Play interactive tour

Edit tour

Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Sample Name:	7keerHhHvn.exe
Analysis ID:	458550
MD5:	782783574d2d4b67666b77b686c2e673
SHA1:	8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256:	0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
Tags:	exeMalware
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

7keerHhHvn.exe (PID: 5616 cmdline: 'C:\Users\user\Desktop\7keerHhHvn.exe' MD5: 782783574D2D4B67666B77B686C2E673)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://onedrive.live.com/download?cid=6D6F7"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://onedrive.live.com/download?cid=6D6F7"}

Multi AV Scanner detection for submitted file

Show sources

Source: 7keerHhHvn.exe

Virustotal: Detection: 25%

Perma Link

Machine Learning detection for sample

Show sources

Source: 7keerHhHvn.exe

Joe Sandbox ML: detected

Source: 7keerHhHvn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://onedrive.live.com/download?cid=6D6F7

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Code function: 0_2_004028BC GetAsyncKeyState,

0_2_004028BC

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76825 NtAllocateVirtualMemory,	0_2_02D76825
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7687F NtAllocateVirtualMemory,	0_2_02D7687F
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D769A7 NtAllocateVirtualMemory,	0_2_02D769A7

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76825	0_2_02D76825
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D794D7	0_2_02D794D7
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D792D3	0_2_02D792D3
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76EDC	0_2_02D76EDC
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D798C4	0_2_02D798C4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D714C4	0_2_02D714C4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74ACE	0_2_02D74ACE
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D78ECA	0_2_02D78ECA
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D746CA	0_2_02D746CA
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73CF4	0_2_02D73CF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74AF4	0_2_02D74AF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7A0FC	0_2_02D7A0FC
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D730F8	0_2_02D730F8
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D72AEE	0_2_02D72AEE
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AEBF	0_2_02D7AEBF
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D706BD	0_2_02D706BD
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D792BA	0_2_02D792BA
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D72AAE	0_2_02D72AAE
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79E57	0_2_02D79E57
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7245B	0_2_02D7245B
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D72C58	0_2_02D72C58
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AE46	0_2_02D7AE46
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73445	0_2_02D73445
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74C43	0_2_02D74C43
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7304D	0_2_02D7304D
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7687F	0_2_02D7687F
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7A478	0_2_02D7A478
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D75262	0_2_02D75262
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74817	0_2_02D74817
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7A015	0_2_02D7A015
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73219	0_2_02D73219
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73018	0_2_02D73018
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D71218	0_2_02D71218
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74234	0_2_02D74234
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74A23	0_2_02D74A23
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7082B	0_2_02D7082B
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D70FDD	0_2_02D70FDD
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79BD9	0_2_02D79BD9
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D715C7	0_2_02D715C7
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D78DC3	0_2_02D78DC3
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73FC9	0_2_02D73FC9
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73BF4	0_2_02D73BF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D793FA	0_2_02D793FA
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73FF9	0_2_02D73FF9
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74FF9	0_2_02D74FF9
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76FE2	0_2_02D76FE2
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76D95	0_2_02D76D95
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79D9A	0_2_02D79D9A
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D70F85	0_2_02D70F85
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73D83	0_2_02D73D83
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79B89	0_2_02D79B89
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D76DB1	0_2_02D76DB1
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AFBE	0_2_02D7AFBE
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7B3BA	0_2_02D7B3BA
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D745B8	0_2_02D745B8
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D747AE	0_2_02D747AE
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7ADAB	0_2_02D7ADAB
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AF52	0_2_02D7AF52
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74551	0_2_02D74551
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7655D	0_2_02D7655D
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AD47	0_2_02D7AD47
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D71174	0_2_02D71174
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D72D70	0_2_02D72D70
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74970	0_2_02D74970
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7417B	0_2_02D7417B
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74D78	0_2_02D74D78
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D71F6E	0_2_02D71F6E
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7156A	0_2_02D7156A
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74F07	0_2_02D74F07
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7090B	0_2_02D7090B
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7490B	0_2_02D7490B
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D74B36	0_2_02D74B36
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7AD35	0_2_02D7AD35
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D71331	0_2_02D71331
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D72B31	0_2_02D72B31
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73325	0_2_02D73325
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79F2C	0_2_02D79F2C

Source: 7keerHhHvn.exe, 00000000.00000002.761350467.0000000002270000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe, 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe
Source: 7keerHhHvn.exe	Binary or memory string: OriginalFilenameAbsurditiesun.exe vs 7keerHhHvn.exe

Source: 7keerHhHvn.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\7keerHhHvn.exe

File created: C:\Users\user\AppData\Local\Temp\~DF8F1F4DFF04104EF7.TMP

Jump to behavior

Source: 7keerHhHvn.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\7keerHhHvn.exe

File read: C:\$Recycle.Bin\S-1-5-21-3853321935-2125563209-4053062332-1002\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 7keerHhHvn.exe

Virustotal: Detection: 25%

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4a04656d-52aa-49de-8a09-cb178760e748}\InProcServer32

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_004066EE push edx; iretd		0_2_004066EF
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_00407D67 push es; ret		0_2_00407D68

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D70FDD		0_2_02D70FDD
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D70F85		0_2_02D70F85

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe

RDTSC instruction interceptor: First address: 0000000002D76090 second address: 0000000002D76090 instructions: 0x00000000 rdtsc 0x00000002 mov eax, D06691AFh 0x00000007 xor eax, 51795B17h 0x0000000c sub eax, E89895FEh 0x00000011 sub eax, 988734B9h 0x00000016 cpuid 0x00000018 jmp 00007FDE10E500D6h 0x0000001a test bx, 62F2h 0x0000001f popad 0x00000020 call 00007FDE10E5008Ch 0x00000025 lfence 0x00000028 mov edx, 3126F457h 0x0000002d xor edx, A11635D2h 0x00000033 xor edx, 122A2AF9h 0x00000039 xor edx, FDE4EB68h 0x0000003f mov edx, dword ptr [edx] 0x00000041 lfence 0x00000044 ret 0x00000045 cmp dh, ch 0x00000047 sub edx, esi 0x00000049 ret 0x0000004a test ah, dh 0x0000004c pop ecx 0x0000004d add edi, edx 0x0000004f dec ecx 0x00000050 mov dword ptr [ebp+0000017Ch], 339F83C1h 0x0000005a sub dword ptr [ebp+0000017Ch], 00B60B54h 0x00000064 sub dword ptr [ebp+0000017Ch], 2594365Ah 0x0000006e add dword ptr [ebp+0000017Ch], F2AABDEDh 0x00000078 cmp ecx, dword ptr [ebp+0000017Ch] 0x0000007e jne 00007FDE10E4FFD4h 0x00000084 jmp 00007FDE10E500E2h 0x00000086 test ch, dh 0x00000088 mov dword ptr [ebp+00000274h], edi 0x0000008e mov edi, ecx 0x00000090 push edi 0x00000091 mov edi, dword ptr [ebp+00000274h] 0x00000097 call 00007FDE10E500F4h 0x0000009c call 00007FDE10E50108h 0x000000a1 lfence 0x000000a4 mov edx, 3126F457h 0x000000a9 xor edx, A11635D2h 0x000000af xor edx, 122A2AF9h 0x000000b5 xor edx, FDE4EB68h 0x000000bb mov edx, dword ptr [edx] 0x000000bd lfence 0x000000c0 ret 0x000000c1 mov esi, edx 0x000000c3 pushad 0x000000c4 rdtsc

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Code function: 0_2_02D73ED1 rdtsc

0_2_02D73ED1

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\7keerHhHvn.exe

Code function: 0_2_02D73ED1 rdtsc

0_2_02D73ED1

Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D75EA3 mov eax, dword ptr fs:[00000030h]	0_2_02D75EA3
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D78C1A mov eax, dword ptr fs:[00000030h]	0_2_02D78C1A
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73018 mov eax, dword ptr fs:[00000030h]	0_2_02D73018
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D73BF4 mov eax, dword ptr fs:[00000030h]	0_2_02D73BF4
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D79D9A mov eax, dword ptr fs:[00000030h]	0_2_02D79D9A
Source: C:\Users\user\Desktop\7keerHhHvn.exe	Code function: 0_2_02D7915A mov eax, dword ptr fs:[00000030h]	0_2_02D7915A

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: 7keerHhHvn.exe, 00000000.00000002.761089547.0000000000D80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture11	Security Software Discovery31	Remote Services	Input Capture11	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	File and Directory Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery21	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
7keerHhHvn.exe	26%	Virustotal		Browse
7keerHhHvn.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://onedrive.live.com/download?cid=6D6F7	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	458550
Start date:	03.08.2021
Start time:	14:35:22
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	7keerHhHvn.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.9% (good quality ratio 0.5%) Quality average: 7.6% Quality standard deviation: 17.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.460043863848558
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	7keerHhHvn.exe
File size:	143360
MD5:	782783574d2d4b67666b77b686c2e673
SHA1:	8eeec0963fa7eaf3115335c03315ecc203babf9b
SHA256:	0d2aeb4a2f85b9bf8ae3990a3ddea5a242d0db5186263e3ccf2435bbc48ec478
SHA512:	1e500c34d0a1cb7d53661a5759c9d1325a119d86813fd4204f6586b5bf5d16fbf774c694ab6ae367567c38fa38077dd8f1b47991245afa4b6ba5292b235839fa
SSDEEP:	3072:S5CCbi+/47tQatuMBmrBeMn5m4vvt6g58:Ai+/g/tuMQlzVntV
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...S..Q.....................0....................@................

