Play interactive tour

Edit tour

Windows Analysis Report Documentos de env#U00edo.exe

Overview

General Information

Sample Name:	Documentos de env#U00edo.exe
Analysis ID:	457991
MD5:	a60166d50572eedc2e44b327e4928324
SHA1:	0b5c5afd46ab950959dc1e5fda5520ddae0c51a4
SHA256:	8a714868cf6bea9d1a01154cc98fa33abbe75350f06cf26d31538ed0aba6a808
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Documentos de env#U00edo.exe (PID: 5064 cmdline: 'C:\Users\user\Desktop\Documentos de env#U00edo.exe' MD5: A60166D50572EEDC2E44B327E4928324)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?exportC"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?exportC"}

Multi AV Scanner detection for submitted file

Show sources

Source: Documentos de env#U00edo.exe

Virustotal: Detection: 20%

Perma Link

Source: Documentos de env#U00edo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?exportC

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Code function: 1_2_004028B4 GetAsyncKeyState,

1_2_004028B4

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Documentos de env#U00edo.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Documentos de env#U00edo.exe

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B66544 NtAllocateVirtualMemory,	1_2_02B66544
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6668B NtAllocateVirtualMemory,	1_2_02B6668B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B66232 NtAllocateVirtualMemory,	1_2_02B66232
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6624A NtAllocateVirtualMemory,	1_2_02B6624A
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6676B NtAllocateVirtualMemory,	1_2_02B6676B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B665C3 NtAllocateVirtualMemory,	1_2_02B665C3

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B66544	1_2_02B66544
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B61EB2	1_2_02B61EB2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AAB8	1_2_02B6AAB8
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60AA3	1_2_02B60AA3
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B646AC	1_2_02B646AC
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AE95	1_2_02B6AE95
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69A86	1_2_02B69A86
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6668B	1_2_02B6668B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63EFF	1_2_02B63EFF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64EE8	1_2_02B64EE8
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B652E9	1_2_02B652E9
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B612C7	1_2_02B612C7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AACB	1_2_02B6AACB
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B66232	1_2_02B66232
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6523E	1_2_02B6523E
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60A1B	1_2_02B60A1B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62A00	1_2_02B62A00
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62A59	1_2_02B62A59
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6624A	1_2_02B6624A
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B68FB1	1_2_02B68FB1
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B663A7	1_2_02B663A7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6ABA9	1_2_02B6ABA9
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B68F91	1_2_02B68F91
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62F9B	1_2_02B62F9B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6ABFE	1_2_02B6ABFE
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B607FF	1_2_02B607FF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B647FF	1_2_02B647FF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60FFD	1_2_02B60FFD
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B607FA	1_2_02B607FA
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B613E3	1_2_02B613E3
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6333F	1_2_02B6333F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69B3D	1_2_02B69B3D
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AB39	1_2_02B6AB39
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63B25	1_2_02B63B25
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63B16	1_2_02B63B16
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62F02	1_2_02B62F02
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62B6F	1_2_02B62B6F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64B5B	1_2_02B64B5B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60344	1_2_02B60344
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64C83	1_2_02B64C83
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64483	1_2_02B64483
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63C8F	1_2_02B63C8F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B608FD	1_2_02B608FD
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B614FD	1_2_02B614FD
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69CFA	1_2_02B69CFA
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B610D7	1_2_02B610D7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B698D4	1_2_02B698D4
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B634DF	1_2_02B634DF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B640DB	1_2_02B640DB
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B630D9	1_2_02B630D9
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B690C7	1_2_02B690C7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6B0C4	1_2_02B6B0C4
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6502D	1_2_02B6502D
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69C15	1_2_02B69C15
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64402	1_2_02B64402
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64063	1_2_02B64063
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62C61	1_2_02B62C61
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69052	1_2_02B69052
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AC5C	1_2_02B6AC5C
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69DA9	1_2_02B69DA9
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B65195	1_2_02B65195
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64587	1_2_02B64587
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6B1EF	1_2_02B6B1EF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B631E9	1_2_02B631E9
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64DC5	1_2_02B64DC5
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B665C3	1_2_02B665C3
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B621C0	1_2_02B621C0
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B611CE	1_2_02B611CE
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B695CE	1_2_02B695CE
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6A12E	1_2_02B6A12E
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B65D7B	1_2_02B65D7B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6AD6D	1_2_02B6AD6D
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64954	1_2_02B64954
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6255F	1_2_02B6255F

Source: Documentos de env#U00edo.exe, 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe, 00000001.00000002.745396573.00000000021E0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Documentos de env#U00edo.exe
Source: Documentos de env#U00edo.exe	Binary or memory string: OriginalFilenamePROSODETICDEF.exe vs Documentos de env#U00edo.exe

Source: Documentos de env#U00edo.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal92.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

File created: C:\Users\user\AppData\Local\Temp\~DFC591D959ED29C104.TMP

Jump to behavior

Source: Documentos de env#U00edo.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Documentos de env#U00edo.exe

Virustotal: Detection: 20%

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00407E4C push ss; iretd	1_2_00407F03
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00409055 push ss; ret	1_2_0040907F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_004090A4 push ss; ret	1_2_004090B7
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00406151 push ss; iretd	1_2_00406163
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00407566 push edi; ret	1_2_00407567
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00408D20 push ss; iretd	1_2_00408D2F
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_00409184 push ss; ret	1_2_00409193
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B66544 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60AA3 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60E8B push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B67AD1 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60A1B push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6739C push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B67398 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B607FF push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B607FA push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60B75 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60B72 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60344 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60CAA push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60497 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B608FD push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6B424 push edx; ret	1_2_02B6B42B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B605AD push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B67984 push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6B1EF push eax; retf	1_2_02B67AF2
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B60D6F push eax; retf	1_2_02B67AF2

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B646AC	1_2_02B646AC
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63EFF	1_2_02B63EFF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B647FF	1_2_02B647FF
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62F02	1_2_02B62F02
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64B5B	1_2_02B64B5B
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64C83	1_2_02B64C83
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64483	1_2_02B64483
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6B0C4	1_2_02B6B0C4
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64587	1_2_02B64587
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64DC5	1_2_02B64DC5
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B64954	1_2_02B64954

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 0000000002B6916B second address: 0000000002B6916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 0000000002B6AD54 second address: 0000000002B6AD54 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 0000000002B6916B second address: 0000000002B6916B instructions:
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	RDTSC instruction interceptor: First address: 0000000002B6AD54 second address: 0000000002B6AD54 instructions:

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Code function: 1_2_02B646AC rdtsc

1_2_02B646AC

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe

Code function: 1_2_02B646AC rdtsc

1_2_02B646AC

Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B69A86 mov eax, dword ptr fs:[00000030h]	1_2_02B69A86
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B68E55 mov eax, dword ptr fs:[00000030h]	1_2_02B68E55
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63B25 mov eax, dword ptr fs:[00000030h]	1_2_02B63B25
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B63B16 mov eax, dword ptr fs:[00000030h]	1_2_02B63B16
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B62F02 mov eax, dword ptr fs:[00000030h]	1_2_02B62F02
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B65CA0 mov eax, dword ptr fs:[00000030h]	1_2_02B65CA0
Source: C:\Users\user\Desktop\Documentos de env#U00edo.exe	Code function: 1_2_02B6898D mov eax, dword ptr fs:[00000030h]	1_2_02B6898D

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Documentos de env#U00edo.exe, 00000001.00000002.745011893.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Documentos de env#U00edo.exe, 00000001.00000002.745011893.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Documentos de env#U00edo.exe, 00000001.00000002.745011893.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: Documentos de env#U00edo.exe, 00000001.00000002.745011893.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Documentos de env#U00edo.exe, 00000001.00000002.745011893.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture11	Security Software Discovery41	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery31	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Documentos de env#U00edo.exe	21%	Virustotal		Browse
Documentos de env#U00edo.exe	7%	ReversingLabs	Win32.Trojan.Mucc

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457991
Start date:	02.08.2021
Start time:	16:48:15
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Documentos de env#U00edo.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 5.1% (good quality ratio 2.3%) Quality average: 25% Quality standard deviation: 30.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.37444232902198
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Documentos de env#U00edo.exe
File size:	143360
MD5:	a60166d50572eedc2e44b327e4928324
SHA1:	0b5c5afd46ab950959dc1e5fda5520ddae0c51a4
SHA256:	8a714868cf6bea9d1a01154cc98fa33abbe75350f06cf26d31538ed0aba6a808
SHA512:	b3ff28a846c6f0c7f7d54ea3c485be76b76f1d49b497ea79c145b4d2e0b53806d6a254e2b7e6931612fc688874ec85b03e7c50f405f638a18b94394ad111d81c
SSDEEP:	3072:W5CFYJr2EF82w1+AG+TeMn5+oXdFv1x9:PHEbLEzhNFv
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...u.NY.....................0....................@................

File Icon


Icon Hash:	c4e8c8cccce0e8e8

Static PE Info

General
Entrypoint:	0x4014b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x594EF175 [Sat Jun 24 23:10:45 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

Instruction
push 00401EC0h
call 00007FF72089D153h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ah, ch
nop

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x204d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xc1c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1facc	0x20000	False	0.381553649902	data	6.66782218684	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x11bc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xc1c	0x1000	False	0.313720703125	data	3.27540208335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x23374	0x8a8	data
RT_GROUP_ICON	0x23360	0x14	data
RT_VERSION	0x230f0	0x270	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	PROSODETICDEF
FileVersion	1.00
CompanyName	Intersection Road
Comments	Intersection Road
ProductName	RONTGE
ProductVersion	1.00
OriginalFilename	PROSODETICDEF.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Documentos de env#U00edo.exe PID: 5064 Parent PID: 5556

General

Start time:	16:49:04
Start date:	02/08/2021
Path:	C:\Users\user\Desktop\Documentos de env#U00edo.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Documentos de env#U00edo.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	A60166D50572EEDC2E44B327E4928324
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Documentos de env#U00edo.exe PID: 5064 Parent PID: 5556 Documentos de env#U00edo.exeCOMMON

Executed Functions

Function 02B66544, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 442memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02B66805

Strings

!=K, xrefs: 02B6670A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: !=K
API String ID: 2167126740-3569861655
Opcode ID: cac451de40bd5f1d774491eda1ed082d426f25bd02f248fbc5effc1e59f12409
Instruction ID: 0926ff70fd5e3c76c2417dcb78720a17f2c5065cc4f4ce3bd0a87d09df24458d
Opcode Fuzzy Hash: cac451de40bd5f1d774491eda1ed082d426f25bd02f248fbc5effc1e59f12409
Instruction Fuzzy Hash: B3F135715043498FCB34AF78CC987EA7BA6FF48340F59446EED8A9B255D7348A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B6624A, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

