Play interactive tour

Edit tour

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Sample Name:	kGSHiWbgq9.exe
Analysis ID:	457930
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

kGSHiWbgq9.exe (PID: 5364 cmdline: 'C:\Users\user\Desktop\kGSHiWbgq9.exe' MD5: 27BF14807BC9D5CD2D823293F43C3A3A)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://101.99.94.119/WEALTH_PRUu"}

Multi AV Scanner detection for submitted file

Show sources

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Perma Link

Machine Learning detection for sample

Show sources

Source: kGSHiWbgq9.exe

Joe Sandbox ML: detected

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://101.99.94.119/WEALTH_PRUu

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465968 NtAllocateVirtualMemory,		0_2_02465968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465A62 NtAllocateVirtualMemory,		0_2_02465A62

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465968	0_2_02465968
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460211	0_2_02460211
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02464339	0_2_02464339
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024640B7	0_2_024640B7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024686DB	0_2_024686DB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024686F4	0_2_024686F4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465781	0_2_02465781
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_0246443A	0_2_0246443A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024694D8	0_2_024694D8
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_0246853B	0_2_0246853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024695C6	0_2_024695C6
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024685E7	0_2_024685E7
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024605A1	0_2_024605A1
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465A62	0_2_02465A62
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462A77	0_2_02462A77
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02467A7A	0_2_02467A7A
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460B59	0_2_02460B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460BDC	0_2_02460BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02463BFF	0_2_02463BFF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462873	0_2_02462873
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02468802	0_2_02468802
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02461900	0_2_02461900
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_0246891F	0_2_0246891F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02467E5C	0_2_02467E5C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460ED2	0_2_02460ED2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02461E99	0_2_02461E99
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462FD3	0_2_02462FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02468C2C	0_2_02468C2C
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02463CEF	0_2_02463CEF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02463CF2	0_2_02463CF2
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460CFA	0_2_02460CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465D78	0_2_02465D78
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462D3B	0_2_02462D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460DD5	0_2_02460DD5
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02461DA0	0_2_02461DA0
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02464DB6	0_2_02464DB6

Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: kGSHiWbgq9.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: kGSHiWbgq9.exe, 00000000.00000002.769800514.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe, 00000000.00000002.767741983.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe
Source: kGSHiWbgq9.exe	Binary or memory string: OriginalFilenamePAAKLDENDE.exe vs kGSHiWbgq9.exe

Source: kGSHiWbgq9.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF0A4DA332BC76A601.TMP

Jump to behavior

Source: kGSHiWbgq9.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: kGSHiWbgq9.exe

Virustotal: Detection: 21%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408873 push esp; ret	0_2_00408877
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_004088C0 push esp; ret	0_2_004088CB
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_004014E9 push es; ret	0_2_004014EA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408CB2 push esi; ret	0_2_00408CB3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_0040891C push esi; retf	0_2_0040892F
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00407D36 pushad ; iretd	0_2_00407D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408672 push esi; ret	0_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00407E22 push ds; iretd	0_2_00407E27
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408624 push esp; ret	0_2_00408627
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408ADE push esi; retf	0_2_00408ADF
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_00408695 push esi; ret	0_2_00408677
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02466625 push ebp; iretd	0_2_02466637

Source: initial sample

Static PE information: section name: .text entropy: 7.07266809617

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460B59	0_2_02460B59
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460BDC	0_2_02460BDC
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462FD3	0_2_02462FD3
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460CFA	0_2_02460CFA
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462D3B	0_2_02462D3B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02460DD5	0_2_02460DD5

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002460298 second address: 0000000002460298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002467EAD second address: 0000000002467EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002469858 second address: 0000000002469858 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002460298 second address: 0000000002460298 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002467EAD second address: 0000000002467EAD instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002469858 second address: 0000000002469858 instructions:
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	RDTSC instruction interceptor: First address: 0000000002467CB5 second address: 0000000002467CB5 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 8D6257E7h 0x00000007 xor eax, D6E50CE5h 0x0000000c xor eax, CD304DCCh 0x00000011 add eax, 6948E933h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007F7834E0F173h 0x0000001e lfence 0x00000021 mov edx, 617AD252h 0x00000026 xor edx, 84973C64h 0x0000002c xor edx, 903C3D1Eh 0x00000032 xor edx, 0A2FD33Ch 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d cmp edx, 53D52FB7h 0x00000043 cmp ah, ch 0x00000045 test cl, bl 0x00000047 ret 0x00000048 jmp 00007F7834E0F169h 0x0000004d cmp ch, dh 0x0000004f sub edx, esi 0x00000051 ret 0x00000052 add edi, edx 0x00000054 dec dword ptr [ebp+000000F8h] 0x0000005a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000061 jne 00007F7834E0F06Ch 0x00000063 call 00007F7834E0F0C7h 0x00000068 call 00007F7834E0F194h 0x0000006d lfence 0x00000070 mov edx, 617AD252h 0x00000075 xor edx, 84973C64h 0x0000007b xor edx, 903C3D1Eh 0x00000081 xor edx, 0A2FD33Ch 0x00000087 mov edx, dword ptr [edx] 0x00000089 lfence 0x0000008c cmp edx, 53D52FB7h 0x00000092 cmp ah, ch 0x00000094 test cl, bl 0x00000096 ret 0x00000097 mov esi, edx 0x00000099 pushad 0x0000009a rdtsc

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 0_2_02460211 rdtsc

0_2_02460211

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe

Code function: 0_2_02460211 rdtsc

0_2_02460211

Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_024673B4 mov eax, dword ptr fs:[00000030h]	0_2_024673B4
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02463441 mov eax, dword ptr fs:[00000030h]	0_2_02463441
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_0246853B mov eax, dword ptr fs:[00000030h]	0_2_0246853B
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02465589 mov eax, dword ptr fs:[00000030h]	0_2_02465589
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02467898 mov eax, dword ptr fs:[00000030h]	0_2_02467898
Source: C:\Users\user\Desktop\kGSHiWbgq9.exe	Code function: 0_2_02462D3B mov eax, dword ptr fs:[00000030h]	0_2_02462D3B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: kGSHiWbgq9.exe, 00000000.00000002.769113256.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery41	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Software Packing1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	System Information Discovery31	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
kGSHiWbgq9.exe	22%	Virustotal		Browse
kGSHiWbgq9.exe	9%	ReversingLabs	Win32.Trojan.Vebzenpak
kGSHiWbgq9.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://101.99.94.119/WEALTH_PRUu	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://101.99.94.119/WEALTH_PRUu	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457930
Start date:	02.08.2021
Start time:	15:06:08
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 50s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	kGSHiWbgq9.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 7.4% (good quality ratio 3%) Quality average: 20.2% Quality standard deviation: 28.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.650522833717378
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	kGSHiWbgq9.exe
File size:	114688
MD5:	27bf14807bc9d5cd2d823293f43c3a3a
SHA1:	08eeed11867aa351be0d6c48da283721ee6c0769
SHA256:	55fd5769df0df23d4140a34d07dc2c833b43ac1060f4d0992bdd27316041c69a
SHA512:	c2bcd733a0bfd1b9e56b630e4fae6a45951a843946a389f8987c48a3b047ca9b9f74a5a01afc7d7589f156691220e474553229f485b6de4f902db566a6a0d245
SSDEEP:	1536:EAPGkc1ug6GUMu+Yg2WGI5XZ4QmiPYefCGk4H:X2bUMEWfXZiea
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......K.................@..........D........P....@................