File Icon


Icon Hash:	c4e8c8cccce0e8e8

Static PE Info

General
Entrypoint:	0x4014b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x51ACB753 [Mon Jun 3 15:33:39 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fef384fc3a66a559dff455f07d497ca0

Entrypoint Preview

Instruction
push 00401F54h
call 00007FDE10A7E923h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax-67h], dl
sbb esi, dword ptr [ebx+4EFEB052h]
stosb
sbb cl, byte ptr [ecx+74h]
ret
test dword ptr [edx], esi
in al, dx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
inc esi
popad
insb
jc 00007FDE10A7E995h
insb
jne 00007FDE10A7E99Fh
imul esi, dword ptr [eax+eax], 00000000h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add bh, dl
movsb
add al, 03h
pop eax
movsd
test byte ptr [ebx-43h], 00000048h
dec eax
inc ebp
ror dl, 0000002Fh
and al, byte ptr [edx+6Eh]
mov al, 41h
fistp word ptr [ecx+43h]
xchg eax, edi
sti
push ebx
mov ebx, 3AE1F6F1h
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc al, 09h
add byte ptr [eax], al
wbinvd
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebp+4Fh], cl
inc ecx
dec esi
dec ecx
inc esi
add byte ptr [54000901h], cl
jne 00007FDE10A7E9A0h
insd
je 00007FDE10A7E994h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x206f4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x23000	0xc20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x190	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1fcec	0x20000	False	0.384429931641	data	6.7545432225	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x21000	0x11bc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x23000	0xc20	0x1000	False	0.314453125	data	3.28015845724	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x23378	0x8a8	data
RT_GROUP_ICON	0x23364	0x14	data
RT_VERSION	0x230f0	0x274	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaR4Str, DllFunctionCall, _adj_fpatan, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaR8Str, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Absurditiesun
FileVersion	1.00
CompanyName	Intersection Road
Comments	Intersection Road
ProductName	Unrapedb6
ProductVersion	1.00
OriginalFilename	Absurditiesun.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: 7keerHhHvn.exe PID: 5616 Parent PID: 5568

General

Start time:	14:36:30
Start date:	03/08/2021
Path:	C:\Users\user\Desktop\7keerHhHvn.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\7keerHhHvn.exe'
Imagebase:	0x400000
File size:	143360 bytes
MD5 hash:	782783574D2D4B67666B77B686C2E673
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 7keerHhHvn.exe PID: 5616 Parent PID: 5568 7keerHhHvn.exeCOMMON

Executed Functions

Function 02D76825, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 275memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(184E2E24,?,292225E7), ref: 02D76A36

Strings

%"), xrefs: 02D7696D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: %")
API String ID: 2167126740-4040776497
Opcode ID: e251f150dd8009eda7ce0d4c82daa565a36acb92bba18f4693e3c554202fe369
Instruction ID: da93daa0ae65bf7ff43f61d6a74bb089dfc52f0ac5cd64adb69275f6598541f7
Opcode Fuzzy Hash: e251f150dd8009eda7ce0d4c82daa565a36acb92bba18f4693e3c554202fe369
Instruction Fuzzy Hash: AE91AA716192468FDB25CE78CC817DEBBA2EF4A310F48512DD889CB352E339D846CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D7687F, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(184E2E24,?,292225E7), ref: 02D76A36

Strings

%"), xrefs: 02D7696D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: %")
API String ID: 2167126740-4040776497
Opcode ID: 15fe126a73c11d7d00eef491df125f4a00a0dd925405f02cd06193bddd049567
Instruction ID: e566c66719e7cfb2edfcd2a0ec039a1c2e049741b04e5a3821803fb136bfcdc1
Opcode Fuzzy Hash: 15fe126a73c11d7d00eef491df125f4a00a0dd925405f02cd06193bddd049567
Instruction Fuzzy Hash: 88517B3967A1225ECB25CE7C9C806DEBB62AB5A310F4C613DDC84DB597C336D50B9AC0

Uniqueness

Uniqueness Score: -1.00%

Function 02D769A7, Relevance: 1.6, APIs: 1, Instructions: 148memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(184E2E24,?,292225E7), ref: 02D76A36

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 2826e29c082e63ce735a965a79b4109e90fcac8b85a5bc96fc4b9a406e950bd6
Instruction ID: 292d0850417c4834019133db26e500cbd94c6ecb446382811091b32dfadbe64f
Opcode Fuzzy Hash: 2826e29c082e63ce735a965a79b4109e90fcac8b85a5bc96fc4b9a406e950bd6
Instruction Fuzzy Hash: 3E41DE396BF1221DCB16CD7D5C805DDAB61AB6A320F0CB03D9884CB9ABC22AD40B65D0

Uniqueness

Uniqueness Score: -1.00%

Function 004028BC, Relevance: 1.3, Strings: 1, Instructions: 8COMMON

Download Yara Rule

Strings

<(@, xrefs: 004028C7

Memory Dump Source

Source File: 00000000.00000002.760729739.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760713631.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760783815.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: <(@
API String ID: 0-4189137628
Opcode ID: 854ea2ce09db3f9e10127e121eb418d098cf5d34699b5f469a218a40a45b8bf2
Instruction ID: 84dd5c788f114089ab07f8fa4e30c9533cb85419f053b1b3cccda8feee6a3e66
Opcode Fuzzy Hash: 854ea2ce09db3f9e10127e121eb418d098cf5d34699b5f469a218a40a45b8bf2
Instruction Fuzzy Hash: 08B012253A4101BAFA20E2544E069342381AA447C03388D37F401F11E0CBFCCC00853D

Uniqueness

Uniqueness Score: -1.00%

Function 00416800, Relevance: 246.6, APIs: 121, Strings: 19, Instructions: 1564COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00402CF0,00000002), ref: 00416922
#591.MSVBVM60(00000002), ref: 00416943
__vbaStrMove.MSVBVM60 ref: 00416951
__vbaStrCat.MSVBVM60(00402AB0,Inte,00000000), ref: 00416968
__vbaStrMove.MSVBVM60 ref: 00416972
__vbaStrCat.MSVBVM60(00402AB8,00000000), ref: 0041697E
__vbaStrMove.MSVBVM60 ref: 00416988
__vbaStrCat.MSVBVM60(00402AC0,00000000), ref: 00416994
__vbaStrMove.MSVBVM60 ref: 0041699E
__vbaStrCmp.MSVBVM60(00000000), ref: 004169A5
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 004169D3
__vbaFreeVar.MSVBVM60 ref: 004169E2
#535.MSVBVM60 ref: 004169F1
#554.MSVBVM60 ref: 004169F9
#648.MSVBVM60(0000000A), ref: 00416A1A
__vbaFreeVar.MSVBVM60 ref: 00416A26
_adj_fdiv_m64.MSVBVM60(425C0000), ref: 00416A56
__vbaFpI4.MSVBVM60(43530000,?,425C0000), ref: 00416A80
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402768,000002C0,?,425C0000), ref: 00416AB4
__vbaVarDup.MSVBVM60(?,425C0000), ref: 00416ADA
#645.MSVBVM60(00000002,00000000), ref: 00416AE8
__vbaStrMove.MSVBVM60(?,425C0000), ref: 00416AF6
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 00416B08
__vbaSetSystemError.MSVBVM60(00000000), ref: 00416B16
#554.MSVBVM60(?,425C0000), ref: 00416B2F
#648.MSVBVM60(0000000A), ref: 00416B50
__vbaFreeVar.MSVBVM60(?,425C0000), ref: 00416B5C
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00416B70
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00416B98
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,0000013C), ref: 00416C02
__vbaFreeObj.MSVBVM60 ref: 00416C0E
__vbaVarDup.MSVBVM60 ref: 00416C62
#595.MSVBVM60(0000000A,00000000,?,?,?), ref: 00416C85
__vbaFreeVarList.MSVBVM60(00000004,0000000A,?,?,?), ref: 00416CA9
__vbaSetSystemError.MSVBVM60 ref: 00416CC0
__vbaRedim.MSVBVM60(00000080,00000001,?,00000011,00000001,000000E3,00000000), ref: 00416CEB
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D0B
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D18
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D42
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D4F
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D79
__vbaGenerateBoundsError.MSVBVM60 ref: 00416D86
__vbaGenerateBoundsError.MSVBVM60 ref: 00416DB0
__vbaGenerateBoundsError.MSVBVM60 ref: 00416DBD
__vbaGenerateBoundsError.MSVBVM60 ref: 00416DE7
__vbaGenerateBoundsError.MSVBVM60 ref: 00416DF4
__vbaGenerateBoundsError.MSVBVM60 ref: 00416E1E
__vbaGenerateBoundsError.MSVBVM60 ref: 00416E2B
__vbaGenerateBoundsError.MSVBVM60 ref: 00416E55
__vbaGenerateBoundsError.MSVBVM60 ref: 00416E62
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00416E84
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00416EAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000C8), ref: 00416EDC
__vbaFreeObj.MSVBVM60 ref: 00416EE8
#705.MSVBVM60(00000002,00000000), ref: 00416F0A
__vbaStrMove.MSVBVM60 ref: 00416F1B
__vbaFreeVar.MSVBVM60 ref: 00416F23
__vbaVarDup.MSVBVM60 ref: 00416F9B
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00416FD2
__vbaStrMove.MSVBVM60 ref: 00416FE0
__vbaFreeVarList.MSVBVM60(00000007,00000002,?,?,?,?,?,?), ref: 00417015
__vbaStrToAnsi.MSVBVM60(?,splurge,00000000), ref: 00417031
__vbaStrToAnsi.MSVBVM60(?,Udskylningen8,00000000,00000000), ref: 00417041
__vbaSetSystemError.MSVBVM60(00000000,00000000,00000000), ref: 00417051
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041707B
__vbaOnError.MSVBVM60(00000000), ref: 00417B92
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00417BAA
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00417BD2
__vbaHresultCheckObj.MSVBVM60(00000000,00006878,00402B2C,00000140), ref: 00417C02
__vbaFreeObj.MSVBVM60 ref: 00417C0E
#571.MSVBVM60(000000A7), ref: 00417C19
__vbaSetSystemError.MSVBVM60(00000000), ref: 00417C25
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402798,000006F8), ref: 00417C5A
__vbaStrCopy.MSVBVM60 ref: 00417CF7
__vbaFreeStr.MSVBVM60 ref: 00417D51
__vbaStrCopy.MSVBVM60 ref: 00417D62
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402798,000006FC), ref: 00417DC9
__vbaFreeStr.MSVBVM60 ref: 00417DD5
__vbaStrCopy.MSVBVM60 ref: 00417E0E
__vbaFreeStr.MSVBVM60 ref: 00417E63
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402768,000002B4), ref: 00417E84
__vbaVarForInit.MSVBVM60(?,?,?,?,00000003,00000008), ref: 00417EE6
__vbaVarForNext.MSVBVM60(?,?,?), ref: 00417F08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402798,00000700), ref: 00417F25
__vbaStrToAnsi.MSVBVM60(?,Saturnale,007C533E), ref: 00417F3C
__vbaSetSystemError.MSVBVM60(00000000), ref: 00417F4E
__vbaFreeStr.MSVBVM60 ref: 00417F6E
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00417F8F
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00417FB7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000C0), ref: 00417FE7
__vbaFreeObj.MSVBVM60 ref: 00417FF3
#535.MSVBVM60 ref: 00417FF9
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00418013
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041803B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000138), ref: 0041806B
__vbaFreeObj.MSVBVM60 ref: 00418077
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402768,00000254), ref: 0041809D
__vbaStrToAnsi.MSVBVM60(?,tenodynia,00564E24,006E96F2), ref: 004180B9
__vbaSetSystemError.MSVBVM60(0020D311,0062033C,00000000), ref: 004180D5
__vbaFreeStr.MSVBVM60 ref: 004180F5
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00418116
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041813E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,0000013C), ref: 004181AE
__vbaFreeObj.MSVBVM60 ref: 004181BE
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 004181D6
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 004181FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000078), ref: 00418224
__vbaFreeObj.MSVBVM60 ref: 0041822C
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00418255
__vbaStrMove.MSVBVM60 ref: 00418260
__vbaFreeVar.MSVBVM60 ref: 0041826C
__vbaLateMemCall.MSVBVM60(?,O23LzRvYz94dcuxxifrC105,00000003), ref: 00418305
__vbaFreeVarList.MSVBVM60(00000002,?,?,004183F7), ref: 00418399
__vbaFreeVar.MSVBVM60 ref: 004183A5
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004183B8
__vbaFreeStr.MSVBVM60 ref: 004183C3
__vbaAryDestruct.MSVBVM60(00000000,005FFFC2), ref: 004183D6
__vbaFreeObj.MSVBVM60 ref: 004183DB
__vbaFreeStr.MSVBVM60 ref: 004183E4
__vbaFreeStr.MSVBVM60 ref: 004183EC
__vbaFreeStr.MSVBVM60 ref: 004183F4

