Play interactive tour

Edit tour

Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.25640

Overview

General Information

Sample Name:	SecuriteInfo.com.__vbaHresultCheckObj.11013.25640 (renamed file extension from 25640 to exe)
Analysis ID:	451415
MD5:	c6066a473750ed5ad023d20ce532c8c8
SHA1:	b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256:	932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.__vbaHresultCheckObj.11013.exe (PID: 6556 cmdline: 'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe' MD5: C6066A473750ED5AD023D20CE532C8C8)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://andreameixueiro.com/IRANSAT_Vsidob74.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Machine Learning detection for sample

Show sources

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Joe Sandbox ML: detected

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://andreameixueiro.com/IRANSAT_Vsidob74.bin

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B NtAllocateVirtualMemory,	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228306 NtAllocateVirtualMemory,	1_2_02228306
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022283BF NtAllocateVirtualMemory,	1_2_022283BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222840D NtAllocateVirtualMemory,	1_2_0222840D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228487 NtAllocateVirtualMemory,	1_2_02228487

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE22	1_2_0222DE22
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E26	1_2_02223E26
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223E36	1_2_02223E36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA3F	1_2_0222CA3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE00	1_2_0222CE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EA01	1_2_0222EA01
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CA17	1_2_0222CA17
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A71	1_2_02220A71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220A77	1_2_02220A77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222827B	1_2_0222827B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE43	1_2_0222DE43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A57	1_2_02221A57
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222725B	1_2_0222725B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227EAB	1_2_02227EAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220AB2	1_2_02220AB2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223EB5	1_2_02223EB5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DE80	1_2_0222DE80
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221A89	1_2_02221A89
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CE96	1_2_0222CE96
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226EEF	1_2_02226EEF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DEF2	1_2_0222DEF2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CAD5	1_2_0222CAD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221B27	1_2_02221B27
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220B2C	1_2_02220B2C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF36	1_2_0222DF36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227B0E	1_2_02227B0E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223F6F	1_2_02223F6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CB77	1_2_0222CB77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DF4F	1_2_0222DF4F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CF8C	1_2_0222CF8C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B791	1_2_0222B791
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226F9B	1_2_02226F9B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DFE3	1_2_0222DFE3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022287F0	1_2_022287F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220BC2	1_2_02220BC2
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221BD7	1_2_02221BD7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222BDE	1_2_02222BDE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CC1F	1_2_0222CC1F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02222C1C	1_2_02222C1C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221874	1_2_02221874
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220C4A	1_2_02220C4A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C84F	1_2_0222C84F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C453	1_2_0222C453
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222305E	1_2_0222305E
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222705F	1_2_0222705F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C45F	1_2_0222C45F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022230B9	1_2_022230B9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92	1_2_0222EC92
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E097	1_2_0222E097
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C8FB	1_2_0222C8FB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCFF	1_2_0222CCFF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CCCB	1_2_0222CCCB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221925	1_2_02221925
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD3F	1_2_0222DD3F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD02	1_2_0222DD02
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227104	1_2_02227104
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD0F	1_2_0222DD0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DD78	1_2_0222DD78
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222CD55	1_2_0222CD55
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DB6	1_2_02223DB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022271B4	1_2_022271B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222DDBB	1_2_0222DDBB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C993	1_2_0222C993
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C9FF	1_2_0222C9FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022219C3	1_2_022219C3
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223DC9	1_2_02223DC9

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Binary or memory string: OriginalFilenameObject.exe vs SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

File created: C:\Users\user\AppData\Local\Temp\~DF934512EC1FF84EF0.TMP

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

ReversingLabs: Detection: 30%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, type: SAMPLE
Source: Yara match	File source: 1.0.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 1.2.SecuriteInfo.com.__vbaHresultCheckObj.11013.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0040663B push ebp; iretd	1_2_00406645
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE10 push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE60 push esi; retf	1_2_0222EE63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE64 push esi; retf	1_2_0222EE67
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE68 push esi; retf	1_2_0222EE6B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE6C push esi; retf	1_2_0222EE6F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE70 push esi; retf	1_2_0222EE73
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE74 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE78 push esi; retf	1_2_0222EE77
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EE5C push esi; retf	1_2_0222EE5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EEAD push esi; retf	1_2_0222EE5B
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228AF9 push ebp; retf	1_2_02228B0F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222EC92 push esi; retf	1_2_0222EE5B

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02228274 NtAllocateVirtualMemory,	1_2_02228274
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222626C	1_2_0222626C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222124F	1_2_0222124F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226E50	1_2_02226E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D25D	1_2_0222D25D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022266BD	1_2_022266BD
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221680	1_2_02221680
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BE97	1_2_0222BE97
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226A9C	1_2_02226A9C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022232E5	1_2_022232E5
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022212E9	1_2_022212E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D2FF	1_2_0222D2FF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220ED0	1_2_02220ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226327	1_2_02226327
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B36	1_2_02223B36
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B04	1_2_02226B04
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222171F	1_2_0222171F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222E772	1_2_0222E772
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226742	1_2_02226742
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BF51	1_2_0222BF51
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A4	1_2_0222D3A4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022213AA	1_2_022213AA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D3A8	1_2_0222D3A8
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022217BF	1_2_022217BF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223B8D	1_2_02223B8D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222678D	1_2_0222678D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226B91	1_2_02226B91
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022263E7	1_2_022263E7
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BBCE	1_2_0222BBCE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02220FDB	1_2_02220FDB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223C37	1_2_02223C37
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222143F	1_2_0222143F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C05	1_2_02226C05
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BC08	1_2_0222BC08
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C010	1_2_0222C010
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226866	1_2_02226866
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222086C	1_2_0222086C
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B846	1_2_0222B846
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BCB6	1_2_0222BCB6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02221083	1_2_02221083
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226497	1_2_02226497
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226C95	1_2_02226C95
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022210EB	1_2_022210EB
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022268E9	1_2_022268E9
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022214EF	1_2_022214EF
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223CF6	1_2_02223CF6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022208FA	1_2_022208FA
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022260D4	1_2_022260D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D33	1_2_02223D33
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226D63	1_2_02226D63
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BD42	1_2_0222BD42
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02223D43	1_2_02223D43
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226545	1_2_02226545
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02225D5F	1_2_02225D5F
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222D1B1	1_2_0222D1B1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226991	1_2_02226991
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222159A	1_2_0222159A
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222619D	1_2_0222619D
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022215E1	1_2_022215E1
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_022265ED	1_2_022265ED
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02226DFE	1_2_02226DFE
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222BDFC	1_2_0222BDFC

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3DF second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a xor edx, AD6145DAh 0x00000010 cmp bh, dh 0x00000012 test bh, ah 0x00000014 xor edx, 12B119F7h 0x0000001a test bx, dx 0x0000001d cmp ecx, ecx 0x0000001f xor edx, D2104AFFh 0x00000025 test ebx, edx 0x00000027 mov ebx, edx 0x00000029 pushad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B409 second address: 000000000222B409 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl edx, 05h 0x0000000d add edx, ebx 0x0000000f movzx ebx, byte ptr [esi] 0x00000012 cmp bh, dh 0x00000014 add edx, ebx 0x00000016 xor edx, 09D23C6Ah 0x0000001c jmp 00007F0104364A0Eh 0x0000001e push ss 0x0000001f pop ss 0x00000020 jmp 00007F0104364A09h 0x00000022 add esi, 02h 0x00000025 mov word ptr [ebp+00000271h], bx 0x0000002c mov bx, word ptr [esi] 0x0000002f cmp bx, 0000h 0x00000033 mov bx, word ptr [ebp+00000271h] 0x0000003a jne 00007F0104364950h 0x00000040 mov ebx, edx 0x00000042 pushad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222B3B8 second address: 000000000222B3B8 instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222E29D second address: 000000000222E29D instructions:
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C060 second address: 000000000222C075 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov edx, 9D78574Ah 0x0000000f pushad 0x00000010 mov edx, 000000F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C075 second address: 000000000222C0A1 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 xor edx, 2F78EC29h 0x00000009 xor edx, 66DC7D09h 0x0000000f cmp cx, cx 0x00000012 cmp bx, cx 0x00000015 add edx, 2B23399Ah 0x0000001b cmp bl, bl 0x0000001d cmp dword ptr [edi+14h], edx 0x00000020 mov edx, dword ptr [ebp+000001CDh] 0x00000026 je 00007F01043649F6h 0x00000028 pushad 0x00000029 lfence 0x0000002c rdtsc
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	RDTSC instruction interceptor: First address: 000000000222C0A1 second address: 000000000222BD95 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b jmp 00007F0104E2E8B8h 0x00000010 jmp 00007F0104E2ECE2h 0x00000012 cmp bx, bx 0x00000015 add esi, 00001000h 0x0000001b test bh, ah 0x0000001d test ch, ch 0x0000001f mov dword ptr [ebp+000001CEh], esi 0x00000025 mov esi, D1CB123Dh 0x0000002a test ax, bx 0x0000002d xor esi, 9D079601h 0x00000033 cmp bl, al 0x00000035 xor esi, 6EEE3B7Fh 0x0000003b test ax, ax 0x0000003e sub esi, 2221CF43h 0x00000044 test bl, bl 0x00000046 cmp dword ptr [ebp+000001CEh], esi 0x0000004c mov esi, dword ptr [ebp+000001CEh] 0x00000052 je 00007F0104E2F5D7h 0x00000058 test ah, ch 0x0000005a test ax, 00005041h 0x0000005e mov dword ptr [ebp+00000218h], esi 0x00000064 cmp cl, FFFFFFB9h 0x00000067 mov esi, 1CDCD8D0h 0x0000006c jmp 00007F0104E2ECE6h 0x0000006e test bx, cx 0x00000071 cmp edx, ecx 0x00000073 xor esi, 8DEA0809h 0x00000079 test edi, 1851CFE8h 0x0000007f cmp ch, bh 0x00000081 xor esi, 46C5E00Dh 0x00000087 pushad 0x00000088 mov ebx, 000000B2h 0x0000008d rdtsc

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_02228274 rdtsc

1_2_02228274

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222AA71 mov eax, dword ptr fs:[00000030h]	1_2_0222AA71
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222B2B6 mov eax, dword ptr fs:[00000030h]	1_2_0222B2B6
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C350 mov eax, dword ptr fs:[00000030h]	1_2_0222C350
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C750 mov eax, dword ptr fs:[00000030h]	1_2_0222C750
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_0222C783 mov eax, dword ptr fs:[00000030h]	1_2_0222C783
Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	Code function: 1_2_02227C90 mov eax, dword ptr fs:[00000030h]	1_2_02227C90

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe, 00000001.00000002.1185657895.0000000000CE0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Code function: 1_2_0222B4B5 cpuid

1_2_0222B4B5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	30%	ReversingLabs	Win32.Trojan.GuLoader
SecuriteInfo.com.__vbaHresultCheckObj.11013.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://andreameixueiro.com/IRANSAT_Vsidob74.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://andreameixueiro.com/IRANSAT_Vsidob74.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	451415
Start date:	20.07.2021
Start time:	16:06:38
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	SecuriteInfo.com.__vbaHresultCheckObj.11013.25640 (renamed file extension from 25640 to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 21.7% (good quality ratio 8.3%) Quality average: 20.8% Quality standard deviation: 30.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/451415/sample/SecuriteInfo.com.__vbaHresultCheckObj.11013.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.2543149496955905
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
File size:	241664
MD5:	c6066a473750ed5ad023d20ce532c8c8
SHA1:	b2c181c008fd857b0f0122dbfd05d4193654ccc2
SHA256:	932f31e907302148994f479eafe8dfbf203537491bbd586c43190c59afa248ff
SHA512:	eb1bc3dfd845ba94e4e936b48dda25fff41fb59267593eb82facf9e92688ec5c0ed81d8db69855d5e39563ab8449466b3e7cb28ba1eb25c045481283293a6a3b
SSDEEP:	3072:Or3BepJlZa/X16SU2Aara5K8EyrNRlu2mHJlZapGBR:OFiUXI15KHyrDMHP
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....B.O................. ...................0....@................

File Icon


Icon Hash:	f8fcd4ccf4e4e8d0

Static PE Info

General
Entrypoint:	0x4019b0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4FA642B9 [Sun May 6 09:22:01 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e9f7dd0da1a2a1266893e1ae4ef42b67

Entrypoint Preview

Instruction
push 00408AD0h
call 00007F0104EAF655h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+64h], dl
pop esp
in eax, B8h
dec esp
pushad
inc edx
xchg eax, ebp
sbb al, A7h
rcr dword ptr [edi+0014C50Ah], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [esi], ch
dec edi
jo 00007F0104EAF6D6h
imul ebp, dword ptr [edi+41h], 45444F50h
dec ebp
inc ecx
dec edi
inc edx
add byte ptr [ebp+6Fh], cl
or eax, 0000000Ah
add bh, bh
int3
xor dword ptr [eax], eax
xor ecx, esp
rcr dword ptr [esi-0F04F7E5h], 48h
cdq

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32524	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x6d12	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1a4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31b94	0x32000	False	0.394462890625	data	6.41394682438	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x33000	0x1290	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x6d12	0x7000	False	0.482003348214	data	5.46106000111	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3ae6a	0xea8	data
RT_ICON	0x3a5c2	0x8a8	data
RT_ICON	0x39efa	0x6c8	data
RT_ICON	0x39992	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x373ea	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x36342	0x10a8	data
RT_ICON	0x359ba	0x988	data
RT_ICON	0x35552	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x354dc	0x76	data
RT_VERSION	0x35240	0x29c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaCyStr, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, __vbaVar2Vec, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Socialbakers
InternalName	Object
FileVersion	1.00
CompanyName	Socialbakers
LegalTrademarks	Socialbakers
ProductName	APODEMAOB
ProductVersion	1.00
OriginalFilename	Object.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe PID: 6556 Parent PID: 5768

General

Start time:	16:07:30
Start date:	20/07/2021
Path:	C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\SecuriteInfo.com.__vbaHresultCheckObj.11013.exe'
Imagebase:	0x400000
File size:	241664 bytes
MD5 hash:	C6066A473750ED5AD023D20CE532C8C8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000001.00000000.653822220.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: SecuriteInfo.com.vbaHresultCheckObj.11013.exe PID: 6556 Parent PID: 5768 SecuriteInfo.com.vbaHresultCheckObj.11013.exeCOMMON

Executed Functions

Function 02228274, Relevance: 20.6, APIs: 1, Strings: 10, Instructions: 1326memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Strings

XY), xrefs: 022282E6
dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: $#$4a$5}T$XY)$]|g$dw7g$tXmG$WE$iw$A
API String ID: 2167126740-1023261390
Opcode ID: 8b1b8bb0745650c4e77ba2b7ec07557c65156ed7186eadfd2e0141735b481dd0
Instruction ID: 0d7da7df45ab2fa8d958c2d502b29e8945e9a2c5ff3765ff408e8896aeaf019d
Opcode Fuzzy Hash: 8b1b8bb0745650c4e77ba2b7ec07557c65156ed7186eadfd2e0141735b481dd0
Instruction Fuzzy Hash: 90A2AA7161431ADFDF349E78CDA43EA37A2EF16350F85412EDC8A97248D3728989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222827B, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 226memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Strings

XY), xrefs: 022282E6

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID: XY)
API String ID: 2167126740-937109081
Opcode ID: 28ba171bb3c8c9b5578850a08fa7dae60e5cc8c069d15444186985299b4adeeb
Instruction ID: 6b84d571e59d2fed6a75d4d42035246a22141ff8335a606d9277cee3e4a4522b
Opcode Fuzzy Hash: 28ba171bb3c8c9b5578850a08fa7dae60e5cc8c069d15444186985299b4adeeb
Instruction Fuzzy Hash: EA717B71A202699FCF309E64C8947EE37B2AF553A0F49409DDCC55F219D3354986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02228306, Relevance: 1.7, APIs: 1, Instructions: 200memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: c43801916458773064c7318fcc2aa59491d12821eb3a1fe5c927234057bbc197
Instruction ID: 400b7d4713c03a21a4b575928b31525e667104024fa83dc844f52202aa546cbc
Opcode Fuzzy Hash: c43801916458773064c7318fcc2aa59491d12821eb3a1fe5c927234057bbc197
Instruction Fuzzy Hash: 30615A71A252699FCF309E74C8947EE37B2AF463A0F49409DDCC55F219D3314986CB82

Uniqueness

Uniqueness Score: -1.00%

Function 022283BF, Relevance: 1.7, APIs: 1, Instructions: 167memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 32c65aae8e3c1f615c80f32c17e05efd1f83e8554142b9d547af4df22d94fb52
Instruction ID: 97e9aa3f6cc78bafda990425f2b39c159c78a1a92ab76fd107b0518560dceb9d
Opcode Fuzzy Hash: 32c65aae8e3c1f615c80f32c17e05efd1f83e8554142b9d547af4df22d94fb52
Instruction Fuzzy Hash: 4D514875A212A99FCF319E78C8A87EE37B2BF453A0F49409DDC845F215C3354A86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0222840D, Relevance: 1.6, APIs: 1, Instructions: 142memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ee2af7145452633df5dbb1adcdec9413e384c75f09001e9e664f1de1022bda5a
Instruction ID: 4bd59bb2675c1b24f76e6975df9afd0c28cc8afd595aded9746d49dedea771ca
Opcode Fuzzy Hash: ee2af7145452633df5dbb1adcdec9413e384c75f09001e9e664f1de1022bda5a
Instruction Fuzzy Hash: 1D414635A243A99FCB319E68CC947DA37B2BF09390F59006DDC849F205C3318A46CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02228487, Relevance: 1.6, APIs: 1, Instructions: 133memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-1C65D34E), ref: 02228504