!=K, xrefs: 02B6670A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: !=K
API String ID: 2167126740-3569861655
Opcode ID: 5e66588759232461589e84d1c33e1929ba9064af1c9bb82d683b5d6ffc592a66
Instruction ID: 5bcdd5cdd2cade0976a81f655a87e44431c8fe4a876e906bf55f08eb821005b4
Opcode Fuzzy Hash: 5e66588759232461589e84d1c33e1929ba9064af1c9bb82d683b5d6ffc592a66
Instruction Fuzzy Hash: 6F9166765042488FCB389F35C8897EE7BAAFF44340F05446EDD8A9B616E7389A41CF01

Uniqueness

Uniqueness Score: -1.00%

Function 02B66232, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 167COMMON

Download Yara Rule

Strings

!=K, xrefs: 02B6670A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: !=K
API String ID: 0-3569861655
Opcode ID: 413ebd91a88ce08f5e233eafe3489b9c4413fe132727a207f138831fdae1cd20
Instruction ID: 077c0ca2dbe29d1f590af869661dd82b2f5f04a7e8070adf5c429fcbc5b449c0
Opcode Fuzzy Hash: 413ebd91a88ce08f5e233eafe3489b9c4413fe132727a207f138831fdae1cd20
Instruction Fuzzy Hash: EC5133765043088FCB389F35C8897E97FA6FF44340F1944AEC98A9B226E7349641CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B665C3, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 135memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02B66805

Strings

!=K, xrefs: 02B6670A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: !=K
API String ID: 2167126740-3569861655
Opcode ID: 7034879396c4b668a7b25bfefe4ed02236c8ff3b8e45679cfe23840ea8674a6b
Instruction ID: 8a3922ac0b695a0fa71599f32a637c5886f500c3f4f51a3d5ac0ed45dc836247
Opcode Fuzzy Hash: 7034879396c4b668a7b25bfefe4ed02236c8ff3b8e45679cfe23840ea8674a6b
Instruction Fuzzy Hash: F85123765043488FCB389F35C8897E97BE6FF44340F19446DC98A8B26AE7349641CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02B6668B, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 106memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02B66805

Strings

!=K, xrefs: 02B6670A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: !=K
API String ID: 2167126740-3569861655
Opcode ID: af756811e262665d7196d41fc99705ffdf6995253be8ea8804eed934137df911
Instruction ID: c2403c06738df645d2ceb236b17925af6da958071b84c94955289357ebaa900e
Opcode Fuzzy Hash: af756811e262665d7196d41fc99705ffdf6995253be8ea8804eed934137df911
Instruction Fuzzy Hash: 0F411FB16082449FDB759F35CC88BEEBBA2EF89300F1A446DDD899B266D3349541CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02B6676B, Relevance: 1.6, APIs: 1, Instructions: 83memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02B66805

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 31ea51612244d5bf6cf85f7bfd2c7804a6b784459421fcc127d3b2ef3db6794d
Instruction ID: 21eb64ca5e80637ad5401f41b85aa85b87278feec44a6c8aa41540f21d9a4fc0
Opcode Fuzzy Hash: 31ea51612244d5bf6cf85f7bfd2c7804a6b784459421fcc127d3b2ef3db6794d
Instruction Fuzzy Hash: AD318F3650425D8FCB299F74C8893D9BFA6FF09348F1844AEDA4A9B266E734D650CB10

Uniqueness

Uniqueness Score: -1.00%

Function 004028B4, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

4(@, xrefs: 004028BF

Memory Dump Source

Source File: 00000001.00000002.744426508.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.744414671.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.744464205.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: 4(@
API String ID: 0-4154620772
Opcode ID: b8a56aba5a05f71fc31b5dbc77c7c380e0d94680a9c9d4cf64bca8aaee6517fd
Instruction ID: 8bed13631f8f5d11e92b6f9c15a11aedafa3a42afb1b2edabf6d20b87340f760
Opcode Fuzzy Hash: b8a56aba5a05f71fc31b5dbc77c7c380e0d94680a9c9d4cf64bca8aaee6517fd
Instruction Fuzzy Hash: 50B01225384001AAF220A2544E065303381A2187C0328CD3BF401F15E0CAB9CC00412D

Uniqueness

Uniqueness Score: -1.00%

Function 004165E0, Relevance: 244.8, APIs: 121, Strings: 18, Instructions: 1564COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402CE8,00000002), ref: 00416702
#591.MSVBVM60(00000002), ref: 00416723
__vbaStrMove.MSVBVM60 ref: 00416731
__vbaStrCat.MSVBVM60(00402AA8,Inte,00000000), ref: 00416748
__vbaStrMove.MSVBVM60 ref: 00416752
__vbaStrCat.MSVBVM60(00402AB0,00000000), ref: 0041675E
__vbaStrMove.MSVBVM60 ref: 00416768
__vbaStrCat.MSVBVM60(00402AB8,00000000), ref: 00416774
__vbaStrMove.MSVBVM60 ref: 0041677E
__vbaStrCmp.MSVBVM60(00000000), ref: 00416785
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004167B3
__vbaFreeVar.MSVBVM60 ref: 004167C2
#535.MSVBVM60 ref: 004167D1
#554.MSVBVM60 ref: 004167D9
#648.MSVBVM60(0000000A), ref: 004167FA
__vbaFreeVar.MSVBVM60 ref: 00416806
_adj_fdiv_m64.MSVBVM60(425C0000), ref: 00416836
__vbaFpI4.MSVBVM60(43530000,?,425C0000), ref: 00416860
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,000002C0,?,425C0000), ref: 00416894
__vbaVarDup.MSVBVM60(?,425C0000), ref: 004168BA
#645.MSVBVM60(00000002,00000000), ref: 004168C8
__vbaStrMove.MSVBVM60(?,425C0000), ref: 004168D6
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 004168E8
__vbaSetSystemError.MSVBVM60(00000000), ref: 004168F6
#554.MSVBVM60(?,425C0000), ref: 0041690F
#648.MSVBVM60(0000000A), ref: 00416930
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 0041693C
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00416950
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00416978
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,0000013C), ref: 004169E2
__vbaFreeObj.MSVBVM60 ref: 004169EE
__vbaVarDup.MSVBVM60 ref: 00416A42
#595.MSVBVM60(0000000A,00000000,?,?,?), ref: 00416A65
__vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,?), ref: 00416A89
__vbaSetSystemError.MSVBVM60 ref: 00416AA0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000E3,00000000), ref: 00416ACB
__vbaGenerateBoundsError.MSVBVM60 ref: 00416AEB
__vbaGenerateBoundsError.MSVBVM60 ref: 00416AF8
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B22
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B2F
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B59
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B66
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B90
__vbaGenerateBoundsError.MSVBVM60 ref: 00416B9D
__vbaGenerateBoundsError.MSVBVM60 ref: 00416BC7
__vbaGenerateBoundsError.MSVBVM60 ref: 00416BD4
__vbaGenerateBoundsError.MSVBVM60 ref: 00416BFE
__vbaGenerateBoundsError.MSVBVM60 ref: 00416C0B
__vbaGenerateBoundsError.MSVBVM60 ref: 00416C35
__vbaGenerateBoundsError.MSVBVM60 ref: 00416C42
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00416C64
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00416C8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000C8), ref: 00416CBC
__vbaFreeObj.MSVBVM60 ref: 00416CC8
#705.MSVBVM60(00000002,00000000), ref: 00416CEA
__vbaStrMove.MSVBVM60 ref: 00416CFB
__vbaFreeVar.MSVBVM60 ref: 00416D03
__vbaVarDup.MSVBVM60 ref: 00416D7B
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00416DB2
__vbaStrMove.MSVBVM60 ref: 00416DC0
__vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,?,?,?,?), ref: 00416DF5
__vbaStrToAnsi.MSVBVM60(?,splurge,00000000), ref: 00416E11
__vbaStrToAnsi.MSVBVM60(?,Udskylningen8,00000000,00000000), ref: 00416E21
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 00416E31
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00416E5B
__vbaOnError.MSVBVM60(00000000), ref: 00417972
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041798A
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 004179B2
__vbaHresultCheckObj.MSVBVM60(00000000,00006878,00402B24,00000140), ref: 004179E2
__vbaFreeObj.MSVBVM60 ref: 004179EE
#571.MSVBVM60(000000A7), ref: 004179F9
__vbaSetSystemError.MSVBVM60(00000000), ref: 00417A05
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402790,000006F8), ref: 00417A3A
__vbaStrCopy.MSVBVM60 ref: 00417AD7
__vbaFreeStr.MSVBVM60 ref: 00417B31
__vbaStrCopy.MSVBVM60 ref: 00417B42
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402790,000006FC), ref: 00417BA9
__vbaFreeStr.MSVBVM60 ref: 00417BB5
__vbaStrCopy.MSVBVM60 ref: 00417BEE
__vbaFreeStr.MSVBVM60 ref: 00417C43
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,000002B4), ref: 00417C64
__vbaVarForInit.MSVBVM60(?,?,?,?,00000003,00000008), ref: 00417CC6
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00417CE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402790,00000700), ref: 00417D05
__vbaStrToAnsi.MSVBVM60(?,Saturnale,007C533E), ref: 00417D1C
__vbaSetSystemError.MSVBVM60(00000000), ref: 00417D2E
__vbaFreeStr.MSVBVM60 ref: 00417D4E
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00417D6F
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00417D97
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000C0), ref: 00417DC7
__vbaFreeObj.MSVBVM60 ref: 00417DD3
#535.MSVBVM60 ref: 00417DD9
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00417DF3
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00417E1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000138), ref: 00417E4B
__vbaFreeObj.MSVBVM60 ref: 00417E57
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,00000254), ref: 00417E7D
__vbaStrToAnsi.MSVBVM60(?,tenodynia,00564E24,006E96F2), ref: 00417E99
__vbaSetSystemError.MSVBVM60(0020D311,0062033C,00000000), ref: 00417EB5
__vbaFreeStr.MSVBVM60 ref: 00417ED5
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00417EF6
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00417F1E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,0000013C), ref: 00417F8E
__vbaFreeObj.MSVBVM60 ref: 00417F9E
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 00417FB6
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00417FDE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000078), ref: 00418004
__vbaFreeObj.MSVBVM60 ref: 0041800C
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00418035
__vbaStrMove.MSVBVM60 ref: 00418040
__vbaFreeVar.MSVBVM60 ref: 0041804C
__vbaLateMemCall.MSVBVM60(?,O23LzRvYz94dcuxxifrC105,00000003), ref: 004180E5
__vbaFreeVarList.MSVBVM60(00000002,?,?,004181D7), ref: 00418179
__vbaFreeVar.MSVBVM60 ref: 00418185
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 00418198
__vbaFreeStr.MSVBVM60 ref: 004181A3
__vbaAryDestruct.MSVBVM60(00000000,005FFFC2), ref: 004181B6
__vbaFreeObj.MSVBVM60 ref: 004181BB
__vbaFreeStr.MSVBVM60 ref: 004181C4
__vbaFreeStr.MSVBVM60 ref: 004181CC
__vbaFreeStr.MSVBVM60 ref: 004181D4