Strings

O23LzRvYz94dcuxxifrC105, xrefs: 004182FC
Paw7, xrefs: 00417E34
Betyngedes8, xrefs: 00417E03
Saturnale, xrefs: 00417F30
hjlpeklassens, xrefs: 00416BDE
Udskylningen8, xrefs: 00417035
LETTERFORM, xrefs: 00417CC2
Hemiageusia, xrefs: 0041804D
HYPASPIST, xrefs: 00416ABA
Macromastia, xrefs: 00418184
Grnseegnes, xrefs: 00418286
Overflyvningens, xrefs: 00417D3F
tenodynia, xrefs: 004180AD
Nubia, xrefs: 00417CE6
splurge, xrefs: 0041701F
SLEEVING, xrefs: 00417D57
Refuserende, xrefs: 00416F7B
Incarnant, xrefs: 00416C42
Inte, xrefs: 00416958

Memory Dump Source

Source File: 00000000.00000002.760729739.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760713631.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760783815.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Error$CheckHresult$BoundsGenerate$Move$New2$System$List$Ansi$Copy$#535#554#648Destruct$#571#591#595#596#645#702#705CallConstruct2InitLateNextRedim_adj_fdiv_m64
String ID: Betyngedes8$Grnseegnes$HYPASPIST$Hemiageusia$Incarnant$Inte$LETTERFORM$Macromastia$Nubia$O23LzRvYz94dcuxxifrC105$Overflyvningens$Paw7$Refuserende$SLEEVING$Saturnale$Udskylningen8$hjlpeklassens$splurge$tenodynia
API String ID: 462913989-2394078402
Opcode ID: 39e942ed0e82d2b9ba66a65d50084819abccf68128297cf6d5e4e4d051b15eeb
Instruction ID: 61796747a290345acdd9cce58841a92a21937aee52f1ccf4a0467bf6d7a91c5c
Opcode Fuzzy Hash: 39e942ed0e82d2b9ba66a65d50084819abccf68128297cf6d5e4e4d051b15eeb
Instruction Fuzzy Hash: BCF22674E102189BCB14CF54C988BDEFBB5FF48300F1481AAE9196B361D771A986CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041A760, Relevance: 168.6, APIs: 89, Strings: 7, Instructions: 605COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041A7E5
__vbaAryConstruct2.MSVBVM60(?,00402DF4,00000003), ref: 0041A7F6
__vbaStrCat.MSVBVM60(00402D60,00402D58), ref: 0041A80C
__vbaStrMove.MSVBVM60 ref: 0041A819
__vbaStrCat.MSVBVM60(11:1,00000000), ref: 0041A821
__vbaStrMove.MSVBVM60 ref: 0041A82B
__vbaStrCat.MSVBVM60(00402D58,00000000), ref: 0041A833
#547.MSVBVM60(?,?), ref: 0041A853
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041A87B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041A891
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041A8A7
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041A8CB
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041A8F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000E8), ref: 0041A92A
__vbaStrMove.MSVBVM60 ref: 0041A935
__vbaFreeObj.MSVBVM60 ref: 0041A941
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041A959
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041A981
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000130), ref: 0041A9AA
__vbaStrMove.MSVBVM60 ref: 0041A9B5
__vbaFreeObj.MSVBVM60 ref: 0041A9C1
#593.MSVBVM60(00000008), ref: 0041A9E2
__vbaFreeVar.MSVBVM60 ref: 0041A9F0
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AA08
__vbaCastObj.MSVBVM60(?,00402D8C,cimbrer), ref: 0041AA24
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AA32
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000040), ref: 0041AA4C
__vbaFreeObj.MSVBVM60 ref: 0041AA58
__vbaR4Str.MSVBVM60(00402D58), ref: 0041AA69
__vbaStrCat.MSVBVM60(00402D58,19:), ref: 0041AA8A
__vbaStrMove.MSVBVM60 ref: 0041AA97
__vbaStrCat.MSVBVM60(9:19,00000000), ref: 0041AA9F
__vbaStrMove.MSVBVM60 ref: 0041AAA9
#541.MSVBVM60(00000008,00000000), ref: 0041AAB3
__vbaStrVarMove.MSVBVM60(00000008), ref: 0041AAC0
__vbaStrMove.MSVBVM60 ref: 0041AACB
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041AADA
__vbaFreeVar.MSVBVM60 ref: 0041AAE9
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AB01
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041AB2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000068), ref: 0041AB5D
__vbaFreeObj.MSVBVM60 ref: 0041AB65
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AB7D
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041ABA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000E0), ref: 0041ABCE
__vbaStrMove.MSVBVM60 ref: 0041ABD9
__vbaFreeObj.MSVBVM60 ref: 0041ABE5
__vbaVarDup.MSVBVM60 ref: 0041AC0B
#600.MSVBVM60(00000008,00000002), ref: 0041AC1A
__vbaFreeVar.MSVBVM60 ref: 0041AC28
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AC40
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041AC6E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000050), ref: 0041AC99
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041ACA0
__vbaFreeStr.MSVBVM60 ref: 0041ACB2
__vbaFreeObj.MSVBVM60 ref: 0041ACBE
#703.MSVBVM60(00000008,000000FF,000000FE,000000FE,000000FE), ref: 0041AD3F
__vbaStrMove.MSVBVM60 ref: 0041AD4A
__vbaFreeVar.MSVBVM60 ref: 0041AD56
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AD6E
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041AD96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000E0), ref: 0041ADBF
__vbaStrMove.MSVBVM60 ref: 0041ADCA
__vbaFreeObj.MSVBVM60 ref: 0041ADD6
__vbaFpI4.MSVBVM60 ref: 0041ADE7
__vbaHresultCheckObj.MSVBVM60(00000000,001B8FEF,00402768,000002C8), ref: 0041AE23
#675.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000008,?), ref: 0041AE75
__vbaFpR8.MSVBVM60 ref: 0041AE7B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?), ref: 0041AEAC
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0041AED0
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0041AEF8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,000000D0), ref: 0041AF21
__vbaStrMove.MSVBVM60 ref: 0041AF2C
__vbaFreeObj.MSVBVM60 ref: 0041AF38
#535.MSVBVM60 ref: 0041AF3E
#546.MSVBVM60(00000008), ref: 0041AF4D
__vbaVarMove.MSVBVM60 ref: 0041AF5C
#580.MSVBVM60(Drikkeautomat3,00000001), ref: 0041AF69
__vbaFreeStr.MSVBVM60(0041B021), ref: 0041AFD1
__vbaFreeStr.MSVBVM60 ref: 0041AFD6
__vbaFreeStr.MSVBVM60 ref: 0041AFDB
__vbaFreeVar.MSVBVM60 ref: 0041AFE0
__vbaFreeStr.MSVBVM60 ref: 0041AFE9
__vbaFreeStr.MSVBVM60 ref: 0041AFEE
__vbaFreeStr.MSVBVM60 ref: 0041AFF3
__vbaFreeStr.MSVBVM60 ref: 0041AFF8
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0041B00C
__vbaFreeObj.MSVBVM60 ref: 0041B015
__vbaFreeStr.MSVBVM60 ref: 0041B01E

Strings

11:1, xrefs: 0041A81C
19:, xrefs: 0041AA80
Drikkeautomat3, xrefs: 0041AF64
9:19, xrefs: 0041AA9A
ibolium, xrefs: 0041ABF7
H.2, xrefs: 0041ACD9
cimbrer, xrefs: 0041AA19

Memory Dump Source

Source File: 00000000.00000002.760729739.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760713631.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760783815.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#535#541#546#547#580#593#600#675#703CastConstruct2CopyDestruct
String ID: 11:1$19:$9:19$Drikkeautomat3$H.2$cimbrer$ibolium
API String ID: 1210936626-4072088996
Opcode ID: dfa522912c19ed985d1b3b8854b945d7104ab7c743a3a3fc12a21a7664d09c84
Instruction ID: e0955473a909bdd118f2304df0bb60d5535242a9b4a843d43a89be626dd17050
Opcode Fuzzy Hash: dfa522912c19ed985d1b3b8854b945d7104ab7c743a3a3fc12a21a7664d09c84
Instruction Fuzzy Hash: 82327D70900228AFCB14DF64DD88FAE7B79FB58704F10816AF509B72A0DB746989CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004014B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON

Download Yara Rule

C-Code - Quality: 58%

			_entry_(signed int __eax, void* __edx) {
				intOrPtr* _t4;

				_push("VB5!6&*"); // executed
				L004014AC(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t4 = __eax + 1;
				 *_t4 =  *_t4 + _t4;
				 *_t4 =  *_t4 + _t4;
				 *_t4 =  *_t4 + _t4;
				 *((intOrPtr*)(_t4 - 0x67)) =  *((intOrPtr*)(_t4 - 0x67)) + __edx;
				_push(_t4);
				asm("cdq");
				asm("sbb esi, [ebx+0x4efeb052]");
				asm("stosb");
				asm("sbb cl, [ecx+0x74]");
				return _t4;
			}

0x004014b4
0x004014b9
0x004014be
0x004014c0
0x004014c2
0x004014c4
0x004014c6
0x004014c8
0x004014c9
0x004014cb
0x004014cd
0x004014cf
0x004014d0
0x004014d1
0x004014d2
0x004014d8
0x004014d9
0x004014dc

APIs

#100.MSVBVM60(VB5!6&*), ref: 004014B9

Strings

VB5!6&*, xrefs: 004014B4

Memory Dump Source

Source File: 00000000.00000002.760729739.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760713631.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760783815.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: f9a369825811fe3b073e14d52b67bba001dfce771bce519c4e6be976d96989b3
Instruction ID: 124524015ac70137d9850915aa5dd8ba8e14d9e4c930b32304e528de1f8bfc34
Opcode Fuzzy Hash: f9a369825811fe3b073e14d52b67bba001dfce771bce519c4e6be976d96989b3
Instruction Fuzzy Hash: E1E02B6595E3C10ECB23937989610A23F708D43A2430B01EBC6D0EF4B3D16C680ECB26