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d1000e5565cad91fdc62b50e59026c3a74746de3bfe1c7ffafbb71fd78b54cbe
Instruction ID: 9804a528ed8d6aba27fe99c488d18563d394dca17a8a149fc9e3a63f9720dbed
Opcode Fuzzy Hash: d1000e5565cad91fdc62b50e59026c3a74746de3bfe1c7ffafbb71fd78b54cbe
Instruction Fuzzy Hash: 9D411435E212A99FCF318E78C8A47DE37A2BF4A3A0F59409DDC845F216C7355946CB81

Uniqueness

Uniqueness Score: -1.00%

Function 00432190, Relevance: 68.5, APIs: 37, Strings: 2, Instructions: 263COMMON

Download Yara Rule

APIs

#607.MSVBVM60(?,000000FF,?), ref: 004321F2
__vbaStrVarMove.MSVBVM60(?), ref: 004321FC
__vbaStrMove.MSVBVM60 ref: 0043220D
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00432219
__vbaLenBstr.MSVBVM60(?), ref: 00432226
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00432235
__vbaStrToAnsi.MSVBVM60(?,?,00000000), ref: 00432246
__vbaSetSystemError.MSVBVM60(00000000,?,00000000), ref: 00432252
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0043225D
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000), ref: 0043226B
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000), ref: 0043227B
#537.MSVBVM60(00000000,?,00000001), ref: 0043228B
__vbaStrMove.MSVBVM60 ref: 00432296
__vbaInStr.MSVBVM60(00000000,00000000), ref: 0043229A
__vbaFreeStr.MSVBVM60 ref: 004322AF
#537.MSVBVM60(00000000,?,00000001), ref: 004322C2
__vbaStrMove.MSVBVM60 ref: 004322CD
__vbaInStr.MSVBVM60(00000000,00000000), ref: 004322D1
#616.MSVBVM60(?,-00000001), ref: 004322E5
__vbaStrMove.MSVBVM60 ref: 004322F0
__vbaFreeStr.MSVBVM60 ref: 004322F5
__vbaStrCat.MSVBVM60(00409E30), ref: 00432309
__vbaStrMove.MSVBVM60 ref: 00432310
__vbaStrCat.MSVBVM60(?,00000000), ref: 00432317
__vbaStrMove.MSVBVM60 ref: 0043231E
__vbaFreeStr.MSVBVM60 ref: 00432323
__vbaErrorOverflow.MSVBVM60 ref: 0043238B
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 00432401
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0043242C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000110), ref: 0043245A
__vbaStrMove.MSVBVM60 ref: 00432469
__vbaFreeObj.MSVBVM60 ref: 00432472
#598.MSVBVM60 ref: 00432478
__vbaStrCopy.MSVBVM60 ref: 00432486

Strings

d#C, xrefs: 004323C9, 004323D9, 00432496, 004324AB
USERNAME, xrefs: 0043247E

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Move$Free$#537AnsiCheckErrorHresultListUnicode$#598#607#616BstrCopyNew2OverflowSystem
String ID: USERNAME$d#C
API String ID: 840069314-3593120005
Opcode ID: 722374fc566f88c45b8daf1579878edec6af140c34fe2de2d031d79e69464f21
Instruction ID: aa7d77db195924b2dd8039463dd9cce117f84e81cabaed7d7b454d867bd2a00b
Opcode Fuzzy Hash: 722374fc566f88c45b8daf1579878edec6af140c34fe2de2d031d79e69464f21
Instruction Fuzzy Hash: D991FF75900209AFCB04DFA5DD89DEFBBB8FF48700F10812AF605A72A5DB785945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD94, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 00432401
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0043242C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000110), ref: 0043245A
__vbaStrMove.MSVBVM60 ref: 00432469
__vbaFreeObj.MSVBVM60 ref: 00432472
#598.MSVBVM60 ref: 00432478
__vbaStrCopy.MSVBVM60 ref: 00432486
__vbaHresultCheckObj.MSVBVM60(00000000,00401730,004091B4,0000074C), ref: 004324AD
__vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 004324B9
__vbaFreeStr.MSVBVM60(004324F7), ref: 004324F0

Strings

d#C, xrefs: 004323C9, 004323D9, 00432496, 004324AB
USERNAME, xrefs: 0043247E

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#598CopyListMoveNew2
String ID: USERNAME$d#C
API String ID: 3664798572-3593120005
Opcode ID: 3294174a3de28a5725b21b0bbbf451c7a58d05041c95ff2c24546d9ab4e732d5
Instruction ID: 0a9023b98a3c42d0d34dd61a9307b82df67471229fa2303a55092126b1704809
Opcode Fuzzy Hash: 3294174a3de28a5725b21b0bbbf451c7a58d05041c95ff2c24546d9ab4e732d5
Instruction Fuzzy Hash: 7D310171900205ABCB04DF95CD89EEEBBB8FF5C704F10802AF615B7291D7789945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 004019B0, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 154COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004019B5

Strings

VB5!6&*, xrefs: 004019B0

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ff35563d00a2ebc9287d877ec35ecfc7986bac2578973f6f6af715311fcc79f0
Instruction ID: 26f937dbe5c6593083995dadc1cce31f19a858a097af3aa7c40e0e598f91791d
Opcode Fuzzy Hash: ff35563d00a2ebc9287d877ec35ecfc7986bac2578973f6f6af715311fcc79f0
Instruction Fuzzy Hash: E551A9A254E7C1AFC3039B7098222817FB0AE1322470B4AEBC4C1DF4B3E2595D19C776

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02220FDB, Relevance: 18.7, Strings: 13, Instructions: 2465COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7
A, xrefs: 022267F8
mr7M, xrefs: 0222223A
tXmG, xrefs: 022265D8
5}T, xrefs: 0222728E
$#, xrefs: 022268D4
0zBi, xrefs: 02221C8E
iw, xrefs: 0222658F
WE, xrefs: 02226515
]|g, xrefs: 02226971
4a, xrefs: 0222662E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$0zBi$4a$5}T$]|g$dw7g$eN7Q$kW`Z$mr7M$tXmG$WE$iw$A
API String ID: 0-3159333358
Opcode ID: 58e773440813d07f4df72d0168e45dcd34b068cba0aa8160d735c04a4c499a6a
Instruction ID: 501394f38ea809263a038815c2685625d66551918736f6e35953137800b5d59f
Opcode Fuzzy Hash: 58e773440813d07f4df72d0168e45dcd34b068cba0aa8160d735c04a4c499a6a
Instruction Fuzzy Hash: 5413BC7161435A9FDF349E78CDA43EE37A3AF56350F95422ECC8997248D3728989CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0222C350, Relevance: 15.8, Strings: 11, Instructions: 2071COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
)Cq, xrefs: 0222CBA7
iw, xrefs: 0222658F
loM, xrefs: 0222C3F3
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$)Cq$4a$5}T$]|g$dw7g$tXmG$WE$iw$loM$A
API String ID: 0-629999665
Opcode ID: 35af9b22662228534a412901fd3853e555ae388b8d8b29cf8cf109dd98035020
Instruction ID: 972092004aa6189fb15d458e4aed1095e7a26c65e175b00851a4547c279e1dae
Opcode Fuzzy Hash: 35af9b22662228534a412901fd3853e555ae388b8d8b29cf8cf109dd98035020
Instruction Fuzzy Hash: 05F2BE716143569FDF349E78CDA43DA77A3AF12350F85822ECCCA8B299D3758589CB02

Uniqueness

Uniqueness Score: -1.00%

Function 022232E5, Relevance: 13.9, Strings: 10, Instructions: 1381COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
EjYA, xrefs: 022233E5
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$EjYA$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-2693317436
Opcode ID: 3ac9e486fd5acad3547163995f053560465d4326f5c7c1b40b98079d876e4912
Instruction ID: 7d2feb7ae072ee163eee533d0da8101bf6d21a176c0a4493d489314c8dc87aaa
Opcode Fuzzy Hash: 3ac9e486fd5acad3547163995f053560465d4326f5c7c1b40b98079d876e4912
Instruction Fuzzy Hash: 31B2AB7160431A9FDF349E78CDA43EA77A3EF52350F85412EDC8A97248D3768989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222BBCE, Relevance: 13.0, Strings: 9, Instructions: 1774COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 2850e6817b64933f843f63f7be3ed00ddf4453284869d4d411ef29638f153975
Instruction ID: 909c586795c087b398fc85ffe1780da753e9105b52aee3dd840f18e49c5880d5
Opcode Fuzzy Hash: 2850e6817b64933f843f63f7be3ed00ddf4453284869d4d411ef29638f153975
Instruction Fuzzy Hash: 5BD2AC7161431AAFDF349E78CDA43EA77A3EF11390F85412EDC8A97148D3768989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022208FA, Relevance: 12.7, Strings: 9, Instructions: 1431COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 81ff75e50e6d59d78008aed4b150d549662e8b851697f1f1f046fe1e94911b07
Instruction ID: a7065557ae84dafa2dcd3bf694cfd79b0e2926c7a6ae0ba43a9ae9c91b422d56
Opcode Fuzzy Hash: 81ff75e50e6d59d78008aed4b150d549662e8b851697f1f1f046fe1e94911b07
Instruction Fuzzy Hash: B7B2887161431ADFDF349E78C9A43EA77A3EF55350F85422EDC8A97248D3328989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222E772, Relevance: 12.5, Strings: 9, Instructions: 1287COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 6126a2d21d9f7aa2869d8ca50e7587f82231f1d6df7deb80f99395bd5903a8d2
Instruction ID: 83e77806f93d529a5bf281c849dcc67f5561336d9afce27da7377baf922f0ba4
Opcode Fuzzy Hash: 6126a2d21d9f7aa2869d8ca50e7587f82231f1d6df7deb80f99395bd5903a8d2
Instruction Fuzzy Hash: 79A2897161431AAFDF349E78CDA43DA77A3EF16350F85422EDC8A97248D3368985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02225D5F, Relevance: 12.5, Strings: 9, Instructions: 1218COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 7e4a9638904f3f39ebb83d7097fe5e5997997843658a01096180902506496bf7
Instruction ID: cc3f81d61ecbb1e37fa71bdfb946f70b9628c62348fcd92709bc44c86aecba78
Opcode Fuzzy Hash: 7e4a9638904f3f39ebb83d7097fe5e5997997843658a01096180902506496bf7
Instruction Fuzzy Hash: 2F92AA7160435AAFDF349E78CDA43EA77A2FF16350F85422DDC8A97248D3728985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222086C, Relevance: 12.4, Strings: 9, Instructions: 1109COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 504bd7ffc72ba58166c20e6e05af4d23d5054dcf52f133809e09f57e90dbe71b
Instruction ID: 74018c6e61c943d373d7b42b317e6849feadb77bf1eda625d0f76d0bfdec7e93
Opcode Fuzzy Hash: 504bd7ffc72ba58166c20e6e05af4d23d5054dcf52f133809e09f57e90dbe71b
Instruction Fuzzy Hash: EF82887160430A9FDF349E78CDA43EA77A3EF16350F85422EDC8A97248D3768985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022260D4, Relevance: 12.3, Strings: 9, Instructions: 1075COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 1725c7cd62519450d9e9d5f73f3754e0f5f21372a2aa2f2cad3754261228b5f3
Instruction ID: 27402e3c77a73b99d0947777d1e22a63bb07f96e03ff65bdd1be124a0463f50a
Opcode Fuzzy Hash: 1725c7cd62519450d9e9d5f73f3754e0f5f21372a2aa2f2cad3754261228b5f3
Instruction Fuzzy Hash: A182787160434A9FDF349E78CDA43DA77A2FF16350F85422DDC8A97248D3768985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222619D, Relevance: 12.3, Strings: 9, Instructions: 1028COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: fe532ac69a3bd1d62b740ed2300023288a842d3addb964860c6b487d23aeb4c2
Instruction ID: 9da47e4b206571905048b6e354c82d5c29a16bda49d1d000bdfca0f421ddb984
Opcode Fuzzy Hash: fe532ac69a3bd1d62b740ed2300023288a842d3addb964860c6b487d23aeb4c2
Instruction Fuzzy Hash: 3182877160434A9FDF349E78CDA43DA77A2FF16390F85422EDC8A97248D3768985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222626C, Relevance: 12.2, Strings: 9, Instructions: 987COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 2534abbbafe145a183923b3f90f063913d6e22c8dc972a3c24dd4cbd9b884de2
Instruction ID: 8dbf43b86b81aed2420fda74c30c1bef714c18ad2a4f34d52f9fe72f7cfd9deb
Opcode Fuzzy Hash: 2534abbbafe145a183923b3f90f063913d6e22c8dc972a3c24dd4cbd9b884de2
Instruction Fuzzy Hash: AA72767160435A9FDF349E78CDA43DA77A2FF16390F85422DDC8A97248D3328989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02226327, Relevance: 12.2, Strings: 9, Instructions: 952COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 413135b4721aa9933b8ba7bd1b18701c838b669e86f759bd7efc12d19de8ce00
Instruction ID: 00243564f75ba51e891f5c4cf65e181417eaa82d50b2a11e06e311e116345f57
Opcode Fuzzy Hash: 413135b4721aa9933b8ba7bd1b18701c838b669e86f759bd7efc12d19de8ce00
Instruction Fuzzy Hash: 6772767160435A9FDF349E78CDA43DA77A2FF16390F85422EDC8A97248D3728985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022263E7, Relevance: 12.2, Strings: 9, Instructions: 920COMMON

Download Yara Rule

Strings

dw7g, xrefs: 02226418
iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$dw7g$tXmG$WE$iw$A
API String ID: 0-466558514
Opcode ID: 428a4568fe1c4a95523725714ee655094d4ca33d61ea037c4765ffdfff337e63
Instruction ID: cfc9e975ca26d4680d411ff633b860d886416325963fefda6bd6238a5fa318fd
Opcode Fuzzy Hash: 428a4568fe1c4a95523725714ee655094d4ca33d61ea037c4765ffdfff337e63
Instruction Fuzzy Hash: 7D72877160435A9FDF349E78CDA43DA37A2EF16390F85422EDC8A97248D3728985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02226497, Relevance: 10.9, Strings: 8, Instructions: 886COMMON

Download Yara Rule

Strings

iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
WE, xrefs: 02226515
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$tXmG$WE$iw$A
API String ID: 0-3393883339
Opcode ID: 1e9997f080b6f0bdfeb2b8000ddbfede7715f3ec07c7a74180b555647317fb0f
Instruction ID: b33ed10b949f454b43efe96db8bd9c7aff74c8ad8713cee27fcbec0aaa9a8b49
Opcode Fuzzy Hash: 1e9997f080b6f0bdfeb2b8000ddbfede7715f3ec07c7a74180b555647317fb0f
Instruction Fuzzy Hash: 7962877160435AAFDF349E78CDA43DA37A2FF16350F85412DDC8A9B248D3768989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02226545, Relevance: 9.6, Strings: 7, Instructions: 845COMMON

Download Yara Rule

Strings

iw, xrefs: 0222658F
A, xrefs: 022267F8
]|g, xrefs: 02226971
tXmG, xrefs: 022265D8
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$tXmG$iw$A
API String ID: 0-2208431610
Opcode ID: 2162ed05d867dbd657af617c334fd65187337aec1078ee8143ea013d36770c3a
Instruction ID: d3c8d7463b80d0c493d8e39a21fa9e796867a63da03c27d527fd5f674103b723
Opcode Fuzzy Hash: 2162ed05d867dbd657af617c334fd65187337aec1078ee8143ea013d36770c3a
Instruction Fuzzy Hash: 2862987161435AAFDF349E78CDA43DA77A2FF16350F85412ECC8A97204D3768989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022265ED, Relevance: 7.1, Strings: 5, Instructions: 821COMMON

Download Yara Rule

Strings

A, xrefs: 022267F8
]|g, xrefs: 02226971
4a, xrefs: 0222662E
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$4a$5}T$]|g$A
API String ID: 0-1642544609
Opcode ID: 224deecbdca69bb4a33e2f15034b27716a6a6a22ee94045b7121393412af80f0
Instruction ID: cde092259152741d62cac07a3002b50d9d865b6d4afe44129e0afd33cfa581cb
Opcode Fuzzy Hash: 224deecbdca69bb4a33e2f15034b27716a6a6a22ee94045b7121393412af80f0
Instruction Fuzzy Hash: FD52877160435AAFDF349E78CDA43DA77A2FF16350F85412DDC8A9B208D3768989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022266BD, Relevance: 5.8, Strings: 4, Instructions: 775COMMON

Download Yara Rule

Strings

A, xrefs: 022267F8
]|g, xrefs: 02226971
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$5}T$]|g$A
API String ID: 0-3781842100
Opcode ID: eaf2ed7a171f1280d9c21cee69b3baed68387b01111a091a44b167e205b9dfb7
Instruction ID: 2cee3ae5abdabb9b29dd33855190a4818c7a77aeebb73668908de13b6385f143
Opcode Fuzzy Hash: eaf2ed7a171f1280d9c21cee69b3baed68387b01111a091a44b167e205b9dfb7
Instruction Fuzzy Hash: 0252787161434AAFDF349E78CDA43DA77A2FF15350F85412DDC8A8B144D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02226742, Relevance: 5.8, Strings: 4, Instructions: 757COMMON

Download Yara Rule

Strings

A, xrefs: 022267F8
]|g, xrefs: 02226971
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$5}T$]|g$A
API String ID: 0-3781842100
Opcode ID: 26e81c5763ff731c111a9ea780eaacfbde246c38ac7076f78c602a0609e104e2
Instruction ID: 916acb90b50a5483da4b8e1b4730c3807444ddf20d9ab78514120b9793de4291
Opcode Fuzzy Hash: 26e81c5763ff731c111a9ea780eaacfbde246c38ac7076f78c602a0609e104e2
Instruction Fuzzy Hash: 3E52667161434A9FDF349E78CEA53DA77A2FF16350F85412DDC8A9B204D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222678D, Relevance: 5.7, Strings: 4, Instructions: 738COMMON