File Icon


Icon Hash:	a5b595a595a5a5b5

Static PE Info

General
Entrypoint:	0x401144
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B801CC3 [Sat Feb 20 17:32:51 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	5565993a5a9f2bfb76f28ab304be6bc1

Entrypoint Preview

Instruction
push 00406B54h
call 00007F7834A6B655h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx-2D91E317h], bh
sub eax, dword ptr [edx+312E8C4Dh]
cmp dword ptr [ecx+00414DE0h], edi
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx+4Fh], al
inc ebx
dec ebx
dec esi
inc ebp
pop ecx
inc ebp
push edx
dec esi
inc ebp
push ebx
add byte ptr [ebp+73h], ch
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
pop es
mov ebp, 63A526FFh
pushfd
inc edi
test byte ptr [eax], ah
arpl word ptr [edi-5FF889ACh], si
adc eax, B00EF4E9h
sbb edi, ecx
inc ebx
movsd
cmp byte ptr [esi], bl
insd
pop ecx
test byte ptr [eax-52B0C5E4h], 00000033h
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
pop ecx
add byte ptr [eax], al
cmp byte ptr [eax+00h], bl
add byte ptr [eax], al
or eax, dword ptr [eax]
push edx
inc ebp
push esp
dec ecx
dec esi
dec ecx
push ebx
push eax
dec edi
push edx
inc ecx
add byte ptr [53000F01h], cl
push esp
inc ebp

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x14b74	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x5b96	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x7c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x13df4	0x14000	False	0.649157714844	data	7.07266809617	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x115c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x5b96	0x6000	False	0.545694986979	data	6.03179178254	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1bcee	0xea8	data
RT_ICON	0x1b446	0x8a8	dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 1334943657, next used block 1336905122
RT_ICON	0x1aede	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x18936	0x25a8	data
RT_ICON	0x1788e	0x10a8	data
RT_ICON	0x17426	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x173cc	0x5a	data
RT_VERSION	0x171e0	0x1ec	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, _adj_fdiv_m64, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, _CIatan, _allmul, _CItan, _CIexp

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	PAAKLDENDE
FileVersion	1.00
OriginalFilename	PAAKLDENDE.exe
ProductName	CAMPHOUR

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: kGSHiWbgq9.exe PID: 5364 Parent PID: 5600

General

Start time:	15:07:02
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\kGSHiWbgq9.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\kGSHiWbgq9.exe'
Imagebase:	0x400000
File size:	114688 bytes
MD5 hash:	27BF14807BC9D5CD2D823293F43C3A3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: kGSHiWbgq9.exe PID: 5364 Parent PID: 5600 kGSHiWbgq9.exeCOMMON

Executed Functions

Function 02465A62, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 746memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 02465BA5

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: `~vG$}W31
API String ID: 2167126740-4278674903
Opcode ID: 83eeea10594ebc07d13379abd501daa2b565abec8a2a0c66940287ac25e09fa9
Instruction ID: acdadc8ca6e60d126bbeee23e115c2c45cfabc23cac18703229b698146ee4d31
Opcode Fuzzy Hash: 83eeea10594ebc07d13379abd501daa2b565abec8a2a0c66940287ac25e09fa9
Instruction Fuzzy Hash: 1E62CDB26043899FDB749F29CD897EABBA2FF55300F45452EDC899B210D3709A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02465968, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-00000001A3861579), ref: 02465BA5

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: `~vG$}W31
API String ID: 2167126740-4278674903
Opcode ID: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction ID: 53a4e25b760f5c3311d6baec1a75d4c2e6d17b8b252ac9882ad69da3856b5e71
Opcode Fuzzy Hash: bdb038aead7cde1b31969c9141ebf74346f74f31a6cdd63c2ebc47e7a8eb8203
Instruction Fuzzy Hash: EC41AEB1604385DFDB709F38CC85BEA77A2EF56324F44462EDC899B264D3309A81DB46

Uniqueness

Uniqueness Score: -1.00%

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 59%

			_entry_(signed int __eax, void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi) {
				intOrPtr* _t66;
				signed int _t67;
				signed int _t68;
				signed char _t69;
				signed int _t72;
				signed char _t74;
				signed char _t78;
				signed int _t79;
				signed int _t80;
				signed int _t83;
				void* _t88;
				intOrPtr* _t89;
				void* _t94;
				signed int* _t95;
				void* _t97;
				void* _t99;
				signed char _t102;
				signed int _t108;
				signed int _t109;
				signed char _t110;
				signed int _t112;
				void* _t118;
				signed int* _t119;
				void* _t124;
				intOrPtr* _t131;
				intOrPtr* _t132;
				void* _t138;
				void* _t139;
				signed int* _t145;
				signed int* _t147;
				signed int* _t149;
				signed int* _t151;
				void* _t154;
				void* _t155;
				intOrPtr* _t161;
				intOrPtr* _t163;
				void* _t165;
				intOrPtr* _t167;
				void* _t168;
				signed int _t181;
				void* _t182;
				signed int _t191;
				void* _t193;
				void* _t194;
				void* _t195;
				signed int _t196;
				intOrPtr* _t208;
				intOrPtr* _t209;
				signed int _t211;
				signed char _t216;
				intOrPtr* _t220;
				signed int _t225;