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02D76D95, Relevance: 7.3, Strings: 5, Instructions: 1095COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
R<, xrefs: 02D70ABD
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: #$42q5$9J_Z$R<$|ZU
API String ID: 2167126740-3689709888
Opcode ID: 2158b44078ced37fffd163467612162e97be951be3c34fcb8f6a84ae75e75232
Instruction ID: 9ab23d0e2929ceb9d34f8b08eed364baac1ab4766c678402f4fc4d86d4e29405
Opcode Fuzzy Hash: 2158b44078ced37fffd163467612162e97be951be3c34fcb8f6a84ae75e75232
Instruction Fuzzy Hash: 84A2DDB2604389DFDB749F28CD85BEA7BB2FF55340F458529DC899B210E7348A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D78DC3, Relevance: 5.8, Strings: 4, Instructions: 753COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 15d0329374b5452f9c0aaca06e35ee0e4617dcf367a085e108473f1aa7d6502c
Instruction ID: 161fbb34e9ea546c34d1041cc85771e98a0713d167e704d3e52eb5c325995faa
Opcode Fuzzy Hash: 15d0329374b5452f9c0aaca06e35ee0e4617dcf367a085e108473f1aa7d6502c
Instruction Fuzzy Hash: E162CCB66143899FCB748F38CD85BDA7BB2FF59310F458129EC899B211D3349A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D745B8, Relevance: 5.7, Strings: 4, Instructions: 679COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 019c4067d15e973c2f9e149d486a196bbf40a550b3f2a91c2a7c2b4e2d83837a
Instruction ID: 6d45522df4ab5389ad37f1f2a63757fd335e1f74534e16f9653471423b9e2fb4
Opcode Fuzzy Hash: 019c4067d15e973c2f9e149d486a196bbf40a550b3f2a91c2a7c2b4e2d83837a
Instruction Fuzzy Hash: 2452DEB66143899FDB748F38CD857DABBB2FF55310F458129DC899B210D3389A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D79B89, Relevance: 5.7, Strings: 4, Instructions: 674COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: de356029860d214dc6408139fa6cac22f211f0c0c52c4cb1b0c69e738732de65
Instruction ID: 7719a1f8dfd49dadb7d9c624e63858ea37b0514cb06d278b780b8ae8bf45bbf1
Opcode Fuzzy Hash: de356029860d214dc6408139fa6cac22f211f0c0c52c4cb1b0c69e738732de65
Instruction Fuzzy Hash: 2352BCB26043899FDB748F39CD957DA7BB2FF49310F858119EC899B210D3749A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D7B3BA, Relevance: 5.7, Strings: 4, Instructions: 663COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: fe86df891e9451a60ed44dd12e510caa6fb3ba831414334c8f4e27c3d77eb5f1
Instruction ID: 08ca56ec6a23fcfe158e01646af344ac7ad25cda0b8cf59ada7d2dcdb3bc340b
Opcode Fuzzy Hash: fe86df891e9451a60ed44dd12e510caa6fb3ba831414334c8f4e27c3d77eb5f1
Instruction Fuzzy Hash: BA52BCB26043899FDB748F39CD95BDA7BB2FF45350F858119EC899B210D3749A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D70F85, Relevance: 5.7, Strings: 4, Instructions: 655COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F
}l?, xrefs: 02D71B3E
Hs<, xrefs: 02D71148
yp, xrefs: 02D711F8

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: Fz;P$Hs<$yp$}l?
API String ID: 2167126740-993634627
Opcode ID: b83bd5032c03fa8f294bbc53195f6e40be5e8672459ced38f3717f8d6a96299a
Instruction ID: d0faa68b41c99fada0bbaaf0f6793b1fe781796ae732cb4a95c5c43f6b5cb520
Opcode Fuzzy Hash: b83bd5032c03fa8f294bbc53195f6e40be5e8672459ced38f3717f8d6a96299a
Instruction Fuzzy Hash: 3A420072A04289DFDF349E69CD987EE37A6EF99350F55412ADC4D9B300E7348A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02D746CA, Relevance: 5.6, Strings: 4, Instructions: 637COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: f7e32bcd0a02b19f30fd725523575ae06eb07e6c81b5da1846166e7abfbf1b45
Instruction ID: 2f6d84d4919c9bff05aaa290eb631b754103a3f4e1c18b472f4da7c240541008
Opcode Fuzzy Hash: f7e32bcd0a02b19f30fd725523575ae06eb07e6c81b5da1846166e7abfbf1b45
Instruction Fuzzy Hash: 8A42CCB66143899FDB748F38CD85BDABBB2FF45310F458129DC899B610D3389A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D747AE, Relevance: 5.6, Strings: 4, Instructions: 597COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 97b9f791d0b1fe64a8e5ee506f3e92b8a8aa72f60020ce0d59c278fdd441ecb9
Instruction ID: 7d459aeea7405bac6413ef10079a46282c5b4fa2972a07d6568613a833bbc8fc
Opcode Fuzzy Hash: 97b9f791d0b1fe64a8e5ee506f3e92b8a8aa72f60020ce0d59c278fdd441ecb9
Instruction Fuzzy Hash: B642CBB66143899FDB748F38CD55BEA7BB2FF45310F458129EC899B210D3389A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D74817, Relevance: 5.6, Strings: 4, Instructions: 592COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: d30501a28430df0ae975d0072e068380cf4b620a60f52e1016165cfe58c7ac65
Instruction ID: 337201dc948cd9069aa7571053972c4627b52c3681551be2c4f0961786dad6fc
Opcode Fuzzy Hash: d30501a28430df0ae975d0072e068380cf4b620a60f52e1016165cfe58c7ac65
Instruction Fuzzy Hash: 9642DDB66153899FCB748F38CD45BDABBB2FF45310F448129EC899B211D3389A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D74970, Relevance: 5.5, Strings: 4, Instructions: 543COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: b4876a9a937a13220eb792c5221cd9e381080011763036de61327581d377a5f1
Instruction ID: 75d4ee7a5465578b60a8d83e7fce6b10770e65a38df3380fd1b7771a5355ff8b
Opcode Fuzzy Hash: b4876a9a937a13220eb792c5221cd9e381080011763036de61327581d377a5f1
Instruction Fuzzy Hash: B232FFB66153499FCB748F38CD857DABBB2FF55310F448129EC899B211E3389A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02D7490B, Relevance: 5.5, Strings: 4, Instructions: 517COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 913597e914174d0cf03e583f47ef3accda647fa2b2f9b71d56f90eea921d330e
Instruction ID: 78d465ce17b9ad242b44712ec0099478de74fb4bf10fdbb937c41d6df13b63dd
Opcode Fuzzy Hash: 913597e914174d0cf03e583f47ef3accda647fa2b2f9b71d56f90eea921d330e
Instruction Fuzzy Hash: 7A32BBB26143899FDB748F38CD45BDA7BB2FF45310F458129EC899B210E3789A85CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D74A23, Relevance: 5.5, Strings: 4, Instructions: 501COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 15a9b69fc4ba7a66b130532866ff9dcb06f4b805747d08baa7347912e7c651c8
Instruction ID: f9bb347211035af835d33c0fdf84cfd59ebd51aed44e3012c8ffb6ee02095d08
Opcode Fuzzy Hash: 15a9b69fc4ba7a66b130532866ff9dcb06f4b805747d08baa7347912e7c651c8
Instruction Fuzzy Hash: 2922CCB66143899FCB748F38CD857DA7BB2FF55310F458219EC899B210E3749A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D74B36, Relevance: 5.5, Strings: 4, Instructions: 485COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: e30b76688940fc85dfeafea4db30a5c8997c9e9316891277f2a6f88e00a82243
Instruction ID: 33e6f097b33ef96a65d994dafa4e0a09446d3986ed0206bddbc01294507a60b3
Opcode Fuzzy Hash: e30b76688940fc85dfeafea4db30a5c8997c9e9316891277f2a6f88e00a82243
Instruction Fuzzy Hash: 2E220EB66143499FCB748F38CD857DABBB2FF55310F448229DC899B211E3349A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02D74AF4, Relevance: 5.5, Strings: 4, Instructions: 480COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: 3fd357b31c6c2b755ab1ae4f1d6dd5f8ed24be606080fc20d6d382ac6407f23f
Instruction ID: 436ea97aedba54e631e6263ef910cac38921de5f437e66ef4d7be94855d32d39
Opcode Fuzzy Hash: 3fd357b31c6c2b755ab1ae4f1d6dd5f8ed24be606080fc20d6d382ac6407f23f
Instruction Fuzzy Hash: 5222EDB66143899FCB748F38CD457DA7BB2FF55310F448229DC899B210E3389A85CB82

Uniqueness

Uniqueness Score: -1.00%

Function 02D74ACE, Relevance: 5.5, Strings: 4, Instructions: 459COMMON

Download Yara Rule

Strings

|ZU, xrefs: 02D74BF5
42q5, xrefs: 02D74BD1
#, xrefs: 02D74C0E
9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: #$42q5$9J_Z$|ZU
API String ID: 0-3236545199
Opcode ID: db8bbf1dc4314cb9f35138e680a3eaf799e194ef420af96beafcb2105abe29cd
Instruction ID: 7c760326becf8ae6618b88f3e63311103632253791619f6811894895f6390def
Opcode Fuzzy Hash: db8bbf1dc4314cb9f35138e680a3eaf799e194ef420af96beafcb2105abe29cd
Instruction Fuzzy Hash: 9E12CCB66043899FDB748F38CD457EA7BB2FF45350F458219EC899B210E3789A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02D70FDD, Relevance: 4.2, Strings: 3, Instructions: 429COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F
Hs<, xrefs: 02D71148
yp, xrefs: 02D711F8

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P$Hs<$yp
API String ID: 0-4040894826
Opcode ID: 526264c5ab7132079b033908c655e9df452be439ed4ada93cb1e26a628da3bbe
Instruction ID: 99251ae3c26847096be8fe32a583e8bde0e3d9716d15a39b7c3f809de4198961
Opcode Fuzzy Hash: 526264c5ab7132079b033908c655e9df452be439ed4ada93cb1e26a628da3bbe
Instruction Fuzzy Hash: BDF1567261429ADFCB349E398C887EE77A2EF95350F48812ECC4D8B345D7348A85CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D73018, Relevance: 3.2, Strings: 2, Instructions: 658COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD
(1c, xrefs: 02D73194