Download Yara Rule

Strings

A, xrefs: 022267F8
]|g, xrefs: 02226971
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$5}T$]|g$A
API String ID: 0-3781842100
Opcode ID: 4b7dd10f3e8101bf7bc1c573ba7cc1ab543e7768fc537f0e1ef0810a5671d48b
Instruction ID: edd29068da25faf04f06f6a81c4f74cca0f555670f0bd13935ed00a9618ff155
Opcode Fuzzy Hash: 4b7dd10f3e8101bf7bc1c573ba7cc1ab543e7768fc537f0e1ef0810a5671d48b
Instruction Fuzzy Hash: 5C42667161434A9FDF349E78CEA43DA77A2FF16350F85412DDC8A9B108D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02220ED0, Relevance: 4.5, Strings: 3, Instructions: 744COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: 22f5ade36283b2f3d105985a2a2a7276164e095d1cdf71371c4f0bef4e884584
Instruction ID: 2917253892a8effdb09781768f80f564dac8425f672a722708b20479832012fd
Opcode Fuzzy Hash: 22f5ade36283b2f3d105985a2a2a7276164e095d1cdf71371c4f0bef4e884584
Instruction Fuzzy Hash: 7B42F231A0439A9FDF309EB88D603DF37B3AF56390F95412ACC899B149D7764989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02226866, Relevance: 4.4, Strings: 3, Instructions: 683COMMON

Download Yara Rule

Strings

]|g, xrefs: 02226971
5}T, xrefs: 0222728E
$#, xrefs: 022268D4

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: $#$5}T$]|g
API String ID: 0-439164371
Opcode ID: fc874d5270f4910fa4408e5fd6c76f9f0cad160d6734026ee3942f11aa91f30f
Instruction ID: dc1bfa0d0159fcc43909eb9e9ed01f88421e813c70085bfce7fe2a37f3905bbd
Opcode Fuzzy Hash: fc874d5270f4910fa4408e5fd6c76f9f0cad160d6734026ee3942f11aa91f30f
Instruction Fuzzy Hash: 8042467164435AEFDF349E78CEA53DA77A2BF16340F85412DDC8A97204D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02221083, Relevance: 4.4, Strings: 3, Instructions: 653COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: a8bb344a7674d909397617a6952c65f1336c4a03a70a6be04613f517b7a67ec4
Instruction ID: ff31cf4f682454e1e3a796c1005878247575ba42fb709de2cab6e7528e8ee470
Opcode Fuzzy Hash: a8bb344a7674d909397617a6952c65f1336c4a03a70a6be04613f517b7a67ec4
Instruction Fuzzy Hash: 3422D031A0436A9FDF309EB88DA03DE37A3AF56350F95412ACC89D7249D7764A89CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022210EB, Relevance: 4.4, Strings: 3, Instructions: 644COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: 6c6207032a3635f30834ecd0ae7e6c700a043701ef55fe6a3a0835452e847777
Instruction ID: 43bcd57eb04ecb00df44268ce9069ca78e5b5af8545930beac130a69e4f4eb37
Opcode Fuzzy Hash: 6c6207032a3635f30834ecd0ae7e6c700a043701ef55fe6a3a0835452e847777
Instruction Fuzzy Hash: EC22D231A0435A9FDF309EB8CDA47DF37A3AF56350F95412ACC899B149D7324989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222124F, Relevance: 4.3, Strings: 3, Instructions: 575COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: 53ab3070ab74bcc15c9329192939acd66553fbf76c35f8a5013485c45c8c5181
Instruction ID: 58ab347039fba46a86a4398ad3f4530d5f961f26b6471c204796ea04ebb60fa1
Opcode Fuzzy Hash: 53ab3070ab74bcc15c9329192939acd66553fbf76c35f8a5013485c45c8c5181
Instruction Fuzzy Hash: 6012C131A0435A9FDF309EB88D607DF37A3AF563A0F99422ECC899B149D7364985CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022212E9, Relevance: 4.3, Strings: 3, Instructions: 547COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: 7b90050c375208aece7c344a8ee00095f773de1e613fb30223a3e5bc8d1db2c6
Instruction ID: c55aa553425688e2e354c8db8f1fa35155b44ad5f5396e3514a1095f64cc365f
Opcode Fuzzy Hash: 7b90050c375208aece7c344a8ee00095f773de1e613fb30223a3e5bc8d1db2c6
Instruction Fuzzy Hash: 1912B031A0435A9FDF308E788D607DF37A3AF563A0F99422ECC899B149D7764989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022213AA, Relevance: 4.3, Strings: 3, Instructions: 510COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: 81fd4bfaea9439f2681ca1da84ccfba9f45db87cdfe89d66b0f4357edf302e91
Instruction ID: 9954b294edaad57e8dda9737d7fbdeba79a1222c4909ead094e46edd97a219d8
Opcode Fuzzy Hash: 81fd4bfaea9439f2681ca1da84ccfba9f45db87cdfe89d66b0f4357edf302e91
Instruction Fuzzy Hash: BA02C131A0436A9FDF308EB88D547DF37A3AF56360F99422ECC899B149D7724989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222143F, Relevance: 4.2, Strings: 3, Instructions: 482COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
kW`Z, xrefs: 02221485
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q$kW`Z
API String ID: 0-2492613549
Opcode ID: e355bb4d51afc56e835e3278227af14872a5663b9b8a484640bf793cf7a73b9d
Instruction ID: 659673528522f166898f92d321a2e61376a590d5b01ccf35161b3b252a18e13d
Opcode Fuzzy Hash: e355bb4d51afc56e835e3278227af14872a5663b9b8a484640bf793cf7a73b9d
Instruction Fuzzy Hash: D8F1C031A0436A9FDF308EB88D647DF3763AF56360F99422ECC899B149C7764989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022268E9, Relevance: 3.2, Strings: 2, Instructions: 670COMMON

Download Yara Rule

Strings

]|g, xrefs: 02226971
5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T$]|g
API String ID: 0-1035669616
Opcode ID: 5a3f8400abc97820a90ccf86fd6de41f6319b564080c8447a2a00008cf8af38a
Instruction ID: c22eb3d2ab1e64a3a023d9562cdeba0b48f96525ac3f6bb8cacd15eb4821e3b7
Opcode Fuzzy Hash: 5a3f8400abc97820a90ccf86fd6de41f6319b564080c8447a2a00008cf8af38a
Instruction Fuzzy Hash: 2C32677165434ADFDF349E78CDA43DA37A2BF56350F85412DDC8A9B208D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02226B91, Relevance: 3.1, Strings: 2, Instructions: 601COMMON

Download Yara Rule

Strings

H, xrefs: 02226BB6
5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T$H
API String ID: 0-623112098
Opcode ID: 9cb7b2e300d5b903768aad4a477727ea41083c2c5ffb0000aeeb5cb29f2545be
Instruction ID: 332d634183c05ececebacea8797974fea2a857f6bdc582c99d252d43e5bd3c99
Opcode Fuzzy Hash: 9cb7b2e300d5b903768aad4a477727ea41083c2c5ffb0000aeeb5cb29f2545be
Instruction Fuzzy Hash: BF2274716143599FDF349E78CAA43DA37A2FF16390F45412EDCCA9B148D3728A89CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022214EF, Relevance: 3.0, Strings: 2, Instructions: 454COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 06ff7aa797a42712bdcf9041b60f12fdf39f418d659d1ff0fe4992668caeccfe
Instruction ID: 424d13fce1d8a2621fa819de9fad8f473c5543d88351ed658fcee6f4592ba6b6
Opcode Fuzzy Hash: 06ff7aa797a42712bdcf9041b60f12fdf39f418d659d1ff0fe4992668caeccfe
Instruction Fuzzy Hash: 9AF1C131A1436A9FDF308EB88DA47DF37A3AF46350F99422ECC899B149C7754989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022215E1, Relevance: 2.9, Strings: 2, Instructions: 421COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 92bd385c38e6aef634e72483cb9eb936abed620f0e4ba9412ad50e9e900ba392
Instruction ID: 2452d2e8dec2571edcf9d33f85b15832c327068659775ab084dfe541f1e01206
Opcode Fuzzy Hash: 92bd385c38e6aef634e72483cb9eb936abed620f0e4ba9412ad50e9e900ba392
Instruction Fuzzy Hash: 77E1C03161436AAFDB308EB88D947DF37A2AF43350F95422ECC899B189D7724989CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0222159A, Relevance: 2.9, Strings: 2, Instructions: 414COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 1dee6b3850e42c19ce21c3a8ee3e7a2da82cf89d6eea169d4c16cd2fac395d4a
Instruction ID: c2addad43af69e93a1ac4d344902768804c91ccb43e5b52c69f8b2c1023106fa
Opcode Fuzzy Hash: 1dee6b3850e42c19ce21c3a8ee3e7a2da82cf89d6eea169d4c16cd2fac395d4a
Instruction Fuzzy Hash: B4E1C231A1436A9FDF308EB88D547DF3763AF42360F99422ECC899B189C7764989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221680, Relevance: 2.9, Strings: 2, Instructions: 382COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: f7db8e44cb758122501c3d71a6308542666d1860590f24c0a6ffa36fadaf40aa
Instruction ID: b0b5cb61eb0ca57acb493352b24fe72ef47c6f88a690f8915c821605e83f5e91
Opcode Fuzzy Hash: f7db8e44cb758122501c3d71a6308542666d1860590f24c0a6ffa36fadaf40aa
Instruction Fuzzy Hash: A4D1E431A1436A9FDF308EB88D943DF37A3AF42350F95426ECC899B189C7724989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222171F, Relevance: 2.9, Strings: 2, Instructions: 352COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: c30dba148ed5695c6dd93cb78d61e9303793f1ac9c3aeee77c2ff3fd6f98f8bf
Instruction ID: 3a73f5ed44c9e69f0df7c2200150c997cae7e3c92c9df93ce77eb0be3dbf58fb
Opcode Fuzzy Hash: c30dba148ed5695c6dd93cb78d61e9303793f1ac9c3aeee77c2ff3fd6f98f8bf
Instruction Fuzzy Hash: E2C1C131A1436A9FDF308EB88D943DF37A3AF42360F95826ECC895B189C7364589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 022217BF, Relevance: 2.8, Strings: 2, Instructions: 319COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 5ec276e2e1319a6e93d8b95a5a1abc29ec597edd37d58d661bd5ae15e63b43d7
Instruction ID: e3ef81d133ae120ead0ab9e13905b6bfb18048fe4ab11119e0a6e75c66c3ff87
Opcode Fuzzy Hash: 5ec276e2e1319a6e93d8b95a5a1abc29ec597edd37d58d661bd5ae15e63b43d7
Instruction Fuzzy Hash: EFB1B031A1476A9FDF308EB88D943DE7763AF43360F95826ECC855B18AC7364589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221874, Relevance: 2.8, Strings: 2, Instructions: 287COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: b68e1470957351919f79777b03db28921a3466c275e44fcf56e888286e89d09f
Instruction ID: 3f554d4b208eb67be3541fc403b6229fcaf08b19e02b89c789d53b784a0fde3f
Opcode Fuzzy Hash: b68e1470957351919f79777b03db28921a3466c275e44fcf56e888286e89d09f
Instruction Fuzzy Hash: 95A18E3161479A9FDF308EB88D947EE7763AF43350F94826ECC859B18AC7364589CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02221925, Relevance: 2.8, Strings: 2, Instructions: 265COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: f2e7965ec7e7f0e81eb6d55687811a2a9d147568df99898b0fc315c97581cc88
Instruction ID: 962f92b6d65cb563a05bd062372f5686bf5aa70ef8a9f5bb95891d0591467eb5
Opcode Fuzzy Hash: f2e7965ec7e7f0e81eb6d55687811a2a9d147568df99898b0fc315c97581cc88
Instruction Fuzzy Hash: FB918F3161879A9FDB318EB8CD947DF7BA3AF42360F94825ECC854B18AC7364589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221A57, Relevance: 2.7, Strings: 2, Instructions: 232COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 3842b34e976f86bf1c4e334cf30df44071f7acf7d621fd4ffff31d73bc97ac7d
Instruction ID: ce159d4ca58782ed90e5478495183e0b86bc36971a89125a5cfc280d035b17cd
Opcode Fuzzy Hash: 3842b34e976f86bf1c4e334cf30df44071f7acf7d621fd4ffff31d73bc97ac7d
Instruction Fuzzy Hash: 2281A231A1879A9FDB318EB88D947DE7B62BF43320F94826DCC994B18BC7364549C741

Uniqueness

Uniqueness Score: -1.00%

Function 022219C3, Relevance: 2.7, Strings: 2, Instructions: 231COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 9455dfd3055ce3cb1f60fb130860ae213fc313043671e648b644de3d7b697f14
Instruction ID: 3fc91d3e4496dc6f87b88b3a47f39ac423a6a6314721d09b9bce5aabfe4674b3
Opcode Fuzzy Hash: 9455dfd3055ce3cb1f60fb130860ae213fc313043671e648b644de3d7b697f14
Instruction Fuzzy Hash: EF814E31A1879A9FDB318E788D947DF7B62BF43360F94825ECC854B18AC7364589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221A89, Relevance: 2.7, Strings: 2, Instructions: 200COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 73b234a4556f18d9e210da892d2bc6ee0f577a8dc5da62188d6213057ce65631
Instruction ID: 9f582feb3e194eaf38790c6074d84069d4aece07723bdfeb7566a619379b0ac7
Opcode Fuzzy Hash: 73b234a4556f18d9e210da892d2bc6ee0f577a8dc5da62188d6213057ce65631
Instruction Fuzzy Hash: 56717E31A1879A9FDF318E7889947DE7B62BF43360F94826ECCD54B18AC7360549CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221B27, Relevance: 2.7, Strings: 2, Instructions: 169COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: 28d9c62cf048e522e216625bba8a8411bcab0d700c18d4157ee2cea6cf73b060
Instruction ID: 013be83ae0891ad1499937af248a4561495ea3906b3a17c5ab0c32dad3a1dd16
Opcode Fuzzy Hash: 28d9c62cf048e522e216625bba8a8411bcab0d700c18d4157ee2cea6cf73b060
Instruction Fuzzy Hash: 00514B31A187DAAFDB318E7889647DE7B62BF43360F94829DCC954F08AC7325549CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02221BD7, Relevance: 2.6, Strings: 2, Instructions: 132COMMON

Download Yara Rule

Strings

0zBi, xrefs: 02221C8E
eN7Q, xrefs: 02227BF7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 0zBi$eN7Q
API String ID: 0-3339816079
Opcode ID: d67bfe0398dacc5bb5ef3f2544837857864fb81e691f7f05bfaff0d8d3903277
Instruction ID: 7d1c982a401ef6768eab307e24dee6a4fe0a9e791997bf8c2ad6e9d64ec2b6b1
Opcode Fuzzy Hash: d67bfe0398dacc5bb5ef3f2544837857864fb81e691f7f05bfaff0d8d3903277
Instruction Fuzzy Hash: D5512830A18BCAAEDB318E78C9547DEBB62BF43360F58829DCC954B08AC73515498741

Uniqueness

Uniqueness Score: -1.00%

Function 0222B4B5, Relevance: 2.6, Strings: 2, Instructions: 112COMMON

Download Yara Rule

Strings

`, xrefs: 0222B6DE
1,, xrefs: 0222B6C1

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: `$1,
API String ID: 0-1801784198
Opcode ID: b7903d1842553b65acb71889ed2cba3b1e0adfd885caa3500894004bca88454b
Instruction ID: 455becb9fefd5b1002af118d5f7c71b6661a78a0059a09973158fa2373177a2e
Opcode Fuzzy Hash: b7903d1842553b65acb71889ed2cba3b1e0adfd885caa3500894004bca88454b
Instruction Fuzzy Hash: 7F318B756203669BEF385DBC8AA83F933E69F85364F91412FCC4B4B18CC776054A8101

Uniqueness

Uniqueness Score: -1.00%

Function 0222C750, Relevance: 2.0, Strings: 1, Instructions: 701COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: ad7fb1a5d62effe9cf730b209e5065ce90b663a3402efb0c7d72020b251805b7
Instruction ID: a5d2061c4ad0488529aea7204088b307dec192f616fdcb3bfba119b8c33207bd
Opcode Fuzzy Hash: ad7fb1a5d62effe9cf730b209e5065ce90b663a3402efb0c7d72020b251805b7
Instruction Fuzzy Hash: 48329E305143969FDB319F78C9A43DB7BE39F52360F8A826ACCC59B19AD3358589C702

