Play interactive tour

Edit tour

Windows Analysis Report MWSW9nxmUK

Overview

General Information

Sample Name:	MWSW9nxmUK (renamed file extension from none to exe)
Analysis ID:	452531
MD5:	c937fc9ed4325e6ab24d49a3175f3a5c
SHA1:	00439295920e78ecac31d1dbf7eb67118d76299a
SHA256:	d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
Tags:	32exetrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE / OLE file has an invalid certificate

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

MWSW9nxmUK.exe (PID: 5060 cmdline: 'C:\Users\user\Desktop\MWSW9nxmUK.exe' MD5: C937FC9ED4325E6AB24D49A3175F3A5C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: MWSW9nxmUK.exe	Virustotal: Detection: 44%			Perma Link
Source: MWSW9nxmUK.exe	ReversingLabs: Detection: 42%

Source: MWSW9nxmUK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin

Source: MWSW9nxmUK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: MWSW9nxmUK.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: MWSW9nxmUK.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: MWSW9nxmUK.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: MWSW9nxmUK.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: MWSW9nxmUK.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: MWSW9nxmUK.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: MWSW9nxmUK.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: MWSW9nxmUK.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: MWSW9nxmUK.exe	String found in binary or memory: https://www.digicert.com/CPS0

Source: MWSW9nxmUK.exe, 00000000.00000002.737092778.00000000007BA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD543B NtAllocateVirtualMemory,		0_2_02BD543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD5540 NtAllocateVirtualMemory,		0_2_02BD5540

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD543B	0_2_02BD543B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3684	0_2_02BD3684
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3ED8	0_2_02BD3ED8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD42C0	0_2_02BD42C0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD163B	0_2_02BD163B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD322C	0_2_02BD322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2228	0_2_02BD2228
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD1A21	0_2_02BD1A21
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3A18	0_2_02BD3A18
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD421B	0_2_02BD421B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD1A78	0_2_02BD1A78
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3A69	0_2_02BD3A69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3259	0_2_02BD3259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD87BC	0_2_02BD87BC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD6FAF	0_2_02BD6FAF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD27A4	0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7BA4	0_2_02BD7BA4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD47A2	0_2_02BD47A2
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD23FF	0_2_02BD23FF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0BDC	0_2_02BD0BDC
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD47C8	0_2_02BD47C8
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD6B35	0_2_02BD6B35
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD832E	0_2_02BD832E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3325	0_2_02BD3325
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD4712	0_2_02BD4712
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD770F	0_2_02BD770F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2379	0_2_02BD2379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD6B7B	0_2_02BD6B7B
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD475F	0_2_02BD475F
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7F4E	0_2_02BD7F4E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD80A4	0_2_02BD80A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD28A0	0_2_02BD28A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD048D	0_2_02BD048D
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0889	0_2_02BD0889
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD80EF	0_2_02BD80EF
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD48E9	0_2_02BD48E9
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD38D1	0_2_02BD38D1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD80C6	0_2_02BD80C6
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0CC3	0_2_02BD0CC3
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD8C36	0_2_02BD8C36
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2C2A	0_2_02BD2C2A
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD841E	0_2_02BD841E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7077	0_2_02BD7077
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD4860	0_2_02BD4860
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2455	0_2_02BD2455
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0C54	0_2_02BD0C54
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0C4C	0_2_02BD0C4C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD8C42	0_2_02BD8C42
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD15BD	0_2_02BD15BD
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD05B1	0_2_02BD05B1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3D84	0_2_02BD3D84
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7D3E	0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3D2C	0_2_02BD3D2C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2518	0_2_02BD2518
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0916	0_2_02BD0916
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD4912	0_2_02BD4912
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD5908	0_2_02BD5908
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD4105	0_2_02BD4105
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7D06	0_2_02BD7D06
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD517E	0_2_02BD517E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD0147	0_2_02BD0147
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD5D43	0_2_02BD5D43

Source: MWSW9nxmUK.exe

Static PE information: invalid certificate

Source: MWSW9nxmUK.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: MWSW9nxmUK.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: MWSW9nxmUK.exe, 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe
Source: MWSW9nxmUK.exe	Binary or memory string: OriginalFilenameInterrup.exe vs MWSW9nxmUK.exe

Source: MWSW9nxmUK.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

File created: C:\Users\user\AppData\Local\Temp\~DF9A0B27BB2B5BB8A9.TMP

Jump to behavior

Source: MWSW9nxmUK.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: MWSW9nxmUK.exe	Virustotal: Detection: 44%
Source: MWSW9nxmUK.exe	ReversingLabs: Detection: 42%

Source: MWSW9nxmUK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Interrup.pdb source: MWSW9nxmUK.exe

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B12F5 push edx; ret	0_2_005B1321
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B1054 push edx; ret	0_2_005B1081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B2854 push edx; ret	0_2_005B2881
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B4054 push edx; ret	0_2_005B4081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B5854 push edx; ret	0_2_005B5881
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B7054 push edx; ret	0_2_005B7081
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B0843 push edx; ret	0_2_005B0871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B2043 push edx; ret	0_2_005B2071
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B3843 push edx; ret	0_2_005B3871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B5043 push edx; ret	0_2_005B5071
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B6844 push edx; ret	0_2_005B6871
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B0878 push edx; ret	0_2_005B08A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B6875 push edx; ret	0_2_005B68A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B2074 push edx; ret	0_2_005B20A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B3874 push edx; ret	0_2_005B38A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B5074 push edx; ret	0_2_005B50A1
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B0068 push edx; ret	0_2_005B0091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B3063 push edx; ret	0_2_005B3091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B1863 push edx; ret	0_2_005B1891
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B4863 push edx; ret	0_2_005B4891
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B6065 push edx; ret	0_2_005B6091
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B0818 push edx; ret	0_2_005B0841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B3813 push edx; ret	0_2_005B3841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B2013 push edx; ret	0_2_005B2041
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B5013 push edx; ret	0_2_005B5041
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B6814 push edx; ret	0_2_005B6841
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B0008 push edx; ret	0_2_005B0031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B600D push edx; ret	0_2_005B6031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B4803 push edx; ret	0_2_005B4831
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B3003 push edx; ret	0_2_005B3031
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_005B1803 push edx; ret	0_2_005B1831

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD27A4	0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2379	0_2_02BD2379
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD28A0	0_2_02BD28A0
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7D3E	0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7503	0_2_02BD7503

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

RDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F916C39C188h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	RDTSC instruction interceptor: First address: 0000000002BD8CAB second address: 0000000002BD8CAB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov dword ptr [ebp+00000253h], edx 0x00000010 mov edx, 83A23224h 0x00000015 cmp bh, ch 0x00000017 test ah, dh 0x00000019 xor edx, B23AA633h 0x0000001f xor edx, 5BA5550Bh 0x00000025 test ch, 00000068h 0x00000028 sub edx, 6A3DC11Ch 0x0000002e test cx, dx 0x00000031 cmp dword ptr [ebp+00000253h], edx 0x00000037 mov edx, dword ptr [ebp+00000253h] 0x0000003d jne 00007F916C39C188h 0x0000003f dec ebx 0x00000040 xor edx, edx 0x00000042 mov eax, ebx 0x00000044 test si, 634Bh 0x00000049 mov ecx, D06366DFh 0x0000004e test bx, cx 0x00000051 sub ecx, D6A7F971h 0x00000057 cmp ecx, ecx 0x00000059 xor ecx, 335F4321h 0x0000005f sub ecx, CAE42E4Bh 0x00000065 test ebx, edx 0x00000067 div ecx 0x00000069 pushad 0x0000006a rdtsc
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	RDTSC instruction interceptor: First address: 0000000002BD750B second address: 0000000002BD752A instructions: 0x00000000 rdtsc 0x00000002 mov eax, 4E5E24E1h 0x00000007 xor eax, 256A0EB4h 0x0000000c xor eax, 6B41C15Ch 0x00000011 xor eax, 0075EB08h 0x00000016 cpuid 0x00000018 popad 0x00000019 pushad 0x0000001a mov ecx, 000000F8h 0x0000001f rdtsc

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Code function: 0_2_02BD92BB rdtsc

0_2_02BD92BB

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Code function: 0_2_02BD92BB rdtsc

0_2_02BD92BB

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD2EF7 mov eax, dword ptr fs:[00000030h]	0_2_02BD2EF7
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD322C mov eax, dword ptr fs:[00000030h]	0_2_02BD322C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD3259 mov eax, dword ptr fs:[00000030h]	0_2_02BD3259
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD27A4 mov eax, dword ptr fs:[00000030h]	0_2_02BD27A4
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD6B69 mov eax, dword ptr fs:[00000030h]	0_2_02BD6B69
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD504C mov eax, dword ptr fs:[00000030h]	0_2_02BD504C
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7D3E mov eax, dword ptr fs:[00000030h]	0_2_02BD7D3E
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7106 mov eax, dword ptr fs:[00000030h]	0_2_02BD7106
Source: C:\Users\user\Desktop\MWSW9nxmUK.exe	Code function: 0_2_02BD7D06 mov eax, dword ptr fs:[00000030h]	0_2_02BD7D06