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (1c$R<
API String ID: 0-2891271855
Opcode ID: 3bf74c2f106d2173d04ed5066b8cec8b6275333d0464148e8a7a5e21f7013284
Instruction ID: 76b07af134f360f579204fab8542d95853c82dad8cdcbaf8669639f4fdda1395
Opcode Fuzzy Hash: 3bf74c2f106d2173d04ed5066b8cec8b6275333d0464148e8a7a5e21f7013284
Instruction Fuzzy Hash: 04428B71A04399DFDB64DF28C894BEAB7A5FF48310F45422ADC899B301E774AE41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D71174, Relevance: 2.9, Strings: 2, Instructions: 365COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F
yp, xrefs: 02D711F8

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P$yp
API String ID: 0-3100668206
Opcode ID: 3291fe13487877d7834098685733b4e62a4285581c35fdffe0e6e097619ee1d0
Instruction ID: 29f7b15dd70ee7de5745357d990e2599c55cf57184f0130358b4793cebfdca4e
Opcode Fuzzy Hash: 3291fe13487877d7834098685733b4e62a4285581c35fdffe0e6e097619ee1d0
Instruction Fuzzy Hash: 7ED18772A1435A9FCB349E758C847EE77A3EF95350F09812ECC8A9B345D3388946CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D79D9A, Relevance: 1.9, Strings: 1, Instructions: 604COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: c316076de3f2ba2137e5523d908802888f9d3a7405ff80e0fbaffb386d4c3dd2
Instruction ID: 147c2450cd9ad8e381590826d2ca4a715a18379c98c98751fdc5d40cb7697307
Opcode Fuzzy Hash: c316076de3f2ba2137e5523d908802888f9d3a7405ff80e0fbaffb386d4c3dd2
Instruction Fuzzy Hash: EE42F7715083C58FDB35DF38C8987DA7BA2AF56310F45829EC8998F396E3358942CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02D74C43, Relevance: 1.7, Strings: 1, Instructions: 446COMMON

Download Yara Rule

Strings

9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 9J_Z
API String ID: 0-1744279888
Opcode ID: 424b494e19cd0224097f6736cbba8accf4b662c8355335ab7faff9cdefcb43c1
Instruction ID: 74d0400027cf616e8f89c8460ef4bb832585c742766d8eabf4932c40a6a2ca7f
Opcode Fuzzy Hash: 424b494e19cd0224097f6736cbba8accf4b662c8355335ab7faff9cdefcb43c1
Instruction Fuzzy Hash: 2A120F766143899FCB748E38CD85BDE7BB2FF59310F44812DEC899B255E3348A858B42

Uniqueness

Uniqueness Score: -1.00%

Function 02D74D78, Relevance: 1.7, Strings: 1, Instructions: 405COMMON

Download Yara Rule

Strings

9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 9J_Z
API String ID: 0-1744279888
Opcode ID: 61fbeb2a84afca4321a59571bb92680b99c983bf4cbc1fea87c4167182889034
Instruction ID: 633aa9c5ec002d96b30080e779847ed7c19850fc8c35d535454a9ec4925672d0
Opcode Fuzzy Hash: 61fbeb2a84afca4321a59571bb92680b99c983bf4cbc1fea87c4167182889034
Instruction Fuzzy Hash: B6F110B66153899FCB348E38CD857DA7BB2FF59310F44812DEC89DB251D3358A868B42

Uniqueness

Uniqueness Score: -1.00%

Function 02D7304D, Relevance: 1.6, Strings: 1, Instructions: 353COMMON

Download Yara Rule

Strings

(1c, xrefs: 02D73194

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (1c
API String ID: 0-1449613226
Opcode ID: 699e7a6d2175abc4e2ded540cb0b8e2f57cefeb4de4037199b09d7dd9f187fc3
Instruction ID: 2be5f43696760427e9cdbefc6dfb00aedd8b62a68bd906e36cd3faca8c15da28
Opcode Fuzzy Hash: 699e7a6d2175abc4e2ded540cb0b8e2f57cefeb4de4037199b09d7dd9f187fc3
Instruction Fuzzy Hash: 5FE1BB71A047899FDB68CF28C895BDAB7A2FF48310F45422EDC9C9B301D774AA51CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D71218, Relevance: 1.6, Strings: 1, Instructions: 345COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P
API String ID: 0-2441382839
Opcode ID: 2befe0482de9fd1d39d425cc417423f9dd706d987f1d678d4c804b933a67ef61
Instruction ID: 5d178103aff8402abc5b4d2e35704090f4de791ac16799273617580a1ea257bd
Opcode Fuzzy Hash: 2befe0482de9fd1d39d425cc417423f9dd706d987f1d678d4c804b933a67ef61
Instruction Fuzzy Hash: DEC19972A0439A9FCB349E358D847EE77A3EF95350F09412ECC8A9B345D3348A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D74F07, Relevance: 1.6, Strings: 1, Instructions: 341COMMON

Download Yara Rule

Strings

9J_Z, xrefs: 02D74F6D

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 9J_Z
API String ID: 0-1744279888
Opcode ID: 897d09f62e9cba95cd2532bcb23e929f726a567fe99b277a800e0b5f1f1d2f29
Instruction ID: bc472f95a489e7ad1da7c9d2a94759bd82e281ad82d7a10364b334d9a8923610
Opcode Fuzzy Hash: 897d09f62e9cba95cd2532bcb23e929f726a567fe99b277a800e0b5f1f1d2f29
Instruction Fuzzy Hash: 6DE100B66152499FDB34CE38CC857DA7BB2FF58300F848129EC89CB255D3358A868B41

Uniqueness

Uniqueness Score: -1.00%

Function 02D730F8, Relevance: 1.6, Strings: 1, Instructions: 339COMMON

Download Yara Rule

Strings

(1c, xrefs: 02D73194

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: (1c
API String ID: 0-1449613226
Opcode ID: c4afcec75fc357163f72301563fceca03a92d9f4adbc9da3125295765d83ebf2
Instruction ID: 75cb07acdfd45c8e8d1ce657ad9a0f678640aa4edcdcb300275c8ef788a5bdf7
Opcode Fuzzy Hash: c4afcec75fc357163f72301563fceca03a92d9f4adbc9da3125295765d83ebf2
Instruction Fuzzy Hash: CBE1BD75A047569FCB28CF28C894BDAB7A1FF48310F48822EDC98DB701D774AA55DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D71331, Relevance: 1.6, Strings: 1, Instructions: 307COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P
API String ID: 0-2441382839
Opcode ID: eebb14c93590db7a1bfd5cf60c1226df1f456acd9e92c4fd25996f43a687dfa3
Instruction ID: f05cd590c45c4f90313ba562b4e97dfb66fc6f2e15adf3e81dde65c2fba96eb3
Opcode Fuzzy Hash: eebb14c93590db7a1bfd5cf60c1226df1f456acd9e92c4fd25996f43a687dfa3
Instruction Fuzzy Hash: 5AB1AA3261425A9FCB34DE348C857EE77A2EF95350F08412ECC8D9B345D3388A46CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D7417B, Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: 1c7128e62330237b9ea3363009cd1bc00a02a5aa0b95f0f573974f97f8359239
Instruction ID: d77e64477b4c728799ddc28e8ecf0a58f04c00f7791e08d10352636d74ca9e22
Opcode Fuzzy Hash: 1c7128e62330237b9ea3363009cd1bc00a02a5aa0b95f0f573974f97f8359239
Instruction Fuzzy Hash: BEA12271A05388CFDB388F68D9957EA77B2AF48344F41422ECC8A5B740E7789E41CB46

Uniqueness

Uniqueness Score: -1.00%

Function 02D71F6E, Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: d995684b434bc797baa700622a715113bdf7c4318bbdf43c01b892145f20073a
Instruction ID: 235d517dbc48812d6a6ef8c02c9e60796ea4ca997bbd96a556f09a639747da28
Opcode Fuzzy Hash: d995684b434bc797baa700622a715113bdf7c4318bbdf43c01b892145f20073a
Instruction Fuzzy Hash: 2BA1D171A04398DFCB249F28CC947EA77A5EF48300F45452EAC89AB250E7744E81CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AD35, Relevance: 1.5, Strings: 1, Instructions: 233COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: 1ba74e5ae4e468cdc207b9e2a1f7ed9deb141c9c9b3a73b91a36f7b9257d68e8
Instruction ID: b900e7dc14b8ab0cf6d4d118b25e53b444a6e0bb0887eaf622851fdd610b7524
Opcode Fuzzy Hash: 1ba74e5ae4e468cdc207b9e2a1f7ed9deb141c9c9b3a73b91a36f7b9257d68e8
Instruction Fuzzy Hash: E591DF31605289CFDB78DE29CD997DA7BB2EF95310F50812ADC4E8B315E3348A45CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D72B31, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

WtR, xrefs: 02D72E16

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WtR
API String ID: 0-940300173
Opcode ID: 9fe4f228e2ceae9157daa75d8f59ed68ab5b5b1e37768da540757852dbca4046
Instruction ID: 30e735c1fd359e91381f5de913346a7f3e777ab5ada09e3cd4ab33180a1423d7
Opcode Fuzzy Hash: 9fe4f228e2ceae9157daa75d8f59ed68ab5b5b1e37768da540757852dbca4046
Instruction Fuzzy Hash: 0E8127766192459FCB78CE288C547EF77E3AFD9310F08812E9C49CB396D7349A028A51

Uniqueness

Uniqueness Score: -1.00%

Function 02D72AAE, Relevance: 1.5, Strings: 1, Instructions: 222COMMON

Download Yara Rule

Strings

WtR, xrefs: 02D72E16

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WtR
API String ID: 0-940300173
Opcode ID: e10d8baec66f2712028ace5934074e6f982ae2996fe85f54e725c74e962e2190
Instruction ID: 7d0dc68ae8cd0ef280ec4c9d2416c159e9af0882e9db2f0f3ae8696f5b22a7f7
Opcode Fuzzy Hash: e10d8baec66f2712028ace5934074e6f982ae2996fe85f54e725c74e962e2190
Instruction Fuzzy Hash: 0F81E071A143889FDB78CE28CC686EB77E6AFD8340F15852E9C498B354E7349A41CA51