Uniqueness

Uniqueness Score: -1.00%

Function 02226991, Relevance: 1.9, Strings: 1, Instructions: 641COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 8f01e68fdd8fb4ee6d9c1c64788f30b38fdfc6f34fa29871a7be27ba64958ccb
Instruction ID: 8cc4e32cd93badeb8c83c3fbc5b799d87843fb3d2d02fe3099afcd8e9e0c7f93
Opcode Fuzzy Hash: 8f01e68fdd8fb4ee6d9c1c64788f30b38fdfc6f34fa29871a7be27ba64958ccb
Instruction Fuzzy Hash: 30325771654359DFDF349E78CDA83DA37A2EF16350F85412DDC8A9B244D3728A89CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02226A9C, Relevance: 1.8, Strings: 1, Instructions: 591COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 4645115a2cf119f4cbadd4e7e4c0175f79771e7068121004fc7e19a4fcb96dfe
Instruction ID: b56eff232f39a505ef1cd655cededaa7805f9b5fb6df5635f1fc615c185e1d72
Opcode Fuzzy Hash: 4645115a2cf119f4cbadd4e7e4c0175f79771e7068121004fc7e19a4fcb96dfe
Instruction Fuzzy Hash: 9622687165435ADFDF359E78CDA43DA37A2EF16340F85412DDC8A9B244D3728A89CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02226B04, Relevance: 1.8, Strings: 1, Instructions: 576COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 51128fe92646585c80dd3ec9736f09c30c52a8eeb1521199be6897a7afea1d6b
Instruction ID: 1c318536027db17665944f5439fbb5fe97903a0369dea065de544365f08ac998
Opcode Fuzzy Hash: 51128fe92646585c80dd3ec9736f09c30c52a8eeb1521199be6897a7afea1d6b
Instruction Fuzzy Hash: 062267716543599FDF359E78CDA43DA37A2FF16380F85412DDC8A9B248D3728A89CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02226C05, Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 5db80115a1754f6306f23bf696b424821747d54e18074c6b2f7e3b92579aa9fe
Instruction ID: f1e34dcf6680a80f89c57b49874aa91098c2d4eb16530e77ad218564f5fc51d8
Opcode Fuzzy Hash: 5db80115a1754f6306f23bf696b424821747d54e18074c6b2f7e3b92579aa9fe
Instruction Fuzzy Hash: 1C1277716543499FDF349E78CEA43DA37A2FF16350F85412DDC8A9B248D3728A89CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02226C95, Relevance: 1.8, Strings: 1, Instructions: 510COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: fadf92bd1415832e23bc215490a926319af0da6d63c9b2ba2af9d5d20afebff3
Instruction ID: 598387788a1ba2044bd3f2bb9e594ab7bd8728160aca7cfc56aa2ec4d1f10ed7
Opcode Fuzzy Hash: fadf92bd1415832e23bc215490a926319af0da6d63c9b2ba2af9d5d20afebff3
Instruction Fuzzy Hash: 98127671654349AFDF359E78CEA43DA37A2FF16380F85412DDC8A9B244D3768A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222C783, Relevance: 1.7, Strings: 1, Instructions: 488COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: efd2e235e285c231cbcbd961ed62031bcff40842bbdec7c1c982f6df5f74a616
Instruction ID: 1200edf02a884c22b78ee3af6255ed803e52b3b0569aa61eb47026e5f7533809
Opcode Fuzzy Hash: efd2e235e285c231cbcbd961ed62031bcff40842bbdec7c1c982f6df5f74a616
Instruction Fuzzy Hash: 6E026C315143968FDF31CE78C8A47DA7BA25F53260F99C2AACCD58F1AAD331854AC702

Uniqueness

Uniqueness Score: -1.00%

Function 02226D63, Relevance: 1.7, Strings: 1, Instructions: 471COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 51290460a01d2d56893fc6d185f7016ebc456de5a1fd2c8f5e5d4b05f27eeca9
Instruction ID: 9bd33c5832f2929cbfbee53b247c85712e5fc1fdf879748344da9792ba30fe6c
Opcode Fuzzy Hash: 51290460a01d2d56893fc6d185f7016ebc456de5a1fd2c8f5e5d4b05f27eeca9
Instruction Fuzzy Hash: 4B025371654349AFEF359E78CEA43DA37A2FF16390F85402DDC8A9B114D3768A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222DD02, Relevance: 1.7, Strings: 1, Instructions: 467COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 54fec6d144475c4ea08456084b30537e0da6470258ef40d7903399c9deb9976e
Instruction ID: 7686273d4499f9dc10ef8508f42d29de8740e557e7cbc4145b892bd877074cc3
Opcode Fuzzy Hash: 54fec6d144475c4ea08456084b30537e0da6470258ef40d7903399c9deb9976e
Instruction Fuzzy Hash: 01F1AF75610316DFDF34AE7889603EA37E3EF55390F86812ECC8A9B158D7328989CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02226DFE, Relevance: 1.7, Strings: 1, Instructions: 447COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 8d31a3722283c57ce506d8c957c7a66ea23463ee472cdce1abe3e303ad512cb6
Instruction ID: 42ef94f7af93ee850e4b1de230ecd82ecf0814a4f5cd5b8a94e21322aa42fd22
Opcode Fuzzy Hash: 8d31a3722283c57ce506d8c957c7a66ea23463ee472cdce1abe3e303ad512cb6
Instruction Fuzzy Hash: FAF16571654359AFEF359E78CEA43DA37A2FF16390F85002DDC8A9B114D3768A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222C84F, Relevance: 1.7, Strings: 1, Instructions: 443COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: 49840bda498fe784c0f33958c13b3d94271e7c05972778ffe8f14a3b39ef945c
Instruction ID: 5573c13da937112d74aed30c750af4f8202e270fa3c1f7cb3d4aa47f3859a20f
Opcode Fuzzy Hash: 49840bda498fe784c0f33958c13b3d94271e7c05972778ffe8f14a3b39ef945c
Instruction Fuzzy Hash: 4DF15C215143D69EDF318A7888A87DB7B925F53270F8AC2ABCCD58F1EBD365414AC702

Uniqueness

Uniqueness Score: -1.00%

Function 02226E50, Relevance: 1.7, Strings: 1, Instructions: 440COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: e29218f5f8b7fb7c81cf295ac906a933041f6f2ecffa3f9810c30ac315794f2c
Instruction ID: 80e112812b284ee0cfc34f4aa9b771d606f9fb50a0ecc31f16d41fb61c4138ab
Opcode Fuzzy Hash: e29218f5f8b7fb7c81cf295ac906a933041f6f2ecffa3f9810c30ac315794f2c
Instruction Fuzzy Hash: 17F15471254359AFEF359E78CEA43DA37A2FF16380F45012DDC8A9B158D3768A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222C8FB, Relevance: 1.7, Strings: 1, Instructions: 408COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: 75a38f7486ef18de9bc496b72adce61d2edf9f9335237795ed6aefed53050acb
Instruction ID: 1c41175b5a8fbeb6d25f44472497c570e8ad7e32383085f6deeb706f87a39a1b
Opcode Fuzzy Hash: 75a38f7486ef18de9bc496b72adce61d2edf9f9335237795ed6aefed53050acb
Instruction Fuzzy Hash: 99E13B215183D65EDF318A7888A87DB7B925F53270F8AC2AACCD58F1EBD365414AC312

Uniqueness

Uniqueness Score: -1.00%

Function 02226EEF, Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 75319e5bf3824978f7ac0dd2cf4a3c38af9232c15c85382ec73702411599f94c
Instruction ID: 48c99d3266ca37869bba5fd51b18b749963642564a3a6f78e91fb68b6fce2540
Opcode Fuzzy Hash: 75319e5bf3824978f7ac0dd2cf4a3c38af9232c15c85382ec73702411599f94c
Instruction Fuzzy Hash: B9E14471654359AFEF359E78CEA43DA37A2FF15390F89412DDC899B118D3328A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02226F9B, Relevance: 1.6, Strings: 1, Instructions: 375COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 88a3f733e47deacb7067fe01af74990442d5c3bee5c9d61e3064855b83ead891
Instruction ID: 771a460cfb98fb969241c54f75af771adad9aac18009a2886d0f15297db3b9fb
Opcode Fuzzy Hash: 88a3f733e47deacb7067fe01af74990442d5c3bee5c9d61e3064855b83ead891
Instruction Fuzzy Hash: 2FD15471614399AFEF359E68CEA43DA3772FF15390F89412DDC899B118D3728A89CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222C993, Relevance: 1.6, Strings: 1, Instructions: 373COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: e7522f993adba53fc055788eb4d56980f34ec965ac690a2206f3f3ee7d498063
Instruction ID: 5ec5e8aff0f375c9307a717ca351a07cfe517fe9246c2f0cb86f7cfb8e3a193b
Opcode Fuzzy Hash: e7522f993adba53fc055788eb4d56980f34ec965ac690a2206f3f3ee7d498063
Instruction Fuzzy Hash: 53D16C205143968EDF31CA7888A87DB7BE25F52360F8AC2ABCCD58F19BD375414AC702

Uniqueness

Uniqueness Score: -1.00%

Function 0222CA3F, Relevance: 1.6, Strings: 1, Instructions: 344COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: 5b52637dac5e6f824e21a2dd718730e4d03d4f7f99096fc9008ae4c1ffad157c
Instruction ID: 8a16e150e3d67952a36b3ea7a3fa34163df722eb920250787ee27a8a83a792a4
Opcode Fuzzy Hash: 5b52637dac5e6f824e21a2dd718730e4d03d4f7f99096fc9008ae4c1ffad157c
Instruction Fuzzy Hash: CAC16B305143969EDF318E7889A43DF7BA29F523A0F89C2ABCCD58F19AD335414AC702

Uniqueness

Uniqueness Score: -1.00%

Function 0222C9FF, Relevance: 1.6, Strings: 1, Instructions: 343COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: be37ef6fbcc8135c0ea3678b3cbf1c2f049846671930e82226890bcb107d9d46
Instruction ID: 54774ba8721bbcea74cd942b89194d0b9f9d475c9568a70240e2c16bde36586f
Opcode Fuzzy Hash: be37ef6fbcc8135c0ea3678b3cbf1c2f049846671930e82226890bcb107d9d46
Instruction Fuzzy Hash: B8C16E205143969ADF31DE7889A43DB7BE25F13360F89C2ABCCD98F19AD375414AC702

Uniqueness

Uniqueness Score: -1.00%

Function 0222705F, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: f4012c4da0568205ef351e5cba8679586ab7e79c77ad9a11f6a0d484e6ec3e03
Instruction ID: 845e2ffd2a8ab689374f92f2fb7f38441ba0df81e1bd88852ccf6e77c63631ec
Opcode Fuzzy Hash: f4012c4da0568205ef351e5cba8679586ab7e79c77ad9a11f6a0d484e6ec3e03
Instruction Fuzzy Hash: B4C14471A14359AFEF359E68CEA43DA3772FF15390F89412DDC899B108D3728A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222CA17, Relevance: 1.6, Strings: 1, Instructions: 336COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: 882f629f52b80b6a3f18641587be49079dd24ea2510d0ec2bf9a579c34150e63
Instruction ID: 96bd741b67d7d7e4f657fed4faee93a1a39d02a0682c2da86ed50a78e27012da
Opcode Fuzzy Hash: 882f629f52b80b6a3f18641587be49079dd24ea2510d0ec2bf9a579c34150e63
Instruction Fuzzy Hash: A4C16C205143969ADF31DE7889A43DB7BE25F13360F89C2ABCCD98F19AD375814AC702

Uniqueness

Uniqueness Score: -1.00%

Function 02227104, Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: d5b3e18fc323b2e887f067d8f772a057b8013f95deb5f724afe0bf9467d87a1c
Instruction ID: 6746b6221e6735dcb8c7d90dca1d0f291d69b53cb06d57c74ef05fbf1f753d54
Opcode Fuzzy Hash: d5b3e18fc323b2e887f067d8f772a057b8013f95deb5f724afe0bf9467d87a1c
Instruction Fuzzy Hash: 93B12271A1434AAFDF359E68CEA47DA3762FF15390F88412DDC899B208D3768A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222CAD5, Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: e96417c071623eb9073f74c812a3d104c0b048429f601a3cbbbfd4ec06ba680b
Instruction ID: f6a5d8a031154a373f76cb01ebe7b89e32efce44e8466f5e789ac86a7dd8ad38
Opcode Fuzzy Hash: e96417c071623eb9073f74c812a3d104c0b048429f601a3cbbbfd4ec06ba680b
Instruction Fuzzy Hash: ECB16C319543968ADF318E7889A43DF7BA29F52360F9981ABCC859F19ED3314146C742

Uniqueness

Uniqueness Score: -1.00%

Function 022271B4, Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: 72c2db12411d35d94e7d71a1b8f8534b65dc0f476cc08cb551606ae34eb566b9
Instruction ID: 0e23157eafb8625b334828f273fed9d10f1bf0bb6bcd524af241639fa9d3e5c4
Opcode Fuzzy Hash: 72c2db12411d35d94e7d71a1b8f8534b65dc0f476cc08cb551606ae34eb566b9
Instruction Fuzzy Hash: DFB1557161434AAFDF359E78CEA47DA3762FF16390F88012DDC899B109D3768A85CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222CB77, Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

)Cq, xrefs: 0222CBA7

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: )Cq
API String ID: 0-3091574488
Opcode ID: c6903d6a36c9a4d84fa105796ebb365a2d7838955eb83823bd7fa51ed542def6
Instruction ID: 9f2ebdb11fd134ac6909bb22075dffcae48344b8d338783e80f8010db1ec696b
Opcode Fuzzy Hash: c6903d6a36c9a4d84fa105796ebb365a2d7838955eb83823bd7fa51ed542def6
Instruction Fuzzy Hash: D9A149709543968ACF35DE7889A43DF7BA2AF523A0F9981ABCC858F19ED3314146C742

Uniqueness

Uniqueness Score: -1.00%

Function 0222DD3F, Relevance: 1.5, Strings: 1, Instructions: 274COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 7a1e7dfcbe5487d0d63141de970f006530892a3fb8c777cb2ebb7177bd80e884
Instruction ID: f91dbe6799a65f6c607172c0900892650e1d0fa4bbd28220b02d479cf86c750c
Opcode Fuzzy Hash: 7a1e7dfcbe5487d0d63141de970f006530892a3fb8c777cb2ebb7177bd80e884
Instruction Fuzzy Hash: DA91CD71A20716DFDF349D78C9A43E637A3AF56390F4A812ACC4A9F258D7329589C701

Uniqueness

Uniqueness Score: -1.00%

Function 0222DD0F, Relevance: 1.5, Strings: 1, Instructions: 272COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 53043dd70395f38a57942e61e33a1457cbc3485606a8aa75bfcc7272d9f864b8
Instruction ID: 31e01174dea772034ced57bf2804495af53ed4b3236b26b82605158809426fb2
Opcode Fuzzy Hash: 53043dd70395f38a57942e61e33a1457cbc3485606a8aa75bfcc7272d9f864b8
Instruction Fuzzy Hash: D291DD71B20716DFDF349D78C9A43E637A3AF56390F4A812ACC4A9F258D7329589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222DD78, Relevance: 1.5, Strings: 1, Instructions: 271COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 6c79bafb63fccc4c19c96c24c3336f5ab50412e5096b801bbdcc102e2b832a0e
Instruction ID: 2cf0ace5325de6d1f2e6f4fc8f1cbf1b23255c1cafc9ea5dc9a1027ee17e1aa3
Opcode Fuzzy Hash: 6c79bafb63fccc4c19c96c24c3336f5ab50412e5096b801bbdcc102e2b832a0e
Instruction Fuzzy Hash: 9591DE71B20716DFDF349D78C8A43E637A3AF56390F4A802ACC4A8F258D7329589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222DDBB, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 3202d9f13e9b8a3657e04e744f21d5ea067da110cc0afe83dc823c5a54312aaa
Instruction ID: fbeaa3a985d5805c95c87878381b627b2a7ebd5b47a2d18aa0a02f9df0c7f14b
Opcode Fuzzy Hash: 3202d9f13e9b8a3657e04e744f21d5ea067da110cc0afe83dc823c5a54312aaa
Instruction Fuzzy Hash: E391DE71A20316DFDF349D78C9A43E637A3BF56390F4A802ACC4A9F258D7329589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222725B, Relevance: 1.5, Strings: 1, Instructions: 260COMMON

Download Yara Rule

Strings

5}T, xrefs: 0222728E

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 5}T
API String ID: 0-837928554
Opcode ID: eddf8392f55fc1a8526d83c56f56a5daf3c47d25923b86a6463a32e715e50101
Instruction ID: 365221b78d7ccf2395833ff39aedc817a91eb1174887c0625e040ac64a99cf83
Opcode Fuzzy Hash: eddf8392f55fc1a8526d83c56f56a5daf3c47d25923b86a6463a32e715e50101
Instruction Fuzzy Hash: 169123B065434AAFEF359E78CEA47DA3762FF15390F84412DDC8A9B148D3768A85CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0222DE43, Relevance: 1.5, Strings: 1, Instructions: 251COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 71be853376c8d6fd02bff3e57217233cd86166984b71cd293a41f72c0867c62e
Instruction ID: 4d1da11195582c4491300c098c328991ec520bd20327a507e7a835825f37085e
Opcode Fuzzy Hash: 71be853376c8d6fd02bff3e57217233cd86166984b71cd293a41f72c0867c62e
Instruction Fuzzy Hash: 4E91CD71A10719DFDF349E78C9A43E637A3BF55390F4A802ACC4A9F258D7329589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222DE80, Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: fbc73760fce92588b9a7db5ad580c27ca34c72077f11d96b186bd2a4c6250875
Instruction ID: e17fcb438ac50aa868c0d44df7763b4ebfa7cc29d46277bee3a8027331f2c02b
Opcode Fuzzy Hash: fbc73760fce92588b9a7db5ad580c27ca34c72077f11d96b186bd2a4c6250875
Instruction Fuzzy Hash: D291CE31A10715DFDF349E78C9A43E637A3BF56350F4A812ACC4A9F258D7329589CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222DE22, Relevance: 1.5, Strings: 1, Instructions: 240COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 83a230cc0f0d2d0c61f29cb8e462be1367c06f765b3b477464f1e97adf120d63
Instruction ID: c80c2fc73af877578a514f4de9c41d2ca94f187e0abbc31d6ecb463cff1d425b
Opcode Fuzzy Hash: 83a230cc0f0d2d0c61f29cb8e462be1367c06f765b3b477464f1e97adf120d63
Instruction Fuzzy Hash: 0881AD71610316DFDF389D78C9A43E637A3AF56390F5A812ACC0A9F258D732D588CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0222DEF2, Relevance: 1.5, Strings: 1, Instructions: 238COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 9d46d9f7015e41f4a6f83574997472d37f3c3785fd4a6fe8b63b11a60ffde30e
Instruction ID: d4080d459c2bde132a8a44feba169782fbdb3b2bc4ed186d95d1ecfc3cba1979
Opcode Fuzzy Hash: 9d46d9f7015e41f4a6f83574997472d37f3c3785fd4a6fe8b63b11a60ffde30e
Instruction Fuzzy Hash: F381BD31A10719DFDF349E78C9A43E637A3AF46390F4A812ACC4A9F258D7329589CB40