				_push("VB5!6&*"); // executed
				L0040113E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t66 = __eax + 1;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *_t66 =  *_t66 + _t66;
				 *((intOrPtr*)(__edx - 0x2d91e317)) =  *((intOrPtr*)(__edx - 0x2d91e317)) + __ebx;
				_t67 = _t66 -  *0x039CA936;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *__ecx =  *__ecx + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *((intOrPtr*)(__ebx + 0x4f)) =  *((intOrPtr*)(__ebx + 0x4f)) + _t67;
				_t88 = __ebx + 1 - 1;
				_pop(_t97);
				_push(0xd26e1ce9);
				 *((intOrPtr*)(_t182 + 0x76)) =  *((intOrPtr*)(_t182 + 0x76)) + _t97;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t194 = _t193 - 1;
				 *_t67 =  *_t67 ^ _t67;
				es = _t88;
				asm("pushfd");
				asm("arpl [edi-0x5ff889ac], si");
				asm("adc eax, 0xb00ef4e9");
				asm("sbb edi, ecx");
				_t89 = _t88 + 1;
				asm("movsd");
				asm("insd");
				asm("cdq");
				asm("iretw");
				asm("adc [edi+0xaa000c], esi");
				asm("pushad");
				asm("rcl dword [ebx], cl");
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_pop(_t99);
				 *_t67 =  *_t67 + _t67;
				 *_t67 =  *_t67 + _t67;
				_t68 = _t67 |  *_t67;
				_push(0xd26e1ce9);
				_push(_t194);
				_push(_t89);
				_push(_t68);
				_push(0xd26e1ce9);
				_t102 = _t99 + 1;
				 *0x53000f01 =  *0x53000f01 + _t102;
				_push(_t194);
				_t195 = _t194 + 1;
				_t124 = __edi + 1;
				_push(0xd26e1ce9);
				_push(_t195);
				_push(0xd26e1ce9);
				_t196 = _t195 + 1;
				_push(0xd26e1ce9);
				_t181 = __esi - 0xffffffffffffffff + 1 - 1;
				_push(_t89);
				 *_t102 =  *_t102 + _t89;
				 *_t68 =  *_t68 + _t68;
				 *_t89 =  *_t89 + _t68;
				asm("ficom word [edi]");
				 *((intOrPtr*)(_t196 + _t181 * 2)) =  *((intOrPtr*)(_t196 + _t181 * 2)) + _t102;
				_push(_t124);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_push(es);
				 *_t68 =  *_t68 + 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 ^ _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0x6600000e)) =  *((intOrPtr*)(_t68 + 0x6600000e)) + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *((intOrPtr*)(_t68 + 0xe000008)) =  *((intOrPtr*)(_t68 + 0xe000008)) + _t102;
				asm("sldt word [eax]");
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				ss = 0xb6000005;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ 0xffffffffa4dc39d4;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				_push(ds);
				asm("sbb eax, 0x20200000");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				 *_t68 =  *_t68 + _t68;
				 *((char*)(0xffffffffa4dc39d4)) = 0;
				asm("adc [eax], dl");
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 & _t68;
				_push(0x6e000004);
				_push(_t89);
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 - _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 ^ _t68;
				 *_t68 =  *_t68 + _t68;
				asm("pushad");
				 *_t68 =  *_t68 + _t68;
				 *_t102 =  *_t102 + _t68;
				 *_t68 =  *_t68 + _t102;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 | _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				 *_t68 =  *_t68 + _t68;
				_pop(_t94);
				_t95 = _t94 + 1;
				_push(0x63a52703);
				_t118 = _t181;
				asm("outsd");
				_push(_t196);
				_push(_t181);
				_t131 = _t124 - 0xfffffffffffffffb;
				_t191 =  *(_t196 + 0xffffffffa4dc3a21) * 0x7d;
				if(_t191 < 0) {
					L17:
					_t102 = _t102 -  *_t131;
					_t216 = _t102;
					if(_t216 > 0) {
						goto L35;
					} else {
						asm("daa");
						asm("das");
						if(_t216 <= 0) {
							goto L36;
						} else {
							asm("aas");
							_t181 = _t181 &  *(_t68 + 0x4f);
							goto L20;
						}
					}
				} else {
					_t167 = _t131 - 1;
					_t208 = _t167;
					if(_t208 >= 0) {
						L15:
						_t167 = _t167 - 1;
						goto L16;
					} else {
						if(_t208 != 0) {
							L16:
							_t131 = _t167 - 1;
							goto L17;
						} else {
							_push(0x7f4f6c68);
							asm("popad");
							_push(0x4f);
							if(_t208 != 0) {
								L28:
								_t68 = _t68 - 0x51;
								_t102 = _t102 ^  *(_t167 + 0x10);
								goto L29;
							} else {
								_t167 = _t167 - 1;
								_t209 = _t167;
								if(_t209 == 0) {
									L27:
									asm("adc ecx, [edi+0x10]");
									_push(_t118);
									 *(_t167 + 0x11) =  *(_t167 + 0x11) & _t102;
									_push(_t118);
									goto L28;
								} else {
									if(_t209 > 0) {
										L20:
										_t165 = _t131 - 1;
										_push(es);
										 *[fs:edi+0x1f] =  *[fs:edi+0x1f] | _t102;
										goto L21;
									} else {
										if(_t209 == 0) {
											L29:
											_t168 = _t167 - 1;
											asm("adc [edx+0x25], ch");
											goto L30;
										} else {
											if(_t209 >= 0) {
												L21:
												_t163 = _t165 - 1;
												_pop(ds);
												asm("popad");
												_t102 = _t102 +  *((intOrPtr*)(_t163 + 2));
												if(_t102 < 0) {
													_t163 = _t163 - 1;
													_t220 = _t163;
													_push(ds);
													if(_t220 > 0) {
														_t163 = _t163 - 1;
														asm("sbb [esi+0x1b], ah");
													}
													asm("sbb cx, [edi+0x16]");
												}
												if(_t220 == 0) {
													_t167 = _t163 - 1;
													_t68 = _t68 - 0x74;
													goto L27;
												}
												goto L31;
											} else {
												_push(cs);
												if(_t209 >= 0) {
													goto L27;
												} else {
													_t163 = _t167 - 1;
													asm("pcmpgtb mm6, [ebx+0x4f]");
													_t83 = _t68 | 0x1f4f7973;
													if(_t83 < 0) {
														L32:
														if(_t225 >= 0) {
															goto L38;
														} else {
															goto L33;
														}
													} else {
														asm("sbb eax, [ebx]");
														ss = _t196;
														_push(ds);
														_push(_t83);
														_t102 = _t102 |  *_t181;
														asm("popad");
														asm("sbb al, 0x1b");
														_t167 = _t163 - 0xfffffffffffffffd;
														 *0xd26e1ce9 =  *0xd26e1ce9 | _t102;
														_t211 =  *0xd26e1ce9;
														if(_t211 != 0) {
															goto L29;
														} else {
															asm("sbb eax, [edi]");
															if(_t211 == 0) {
																L30:
																asm("daa");
																asm("daa");
																_t163 = _t168 -  *((intOrPtr*)(_t102 + 0x2d));
																L31:
																_t83 = _t68 - 0x2d732a4f;
																_t225 = _t83;
																goto L32;
															} else {
																asm("sbb [ebx+esi*2], ebx");
																asm("adc al, 0x65");
																_t163 = _t167;
																_push(ss);
																if(_t163 <= 0) {
																	L33:
																	_t163 = _t163 - 1;
																	if(_t163 < 0) {
																		L39:
																		asm("sbb [eax], bl");
																		asm("sbb [edi+0x2e], ecx");
																		asm("sbb [edi+ecx*2], al");
																		asm("movups [edi+0x2d], xmm1");
																		es = ss;
																		asm("adc [edi+0x26], cl");
																		_t132 = _t163;
																		_t69 = _t83 - 0x274f1309 + 0x00000013 & 0x314f111b;
																	} else {
																		 *(_t118 + 0x24) =  *(_t118 + 0x24) & _t181;
																		_t131 = _t163;
																		asm("daa");
																		_push(0x33);
																		L35:
																		_t131 = _t131 - 1;
																		asm("aaa");
																		asm("popad");
																		L36:
																		_t132 = _t131 - 1;
																		_t69 = _t68 & 0x00000074;
																		if(_t102 <  *((intOrPtr*)(_t132 + 0x24))) {
																			_t161 = _t132 - 1;
																			 *(_t161 + 0x18) =  *(_t161 + 0x18) | _t102;
																			_t83 = _t69 ^ 0x0000007f | 0x00000006;
																			ss = es;
																			asm("sbb [ebx], ecx");
																			_t163 = _t161;
																			_push(ss);
																			_push(cs);
																			asm("sbb [edi+0x13], ecx");
																			L38:
																			asm("adc ecx, [esi+edx]");
																			goto L39;
																		}
																	}
																} else {
																	_t68 = _t83 & 0x324f6c2e;
																	goto L15;
																}
															}
														}
													}
												}
											}
										}
									}
								}
							}
						}
					}
				}
				asm("adc [edi+0x31], ecx");
				asm("adc [ecx], dl");
				_t72 = _t69 - 0x0000002c + 0x0000004f ^ 0x274f0d33;
				asm("daa");
				asm("sbb cl, [edi+0x3d]");
				_t119 = _t118 -  *_t72;
				asm("adc al, 0x4f");
				_t74 = _t72 - 0x2d05284f &  *0xf224f2b;
				asm("daa");
				 *_t119 =  *_t119 & _t74;
				 *[ds:ebx] =  *[ds:ebx] | _t191;
				_t138 = _t132 - 0xfffffffffffffffc;
				_t139 = _t138 - 1;
				asm("adc al, 0x2d");
				asm("aaa");
				asm("sbb al, 0x25");
				_t108 = (_t102 -  *0xc244f2e -  *((intOrPtr*)(_t138 + 0x3c)) ^  *_t119) &  *(_t139 + 0x3c) &  *(_t139 + 0x22) &  *_t95;
				asm("sbb edi, [ebx]");
				 *[es:ecx] =  *[es:ecx] - _t108;
				 *0x2a394f2e =  *0x2a394f2e ^ _t196;
				_t78 = ((_t74 | 0x00000021) + 0x02354f24 ^ 0x00000008) & 0x2127394f;
				_t145 = _t139 - 0xfffffffffffffffc;
				 *0x36364f24 =  *0x36364f24 ^ _t196;
				_t109 = _t108 - _t145[0xd];
				asm("retf");
				asm("pushad");
				_t147 = _t145;
				asm("int 0x37");
				if(_t147 <= 0) {
					L46:
					asm("rol eax, 0x36");
					_t149 = _t147;
					asm("rcr dh, 0x3d");
					L47:
					asm("fidivr word [0x38d7d84f]");
					asm("out dx, eax");
					 *_t109 =  *_t109 >> 1;
					_t151 = _t149;
					L45:
					asm("fcmovu st0, st4");
					_pop(ss);
					_t147 = _t151 - 0xffffffffffffffff;
					asm("ffreep st0");
					_t109 = _t109 -  *((intOrPtr*)(_t147 - 0x25));
					 *_t147 =  *_t147 << 0x4f;
					asm("fstp1 st2");
					 *((intOrPtr*)(_t147 - 0x3f)) =  *((intOrPtr*)(_t147 - 0x3f)) - _t109;
					goto L46;
				}
				asm("int 0x4");
				_t79 = _t78 ^ 0x0000004f;
				asm("invalid");
				_t154 = _t147 - 1;
				asm("fist word [ebx]");
				_t110 = _t109 ^  *(_t154 - 0x36);
				asm("iretd");
				 *_t95 =  *_t95 ^ _t110;
				asm("daa");
				asm("daa");
				_t112 = _t110 -  *(_t154 - 0x36) ^  *(_t154 - 0x3c);
				 *(_t154 + 0x30) =  *(_t154 + 0x30) | _t112;
				asm("into");
				_t109 = _t112 &  *(_t154 - 0x3d);
				asm("retf");
				if(_t109 < 0) {
					goto L49;
				} else {
					asm("invalid");
					_t151 = _t154 - 1;
					asm("enter 0x17ca, 0x4f");
					asm("ffreep st5");
					asm("sbb al, 0x4f");
					goto L45;
				}
				while(1) {
					L49:
					_t155 = _t154 - 1;
					asm("invalid");
					 *(_t155 + 0x28) =  *(_t155 + 0x28) ^ _t109;
					_push(_t109);
					asm("int3");
					_t149 = _t155 - 1;
					_t80 = _t79 & 0x0000006e;
					asm("enter 0x3c4f, 0x67");
					asm("lds ecx, [edi+0x35]");
					if(_t80 != 0) {
						goto L47;
					}
					_t154 = _t149 - 1;
					_t79 = _t80 ^ 0x324fde63;
					if(_t79 != 0) {
						 *(_t154 - 7) =  *(_t154 - 7) ^ _t109;
						asm("stc");
						continue;
					}
					asm("int 0x71");
					asm("ror byte [edi-0x36], 0x77");
					asm("fimul dword [edi-0x21]");
					asm("fbstp tword [eax-0x2d]");
				}
				goto L47;
			}