Strings

Udskylningen8, xrefs: 00416E15
Overflyvningens, xrefs: 00417B1F
SLEEVING, xrefs: 00417B37
Refuserende, xrefs: 00416D5B
Incarnant, xrefs: 00416A22
O23LzRvYz94dcuxxifrC105, xrefs: 004180DC
Hemiageusia, xrefs: 00417E2D
hjlpeklassens, xrefs: 004169BE
LETTERFORM, xrefs: 00417AA2
Nubia, xrefs: 00417AC6
splurge, xrefs: 00416DFF
Inte, xrefs: 00416738
Paw7, xrefs: 00417C14
Saturnale, xrefs: 00417D10
Grnseegnes, xrefs: 00418066
tenodynia, xrefs: 00417E8D
Betyngedes8, xrefs: 00417BE3
Macromastia, xrefs: 00417F64

Memory Dump Source

Source File: 00000001.00000002.744426508.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.744414671.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.744464205.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Error$CheckHresult$BoundsGenerate$Move$New2$System$List$Ansi$Copy$#535#554#648Destruct$#571#591#595#596#645#702#705CallConstruct2InitLateNextRedim_adj_fdiv_m64
String ID: Betyngedes8$Grnseegnes$Hemiageusia$Incarnant$Inte$LETTERFORM$Macromastia$Nubia$O23LzRvYz94dcuxxifrC105$Overflyvningens$Paw7$Refuserende$SLEEVING$Saturnale$Udskylningen8$hjlpeklassens$splurge$tenodynia
API String ID: 462913989-4207516842
Opcode ID: f783671562670f634208d63e3427a10c00befbcd1502bc517f7d6c67d868885b
Instruction ID: e4c08ad41a85223040b12e90f68b3420e6f32432705dfff16a26ceae491f31e8
Opcode Fuzzy Hash: f783671562670f634208d63e3427a10c00befbcd1502bc517f7d6c67d868885b
Instruction Fuzzy Hash: F2F22674E102189BCB14CF54C988BDDFBB5FF48304F1481AAE819AB361D774A986CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A540, Relevance: 168.6, APIs: 89, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041A5C5
__vbaAryConstruct2.MSVBVM60(?,00402DEC,00000003), ref: 0041A5D6
__vbaStrCat.MSVBVM60(00402D58,00402D50), ref: 0041A5EC
__vbaStrMove.MSVBVM60 ref: 0041A5F9
__vbaStrCat.MSVBVM60(11:1,00000000), ref: 0041A601
__vbaStrMove.MSVBVM60 ref: 0041A60B
__vbaStrCat.MSVBVM60(00402D50,00000000), ref: 0041A613
#547.MSVBVM60(?,?), ref: 0041A633
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041A65B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041A671
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041A687
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041A6AB
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041A6D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000E8), ref: 0041A70A
__vbaStrMove.MSVBVM60 ref: 0041A715
__vbaFreeObj.MSVBVM60 ref: 0041A721
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041A739
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041A761
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000130), ref: 0041A78A
__vbaStrMove.MSVBVM60 ref: 0041A795
__vbaFreeObj.MSVBVM60 ref: 0041A7A1
#593.MSVBVM60(00000008), ref: 0041A7C2
__vbaFreeVar.MSVBVM60 ref: 0041A7D0
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041A7E8
__vbaCastObj.MSVBVM60(?,00402D84,cimbrer), ref: 0041A804
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041A812
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000040), ref: 0041A82C
__vbaFreeObj.MSVBVM60 ref: 0041A838
__vbaR4Str.MSVBVM60(00402D50), ref: 0041A849
__vbaStrCat.MSVBVM60(00402D50,19:), ref: 0041A86A
__vbaStrMove.MSVBVM60 ref: 0041A877
__vbaStrCat.MSVBVM60(9:19,00000000), ref: 0041A87F
__vbaStrMove.MSVBVM60 ref: 0041A889
#541.MSVBVM60(00000008,00000000), ref: 0041A893
__vbaStrVarMove.MSVBVM60(00000008), ref: 0041A8A0
__vbaStrMove.MSVBVM60 ref: 0041A8AB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041A8BA
__vbaFreeVar.MSVBVM60 ref: 0041A8C9
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041A8E1
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041A90F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000068), ref: 0041A93D
__vbaFreeObj.MSVBVM60 ref: 0041A945
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041A95D
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041A985
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000E0), ref: 0041A9AE
__vbaStrMove.MSVBVM60 ref: 0041A9B9
__vbaFreeObj.MSVBVM60 ref: 0041A9C5
__vbaVarDup.MSVBVM60 ref: 0041A9EB
#600.MSVBVM60(00000008,00000002), ref: 0041A9FA
__vbaFreeVar.MSVBVM60 ref: 0041AA08
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041AA20
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041AA4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000050), ref: 0041AA79
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041AA80
__vbaFreeStr.MSVBVM60 ref: 0041AA92
__vbaFreeObj.MSVBVM60 ref: 0041AA9E
#703.MSVBVM60(00000008,000000FF,000000FE,000000FE,000000FE), ref: 0041AB1F
__vbaStrMove.MSVBVM60 ref: 0041AB2A
__vbaFreeVar.MSVBVM60 ref: 0041AB36
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041AB4E
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041AB76
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000E0), ref: 0041AB9F
__vbaStrMove.MSVBVM60 ref: 0041ABAA
__vbaFreeObj.MSVBVM60 ref: 0041ABB6
__vbaFpI4.MSVBVM60 ref: 0041ABC7
__vbaHresultCheckObj.MSVBVM60(00000000,001B8FEF,00402760,000002C8), ref: 0041AC03
#675.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000008,?), ref: 0041AC55
__vbaFpR8.MSVBVM60 ref: 0041AC5B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041AC8C
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041ACB0
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041ACD8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,000000D0), ref: 0041AD01
__vbaStrMove.MSVBVM60 ref: 0041AD0C
__vbaFreeObj.MSVBVM60 ref: 0041AD18
#535.MSVBVM60 ref: 0041AD1E
#546.MSVBVM60(00000008), ref: 0041AD2D
__vbaVarMove.MSVBVM60 ref: 0041AD3C
#580.MSVBVM60(Drikkeautomat3,00000001), ref: 0041AD49
__vbaFreeStr.MSVBVM60(0041AE01), ref: 0041ADB1
__vbaFreeStr.MSVBVM60 ref: 0041ADB6
__vbaFreeStr.MSVBVM60 ref: 0041ADBB
__vbaFreeVar.MSVBVM60 ref: 0041ADC0
__vbaFreeStr.MSVBVM60 ref: 0041ADC9
__vbaFreeStr.MSVBVM60 ref: 0041ADCE
__vbaFreeStr.MSVBVM60 ref: 0041ADD3
__vbaFreeStr.MSVBVM60 ref: 0041ADD8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041ADEC
__vbaFreeObj.MSVBVM60 ref: 0041ADF5
__vbaFreeStr.MSVBVM60 ref: 0041ADFE

Strings

ibolium, xrefs: 0041A9D7
9:19, xrefs: 0041A87A
H.2, xrefs: 0041AAB9
Drikkeautomat3, xrefs: 0041AD44
11:1, xrefs: 0041A5FC
cimbrer, xrefs: 0041A7F9
19:, xrefs: 0041A860

Memory Dump Source

Source File: 00000001.00000002.744426508.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.744414671.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.744464205.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#535#541#546#547#580#593#600#675#703CastConstruct2CopyDestruct
String ID: 11:1$19:$9:19$Drikkeautomat3$H.2$cimbrer$ibolium
API String ID: 1210936626-4072088996
Opcode ID: ff6fb8ee19ef01791662c34faf66879c70fd63f9a32cb30db5d5a388bc02175e
Instruction ID: 909453243100511c6c2c4cf55629f2f9ef0be1af5a0b03474a858ce6a86d04da
Opcode Fuzzy Hash: ff6fb8ee19ef01791662c34faf66879c70fd63f9a32cb30db5d5a388bc02175e
Instruction Fuzzy Hash: A7326C70900229AFCB14DF64DD88FAD7B78FB58704F10816AF549B72A0DB746A89CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004014B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON

Download Yara Rule

C-Code - Quality: 78%

			_entry_() {
				signed char _t46;
				intOrPtr* _t47;
				signed int _t50;
				intOrPtr* _t53;
				signed int _t54;
				void* _t55;
				void* _t56;
				void* _t58;
				intOrPtr* _t61;
				void* _t62;
				void* _t63;
				signed char _t65;
				void* _t66;
				void* _t70;
				intOrPtr* _t72;
				intOrPtr* _t73;
				void* _t79;
				signed int _t82;
				void* _t83;
				signed int _t84;
				signed int _t85;
				void* _t86;
				void* _t87;
				void* _t94;