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: MWSW9nxmUK.exe, 00000000.00000002.737373795.0000000000E40000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\MWSW9nxmUK.exe

Code function: 0_2_02BD7337 cpuid

0_2_02BD7337

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery41	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
MWSW9nxmUK.exe	44%	Virustotal		Browse
MWSW9nxmUK.exe	43%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://kinmirai.org/wp-content/bin_inUIdCgQk163.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	452531
Start date:	22.07.2021
Start time:	14:52:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	MWSW9nxmUK (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 53% Number of executed functions: 8 Number of non-executed functions: 71
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.648392883751036
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	MWSW9nxmUK.exe
File size:	246888
MD5:	c937fc9ed4325e6ab24d49a3175f3a5c
SHA1:	00439295920e78ecac31d1dbf7eb67118d76299a
SHA256:	d54cafc1ca36d0ddd134f53d033ebbaaa490721d62d4168106a9b6c7cfa200ba
SHA512:	ff13a5d3bfd503e0f11c9d974a4ac88f965eec14cbf07723ac9ed425222aaa7c5871a6438cd7491fbd694424ebe4c8675dc076e81564204583336a2940e9a9d0
SSDEEP:	1536:HrnnnnnnnnnnnnnnnrKDnnnnnnnnnnnnnnnCnnnnnnnnnnnnnnXnnnnnnnnnnnnE:H6LVbA8nT1vnv9dnj6czcW
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L.....\S.................0...p......0........@....@................

File Icon


Icon Hash:	e8ccce8e8ececce8

Static PE Info

General
Entrypoint:	0x401330
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x535CB682 [Sun Apr 27 07:49:22 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	4e1e57f6de47f654992269152dd1e659

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Matri7@conn.Gru, CN=Characte2, OU=presolvep, O=Neapol8, L=styk, S=Laur, C=LC
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	7/21/2021 3:37:16 PM 7/21/2022 3:37:16 PM
Subject Chain	E=Matri7@conn.Gru, CN=Characte2, OU=presolvep, O=Neapol8, L=styk, S=Laur, C=LC
Version:	3
Thumbprint MD5:	79CF1ECF512D0016E6565DBDBB4BA3BB
Thumbprint SHA-1:	E4666F2B8BC7DC083B23415376F21E8E4C2CEB0D
Thumbprint SHA-256:	89E6F5909EC358780F7165075AE7073138BA8B7BE49CFEB5B401AF72BDC5E42B
Serial:	00

Entrypoint Preview

Instruction
push 0042F030h
call 00007F916C8F14D3h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx+ebp], bh
dec edi
bound ecx, dword ptr [esi-7EB8CB92h]
bound edi, dword ptr [edx-44h]
pop edi
push cs
pop ds
int3
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [ecx], 50h
jc 00007F916C8F154Ch
jnc 00007F916C8F1547h
jc 00007F916C8F1555h
bound eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [edx+ecx*4+0000030Ah], ah
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
adc al, F3h
enter 5D60h, CBh
rol byte ptr [edx+08D6814Bh], 0000000Eh
cmp esi, dword ptr [ebp+06D99345h]
fmul dword ptr [ecx-0Dh]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33074	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x54c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3b058	0x1410
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x1100	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xf8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x324c0	0x33000	False	0.249516505821	data	4.59513440104	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x34000	0xb90	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x54c4	0x6000	False	0.293294270833	data	4.11736046499	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x39e5c	0x668	dBase IV DBT of `.DBF, block length 1536, next free block index 40, next free block 4265541880, next used block 7936
RT_ICON	0x39b74	0x2e8	data
RT_ICON	0x3998c	0x1e8	data
RT_ICON	0x39864	0x128	GLS_BINARY_LSB_FIRST
RT_ICON	0x389bc	0xea8	data
RT_ICON	0x38114	0x8a8	data
RT_ICON	0x37a4c	0x6c8	data
RT_ICON	0x374e4	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x3643c	0x10a8	data
RT_ICON	0x35ab4	0x988	data
RT_ICON	0x3564c	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x355ac	0xa0	data
RT_VERSION	0x352d0	0x2dc	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Clicked
InternalName	Interrup
FileVersion	7.00
CompanyName	Clicked
LegalTrademarks	Clicked
Comments	Clicked
ProductName	Clicked
ProductVersion	7.00
FileDescription	Clicked
OriginalFilename	Interrup.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: MWSW9nxmUK.exe PID: 5060 Parent PID: 5768

General

Start time:	14:53:08
Start date:	22/07/2021
Path:	C:\Users\user\Desktop\MWSW9nxmUK.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\MWSW9nxmUK.exe'
Imagebase:	0x400000
File size:	246888 bytes
MD5 hash:	C937FC9ED4325E6AB24D49A3175F3A5C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: MWSW9nxmUK.exe PID: 5060 Parent PID: 5768 MWSW9nxmUK.exeCOMMON

Executed Functions

Function 02BD543B, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 152memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02BD560C

Strings

Nn!v, xrefs: 02BD54CD
Nn!v, xrefs: 02BD54D2

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Nn!v$Nn!v
API String ID: 2167126740-3115524940
Opcode ID: 015e8b0abd7920c631aa7676a07db578ad2d505ebb8099d48650eee19db3ed0f
Instruction ID: bdcd72e561f5d35bc9b9325a5b3fb333741fae1838ebd6eeec71fd5459742f77
Opcode Fuzzy Hash: 015e8b0abd7920c631aa7676a07db578ad2d505ebb8099d48650eee19db3ed0f
Instruction Fuzzy Hash: F65122B5A043599FDF709E64D8947CB77A1FF0A360F95442ADC88EB201E7309A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5540, Relevance: 1.6, APIs: 1, Instructions: 99memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02BD560C

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e8bdcfc275e6778364334c2fb4197cbf67d1acc3f4010fbc314a5eac5104f51f
Instruction ID: 416ebb565354aac3f7a214c3a1e5301c6f132e888d9029cff4a262aa14c0fa92
Opcode Fuzzy Hash: e8bdcfc275e6778364334c2fb4197cbf67d1acc3f4010fbc314a5eac5104f51f
Instruction Fuzzy Hash: C731F2756183888FDB219F64DCA07EA7FB1FF4A364F684569DC898B202D330AA41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00430BE4, Relevance: 221.8, APIs: 116, Strings: 10, Instructions: 1298COMMON

Download Yara Rule

APIs

__vbaStrToAnsi.MSVBVM60(?,spearproof), ref: 00430D23
__vbaSetSystemError.MSVBVM60(00000000,?,spearproof), ref: 00430D34
__vbaFreeStr.MSVBVM60(00000000,?,spearproof), ref: 00430D53
#610.MSVBVM60(?,00000000,?,spearproof), ref: 00430D68
#552.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D7D
__vbaVarMove.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D8E
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00000000,?,spearproof), ref: 00430D99
__vbaNew2.MSVBVM60(0042F964,00434454,?,?,00000001,?,00000000,?,spearproof), ref: 00430DB0
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000044), ref: 00430E7D
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00430EB6
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00430EC1
__vbaNew2.MSVBVM60(0042FCF0,00434010,00000000,?,spearproof), ref: 00430EDC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430EFC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000108), ref: 00430F25
__vbaStrToAnsi.MSVBVM60(?,?), ref: 00430F37
__vbaStrToAnsi.MSVBVM60(?,Laanemuligheder4,00000000,?,?), ref: 00430F49
__vbaSetSystemError.MSVBVM60(00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F5A
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,?,Laanemuligheder4,00000000,?,?), ref: 00430F8A
__vbaFreeObj.MSVBVM60(?), ref: 00430F98
__vbaNew2.MSVBVM60(0042F964,00434454,?), ref: 00430FBA
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000014), ref: 00430FE1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431010
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431027
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,000000D0), ref: 00431032
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00431049
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,0000001C), ref: 00431070
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9BC,0000005C,?,?,?,?,?), ref: 004310BC
__vbaStrMove.MSVBVM60(?,?,?,?,?), ref: 004310D4
__vbaFreeObj.MSVBVM60(?,?,?,?,?), ref: 004310DF
__vbaNew2.MSVBVM60(0042FCF0,00434010,?), ref: 004310F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431114
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000000F0), ref: 0043113D
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043114D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431168
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,000000E8), ref: 00431191
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004311A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 004311BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 004311E5
__vbaStrMove.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 004311FD
__vbaStrCopy.MSVBVM60(00000000,00000000,0042F99C,00000130), ref: 0043120D
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8), ref: 0043126F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043128B
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 004312A7
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004312BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004312D5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000110), ref: 004312FE
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043130E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431329
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000000F8), ref: 00431354
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00431364
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043137F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313A8
__vbaStrCopy.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313B8
__vbaStrMove.MSVBVM60(00000000,00000000,0042FA04,00000138), ref: 004313D0
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8), ref: 00431432
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0043144E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000003,?,?,?), ref: 0043146A
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043147D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431498
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000068), ref: 004314BB
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 004314CB
__vbaObjSet.MSVBVM60(?,00000000), ref: 004314E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,00000060), ref: 00431509
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,00182DD5,?), ref: 004315A4
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00182DD5,?), ref: 004315B7
__vbaObjSet.MSVBVM60(?,00000000,?,00182DD5,?), ref: 004315D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA2C,00000060,?,00182DD5,?), ref: 004315F5
__vbaFreeObj.MSVBVM60(?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043165C
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043166C
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431687
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000150,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316B0
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316C0
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004316FE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043170E
__vbaObjSet.MSVBVM60(?,00000000,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431729
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000080,?,00518CAF,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431752
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,C,?,00518CAF,?,?,4B7FFB7C,?), ref: 004317CE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317E1
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 004317FC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,00000160,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431825
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431835
__vbaObjSet.MSVBVM60(?,00000000,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431850
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000080,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431879
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006FC,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431906
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043191B
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043192E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431949
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043196C
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 0043197C
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431997
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,000001C0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319C0
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319D0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 004319EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA54,000000D0,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431A14
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006FC,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AA1
__vbaFreeStr.MSVBVM60(?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AAC
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AC8
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431ADB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431AF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000070,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B19
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B29
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5,?), ref: 00431B44
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000080,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431B6D
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,007F5A39,39BD99C0,?,?,?), ref: 00431BDE
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431BF1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C0C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000060,?,?,?), ref: 00431C2F
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C3F
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?), ref: 00431C5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000170,?,?,?), ref: 00431C83
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431C9B
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C,?,?,00182DD5), ref: 00431CAB
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0042F4A8,000006F8,?,?,?), ref: 00431D0D
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,4B7FFB7C), ref: 00431D22
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,00000000,?,?,?,?), ref: 00431D37