0x00401144
0x00401149
0x0040114e
0x00401150
0x00401152
0x00401154
0x00401156
0x00401158
0x00401159
0x0040115b
0x0040115d
0x0040115f
0x00401165
0x00401171
0x00401173
0x00401175
0x00401177
0x00401179
0x0040117b
0x0040117d
0x0040117f
0x00401183
0x00401186
0x00401188
0x0040118c
0x00401190
0x00401192
0x00401194
0x00401196
0x00401198
0x0040119e
0x004011a3
0x004011a9
0x004011ae
0x004011b0
0x004011b1
0x004011b4
0x004011bd
0x004011be
0x004011c0
0x004011c6
0x004011c7
0x004011cd
0x004011cf
0x004011d1
0x004011d3
0x004011d5
0x004011d7
0x004011d9
0x004011db
0x004011dd
0x004011df
0x004011e1
0x004011e3
0x004011e5
0x004011e7
0x004011e9
0x004011eb
0x004011ed
0x004011ef
0x004011f4
0x004011f6
0x004011f8
0x004011fa
0x004011fe
0x004011ff
0x00401201
0x00401202
0x00401203
0x00401209
0x0040120b
0x0040120d
0x0040120e
0x0040120f
0x00401210
0x00401211
0x00401213
0x00401214
0x00401216
0x00401217
0x00401219
0x0040121c
0x0040121e
0x00401221
0x00401227
0x00401228
0x0040122a
0x0040122c
0x0040122e
0x0040122f
0x00401231
0x00401233
0x00401235
0x00401237
0x0040123d
0x0040123f
0x00401241
0x00401243
0x00401245
0x00401247
0x0040124d
0x00401250
0x00401252
0x00401254
0x00401256
0x0040125d
0x0040125e
0x00401260
0x00401262
0x00401264
0x00401266
0x0040126a
0x0040126c
0x0040126d
0x00401272
0x00401274
0x00401276
0x0040127a
0x0040127c
0x00401280
0x00401282
0x00401284
0x00401286
0x00401288
0x0040128d
0x0040128e
0x00401290
0x00401292
0x00401294
0x00401296
0x00401298
0x00401299
0x0040129b
0x0040129d
0x0040129f
0x004012a1
0x004012a3
0x004012a5
0x004012a7
0x004012a9
0x004012ab
0x004012ad
0x004012af
0x004012b1
0x004012b3
0x004012b5
0x004012b7
0x004012c1
0x004012c2
0x004012c4
0x004012c6
0x004012c8
0x004012c9
0x004012ca
0x004012cb
0x004012cc
0x004012d1
0x00401328
0x00401328
0x00401328
0x0040132a
0x00000000
0x0040132c
0x0040132c
0x0040132d
0x0040132e
0x00000000
0x00401330
0x00401330
0x00401331
0x00000000
0x00401334
0x0040132e
0x004012d3
0x004012d3
0x004012d3
0x004012d4
0x00401326
0x00401326
0x00000000
0x004012d6
0x004012d6
0x00401327
0x00401327
0x00000000
0x004012d8
0x004012d8
0x004012dd
0x004012de
0x004012e0
0x0040135c
0x0040135c
0x0040135e
0x00000000
0x004012e2
0x004012e2
0x004012e2
0x004012e4
0x00401352
0x00401352
0x00401355
0x00401356
0x00401359
0x00000000
0x004012e6
0x004012e6
0x00401337
0x00401337
0x00401338
0x00401339
0x00000000
0x004012e8
0x004012e8
0x0040135f
0x0040135f
0x00401360
0x00000000
0x004012ea
0x004012ea
0x0040133b
0x0040133b
0x0040133c
0x0040133d
0x0040133e
0x00401341
0x00401343
0x00401343
0x00401344
0x00401345
0x00401347
0x00401348
0x00401348
0x00401349
0x00401349
0x0040134d
0x0040134f
0x00401350
0x00000000
0x00401350
0x00000000
0x004012ec
0x004012ec
0x004012ed
0x00000000
0x004012ef
0x004012ef
0x004012f0
0x004012f4
0x004012f9
0x0040136d
0x0040136d
0x00000000
0x00000000
0x00000000
0x00000000
0x004012fb
0x004012fc
0x00401300
0x00401301
0x00401302
0x00401304
0x00401306
0x00401308
0x0040130a
0x0040130c
0x0040130c
0x0040130e
0x00000000
0x00401310
0x00401310
0x00401312
0x00401363
0x00401364
0x00401365
0x00401368
0x0040136a
0x0040136a
0x0040136a
0x00000000
0x00401314
0x00401314
0x00401318
0x0040131b
0x0040131c
0x0040131e
0x0040136f
0x0040136f
0x00401370
0x0040139e
0x004013a0
0x004013a2
0x004013a5
0x004013ad
0x004013b1
0x004013b2
0x004013b7
0x004013b8
0x00401373
0x00401374
0x00401377
0x00401378
0x00401379
0x0040137b
0x0040137b
0x0040137c
0x0040137d
0x0040137f
0x0040137f
0x00401380
0x00401385
0x00401387
0x0040138e
0x00401391
0x00401394
0x00401395
0x00401397
0x00401398
0x00401399
0x0040139a
0x0040139c
0x0040139c
0x00000000
0x0040139c
0x00401385
0x00401320
0x00401320
0x00000000
0x00401325
0x0040131e
0x00401312
0x0040130e
0x004012f9
0x004012ed
0x004012ea
0x004012e8
0x004012e6
0x004012e4
0x004012e0
0x004012d6
0x004012d4
0x004013ba
0x004013bd
0x004013c4
0x004013c9
0x004013ca
0x004013cd
0x004013d2
0x004013e0
0x004013e6
0x004013e8
0x004013ec
0x004013ef
0x004013f7
0x00401405
0x00401408
0x00401409
0x0040140c
0x00401415
0x00401418
0x0040141c
0x00401422
0x00401427
0x00401428
0x0040142e
0x00401434
0x00401435
0x00401437
0x00401438
0x0040143a
0x0040148b
0x0040148c
0x0040148f
0x00401490
0x00401491
0x00401491
0x00401498
0x00401499
0x0040149b
0x00401477
0x00401478
0x0040147a
0x0040147f
0x00401480
0x00401482
0x00401485
0x00401488
0x0040148a
0x00000000
0x0040148a
0x0040143c
0x0040143e
0x00401440
0x00401443
0x00401444
0x00401446
0x0040144c
0x0040144d
0x00401451
0x00401455
0x00401456
0x0040145e
0x00401461
0x00401462
0x00401465
0x00401466
0x00000000
0x00401468
0x00401468
0x0040146f
0x00401470
0x00401474
0x00401476
0x00000000
0x00401476
0x004014b7
0x004014b7
0x004014b7
0x004014b8
0x004014ba
0x004014bd
0x004014be
0x004014bf
0x004014c0
0x004014c2
0x004014c6
0x004014c9
0x00000000
0x00000000
0x004014cb
0x004014cc
0x004014d1
0x004014b2
0x004014b5
0x00000000
0x004014b6
0x004014d4
0x004014d6
0x004014da
0x004014dc
0x004014dc
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401149

