bbdd390d4d1407bf38c4a3aef4b9e2dd0018f6d4c03d5078
      • Instruction Fuzzy Hash: CA514274644384DFDB24AF34CD587EA77E2BF55350F86852DCCAA8B265D3308681CB12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 032c79ddc2ee51964d4f863eca761253e93081c64eb2a2f9a04196cb1ea54d7e
      • Instruction ID: 9d0f2b43679435f55cbf3914cd2cf01cd101b34b1d9e9ca08201be163dacc37f
      • Opcode Fuzzy Hash: 032c79ddc2ee51964d4f863eca761253e93081c64eb2a2f9a04196cb1ea54d7e
      • Instruction Fuzzy Hash: 13518E75A48389CFDF32CE34C9983DA7BA2AF42264F5A816ACC4A5F249D3708607C711
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6bf5a25dfb1a6ddcf61e0c88ca5f28afd4007fafefacf1709d79d22334cfc97e
      • Instruction ID: 94388729f3f45acb96c4026abcb0f39e1a88ced3d4622289b635f754f38c81f1
      • Opcode Fuzzy Hash: 6bf5a25dfb1a6ddcf61e0c88ca5f28afd4007fafefacf1709d79d22334cfc97e
      • Instruction Fuzzy Hash: 76512831644306CFDF399F79C9A43EA37A6AF5A360F56812ACC49CB254D730C941CB51
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 41ee31e3db439c3963f97d37c849a0feebb063ca248257dd33e226f4cb632a1d
      • Instruction ID: 40fd150e69395f713cd60efb02512f9676c33bcfb7e7cf9f214cdd76e699a2c3
      • Opcode Fuzzy Hash: 41ee31e3db439c3963f97d37c849a0feebb063ca248257dd33e226f4cb632a1d
      • Instruction Fuzzy Hash: D4512170644388DFDB34AF34CD987EE77A6BF95340F95852EDC9A8B255D3304682CA12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: ab5b593fdeb03f3cb64310ca2efc7ab2600ed4a75ed1906340360dbd5c518509
      • Instruction ID: 838e830a90c77b718744b45ea0bf7c70e3361bd3883e16514ec60914df19c286
      • Opcode Fuzzy Hash: ab5b593fdeb03f3cb64310ca2efc7ab2600ed4a75ed1906340360dbd5c518509
      • Instruction Fuzzy Hash: FB511070644384DFDB34AF348D997EE77A2BF95340F95842DDC9A8B255D3304A82CA12
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 31bcdfef7001e02c17eeb6e8a1636a3998bb62d05051f60790ad94681b79e017
      • Instruction ID: ce206506123245ea1706a1ba6b595d156b91914d5cf83651c6b1233b4bb1bafc
      • Opcode Fuzzy Hash: 31bcdfef7001e02c17eeb6e8a1636a3998bb62d05051f60790ad94681b79e017
      • Instruction Fuzzy Hash: 64515E75648389CBDF31CE78CD983DF76A3AF51264F99826ACC8A5F149C37086478711
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 6055afd4e9a16b7d058b99bf49443805e6a1cb69b769d769349178d92b60468a
      • Instruction ID: 20431d3cd53c47cf4c243438670745d94e27c340a3016e794077c6c5b453a302
      • Opcode Fuzzy Hash: 6055afd4e9a16b7d058b99bf49443805e6a1cb69b769d769349178d92b60468a
      • Instruction Fuzzy Hash: 0151473164030ACFDF35AF39C9A43DA37B6EF9A360F55802ACC488B254C3318945CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a07309e59d108e276fcd0ac04a9db91a4331f12871539fb90d37b78266b37245
      • Instruction ID: 860a57c97675e7afc4e99afd852bf1268b256017c04c34e2a1fa315b236d69f5
      • Opcode Fuzzy Hash: a07309e59d108e276fcd0ac04a9db91a4331f12871539fb90d37b78266b37245
      • Instruction Fuzzy Hash: 65511675948395CFCF758F3898A93DB7BA1AF16350F4A826ECC999F185C3344642CB21
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: a9848b3ea9db15de34b777a1eba86420b78863f53ed6cb7daf6f08da8c97938d
      • Instruction ID: 0d153d74321a0c710d6793893c5b171b048834fff1cd82e6c3546538739f04dc
      • Opcode Fuzzy Hash: a9848b3ea9db15de34b777a1eba86420b78863f53ed6cb7daf6f08da8c97938d
