Play interactive tour

Edit tour

Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Sample Name:	Fra FAC-ES101-2107-03806.doc.exe
Analysis ID:	501942
MD5:	18b804e21a3c1c80c195e7d20dc38477
SHA1:	9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256:	cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Tries to detect virtualization through RDTSC time measurements

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses 32bit PE files

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Fra FAC-ES101-2107-03806.doc.exe (PID: 812 cmdline: 'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe' MD5: 18B804E21A3C1C80C195E7D20DC38477)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo"}

Multi AV Scanner detection for submitted file

Show sources

Source: Fra FAC-ES101-2107-03806.doc.exe	Virustotal: Detection: 51%	Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe	Metadefender: Detection: 34%	Perma Link
Source: Fra FAC-ES101-2107-03806.doc.exe	ReversingLabs: Detection: 53%

Source: Fra FAC-ES101-2107-03806.doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo

Source: Fra FAC-ES101-2107-03806.doc.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000000.253125793.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe
Source: Fra FAC-ES101-2107-03806.doc.exe	Binary or memory string: OriginalFilenameSaarede3.exe vs Fra FAC-ES101-2107-03806.doc.exe

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_004016F4	0_2_004016F4
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_00401741	0_2_00401741
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_00401505	0_2_00401505
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B763	0_2_0212B763
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021274A7	0_2_021274A7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AA13	0_2_0212AA13
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124A14	0_2_02124A14
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124E15	0_2_02124E15
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128E1A	0_2_02128E1A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212721C	0_2_0212721C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126205	0_2_02126205
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129A0B	0_2_02129A0B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B20B	0_2_0212B20B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A609	0_2_0212A609
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212020D	0_2_0212020D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124E0D	0_2_02124E0D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212363D	0_2_0212363D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127A2B	0_2_02127A2B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212822F	0_2_0212822F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02120257	0_2_02120257
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212765B	0_2_0212765B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129259	0_2_02129259
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125647	0_2_02125647
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127244	0_2_02127244
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125E70	0_2_02125E70
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126E85	0_2_02126E85
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BABD	0_2_0212BABD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125AAB	0_2_02125AAB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021266AF	0_2_021266AF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AEDB	0_2_0212AEDB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021252C5	0_2_021252C5
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127EF3	0_2_02127EF3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021216F7	0_2_021216F7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BEE1	0_2_0212BEE1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021296E6	0_2_021296E6
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129AEF	0_2_02129AEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02120319	0_2_02120319
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126B03	0_2_02126B03
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128B09	0_2_02128B09
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212630E	0_2_0212630E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AF31	0_2_0212AF31
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124F35	0_2_02124F35
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A73B	0_2_0212A73B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AB53	0_2_0212AB53
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128F47	0_2_02128F47
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127B4B	0_2_02127B4B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A349	0_2_0212A349
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212777F	0_2_0212777F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212537C	0_2_0212537C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125F67	0_2_02125F67
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02120365	0_2_02120365
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B365	0_2_0212B365
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125768	0_2_02125768
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128F97	0_2_02128F97
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A79E	0_2_0212A79E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128B89	0_2_02128B89
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212938F	0_2_0212938F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B78F	0_2_0212B78F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BFBB	0_2_0212BFBB
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021213BC	0_2_021213BC
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021297D1	0_2_021297D1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021267D7	0_2_021267D7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125BC3	0_2_02125BC3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129BC1	0_2_02129BC1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127FCD	0_2_02127FCD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B7FD	0_2_0212B7FD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124FE2	0_2_02124FE2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021253E8	0_2_021253E8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128FEF	0_2_02128FEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AFEF	0_2_0212AFEF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02121417	0_2_02121417
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A001	0_2_0212A001
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128805	0_2_02128805
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212180F	0_2_0212180F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AC37	0_2_0212AC37
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125435	0_2_02125435
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212903B	0_2_0212903B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129039	0_2_02129039
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A82F	0_2_0212A82F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128C53	0_2_02128C53
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127C57	0_2_02127C57
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BC55	0_2_0212BC55
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125041	0_2_02125041
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126446	0_2_02126446
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212587E	0_2_0212587E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212707F	0_2_0212707F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212908F	0_2_0212908F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021214B2	0_2_021214B2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02128CB2	0_2_02128CB2
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021228A1	0_2_021228A1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B8AA	0_2_0212B8AA
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126CD3	0_2_02126CD3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021288D1	0_2_021288D1
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021278D8	0_2_021278D8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021260C3	0_2_021260C3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021274CF	0_2_021274CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125CF3	0_2_02125CF3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021290F3	0_2_021290F3
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021268F0	0_2_021268F0
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021278F6	0_2_021278F6
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021298EE	0_2_021298EE
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02125516	0_2_02125516
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B115	0_2_0212B115
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A91D	0_2_0212A91D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212350F	0_2_0212350F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127523	0_2_02127523
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A12B	0_2_0212A12B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B95B	0_2_0212B95B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129141	0_2_02129141
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212014A	0_2_0212014A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A17F	0_2_0212A17F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212357C	0_2_0212357C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212AD6F	0_2_0212AD6F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212196C	0_2_0212196C
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212719F	0_2_0212719F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127D80	0_2_02127D80
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212598B	0_2_0212598B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021251AD	0_2_021251AD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021295AD	0_2_021295AD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021229D8	0_2_021229D8
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B9CF	0_2_0212B9CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BDF7	0_2_0212BDF7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021269E5	0_2_021269E5