Strings

Grilleres, xrefs: 004313AD
4, xrefs: 0043157A
Laanemuligheder4, xrefs: 00430F3D
Sprogede6, xrefs: 00431894
Codi, xrefs: 00430E45
C, xrefs: 0043177B, 00431781
Lineality, xrefs: 00431202
REFUSIONSSALDOERS, xrefs: 00431CA0
CORANTO, xrefs: 00431CDD
spearproof, xrefs: 00430C3F

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$AnsiCopy$ErrorSystem$#552#610Late
String ID: C$CORANTO$Codi$Grilleres$Laanemuligheder4$Lineality$REFUSIONSSALDOERS$Sprogede6$spearproof$4
API String ID: 2238139552-805979028
Opcode ID: 9211011506b695b7bd76c49dbfaeb28e6d951072550a433e97e7a50f834fcfac
Instruction ID: 826766c42bc274266e05f58c4bffe4374de5413d5ec59807cf29563132c25aa5
Opcode Fuzzy Hash: 9211011506b695b7bd76c49dbfaeb28e6d951072550a433e97e7a50f834fcfac
Instruction Fuzzy Hash: F3B24EB0A00618AFDB20DB65DC45FEB77BCAF48345F0001EEB549E7191DB78AA458F68

Uniqueness

Uniqueness Score: -1.00%

Function 00432BF5, Relevance: 27.2, APIs: 18, Instructions: 164COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00432C47
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432C5F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432C77
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,000001C8), ref: 00432CB3
__vbaFreeObj.MSVBVM60 ref: 00432CBB
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432CD3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432CEB
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,00000000), ref: 00432D13
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432D2B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000150), ref: 00432D51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9CC,000001EC), ref: 00432D80
__vbaFreeStr.MSVBVM60 ref: 00432D88
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432D99
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DB4
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DBE
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00432DC6
__vbaFreeStr.MSVBVM60(00432E0E,?,000000FF,000000FE,000000FE,000000FE), ref: 00432E00
__vbaFreeStr.MSVBVM60(00432E0E,?,000000FF,000000FE,000000FE,000000FE), ref: 00432E08

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#704CopyListMove
String ID:
API String ID: 3420054063-0
Opcode ID: 4b43a4d9a90e59c437c887234cba9055fa8a06025569297198416df757f2c848
Instruction ID: 006ea33965333d6a547b93557ad78ec4a6fa81f9fb16f03b3a48719df9df0b6a
Opcode Fuzzy Hash: 4b43a4d9a90e59c437c887234cba9055fa8a06025569297198416df757f2c848
Instruction Fuzzy Hash: C8516271E00218ABCB00EFA6D985EDE7BB8AF08714F50416EF511F71E1DB78A905CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00401330, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6%*), ref: 00401335

Strings

VB5!6%*, xrefs: 00401330

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6%*
API String ID: 1341478452-4246263594
Opcode ID: 31c332ee77c931514a8fdd1f3968ffa495fd20c23b1fabf680ba0c063111f381
Instruction ID: 8a4a1f984eeb0cb386edd053a70f91cc2a1c7a260cec5f098e50b8e2d0f38efc
Opcode Fuzzy Hash: 31c332ee77c931514a8fdd1f3968ffa495fd20c23b1fabf680ba0c063111f381
Instruction Fuzzy Hash: F071726241E3C18FD3038BB598696907FB1AE13228B1F45EBC4C1DF4B3D2AC185AD726

Uniqueness

Uniqueness Score: -1.00%

Function 005B12F5, Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.736600895.00000000005B0000.00000020.00000001.sdmp, Offset: 005B0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e2ad5f41b6e09edb21a3dd5713f17fd3a9c7da6a47782ae324563ef94771de
Instruction ID: 2b999c893abd9cd9278b80beb17407c92208aa024e3c58b99c6a5a69582c571f
Opcode Fuzzy Hash: d6e2ad5f41b6e09edb21a3dd5713f17fd3a9c7da6a47782ae324563ef94771de
Instruction Fuzzy Hash: D3D05E76309100BFD344C614CC45ADA7BE8EB86320F0884BDB588CB241E661EC414766

Uniqueness

Uniqueness Score: -1.00%

Function 0042F87C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1a08582f802088a3e7ebfca93ae29b7cf9774c50990062dc4e71549542afd0e3
Instruction ID: 82818f6bf46d8e2a22889197847eea2ad4be05eea2f46d0fd68f2c1f665d88de
Opcode Fuzzy Hash: 1a08582f802088a3e7ebfca93ae29b7cf9774c50990062dc4e71549542afd0e3
Instruction Fuzzy Hash: 2CB01210384215DA5B00B254BE4162C51B092847C03F04C33F001D2290C728DC04C12E

Uniqueness

Uniqueness Score: -1.00%

Function 0042F8D4, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e4cfa31ca8ea0d26cc9f9752528cdb6377ab42caf71e9a8128c3bcb3aa01244
Instruction ID: 3900d0fb5f16d21ef407b14c135bf39fb24e506fba1ae9614012bc2477a56b34
Opcode Fuzzy Hash: 0e4cfa31ca8ea0d26cc9f9752528cdb6377ab42caf71e9a8128c3bcb3aa01244
Instruction Fuzzy Hash: D1B012203940119A6B007264BC4262163A0A6813803E00C77F021D1290CB28EC04576D

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BD0889, Relevance: 11.8, Strings: 8, Instructions: 1811COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
KJ$, xrefs: 02BD122A
Lms2, xrefs: 02BD0F75
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
Zs7#, xrefs: 02BD11E8
&/L, xrefs: 02BD4378
p,Bd, xrefs: 02BD14DE

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$KJ$$Lms2$QHwy$Zs7#$p,Bd$tp$vx
API String ID: 0-1759626601
Opcode ID: f98c57f9595dd422f2f48e44167de9a87ccc8ed69a93252a0a992e5a96aed0d0
Instruction ID: c45a58231efb34af7d9f1445de72afeb5e9365433f59c3da5b4b49d77e5b0bba
Opcode Fuzzy Hash: f98c57f9595dd422f2f48e44167de9a87ccc8ed69a93252a0a992e5a96aed0d0
Instruction Fuzzy Hash: D3E233716043499FDF349F38CD957DA7BA2EF95350F95822EDC898B254E3318A86CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD27A4, Relevance: 9.2, Strings: 6, Instructions: 1723COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
1Z, xrefs: 02BD2D18
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378
80,L, xrefs: 02BD284B

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$1Z$80,L$QHwy$tp$vx
API String ID: 0-3433672908
Opcode ID: 8746eaf485f126c541830ba10943a42b367bf8c3d4364a57cac98e9119b9f96b
Instruction ID: 3a59a87664a04adb3ddb28e87827902ca607cc2a1e5a26419908d586794d4cc5
Opcode Fuzzy Hash: 8746eaf485f126c541830ba10943a42b367bf8c3d4364a57cac98e9119b9f96b
Instruction Fuzzy Hash: DBE20E71A0434A9FDB349F38CC957DA77A2FF49350F85822EDC899B244E7309A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02BD770F, Relevance: 8.5, Strings: 6, Instructions: 1046COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
ST, xrefs: 02BD796A
&/L, xrefs: 02BD4378
|JC, xrefs: 02BD7727