      • Instruction Fuzzy Hash: C351273164030ACFDF35AF39C9A83DA33B6EF5A360F56802ADC498B254D3359985CB81
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 62bbd873e0b1906834dfba7d6494b2423fe610375ff8661cd027ff600885ef8f
      • Instruction ID: e7a1e3a4fbe94dfd771d5c8c759c632a87dacb2e63884126b4362cdf07f82da8
      • Opcode Fuzzy Hash: 62bbd873e0b1906834dfba7d6494b2423fe610375ff8661cd027ff600885ef8f
      • Instruction Fuzzy Hash: DA21757659A78AEBCF79EC3D44485C27F9ACA8A78431580ACE4C195803EF24900BD3C4
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1e6573a184d527d6e821d38597f533c88f3373f19207059329ee824ed8e8187d
      • Instruction ID: 30bd90c6e7ff6566f1a6538055b9a22b59dadc0b0c543cf64f4b70cbbe02df75
      • Opcode Fuzzy Hash: 1e6573a184d527d6e821d38597f533c88f3373f19207059329ee824ed8e8187d
      • Instruction Fuzzy Hash: EA310530148BCA6ADB36CB3C89597DB7FA26F02350F8943AE8C988B5D6D3325149C742
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: bcb2196100474df74df31c9003a01e7d483da4ab5204ee398d46120c6424bb15
      • Instruction ID: 165ba6a9712e1bf5e3862d3eb65b39b42ae4d6b31f1d853b687b06748fad82d4
      • Opcode Fuzzy Hash: bcb2196100474df74df31c9003a01e7d483da4ab5204ee398d46120c6424bb15
      • Instruction Fuzzy Hash: 4711A07129E7976B9DAACD3984486C7BFD19E03EC4336666ECCE1B1003DF6180539249
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 7e6bfcd5a887b7eb4ed72812a494473c1a006ca3ee591c2ffa251baa8128514c
      • Instruction ID: 3ab43995c1b0356f6f6554c27a84b4bbe9a01d26414f32ea6cac89f37f724a21
      • Opcode Fuzzy Hash: 7e6bfcd5a887b7eb4ed72812a494473c1a006ca3ee591c2ffa251baa8128514c
      • Instruction Fuzzy Hash: 6431B1B564434AEFCF709E78DC947CB37A6AF49340FC1002AAD4C5B201D37459418B52
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 1b6895e3330d421d5caf3c48b7076ef6b84e038e21670ca2df23d97e05465089
      • Instruction ID: 52fd6500775ffee9b4ac9168d6fdbae382dd78cf7b91ada135f9df1adacf0a3f
      • Opcode Fuzzy Hash: 1b6895e3330d421d5caf3c48b7076ef6b84e038e21670ca2df23d97e05465089
      • Instruction Fuzzy Hash: 7921CE711043449FEB688E758E457DF73EBAF90B50F52C21DDC8487104E7344982CB52
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: c272e1b52335a12eba2d9d8ec2ede4dbaab89e106051450c6399221247d7ebda
      • Instruction ID: 0fa6c51c7c4acdd79104e4708f09c675a391b792c5ea5cd288009c4bb6070f28
      • Opcode Fuzzy Hash: c272e1b52335a12eba2d9d8ec2ede4dbaab89e106051450c6399221247d7ebda
      • Instruction Fuzzy Hash: BE11A134B80799CFCB30DE18DAE9BC677A4BF09790F46862ADD444F251D334AA41CB50
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 5efbd6579910367751106a789e4ef4c631927697f2bb646973fb01a6b87b08fa
      • Instruction ID: 036aebd1f574a1f212160349a984223cc880f9bacdd99a70ae63a02a0e3c1389
      • Opcode Fuzzy Hash: 5efbd6579910367751106a789e4ef4c631927697f2bb646973fb01a6b87b08fa
      • Instruction Fuzzy Hash: 3AB092B62415808FEF02CF0CC881B4073A0FB18648B0804D0E402CF712C224E901CB04
      Uniqueness

      Uniqueness Score: -1.00%

      Memory Dump Source
      • Source File: 00000000.00000002.737783934.00000000021D0000.00000040.00000001.sdmp, Offset: 021D0000, based on PE: false
      Yara matches
      Similarity
      • API ID:
      • String ID:
      • API String ID:
      • Opcode ID: 793cb0d300ecf20d0a70746fe0481f52d32e9e157eea558e033299c5b4c46f2d