Strings

VB5!6&*, xrefs: 00401144

Memory Dump Source

Source File: 00000000.00000002.767685628.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.767667144.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.767727896.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.767741983.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction ID: 897156f5bccbea118947c71d059ed2fd519cf5942bc0f0e3fc105f14373928e3
Opcode Fuzzy Hash: f7f0828d82d24344c24e667637b7ee2946cc307b89bd8ee84dc4efd9063d70f6
Instruction Fuzzy Hash: 1A11CA5604F3C64FC30B8B718C656917FB0AE13659B0A02EBD9C2CE4E7D619099AC772

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02460BDC, Relevance: 6.9, Strings: 5, Instructions: 636COMMON

Download Yara Rule

Strings

Vk, xrefs: 024612D0
7_D, xrefs: 02460F96
b#ao, xrefs: 02461251
>oU, xrefs: 02460F0E
*D,[, xrefs: 02461628

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: *D,[$7_D$Vk$b#ao$>oU
API String ID: 2167126740-2613622489
Opcode ID: 7d22a617759d878bf1742af363549b738686426a49a6d1fc76e1f7072c65d4bb
Instruction ID: 181175cab6dc9f634d90c9d661ffe2861cbb7d2e54f76e46969d49167af3b262
Opcode Fuzzy Hash: 7d22a617759d878bf1742af363549b738686426a49a6d1fc76e1f7072c65d4bb
Instruction Fuzzy Hash: 32420171A043898FDB349F39C8887EE7BA2AF49350F45422EDC8D9B754D7358A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02460B59, Relevance: 6.7, Strings: 5, Instructions: 437COMMON

Download Yara Rule

Strings

^, xrefs: 02460B54, 02460BCD
Vk, xrefs: 024612D0
7_D, xrefs: 02460F96
b#ao, xrefs: 02461251
>oU, xrefs: 02460F0E