				_push("VB5!6&*"); // executed
				L004014AC(); // executed
				 *_t46 =  *_t46 + _t46;
				 *_t46 =  *_t46 + _t46;
				 *_t46 =  *_t46 + _t46;
				 *_t46 =  *_t46 ^ _t46;
				 *_t46 =  *_t46 + _t46;
				_t47 = _t46 + 1;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				 *_t47 =  *_t47 + _t47;
				asm("invalid");
				asm("out 0x9d, al");
				asm("invalid");
				_t56 = _t55 + 1;
				_t50 = _t47 + _t65 - 0x00000001 ^  *_t65;
				 *_t50 =  *_t50 + _t50;
				 *_t50 =  *_t50 + _t50;
				 *_t65 =  *_t65 + _t50;
				 *_t50 =  *_t50 + _t50;
				 *_t65 =  *_t65 + _t50;
				 *_t50 =  *_t50 & _t65;
				_t66 = _t65 + 1;
				 *((intOrPtr*)(_t66 + 0x4e)) =  *((intOrPtr*)(_t66 + 0x4e)) + _t66;
				_t87 = _t86 + 1;
				_push(_t56);
				_t82 = _t79 + 1;
				_t84 = _t83 + 1;
				 *_t50 =  *_t50 + _t50;
				 *_t50 =  *_t50 + _t50;
				 *_t50 =  *_t50 + _t50;
				 *_t50 =  *_t50 + _t50;
				 *_t50 =  *_t50 + _t50;
				_t58 = _t56 + 1 + _t56 + 1;
				asm("int3");
				 *_t50 =  *_t50 ^ _t50;
				 *((intOrPtr*)(_t58 - 0x6413177e)) =  *((intOrPtr*)(_t58 - 0x6413177e)) + _t66 + 1;
				asm("retf");
				asm("repne inc esp");
				 *_t82 = _t50;
				 *_t82 = _t70;
				asm("lodsd");
				asm("int 0x17");
				 *((intOrPtr*)(_t73 + 0x61)) =  *((intOrPtr*)(_t73 + 0x61)) + _t82;
				[tword [ebp-0x38] = _t94;
				_t53 = _t70 -  *((intOrPtr*)(0x486ef003 + _t84 * 8));
				asm("stosb");
				 *((intOrPtr*)(_t53 - 0x2d)) =  *((intOrPtr*)(_t53 - 0x2d)) + _t53;
				_t54 = _t58 - 0x00000001 ^  *0xFFFFFFFFB711CF8D;
				_t61 = _t53;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *_t54 =  *_t54 + _t54;
				 *0x27 =  *0x27 & 0x00000027;
				 *_t54 =  *_t54 + _t54;
				asm("sbb al, 0x9");
				 *_t54 =  *_t54 + _t54;
				 *_t73 =  *_t73 + _t54;
				 *0x000000C3 =  *((intOrPtr*)(0xc3)) + 0x27;
				_t72 = _t50 - 1;
				_t85 = _t84 + 1;
				_push(_t72);
				 *0x4d000f01 =  *0x4d000f01 + 0x27;
				asm("popad");
				asm("popad");
				asm("outsb");
				if( *0x4d000f01 < 0) {
					_t85 =  *(_t82 + 0x6e) * 0x75737465;
					asm("sbb [ecx], eax");
					 *_t72 =  *_t72 + _t54;
					_t54 = _t54 & _t82;
					 *_t54 =  *_t54 | _t54;
					 *((intOrPtr*)(_t87 + _t82 * 2)) =  *((intOrPtr*)(_t87 + _t82 * 2)) + 0x26;
					 *((intOrPtr*)(_t82 + 8)) =  *((intOrPtr*)(_t82 + 8)) + _t61;
					 *((intOrPtr*)(0x26)) =  *((intOrPtr*)(0x26)) + _t54;
					 *((intOrPtr*)(0x26)) =  *((intOrPtr*)(0x26)) + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 & _t54;
					 *((intOrPtr*)(0x26)) =  *((intOrPtr*)(0x26)) + _t54;
					 *_t54 =  *_t54 + 0x26;
					 *((intOrPtr*)(_t54 + 0x16000008)) =  *((intOrPtr*)(_t54 + 0x16000008)) + 0x26;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + 0x26;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 | _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *((char*)(_t54 + _t54)) =  *((char*)(_t54 + _t54));
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *((intOrPtr*)(0x26)) =  *((intOrPtr*)(0x26)) + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					_t61 = _t61 -  *_t82;
					 *((intOrPtr*)(_t61 + 0x1c)) =  *((intOrPtr*)(_t61 + 0x1c)) + _t54;
					 *_t54 =  *_t54 - _t54;
					asm("sbb al, 0x43");
					asm("sbb al, 0x0");
					_t73 = _t73 + 3;
				}
				_push(ds);
				 *_t82 =  *_t82 + _t61;
				_push(ds);
				 *_t61 =  *_t61 + 0x26;
				_push(ds);
				 *((intOrPtr*)(_t61 + 0x1c)) =  *((intOrPtr*)(_t61 + 0x1c)) + _t54;
				_t62 = _t61 + 1;
				 *((intOrPtr*)(_t62 + _t54 * 2)) =  *((intOrPtr*)(_t62 + _t54 * 2)) + _t62;
				_t63 = _t62 + 1;
				 *((intOrPtr*)(_t63 + 0x43)) =  *((intOrPtr*)(_t63 + 0x43)) + _t54;
				 *((intOrPtr*)(_t73 + 0x49)) =  *((intOrPtr*)(_t73 + 0x49)) + _t54;
				_t44 = _t72 - 0x36ffc400;
				 *_t44 =  *((intOrPtr*)(_t72 - 0x36ffc400)) + _t63 + 1;
				_push(_t85);
				if ( *_t44 != 0) goto L3;
				asm("insb");
				goto [far dword [eax+eax-0x1];
			}

0x004014b4
0x004014b9
0x004014be
0x004014c0
0x004014c2
0x004014c4
0x004014c6
0x004014c8
0x004014c9
0x004014cb
0x004014cd
0x004014d2
0x004014d4
0x004014db
0x004014dd
0x004014de
0x004014e1
0x004014e3
0x004014e5
0x004014e7
0x004014e9
0x004014ec
0x004014ee
0x004014ef
0x004014f2
0x004014f3
0x004014f7
0x004014f8
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401506
0x00401508
0x0040150e
0x0040150f
0x00401511
0x00401514
0x00401516
0x00401517
0x00401523
0x00401526
0x00401532
0x00401534
0x00401535
0x00401538
0x00401538
0x00401539
0x0040153b
0x0040153d
0x0040153f
0x00401541
0x00401543
0x00401545
0x00401547
0x00401549
0x0040154b
0x0040154d
0x0040154f
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155d
0x0040155f
0x00401561
0x00401563
0x00401565
0x00401567
0x0040156b
0x0040156c
0x0040156d
0x0040156f
0x00401575
0x00401576
0x00401577
0x00401578
0x0040157b
0x00401584
0x00401586
0x00401589
0x0040158b
0x0040158d
0x00401591
0x00401597
0x00401599
0x0040159b
0x0040159d
0x0040159f
0x004015a1
0x004015a3
0x004015a9
0x004015ab
0x004015ad
0x004015af
0x004015b1
0x004015b3
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015be
0x004015c0
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d2
0x004015d4
0x004015d6
0x004015d9
0x004015db
0x004015de
0x004015e0
0x004015e2
0x004015e5
0x004015e5
0x004015e6
0x004015e7
0x004015e9
0x004015eb
0x004015ed
0x004015ef
0x004015f2
0x004015f3
0x004015f6
0x004015f7
0x004015fb
0x004015ff
0x004015ff
0x00401605
0x00401606
0x00401608
0x00401609

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014B9

Strings

VB5!6&*, xrefs: 004014B4

Memory Dump Source

Source File: 00000001.00000002.744426508.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.744414671.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.744464205.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 8ba42b81d6a47f2b44c5daa672e46beb96d6d31edf32e3f0ff5818dc0f27a2cb
Instruction ID: a1e096108a358111b45c2f772bd30ef35b25cbbd47652a829be4c8ce85879649
Opcode Fuzzy Hash: 8ba42b81d6a47f2b44c5daa672e46beb96d6d31edf32e3f0ff5818dc0f27a2cb
Instruction Fuzzy Hash: FED0B62489E3C00EE30322714C211492FB04D2366030B00E7D480DA0F3D06C080A8336

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B60FFD, Relevance: 9.2, Strings: 7, Instructions: 461COMMON

Download Yara Rule

Strings

"{, xrefs: 02B61157
qr, xrefs: 02B61730
mw, xrefs: 02B61234
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
h_, xrefs: 02B611BF
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$"{$h_$mw$qr
API String ID: 0-2509075175
Opcode ID: 88d4a57b56bde3acf01fa37ccd2d0d8f23ba30358d6d17d9b88f74874bc1e5b6
Instruction ID: 8ba2bebe576dac55023bf0291a4b390629eb5742f20802dc592fe170222fcfff
Opcode Fuzzy Hash: 88d4a57b56bde3acf01fa37ccd2d0d8f23ba30358d6d17d9b88f74874bc1e5b6
Instruction Fuzzy Hash: 5F02FF71A042899FDF34DE68CD987EE37A2EF88350F54402ADC4D9B740DB394A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B610D7, Relevance: 9.1, Strings: 7, Instructions: 346COMMON

Download Yara Rule

Strings

"{, xrefs: 02B61157
qr, xrefs: 02B61730
mw, xrefs: 02B61234
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
h_, xrefs: 02B611BF
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$"{$h_$mw$qr
API String ID: 0-2509075175
Opcode ID: de7f92e89d8e9c66755495e0d98e70c5eb03923aca6921525b7c965767bc17f2
Instruction ID: bcdc2184e54f9af49e21d39ffada1e405e4d7fe63b761c21182a9e6f678786ea
Opcode Fuzzy Hash: de7f92e89d8e9c66755495e0d98e70c5eb03923aca6921525b7c965767bc17f2
Instruction Fuzzy Hash: D5D1FF71A047498FDF389E688D997EA7BA2EF84340F18406EDC4E9B654C7388A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B611CE, Relevance: 6.6, Strings: 5, Instructions: 308COMMON

Download Yara Rule

Strings

qr, xrefs: 02B61730
mw, xrefs: 02B61234
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$mw$qr
API String ID: 0-1500751994
Opcode ID: c84b607b0c49491e7a9984793435724f43e1d20c775f3828b2471a4dbbe794db
Instruction ID: da49701e084cff66264dac27d2eefbe99781a56def49c2eac12f1500f0072fa5
Opcode Fuzzy Hash: c84b607b0c49491e7a9984793435724f43e1d20c775f3828b2471a4dbbe794db
Instruction Fuzzy Hash: D2C1FF71A043888FDF38DE688D997EE7BA2EF94340F05406EDD4E9B654C7344A41CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B612C7, Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

qr, xrefs: 02B61730
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$qr
API String ID: 0-2700084748
Opcode ID: 655ba95306c4912bc984b50b07b2f33400cf05838ef97cf74939b1e7f4181c6d
Instruction ID: 85afa9c19b04a023f4dddea918696148e50b1f6e9c78017920f283fafcd85404
Opcode Fuzzy Hash: 655ba95306c4912bc984b50b07b2f33400cf05838ef97cf74939b1e7f4181c6d
Instruction Fuzzy Hash: DDB100719046488FCF38DE688D997EE7BA2EF94340F49406EDC4E8B754C7398A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B613E3, Relevance: 5.2, Strings: 4, Instructions: 226COMMON

Download Yara Rule

Strings

qr, xrefs: 02B61730
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$qr
API String ID: 0-2700084748
Opcode ID: 5179c4d6894ff0aac4f53e8ccc158db9b79c23f57ee9a6fa54b69d61ddc97f80
Instruction ID: 9d766ab574ba47e9a04eedbe9f05bccc5cb0145a2f11cbfd7cb56caf8f7d67b0
Opcode Fuzzy Hash: 5179c4d6894ff0aac4f53e8ccc158db9b79c23f57ee9a6fa54b69d61ddc97f80
Instruction Fuzzy Hash: FA912F759046488FCF389E788D8D7EE7BA2EF94344F18805EDD4E8B654C7388A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B614FD, Relevance: 5.2, Strings: 4, Instructions: 184COMMON

Download Yara Rule

Strings

qr, xrefs: 02B61730
"o, xrefs: 02B61862
r9un, xrefs: 02B61641
"2=, xrefs: 02B6160A

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: "2=$r9un$"o$qr
API String ID: 0-2700084748
Opcode ID: b046ff2ee7495b3971b56dbdf44a51545def2650bfc8857f2833a17bf1a6336c
Instruction ID: 7f25725e61a8e46a4d3f79cd28b382f8e836df3fee91a2c80e6d33888c566d16
Opcode Fuzzy Hash: b046ff2ee7495b3971b56dbdf44a51545def2650bfc8857f2833a17bf1a6336c
Instruction Fuzzy Hash: 4F711F728046488FCF38DE78898D7EE7BA2EF54340F19845ED94E87A54D7348A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B63B25, Relevance: 2.7, Strings: 2, Instructions: 151COMMON