Uniqueness

Uniqueness Score: -1.00%

Function 02D72AEE, Relevance: 1.5, Strings: 1, Instructions: 213COMMON

Download Yara Rule

Strings

WtR, xrefs: 02D72E16

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WtR
API String ID: 0-940300173
Opcode ID: b7d0c08ed2b0e95078d9f9390ac5e03f1435f500912ed4e439517c5e62c6806d
Instruction ID: c35306f0e6e30153eb2cb1ddcb73a95d5bc37df2f14971757f1420b72a467a46
Opcode Fuzzy Hash: b7d0c08ed2b0e95078d9f9390ac5e03f1435f500912ed4e439517c5e62c6806d
Instruction Fuzzy Hash: E181C071A143489FDB78CE28CD687EB77E6AF99300F04852E9C898B354E7749A41CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02D714C4, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P
API String ID: 0-2441382839
Opcode ID: 47596d86e4fc05f01f7b6f960639bbec2b02fd9f66b0180468ea05240b2e899d
Instruction ID: 78c2a6bf392b657cf2cb38bc1ba163979748db00a249584a1f6b2a176f6668d9
Opcode Fuzzy Hash: 47596d86e4fc05f01f7b6f960639bbec2b02fd9f66b0180468ea05240b2e899d
Instruction Fuzzy Hash: 0E71557250468ADBCF349E6089897EE77A6EF51354F01852ECC4E9B304E7388A81CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AD47, Relevance: 1.5, Strings: 1, Instructions: 205COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: efddc1d6996211f584a4e02c822e4b240cf191e604224424b8c5d9cfc3e6fe0c
Instruction ID: c2ba37fa5201ee394ed1e072d593a79acfe2240f168a14441037f8d2b2158482
Opcode Fuzzy Hash: efddc1d6996211f584a4e02c822e4b240cf191e604224424b8c5d9cfc3e6fe0c
Instruction Fuzzy Hash: BF7125352062498FCB39DE39CC947DE7BA2AF95314F54C02ECC4ACB756D3389946CA91

Uniqueness

Uniqueness Score: -1.00%

Function 02D715C7, Relevance: 1.5, Strings: 1, Instructions: 203COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P
API String ID: 0-2441382839
Opcode ID: 745ff185c078456ac09539104ef5c59ef8a9c8f4d10723314a083315c1505506
Instruction ID: d20b62ba7e9fe31ef646946efc98ae42e75c942e8dda62f2c0c7e248864337da
Opcode Fuzzy Hash: 745ff185c078456ac09539104ef5c59ef8a9c8f4d10723314a083315c1505506
Instruction Fuzzy Hash: 8361C9326582569FCF349E748D857EE7763EF62310F08442ECC899B245D3388D4AC742

Uniqueness

Uniqueness Score: -1.00%

Function 02D7ADAB, Relevance: 1.5, Strings: 1, Instructions: 201COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: 6db8ac7a79ad981d36637b6e0bf9e53283f40b4517ee7ef486c3a92572192edd
Instruction ID: c2033a86bea5471392d4463603d673cabc31795d15c5742662b737789965febc
Opcode Fuzzy Hash: 6db8ac7a79ad981d36637b6e0bf9e53283f40b4517ee7ef486c3a92572192edd
Instruction Fuzzy Hash: 6B7124352062498FCB35DE39CC947DE7BA2AF95314F54C02ACC4ACB76AD3389946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AE46, Relevance: 1.4, Strings: 1, Instructions: 193COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: 0ccfcf583677ff57dd0a9d1fc2df8e5b2972c5a8c6d45f8923a1f25176f0df8f
Instruction ID: df5a41b2b43189d61e56cbfcd15dd4e53f065b41cf3cd8672f5272482de3818a
Opcode Fuzzy Hash: 0ccfcf583677ff57dd0a9d1fc2df8e5b2972c5a8c6d45f8923a1f25176f0df8f
Instruction Fuzzy Hash: BD6145352162458FCB35DE39CC947DE7BA2AF95314F58C02ACC4ACB666D339D946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02D7156A, Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

Fz;P, xrefs: 02D7187F

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Fz;P
API String ID: 0-2441382839
Opcode ID: 301ab09dc4fbcfef00c262b915f8fc7969c15d88f988fc2b5f27a5f87a48423d
Instruction ID: 7e014fdad7b18c06b19b342b10a95d21c049701205aeec5bdf0a774d52cac075
Opcode Fuzzy Hash: 301ab09dc4fbcfef00c262b915f8fc7969c15d88f988fc2b5f27a5f87a48423d
Instruction Fuzzy Hash: CC717732904689DFDB349E7189997EE77A6EF92350F05452ECC8D9B304E7388E85CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02D706BD, Relevance: 1.4, Strings: 1, Instructions: 184COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: e16653855a1c0368dbcd162c7d591da13929936b2629e24d126b10a9fb8e4b8f
Instruction ID: 8eef1dd009716b680dbbff31d4f8de67952da22fe6550ca5ae2a5830f1aa7817
Opcode Fuzzy Hash: e16653855a1c0368dbcd162c7d591da13929936b2629e24d126b10a9fb8e4b8f
Instruction Fuzzy Hash: F261F071A04398CFCB64AF68C8847EA7BA5EF59340F51452EDC899B741E7708E82CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AEBF, Relevance: 1.4, Strings: 1, Instructions: 182COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: 2273eee8d96093bcf0f301ae54bb89d2ceab6e15c2b51e55e16f5c91a1e8b94c
Instruction ID: 283b5700189804a366660ce644ec9f717b39c9d2cbffca3f32aa6e6203132136
Opcode Fuzzy Hash: 2273eee8d96093bcf0f301ae54bb89d2ceab6e15c2b51e55e16f5c91a1e8b94c
Instruction Fuzzy Hash: D66157352162468FCB35DE39C8903DE7BA2AF95314F58C02ECC4ACB666D339D946CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02D72C58, Relevance: 1.4, Strings: 1, Instructions: 179COMMON

Download Yara Rule

Strings

WtR, xrefs: 02D72E16

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WtR
API String ID: 0-940300173
Opcode ID: ba53c27f00aede11ab76a86f364187d105d3495a5d877dea7ebdb252d3bb40e6
Instruction ID: 662181ab92ba438ceb16de66c6669707877a0054c5390c8b682c26a4026331e7
Opcode Fuzzy Hash: ba53c27f00aede11ab76a86f364187d105d3495a5d877dea7ebdb252d3bb40e6
Instruction Fuzzy Hash: 1E5136767292559FCB38CE288C547EF77A3AFD9700F08812EDC49CB396D7349A068A51

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AF52, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: d9164f40fa8ba3d31873c4483dd7ce7a29d4099aaf2da0d46f3c00e5bb02acbf
Instruction ID: 859f9fb280916774df6598fc658821d97fddc3423c6cc51ea1cb4865f11e028e
Opcode Fuzzy Hash: d9164f40fa8ba3d31873c4483dd7ce7a29d4099aaf2da0d46f3c00e5bb02acbf
Instruction Fuzzy Hash: 905148342162468FCB35DE38C8917DE7BA2AF55314F58D02ECC49CB66AD335D94ACB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D7245B, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: R<
API String ID: 2167126740-1254899179
Opcode ID: e7e768978864d96957593133e6a6f1fbbe2e7b847917d2da007250b2512d41bd
Instruction ID: 4e2b41624aef90bcd24ab2894da13ad42787d20f9c7e7767e8b6fcbecf7133c0
Opcode Fuzzy Hash: e7e768978864d96957593133e6a6f1fbbe2e7b847917d2da007250b2512d41bd
Instruction Fuzzy Hash: EB6102B5A003989FCB249F68CC907EA77A1EF09300F91452EDC8A9B740E7748E41CB96

Uniqueness

Uniqueness Score: -1.00%

Function 02D7AFBE, Relevance: 1.4, Strings: 1, Instructions: 164COMMON

Download Yara Rule

Strings

/, xrefs: 02D7B137

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: /
API String ID: 0-1245174789
Opcode ID: 852765774b8defb31db19f964ff80c0176f66fd358448bfad352f160e6cb8395
Instruction ID: 0196588e3e96f4e4082fd829e95d4654ab9e4641b45dceb9a637c70cc9686efb
Opcode Fuzzy Hash: 852765774b8defb31db19f964ff80c0176f66fd358448bfad352f160e6cb8395
Instruction Fuzzy Hash: 1B5156342562468FCB34DE38C8847DE7BB2AF55314F58D02ACC49CB66AD339C94ACA90

Uniqueness

Uniqueness Score: -1.00%

Function 02D7082B, Relevance: 1.4, Strings: 1, Instructions: 159COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: b2f6cf58e47023ca08041ff7694884521149ee97478a63732c4e18388349ce5d
Instruction ID: 90aa36c99d167740a778948f98b2af1533fc46a456d5bd1b95bec0c01ca504dc
Opcode Fuzzy Hash: b2f6cf58e47023ca08041ff7694884521149ee97478a63732c4e18388349ce5d
Instruction Fuzzy Hash: 95517B75A293658FCB14DE388C806EDBBB0AF19310F49552EDC86DB682D7358D46CBC2

Uniqueness

Uniqueness Score: -1.00%

Function 02D7090B, Relevance: 1.4, Strings: 1, Instructions: 134COMMON

Download Yara Rule

Strings

R<, xrefs: 02D70ABD

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R<
API String ID: 0-1254899179
Opcode ID: bd5004a3b056c045f721a738a0cca9ce8016c1aa4a2d193f036f9decf153e841
Instruction ID: da87c6684e1a80b7d5a0f59e52b14ebc921e6f09b8390fdb692f8ac8f6db148c
Opcode Fuzzy Hash: bd5004a3b056c045f721a738a0cca9ce8016c1aa4a2d193f036f9decf153e841
Instruction Fuzzy Hash: A6414A36A692759FCB14DE389C806ED7B609F19310F0D563DAC85DB682D735CD0687C1

Uniqueness

Uniqueness Score: -1.00%

Function 02D72D70, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

WtR, xrefs: 02D72E16

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: WtR
API String ID: 0-940300173
Opcode ID: ecbefd41f30fd0cbaf7de336f7c8cacc7da2022da72962154ba8437dc50cca63
Instruction ID: 9717419922cb1277d3d7e59089dc5b742be8fa1c94386537902a2379a0a9e08e
Opcode Fuzzy Hash: ecbefd41f30fd0cbaf7de336f7c8cacc7da2022da72962154ba8437dc50cca63
Instruction Fuzzy Hash: A94178366292554FCB28CD398C50ADFA7A3AFE9700F0C952D9C89CB296D734CA068990

Uniqueness

Uniqueness Score: -1.00%

Function 02D78ECA, Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

dXU, xrefs: 02D78ECE

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: dXU
API String ID: 0-2720300462
Opcode ID: 750a7ab7387054d886d3c3df2f5c380ffd83b302cfb30927ac4069e3312b981f
Instruction ID: e7d13431db74ba7b864a896c5dd98803dbf0b79f07db9d1c6f31531e5d2eabc4
Opcode Fuzzy Hash: 750a7ab7387054d886d3c3df2f5c380ffd83b302cfb30927ac4069e3312b981f
Instruction Fuzzy Hash: FB412275645389AFDB758E798C887CB77B2AF59350F608029DC8DCB305E3348901EB62