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 7_D$Vk$b#ao$>oU$^
API String ID: 2167126740-147858774
Opcode ID: 280948abde40cb725b023d77b65736f383a6c48d32d70a09d1ea190c0f81498b
Instruction ID: 65fc882d2732671a22f5d3aede9820a527a0fa5cdb8debfaf02eb0211b4630ad
Opcode Fuzzy Hash: 280948abde40cb725b023d77b65736f383a6c48d32d70a09d1ea190c0f81498b
Instruction Fuzzy Hash: 7A021171A042899FDF389F39C8487EE7BA2AF49310F45422EDC8E9B744D7354A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02460CFA, Relevance: 5.4, Strings: 4, Instructions: 399COMMON

Download Yara Rule

Strings

Vk, xrefs: 024612D0
7_D, xrefs: 02460F96
b#ao, xrefs: 02461251
>oU, xrefs: 02460F0E

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: f63411aba9187d809a0247caf7f66c21c79f4f4213279f956d57207e6dafb9be
Instruction ID: 92f03c7dcc7c0c16dff82e4062118cdbf1afa890ebdd796d11270dda753c8310
Opcode Fuzzy Hash: f63411aba9187d809a0247caf7f66c21c79f4f4213279f956d57207e6dafb9be
Instruction Fuzzy Hash: 94F10171A042899FDF749F39C8887EE7BA2AF49310F85422EDC8D9B744C7355A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02460DD5, Relevance: 5.4, Strings: 4, Instructions: 359COMMON

Download Yara Rule

Strings

Vk, xrefs: 024612D0
7_D, xrefs: 02460F96
b#ao, xrefs: 02461251
>oU, xrefs: 02460F0E

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: 9dd2a59d18d586fdc7786bc758f616dfaf12e26e0966a4a8a3912dce5d29e1c9
Instruction ID: 1a96f76d5170639e807ed7829c8d3a64091d5b2c2859f3d36cdf5e8f9cbc49cc
Opcode Fuzzy Hash: 9dd2a59d18d586fdc7786bc758f616dfaf12e26e0966a4a8a3912dce5d29e1c9
Instruction Fuzzy Hash: F8E11F71A082858FDB749F39C8887EE7BA2AF49310F85421FDC8E9B754C7358985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02460ED2, Relevance: 5.3, Strings: 4, Instructions: 302COMMON

Download Yara Rule

Strings

Vk, xrefs: 024612D0
7_D, xrefs: 02460F96
b#ao, xrefs: 02461251
>oU, xrefs: 02460F0E

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 7_D$Vk$b#ao$>oU
API String ID: 0-3891533994
Opcode ID: ab005d9b50fdaeda949c15355d2a079ad5b1618611aacea372105dcc19c2b48c
Instruction ID: 1585d4ce303e55e2db8bb60ed23daa7f05dabc9be9524a786da57ef2f106fa48
Opcode Fuzzy Hash: ab005d9b50fdaeda949c15355d2a079ad5b1618611aacea372105dcc19c2b48c
Instruction Fuzzy Hash: D6C11071A04289CBDF749F3988487EF7BA2AF49310F85421EDC8D9B794C7358985CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02462873, Relevance: 3.5, Strings: 2, Instructions: 983COMMON

Download Yara Rule

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: 7dbdb606efaecdd0f2469e608fc948e617a90887d687998abe2866bc757f0812
Instruction ID: 0337fdaad0cb6f9404fe9d51027d6350de00c02ecaa412e99f213ddba86e3ad5
Opcode Fuzzy Hash: 7dbdb606efaecdd0f2469e608fc948e617a90887d687998abe2866bc757f0812
Instruction Fuzzy Hash: E2920FB26043899FDB749F39CD897EA7BA2FF54300F45412EDC899B610D3709A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02467A7A, Relevance: 3.2, Strings: 2, Instructions: 650COMMON

Download Yara Rule

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: bad7d08c3ee245bcbcc24156b36c8cba69cb4b3ccc14614b782dd11a97c8b9fc
Instruction ID: 12d0f893d2fe25809c6e20929ec1b1f665baaa12396e0b06e69a9b1d27a29ebe
Opcode Fuzzy Hash: bad7d08c3ee245bcbcc24156b36c8cba69cb4b3ccc14614b782dd11a97c8b9fc
Instruction Fuzzy Hash: 1B52DBB26043899FDB749F29CD89BDABBA2FF54300F45412EDD899B210D3749A85CF42

Uniqueness

Uniqueness Score: -1.00%

Function 0246443A, Relevance: 3.1, Strings: 2, Instructions: 633COMMON

Download Yara Rule

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: bc5e0bf1bda241e8ba8462a8369d8269dbbb86872499976e756c2a3454c1fd15
Instruction ID: fff21bdbdfc371c91db3d697e9b7bd35f04e440e1c580a7637c318fdb629a48b
Opcode Fuzzy Hash: bc5e0bf1bda241e8ba8462a8369d8269dbbb86872499976e756c2a3454c1fd15
Instruction Fuzzy Hash: 7852CAB26043899FDB749F29CD89BDABBB2FF54300F45412EDD899B210D3749A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 024605A1, Relevance: 2.8, Strings: 2, Instructions: 292COMMON

Download Yara Rule

Strings

^, xrefs: 02460B54
^=b, xrefs: 02460AB9

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: deaf2557a27b36bc94b8274b818d3191b54155084386dfae5ec306bb7f2c4d4d
Instruction ID: 445865c6a3dbb62e9a7f7bc989d82b472e58b21535e4eb12e0b9ea8585a686de
Opcode Fuzzy Hash: deaf2557a27b36bc94b8274b818d3191b54155084386dfae5ec306bb7f2c4d4d
Instruction Fuzzy Hash: CBB12372604348DFDB24AF79CC847EAB7A2EF59350F56402EDC899B314D7708E858B46

Uniqueness

Uniqueness Score: -1.00%

Function 02465781, Relevance: 2.8, Strings: 2, Instructions: 284COMMON

Download Yara Rule

Strings

^, xrefs: 02460B54
^=b, xrefs: 02460AB9

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 058624cc0189bbd7e4c56df21123679dec006719bdb6b9ae1e1a7a6ad0a68401
Instruction ID: 07d089bb0408fe83aab54fb36a672e8685b301045da0a7776b40dfb079f2c017
Opcode Fuzzy Hash: 058624cc0189bbd7e4c56df21123679dec006719bdb6b9ae1e1a7a6ad0a68401
Instruction Fuzzy Hash: F3B11372904344DFDB249F75CC887EBBBA2EF58350F56442EDC89AB214D7708E868B46

Uniqueness

Uniqueness Score: -1.00%

Function 02460211, Relevance: 2.8, Strings: 2, Instructions: 259COMMON

Download Yara Rule

Strings

^, xrefs: 02460B54
^=b, xrefs: 02460AB9

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ^=b$^
API String ID: 0-3094246518
Opcode ID: 961a2d9f6a6579fe8d9cff2c3e3f27d330cd04cbdbe2e402388aa3fbf9b29e8c
Instruction ID: b8d8fc2b719d9971131035cfa9c4d40b4b387a6c46ec72438e53df1edf171104
Opcode Fuzzy Hash: 961a2d9f6a6579fe8d9cff2c3e3f27d330cd04cbdbe2e402388aa3fbf9b29e8c
Instruction Fuzzy Hash: ECA13472504345DFDB24AF65CC887EEBBA2EF58310F16442EDC899B314C7708E868B42