Download Yara Rule

Strings

+t+, xrefs: 02B6B1E4
xJn, xrefs: 02B63BD0

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +t+$xJn
API String ID: 0-1002364099
Opcode ID: 371100b5be8daa9ed01ff7ec0638a640e6d3e130ea2c5ce5c5b9c7882715919d
Instruction ID: 9ec57f4e59c4f83f044f7b656696a014b61068c5f31afc2bcf400abc4e26eca7
Opcode Fuzzy Hash: 371100b5be8daa9ed01ff7ec0638a640e6d3e130ea2c5ce5c5b9c7882715919d
Instruction Fuzzy Hash: 4551DD72804348CFCB349F74C85A7DA7BB2FF44354F1A859ACC5A6B625E3348A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B63B16, Relevance: 2.6, Strings: 2, Instructions: 140COMMON

Download Yara Rule

Strings

+t+, xrefs: 02B6B1E4
xJn, xrefs: 02B63BD0

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +t+$xJn
API String ID: 0-1002364099
Opcode ID: b40e2a5a1ffa4da43a9f489a8243ec5faafdc5dc85c44f38e8cc721f28b3b6ee
Instruction ID: 888990b198c1fc6816dd0ce6d16f252fe129634f7e2776c20956073e57a21c1f
Opcode Fuzzy Hash: b40e2a5a1ffa4da43a9f489a8243ec5faafdc5dc85c44f38e8cc721f28b3b6ee
Instruction Fuzzy Hash: CB511E72908344CFCB74DF24C859BDAB7B2FF44310F1A819ACC99AB650D3744A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B62F02, Relevance: 2.6, Strings: 1, Instructions: 1312COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: 3b2d262311eb74f2690b60943ff953ca83a9d1796c9ed5cc7676c9c70b3f2599
Instruction ID: 135cbbf8694ef0c63b6ac93800156fbb4b33fd56bb20e7c24ba7236260a8b2cc
Opcode Fuzzy Hash: 3b2d262311eb74f2690b60943ff953ca83a9d1796c9ed5cc7676c9c70b3f2599
Instruction Fuzzy Hash: 6CC2CCB1604389DFDB74DF28CC98BEAB7A2FF48350F558129DD899B210D7349A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B6B0C4, Relevance: 2.0, Strings: 1, Instructions: 740COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: 46aabd4cb30e93aeac677c483b9a08d9e32d9d282f21bea50eaf71eea4c73299
Instruction ID: dfa31cebe6fb51b6c15e28ea17e0ee75c4b8ea97f5018894b3d5e94aff094bd9
Opcode Fuzzy Hash: 46aabd4cb30e93aeac677c483b9a08d9e32d9d282f21bea50eaf71eea4c73299
Instruction Fuzzy Hash: 3E62FBB260438A9FDB748F38CD997EA7BB2FF58350F554129DD8A9B210D3349A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B63EFF, Relevance: 1.9, Strings: 1, Instructions: 689COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: a998f8ece2c78228b83adb617b853396ac5c8ec52e38986130be5bc4d288e427
Instruction ID: 61622c4fd1341ecec24d534e359c41967213405ba0499e90c32e1b182ee1d095
Opcode Fuzzy Hash: a998f8ece2c78228b83adb617b853396ac5c8ec52e38986130be5bc4d288e427
Instruction Fuzzy Hash: 5B52FAB16043899FDB748F29CD997EABBB2FF49310F458129DD899B210D3349A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02B64483, Relevance: 1.9, Strings: 1, Instructions: 681COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: b21007bddae854e9b1acde195dcf89b32c34be9e59c2c0ed1be4bb0d23fc9cdd
Instruction ID: d4ab90d496874f1863248441a1e173ab1f9e9a3c2d8c53d10ea73aef1f7a0be2
Opcode Fuzzy Hash: b21007bddae854e9b1acde195dcf89b32c34be9e59c2c0ed1be4bb0d23fc9cdd
Instruction Fuzzy Hash: EA52FBB26003899FDB748F38CD997EA7BB2FF48350F558129DD899B210D3349A91CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B64587, Relevance: 1.9, Strings: 1, Instructions: 645COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: 8f00ba730c17f06d7c87a7ed09ff52b3a07107daa5a4a275c613def1ea38c6da
Instruction ID: 96eca7804ba10084bc7f202288049b48aefc97c74e910be92297bc06f63dd383
Opcode Fuzzy Hash: 8f00ba730c17f06d7c87a7ed09ff52b3a07107daa5a4a275c613def1ea38c6da
Instruction Fuzzy Hash: 2A52EBB26003899FDB748F38CD997EABBB2FF58350F454129DD8A9B210D3349A91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B646AC, Relevance: 1.8, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: 057b0d12b4294442fbc577ca5108fa72847645384b391af0d5e3d9e7816cb5ff
Instruction ID: e0feb0fec5c943553c2f257899f951dad67b26946ce5a22c644d286df6455332
Opcode Fuzzy Hash: 057b0d12b4294442fbc577ca5108fa72847645384b391af0d5e3d9e7816cb5ff
Instruction Fuzzy Hash: 9942EAB2A043899FDB748F38CD997EA7BB2FF48350F458129DD899B210D3349A91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B647FF, Relevance: 1.8, Strings: 1, Instructions: 546COMMON

Download Yara Rule

Strings

?, xrefs: 02B648F6

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?
API String ID: 0-3428610318
Opcode ID: 1944cec5849a1e8d707268980e8bfe27c7f5634153dedd0b67e57d35ded68e1e
Instruction ID: 46fad6fa03f0fad1505f11b4ca952f454e0617af760f8d93365aa27063f4915a
Opcode Fuzzy Hash: 1944cec5849a1e8d707268980e8bfe27c7f5634153dedd0b67e57d35ded68e1e
Instruction Fuzzy Hash: A732FAB26043899FDB748F38CD897EA7BB2FF18350F558129DD8A9B210D3349A91CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B69A86, Relevance: 1.8, Strings: 1, Instructions: 511COMMON

Download Yara Rule

Strings

a)v , xrefs: 02B65D62

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: a)v
API String ID: 0-3611937965
Opcode ID: bcadd8ecae84a81a4f43014e96b2728b9110eaf2ea5c807c4919f769ed77677e
Instruction ID: 3aedfa3a6795d8f42492175f00168860b4905f39e36ec42b7fa26043107e6f2a
Opcode Fuzzy Hash: bcadd8ecae84a81a4f43014e96b2728b9110eaf2ea5c807c4919f769ed77677e
Instruction Fuzzy Hash: 5A22D5315083C58FDF75CF38C8987EA7BE2AF52350F49829AC8998F29AD3749645C712

Uniqueness

Uniqueness Score: -1.00%

Function 02B6B1EF, Relevance: 1.7, Strings: 1, Instructions: 419COMMON

Download Yara Rule

Strings

a)v , xrefs: 02B65D62

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: a)v
API String ID: 0-3611937965
Opcode ID: 387d6bf6c30ff2aead556779f940cbb98bf77c40e4d5af5a72db79fc6950955b
Instruction ID: 77632db2a987b74720d0cbca02c74e48011982ad63b34cd71ee0e0e12ef6a6ec
Opcode Fuzzy Hash: 387d6bf6c30ff2aead556779f940cbb98bf77c40e4d5af5a72db79fc6950955b
Instruction Fuzzy Hash: F5F175325043498FCB389F78C8993EA7BA2FF44384F5945AEDC8A97355D7308A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AAB8, Relevance: 1.5, Strings: 1, Instructions: 261COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: bea9e29560403b2a523e139137b63abed4adc4b884385ceedb7ab1ff143ff5bb
Instruction ID: 1374e09a277981a13cd96f0fe3764dec72d26aa20b18068997fd0791997358b5
Opcode Fuzzy Hash: bea9e29560403b2a523e139137b63abed4adc4b884385ceedb7ab1ff143ff5bb
Instruction Fuzzy Hash: 65A1EE3160028ACFEF74EE78CD987EA37A2EF85350F51416ACD4ADB204D7358A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AACB, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: 2988698184841ad756ac6954e47fbb0c027b74073d927187338383355b2b9bdc
Instruction ID: afa3ccea937552b569d8fde9f4c08612c7171c49beef1662c4539f5a01877724
Opcode Fuzzy Hash: 2988698184841ad756ac6954e47fbb0c027b74073d927187338383355b2b9bdc
Instruction Fuzzy Hash: E281113260034ACFDF78EE78C8A83EA3BA2FF45344F55416ACD469B215D7358641CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AB39, Relevance: 1.5, Strings: 1, Instructions: 202COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: 047d5a8a777f12cafe4efae67f0065cd085068be0596e1ec13507b676f40a4ad
Instruction ID: 3be4ef5437700f03db1286f2bdbc1eed0b1c66dbd6a617d44dbbe3bdd8249180
Opcode Fuzzy Hash: 047d5a8a777f12cafe4efae67f0065cd085068be0596e1ec13507b676f40a4ad
Instruction Fuzzy Hash: 7581203260034ACFDF38EE78C8983EA3BA2FF44354F55416ACD4A9B215C7358681CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B6ABA9, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: a2b2dbda374cc6021d4ea3c9a94cada37cdfa0bc002c58020fd8fbd0d9f8f6da
Instruction ID: 43ba2b16241e6499520bcc3a982e9e811f5410e30c6d322ac3bb9519ce4467b4
Opcode Fuzzy Hash: a2b2dbda374cc6021d4ea3c9a94cada37cdfa0bc002c58020fd8fbd0d9f8f6da
Instruction Fuzzy Hash: 75710F3664038ACFEF74EE78C8983EA3BA2FF45344F55416ACD4A9B215C7348681CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B6ABFE, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: 94951b02ac45f6956ed76bfb41aebaffad3fff827d243fd9e4a32f7139af3249
Instruction ID: 99ff0c48895faa516f7ed4419f27a896d2cf615f0e1f37f57397a66343c9f912
Opcode Fuzzy Hash: 94951b02ac45f6956ed76bfb41aebaffad3fff827d243fd9e4a32f7139af3249
Instruction Fuzzy Hash: CE71FF3664034ACFDF78EE78C8983EA3BA2FF45344F55416ACD4A9B215D3348681CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AC5C, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: 527fb30d7757b71f934e8c89e14575adbc2a2d9384d9f27da104578487f65f48
Instruction ID: f9293d95c37bee7bf8a6bf7446856db3135350cb5c31b924c14d5dcff689222f
Opcode Fuzzy Hash: 527fb30d7757b71f934e8c89e14575adbc2a2d9384d9f27da104578487f65f48
Instruction Fuzzy Hash: 5C71EE366402498FDF78EE78C8983EA3BA2FF45344F65416ACD4A9B215C7348681CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AD6D, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