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$ST$tp$vx$|JC
API String ID: 0-1302285692
Opcode ID: f0822e4f6578cb5e64d8892734ebb4468996592517a0f7465c49e1c0c8773ed7
Instruction ID: 65cb4af6bc96ecd14f41525480dd8cbc0fca231ff945eb7d9b9898328e3da3f6
Opcode Fuzzy Hash: f0822e4f6578cb5e64d8892734ebb4468996592517a0f7465c49e1c0c8773ed7
Instruction Fuzzy Hash: 2C921E7160434A9FDB349F38C9957EA7BB2FF59350F95812EDC899B254E3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3684, Relevance: 7.2, Strings: 5, Instructions: 953COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
7cHN, xrefs: 02BD929D
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$7cHN$QHwy$tp$vx
API String ID: 0-4093178063
Opcode ID: 0946aa364ee1723dc2d722b3d92dcea213a80ea412d66e870c07906766c228eb
Instruction ID: 1e6483f342f2b2bf6709db277defddd823a865eb7a8bdc9dfb4f32f7ad2b5a71
Opcode Fuzzy Hash: 0946aa364ee1723dc2d722b3d92dcea213a80ea412d66e870c07906766c228eb
Instruction Fuzzy Hash: 94822D7160434A9FDB74AF38C9957DA7BB2FF45350F95862EDC898B254E3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2379, Relevance: 6.3, Strings: 4, Instructions: 1277COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: e7268e54f2bf8e6b69f6352f48633006abcd5cdde42f8557c9add2278f2f1211
Instruction ID: d011e070871da29c3ea32ef89250e14f952c8449c4040c50abdd43d21d2a7a81
Opcode Fuzzy Hash: e7268e54f2bf8e6b69f6352f48633006abcd5cdde42f8557c9add2278f2f1211
Instruction Fuzzy Hash: A6B22E716043499FDB34AF38C9957EA7BB2FF55350F95852EDC899B214E3308A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8C36, Relevance: 6.1, Strings: 4, Instructions: 1072COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 884ee7d15a1baa9e4bb5dfe3a7d5725a04fc1bcf3a79c0c2986e43a3d876e050
Instruction ID: 4cd30fc28b5900bfe3d1a35e9f81ec58c9c1bd4001138ce55eeb2feecad8deb6
Opcode Fuzzy Hash: 884ee7d15a1baa9e4bb5dfe3a7d5725a04fc1bcf3a79c0c2986e43a3d876e050
Instruction Fuzzy Hash: 8F920E716043499FDB389F38C9957EA7BB2FF95350F55812EDC8A8B254D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6B35, Relevance: 5.9, Strings: 4, Instructions: 863COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 1d45648293244661561b2d3d37d8ec79665dd72c4a76d29907d7e4aa4aef00b6
Instruction ID: 8ce5c02e268afe2b3454bc7af9a96935ffaaacabd2bc3b5f9d0084c4bc036096
Opcode Fuzzy Hash: 1d45648293244661561b2d3d37d8ec79665dd72c4a76d29907d7e4aa4aef00b6
Instruction Fuzzy Hash: 77722E7160434A9FDB349F38C9957EA7BB2FF85350F95852EDC899B214E3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6FAF, Relevance: 5.9, Strings: 4, Instructions: 854COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: fd977d2032e5ba1b3177bcfb84b718d05736150479399dc4af382a0ba2b40c04
Instruction ID: ead20f509931a01d242ad532acaef85add526a25e8df68d573c3df4db87aac65
Opcode Fuzzy Hash: fd977d2032e5ba1b3177bcfb84b718d05736150479399dc4af382a0ba2b40c04
Instruction Fuzzy Hash: DB720D7160434A9FDB349F38C9957EA7BB2FF95350F95812DDC8A9B214E3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0147, Relevance: 5.8, Strings: 4, Instructions: 815COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 4d44d49f472f5a6e3ad2aa05f29eff41773924c0de3915346898908356a21fd2
Instruction ID: cf419a68f0c90fc9cdefc07f96503ebc7e299a129aa08df64232c5ff24167120
Opcode Fuzzy Hash: 4d44d49f472f5a6e3ad2aa05f29eff41773924c0de3915346898908356a21fd2
Instruction Fuzzy Hash: 05620D7160434A9FDB34AF38C9957EA7BB2FF55350F95812EDC899B214E3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7077, Relevance: 5.8, Strings: 4, Instructions: 808COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 0b2aaa42fbe990b98635236efd00e62da724e6d1b7e25de85c9da0ab09db2dda
Instruction ID: c6549c615a8652ef4f198bc5077976b9154c33d491e716df4883735e67fe430f
Opcode Fuzzy Hash: 0b2aaa42fbe990b98635236efd00e62da724e6d1b7e25de85c9da0ab09db2dda
Instruction Fuzzy Hash: A7621E7160434A9FDB349F38C9957EA7BB2FF85350F95812EDC899B254E3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3D2C, Relevance: 5.8, Strings: 4, Instructions: 791COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: 2d53cf38aa1b7cc67d15e788d4362335fe250b7ee80264a4a390b1683070fbe3
Instruction ID: 0a11aa9a2aed658bce3db5a93b3456918207cef8c19bb1280b38f3f38b891be7
Opcode Fuzzy Hash: 2d53cf38aa1b7cc67d15e788d4362335fe250b7ee80264a4a390b1683070fbe3
Instruction Fuzzy Hash: 5E621C7160434A9FDB349F38C9957EA7BB2FF85350F95852EDC899B214E3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6B7B, Relevance: 5.8, Strings: 4, Instructions: 782COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: b3b9f2efdd79e04741844d40303aaf8c0fe6f796e05c28d01d82ccbade026427
Instruction ID: b610fea841c40970df328a34c8dda6e583952077fdb2bd595b208dcd674d31c3
Opcode Fuzzy Hash: b3b9f2efdd79e04741844d40303aaf8c0fe6f796e05c28d01d82ccbade026427
Instruction Fuzzy Hash: FD621C7160434A9FDB749F38C9957EA7BB2FF85350F95812EDC899B214E3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3ED8, Relevance: 5.7, Strings: 4, Instructions: 719COMMON

Download Yara Rule

Strings

tp, xrefs: 02BD3F96
vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$tp$vx
API String ID: 0-771500711
Opcode ID: f583a6ed3ddefa21f5a9b3fb1c6a3e140fac8041cdf52f1c3d32b7f73764ed49
Instruction ID: d8bca760110baf2057c41bb7b415b7fcd645348dbc721b0e71841e97ecd077f9
Opcode Fuzzy Hash: f583a6ed3ddefa21f5a9b3fb1c6a3e140fac8041cdf52f1c3d32b7f73764ed49
Instruction Fuzzy Hash: FD52EB7160434A9FDB349F38C9957EA7BB2FF85350F95852DDC899B214E3309A82CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4105, Relevance: 4.3, Strings: 3, Instructions: 590COMMON

Download Yara Rule

Strings

vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$vx
API String ID: 0-3759638386
Opcode ID: b4ec46abd5aeba52616e78cf1c29070db5fda69247e22f3cfb83bd62917940f9
Instruction ID: b8b1403dee3bdc2eb83709fae53d915b600bf3fc4b13212592c0136cf89892c6
Opcode Fuzzy Hash: b4ec46abd5aeba52616e78cf1c29070db5fda69247e22f3cfb83bd62917940f9
Instruction Fuzzy Hash: 5032FC7060434A9FDB74AF34C9957EA7BB2FF55350F85852EDC899B214E3308A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD421B, Relevance: 4.3, Strings: 3, Instructions: 557COMMON

Download Yara Rule

Strings

vx, xrefs: 02BD41FA
QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy$vx
API String ID: 0-3759638386
Opcode ID: 82387af514792abdbf3360930534cbe9a97c54d3845b6bfc4e6a93e142d3f210
Instruction ID: 8c35a1d15bb5598e7e85ea7cf8161976310fc80849353ba78fdb2e78d1483244
Opcode Fuzzy Hash: 82387af514792abdbf3360930534cbe9a97c54d3845b6bfc4e6a93e142d3f210
Instruction Fuzzy Hash: 3232EB7060438A9FDB74AF34C9957EA7BB2FF55350F85852DDC898B214E3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD42C0, Relevance: 3.0, Strings: 2, Instructions: 515COMMON

Download Yara Rule

Strings

QHwy, xrefs: 02BD433E
&/L, xrefs: 02BD4378

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &/L$QHwy
API String ID: 0-685307406
Opcode ID: 87c677c1e8dc425ae01e000005fbd6a0f1d619deeac4700936dceddaabb6a3b7
Instruction ID: 20da9c4dbd4a1d9bf9b01dfde2e558e0e59951050b953e20eaf41ea97df5519b
Opcode Fuzzy Hash: 87c677c1e8dc425ae01e000005fbd6a0f1d619deeac4700936dceddaabb6a3b7
Instruction Fuzzy Hash: CC22DA706043499FDB78AE34C9957EA7BB2FF95350F45852DDC8A8B214E3709A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0CC3, Relevance: 2.8, Strings: 2, Instructions: 333COMMON