Uniqueness

Uniqueness Score: -1.00%

Function 0222DF4F, Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: ad0ebcc89c9fcabca523d90e2af99b2293d73ab454af23ccc008e8097e624d6d
Instruction ID: e6474bfc41a2db36ba9ad9a8fc5ca8e865c0b805f474f83bba60b28a4f1fc88b
Opcode Fuzzy Hash: ad0ebcc89c9fcabca523d90e2af99b2293d73ab454af23ccc008e8097e624d6d
Instruction Fuzzy Hash: E181AB71A1071A9FDF349E78C9A43E637A3AF95390F4A802ACC4A9F258D7329585CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02222BDE, Relevance: 1.5, Strings: 1, Instructions: 224COMMON

Download Yara Rule

Strings

4, xrefs: 02222DFD

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: 27efd40fddf6c5ad053ffa7c8fcff5e91d98b907771aff98b2541475dbe3657f
Instruction ID: 3fbfaab52dd61777ba6d335518228440734efd699bf18208c21cc4ea11a4bc8c
Opcode Fuzzy Hash: 27efd40fddf6c5ad053ffa7c8fcff5e91d98b907771aff98b2541475dbe3657f
Instruction Fuzzy Hash: F37137B1704359DFDB348E28CD917EF37B7AF95360F90412EEC898B258D7768A458A02

Uniqueness

Uniqueness Score: -1.00%

Function 0222DF36, Relevance: 1.5, Strings: 1, Instructions: 218COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 3f0ebe086300e1c9391d938d28aeda84b987bbee2cb35b726a47fa4b2fea0c45
Instruction ID: 68aef9b04cc7933b81d977515fb25ac4a7a263d12d1c085ace0476ee1f750d8c
Opcode Fuzzy Hash: 3f0ebe086300e1c9391d938d28aeda84b987bbee2cb35b726a47fa4b2fea0c45
Instruction Fuzzy Hash: 5371CE71610716DFDF389E78C9A03E637A3AF56350F5A812ACC0A9F258D732D589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02222C1C, Relevance: 1.5, Strings: 1, Instructions: 212COMMON

Download Yara Rule

Strings

4, xrefs: 02222DFD

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: 4
API String ID: 0-4088798008
Opcode ID: d13c8d1ff6e45dc860296892da0e68bda3a2990e89c58468378f23294918ec14
Instruction ID: a70a76975f341eae97eb2b020036b7c27615f4128c3604c1d07ec7f366bde13f
Opcode Fuzzy Hash: d13c8d1ff6e45dc860296892da0e68bda3a2990e89c58468378f23294918ec14
Instruction Fuzzy Hash: CA715871A043999FDB308E28CD957EF37B2AF953A0F90412EEC894B119C7764A858B02

Uniqueness

Uniqueness Score: -1.00%

Function 0222DFE3, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: 60522431ca8e734c2f4c59c9dd0c132ac6f6567f0e5d6c296596800a028c2cee
Instruction ID: b20f76d080bfe393b13707f8454e4719c5e3df4f6a3f53d60780cd6f08b886e6
Opcode Fuzzy Hash: 60522431ca8e734c2f4c59c9dd0c132ac6f6567f0e5d6c296596800a028c2cee
Instruction Fuzzy Hash: 6E71CC31A103199FDF389E78C8A47E737A3BF95350F4A806ACC0A5F258D7329585C741

Uniqueness

Uniqueness Score: -1.00%

Function 0222E097, Relevance: 1.4, Strings: 1, Instructions: 166COMMON

Download Yara Rule

Strings

+', xrefs: 0222E180

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: +'
API String ID: 0-4070297908
Opcode ID: b1565b888cce4fbf705721c8a776e2601fc669aa040cf464ede6749bf7f8f79b
Instruction ID: 8f2898c8304aeac31b01b40cf493cfd97fbbef9afeec16356b46d85228efb8d3
Opcode Fuzzy Hash: b1565b888cce4fbf705721c8a776e2601fc669aa040cf464ede6749bf7f8f79b
Instruction Fuzzy Hash: 89517B32A102199FDF349E74C8A47EA37B3BF89350F5A816ACC0A5F258D7319585CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02223B36, Relevance: .5, Instructions: 511COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b7bc680300132fd7ac6580d9b18161399137d18caef800b7afc51d75bc2f184b
Instruction ID: 63dab786d33fd23fc7716e33ae89455e767dc1998586f0938ee4ebe3681d2027
Opcode Fuzzy Hash: b7bc680300132fd7ac6580d9b18161399137d18caef800b7afc51d75bc2f184b
Instruction Fuzzy Hash: 6A028C75A14316AFDB349E78C9A03EB37A3EF51390F85402EDCCA97148D7318989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 022287F0, Relevance: .4, Instructions: 363COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47d6e60d3564e8dcf48c940a1a423aef662c4391364fde5d7b601b8a79e7d882
Instruction ID: ac3ccd463563176258c49a856069293542b83ceeda22bb63fb6aa746130029da
Opcode Fuzzy Hash: 47d6e60d3564e8dcf48c940a1a423aef662c4391364fde5d7b601b8a79e7d882
Instruction Fuzzy Hash: D1C15A75A2035A9FDB20AE74C9643EF37A3AF51390FC5812DCC865B149D7358989CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02223B8D, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08977e7f172a7970cf0a68a142f059b173ce4374a92ef4981b438c28079655e
Instruction ID: 378503a5cc7780aa2eae0b59d5646c8068f6f2087ffb6bf94574e23b625d239f
Opcode Fuzzy Hash: d08977e7f172a7970cf0a68a142f059b173ce4374a92ef4981b438c28079655e
Instruction Fuzzy Hash: 94A15C36A2435A9FDF34CE78C8A47EA37B2AF45390F84406DDC898B259D7318A85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222B791, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04442e8edc3ab93ef0af1aebffb3c853aad36f61625ef76681b012ebb76ad133
Instruction ID: 90b455a9e5ce1f6d113b404e2b1f7a552c3deda4c5871da5eb0e5407e9445bed
Opcode Fuzzy Hash: 04442e8edc3ab93ef0af1aebffb3c853aad36f61625ef76681b012ebb76ad133
Instruction Fuzzy Hash: FA817D75A20326AFDB246E7889603EE37A3DF51390FD6412ECCC697148D77649CDC642

Uniqueness

Uniqueness Score: -1.00%

Function 02227B0E, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3029376854a203af979890779b225ab7131dbd0e1ce849aea7ee5aa4c2887c1b
Instruction ID: 5c09bfc4570d8f3bff1999562f7b29d7eb973c7c3b5653eae29d00acb4e14efa
Opcode Fuzzy Hash: 3029376854a203af979890779b225ab7131dbd0e1ce849aea7ee5aa4c2887c1b
Instruction Fuzzy Hash: 70817C75A10326AFDB246E7489703EB37A3AF51390FD6812ECCC697148D73649CDC642

Uniqueness

Uniqueness Score: -1.00%

Function 02223C37, Relevance: .3, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 430b8869b8cd2f878dcf937253d6eca8c168daa8ad0f35577507c51f89437a5f
Instruction ID: bbde5c27038de6c6e9dd1f2e120306c12959470eaaea7686638d67d2ec85e93c
Opcode Fuzzy Hash: 430b8869b8cd2f878dcf937253d6eca8c168daa8ad0f35577507c51f89437a5f
Instruction Fuzzy Hash: A4913B76A2435A9FDF34DE78C8A47EE37B2AF45390F84405DEC898B248D7318685C705

Uniqueness

Uniqueness Score: -1.00%

Function 0222BC08, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a6559de2f5ca4dc244cfc50740818ce86fe3c2a844c82bdb623789b12ed1264
Instruction ID: 166a82c2587d3fbde0a528d9579dd963f0cdba18010db88efe4cdcf7beea6763
Opcode Fuzzy Hash: 1a6559de2f5ca4dc244cfc50740818ce86fe3c2a844c82bdb623789b12ed1264
Instruction Fuzzy Hash: 94819A72A503569FDB305EA889A53EB77A3AF123A0F96412BCCC557108D33659C9CB83

Uniqueness

Uniqueness Score: -1.00%

Function 0222EA01, Relevance: .2, Instructions: 246COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 906b1df1ba7bfad0db92de8d1b863314babc4c5d3df0918f23e7323367949500
Instruction ID: 0009684e9f44f3cf75304bf7bc4cdae309cfa06403af18a799bd2a819e96d352
Opcode Fuzzy Hash: 906b1df1ba7bfad0db92de8d1b863314babc4c5d3df0918f23e7323367949500
Instruction Fuzzy Hash: 63818D74A10316AFDB246E7489643EB77B3EF51390FC6412ECCC697098D77589C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 0222CC1F, Relevance: .2, Instructions: 244COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84836776fa8daf334745a0d9ea0377380ba6a0e04fdade06098fb36c289c0123
Instruction ID: 6bb6a51123df8c626a86257026c7e1368e8f140ced317b223ca0a242aea49552
Opcode Fuzzy Hash: 84836776fa8daf334745a0d9ea0377380ba6a0e04fdade06098fb36c289c0123
Instruction Fuzzy Hash: FB816E709543969ACF35CE7889A43DF7BA2AF523A0F95C1ABCC858F19ED3314146C742

Uniqueness

Uniqueness Score: -1.00%

Function 0222EC92, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fe8be5c1cdcc0417cedbb12ddcb03d4603d8735cae9675a2210ceb57767096b
Instruction ID: 41da5122f34989453e053a689cf6f70e86b7fce64e191482f9cb85ef78de6a8a
Opcode Fuzzy Hash: 6fe8be5c1cdcc0417cedbb12ddcb03d4603d8735cae9675a2210ceb57767096b
Instruction Fuzzy Hash: 5E61D1328285A69EE706C62CE8591DDBFA2FA8362131602DDD481DF12FC353599ED781

Uniqueness

Uniqueness Score: -1.00%

Function 02220A77, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ef2d7591aed7a3ebdd4c6d8dbff31b445dcd7dba2dd433f8caedc84c3f8c974
Instruction ID: a620cb93c5de4acbd0bdd4b249aae8db5103d5b737628535b6cf3d0180761de2
Opcode Fuzzy Hash: 5ef2d7591aed7a3ebdd4c6d8dbff31b445dcd7dba2dd433f8caedc84c3f8c974
Instruction Fuzzy Hash: 6B712775A1032A9FDB246E7885643EB77A3AF91390F86812DCCC667058D73549C9CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02223D33, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c734aa1d8ee62514729bc0eb40546f5234d6cccec1f88efb4dca1b332c4bee05
Instruction ID: c7a920eddb72c13c3fb5a5628f15a7806c08912457e4c0b77052cd31c80d1113
Opcode Fuzzy Hash: c734aa1d8ee62514729bc0eb40546f5234d6cccec1f88efb4dca1b332c4bee05
Instruction Fuzzy Hash: 42714B76A2435AAFDF34DE78C8A47EE37A2BF45360F85401EDD898B249D7318589CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0222BDFC, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4a18d73296e0adff9bdf965b640565666e4db7c71c008715566270f71c1e540
Instruction ID: 780490d44466e89bfa42787d5b9ccf8c56901afc673699ed72e141aee923cfbf
Opcode Fuzzy Hash: f4a18d73296e0adff9bdf965b640565666e4db7c71c008715566270f71c1e540
Instruction Fuzzy Hash: 6D716775A503569FDF309EA8C9A53EE77A2EF513A0F82412ECCC15B109D3365A86CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0222BF51, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 117c9862291b2d235adb01be3ce259abf25f6d1382f62a21526a1edf3321241b
Instruction ID: b38ad2b994c75e72f0aa47cdc68d128ea00ea8bb8da8471538403773c7cabd70
Opcode Fuzzy Hash: 117c9862291b2d235adb01be3ce259abf25f6d1382f62a21526a1edf3321241b
Instruction Fuzzy Hash: F3715875A503569FDF309EA8C9A53EE77A2EF513A0F92012ECCC15B109D3365A86CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0222BD42, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1594dc7aff9ac549452d26a34331cde3e2c9f565b03c8ef10a721bb48d83bdeb
Instruction ID: f3e218decfdf6ae53455e7234bb7df4bff705b3f64a807dabe6facf2c2c0c943
Opcode Fuzzy Hash: 1594dc7aff9ac549452d26a34331cde3e2c9f565b03c8ef10a721bb48d83bdeb
Instruction Fuzzy Hash: B0715875A503569FDB309EA8C9A53EE77A2AF513A0F92012ECCC15B109D3365A85CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0222BCB6, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 041d936a81d49be7235e46b08ac480ee08526f016241d89f43e1e15b00fb6700
Instruction ID: e17321fda1223d2bb9ba08bc804f1d9b832fa89df1344a19c94c30cd5d743b69
Opcode Fuzzy Hash: 041d936a81d49be7235e46b08ac480ee08526f016241d89f43e1e15b00fb6700
Instruction Fuzzy Hash: 28616875A503569FDB309EA8C9E53EE77A2EF513A0F92012ECCC157109D3365AC5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02223CF6, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0199228e361e7f0b7c36e36ef664a7878f9df7782279c770c5a8cdf4ca8eea36
Instruction ID: 708db39bf7d6e4bcda4feb9c58d98fb4c55066332f6a4872c993ae183fa7b1c0
Opcode Fuzzy Hash: 0199228e361e7f0b7c36e36ef664a7878f9df7782279c770c5a8cdf4ca8eea36
Instruction Fuzzy Hash: 63713B76A2435AAFDF349E78C8A47EE37A3BF45360F85401EDD898B248D7318A85C701

Uniqueness

Uniqueness Score: -1.00%

Function 02223D43, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a687cc68051f6e787354cde47f500442273e10040dba67a78a343c5a55a71841
Instruction ID: 967d108474fa01a03e69467f2464047fa7c0761e199cf3614f380023bb8d9434
Opcode Fuzzy Hash: a687cc68051f6e787354cde47f500442273e10040dba67a78a343c5a55a71841
Instruction Fuzzy Hash: 65712C76A2435AAFDF349E78C8A47EA37A2AF45350F85401DED89CB248D731C689C701

Uniqueness

Uniqueness Score: -1.00%

Function 0222BE97, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 685fd94129cd54d2eac2c0d0e1ff9b0562e952086c9e3e4e0a8d3856af996cad
Instruction ID: 40e9fa8b368b40179d76e213dd09adfca8e4276612d5093a4646dccb0b4ccfd8
Opcode Fuzzy Hash: 685fd94129cd54d2eac2c0d0e1ff9b0562e952086c9e3e4e0a8d3856af996cad
Instruction Fuzzy Hash: 05616775A503569FDF309EA8C9A53EE77A2AF513A0F92012ECCC15B109D3365A86CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0222C010, Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9a1631a757167759dc9a562316a7548fb44b37b53e2e5cb1a0e134bb9841520
Instruction ID: 9f87627d3ed2c71391a5d2324927d3a74fbffe35d9be6182f95c7b2b2328bf1b
Opcode Fuzzy Hash: d9a1631a757167759dc9a562316a7548fb44b37b53e2e5cb1a0e134bb9841520
Instruction Fuzzy Hash: 0C616775A50356AFDB309EA8C9A53EE77A2AF413A0F92012ECCC557109D3365AC6CB43

Uniqueness

Uniqueness Score: -1.00%

Function 0222CCCB, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94d73a25821d93b950e8ca959844e47a647031e21439884e0c0a3d10cb571e38
Instruction ID: b44afb72cbe3e87fb83cf7547b662bf14fcfe6b1ab61ceb462d90be609142606
Opcode Fuzzy Hash: 94d73a25821d93b950e8ca959844e47a647031e21439884e0c0a3d10cb571e38
Instruction Fuzzy Hash: C5715D709543968ACF35CE7889A43EF7BA2AF423A0F96C1ABCC868F19DD3314145C752

Uniqueness

Uniqueness Score: -1.00%

Function 02220A71, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e639f54ae198875cc25a4a570d4d2bb26caba483515f55644353d00a5f1ed9a
Instruction ID: 52987f9df34080d22c5edfdffbd552f5c08fd75d720aa7e783b8743de31b43a7
Opcode Fuzzy Hash: 9e639f54ae198875cc25a4a570d4d2bb26caba483515f55644353d00a5f1ed9a
Instruction Fuzzy Hash: 1F615C74A14326AFDB246E7885603EB77B3EF61390FC6412ECCC6A7058D73649C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 02220AB2, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eabb4468bcec9557599542216a0c9e271e78493bd0408e310ef2c5bd780d33a
Instruction ID: 0c142086024b232ef82a50a83fd71189859c899a1f0f8b229cd3d10ee9fb0136
Opcode Fuzzy Hash: 4eabb4468bcec9557599542216a0c9e271e78493bd0408e310ef2c5bd780d33a
Instruction Fuzzy Hash: 7E616A74A103269FDB246E788A603EB77A3EF51390FC6412ECCC697158D73589C9CA42

Uniqueness

Uniqueness Score: -1.00%

Function 0222CD55, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd6f3948c8e669c225bf0bc130d30b2c5437a0763218d121068ac6a4502d7392
Instruction ID: a4e9c346025168346fd38863d9f4486d9687057462f0da542802ba709f9682d0
Opcode Fuzzy Hash: dd6f3948c8e669c225bf0bc130d30b2c5437a0763218d121068ac6a4502d7392
Instruction Fuzzy Hash: 67717E709143958ECF35CE7489A43DF7BA2AF42360F99C1ABCC868F199D3314145C752