      • Instruction ID: 1d82c90f88aecb6a5547d418ad842fc1c93742d7b0a4ea960099cc6345ad6a1f
      • Opcode Fuzzy Hash: 793cb0d300ecf20d0a70746fe0481f52d32e9e157eea558e033299c5b4c46f2d
      • Instruction Fuzzy Hash: 7EB00275651644CFCE55CF09C1D0E8073B5F755750F4154D0E41187B12C265E904CA10
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaStrCopy.MSVBVM60 ref: 00435DE1
      • __vbaNew2.MSVBVM60(00432B1C,00437454), ref: 00435DF8
      • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E8B4,00432B0C,00000014), ref: 00435E1D
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435E4D
      • __vbaStrMove.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435E5B
      • __vbaFreeObj.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435E63
      • #560.MSVBVM60(?), ref: 00435E73
      • __vbaFreeVar.MSVBVM60(?), ref: 00435E89
      • __vbaNew2.MSVBVM60(00432B1C,00437454,?), ref: 00435EA9
      • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E8B4,00432B0C,00000014), ref: 00435EC9
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435EF2
      • __vbaStrMove.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435F00
      • __vbaFreeObj.MSVBVM60(00000000,?,00432B64,00000130), ref: 00435F08
      • __vbaNew2.MSVBVM60(00432B1C,00437454), ref: 00435F1F
      • __vbaObjVar.MSVBVM60(?), ref: 00435F30
      • __vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 00435F3A
      • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E8B4,00432B0C,00000010), ref: 00435F51
      • __vbaFreeObj.MSVBVM60(00000000,02B2E8B4,00432B0C,00000010), ref: 00435F59
      • __vbaNew2.MSVBVM60(00432E58,00437010,?), ref: 00435F71
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435F89
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432B54,00000198), ref: 00435FAF
      • __vbaFreeObj.MSVBVM60(00000000,00000000,00432B54,00000198), ref: 00435FBD
      • __vbaFreeStr.MSVBVM60(00436003), ref: 00435FE5
      • __vbaFreeStr.MSVBVM60(00436003), ref: 00435FED
      • __vbaFreeStr.MSVBVM60(00436003), ref: 00435FF5
      • __vbaFreeVar.MSVBVM60(00436003), ref: 00435FFD
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$Free$CheckHresult$New2$Move$#560AddrefCopy
      • String ID:
      • API String ID: 4235209719-0
      • Opcode ID: 5be56b42979d9dd5a927bbc6d41b95245710a7cae9aa7f57d35aaab33f472a55
      • Instruction ID: 3b7c6a7082ed6d5caf0e07785bdb5cdda417a893f126922d5917dbfb2bb099db
      • Opcode Fuzzy Hash: 5be56b42979d9dd5a927bbc6d41b95245710a7cae9aa7f57d35aaab33f472a55
      • Instruction Fuzzy Hash: 716163B0D00209ABCB14EFA6D896DDEBBB8EF08308F10547EF505B71A1DB786905CB58
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 00435BC4
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435BDC
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432CB4,00000134), ref: 00435C18
      • __vbaFreeObj.MSVBVM60(00000000,00000000,00432CB4,00000134), ref: 00435C20
      • #696.MSVBVM60(00432CC8), ref: 00435C2A
      • #704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00432CC8), ref: 00435C50
      • __vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00432CC8), ref: 00435C5A
      • __vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,00432CC8), ref: 00435C62
      • __vbaNew2.MSVBVM60(00432E58,00437010,?,000000FF,000000FE,000000FE,000000FE,00432CC8), ref: 00435C7A