Download Yara Rule

Strings

@88, xrefs: 02BD0CF5
Lms2, xrefs: 02BD0F75

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @88$Lms2
API String ID: 0-3966764761
Opcode ID: 4decc1277557a93ce0e2d16f42fe1cd6f1c3e1cd822581682b78ccfd629323cb
Instruction ID: e5452a7f82fa00123c50353b9d07772b8db46f2b59c2a1a1be1a2151c046ee10
Opcode Fuzzy Hash: 4decc1277557a93ce0e2d16f42fe1cd6f1c3e1cd822581682b78ccfd629323cb
Instruction Fuzzy Hash: 90C1C0315003469BDF349E788DA93DF7763EF96360F9A426ECC8997148E7328986C742

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1A21, Relevance: 2.7, Strings: 2, Instructions: 249COMMON

Download Yara Rule

Strings

->', xrefs: 02BD1A22
->', xrefs: 02BD1A27

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ->'$->'
API String ID: 0-620809635
Opcode ID: 8859ab9347352de6486357a13b118da7fc7e25112808db8f7c407c33ba8310f7
Instruction ID: 0d6c5c4d8b018e7e106df93a77644b08f21f16fa2f2c260fd85f3dd319433b81
Opcode Fuzzy Hash: 8859ab9347352de6486357a13b118da7fc7e25112808db8f7c407c33ba8310f7
Instruction Fuzzy Hash: C091F371A013489FDB359F28CD90BDF77A6EF99310F85442EEC899B204D3319A85CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0916, Relevance: 1.8, Strings: 1, Instructions: 536COMMON

Download Yara Rule

Strings

Lms2, xrefs: 02BD0F75

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 51308c52b84d2a064add448bd57d355ef5fb253950022d93a03a67241d197ae3
Instruction ID: 9b6d7c932efe5ebb31ed6f974cf6fd7670cb08153be51b613472dc4ce701f57b
Opcode Fuzzy Hash: 51308c52b84d2a064add448bd57d355ef5fb253950022d93a03a67241d197ae3
Instruction Fuzzy Hash: 92128B7160434A9FDF349E788DA97EE37A3EF95350F99422ECC8987244E3318A46CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5908, Relevance: 1.8, Strings: 1, Instructions: 505COMMON

Download Yara Rule

Strings

kfz, xrefs: 02BD59B8

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: kfz
API String ID: 0-1680243779
Opcode ID: 7c6ab68da620841aea03fc74276b63acfa763286a69f3c29d4a9463f76f14d12
Instruction ID: aba81381062aa16a13568ebd0faf2205ddc3be2dce650e3f51384cc3e6fd116a
Opcode Fuzzy Hash: 7c6ab68da620841aea03fc74276b63acfa763286a69f3c29d4a9463f76f14d12
Instruction Fuzzy Hash: EF02527260434ADFDB34AE74CDA57EE7BB2AF55350F95456DDC8A8B201E3318982CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD87BC, Relevance: 1.6, Strings: 1, Instructions: 399COMMON

Download Yara Rule

Strings

0@x, xrefs: 02BD886E

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 0@x
API String ID: 0-938712303
Opcode ID: a8d82179bd2045ba68fc8fb3ad2913d9d61df141760d3e7fbc7e600e1e010587
Instruction ID: 006f4d4549342f6c9c591e864cd8cac49f7f69c4383a8a2ae6e9144014710e17
Opcode Fuzzy Hash: a8d82179bd2045ba68fc8fb3ad2913d9d61df141760d3e7fbc7e600e1e010587
Instruction Fuzzy Hash: 0BA179B16483449FE714AF38CC95BEA37A6EF16310F4901AED9C6C7212F3759882CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD28A0, Relevance: 1.6, Strings: 1, Instructions: 389COMMON

Download Yara Rule

Strings

1Z, xrefs: 02BD2D18

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1Z
API String ID: 0-1085126445
Opcode ID: 850812e986fd8c302a0903e7ddc3ecb26bf231615089db9a557cb0c2bb50453b
Instruction ID: 0feae2bfd26d910a6430823c2757fb1641a73383f4af55809ca2629961b4d7e6
Opcode Fuzzy Hash: 850812e986fd8c302a0903e7ddc3ecb26bf231615089db9a557cb0c2bb50453b
Instruction Fuzzy Hash: 5EE1CF72B007869FDB24CF28D894BDAB7A2FF49350F858229DC8C97741D771AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0BDC, Relevance: 1.6, Strings: 1, Instructions: 377COMMON

Download Yara Rule

Strings

Lms2, xrefs: 02BD0F75

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 81197a82a793356f5dee2cbbde804992828fee068848ec98d60f3406d6df3708
Instruction ID: d24ac539948ded84d8e3b7816cf621e97d9d4b3d40424cc3078824033ea53332
Opcode Fuzzy Hash: 81197a82a793356f5dee2cbbde804992828fee068848ec98d60f3406d6df3708
Instruction Fuzzy Hash: E1D1C1316043469BDF349E7C8CA57DB37A3AF96360F99426ECC898B149E7314986C742

Uniqueness

Uniqueness Score: -1.00%

Function 02BD15BD, Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

/8', xrefs: 02BD15C8

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /8'
API String ID: 0-3619585105
Opcode ID: 1d0d2a361c5d06d41a64e2768df78d643094fe9993834c9de80c1669d1d45781
Instruction ID: 32cbbf333aac5ae4c48667536d606632d9da1fd7b7c7db5d3e22e400264d7da6
Opcode Fuzzy Hash: 1d0d2a361c5d06d41a64e2768df78d643094fe9993834c9de80c1669d1d45781
Instruction Fuzzy Hash: 45C19D7160878A9FDB319F38CC547EB7BA2AF56360F8942ADCCC98B245E3304546CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0C54, Relevance: 1.6, Strings: 1, Instructions: 342COMMON

Download Yara Rule

Strings

Lms2, xrefs: 02BD0F75

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 81b2ee3cdbd22725429c15e79c28cb9a3fdd81719a0fc5186c861ed51dd918bf
Instruction ID: 8a391b03d4072be44e615729c78f00df8c72b7e00061ae34ae8feabc9bcf61ab
Opcode Fuzzy Hash: 81b2ee3cdbd22725429c15e79c28cb9a3fdd81719a0fc5186c861ed51dd918bf
Instruction Fuzzy Hash: 89C1BF315043469BDF349E788DA93DB77A3EF96360F99425ECC8987148E7318986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD0C4C, Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

Lms2, xrefs: 02BD0F75

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Lms2
API String ID: 0-2085362527
Opcode ID: 8f7793cb23869a38cc1798174e8fa500fbe7be7e0466a4371dcae05ae9f342c1
Instruction ID: e147c6a0eab35b879cdf3560cc2a3c7539798bdffde450ea849b63524451fb3a
Opcode Fuzzy Hash: 8f7793cb23869a38cc1798174e8fa500fbe7be7e0466a4371dcae05ae9f342c1
Instruction Fuzzy Hash: FDC1CE315003469BDF349E7C8DA93DB77A3EF96360F99425ECC8987148E731898AC742

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5D43, Relevance: 1.6, Strings: 1, Instructions: 315COMMON

Download Yara Rule

Strings

$EO, xrefs: 02BD5D48

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $EO
API String ID: 0-2138441739
Opcode ID: d4ac3de3a32bb47566cf54f4a3c2159ac423c46902df67b102f6303aec9ab074
Instruction ID: 00b244f59b788b099b7602dc6c97c646a49118b6cd8590219f57642ee75019ee
Opcode Fuzzy Hash: d4ac3de3a32bb47566cf54f4a3c2159ac423c46902df67b102f6303aec9ab074
Instruction Fuzzy Hash: 53B10074B003498FDB25AF74C8A17DA3BA7AF99310F94806EDC898B344EB35D981CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BD322C, Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

M$!, xrefs: 02BD3451

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: 6b86ab6c6797689961e79a7621f7b001d05e7d4019f6d67ffb13a28ded03de95
Instruction ID: 63033a609b9d4ad2343aab230e92310186449001a5acbf59c3b455541767919a
Opcode Fuzzy Hash: 6b86ab6c6797689961e79a7621f7b001d05e7d4019f6d67ffb13a28ded03de95
Instruction Fuzzy Hash: 4AC15472A013449FDF359F38C8997EA77B2EF16350F99419EDC899B251E3348985CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7BA4, Relevance: 1.5, Strings: 1, Instructions: 276COMMON

Download Yara Rule

Strings

[2[T, xrefs: 02BD7C82

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: [2[T
API String ID: 0-804157235
Opcode ID: 0d4170137e384e2854fb76abbb7c209ff1f1566fd257b5cebaea0a2580257798
Instruction ID: 502f213cec625700f6222683b37efa9b7d453038b29188016d4d3f7f0a0f2e22
Opcode Fuzzy Hash: 0d4170137e384e2854fb76abbb7c209ff1f1566fd257b5cebaea0a2580257798
Instruction Fuzzy Hash: E491CB71A043499FEB246E78CDA53EB3BF2EF56350F85056ECC8697204E7718982CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3259, Relevance: 1.4, Strings: 1, Instructions: 188COMMON