Uniqueness

Uniqueness Score: -1.00%

Function 02464DB6, Relevance: 2.7, Strings: 2, Instructions: 241COMMON

Download Yara Rule

Strings

}W31, xrefs: 02464DD7
`~vG, xrefs: 02464FB1

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `~vG$}W31
API String ID: 0-4278674903
Opcode ID: dc2ee1fa3613c0033070e5dd20e0d7fd31854d792063ffe4b79069b18bffd051
Instruction ID: d72eae90463b10a64298b13adbc1895bdd1483171536423b2fa8195eee1b9b20
Opcode Fuzzy Hash: dc2ee1fa3613c0033070e5dd20e0d7fd31854d792063ffe4b79069b18bffd051
Instruction Fuzzy Hash: 81B1CDB2644389DFDF758F68DD88BEA37A2BF58340F44412ADD4D9B250D7709A848F42

Uniqueness

Uniqueness Score: -1.00%

Function 02465D78, Relevance: 1.5, Strings: 1, Instructions: 283COMMON

Download Yara Rule

Strings

G(J, xrefs: 024660ED

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: G(J
API String ID: 2167126740-847150595
Opcode ID: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction ID: dcce533adf1ab3f8ea1f27b9eb56623fff8e29b31e9e323a2a71573b4b259c19
Opcode Fuzzy Hash: 02fa72410816c3f1408772e731ef643bf826d782703a826cea2e7961c4c21f2b
Instruction Fuzzy Hash: 04C1CE71A0438A9FCB749F25DD58BEE7BA6FF08350F45452EDD89AB610D7308A40CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02467E5C, Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

HyuA, xrefs: 02467EC6

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: HyuA
API String ID: 0-2002190500
Opcode ID: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction ID: 681937b327506b145a926445711f18adbf231305114d18d3a65a01a3370b0113
Opcode Fuzzy Hash: 357ea02670d2617d2e23eff69a58288935f1764217c0474b24886776f9703e0e
Instruction Fuzzy Hash: 2F81D172A046599BDB34CE29C8997EB77A2EF88304F55412FDC0A9B740D7309E84CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02463CF2, Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

@EAa, xrefs: 02463E14

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction ID: 6f836c51377c0deee86b4b86c6e77218c810277fc88a9a345b628fa69ebabd1d
Opcode Fuzzy Hash: bebc784fe25d7a59788192a24dad418890df63f69fbf34c826860e3b20986b7c
Instruction Fuzzy Hash: 6851FEB1600388DFD764CF29D8987DABBA0FF1A360F14825AD859CF261D7709A85CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02463CEF, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

@EAa, xrefs: 02463E14

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID: @EAa
API String ID: 0-534177664
Opcode ID: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction ID: 1f7075c7893a60f30202f77d7a2884d9346615b1a2375a35a5f28e4f7b620bc1
Opcode Fuzzy Hash: f8dfa1c7380c3a607f374aafd8ec8a59c20149095fa84d831f405997bf456b30
Instruction Fuzzy Hash: CB41DFB56002899FD7B4CF29C9987DA7BA5FF09390F44811AD849CB225D7709A80CF91

Uniqueness

Uniqueness Score: -1.00%

Function 0246853B, Relevance: .7, Instructions: 696COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: badc7194156f3a5bfd1f112055c5712277dfc906ff09fcbcfc9a052c240d7f1d
Instruction ID: d24e82c16ffff0f9ec839b9b6a8de2d875d83988f22193ae40d0a0138e058bb1
Opcode Fuzzy Hash: badc7194156f3a5bfd1f112055c5712277dfc906ff09fcbcfc9a052c240d7f1d
Instruction Fuzzy Hash: E252F4719083858FDB35DF38C8987EABBE2AF56310F49816ECC998F296D3748545CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02462D3B, Relevance: .5, Instructions: 542COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction ID: bf6c52090b889e44d86e3ca8444461afad7fe42fce436b3ed438961059aa076c
Opcode Fuzzy Hash: 3568c3b45448841e2bd9a4a130c370bbe1b9835c981409a4cc035b55c2e37678
Instruction Fuzzy Hash: EB2278716043899FDB68CF28C884BEAB7E5FF49350F45422EEC9D9B300D770AA408B91

Uniqueness

Uniqueness Score: -1.00%

Function 024685E7, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction ID: 947c3a02c82e6101657c74693e5c7dddaaab476a61861b2fe4bec0a2f2b2b3d0
Opcode Fuzzy Hash: 32d42cda8d890c161df6133b8b63ac57525b88c41c7aff055999cf532d2ae868
Instruction Fuzzy Hash: 97B1B1615083C58EDB36CF38889C7E67FE26F13364F4982AAC8998F2D6D3358549C716

Uniqueness

Uniqueness Score: -1.00%

Function 024686DB, Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction ID: fb96b913c2d7747e1d28947b2a802c596dde30d448c9d766bd42c779365783e7
Opcode Fuzzy Hash: 70a9e8a19f72cd1f48c93bc0fe0b2c1c87dd375362c33e2adc05b6407b5a9028
Instruction Fuzzy Hash: 1591AE715083858ADF35CF38C89C7EA7BE2AF12354F4982AACC998F296D3358549C716

Uniqueness

Uniqueness Score: -1.00%

Function 024686F4, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction ID: 3c35d808e6c50bdd1f667cecac7b4bcdf6ad691dbf2604149c29c083b11a5bd7
Opcode Fuzzy Hash: d152c6b1d3714421e75616208b7cd777573d2a0128bdcbd6f84df866b441e9c3
Instruction Fuzzy Hash: EE91D2715083C58ADF35CF38C89C7EA7BE2AF12350F4982AACC999F296D3358149C716

Uniqueness

Uniqueness Score: -1.00%

Function 02462FD3, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction ID: cc43cafbeab52d727fad63b11a28d04166495f20c86f9e7964e2502384336aa9
Opcode Fuzzy Hash: 69d78ff428987fee85755337f898de08400f705c3150fc45985f007e99f860d8
Instruction Fuzzy Hash: F8818B7560439A9FDB68CF28C984BEAB7E1FF09350F14422EEC5D97201D771AA50CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02468802, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction ID: 6c98a3568ff5eeaded57c452aa5aa557a87ee29bdb627fbce2653d697d6d9655
Opcode Fuzzy Hash: c54cc7a59c8ec043e5e694acadb6420223f3d26dc749ec3e5e451cdc85efd7ac
Instruction Fuzzy Hash: EE81B4715083858BDF35CE38C8987EB7BE1AF12350F4981AACC999F38AD3358549CB52

Uniqueness

Uniqueness Score: -1.00%

Function 024694D8, Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction ID: b4b00e6e37641446093780d53ba120a9cfb35ca2e735d310546d494a34361f77
Opcode Fuzzy Hash: 0b95e6ca7c0cd9cfb7071aa5c2daa2dd236ffff7edbf45633bdc181b0cee99a5
Instruction Fuzzy Hash: D771D371A106858FDB79CE78C9987DA37A3BF89310F51822ACC0DCB758D370DA458B92