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435C92
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432B54,00000170), ref: 00435CB8
      • #529.MSVBVM60(00000002), ref: 00435CD2
      • __vbaFreeObj.MSVBVM60(00000002), ref: 00435CDA
      • __vbaFreeVar.MSVBVM60(00000002), ref: 00435CE2
      • __vbaNew2.MSVBVM60(00432E58,00437010,00432CC8), ref: 00435CFA
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435D12
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432AC0,00000058), ref: 00435D32
      • __vbaFreeObj.MSVBVM60(00000000,00000000,00432AC0,00000058), ref: 00435D40
      • __vbaFreeStr.MSVBVM60(00435D6E), ref: 00435D68
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$Free$CheckHresultNew2$#529#696#704Move
      • String ID:
      • API String ID: 640063502-0
      • Opcode ID: 88301517bef34d76a84d0226b7f24497e3021ccb4c134fb68c63f3568f8bb481
      • Instruction ID: 5165dfc377d7d784b5eec4e2caed1fb2a65e9c7280b15a8edc693b008c14b3a3
      • Opcode Fuzzy Hash: 88301517bef34d76a84d0226b7f24497e3021ccb4c134fb68c63f3568f8bb481
      • Instruction Fuzzy Hash: FE513DB0900218ABDB14EFA5CD4AFDE77B8BF08708F10152EF451F72E1DB7899058A68
      Uniqueness

      Uniqueness Score: -1.00%

      APIs
      • __vbaNew2.MSVBVM60(00432B1C,00437454), ref: 004362B0
      • __vbaHresultCheckObj.MSVBVM60(00000000,02B2E8B4,00432B0C,00000014), ref: 004362D4
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 004362FD
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00436315
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432AB0,0000013C), ref: 0043633B
      • __vbaHresultCheckObj.MSVBVM60(00000000,?,00432B64,0000013C), ref: 0043636A
      • __vbaFreeStr.MSVBVM60 ref: 00436372
      • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00436383
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 0043639E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 004363B6
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432B54,000001D0), ref: 004363EE
      • __vbaFreeObj.MSVBVM60 ref: 004363F6
      • __vbaNew2.MSVBVM60(00432E58,00437010), ref: 0043640E
      • __vbaObjSet.MSVBVM60(?,00000000), ref: 00436426
      • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432B9C,00000078), ref: 00436446
      • __vbaFreeObj.MSVBVM60 ref: 00436454
      Memory Dump Source
      • Source File: 00000000.00000002.735114355.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
      • Associated: 00000000.00000002.735085772.0000000000400000.00000002.00020000.sdmp Download File
      • Associated: 00000000.00000002.735376614.0000000000437000.00000004.00020000.sdmp Download File
      • Associated: 00000000.00000002.735395303.0000000000438000.00000002.00020000.sdmp Download File
      Similarity
      • API ID: __vba$CheckHresult$FreeNew2$List
      • String ID:
      • API String ID: 3473554973-0
      • Opcode ID: 919737f2287dd065c68b7eac0cb11d5a36b928e1cfec81915a279ef823490485
      • Instruction ID: 0ff9b7d547b48083905c1b4c5cdad697c9dd1a14bd55a9bb3e192b840794aee6
      • Opcode Fuzzy Hash: 919737f2287dd065c68b7eac0cb11d5a36b928e1cfec81915a279ef823490485
      • Instruction Fuzzy Hash: CF5193B0900205ABDB11EFA6CD46FAF77B8EF19704F10542AF950B7191D778A505CB68
      Uniqueness

      Uniqueness Score: -1.00%