Uniqueness

Uniqueness Score: -1.00%

Function 02D79BD9, Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

8, xrefs: 02D79C88

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 8
API String ID: 0-406019892
Opcode ID: 119e413d30fc7d97e1589d9e5088d6f299c8596edf12b3fbb911afe0e16878f1
Instruction ID: 81d86bf9f3e806a15478501ba112c8363f52125974a64cd3f478334993f4312d
Opcode Fuzzy Hash: 119e413d30fc7d97e1589d9e5088d6f299c8596edf12b3fbb911afe0e16878f1
Instruction Fuzzy Hash: 28318F36609349CBCF34CE79C9E07E773A2AF5A304F95812E994E9B305E6349842C656

Uniqueness

Uniqueness Score: -1.00%

Function 02D74FF9, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08d05458a2f2c14dd6176df11d201f47fd8fef1f68b72d180a8a8ff53c1d687
Instruction ID: fc2eda5574e2039940f265d42d0fcf79b8a6f118484a1bdb9a121e439a49237b
Opcode Fuzzy Hash: d08d05458a2f2c14dd6176df11d201f47fd8fef1f68b72d180a8a8ff53c1d687
Instruction Fuzzy Hash: B2D10EB66152489FDB398E38CC857DA7BB2FF49300F44812DEC89CB255D7398A868B41

Uniqueness

Uniqueness Score: -1.00%

Function 02D73219, Relevance: .3, Instructions: 306COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c6411cf916e285256ccf5aca7c70e9bac3721f0ef4e16ff2ba478f1b29a6644
Instruction ID: 133d649f9993d63f0b55597eebcf4d19481607ddfee770b9e527c16d570d74f4
Opcode Fuzzy Hash: 9c6411cf916e285256ccf5aca7c70e9bac3721f0ef4e16ff2ba478f1b29a6644
Instruction Fuzzy Hash: 93C1BF756082559FCB38CF28CC95BDAB7A2FF49310F48822EDC89DB312D7359A059B90

Uniqueness

Uniqueness Score: -1.00%

Function 02D79E57, Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 813e3403a62075098b470c1003e882e689ed654f0a05c6a785af56c2f67f9b8b
Instruction ID: 87002274ae54e3a210149340a6e0c6113c5acd992063ef34d18bb2137f9563d0
Opcode Fuzzy Hash: 813e3403a62075098b470c1003e882e689ed654f0a05c6a785af56c2f67f9b8b
Instruction Fuzzy Hash: B6B1B5211483C68ECB26CF3888887DABFD15F12224F4DC299C8998F2E7D3358506C756

Uniqueness

Uniqueness Score: -1.00%

Function 02D73325, Relevance: .2, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 86cc4307eb5fc321e1442fe4f41e5cb782656b75069711781b754c5987b42289
Instruction ID: f91d4ee47b1633f92d3fd691fbf8ba074fb45646282e7dbf56752ea704dfbe0d
Opcode Fuzzy Hash: 86cc4307eb5fc321e1442fe4f41e5cb782656b75069711781b754c5987b42289
Instruction Fuzzy Hash: F1A1CD756082559FCB28DF28CC95BDAB7A2FF48310F48422EDC89CB312D775AA05DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D76DB1, Relevance: .2, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 8b81c9ba70b562f4dcefc7ed9bacedd504dd157c33944359e7305c60911577f2
Instruction ID: caab9b29cd532cf336bdeae667b397afccc15feb6562ce4786f60a72dda463c5
Opcode Fuzzy Hash: 8b81c9ba70b562f4dcefc7ed9bacedd504dd157c33944359e7305c60911577f2
Instruction Fuzzy Hash: 85916672645386CFDB308E39CC807EEB7A2BF95300F48842DDC89AB255E7358A46CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02D792BA, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3922334b3ace89af12b70a7157e27f3b1e27dda6b411c49553e2b1ce3770a0c6
Instruction ID: 7c9cda064c4a8a89af454ab871f55d4bf2f21c9135946b69908efd7889dafb5c
Opcode Fuzzy Hash: 3922334b3ace89af12b70a7157e27f3b1e27dda6b411c49553e2b1ce3770a0c6
Instruction Fuzzy Hash: 21911272A04389DFDB308E69C9A43DA77A2EF55350F55022ECC4A9B744E7349E81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02D79F2C, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22884b74c7280d19313592098ce730953c0e87bda402926cff17518d1baad3b0
Instruction ID: d5650ac9deb9c8c76de20c09474ad46f6a13d1d6fa7c706b4a88c6826816297e
Opcode Fuzzy Hash: 22884b74c7280d19313592098ce730953c0e87bda402926cff17518d1baad3b0
Instruction Fuzzy Hash: C19108355483C68ECB35DF388C987DABBA19F12320F48C2A9C8998F2DBD3358506C756

Uniqueness

Uniqueness Score: -1.00%

Function 02D75262, Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29bfdded46858b9c0148f985b7aae2ef9caa434e112010ddf3b29109333ef246
Instruction ID: e390d088c266e96b38fc186d18323287cbdd139a3dad3af0ed5a84bfd90556f4
Opcode Fuzzy Hash: 29bfdded46858b9c0148f985b7aae2ef9caa434e112010ddf3b29109333ef246
Instruction Fuzzy Hash: 659112766552489FCB398E38CC847DE7BB2FF58300F48812DEC4D8B255D7398A468B81

Uniqueness

Uniqueness Score: -1.00%

Function 02D73BF4, Relevance: .2, Instructions: 209COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd939ba9bcdc3c018dc2942f95ea610963f365185796fea2ad1ddaafbd4ae29b
Instruction ID: 1415b637de831d1ddd186dda964fceb3c019904d6205cdc6ca73e6fa47971222
Opcode Fuzzy Hash: bd939ba9bcdc3c018dc2942f95ea610963f365185796fea2ad1ddaafbd4ae29b
Instruction Fuzzy Hash: 7491FD71605389DFDB74AF28C988BDABBB1FF19310F958129DC899B315E3349A40CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02D73445, Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84f17e289e43649797c2d6de2ba763c382e344f425859a3c6607f3081b68e33c
Instruction ID: eb3190eb226e6e87ed31712e63623a7937432b7df122975a306c0508d3fde054
Opcode Fuzzy Hash: 84f17e289e43649797c2d6de2ba763c382e344f425859a3c6607f3081b68e33c
Instruction Fuzzy Hash: 6271C1756142569FCB28CF28DC957DAB7A2FF48310F08822DDC89DB302D774AA15DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D76EDC, Relevance: .2, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cd1e03699d84cbde3d65fd229b387cc2a0283816a4c158e2125b4f8a4c7094
Instruction ID: ba9f2ecc32697701567eea06846c94916a20885d90a2a1cd4c418c758f8848b2
Opcode Fuzzy Hash: 64cd1e03699d84cbde3d65fd229b387cc2a0283816a4c158e2125b4f8a4c7094
Instruction Fuzzy Hash: 5E6135766553568FDB34CE38CC807EEB762BF95310F08842D9C89AB656E7348A42DB90

Uniqueness

Uniqueness Score: -1.00%

Function 02D7A015, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ebc6ee66009c8bfb0f78a1097ede592150d785022cf1fa294712709a9beba2a
Instruction ID: e1c19fc1ad2d42dff1b0fe5efb2805056aedeaef777452ff27e6075bc3afe9fd
Opcode Fuzzy Hash: 6ebc6ee66009c8bfb0f78a1097ede592150d785022cf1fa294712709a9beba2a
Instruction Fuzzy Hash: 337149351182868ECF35DE388C847EEBBA29F26320F48D26DCC858F29BD3358506C756

Uniqueness

Uniqueness Score: -1.00%

Function 02D7655D, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd0a8a39a4b3cbef7957e9f466893287fd3bd258db9614ec641da7e367d09ad
Instruction ID: bf08108cd13a91cb2546de9269bdc4bf536cafbbe930c6c45cdf829b5c9c65ce
Opcode Fuzzy Hash: 0cd0a8a39a4b3cbef7957e9f466893287fd3bd258db9614ec641da7e367d09ad
Instruction Fuzzy Hash: 70511271A053889FDB74DE28C999BEB77B2EF99350F90811ADC499B304E3348941CB22

Uniqueness

Uniqueness Score: -1.00%

Function 02D792D3, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f5d482129b7497f16a41d6027f03e2e32873af0ebbee8458f4d075386a537d7
Instruction ID: 70a6cd129f28f2f96b2ae1e81331b6bb2de2bf17e94960e323baf9f212bfa119
Opcode Fuzzy Hash: 9f5d482129b7497f16a41d6027f03e2e32873af0ebbee8458f4d075386a537d7
Instruction Fuzzy Hash: B15124725192569FCB30CE788C942DEBB72EF58310F48522ECC89DB686D335DA4AC781

Uniqueness

Uniqueness Score: -1.00%

Function 02D76FE2, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de093d9c4b204f8fcbd3093091d69a742a7c5766c48b8ae8c4747e8f4cbaeb23
Instruction ID: 41ba3af2954adb728b68d7f6b1b21c06990eac6f7a2afc9e3618b63c4be399a8
Opcode Fuzzy Hash: de093d9c4b204f8fcbd3093091d69a742a7c5766c48b8ae8c4747e8f4cbaeb23
Instruction Fuzzy Hash: 8951577655A3578FDB34CE388C807EEB761AF55310F08943D8C89EB646E3358A06DB80

Uniqueness

Uniqueness Score: -1.00%

Function 02D7A0FC, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f042edb1aa50f984a75779c2b4c38d8a2ae41d3fcd6264d0fdc08decbbc6f2e3
Instruction ID: abe186030679ea9c372cd4bc7e43ead74038436275c998c273025c709646ca2a
Opcode Fuzzy Hash: f042edb1aa50f984a75779c2b4c38d8a2ae41d3fcd6264d0fdc08decbbc6f2e3
Instruction Fuzzy Hash: 465129345182868DCF35DE388C847DDBBA29F66320F48D26DC8958F29BD3368507C655

Uniqueness

Uniqueness Score: -1.00%

Function 02D794D7, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 81c7b3f3e2c88f0079acab948c98b2e8920991368a23aa2b6591583042bc196e
Instruction ID: ffd8ae53f414599c673dde3829c5c937fa38663fa06db2e0dbb16639a273b2df
Opcode Fuzzy Hash: 81c7b3f3e2c88f0079acab948c98b2e8920991368a23aa2b6591583042bc196e
Instruction Fuzzy Hash: 8F511172619256DFCB34CE29CC906DEB772EF48310F48522E8C49DB696C335AA46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02D793FA, Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 10c80eda1db6cbb984f85dba49aed72cb0fc15489c648682cffa8803ff72d665
Instruction ID: d507bf16a07562c72123655a956b44505748459a39f65d8d14dc0655895be67d
Opcode Fuzzy Hash: 10c80eda1db6cbb984f85dba49aed72cb0fc15489c648682cffa8803ff72d665
Instruction Fuzzy Hash: CB511172619256DFCB30CE298C906DEB772AF58310F48522E8C49DB696C335AA46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02D73D83, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1922670a66681ba71a33228c420f61ba891836e567a975625f4d1a9c22082991
Instruction ID: 741cafe2d92dec8ae82b5588b74810c63f5c9bb12dac9583c443584b89348f84
Opcode Fuzzy Hash: 1922670a66681ba71a33228c420f61ba891836e567a975625f4d1a9c22082991
Instruction Fuzzy Hash: A4417D3536A3569FDB20DD3D8CC06DEBB61AF19320F88553D9CC4DB18BD33589069592