Uniqueness

Uniqueness Score: -1.00%

Function 02220B2C, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68821a68525cac64c81a4f56db92d0d6148e965574e017921106625bc87fc91
Instruction ID: b0fbe9f49911972916557e5f677a661e8af1d998b3a3dece8b696e3b65601027
Opcode Fuzzy Hash: d68821a68525cac64c81a4f56db92d0d6148e965574e017921106625bc87fc91
Instruction Fuzzy Hash: F7515735A1432A9FDB246E7885643EB77A3EF91390F8A812ECCC6A7058D73149C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 0222CCFF, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11b1bfc0d25919ff6e2f077ff4700bfdd5e3d9d269a648f276d949e85bf81ec
Instruction ID: 7c96ea0460066e41084bc0cd69bbf48e6ac9314d79f171a9f76a2c7057382b50
Opcode Fuzzy Hash: b11b1bfc0d25919ff6e2f077ff4700bfdd5e3d9d269a648f276d949e85bf81ec
Instruction Fuzzy Hash: A7618B745503968ACF35DE7889A43EF7BA29F023A0F96827BCC868F19DD3324149C712

Uniqueness

Uniqueness Score: -1.00%

Function 02223DC9, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ebdb1eb4c93a988fca631a908fb107247cb75321df077048b6e8b247c66bebf
Instruction ID: 42772197eeb18bcd747b507bf0712669a37ca919fe16e791425a24948bd2916c
Opcode Fuzzy Hash: 0ebdb1eb4c93a988fca631a908fb107247cb75321df077048b6e8b247c66bebf
Instruction Fuzzy Hash: 28513A72A2435A9FDF349E78C8A47EE37B3AF45350F85441EDC898B254D7318985CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02223E26, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be796d0eb4b8b0dbdaaef12f41cae7402ae747711b48c7c4bf5c6db8cd632b66
Instruction ID: 91e5199ee9b147a0331f69d0c0cd031def49abe23fa9381a20ca03612fd9dd0f
Opcode Fuzzy Hash: be796d0eb4b8b0dbdaaef12f41cae7402ae747711b48c7c4bf5c6db8cd632b66
Instruction Fuzzy Hash: 27514D72A2435AAFDF349E78C8A07EE37B2AF45350F84441EDD898B255D771C689CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0222CE00, Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e20fd457a73ebd2d2057459e5919a14f08d4fd07a2a6faf328c4d99fe2950c
Instruction ID: fdc107a5b065cdb2f691abdfe9be53e21dd57f72708d47e3fd15e851783447e6
Opcode Fuzzy Hash: 90e20fd457a73ebd2d2057459e5919a14f08d4fd07a2a6faf328c4d99fe2950c
Instruction Fuzzy Hash: 4C517B709103968ECF35DE7889A43EF77B2AF563A0F95C16BCC868F15AD33141458742

Uniqueness

Uniqueness Score: -1.00%

Function 02223DB6, Relevance: .2, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d5aec9211073c6754d062c7c8302b55b671af74f165e081598c2687037159e3
Instruction ID: b4e4346cf56cacb873b0b5db2c5871647b1f378156867f3137aecab78b861b74
Opcode Fuzzy Hash: 6d5aec9211073c6754d062c7c8302b55b671af74f165e081598c2687037159e3
Instruction Fuzzy Hash: E8514E7662435AAFDF349E7888A17EA37B2BF45350F85001EDD89CB154D7718689CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02223E36, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ac287a1824f747a073f816b9534ceb7dc95cc0b51f29828216e004999715d5a
Instruction ID: c56b60a9134421db9c5cbb23a6af612c186db5425e9f02e046e969236159c1d8
Opcode Fuzzy Hash: 2ac287a1824f747a073f816b9534ceb7dc95cc0b51f29828216e004999715d5a
Instruction Fuzzy Hash: 8F515F7662835AAFDF349E78C8A17EE37B2AF45350F84041EDD89CB254D7718689CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02220BC2, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fe676ab2b80fbe4f67d79e83ad3c3ac28cf52a0ca1bc5150bfb133b635e632
Instruction ID: bf72b6daeb11d461e0ddf63dab05b6c70c7082e345c0e26e823b24e0d87c7094
Opcode Fuzzy Hash: a0fe676ab2b80fbe4f67d79e83ad3c3ac28cf52a0ca1bc5150bfb133b635e632
Instruction Fuzzy Hash: 30513834A1435A9FDB246E7885603EF37A3EF513A0F99802ECCC6A7198D73549C9C742

Uniqueness

Uniqueness Score: -1.00%

Function 0222D1B1, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 390fa4a9e4a51e479e68907dad31f9fe90ef5bf749c4308b517b9417fed6417d
Instruction ID: e37993e6bbfef32acbbfd1daa4ab345a129986e6855e9d743f52b1fa48046304
Opcode Fuzzy Hash: 390fa4a9e4a51e479e68907dad31f9fe90ef5bf749c4308b517b9417fed6417d
Instruction Fuzzy Hash: 04516C31A153959FDF348DB8C5A83EF3B63AF52370F54416ACC868B159D3768485CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02223EB5, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd14093ab7bd48c81c4a827c33dd56cfc77b173618bb55e9e300c1f00d61ad0e
Instruction ID: 315e63a633297120dc0c6ef9dbd95bd20834097062d784e8047237dfcb8a5ffa
Opcode Fuzzy Hash: bd14093ab7bd48c81c4a827c33dd56cfc77b173618bb55e9e300c1f00d61ad0e
Instruction Fuzzy Hash: 0E414632E2435A9FDB309E7888A07EA37A3AF453A0F89445EDCC58B159D7318586CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0222CE96, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c00d9d3f8720192e3f9cfbc623007379d5fa78b6e0712ff306ed203b212407be
Instruction ID: 8616340ec50024d7eef8c1a9041927d65d4599a7c73fb9c08b9e65776595c10b
Opcode Fuzzy Hash: c00d9d3f8720192e3f9cfbc623007379d5fa78b6e0712ff306ed203b212407be
Instruction Fuzzy Hash: E341897496034A8BDF34DE7889A43EF37B2AF513A0F95C06ACC869F15ED33181898702

Uniqueness

Uniqueness Score: -1.00%

Function 0222B846, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3343772f00d07aed74f81aec3bcab9104ea54afdb96b9cfd26f2aa9c8421cab
Instruction ID: a89ec3628ab5c4e37bfc34a86e72f9026f91e154a7b5304446f4909dc83b5fbb
Opcode Fuzzy Hash: e3343772f00d07aed74f81aec3bcab9104ea54afdb96b9cfd26f2aa9c8421cab
Instruction Fuzzy Hash: 4A417934A2576ADEDF309EB489447DD33A39F45710F90813BDC59CBA48DB368688CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02220C4A, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26513cc3b758ce546b28202420d9c3ead6db484302b92a5e7180d379a349d95a
Instruction ID: 5a822b7e69d5bef1f7e8d8965a745cc407af2829bfa52b25d8177b194f0c210f
Opcode Fuzzy Hash: 26513cc3b758ce546b28202420d9c3ead6db484302b92a5e7180d379a349d95a
Instruction Fuzzy Hash: 9E416834614366AFCB146E7889603EE37B3EF91390FD6412DCCC6A7589C731898DC642

Uniqueness

Uniqueness Score: -1.00%

Function 0222D25D, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e22a89b97174899e72a702d579ad17cfef238f43a869af5acca7d43548279f27
Instruction ID: 4b6c69d79266c3b9ce00640ea29963824a61f3c07dca15d99d26412f420db3ad
Opcode Fuzzy Hash: e22a89b97174899e72a702d579ad17cfef238f43a869af5acca7d43548279f27
Instruction Fuzzy Hash: B8416831E147959EDF348EB8C5A83EF7B62AF52370F58816ECC864B189C3754485CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0222305E, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dafb49459914210d054a355abde3211dc7dd6316eeb711180afea6b99f19f2c9
Instruction ID: 20ed5868fd31d699202b93c71d0f85cd4c9b38bd44e8b37b3571d491d97d0357
Opcode Fuzzy Hash: dafb49459914210d054a355abde3211dc7dd6316eeb711180afea6b99f19f2c9
Instruction Fuzzy Hash: 0F412532A183589FDF749F6488917DE7BA3AF51780F96001EDCCAA7244C735498ACB47

Uniqueness

Uniqueness Score: -1.00%

Function 022230B9, Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a413935d538bdf2b6aa9e20dd0bd233a11b381a2dd399d76187bbd5e48af4464
Instruction ID: ad93fcc5a1f14be0293e4d854b03e684aa6f304137c3c4785db592f3505ed57d
Opcode Fuzzy Hash: a413935d538bdf2b6aa9e20dd0bd233a11b381a2dd399d76187bbd5e48af4464
Instruction Fuzzy Hash: 28412232A292589FCF349EB488957EE3BA3AF51380F8A005EDCC59B155C73509CACB47

Uniqueness

Uniqueness Score: -1.00%

Function 0222C45F, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d3b1f4c3870241cb5b44558a09a87935e52a98fd137f4a820c8357c2500432a7
Instruction ID: 4b0881af0bde62cc594d49f09ec0a6965e61b536a735658956970d68f8eba26c
Opcode Fuzzy Hash: d3b1f4c3870241cb5b44558a09a87935e52a98fd137f4a820c8357c2500432a7
Instruction Fuzzy Hash: 5331C370A152498EDF789E78C9A93FF37A2BF51360F4A406FDC869B015C7200085C706

Uniqueness

Uniqueness Score: -1.00%

Function 0222D2FF, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff3c6700c9aee03624b8ffa68bfdc9803ae3c5f3b6d89d05863adc598fd2bc03
Instruction ID: 823fc701907eba030b85c6def4c85c3207b85b47546b82e7cb5ae1750c8ece02
Opcode Fuzzy Hash: ff3c6700c9aee03624b8ffa68bfdc9803ae3c5f3b6d89d05863adc598fd2bc03
Instruction Fuzzy Hash: 2C313431E257899EDF318A74C5A83EF7B52BF523B0F5981AACC864B19987390085CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02223F6F, Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cacd947554927c4aac5a02ca7a653588e254ebd18dab9d4052f0063345e1e85
Instruction ID: 2574d02c074dfd05dc32bd236f3def80fb6c9d84bbdcc5ba854e241ff41078d9
Opcode Fuzzy Hash: 8cacd947554927c4aac5a02ca7a653588e254ebd18dab9d4052f0063345e1e85
Instruction Fuzzy Hash: 76316776A683069FDF746E7888A17DA33A3AF51390F85091EDCC987598D3708685CB03

Uniqueness

Uniqueness Score: -1.00%

Function 0222CF8C, Relevance: .1, Instructions: 80COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a17c9140c1ae33bc93a8fd2e6eb3dd9699527f82f2cb426d618ae1f5ebd5fcc
Instruction ID: 1f069df8b90adf6546fa0652096349430b2f4b4c06da8ab83913d7d27862d2a9
Opcode Fuzzy Hash: 2a17c9140c1ae33bc93a8fd2e6eb3dd9699527f82f2cb426d618ae1f5ebd5fcc
Instruction Fuzzy Hash: 33314774410346CBCF34DE6489957DF73B1AF51380F55C12ACC5AEB16ED33282498A16

Uniqueness

Uniqueness Score: -1.00%

Function 0222C453, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 891b981537720dd6e3991a63fa621c088a97619f3d009516e49d2c0248015f03
Instruction ID: bbcb9d783dd87dccb93674c453fdaf9e75f0db0ac501897f66aa8b24a28f4bd8
Opcode Fuzzy Hash: 891b981537720dd6e3991a63fa621c088a97619f3d009516e49d2c0248015f03
Instruction Fuzzy Hash: CB21F17461931ACFEF7C9EB489B93FE37A2AF52210F86402FDC8B97054C7214588CA06

Uniqueness

Uniqueness Score: -1.00%

Function 02227EAB, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df3953c54b9e598ada7369b13afd2db4b25c4803b8efa801c5263c0f7fcc449
Instruction ID: f2f548468fe86fb18059b23fcab376ab464d54a55c17891ed4daf9b2e95ee3a5
Opcode Fuzzy Hash: 0df3953c54b9e598ada7369b13afd2db4b25c4803b8efa801c5263c0f7fcc449
Instruction Fuzzy Hash: ED21237160C309DFEB289E7496E57EB7BB2AF91380F46452EDCCA67148D7710884C682

Uniqueness

Uniqueness Score: -1.00%

Function 0222D3A8, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beca5161b0f5525ffa027564b6a3b219e89ae3efb796a5b0b78aab5d83ead59b
Instruction ID: dd1503bced166d378d05ca92603baf2881d766cf7208cd9f7f08cf1ec73f434b
Opcode Fuzzy Hash: beca5161b0f5525ffa027564b6a3b219e89ae3efb796a5b0b78aab5d83ead59b
Instruction Fuzzy Hash: FA21F631E257894FDF319A7884AC3DFBB62AF52370F6986DEC8D54B09AC7244086C706

Uniqueness

Uniqueness Score: -1.00%

Function 0222B2B6, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce8060b3d21516958254f0891cea70dd9ab359cd4f2ad3e840c92c4e290256f
Instruction ID: 325161303eff0b652bb21b69c95ca67a5a298153ca5ff8ce2be7018393108c30
Opcode Fuzzy Hash: 3ce8060b3d21516958254f0891cea70dd9ab359cd4f2ad3e840c92c4e290256f
Instruction Fuzzy Hash: FD11CE3572539ADFCB30CF54CA88BDA77B1AF69314F05802ADC099F328C3719A44CA56

Uniqueness

Uniqueness Score: -1.00%

Function 0222D3A4, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dfef7eccc660e0255deefecf16de32e5693983a191410282289c16223f999381
Instruction ID: 6a993b1a8e2a45d5054a0f53aa447211a01a450345452ca0e27835659ed74755
Opcode Fuzzy Hash: dfef7eccc660e0255deefecf16de32e5693983a191410282289c16223f999381
Instruction Fuzzy Hash: D4014835A147859FDF715A7884A83DEBA52AF03230F64436E8CDA46099D36540CAC612

Uniqueness

Uniqueness Score: -1.00%

Function 02227C90, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 814e6c2e9c65135c7e15724eabc666dfb6c3c1334c1d6696ad7140e51798c39b
Instruction ID: 897d5839386d813881e3d0a2c61549569c926647b8189f153a7f0d9462db8f1c
Opcode Fuzzy Hash: 814e6c2e9c65135c7e15724eabc666dfb6c3c1334c1d6696ad7140e51798c39b
Instruction Fuzzy Hash: 11C08C773402808FF300CE04D0C1B8033E6FB11A80FD40490E002CB351C31CEC40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0222AA71, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1187236932.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD05, Relevance: 46.8, APIs: 31, Instructions: 287COMMON

Download Yara Rule

APIs

#527.MSVBVM60(00409D9C), ref: 0042D354
__vbaStrMove.MSVBVM60 ref: 0042D35F
__vbaStrCmp.MSVBVM60(00409DA4,00000000), ref: 0042D36B
__vbaFreeStr.MSVBVM60 ref: 0042D37E
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042D39F
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042D3CA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,000000B8), ref: 0042D3F8
__vbaFreeObj.MSVBVM60 ref: 0042D3FD
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042D415
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042D43A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000110), ref: 0042D460
__vbaStrMove.MSVBVM60 ref: 0042D46B
__vbaFreeObj.MSVBVM60 ref: 0042D474
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042D48D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D4AC
__vbaFreeStr.MSVBVM60(0042D6A3), ref: 0042D69C

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#527
String ID:
API String ID: 487870899-0
Opcode ID: fbb017bda8f357f829c28af835974d4f64e789195ea80360dffeb1476b58bb64
Instruction ID: 14a71a2fae43ec80ead1f6ca01ed03be4ae6fbf0c2417186dd14edb7adbaea4e
Opcode Fuzzy Hash: fbb017bda8f357f829c28af835974d4f64e789195ea80360dffeb1476b58bb64
Instruction Fuzzy Hash: 23A18E75A40218ABCB14DFA5DD48FEEB7B8FF48700F10802AF545B72A4DA789905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0042E000, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042E06B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042E084
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409998,00000150), ref: 0042E0B1
__vbaStrToAnsi.MSVBVM60(?,?,008039A4), ref: 0042E0C8
__vbaSetSystemError.MSVBVM60(003989DE,00000000), ref: 0042E0DC
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042E0FE
__vbaFreeObj.MSVBVM60 ref: 0042E10A
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0042E133
__vbaStrMove.MSVBVM60 ref: 0042E13E
__vbaFreeVar.MSVBVM60 ref: 0042E14D
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042E162
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042E187
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000118), ref: 0042E1AD
__vbaI2I4.MSVBVM60 ref: 0042E1B2
__vbaFreeObj.MSVBVM60 ref: 0042E1BB
__vbaVarDup.MSVBVM60 ref: 0042E1D5
#666.MSVBVM60(?,00000002), ref: 0042E1E3
__vbaVarMove.MSVBVM60 ref: 0042E1EF
__vbaFreeVar.MSVBVM60 ref: 0042E1F8
__vbaFreeVar.MSVBVM60(0042E24B), ref: 0042E23B
__vbaFreeStr.MSVBVM60 ref: 0042E244

Strings

HENRIVENDE, xrefs: 0042E1C7
zS, xrefs: 0042E1FA

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#666#702AnsiErrorListSystem
String ID: HENRIVENDE$zS
API String ID: 309366762-2729703279
Opcode ID: e395d39e8ef67e93add44e61c9daa9431378031ad5af46853227d218db6ca622
Instruction ID: 7e45d74ae4498e9b9519bc54fa4310a97ea21067498bc3d34e76067c2ac92694
Opcode Fuzzy Hash: e395d39e8ef67e93add44e61c9daa9431378031ad5af46853227d218db6ca622
Instruction Fuzzy Hash: 62517971900219EBCB04DFA5DD88EDEBBB8FF48705F10412AF516B72A0DB785945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042D880, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 127COMMON

Download Yara Rule

APIs

__vbaCyStr.MSVBVM60(00409AE4,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D8C8
__vbaFpCmpCy.MSVBVM60(00000000), ref: 0042D8D6
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042D8F6
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042D921
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000130), ref: 0042D94F
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D960
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042D965
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042D97E
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042D9A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,000000D0), ref: 0042D9C9
__vbaStrMove.MSVBVM60 ref: 0042D9D8
__vbaFreeObj.MSVBVM60 ref: 0042D9DD
#531.MSVBVM60(kantatens), ref: 0042D9E8
__vbaFreeStr.MSVBVM60(0042DA1A), ref: 0042DA12
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042DA17