Download Yara Rule

Strings

M$!, xrefs: 02BD3451

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: a662118fcd3fd0baa38fc30aab846062d2292b323e48d3eb421dd7f79bda4a08
Instruction ID: 4d4d3dca48cd1a54ce8f9750ddf7479619f42f4e7dcb1d93980f8b4392a9b8e1
Opcode Fuzzy Hash: a662118fcd3fd0baa38fc30aab846062d2292b323e48d3eb421dd7f79bda4a08
Instruction Fuzzy Hash: 0E6145729053458FCF289F34C869BEA77B3AF15350F9A419EDC899B262D3318985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2C2A, Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

1Z, xrefs: 02BD2D18

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 1Z
API String ID: 0-1085126445
Opcode ID: fa4634c50492804967462932e109a4581b8f89dbc5c0d7f13cd84a6ad4ba8950
Instruction ID: acef27eb66847bbf36be1e2fa2efba394f40295ddfde00641fa8230dbf5d9e9d
Opcode Fuzzy Hash: fa4634c50492804967462932e109a4581b8f89dbc5c0d7f13cd84a6ad4ba8950
Instruction Fuzzy Hash: 1951E272600386DFDB34DF38D9907CA77A2FF09360F958229DC5897251D771AA51CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3325, Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

M$!, xrefs: 02BD3451

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: M$!
API String ID: 0-1801001277
Opcode ID: 0ed9a1a5a13030ad2946c3eea10e19539bf0496341f8ebd47157184f553c46c9
Instruction ID: 728c011ac874b78ae83d8b3c67de59f761da578988e505dc9067747eafac1edc
Opcode Fuzzy Hash: 0ed9a1a5a13030ad2946c3eea10e19539bf0496341f8ebd47157184f553c46c9
Instruction Fuzzy Hash: B3516672E11359CFCF348E3488657EA3BB3AF5A360F99015EDC8E9B211D3305A858B41

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7337, Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

`, xrefs: 02BD734A

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: fef4388c06ffdddc4d5a9c6bfec5223495b70529f1dc59f701c6f1b3f5706e0a
Instruction ID: 74fb8b487166fcd400349ed8fcd31f4033b8741cc21bcdf9988193619eab860c
Opcode Fuzzy Hash: fef4388c06ffdddc4d5a9c6bfec5223495b70529f1dc59f701c6f1b3f5706e0a
Instruction Fuzzy Hash: 991134351483CD8FDF388E24CC293DA7762AF66344F5640AD8C8E9B102D7341786DB40

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7503, Relevance: 1.3, Strings: 1, Instructions: 18COMMON

Download Yara Rule

Strings

$^N, xrefs: 02BD750D

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: $^N
API String ID: 0-2705847047
Opcode ID: 7abd2ccefdddf70b19a4969173953bab863de77e667584601ab399795d58fa23
Instruction ID: 0e41a367a29fa9fac4604bf9d7a76914cbf61d55e2c1c1e2d968bd84257bb0a3
Opcode Fuzzy Hash: 7abd2ccefdddf70b19a4969173953bab863de77e667584601ab399795d58fa23
Instruction Fuzzy Hash: 3AD022D1A903230497B226346605AF26483DB83378B7486F02C0A4E64BFC88CD08B442

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7D3E, Relevance: .7, Instructions: 695COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f82d8df1c72f9f4b8ba57a30bd10e4ed9019207fdfdc7525b3291b07e4c558b
Instruction ID: 5f3bf9c269d1ece2e597c103ca06a1d326f6059564c125e12682d897248d7cc4
Opcode Fuzzy Hash: 5f82d8df1c72f9f4b8ba57a30bd10e4ed9019207fdfdc7525b3291b07e4c558b
Instruction Fuzzy Hash: 635229716043858FDF35DF38C8947DA7BE2AF56360F4982AACC898F296D7348546CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7D06, Relevance: .4, Instructions: 355COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419d449f522ff3e9cca7773e4f822835c571b647ccf21ab0d02b445774dafdd8
Instruction ID: 61d4159fd1add4a7b490cfe15f2239c7232882a1e59a6f965f62942b3c3522ed
Opcode Fuzzy Hash: 419d449f522ff3e9cca7773e4f822835c571b647ccf21ab0d02b445774dafdd8
Instruction Fuzzy Hash: A1E1F3715087868FCB25DF38C8987DA7BA1AF56360F49C29AC8D98F2D7D3348545C712

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4712, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84363423a5a6cbcde9744c990ce3f4a4712a87a73469c2b3d27908138689b2bb
Instruction ID: 2d90f9012abc6bd74f9d1bc17b43a6cddd0ba6b42abf8a9c9f26b0c821debd22
Opcode Fuzzy Hash: 84363423a5a6cbcde9744c990ce3f4a4712a87a73469c2b3d27908138689b2bb
Instruction Fuzzy Hash: 3DB1A6716053898FDF759E25CC957DE3BB2FF58310F94812ADD898A214E7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD47C8, Relevance: .3, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac812b4cc9e531aac81d85bc0742524e657549492c245a2de194454e26e3001
Instruction ID: 681ba367becc5434cd51ee18b1a33b13b4d57ad66bcd72ac7af03556c6b3f5ba
Opcode Fuzzy Hash: 3ac812b4cc9e531aac81d85bc0742524e657549492c245a2de194454e26e3001
Instruction Fuzzy Hash: 42B195716053898FDFB59F24CD997DE3BB2FF58310F94812ADD898A214E7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD475F, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c3203b7a5f65f5d3cc0ac1a01c8a4f822f4c157d7faea61451f97883e2cc9a8
Instruction ID: 269159f3c1ad40f22a4423a9a4b13e40b983550afd4a935f7ed4a647ef61a0a1
Opcode Fuzzy Hash: 2c3203b7a5f65f5d3cc0ac1a01c8a4f822f4c157d7faea61451f97883e2cc9a8
Instruction Fuzzy Hash: 9EB197716053898FDB749F39CD957DE7BB2FF54350F98812ADD898A224E7318A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD47A2, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e3d69319fad712e52e684d442d791dd70626d38063511ff0ceb5201062c6de9
Instruction ID: 4a706eb57121df78a2770033e9162cbece4d45c2ff1dbf622d161a4a75e5152b
Opcode Fuzzy Hash: 1e3d69319fad712e52e684d442d791dd70626d38063511ff0ceb5201062c6de9
Instruction Fuzzy Hash: 71B197716053898FDFB49F25CD957DE3BB2FF54350F94812ADD898A224E7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD048D, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e0989577e9f0a3f4aaad36853043f5d12b16cf069b6a87e84823042ef51d11
Instruction ID: 2647a7cdebae87bfecf017dfe7b933238fb5887defd2ce14935c20ae82b72891
Opcode Fuzzy Hash: d6e0989577e9f0a3f4aaad36853043f5d12b16cf069b6a87e84823042ef51d11
Instruction Fuzzy Hash: B3816876A043499FDB24AF78CCA53DA77F2AF46350F55462EDC89D7210E7708981CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4860, Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37e1918b087bc17287b9ba8a58576b19ac005c6bf89ae8aa912b9ede718a0dd2
Instruction ID: 30adc5728346e6b85bb9e1481f21b2a3ee3ca928d3dd2de96c6250d7c0cef609
Opcode Fuzzy Hash: 37e1918b087bc17287b9ba8a58576b19ac005c6bf89ae8aa912b9ede718a0dd2
Instruction Fuzzy Hash: 4EA196706053898FDFB49F24CD957DE3BB2FF54350F94812ADD898A214E7318A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD4912, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a534e4a8918e90edb021247a63deed68053798050b6e33af97792d414381210
Instruction ID: 07d44757c6d9fd49669a9e1251863b85238ad2d34deb534f7920a88867284d49
Opcode Fuzzy Hash: 8a534e4a8918e90edb021247a63deed68053798050b6e33af97792d414381210
Instruction Fuzzy Hash: 2BA1A9706053898FDBB49F39CD957DE3BB2FF58350F58802ADD898A214E7308A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8C42, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7379a23292a111c8e090c9fb8fc8091aeb0583ca5809fb1bce47d693263d1b66
Instruction ID: df0b9128cfde61d6d04e03442e8e2fff7d6ec3ad93e3ca3972782290ee0f5a48
Opcode Fuzzy Hash: 7379a23292a111c8e090c9fb8fc8091aeb0583ca5809fb1bce47d693263d1b66
Instruction Fuzzy Hash: 60812271A00745CFDF399E78C9A53E97BA3FF85360F65812ECC4A8B250D3349A86CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02BD48E9, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a19dd81fd21b226961219a819fa6fae0afdba0573459631496ee139f99b71b0
Instruction ID: c42c204c1a511661ff4be25989908a2ae30747e111aded68c5379fe8bbde9d0d
Opcode Fuzzy Hash: 9a19dd81fd21b226961219a819fa6fae0afdba0573459631496ee139f99b71b0
Instruction Fuzzy Hash: E8A1A7706053898FDBB59F39CD957DE7BB2FF58350F58842ADD898A214E7308A81CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD23FF, Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbc7e236d11d80962cb90cd59f1138b224c9ebf65dca2abe17c10d9cc9b4ce78
Instruction ID: cdbe5f383ae89dd36a6c7c75c43d963ac8f1551b9f25fa08f20cde097761dc09
Opcode Fuzzy Hash: dbc7e236d11d80962cb90cd59f1138b224c9ebf65dca2abe17c10d9cc9b4ce78
Instruction Fuzzy Hash: A68102716083899FDB349F28D8543EEB7E2EF95310F95447EEC8A97241D7309A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7F4E, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5171c8334189c00f21411413a0dd421c9e7c3051079d6c9418fa2090561a7b09
Instruction ID: 175f85badf0134579b8ea8187d2b57f727b81ccfd7269f0949c3eba01c65ce27
Opcode Fuzzy Hash: 5171c8334189c00f21411413a0dd421c9e7c3051079d6c9418fa2090561a7b09
Instruction Fuzzy Hash: A581F6715043C58FCF35CF3898A47EA7BA1AF56360F4983ADC89A8F286E7358541CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2EF7, Relevance: .2, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea13a42c57d636ca3cff0a26ec025f06585ece3f3bf6f9243fe770aa63fd7b8
Instruction ID: 744750b0d21b218e7a53e04147e617063f59d25138e709c022d939a8fe90c975
Opcode Fuzzy Hash: aea13a42c57d636ca3cff0a26ec025f06585ece3f3bf6f9243fe770aa63fd7b8
Instruction Fuzzy Hash: 7F61F371B40659DFDB348E28CCA07DA77E2FF45310F99816AEC48AB344E7349D858B80