R<~v, xrefs: 02B6AE88

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<~v
API String ID: 0-1709933744
Opcode ID: 806d2663740351fee690217966c0aa976f910b9841f47215ce9ec18af0c9c426
Instruction ID: 3abaf87d4e7444520aebdb977b243884300ca9f428e09b79ae868eb393647930
Opcode Fuzzy Hash: 806d2663740351fee690217966c0aa976f910b9841f47215ce9ec18af0c9c426
Instruction Fuzzy Hash: DC51FF36540349CFDB74EF78C8983EA3BA1FF44394F2545AACE4A9B219C3358641CB62

Uniqueness

Uniqueness Score: -1.00%

Function 02B621C0, Relevance: 1.4, Strings: 1, Instructions: 129COMMON

Download Yara Rule

Strings

ld~a, xrefs: 02B6803C

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: ld~a
API String ID: 2167126740-2489577965
Opcode ID: 3740327261bec565055e1ea338e101489cad92cae24f8a760fe4d3752ed80bc0
Instruction ID: fbdd71d140b2a66227f54c635fa714a4ff3f07dc8083d1adf57588374e48f006
Opcode Fuzzy Hash: 3740327261bec565055e1ea338e101489cad92cae24f8a760fe4d3752ed80bc0
Instruction Fuzzy Hash: 1B4157715483449FCB28AF3489986FA7BA2FF54300F46056EECCA9B212C7348985CF16

Uniqueness

Uniqueness Score: -1.00%

Function 02B63C8F, Relevance: 1.4, Strings: 1, Instructions: 102COMMON

Download Yara Rule

Strings

+t+, xrefs: 02B6B1E4

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +t+
API String ID: 0-425030245
Opcode ID: eac652e783a1af2a90298d9dca996e79160afa01c8d74be68082ffa4c22b6965
Instruction ID: 6bc53b6dcbbd1c339e39c180abfc70bb0479cdfdbf6cc0ca2cb835551f0d493a
Opcode Fuzzy Hash: eac652e783a1af2a90298d9dca996e79160afa01c8d74be68082ffa4c22b6965
Instruction Fuzzy Hash: 9C412072908354CFDB709F68CC187EEB7B2AF48310F16851A8C99AB644E3344A818F92

Uniqueness

Uniqueness Score: -1.00%

Function 02B695CE, Relevance: 1.3, Strings: 1, Instructions: 82COMMON

Download Yara Rule

Strings

a)v , xrefs: 02B65D62

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: a)v
API String ID: 0-3611937965
Opcode ID: f439d461b54dd9dbf5602f8bf317de89adb3c55a62167c984bf7cae408a2496d
Instruction ID: 2eec70949df7a5e058fc9cc662de31b8a2e890ca54eed2a6584056547f2ace53
Opcode Fuzzy Hash: f439d461b54dd9dbf5602f8bf317de89adb3c55a62167c984bf7cae408a2496d
Instruction Fuzzy Hash: C8314B32A44746DBDB388E788D997FA37B2EF91340F51812EDC8A97658D3364A41CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02B663A7, Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

\zH9, xrefs: 02B6645C

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: \zH9
API String ID: 0-2656882565
Opcode ID: 400905447182f289a5440256429062ecab06ebe387c7da819cc812acaa0e585a
Instruction ID: 05005cfeb9e89c5236d6bf6a3e150c53971f1bf6664f9df05504e67b07239f82
Opcode Fuzzy Hash: 400905447182f289a5440256429062ecab06ebe387c7da819cc812acaa0e585a
Instruction Fuzzy Hash: 6721ED72518201DBCBA4AE38C9297AAB7F5FF60244F82081DDCCAD7220D7758981CB03

Uniqueness

Uniqueness Score: -1.00%

Function 02B698D4, Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

Nt, xrefs: 02B69913

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Nt
API String ID: 0-2018231633
Opcode ID: e944235bcc46257fe1aa180f58aaff2aeba702f044459b8600252eefdc972822
Instruction ID: 1f40a0af2b51b487002d71f24e8d3931596d7597d509ee24c8da223add58338b
Opcode Fuzzy Hash: e944235bcc46257fe1aa180f58aaff2aeba702f044459b8600252eefdc972822
Instruction Fuzzy Hash: 9121C03560878ACBCB349F38C8D43EA73E1FF1A740F884259D9969F652E7749681CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02B64954, Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2cac68d3257307b3364303c55a74b850e955ebdde973cdaa2cff3537b50bb8f
Instruction ID: 4d6f1cdccfcbf2da3d8bfe3bb1b2167b742f2113a51ee2c12d98a48647c5c189
Opcode Fuzzy Hash: c2cac68d3257307b3364303c55a74b850e955ebdde973cdaa2cff3537b50bb8f
Instruction Fuzzy Hash: DA22FAB2604389DFDB748F28CD99BEA7BB2FF19350F454129DD899B210D3359A90CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B64B5B, Relevance: .4, Instructions: 410COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b65af7b38485d2a0ee40c4a63b4b8126ac628819036237e27cc8ed4c1333dff0
Instruction ID: a14217330228e50f6c5708129380f1147ccc6591f7d34d1c59c1dbdb4d58efdf
Opcode Fuzzy Hash: b65af7b38485d2a0ee40c4a63b4b8126ac628819036237e27cc8ed4c1333dff0
Instruction Fuzzy Hash: B802EAB2604389DFDB748F38CD99BEA3BA2FF19350F454129DD8A9B211D7358A81CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02B62F9B, Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 761f7713353dc1574db25fe5d1cb01f7844839c116671ecf912eb19b64a39db2
Instruction ID: bd94e9982fca0582357066fd59b7085f28567f30604b93923b8834e73fc0e232
Opcode Fuzzy Hash: 761f7713353dc1574db25fe5d1cb01f7844839c116671ecf912eb19b64a39db2
Instruction Fuzzy Hash: 33E19971A0474A9FDB78DF28C899BEAB7E1FF08340F44826ADD4997341D730AA518B90

Uniqueness

Uniqueness Score: -1.00%

Function 02B64C83, Relevance: .4, Instructions: 362COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9532d8760264506d5c88a6c1d9a1b6c7b4cdb360444cae2a6622374ee45fc0d6
Instruction ID: 211f75d926afa7b6ec7e9dabf42c1be75e8dc76c4cf8ff47e82ba79198f271cd
Opcode Fuzzy Hash: 9532d8760264506d5c88a6c1d9a1b6c7b4cdb360444cae2a6622374ee45fc0d6
Instruction Fuzzy Hash: B3E1D8B2604389DFDB758F38CD99BEA3BB2FF18350F454129DD8A8B210D7358A818B51

Uniqueness

Uniqueness Score: -1.00%

Function 02B607FF, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc6f43037a64fd8353b9c82cca50b20e0b5aaedd97f8371b76759ecb3997184
Instruction ID: 86fe9dd414cea6c26551a8bad23eaa88727bde724322e3ba7a7d65103d7c9d61
Opcode Fuzzy Hash: ebc6f43037a64fd8353b9c82cca50b20e0b5aaedd97f8371b76759ecb3997184
Instruction Fuzzy Hash: 26D164329043498FCB34AF78C8993EA7BA2FF04384F5945AEED4A97355D7348A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B607FA, Relevance: .3, Instructions: 325COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 429a938cc7c1e310660d0338577fbd918b8183245d9dcdb53a90c291d1cb40da
Instruction ID: 1f8ef5f2a831112a044e1852c5a16b3e4629a1c3e381886a0edf5ff029577256
Opcode Fuzzy Hash: 429a938cc7c1e310660d0338577fbd918b8183245d9dcdb53a90c291d1cb40da
Instruction Fuzzy Hash: 0BC156715043498FCB34AF78C8987FA7BA2EF44380F5945AEED4A97354D7348A81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B630D9, Relevance: .3, Instructions: 314COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 52bebf734f35aba0073a248f9cfc821313a8198e8683805a1b539f40d954afb6
Instruction ID: ff749b01782b6f5199a27219c8ef83f5c4ca18af66241a6e917b79c0fb7dcb00
Opcode Fuzzy Hash: 52bebf734f35aba0073a248f9cfc821313a8198e8683805a1b539f40d954afb6
Instruction Fuzzy Hash: 31C1CC71A0478A9FDB38DF28C899BEA77E1FF08340F58416ADC499B341D734AA458B91

Uniqueness

Uniqueness Score: -1.00%

Function 02B64DC5, Relevance: .3, Instructions: 311COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f51313c7004e9b2e4ab33f2e879ba4b6d8565f8f9590fabf4fbfac1f38222e8
Instruction ID: dd5249e8e800585842219e0a770d6f7863ec3d1912d34636c1db69a88409b9a4
Opcode Fuzzy Hash: 4f51313c7004e9b2e4ab33f2e879ba4b6d8565f8f9590fabf4fbfac1f38222e8
Instruction Fuzzy Hash: 9ED1C8726043899FDB75DF38CD99BEA3BB2FF18350F444129DD8A8B215E7348A918B11

Uniqueness

Uniqueness Score: -1.00%

Function 02B608FD, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa28171d00a98241112782eb0bfcd4193cf224761b429c5d568d19db5d94718e
Instruction ID: 72d04f2310b4059b116aabec2ae4345e7efbfca045f074d888fb226f783425f3
Opcode Fuzzy Hash: aa28171d00a98241112782eb0bfcd4193cf224761b429c5d568d19db5d94718e
Instruction Fuzzy Hash: 1CB1443690434D8FCB34AF78C8993EA3BA6FF04384F1945AADD4A97315D7348A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B64EE8, Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0e37aef41fc050335b36a0d9dfc0c9b3468b35d94eb619a9f99e4e47092136d
Instruction ID: 702e5c6bcd7f13c0c3312633f22f854dc7f039177856e3f5ee5526a4b7390064
Opcode Fuzzy Hash: b0e37aef41fc050335b36a0d9dfc0c9b3468b35d94eb619a9f99e4e47092136d
Instruction Fuzzy Hash: E3B1CA726003899FDF75CF68CD99BEA3BA2FF18350F54412ADD8A8B215D3359A91CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B60A1B, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7e080f491ba3469f1e5788daf4d706d73960153f93a14a1b6ba82eadcd62234
Instruction ID: a89be310f7a00ec167ae092a419c57ba8d1ab0be70c9196b00b43f6a3fba1bc8
Opcode Fuzzy Hash: a7e080f491ba3469f1e5788daf4d706d73960153f93a14a1b6ba82eadcd62234
Instruction Fuzzy Hash: DBA1217650034D8FCB34EF38C8997EA7BA6FF04384F1845AADD4A97615E7348A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B631E9, Relevance: .3, Instructions: 264COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c590c0bef3844f9f835f5f41bc6569536a31ca6c1db23e925ee337a1291cb432
Instruction ID: 867e46b5a5f849cf20cb75cae815eb0601ce2f3ed720ef0b377a21aab489be3e
Opcode Fuzzy Hash: c590c0bef3844f9f835f5f41bc6569536a31ca6c1db23e925ee337a1291cb432
Instruction Fuzzy Hash: 99B1CD71A0074ADFDB38DF38C899BEA77E1FF08340F5881AADC499B241D7309A548B90