Strings

kantatens, xrefs: 0042D9E3

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$MoveNew2$#531
String ID: kantatens
API String ID: 1829431787-1394988495
Opcode ID: 8ca27c1585515ba90080f376a30a52e676a7577b906d5d8bc9b6eb5398b22469
Instruction ID: a1526c568ac6dcfa32d65b0dec8755816bcecbfaaf88af05bd4abc7ac18fbe29
Opcode Fuzzy Hash: 8ca27c1585515ba90080f376a30a52e676a7577b906d5d8bc9b6eb5398b22469
Instruction Fuzzy Hash: 9D413171A00219ABCB04DF95DD89EDEBBB8FF48704F10406AF541B72A1D7789945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425780, Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004257E9
#515.MSVBVM60(?,?,00000002), ref: 00425806
__vbaVarTstNe.MSVBVM60(?,?), ref: 00425822
__vbaFreeVar.MSVBVM60 ref: 0042582E
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042585F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425878
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A8C,000000C0), ref: 004258A2
__vbaLateMemCall.MSVBVM60(?,bJwKrGImpGgg9mRQCArwzZIt8,00000003), ref: 00425911
__vbaFreeObj.MSVBVM60 ref: 0042591D
__vbaFreeObj.MSVBVM60(00425961), ref: 00425951
__vbaFreeStr.MSVBVM60 ref: 0042595A

Strings

Kricketbold2, xrefs: 0042584E
var, xrefs: 004257BA
bJwKrGImpGgg9mRQCArwzZIt8, xrefs: 00425908

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#515CallCheckCopyHresultLateNew2
String ID: Kricketbold2$bJwKrGImpGgg9mRQCArwzZIt8$var
API String ID: 3144308283-2350849782
Opcode ID: c931b629f424bef2af2f8e8de9d89ffb047e394e30194dacd80ed27067718ba0
Instruction ID: 1b9abb197d1f43649793e63d0f8f314111d99fb9c2aa8227e104d5cfc277b1f3
Opcode Fuzzy Hash: c931b629f424bef2af2f8e8de9d89ffb047e394e30194dacd80ed27067718ba0
Instruction Fuzzy Hash: 0F5138B4D00218DFCB04DF98DA48A9EFBB8FF48700F10816AE549B7290D7785A45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042DD20, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 140COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0042DD7B
__vbaLenBstrB.MSVBVM60(00409DD4), ref: 0042DD86
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0042DDCF
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0042DDE5
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 0042DE01
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 0042DE26
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,000000C8), ref: 0042DE53
__vbaFreeObj.MSVBVM60 ref: 0042DE5C
__vbaVarDup.MSVBVM60 ref: 0042DE88
#595.MSVBVM60(?,00000000,?,?,?), ref: 0042DEA0
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0042DEB8
__vbaFreeStr.MSVBVM60(0042DEF8), ref: 0042DEF1

Strings

hjrekant, xrefs: 0042DE7A

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultList$#595#680BstrCopyNew2
String ID: hjrekant
API String ID: 4058102471-1475739938
Opcode ID: d57a40ba6d4205c40034d7dedcc54633928b3449dd2d2c6e3de628f3abfe80c7
Instruction ID: 66e50bd8efda03fd5eeca248d11d387e2d2c3ef6f4e54e4c84995b5b3cf5f7d1
Opcode Fuzzy Hash: d57a40ba6d4205c40034d7dedcc54633928b3449dd2d2c6e3de628f3abfe80c7
Instruction Fuzzy Hash: 3451F3B1D00219ABDB10DF98D889ADEBFB8FF58700F10412AF505BB265D7B45585CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042DB70, Relevance: 22.6, APIs: 15, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042DBC5
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042DBCD
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042DBE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DC01
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B34,000001C8), ref: 0042DC20
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042DC29
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042DC42
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DC5B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409DC0,00000100), ref: 0042DC7E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042DC8E
__vbaI4Var.MSVBVM60(00000000), ref: 0042DC98
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042DCAB
__vbaFreeVar.MSVBVM60 ref: 0042DCB7
__vbaFreeStr.MSVBVM60(0042DCF2), ref: 0042DCEA
__vbaFreeStr.MSVBVM60 ref: 0042DCEF

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2$CallLateList
String ID:
API String ID: 244069345-0
Opcode ID: 6a42a6992834842b2067c28bff929ef73f8a9baf4c13c14082d07ee7b91ca232
Instruction ID: 2f82123779a5b853257a1f312b98e86c0d3e932c0296710310ea1305478d02e5
Opcode Fuzzy Hash: 6a42a6992834842b2067c28bff929ef73f8a9baf4c13c14082d07ee7b91ca232
Instruction Fuzzy Hash: F9412EB5D00218ABCB04DF95DD88EDEBBB8FB48304F10442AF555F7264D6786945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425990, Relevance: 19.6, APIs: 13, Instructions: 113COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004259E5
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004259ED
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 00425A01
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,00000014), ref: 00425A2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409AD0,00000118), ref: 00425A5A
__vbaI2I4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425A5F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425A68
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 00425A81
__vbaObjSet.MSVBVM60(?,00000000), ref: 00425A9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A8C,000000C8), ref: 00425AC1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425ACC
__vbaFreeStr.MSVBVM60(00425AF4), ref: 00425AEC
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425AF1

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2
String ID:
API String ID: 336985134-0
Opcode ID: 055b3dd573d30a35f67603ec61f541ef51758a56867364abbcfc7526678079c2
Instruction ID: bc7ee395adfe0d158ce374556251d570cd681e8fff2429d84ed52fa9eea7699b
Opcode Fuzzy Hash: 055b3dd573d30a35f67603ec61f541ef51758a56867364abbcfc7526678079c2
Instruction Fuzzy Hash: 5D416D74E00218AFCB04DF95DD85EEEBBB8FF58700F148126E501B72A0C6789902CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0042D6C0, Relevance: 18.1, APIs: 12, Instructions: 117COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042D70D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D72C
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042D748
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042D761
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,00000130), ref: 0042D784
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0042D7B3
__vbaStrVarMove.MSVBVM60(00000000), ref: 0042D7BD
__vbaStrMove.MSVBVM60 ref: 0042D7C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A8,000001EC), ref: 0042D7E8
__vbaFreeStr.MSVBVM60 ref: 0042D7F1
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0042D805
__vbaFreeVar.MSVBVM60 ref: 0042D811

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$CallLateList
String ID:
API String ID: 3081447974-0
Opcode ID: 72620c0ddd028a05ef741f6fd609140189dbaa0bd3feb3798a710d45d9a9600a
Instruction ID: 30768c3d2f56132b8393af16fc882615d708e5611d8896534ffaa971923de7de
Opcode Fuzzy Hash: 72620c0ddd028a05ef741f6fd609140189dbaa0bd3feb3798a710d45d9a9600a
Instruction Fuzzy Hash: A2414CB4E00204AFCB04DFA4DD89F9EBBB8FB48701F10452AF545F7261D6389A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424C20, Relevance: 15.1, APIs: 10, Instructions: 107COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00424C69
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 00424C82
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424CA1
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 00424CBD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424CD6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409998,000000F0), ref: 00424CF9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A8,000001EC), ref: 00424D39
__vbaFreeStr.MSVBVM60 ref: 00424D42
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00424D52
__vbaFreeStr.MSVBVM60(00424D89), ref: 00424D82

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$CopyList
String ID:
API String ID: 4130517723-0
Opcode ID: 3a87404ae2ace394f9b50a1d3ee987b7a3149dc99de5ef2dcad645ef04b3be0d
Instruction ID: 891aa9ec259e83f0246fe4cd396e06e249b69bc44dffdfd4b4eb9107ca8a2b2e
Opcode Fuzzy Hash: 3a87404ae2ace394f9b50a1d3ee987b7a3149dc99de5ef2dcad645ef04b3be0d
Instruction Fuzzy Hash: E2418FB4A40215AFCB04DFA9DD49FAEBBB8FF48701F10416AF505E7251D7789901CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425B20, Relevance: 13.5, APIs: 9, Instructions: 47COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425B60
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425B68
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425B70
__vbaCyStr.MSVBVM60(00409AE4,?,?,?,?,?,?,?,00401746), ref: 00425B77
__vbaFpCmpCy.MSVBVM60(00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425B85
#569.MSVBVM60(0000002F,?,?,?,?,?,?,?,?,00401746), ref: 00425B91
__vbaFreeStr.MSVBVM60(00425BB3,?,?,?,?,?,?,?,?,00401746), ref: 00425BA6
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425BAB
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425BB0

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CopyFree$#569
String ID:
API String ID: 3911904416-0
Opcode ID: f9758af6f18c87d78a8e8dea8b96864528dd92be97ff4677fe735b66d24fd0e4
Instruction ID: e9920d99f72fcebf3945656f4e3d9a4a9960d3dc1ce1abce1a4144f718779823
Opcode Fuzzy Hash: f9758af6f18c87d78a8e8dea8b96864528dd92be97ff4677fe735b66d24fd0e4
Instruction Fuzzy Hash: D7110C70D0125E9BCB00DFA4EE45AAE7FB8EB08700F10416AA505B35A4DB746A45CFE5

Uniqueness

Uniqueness Score: -1.00%

Function 00424ED0, Relevance: 12.1, APIs: 8, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A198,00433010), ref: 00424F14
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424F2D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099B8,000001CC), ref: 00424FB4
__vbaFreeObj.MSVBVM60 ref: 00424FC3
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 00424FD8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00424FF1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409998,000001C8), ref: 00425018
__vbaFreeObj.MSVBVM60 ref: 00425027

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 0f176dd25510c34355ef2ad34446cdf672a2bf88fd64e2d4287f92682765b2f0
Instruction ID: 5e22e0e61d9357e9580becebff7e0f5051d361d261befb1fc821e7244af43a69
Opcode Fuzzy Hash: 0f176dd25510c34355ef2ad34446cdf672a2bf88fd64e2d4287f92682765b2f0
Instruction Fuzzy Hash: 014140B4A403049FCB08DF69D989A9ABBF4FF4D701F10846AE505E7355D7389901CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00425530, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 00425591
__vbaFpR8.MSVBVM60 ref: 00425597
__vbaNew2.MSVBVM60(00409A28,004333CC), ref: 004255C0
__vbaHresultCheckObj.MSVBVM60(00000000,0217E9C4,00409A18,0000001C), ref: 004255E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00409A38,0000005C), ref: 00425629
__vbaStrMove.MSVBVM60 ref: 0042563C
__vbaFreeObj.MSVBVM60 ref: 00425645
__vbaFreeStr.MSVBVM60(0042567E), ref: 00425677

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#672MoveNew2
String ID:
API String ID: 2213023555-0
Opcode ID: 4b2f6ed7f378f8bf3db4659254b66350d0ed64f6b8e29f079d6c6b50b6086e29
Instruction ID: fc694674283523334836c45caa29438cd46073ed11baad089abfe5311505727a
Opcode Fuzzy Hash: 4b2f6ed7f378f8bf3db4659254b66350d0ed64f6b8e29f079d6c6b50b6086e29
Instruction Fuzzy Hash: 00315E70A00609ABCB10DF95DD88B9EFBB8FF98701F20805AF505B7265C7789941CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00432040, Relevance: 12.1, APIs: 8, Instructions: 92COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00432084
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004320A3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099B8,000001C8), ref: 004320E2
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004320F1
__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00432106
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0043211F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,00000088), ref: 00432142
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00432151

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: fd1943453f87995b6a5a6ca647268e0c8c1792bda2ae1ce715ce539b1fdaf8da
Instruction ID: 5651a1a76ca876088d60c9a967b783800e7aebdcbc4724e2462ff5fa8f915471
Opcode Fuzzy Hash: fd1943453f87995b6a5a6ca647268e0c8c1792bda2ae1ce715ce539b1fdaf8da
Instruction Fuzzy Hash: D431A278A403049BCB18DF68CE89F9A7BB8BB4C701F10852AF545E7395D7789901CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00424DB0, Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424DFC
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E04
__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E19
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E32
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409998,00000220), ref: 00424E75
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E7E
__vbaFreeStr.MSVBVM60(00424EA6,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424E9E
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00424EA3

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID:
API String ID: 1874231197-0
Opcode ID: 1372a579f735cb124bb73eca514d331c8a3fcfe6e06eafe50d0dbe8073d65a37
Instruction ID: e50cf624e90fd41ca7fb79ce3f447bf29aeb8a2110359f8e3fcddc3e1f4793ae
Opcode Fuzzy Hash: 1372a579f735cb124bb73eca514d331c8a3fcfe6e06eafe50d0dbe8073d65a37
Instruction Fuzzy Hash: 4A215175E00219DFCB04DFA9D989A9EBBB8FF4D300F10806AE515E72A5C7789941CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00425220, Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 64
COMMON

Download Yara Rule

C-Code - Quality: 20%

			E00425220(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr* _t19;
				intOrPtr* _t21;
				intOrPtr* _t23;
				void* _t26;
				intOrPtr* _t28;
				intOrPtr* _t38;
				void* _t39;
				void* _t41;
				intOrPtr _t42;
				intOrPtr _t43;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				_t43 = _t42 - 0x28;
				_v16 = _t43;
				_v12 = 0x401208;
				_v8 = 0;
				_t19 = _a4;
				 *((intOrPtr*)( *_t19 + 4))(_t19, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t39);
				_t21 =  *0x433010; // 0x65ff40
				_v28 = 0;
				_v32 = 0;
				if(_t21 == 0) {
					__imp____vbaNew2(0x40a198, 0x433010);
					_t21 =  *0x433010; // 0x65ff40
				}
				_t23 =  &_v32;
				__imp____vbaObjSet(_t23,  *((intOrPtr*)( *_t21 + 0x354))(_t21));
				_t28 = _t43 - 0x10;
				 *_t28 = 0xa;
				_t38 = _t23;
				 *((intOrPtr*)(_t28 + 4)) = _v44;
				 *((intOrPtr*)(_t28 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t28 + 0xc)) = _v36;
				_t26 =  *((intOrPtr*)( *_t38 + 0x1ec))(_t38, L"PHACOCELE");
				asm("fclex");
				if(_t26 < 0) {
					__imp____vbaHresultCheckObj(_t26, _t38, 0x4099a8, 0x1ec);
				}
				__imp____vbaFreeObj();
				_v28 = 0x2be5;
				_push(0x4252f9);
				return _t26;
			}

0x00425223
0x00425232
0x00425239
0x0042523f
0x00425242
0x0042524b
0x0042524e
0x00425254
0x00425257
0x0042525e
0x00425261
0x00425264
0x00425270
0x00425276
0x00425276
0x00425285
0x00425289
0x00425292
0x00425299
0x0042529e
0x004252a2
0x004252aa
0x004252b6
0x004252b9
0x004252bf
0x004252c3
0x004252d1
0x004252d1
0x004252da
0x004252e0
0x004252e7
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425270
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425289
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099A8,000001EC), ref: 004252D1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004252DA

Strings

+, xrefs: 004252E0
PHACOCELE, xrefs: 004252B0

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: PHACOCELE$+
API String ID: 1645334062-1228347243
Opcode ID: b741845d0d282b280b88ac01b4c34ebb624cd1b2ac3f9971169edb902d368e1e
Instruction ID: 46ea55d17eca8606d1d3aa260241d35ce94f60538e002062bc4ac07cfb7414fb
Opcode Fuzzy Hash: b741845d0d282b280b88ac01b4c34ebb624cd1b2ac3f9971169edb902d368e1e
Instruction Fuzzy Hash: 162180B4A00204EBCB04DF99D989B9ABFB8FB49301F24856AF505E7291C3789901CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00425CC0, Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 49COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00425D17
#687.MSVBVM60(?,?), ref: 00425D25
__vbaDateVar.MSVBVM60(?), ref: 00425D2F
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00425D41

Strings

Lu, xrefs: 00425D4A
7-7-7, xrefs: 00425D09

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#687DateFreeList
String ID: 7-7-7$Lu
API String ID: 3303533072-1249225327
Opcode ID: 810fe1f82e118da02142200907acfa411541c0d9c6e8b29759e928342858a2e3
Instruction ID: a6b9fe8999432a4eb3cefc37c694d5651e99369c3e3261b4236ad36f82ba9321
Opcode Fuzzy Hash: 810fe1f82e118da02142200907acfa411541c0d9c6e8b29759e928342858a2e3
Instruction Fuzzy Hash: CB11D6B5D10228EBCB10DFD4ED89ADEBBB8FB48B04F04811AF501A7654D7B85509CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00425480, Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

#669.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004254BA
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004254C5
__vbaStrCmp.MSVBVM60(Distriktsbladet6,00000000,?,?,?,?,?,?,?,00401746), ref: 004254D1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 004254E3
#568.MSVBVM60(0000003C,?,?,?,?,?,?,?,00401746), ref: 004254F0

Strings

Distriktsbladet6, xrefs: 004254CC

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#568#669FreeMove
String ID: Distriktsbladet6
API String ID: 2447501155-846783287
Opcode ID: 3ee8c7ef4afd436e6532c1e0fc7bf5b464bc70496264a3d7f7583142bc854a46
Instruction ID: 00c7940432ea8eb40d9723c910c14d38321075c210b8504928d7248c3f756362
Opcode Fuzzy Hash: 3ee8c7ef4afd436e6532c1e0fc7bf5b464bc70496264a3d7f7583142bc854a46
Instruction Fuzzy Hash: D201A275D00214AFC700AF64DD49AAEBBB8EB48B00F508126F942F36A0CB7C4945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00425330, Relevance: 9.1, APIs: 6, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00425373
__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042538C
__vbaObjSet.MSVBVM60(?,00000000), ref: 004253A5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099B8,000001CC), ref: 0042542C
__vbaFreeObj.MSVBVM60 ref: 00425435
__vbaFreeStr.MSVBVM60(00425457), ref: 00425450