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2455, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00274ef138eb723b928bf0ded89fb7a2bb62f6aa9ce4e5a058b0895f9823da06
Instruction ID: 1e5e3f255309b5320684ac1467d0e04cee11d813ad1f1d0e0b761a55826b8fee
Opcode Fuzzy Hash: 00274ef138eb723b928bf0ded89fb7a2bb62f6aa9ce4e5a058b0895f9823da06
Instruction Fuzzy Hash: AA61FF716043899FDB349F28D9643EA77A2EF95310F95407EAC8EDB244D7308A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02BD05B1, Relevance: .2, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9063d224057fbabbf4c369b302a0ef3c6913cb5cd0e129926b3a9149a28b44d3
Instruction ID: 11b2191c32c8e17b6d23979bf7e38e5f2e1681ef874b06b204935522e1592194
Opcode Fuzzy Hash: 9063d224057fbabbf4c369b302a0ef3c6913cb5cd0e129926b3a9149a28b44d3
Instruction Fuzzy Hash: F4517976A04315DFDB246E78CC613EA7BB2AF56360F590A6DDCD5C7200E3718982CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2518, Relevance: .2, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22eb534dd5e0afdfaf5406c750823696b056dab4a061b267fe35b930f4971711
Instruction ID: e6614bf5d0c381c2c2f7d5ee98466b8698990fdfd9deb3b7e5556a86c55e3dea
Opcode Fuzzy Hash: 22eb534dd5e0afdfaf5406c750823696b056dab4a061b267fe35b930f4971711
Instruction Fuzzy Hash: 185136766442899FCF348E38DC603EA77A3AF85320FA5053EAC5EC7245D7709E42CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02BD1A78, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 816513b41f483079833b902bff62bd920586250a5b3a0141946ebb59520b4f67
Instruction ID: c0e4fb8abeddccac0db0ac25bf3c171bdb0720a553861bed5de9eff8f2b55bfd
Opcode Fuzzy Hash: 816513b41f483079833b902bff62bd920586250a5b3a0141946ebb59520b4f67
Instruction Fuzzy Hash: F4510372A053588FCB359F28CD64BDE7BA2BF99760F86052DDC8DA7200D3319A41CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02BD80A4, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d20da4d3af8f087b45d18d037624093526d3dfd6ffb998e90fe3d0473beeacaf
Instruction ID: 689c581b1f9546b2026d5c90314762f8261cd054a5125ce9e493f8a82b8ac5fb
Opcode Fuzzy Hash: d20da4d3af8f087b45d18d037624093526d3dfd6ffb998e90fe3d0473beeacaf
Instruction Fuzzy Hash: 2F5107715087C98FCF35DF3498A87EA7BA1EF26361F44829DC88A8E286E7354145CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3A18, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e95eb92afd3799edb4a42943fde9e10bb2446b892686d9b8820b2b7e050d26ab
Instruction ID: 0611f7b377ebac1fa947281864bd4bd2ad6da3aa92e2a4a4983d77d9cdae85ad
Opcode Fuzzy Hash: e95eb92afd3799edb4a42943fde9e10bb2446b892686d9b8820b2b7e050d26ab
Instruction Fuzzy Hash: 725104726057408FDB30CE2A89D13DA77F3AF88700F9846AEC84E8B205D336A581CF06

Uniqueness

Uniqueness Score: -1.00%

Function 02BD163B, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be56e0571451d356beeeb4413e8465e7867a145a5b1182a4ddb6e90f709934f
Instruction ID: 0f1592677d2e8c060b88dec2d179918cb5b3dc97f78143d8ddcc3c213886c307
Opcode Fuzzy Hash: 4be56e0571451d356beeeb4413e8465e7867a145a5b1182a4ddb6e90f709934f
Instruction Fuzzy Hash: 04510420509BC79BD7229F3C88197E7BF61AF43364F8983DD88984B196D3355546C782

Uniqueness

Uniqueness Score: -1.00%

Function 02BD80C6, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b62e8b07eba8ac5c5f70aa7849d5570c560046a81ec4528034d712c217d5f5c
Instruction ID: c37bec76b724a4bbd861b7aeb4a961cd23d7af1ea1595de8d6bdb0e26a11e7c2
Opcode Fuzzy Hash: 9b62e8b07eba8ac5c5f70aa7849d5570c560046a81ec4528034d712c217d5f5c
Instruction Fuzzy Hash: 5A5119715083898FCF35DF349CA47E67BA1EF26361F44829DD88E8E286E7354541CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD80EF, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fee0e77f9429489db36a746eaf61f560021145739d4caaa542e9be68710563b7
Instruction ID: aa3b629393b38c0ffcd179531d37b0550f3f9a39cd4ddf57b9ccea85726f74bf
Opcode Fuzzy Hash: fee0e77f9429489db36a746eaf61f560021145739d4caaa542e9be68710563b7
Instruction Fuzzy Hash: C551C5715083C98FCF75DF3898A47DA7BA1EF16360F48829DC88E8E286E7344545CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3A69, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aaef29a3f240763d16a94f8fa319912192dbc2b7e5de2f79e43fe868d855d568
Instruction ID: 8d0168cfb9a3baea8530d3ccef77ebf1c66fb272b71080a576f552ced10648c2
Opcode Fuzzy Hash: aaef29a3f240763d16a94f8fa319912192dbc2b7e5de2f79e43fe868d855d568
Instruction Fuzzy Hash: 7F41CF726057449FDF30CE2A89957DA77F3AF88704F98466AC84D9B205D336AA81CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02BD832E, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7431c47b043478a39067bcfc2b890f24fb73e2fceb593a8ca8fd274ceb86fc
Instruction ID: f34e1fd8e259e131250da39b9b523de86c7553d26580e94d08aea36c00884bc9
Opcode Fuzzy Hash: 3d7431c47b043478a39067bcfc2b890f24fb73e2fceb593a8ca8fd274ceb86fc
Instruction Fuzzy Hash: 62415A76508385DBDF34DE38C9D5BEA3BA3AF85354F088069CC499F249E3319642CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02BD517E, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2be1c52b4a6179c95d4887121b7e37563b231aad3a57f5eb19063ba4e79b1c7
Instruction ID: 4bced2aa136e288fa4da051c535976434980d3ed8a098811ea4471d381cc6e06
Opcode Fuzzy Hash: e2be1c52b4a6179c95d4887121b7e37563b231aad3a57f5eb19063ba4e79b1c7
Instruction Fuzzy Hash: 8C312675A143468FDB28DE28C561BDB77F2AF86390F41841E9C8BA7650DB368A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2228, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef3c7fdd781630ed164e77781e3edc6705980aa24f598744d7aa1dfc7fc79347
Instruction ID: ffbb26ab981886d505273a7ad05b934feccda4e4ac1acbf5cf1416aca236582f
Opcode Fuzzy Hash: ef3c7fdd781630ed164e77781e3edc6705980aa24f598744d7aa1dfc7fc79347
Instruction Fuzzy Hash: 40210231248348AFDB60AF708894BEF77A7BF44390F96001DECC997120E7345A86CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02BD38D1, Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24e47d3d9d285bbb9d0e759e86b58d03cdb2c27fd5c59be7cd631b574f131e00
Instruction ID: 0c54c5f6cedf129e3c3f7bc171d2734a05682b73193b9526d886688d07a00dcd
Opcode Fuzzy Hash: 24e47d3d9d285bbb9d0e759e86b58d03cdb2c27fd5c59be7cd631b574f131e00
Instruction Fuzzy Hash: AD31D7706083958BDF76CFB8C5D8BCA7BD0AF06218F0982ADCC998A597E3358145CB03