Uniqueness

Uniqueness Score: -1.00%

Function 02461900, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0c107451566f3ff61c323fdbdaf3384779d14198e563c0770428e7b98185fe6b
Instruction ID: d477b6e79d4e047fb53eefad7c17bcbb49fdd8ad64bd25c850e343f73f06917e
Opcode Fuzzy Hash: 0c107451566f3ff61c323fdbdaf3384779d14198e563c0770428e7b98185fe6b
Instruction Fuzzy Hash: 13614A312087C65BD7269F3DCC987EABFA6BF06324F49429EC88D8B292C3711545CB52

Uniqueness

Uniqueness Score: -1.00%

Function 024695C6, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction ID: 58fd3b8c8f5d1df66ea185ce71693ab80e434feb1e80deb8d15c4ce66e4a6fd0
Opcode Fuzzy Hash: c8d4f69e530b87711bdc2af47ed320e619497e4c8738294dbf5fc24864a64ccb
Instruction Fuzzy Hash: FA61D271A006848FDB39CE68C9987DA77A3BF89310F55C22ACC0DDB758D370DA458B92

Uniqueness

Uniqueness Score: -1.00%

Function 02463441, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction ID: 993db48b239603806fa990f3d6488d2ab33071be42f9205ddb7f0ca92d974872
Opcode Fuzzy Hash: 73f44942bab911701621c5b2707fe8b231395bcd8d7302cea63d41ddbb78e1ed
Instruction Fuzzy Hash: 3151ACB1A042949FDB649F28CC84BEA77E6FF49710F45412EEC99CB310D7309D458B82

Uniqueness

Uniqueness Score: -1.00%

Function 02461DA0, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction ID: 2debc61403e394aa06f5cb28b6f2c76f32143b16e706d03d13e9b8d3e3f63155
Opcode Fuzzy Hash: 20cd7f838c2c399771881acf17bb095032327195a07410a6ddac533b149d07e7
Instruction Fuzzy Hash: 3251CB76A04298AFCB34CE29CC54BEE77E6AF98340F46412AEC4CEB610D7705E45CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02461E99, Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction ID: e7022981723784dfd82b9a14585fe8ef3baf98d512ad8fd5d873bbba0db60fde
Opcode Fuzzy Hash: d903e196d1a77e06caa362852e834474d1722d8d3cf3bcd7d1eda1d757427391
Instruction Fuzzy Hash: 7251CD76A04298AFCB34CE29CC14BDE77A6AF98350F46412AEC4CEB610D7705E458B91

Uniqueness

Uniqueness Score: -1.00%

Function 024640B7, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction ID: b9f81eb065dc8e73ab22bfb8f741366e40362eb18885a791f359e0a2c53216db
Opcode Fuzzy Hash: c1944b071c0b9ad6cb29e36e68911162b2672ce53d925434ae825b0b95ede70a
Instruction Fuzzy Hash: E751D736605344CFDB74CE6ACAA57EB77E3AF98340F99812ACC494B704D374A6428711

Uniqueness

Uniqueness Score: -1.00%

Function 02462A77, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction ID: 434af1ee7afaec197e1644567b4823b9b2ce9fcf1695cf2fdd3b2992288948a8
Opcode Fuzzy Hash: 95d92cf37e4b4cedc3369a403a8af7f8beef7af3960c28c153781cde82822bc7
Instruction Fuzzy Hash: 6E41F632508388AFEB34DE659C597FEBBA6EF95310F55001EDC898B601C7B05A81CB53

Uniqueness

Uniqueness Score: -1.00%

Function 02463BFF, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction ID: e8ab0e71e18254526751b50cff72dafb4d1bf6da7f47b4788446c36a294267c9
Opcode Fuzzy Hash: 3d0d8cb8f45b45677d85e202ebf3f7ed91970e8ea84fe42c1372b25850ee9ab4
Instruction Fuzzy Hash: B741B175A043899FDF749E39DD887EA7BA2EF48310F81442BEC88DB645C7318A41CA46

Uniqueness

Uniqueness Score: -1.00%

Function 0246891F, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction ID: df824fa59a20c78941cd39b7d494f4a72e3fe942354b1cb7f13c9a7af59e9f35
Opcode Fuzzy Hash: 6fb7e58d247ccaddce3f004ea839c770cbd46380bf4da2c5f9c979d04a7e12f1
Instruction Fuzzy Hash: 3D51B4729483848BDF79CF38C8983EB7BA1AF56350F45816ACC899F349D3348545C766

Uniqueness

Uniqueness Score: -1.00%

Function 02468C2C, Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction ID: c3b77181f150a0bc42b6384382200455653943bc30c294da7b4557bc0dcbb7f8
Opcode Fuzzy Hash: 3979e021ec42b1eab24740f0a9b7472aaf688e5640a37c2dbd419da152df4932
Instruction Fuzzy Hash: 4E4158319053958BDF758E7489AD3FB7BA2AF46240F05816FCC868B745D370464AC762

Uniqueness

Uniqueness Score: -1.00%

Function 02464339, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction ID: 0302b827f611f9f7836cbf4d21ee227ef3bc9b4a30c133a0386b350ce70bab49
Opcode Fuzzy Hash: e164ed57c3a3467471cb07b325d6d9deadb749a7e2ffbcf7627c77b8cd98c899
Instruction Fuzzy Hash: 3A01AD3A8093109FC70C7E71895AAAABBE1BF12304F87481DDCC2A2820D33059C9CF43

Uniqueness

Uniqueness Score: -1.00%

Function 02467898, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction ID: b4bc1c308e4fd112c875e739d749d6f47efab5a99d7a343a53d113f5386344e7
Opcode Fuzzy Hash: ddaf7c65e72ce01bd5ce92f6025a78758458cf09adf806ed9f545b7f8277c1d1
Instruction Fuzzy Hash: E401D6B5A512949FDB71CF18D888BEAB3E1FF1C714F05856AE9199B311D3309E40CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02465589, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction ID: c3c0329933c535c8ab8d9fbdceddaae54231673f2d0a871587ee904072db9e9d
Opcode Fuzzy Hash: d623111d86762eb24377d814acc21f671ddf9c63aa473290ef7768a21f1cdae2
Instruction Fuzzy Hash: 4CC092FA2026C09FFF0ADB08C491B4073A0FB44B88B0804D0E402CFB12C324E900CA08

Uniqueness

Uniqueness Score: -1.00%

Function 024673B4, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.770527143.0000000002460000.00000040.00000001.sdmp, Offset: 02460000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report kGSHiWbgq9.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: kGSHiWbgq9.exe PID: 5364 Parent PID: 5600

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: kGSHiWbgq9.exe PID: 5364 Parent PID: 5600 kGSHiWbgq9.exeCOMMON

Executed Functions

Function 02465A62, Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 746memorynativeCOMMON

Function 02465968, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113memorynativeCOMMON

Function 00401144, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53
COMMON