Uniqueness

Uniqueness Score: -1.00%

Function 02B69B3D, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14751bd8249dc465bb79e87978fdce02cc4d7cd44b108607d5f52520a2d2991e
Instruction ID: a05acac1b2676667363982626e8d9f1a2e1028ff865aef69f8917ba60b814153
Opcode Fuzzy Hash: 14751bd8249dc465bb79e87978fdce02cc4d7cd44b108607d5f52520a2d2991e
Instruction Fuzzy Hash: AFB1B2354087C58ECB26CF38C89C7957FE2AF12260F49C2DAC8994F2ABD7748645C712

Uniqueness

Uniqueness Score: -1.00%

Function 02B60AA3, Relevance: .2, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ce47b0aa5a10dac1de0720b26f4ff94c25431bb517b92c73aecdd3b7596b89e
Instruction ID: 0ea9f24c2c06a1e902ce20bad8320d77e63dd48bb135eb4d3dd5acd1a84e28fe
Opcode Fuzzy Hash: 4ce47b0aa5a10dac1de0720b26f4ff94c25431bb517b92c73aecdd3b7596b89e
Instruction Fuzzy Hash: 4E9154765043498FCF30EF28C8987EA7BA6EF44394F1845AAEC4A97215D7348A81CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B6502D, Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c3330da0741cd65326ffb29359bfa8f299562102c0c60d31689a6057f723b09
Instruction ID: 415f055e52b29f9a668552f3f22436f50933f224faaddba7734d3a826b24ac2b
Opcode Fuzzy Hash: 0c3330da0741cd65326ffb29359bfa8f299562102c0c60d31689a6057f723b09
Instruction Fuzzy Hash: 0591D9716403899FDB79CF38CD99BDA3BA2FF08350F544169DE8A8B215D3398A91CB10

Uniqueness

Uniqueness Score: -1.00%

Function 02B68F91, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a94b1648f5483ae0e4c8b032b68fe59e2ce97f1418af5cbb41752a0f6d9e9f0b
Instruction ID: 8f5717580b1b6ee71fbd28be09c6957d4e2c07a370979333cc29aa54ad1881ac
Opcode Fuzzy Hash: a94b1648f5483ae0e4c8b032b68fe59e2ce97f1418af5cbb41752a0f6d9e9f0b
Instruction Fuzzy Hash: 6B813372A087499FDB30CF68C8A97FA77A2EF49340F55006EDC4E8B244D734AA84CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02B69C15, Relevance: .2, Instructions: 211COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62016ace7a1d7d445dced5fc69d943474fed6b245ec0cdff71208ae48f28f225
Instruction ID: 6b98e7f805d2e2631fb42e0c0192028c4bd5958d5ecad51a75b0281291a664bf
Opcode Fuzzy Hash: 62016ace7a1d7d445dced5fc69d943474fed6b245ec0cdff71208ae48f28f225
Instruction Fuzzy Hash: 3B91C6354487858FCF358F38889D7D57FA2EF52350F4982EAC89A8F29AD3748645CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02B6333F, Relevance: .2, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b95e7b4d0135d45ab5e6477617288ce6b0ad930e6fe47e9be781e29cbdcf584b
Instruction ID: 85cbc02fb8b25b020c4a0566d348d932aa47a1dfe359d3425668591fdc622f51
Opcode Fuzzy Hash: b95e7b4d0135d45ab5e6477617288ce6b0ad930e6fe47e9be781e29cbdcf584b
Instruction Fuzzy Hash: EE81B17560075A9FDB38DF38C899BEA7BE1FF08300F5881AADD4987245D730AA55CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B62A00, Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc74ce97ac118b8739caa4be283c95c14474f2dc3da185c8e2e7534ef6b8aef0
Instruction ID: ebc1176c5b797253ee2ac02e86a77ce34ff034d4e6a7b944aeae42defeaebc93
Opcode Fuzzy Hash: fc74ce97ac118b8739caa4be283c95c14474f2dc3da185c8e2e7534ef6b8aef0
Instruction Fuzzy Hash: BD811F76A083899FDBB4DE38C9597DE37E6EF58310F01851AEC8CEB241D3349A408B51

Uniqueness

Uniqueness Score: -1.00%

Function 02B62A59, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48e605f24c77854e04279bb61d7c2855e374148b2afa785ae69eb0665119c31a
Instruction ID: 3ae710a26dc3760921ec979c1a91c00ca97fd644275267e734be3ab83911c908
Opcode Fuzzy Hash: 48e605f24c77854e04279bb61d7c2855e374148b2afa785ae69eb0665119c31a
Instruction Fuzzy Hash: 8D71EC36A043499FCB74DE38C9597DE3BAAFF48340F04452AED49DB245E334DA808B51

Uniqueness

Uniqueness Score: -1.00%

Function 02B61EB2, Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a49076db285f41a9b49a1afc9b735252513809595caabaa37d1e91f1ccb4e088
Instruction ID: 224e27548a5a00c5e74411fdaef172f239b3c54902a50814a334584ea64a4149
Opcode Fuzzy Hash: a49076db285f41a9b49a1afc9b735252513809595caabaa37d1e91f1ccb4e088
Instruction Fuzzy Hash: A971F072A042889FDB309F69CD487EE77A2EF88350F46402AED8C8B310C7759A41CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B69CFA, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01514b9496ec7df7d3c9bedb87049b8a7eb689e0ba4486d215ca76c66f8e0359
Instruction ID: df6fd094208be25e6f34f2a2773a492c5e3c2d12242b70f20cf45c0a0ef1f3fe
Opcode Fuzzy Hash: 01514b9496ec7df7d3c9bedb87049b8a7eb689e0ba4486d215ca76c66f8e0359
Instruction Fuzzy Hash: 9971B3364487898FCF359F78C8997E97FA1EF51350F4981EAC85A8F24AD3389641CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02B65195, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a55cbb91c2c789e8c79ef87519943d3f05fe0c462d061ee998e1519fc3cfaac2
Instruction ID: cb6fac3057552633995ce4f1fa44405dc72e2b6852ecc2b0aa6de5d1844f86fc
Opcode Fuzzy Hash: a55cbb91c2c789e8c79ef87519943d3f05fe0c462d061ee998e1519fc3cfaac2
Instruction Fuzzy Hash: A961B87564028D9FDB79CF28CD9ABDE3BA6FF08340F140169EE4A8A215D7359A50CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B62B6F, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58f5383a0feb557e81014d570672c91412b246e619e497f1054f19228a6f50e
Instruction ID: e641080fad5f1c39668b22ffb212d9acf47762d627e0f72bca1e9ffa2c4c4782
Opcode Fuzzy Hash: e58f5383a0feb557e81014d570672c91412b246e619e497f1054f19228a6f50e
Instruction Fuzzy Hash: F651E076A0438D8FCB34CF3889597DA3BA6EF58300F04456EDD4ADB256E3349A408B11

Uniqueness

Uniqueness Score: -1.00%

Function 02B68FB1, Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f408334081b14d225138e24dc6f6c6bc531688c713be7b418643c410cc0575e0
Instruction ID: 531ca9ad3a79d78763e06c5b9d14c95cd284011a5415a1108e8dae462fa9f65b
Opcode Fuzzy Hash: f408334081b14d225138e24dc6f6c6bc531688c713be7b418643c410cc0575e0
Instruction Fuzzy Hash: 9B51F43690471D9FCB348F78C9AA7EA3BA6FF14380F15416ADC4A9B644D730DA84CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B64063, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8cf0a0db9edb554b59d9473066822c7f8d3d1445bf02392e065d0c24bc388c
Instruction ID: e788f21c64263501c8eb77e32e0dc87e01647554a6b8a5dddd4555e56df23381
Opcode Fuzzy Hash: ad8cf0a0db9edb554b59d9473066822c7f8d3d1445bf02392e065d0c24bc388c
Instruction Fuzzy Hash: C851F1726047449FDB34CE2AD9E87EB77F2EBA8740F58452EC94E8BA40C734A641CB01

Uniqueness

Uniqueness Score: -1.00%

Function 02B60344, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e59e65922b97568e80e0d2e20ac87b89f67de2a36e690c6adb9fc9e16aedbc4a
Instruction ID: b6ef39c066cd5162e84bdf7e9230b9f53bb0eeef76e714877d4ddb880f0d4fa0
Opcode Fuzzy Hash: e59e65922b97568e80e0d2e20ac87b89f67de2a36e690c6adb9fc9e16aedbc4a
Instruction Fuzzy Hash: 6E5176364043098FCB28AF7889997F97F92FF14354F4449AEDD865362AE7348A40CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02B64402, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43dca86cdd38f160a9788297d2a94e7c896e2669cd89169c0f950c8dc954ccf8
Instruction ID: 545af7efaacf75dda0675b0ce2bcc2702537fee2128a704cf0320f3788608112
Opcode Fuzzy Hash: 43dca86cdd38f160a9788297d2a94e7c896e2669cd89169c0f950c8dc954ccf8
Instruction Fuzzy Hash: C051EDB16043499FCB649F39CC5ABEABBA2BF89300F05421DDD8A9B250D3345685CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02B69DA9, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42f8a7cf07d330e5d8417286375d3d566a95499459c53fd273e9e130f8b74b23
Instruction ID: 8c2bfa4c9b3a3ef6c27ae7a4f4a777a115f6287d0957605b09a6b5f75195bff1
Opcode Fuzzy Hash: 42f8a7cf07d330e5d8417286375d3d566a95499459c53fd273e9e130f8b74b23
Instruction Fuzzy Hash: BA51F1754583C58ACF758F7888987E97BA1EF12310F4981AAC8998F28AD3799641CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B690C7, Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21d6bb4b1d8c4b408c0e06fd236a5b30904718ade07fe39bfe1f2a2de71e2673
Instruction ID: df8dc6b09d259e8f6dc3338c6b7365d974d854ab988098f82c76e80e80a59cba
Opcode Fuzzy Hash: 21d6bb4b1d8c4b408c0e06fd236a5b30904718ade07fe39bfe1f2a2de71e2673
Instruction Fuzzy Hash: 9351D23650465D9FCB34CF38C8AA7EA7BB2FF24380F19456ADC4A8B644D7309A84CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B6523E, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 103d056a3aaf235232fd85279053ea894bb0f5a1f184448ac786c9023ccd995d
Instruction ID: 58bd01eab29ea9656173380b9b061fa188bbea7958a20eb553aec694b3c5fd38
Opcode Fuzzy Hash: 103d056a3aaf235232fd85279053ea894bb0f5a1f184448ac786c9023ccd995d
Instruction Fuzzy Hash: 7851A7B1640289DFDF7ACF28CD95BEE3BB2FF08350F040129ED898A215C3399A508B50