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 49e70ba8c8afb1c82fbf557084badf509740b1d2141cb1442825b70d9efb7534
Instruction ID: 0344242de61fe53406f49412cb68df6be1d9a5d543a77c1f2b3bd0dd8fa356f9
Opcode Fuzzy Hash: 49e70ba8c8afb1c82fbf557084badf509740b1d2141cb1442825b70d9efb7534
Instruction Fuzzy Hash: 2C31F8B4A00214DFCB04DFA9D989A9ABBF4FF49701F10C06AE509AB365D7389942CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00425110, Relevance: 9.1, APIs: 6, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425153
__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042516C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425185
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004099B8,000001C8), ref: 004251C8
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004251D1
__vbaFreeStr.MSVBVM60(004251F2,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004251EB

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: f4194e63e995c6258bea027ab735b1c88e2c5395d91bd88452c86c306c752d3a
Instruction ID: a44dc7262d0ae149cf8d4db52e1a71d0467e7e6ee6e86509bb42985e6721d803
Opcode Fuzzy Hash: f4194e63e995c6258bea027ab735b1c88e2c5395d91bd88452c86c306c752d3a
Instruction Fuzzy Hash: 24215C74E40204ABCB04DFA9D989BAABBB8FF49301F10806AF515E72A5C7389941CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00425E80, Relevance: 9.1, APIs: 6, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425EC3
__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425EDC
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425EF5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000001AC,?,?,?,?,?,?,?,?,00401746), ref: 00425F18
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425F21
__vbaFreeStr.MSVBVM60(00425F42,?,?,?,?,?,?,?,?,00401746), ref: 00425F3B

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 74011ef2dfd11b113210728b3df8c252d8eb443cb564b1d57bdd9ebed1531e63
Instruction ID: f4cc3a8f1551724f99f3634f43a13943e301c89f275b1a79cc67260845060ce9
Opcode Fuzzy Hash: 74011ef2dfd11b113210728b3df8c252d8eb443cb564b1d57bdd9ebed1531e63
Instruction Fuzzy Hash: 3A118E74A40204EFCB04DFA5DA49AAEBBB8FF49701F104466F556E72A0C7385902CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00425BD0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E00425BD0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _t17;
				intOrPtr* _t19;
				intOrPtr* _t21;
				void* _t24;
				intOrPtr* _t26;
				intOrPtr* _t36;
				void* _t37;
				void* _t39;
				intOrPtr _t40;
				intOrPtr _t41;

				_t40 = _t39 - 0xc;
				 *[fs:0x0] = _t40;
				_t41 = _t40 - 0x24;
				_v16 = _t41;
				_v12 = 0x401290;
				_v8 = 0;
				_t17 = _a4;
				 *((intOrPtr*)( *_t17 + 4))(_t17, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t37);
				_t19 =  *0x433010; // 0x65ff40
				_v28 = 0;
				if(_t19 == 0) {
					__imp____vbaNew2(0x40a198, 0x433010);
					_t19 =  *0x433010; // 0x65ff40
				}
				_t21 =  &_v28;
				__imp____vbaObjSet(_t21,  *((intOrPtr*)( *_t19 + 0x358))(_t19));
				_t26 = _t41 - 0x10;
				 *_t26 = 0xa;
				_t36 = _t21;
				 *((intOrPtr*)(_t26 + 4)) = _v40;
				 *((intOrPtr*)(_t26 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t26 + 0xc)) = _v32;
				_t24 =  *((intOrPtr*)( *_t36 + 0x1ec))(_t36, L"Rubedity");
				asm("fclex");
				if(_t24 < 0) {
					__imp____vbaHresultCheckObj(_t24, _t36, 0x409b00, 0x1ec);
				}
				__imp____vbaFreeObj();
				_push(0x425c9f);
				return _t24;
			}

0x00425bd3
0x00425be2
0x00425be9
0x00425bef
0x00425bf2
0x00425bfb
0x00425bfe
0x00425c04
0x00425c07
0x00425c0e
0x00425c11
0x00425c1d
0x00425c23
0x00425c23
0x00425c32
0x00425c36
0x00425c3f
0x00425c46
0x00425c4b
0x00425c4f
0x00425c57
0x00425c63
0x00425c66
0x00425c6c
0x00425c70
0x00425c7e
0x00425c7e
0x00425c87
0x00425c8d
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425C1D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425C36
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B00,000001EC), ref: 00425C7E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00425C87

Strings

Rubedity, xrefs: 00425C5D

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Rubedity
API String ID: 1645334062-1230464931
Opcode ID: 6cc04f521c14daaf4e42834b82cc5630273f2e3bcc186cbc7c10621da4efc24c
Instruction ID: ebf1c3ad00f245701d71bfd7d9ec8066368ea19d768adfae76b4f1c5ff04961f
Opcode Fuzzy Hash: 6cc04f521c14daaf4e42834b82cc5630273f2e3bcc186cbc7c10621da4efc24c
Instruction Fuzzy Hash: 9221A2B4A00304EFCB04DFA9D989B9ABFF8FB49700F108466F505EB295D7789941CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00424B30, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

#660.MSVBVM60(?,?,?,00000001,00000001), ref: 00424B91
__vbaVarTstNe.MSVBVM60(?,?), ref: 00424BA9
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 00424BBF
#532.MSVBVM60(RESTARTED), ref: 00424BD2

Strings

RESTARTED, xrefs: 00424BCD

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$#532#660FreeList
String ID: RESTARTED
API String ID: 675845651-3446605417
Opcode ID: 386a2a2be68d275fa71e86c439e5064b7ebab8c005a8fe12ca1b4af4465a3163
Instruction ID: 71c9cfa2c6910f95144ef729da81415600d6779018bdeb9c4028c7c584f829b7
Opcode Fuzzy Hash: 386a2a2be68d275fa71e86c439e5064b7ebab8c005a8fe12ca1b4af4465a3163
Instruction Fuzzy Hash: CA1129B1840228EBDB00DF94DD89FEEBBB8FB48B01F54421AF505B2690D7B815498B65

Uniqueness

Uniqueness Score: -1.00%

Function 00425FF0, Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

__vbaOnError.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00426034
__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042604D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401746), ref: 00426066
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,00000140,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042608D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042609C

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckErrorFreeHresultNew2
String ID:
API String ID: 3750743295-0
Opcode ID: b39906d193deb8b0c671670e966ab98d08714995eb5eeb593f8e2d9a76f7dfb5
Instruction ID: a2c947db23abfa5e4cfade029d7da5af53a6353778d5136733df2e57556cb937
Opcode Fuzzy Hash: b39906d193deb8b0c671670e966ab98d08714995eb5eeb593f8e2d9a76f7dfb5
Instruction Fuzzy Hash: 3B216D74A40214ABCB15DFA6CE48B9EBBB8FF89700F10446AF555F72A0C7785901CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00425060, Relevance: 7.5, APIs: 5, Instructions: 35COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 0042509A
#546.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004250A4
__vbaVarMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401746), ref: 004250B0
__vbaFreeVar.MSVBVM60(004250E8), ref: 004250D8
__vbaFreeStr.MSVBVM60 ref: 004250E1

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$Free$#546CopyMove
String ID:
API String ID: 2278598164-0
Opcode ID: 4bb0f5dbf40012bc1b91ff54a72086aff2a80e7642506d1246a88ca76fcfa356
Instruction ID: b414a4f7ab0d7e2303d75b23041ec0ed2b8f52ce27d3caab52162d66f9ddbaa2
Opcode Fuzzy Hash: 4bb0f5dbf40012bc1b91ff54a72086aff2a80e7642506d1246a88ca76fcfa356
Instruction Fuzzy Hash: 32010870C00209ABCF04DFA4D948ADEBBB8FB08701F108426E511B6164EB382505CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 0042DA40, Relevance: 6.1, APIs: 4, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 19%

			E0042DA40(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				intOrPtr _v44;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr* _t31;
				intOrPtr* _t33;
				intOrPtr* _t35;
				intOrPtr* _t40;
				void* _t41;
				intOrPtr* _t43;
				intOrPtr* _t47;
				intOrPtr* _t60;
				void* _t61;
				void* _t63;
				intOrPtr _t64;
				intOrPtr _t65;
				intOrPtr* _t66;
				intOrPtr* _t67;

				_t64 = _t63 - 0xc;
				 *[fs:0x0] = _t64;
				_t65 = _t64 - 0x44;
				_v16 = _t65;
				_v12 = 0x4016a8;
				_v8 = 0;
				_t31 = _a4;
				 *((intOrPtr*)( *_t31 + 4))(_t31, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t61);
				_t33 =  *0x433010; // 0x65ff40
				_v28 = 0;
				if(_t33 == 0) {
					__imp____vbaNew2(0x40a198, 0x433010);
					_t33 =  *0x433010; // 0x65ff40
				}
				_t35 =  &_v28;
				__imp____vbaObjSet(_t35,  *((intOrPtr*)( *_t33 + 0x3b4))(_t33));
				_t66 = _t65 - 0x10;
				_t60 = _t35;
				_t43 = _t66;
				 *_t43 = 0xa;
				_v44 = 0xa;
				 *((intOrPtr*)(_t43 + 4)) = _v72;
				 *((intOrPtr*)(_t43 + 8)) = 0x80020004;
				 *((intOrPtr*)(_t43 + 0xc)) = _v64;
				_t67 = _t66 - 0x10;
				_t47 = _t67;
				 *_t47 = 0xa;
				 *((intOrPtr*)(_t47 + 4)) = _v56;
				 *((intOrPtr*)(_t47 + 8)) = 0x80020004;
				_v36 = 0x80020004;
				 *((intOrPtr*)(_t47 + 0xc)) = _v48;
				_t40 = _t67 - 0x10;
				 *_t40 = _v44;
				 *((intOrPtr*)(_t40 + 4)) = _v40;
				 *((intOrPtr*)(_t40 + 8)) = _v36;
				 *((intOrPtr*)(_t40 + 0xc)) = _v32;
				_t41 =  *((intOrPtr*)( *_t60 + 0x1d0))(_t60, 0x46e36000);
				asm("fclex");
				if(_t41 < 0) {
					__imp____vbaHresultCheckObj(_t41, _t60, 0x409b34, 0x1d0);
				}
				__imp____vbaFreeObj();
				asm("wait");
				_push(0x42db4f);
				return _t41;
			}

0x0042da43
0x0042da52
0x0042da59
0x0042da5f
0x0042da62
0x0042da6b
0x0042da6e
0x0042da74
0x0042da77
0x0042da7e
0x0042da81
0x0042da8d
0x0042da93
0x0042da93
0x0042daa2
0x0042daa6
0x0042daac
0x0042daaf
0x0042dab1
0x0042daba
0x0042dabc
0x0042dac2
0x0042dacc
0x0042dad2
0x0042dad5
0x0042dad8
0x0042dadf
0x0042dae4
0x0042dae7
0x0042daea
0x0042daf0
0x0042dafc
0x0042dafe
0x0042db03
0x0042db0e
0x0042db12
0x0042db15
0x0042db1b
0x0042db1f
0x0042db2d
0x0042db2d
0x0042db36
0x0042db3c
0x0042db3d
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A198,00433010), ref: 0042DA8D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042DAA6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409B34,000001D0), ref: 0042DB2D
__vbaFreeObj.MSVBVM60 ref: 0042DB36

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 091e61738650c1b3dde35ff8eb4f9c65e61fb4084e9d77683973606c178f67ba
Instruction ID: b281422ac3f56f9cba510459408849f7afdb00c5015f9964386950ae9b7e4af6
Opcode Fuzzy Hash: 091e61738650c1b3dde35ff8eb4f9c65e61fb4084e9d77683973606c178f67ba
Instruction Fuzzy Hash: 19311AB4E002049FCB04DFA8D989A9ABBF5FF4C700F20C06AE509AB355D738A801CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0042DF20, Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,00401746), ref: 0042DF70
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 0042DF89
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000001A8,?,?,?,?,?,?,?,?,00401746), ref: 0042DFAC
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 0042DFB5

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: fc3937152ff4eb8605e172a7a0c6aae526dea46cf0d64874ea0caf90375153dd
Instruction ID: 20f421597672cec5281c91f9df1e3c8553df92afb70ada12a224b02c676d8648
Opcode Fuzzy Hash: fc3937152ff4eb8605e172a7a0c6aae526dea46cf0d64874ea0caf90375153dd
Instruction Fuzzy Hash: 57118F74E40204ABC714DFA9DE49B9EBBB8FF59701F204426F452E72A0C77859418B99

Uniqueness

Uniqueness Score: -1.00%

Function 00425DA0, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00425DA0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t28;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				_v16 = _t32 - 0x18;
				_v12 = 0x4012b0;
				_v8 = 0;
				_t14 = _a4;
				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t29);
				_t16 =  *0x433010; // 0x65ff40
				_v28 = 0;
				_v32 = 0;
				if(_t16 == 0) {
					__imp____vbaNew2(0x40a198, 0x433010);
					_t16 =  *0x433010; // 0x65ff40
				}
				_t18 =  &_v32;
				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x378))(_t16));
				_t28 = _t18;
				_t19 =  *((intOrPtr*)( *_t28 + 0x21c))(_t28);
				asm("fclex");
				if(_t19 < 0) {
					__imp____vbaHresultCheckObj(_t19, _t28, 0x409998, 0x21c);
				}
				__imp____vbaFreeObj();
				_v28 = 0x4c22e;
				_push(0x425e54);
				return _t19;
			}

0x00425da3
0x00425db2
0x00425dbf
0x00425dc2
0x00425dcb
0x00425dce
0x00425dd4
0x00425dd7
0x00425dde
0x00425de1
0x00425de4
0x00425df0
0x00425df6
0x00425df6
0x00425e05
0x00425e09
0x00425e0f
0x00425e14
0x00425e1a
0x00425e1e
0x00425e2c
0x00425e2c
0x00425e35
0x00425e3b
0x00425e42
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,?,00401746), ref: 00425DF0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401746), ref: 00425E09
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409998,0000021C,?,?,?,?,?,?,?,?,00401746), ref: 00425E2C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401746), ref: 00425E35

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: ca0f8a672997cba4123571f8086038a347f6d479e58b036e35180e4680468f46
Instruction ID: b0bd67a03bd76815071e56c727c2fc5f537f9f08caafd4be5a2b1798ed5b139e
Opcode Fuzzy Hash: ca0f8a672997cba4123571f8086038a347f6d479e58b036e35180e4680468f46
Instruction Fuzzy Hash: 5A1191B8A40604ABC700DF95D949F9AFBB8FF59701F20846AF455E72A1C77859018B98

Uniqueness

Uniqueness Score: -1.00%

Function 004256B0, Relevance: 6.1, APIs: 4, Instructions: 51
COMMON

Download Yara Rule

C-Code - Quality: 17%

			E004256B0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				intOrPtr* _t12;
				intOrPtr* _t14;
				intOrPtr* _t16;
				void* _t17;
				intOrPtr* _t26;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				_v16 = _t30 - 0x14;
				_v12 = 0x401250;
				_v8 = 0;
				_t12 = _a4;
				 *((intOrPtr*)( *_t12 + 4))(_t12, __edi, __esi, __ebx,  *[fs:0x0], 0x401746, _t27);
				_t14 =  *0x433010; // 0x65ff40
				_v28 = 0;
				if(_t14 == 0) {
					__imp____vbaNew2(0x40a198, 0x433010);
					_t14 =  *0x433010; // 0x65ff40
				}
				_t16 =  &_v28;
				__imp____vbaObjSet(_t16,  *((intOrPtr*)( *_t14 + 0x338))(_t14));
				_t26 = _t16;
				_t17 =  *((intOrPtr*)( *_t26 + 0x1ac))(_t26);
				asm("fclex");
				if(_t17 < 0) {
					__imp____vbaHresultCheckObj(_t17, _t26, 0x409a48, 0x1ac);
				}
				__imp____vbaFreeObj();
				_push(0x42575a);
				return _t17;
			}

0x004256b3
0x004256c2
0x004256cf
0x004256d2
0x004256db
0x004256de
0x004256e4
0x004256e7
0x004256ee
0x004256f1
0x004256fd
0x00425703
0x00425703
0x00425712
0x00425716
0x0042571c
0x00425721
0x00425727
0x0042572b
0x00425739
0x00425739
0x00425742
0x00425748
0x00000000

APIs

__vbaNew2.MSVBVM60(0040A198,00433010,?,?,?,?,?,?,?,00401746), ref: 004256FD
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401746), ref: 00425716
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00409A48,000001AC,?,?,?,?,?,?,?,00401746), ref: 00425739
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401746), ref: 00425742

Memory Dump Source

Source File: 00000001.00000002.1181676924.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1181664871.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1181867913.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1181876551.0000000000435000.00000002.00020000.sdmp Download File

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: e97fe0c22d9778790d55df613fae70895d0c6c9ec19433f1bbaf9e2ae33702f7
Instruction ID: fce2386ab8b01fa680f9ce55e85c104538a6b7e8adaa9f709b2ceaca214defae
Opcode Fuzzy Hash: e97fe0c22d9778790d55df613fae70895d0c6c9ec19433f1bbaf9e2ae33702f7
Instruction Fuzzy Hash: 1A11A074A40200EFC700EFA5DD89B9ABBB8FB89701F104426F542E72A0C6785901CB98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report SecuriteInfo.com.__vbaHresultCheckObj.11013.25640

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe PID: 6556 Parent PID: 5768

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: SecuriteInfo.com.__vbaHresultCheckObj.11013.exe PID: 6556 Parent PID: 5768 SecuriteInfo.com.__vbaHresultCheckObj.11013.exeCOMMON

Analysis Process: SecuriteInfo.com.vbaHresultCheckObj.11013.exe PID: 6556 Parent PID: 5768 SecuriteInfo.com.vbaHresultCheckObj.11013.exeCOMMON