Uniqueness

Uniqueness Score: -1.00%

Function 02BD841E, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1177fd78c677d8f7e93db0af80f187fa88576a35c51b50e60cbaccc4260fbc53
Instruction ID: fd1f57e358f4a00b9d9f60b0f55b2cc71c24afa984147a58e8949262c3c25356
Opcode Fuzzy Hash: 1177fd78c677d8f7e93db0af80f187fa88576a35c51b50e60cbaccc4260fbc53
Instruction Fuzzy Hash: 14213372508385DBDF349F3888857EABB63AF42354F4980A9C889DF185D7319246CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3D84, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53447adcc2597f5d09f7d14f8fbc5d27f57589e44d075274ee34e5b4f546ad5f
Instruction ID: 2db710dda045d44aae91be7523b6c01bf607bb366a7ec41f806e57ee046e321b
Opcode Fuzzy Hash: 53447adcc2597f5d09f7d14f8fbc5d27f57589e44d075274ee34e5b4f546ad5f
Instruction Fuzzy Hash: 631123725443148FCB686F3489623EEB7F6EF06780F46451DECD6A7280D33049888B83

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7106, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90ffe0555d254d947e14d687c02eb1b258e8a4230dfe6f4af41fa780d80347f6
Instruction ID: d74aa68d08fc1da82c428b11f55dd707af69999d2c0941b39d7a84c40b92a1a5
Opcode Fuzzy Hash: 90ffe0555d254d947e14d687c02eb1b258e8a4230dfe6f4af41fa780d80347f6
Instruction Fuzzy Hash: 0F115E3165425ACFDB34DF18C894BDAB3A6BF15B14F8540AAD94CDB214D730AA84DB60

Uniqueness

Uniqueness Score: -1.00%

Function 02BD92BB, Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7a5613cb2749d7199bc7e08115f28c959c089e24f1213ae22cf85f0202de3f3
Instruction ID: 83cad20e546be65fa1cd72aba4b9901c10c3489d5b04f9dc40bc32624e8f2a47
Opcode Fuzzy Hash: f7a5613cb2749d7199bc7e08115f28c959c089e24f1213ae22cf85f0202de3f3
Instruction Fuzzy Hash: B3D0230E74050D0D3A5005F85B95387B9DB9F931907F0C029C25593005D85DD3A5D4B5

Uniqueness

Uniqueness Score: -1.00%

Function 02BD504C, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92bb562e77a43175a078add7583b01ddce9d739d5cc74ca3e919f93824f3e310
Instruction ID: 6682de81b510e56234623ee8faa750cec3f52fff5b2b661f310518eaad6beb98
Opcode Fuzzy Hash: 92bb562e77a43175a078add7583b01ddce9d739d5cc74ca3e919f93824f3e310
Instruction Fuzzy Hash: 47C048B27405809FEA02CE18CA81B4473B2AB65A88B4A48D0E4028B692E324EE00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6B69, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.745965954.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6272081b924cc0520a84a7928bef81a9e8b0ab88ce8fcd5f3fb1f35c65d0513b
Instruction ID: 42b303bc188979856c4e877d788fe827723275c7d554067cdf8c2c8365824780
Opcode Fuzzy Hash: 6272081b924cc0520a84a7928bef81a9e8b0ab88ce8fcd5f3fb1f35c65d0513b
Instruction Fuzzy Hash: C1B00279655A409FDA95CB19C194E4077A4B745A50B515490E4119BB15C264E904CA50

Uniqueness

Uniqueness Score: -1.00%

Function 00432954, Relevance: 39.2, APIs: 26, Instructions: 198COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004329AC
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 004329C3
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000014), ref: 004329E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A18
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A26
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432A2E
#560.MSVBVM60(?), ref: 00432A3E
__vbaFreeVar.MSVBVM60(?), ref: 00432A54
__vbaNew2.MSVBVM60(0042F964,00434454,?), ref: 00432A74
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000014), ref: 00432A94
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432ABD
__vbaStrMove.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432ACB
__vbaFreeObj.MSVBVM60(00000000,?,0042F9AC,00000130), ref: 00432AD3
__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00432AEA
__vbaObjVar.MSVBVM60(?), ref: 00432AFB
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 00432B05
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000010), ref: 00432B1C
__vbaFreeObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000010), ref: 00432B24
__vbaNew2.MSVBVM60(0042FCF0,00434010,?), ref: 00432B3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432B54
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000198), ref: 00432B7A
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F99C,00000198), ref: 00432B88
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BB0
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BB8
__vbaFreeStr.MSVBVM60(00432BCE), ref: 00432BC0
__vbaFreeVar.MSVBVM60(00432BCE), ref: 00432BC8

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#560AddrefCopy
String ID:
API String ID: 4235209719-0
Opcode ID: dc94613d244f8cc90b82b270987e0c3f68574467d8f4b31c05f9ea13f7054625
Instruction ID: e0a53f085f6a5ed97cc7650860fd447c48f529b9b77e63bf8bd6ac0d90ec1ae0
Opcode Fuzzy Hash: dc94613d244f8cc90b82b270987e0c3f68574467d8f4b31c05f9ea13f7054625
Instruction Fuzzy Hash: 95618070E00219ABCB14FFA6D985EDEBBB8AF08304F50447EF115F71A1DA786909CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432743, Relevance: 28.7, APIs: 19, Instructions: 151COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 0043278F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004327A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FB58,00000134), ref: 004327E3
__vbaFreeObj.MSVBVM60(00000000,00000000,0042FB58,00000134), ref: 004327EB
#696.MSVBVM60(0042FB6C), ref: 004327F5
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 0043281B
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 00432825
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 0043282D
__vbaNew2.MSVBVM60(0042FCF0,00434010,?,000000FF,000000FE,000000FE,000000FE,0042FB6C), ref: 00432845
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043285D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,00000170), ref: 00432883
#529.MSVBVM60(00000002), ref: 0043289D
__vbaFreeObj.MSVBVM60(00000002), ref: 004328A5
__vbaFreeVar.MSVBVM60(00000002), ref: 004328AD
__vbaNew2.MSVBVM60(0042FCF0,00434010,0042FB6C), ref: 004328C5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004328DD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F9DC,00000058), ref: 004328FD
__vbaFreeObj.MSVBVM60(00000000,00000000,0042F9DC,00000058), ref: 0043290B
__vbaFreeStr.MSVBVM60(00432939), ref: 00432933

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#529#696#704Move
String ID:
API String ID: 640063502-0
Opcode ID: 0f76bd054df706205ed51dec6e9ed3ee306bdeff0ddcb91e7331c7555fbdb1d0
Instruction ID: 1e2ff1b58aed05f94dc31783988c8574996fb186c0df54be1a7295b641757b08
Opcode Fuzzy Hash: 0f76bd054df706205ed51dec6e9ed3ee306bdeff0ddcb91e7331c7555fbdb1d0
Instruction Fuzzy Hash: EF512B70A00218ABCB14EBA6DD85FEE77B8AF18704F50027EF511F71E1D77869058A68

Uniqueness

Uniqueness Score: -1.00%

Function 00432E33, Relevance: 24.2, APIs: 16, Instructions: 172COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0042F964,00434454), ref: 00432E7B
__vbaHresultCheckObj.MSVBVM60(00000000,02C4E8B4,0042F954,00000014), ref: 00432E9F
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432EC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432EE0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA54,0000013C), ref: 00432F06
__vbaHresultCheckObj.MSVBVM60(00000000,?,0042F9AC,0000013C), ref: 00432F35
__vbaFreeStr.MSVBVM60 ref: 00432F3D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432F4E
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432F69
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432F81
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042F99C,000001D0), ref: 00432FB9
__vbaFreeObj.MSVBVM60 ref: 00432FC1
__vbaNew2.MSVBVM60(0042FCF0,00434010), ref: 00432FD9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432FF1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0042FA04,00000078), ref: 00433011
__vbaFreeObj.MSVBVM60 ref: 0043301F

Memory Dump Source

Source File: 00000000.00000002.735019487.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.734992768.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.735294986.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.735306594.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: d8fc1e97a8124da63c7165a91673e195d5dd7a13890d36ae498410e8abec7654
Instruction ID: 90094902804c8d869a39f63203a35e52884b7f5142c287b24208c0286d162330
Opcode Fuzzy Hash: d8fc1e97a8124da63c7165a91673e195d5dd7a13890d36ae498410e8abec7654
Instruction Fuzzy Hash: B0516070A00214ABCB14EFA6DD86FEF77B8AF19704F50046AF510F7191D6B8A9058B68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report MWSW9nxmUK

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: MWSW9nxmUK.exe PID: 5060 Parent PID: 5768

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: MWSW9nxmUK.exe PID: 5060 Parent PID: 5768 MWSW9nxmUK.exeCOMMON