Uniqueness

Uniqueness Score: -1.00%

Function 02B6A12E, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e58f07995a52504fa268180977927144cd9f938e938a899da3e50075e16d8662
Instruction ID: bd7d78f4b815488f5aee14a1f05fa9876b368c8d1f379f07d0598ae9293c25cc
Opcode Fuzzy Hash: e58f07995a52504fa268180977927144cd9f938e938a899da3e50075e16d8662
Instruction Fuzzy Hash: 6951D5766043899FCF35CE3488C93DA3BA6FF91344F1486AACC599B65ED3348642CB21

Uniqueness

Uniqueness Score: -1.00%

Function 02B634DF, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e58db1fca0fa1a35b756c12f6e1b56903f58ae3b2d7b4e6e9eca60b313b1366
Instruction ID: e3498ecf00313404087091a246fd173244c7f05ad7fa461adc0896544430b480
Opcode Fuzzy Hash: 2e58db1fca0fa1a35b756c12f6e1b56903f58ae3b2d7b4e6e9eca60b313b1366
Instruction Fuzzy Hash: F4517AB160074ADFDB64CF68D8C9BEAB7A1BF08300F548269DD589B201D334AA148B91

Uniqueness

Uniqueness Score: -1.00%

Function 02B640DB, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4704cf84a100711eddaaf3cccebaf1d5b78b2c3c93d3a21efaaf565850b30e8
Instruction ID: 3faec6bbee4dd188485fcf83abd14e2e69f70f252ab17d2b677cdcce1cbf0a6a
Opcode Fuzzy Hash: a4704cf84a100711eddaaf3cccebaf1d5b78b2c3c93d3a21efaaf565850b30e8
Instruction Fuzzy Hash: A64104329047498FCB34CE7A98D93EA3BF2FBA8384F59467FC94A87645C7309641CA10

Uniqueness

Uniqueness Score: -1.00%

Function 02B6255F, Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 190989106a0423d9d88b30630e829516e6e6595f106eb643ab04f25154ca7d84
Instruction ID: d62cdb0b7e7d422a9a857f091affd1cedf887714886ae70f8d0216e6d25a24d5
Opcode Fuzzy Hash: 190989106a0423d9d88b30630e829516e6e6595f106eb643ab04f25154ca7d84
Instruction Fuzzy Hash: EC41E272210248DFCB70AF69CC98BEA37A2FF58700F558419DD9C8B261D7398A85CB05

Uniqueness

Uniqueness Score: -1.00%

Function 02B69052, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c7a8c90c332312930af7918e1680c9f2778fc02096bab102d80af0b7845bdc
Instruction ID: 02982f950e8777179e43a5948e54f8f58c5bfefef3789e5dba9d220023fd2dea
Opcode Fuzzy Hash: 20c7a8c90c332312930af7918e1680c9f2778fc02096bab102d80af0b7845bdc
Instruction Fuzzy Hash: 67411132608659AFDB74CF38C9A97EA77B2EF55340F15012ADC4EDB244C334AA84CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B652E9, Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa7ba899c50de90073f3cc74394ab0542d869a29fa6d733a4eb3d6d03ada777
Instruction ID: b477b458426df2745190952004d53fad91e009a85acd4244f6788364eb09ff40
Opcode Fuzzy Hash: 0fa7ba899c50de90073f3cc74394ab0542d869a29fa6d733a4eb3d6d03ada777
Instruction Fuzzy Hash: 1B41A97564074D9FCB79DF38C99A7CE3BA2FF04340F14456ADE4A8A226D3349A51CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B6AE95, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec2a615abd42f9ac6c8a7df8141576324ba3fe9c1dfef3e8475fd2b36bece37f
Instruction ID: ee365218ad14cbff775944783d9ce45cb72cedb0011e5c47b64c0a985b1934d0
Opcode Fuzzy Hash: ec2a615abd42f9ac6c8a7df8141576324ba3fe9c1dfef3e8475fd2b36bece37f
Instruction Fuzzy Hash: EC41063594034D8FDB35EF3488993DA3FA2FF40294F1945AACE4697219D335CA42CB60

Uniqueness

Uniqueness Score: -1.00%

Function 02B65D7B, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5c6d3a06211d2e02d0d62734279dbd5e56de414da8710d7b30a51c04952f61
Instruction ID: cac5d23de341bd5450bd74f63206b8f89c7d23e18867e5421e91e4f2d039d4b9
Opcode Fuzzy Hash: 9c5c6d3a06211d2e02d0d62734279dbd5e56de414da8710d7b30a51c04952f61
Instruction Fuzzy Hash: B541C17060468A8FDF74EE289D5C7EE36A2EF80750F90816ACD1DCB200DB398681CF06

Uniqueness

Uniqueness Score: -1.00%

Function 02B62C61, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dee600b7924ddb8c40f2d50f189348612b6530be4cc7469c0f91503617051f7
Instruction ID: 9f05b5f340b24a2f6182efb6dd2e1b9e30dd095e636982c927593d6ab8990955
Opcode Fuzzy Hash: 2dee600b7924ddb8c40f2d50f189348612b6530be4cc7469c0f91503617051f7
Instruction Fuzzy Hash: BE41DF3A94438D8FCB74DF78899A3CA3BA5FF14240F04496ADE8AD7216D334CB408B61

Uniqueness

Uniqueness Score: -1.00%

Function 02B68E55, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b65dbc424545db3222756733f2fa5ed5f81dfc20afa4241797b512fc14bc38c
Instruction ID: e7676588f6a0f82d934a4a3c10af2940d117b4331c075cf289b09c6d7b627d7f
Opcode Fuzzy Hash: 2b65dbc424545db3222756733f2fa5ed5f81dfc20afa4241797b512fc14bc38c
Instruction Fuzzy Hash: 68014B74211284CFCB74CF18C9D8AEA73B1BF99350F11806AE90A8B361D734AA01DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02B65CA0, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02B6898D, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.748823935.0000000002B60000.00000040.00000001.sdmp, Offset: 02B60000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f84bbf5ac4b1f52860dc617b197b7169fb7004d7de0e900cbc69e5fb681edac9
Instruction ID: ed3ef1cdfb3c2142d98170f7bba5d0ecf9c8083f6f68053bb722e70878a3bad3
Opcode Fuzzy Hash: f84bbf5ac4b1f52860dc617b197b7169fb7004d7de0e900cbc69e5fb681edac9
Instruction Fuzzy Hash: B8B002792516408FC655CE19C195F8173A5BB45A50B915594E81187B11D269E9008950

Uniqueness

Uniqueness Score: -1.00%

Function 0041FEA0, Relevance: 101.9, APIs: 56, Strings: 2, Instructions: 417COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041FF01
__vbaStrCat.MSVBVM60(0040422C,00404224), ref: 0041FF11
__vbaStrMove.MSVBVM60 ref: 0041FF22
__vbaI4Str.MSVBVM60(00000000), ref: 0041FF25
#537.MSVBVM60(00000000), ref: 0041FF2C
__vbaStrMove.MSVBVM60 ref: 0041FF37
__vbaStrCmp.MSVBVM60(00402D14,00000000), ref: 0041FF3F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FF59
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041FF7D
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0041FFA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000108), ref: 0041FFD6
__vbaFreeObj.MSVBVM60 ref: 0041FFDB
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0041FFF3
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00420018
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000130), ref: 0042003E
__vbaStrMove.MSVBVM60 ref: 00420049
__vbaFreeObj.MSVBVM60 ref: 00420052
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0042006A
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0042008F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000118), ref: 004200B5
__vbaFreeObj.MSVBVM60 ref: 004200BA
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 004200D2
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,0000001C), ref: 004200F7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D18,00000064), ref: 00420119
__vbaFreeObj.MSVBVM60 ref: 0042011E
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 0042013E
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 00420163
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,00000070), ref: 00420183
__vbaFreeObj.MSVBVM60 ref: 00420188
__vbaStrCat.MSVBVM60(0040423C,00404234), ref: 00420198
__vbaStrMove.MSVBVM60 ref: 004201A9
#514.MSVBVM60(?,00000002), ref: 004201B1
__vbaStrMove.MSVBVM60 ref: 004201BC
__vbaStrCmp.MSVBVM60(00402AB8,00000000), ref: 004201C4
__vbaFreeStr.MSVBVM60 ref: 004201D7
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 004201F8
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000014), ref: 0042021D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B24,0000013C), ref: 00420264
__vbaFreeObj.MSVBVM60 ref: 0042026D
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042027D
__vbaStrVarMove.MSVBVM60(?), ref: 00420287
__vbaStrMove.MSVBVM60 ref: 00420298
__vbaFreeVar.MSVBVM60 ref: 0042029D
#706.MSVBVM60(00000001,00000000,00000000), ref: 004202A9
__vbaStrMove.MSVBVM60 ref: 004202B4
__vbaNew2.MSVBVM60(00402B14,00421390), ref: 004202C9
__vbaHresultCheckObj.MSVBVM60(00000000,0223ED94,00402B04,00000038,?,?,?,?,?,?,?,?), ref: 00420333
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00420341
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042034F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00420358
__vbaFreeStr.MSVBVM60(004203C3), ref: 004203A0
__vbaFreeStr.MSVBVM60 ref: 004203A5
__vbaFreeStr.MSVBVM60 ref: 004203AA
__vbaFreeStr.MSVBVM60 ref: 004203AF
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004203B7
__vbaFreeStr.MSVBVM60 ref: 004203C0

Strings

Lovndringen3, xrefs: 004202ED
UNANTAGONISINGS, xrefs: 00420241

Memory Dump Source

Source File: 00000001.00000002.744426508.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.744414671.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.744464205.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.744472089.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#514#537#539#706CopyDestructListVar2
String ID: Lovndringen3$UNANTAGONISINGS
API String ID: 3105435306-1607536084
Opcode ID: 6f136368a3214a748e2a5152ac2d932fa1d0acf23e3cbe2e14b872c1e024ca5a
Instruction ID: ee658ddb9bf2d247c84b98adcba05174215b30c03423817b7f1b520eb49f3866
Opcode Fuzzy Hash: 6f136368a3214a748e2a5152ac2d932fa1d0acf23e3cbe2e14b872c1e024ca5a
Instruction Fuzzy Hash: D6E18171E40214AFDB14DFA4DD89EADBBB8FF58704F20402AF505B72A0DB746945CB68

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Documentos de env#U00edo.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Documentos de env#U00edo.exe PID: 5064 Parent PID: 5556

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Documentos de env#U00edo.exe PID: 5064 Parent PID: 5556 Documentos de env#U00edo.exeCOMMON

Executed Functions

Function 004014B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13
COMMON