Uniqueness

Uniqueness Score: -1.00%

Function 02D74234, Relevance: .1, Instructions: 129COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20f60b723948fb893c15841c7f679243a20c4666d669e3a89cbcb136f56c1d03
Instruction ID: 80befa2c3a328bbac912b976367f7c8f67baf15f5818723e8cdfa121a2123318
Opcode Fuzzy Hash: 20f60b723948fb893c15841c7f679243a20c4666d669e3a89cbcb136f56c1d03
Instruction Fuzzy Hash: 66419D366563458FCB35CE69C8C16DA77B3BF89314F4C813E8C4A9B686D378E906D680

Uniqueness

Uniqueness Score: -1.00%

Function 02D7A478, Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 539efdbfa02fa4e18ae332f33a71f4d9c7e8e7529a65437c251628ae67e02f59
Instruction ID: fc2024a744e33093151c6d5364560d5b9078d1548a27afa25833111f268677fc
Opcode Fuzzy Hash: 539efdbfa02fa4e18ae332f33a71f4d9c7e8e7529a65437c251628ae67e02f59
Instruction Fuzzy Hash: FF412E3666C2914ECB25CD3988952DDAB729F62224F0CA53DC8C5CF6DBD739C50BC690

Uniqueness

Uniqueness Score: -1.00%

Function 02D73CF4, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9549859ee12533850402bbf6468128816a85962a70abf92b4c428d6760ad6c0b
Instruction ID: 2b7714275a5fcce440ef8b35c87874f318ad98725599e54873e78325249eb49c
Opcode Fuzzy Hash: 9549859ee12533850402bbf6468128816a85962a70abf92b4c428d6760ad6c0b
Instruction Fuzzy Hash: 99414471605388DFDB30AE39DEC47DAB7B1EF09350F90442ADD88AB208D3344A41CB06

Uniqueness

Uniqueness Score: -1.00%

Function 02D73FF9, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 036729575421a1225e2df4a482d41054b96c9a48df8098e4102278092e4c5e2c
Instruction ID: 4f122432b72c2c566a018f135edc57f2e2fdd66956150fa3e52ede2928a04741
Opcode Fuzzy Hash: 036729575421a1225e2df4a482d41054b96c9a48df8098e4102278092e4c5e2c
Instruction Fuzzy Hash: C231963526D2924ECF36CD7C4884ADAAF615B17224F4C93AD8CD5CF5EBD726900B8682

Uniqueness

Uniqueness Score: -1.00%

Function 02D73ED1, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f15ee6942137a615992d6488f34b7363f188ef50957af0589eb6ed02569e2c5
Instruction ID: 1e1d2577e6a753233b96d68ddbba7f1bf8379107aa87ac3ed3914f8aa624d4c0
Opcode Fuzzy Hash: 6f15ee6942137a615992d6488f34b7363f188ef50957af0589eb6ed02569e2c5
Instruction Fuzzy Hash: B521A43D27A1225DC711ED7D4C809DDEB21AF6A225F4CA03D9C84DB99BC729990B51D0

Uniqueness

Uniqueness Score: -1.00%

Function 02D798C4, Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47ee6ae051b003e2de22931c1ed44416e613ff4cddd62a630698d1d5ab279354
Instruction ID: 70b16ab762e58744d881faf6a6c83e634abb490cb44e1eba3df32b10a8502c1b
Opcode Fuzzy Hash: 47ee6ae051b003e2de22931c1ed44416e613ff4cddd62a630698d1d5ab279354
Instruction Fuzzy Hash: 362159B25142488BDF388E78CCA46EB7692EF98340F41812FD90BA7358EB758941CA52

Uniqueness

Uniqueness Score: -1.00%

Function 02D73FC9, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d11b027904ef70adf0b877f81c80d4e7558308331d7359ea5bf730138ecdbf9
Instruction ID: e291bc64ad363987a3e3e7ad9588892c59efe60f312b1e35408164ff558ba1c3
Opcode Fuzzy Hash: 8d11b027904ef70adf0b877f81c80d4e7558308331d7359ea5bf730138ecdbf9
Instruction Fuzzy Hash: 992173301087858BDF76CE78C888BD67BA1AF06324F58839DCCA94E2EBE7355542C746

Uniqueness

Uniqueness Score: -1.00%

Function 02D74551, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ecc0780188640d9f03e80b586550dfcdd6933e04a01b301f85871861640ad04
Instruction ID: 82fdcc8f1a6b60d592bcece5ca8e541e521e81c73134fbd2f3300dce16a9b02a
Opcode Fuzzy Hash: 1ecc0780188640d9f03e80b586550dfcdd6933e04a01b301f85871861640ad04
Instruction Fuzzy Hash: D911BFB66093899FCB209E7988D97CE77AABB1D200F824029AE8997205D3345E008B15

Uniqueness

Uniqueness Score: -1.00%

Function 02D7915A, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76d561f9085078dd4386f24ea2c3d5a838437030e73d1718fd6ff72ad116d0c7
Instruction ID: a02bb3df118520db29f9e08f5456e2ce7c45655f7a3ad8c6246d6103bb9900b7
Opcode Fuzzy Hash: 76d561f9085078dd4386f24ea2c3d5a838437030e73d1718fd6ff72ad116d0c7
Instruction Fuzzy Hash: 030104757056488FE738DF19C994ADA73A7AF99344F808069E809CB324E734DE54CA15

Uniqueness

Uniqueness Score: -1.00%

Function 02D75EA3, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02D78C1A, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.763490129.0000000002D70000.00000040.00000001.sdmp, Offset: 02D70000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baff1c3952350fd9ea67b4079668dddf862004f26d24f5a43bdd96e8119711e5
Instruction ID: 52dcc9ccb72dfddff0f6c3a0492acddae6cac3ea1ee9156ea5c87b89998eb81d
Opcode Fuzzy Hash: baff1c3952350fd9ea67b4079668dddf862004f26d24f5a43bdd96e8119711e5
Instruction Fuzzy Hash: 25B002756516408FCA56CE09C291F4573A5BB45A90B425494A4119BA12C265E900CA11

Uniqueness

Uniqueness Score: -1.00%

Function 004200C0, Relevance: 101.9, APIs: 56, Strings: 2, Instructions: 417COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420121
__vbaStrCat.MSVBVM60(00404234,0040422C), ref: 00420131
__vbaStrMove.MSVBVM60 ref: 00420142
__vbaI4Str.MSVBVM60(00000000), ref: 00420145
#537.MSVBVM60(00000000), ref: 0042014C
__vbaStrMove.MSVBVM60 ref: 00420157
__vbaStrCmp.MSVBVM60(00402D1C,00000000), ref: 0042015F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00420179
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0042019D
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 004201C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000108), ref: 004201F6
__vbaFreeObj.MSVBVM60 ref: 004201FB
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00420213
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00420238
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000130), ref: 0042025E
__vbaStrMove.MSVBVM60 ref: 00420269
__vbaFreeObj.MSVBVM60 ref: 00420272
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0042028A
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 004202AF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000118), ref: 004202D5
__vbaFreeObj.MSVBVM60 ref: 004202DA
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 004202F2
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,0000001C), ref: 00420317
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D20,00000064), ref: 00420339
__vbaFreeObj.MSVBVM60 ref: 0042033E
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 0042035E
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 00420383
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,00000070), ref: 004203A3
__vbaFreeObj.MSVBVM60 ref: 004203A8
__vbaStrCat.MSVBVM60(00404244,0040423C), ref: 004203B8
__vbaStrMove.MSVBVM60 ref: 004203C9
#514.MSVBVM60(?,00000002), ref: 004203D1
__vbaStrMove.MSVBVM60 ref: 004203DC
__vbaStrCmp.MSVBVM60(00402AC0,00000000), ref: 004203E4
__vbaFreeStr.MSVBVM60 ref: 004203F7
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 00420418
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000014), ref: 0042043D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B2C,0000013C), ref: 00420484
__vbaFreeObj.MSVBVM60 ref: 0042048D
#539.MSVBVM60(?,00000001,00000001,00000001), ref: 0042049D
__vbaStrVarMove.MSVBVM60(?), ref: 004204A7
__vbaStrMove.MSVBVM60 ref: 004204B8
__vbaFreeVar.MSVBVM60 ref: 004204BD
#706.MSVBVM60(00000001,00000000,00000000), ref: 004204C9
__vbaStrMove.MSVBVM60 ref: 004204D4
__vbaNew2.MSVBVM60(00402B1C,00421390), ref: 004204E9
__vbaHresultCheckObj.MSVBVM60(00000000,02D8ED94,00402B0C,00000038,?,?,?,?,?,?,?,?), ref: 00420553
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 00420561
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 0042056F
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00420578
__vbaFreeStr.MSVBVM60(004205E3), ref: 004205C0
__vbaFreeStr.MSVBVM60 ref: 004205C5
__vbaFreeStr.MSVBVM60 ref: 004205CA
__vbaFreeStr.MSVBVM60 ref: 004205CF
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 004205D7
__vbaFreeStr.MSVBVM60 ref: 004205E0

Strings

UNANTAGONISINGS, xrefs: 00420461
Lovndringen3, xrefs: 0042050D

Memory Dump Source

Source File: 00000000.00000002.760729739.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.760713631.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.760783815.0000000000421000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.760792159.0000000000423000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#514#537#539#706CopyDestructListVar2
String ID: Lovndringen3$UNANTAGONISINGS
API String ID: 3105435306-1607536084
Opcode ID: 18a799860c20d628c9f602df2d85c1174a7d4f9e2080f41d31cabdf5191a2e3e
Instruction ID: 553ec837acc77b255f3519f7e34fc370a8be9e4dd0e01870f29d84b7010a1418
Opcode Fuzzy Hash: 18a799860c20d628c9f602df2d85c1174a7d4f9e2080f41d31cabdf5191a2e3e
Instruction Fuzzy Hash: CDE1A371E40218AFCB14DFA4DD89EAEBBB8FF58300F60402AF505B72A1DB746945CB58

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report 7keerHhHvn.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: 7keerHhHvn.exe PID: 5616 Parent PID: 5568

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 7keerHhHvn.exe PID: 5616 Parent PID: 5568 7keerHhHvn.exeCOMMON

Function 004014B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16
COMMON