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021274A7 NtAllocateVirtualMemory,	0_2_021274A7
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021274CF NtAllocateVirtualMemory,	0_2_021274CF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02127523 NtAllocateVirtualMemory,	0_2_02127523

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Process Stats: CPU usage > 98%

Source: Fra FAC-ES101-2107-03806.doc.exe	Virustotal: Detection: 51%
Source: Fra FAC-ES101-2107-03806.doc.exe	Metadefender: Detection: 34%
Source: Fra FAC-ES101-2107-03806.doc.exe	ReversingLabs: Detection: 53%

Source: Fra FAC-ES101-2107-03806.doc.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFFED7301E5AE2E1AD.TMP

Jump to behavior

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_00404871 pushfd ; ret	0_2_00404883
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_00404A8E push ebx; iretd	0_2_00404A5D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_00403901 push FFFFFF9Dh; ret	0_2_00403903
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02120739 pushfd ; ret	0_2_0212073B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02120365 push ebx; retn 665Dh	0_2_021204C4
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021237D6 push es; ret	0_2_021237DC
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02123BC2 push edx; retn 0010h	0_2_02123BBF
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02122C05 push ebp; ret	0_2_02122C10
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124C56 push esi; retf	0_2_02124C59
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_021210D4 push 81EB8948h; ret	0_2_021210E2

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: doc.exe

Static PE information: Fra FAC-ES101-2107-03806.doc.exe

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	RDTSC instruction interceptor: First address: 000000000040EF65 second address: 000000000040EF65 instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 cmp ecx, 1Eh 0x00000006 popad 0x00000007 cmp eax, 57h 0x0000000a cmp eax, 000000C1h 0x0000000f dec edi 0x00000010 pushfd 0x00000011 popfd 0x00000012 cmp ecx, 000000D3h 0x00000018 cmp edi, 00000000h 0x0000001b jne 00007FB154E0C83Dh 0x0000001d lfence 0x00000020 pushfd 0x00000021 popfd 0x00000022 pushad 0x00000023 nop 0x00000024 nop 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	RDTSC instruction interceptor: First address: 0000000002126DB3 second address: 0000000002126DB3 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 64E7D070h 0x00000007 sub eax, 19D506BDh 0x0000000c sub eax, 184D9669h 0x00000011 sub eax, 32C53349h 0x00000016 cpuid 0x00000018 popad 0x00000019 call 00007FB154E13023h 0x0000001e lfence 0x00000021 mov edx, 769F0153h 0x00000026 add edx, CDC36EF7h 0x0000002c xor edx, 603C6A45h 0x00000032 xor edx, 5BA01A1Bh 0x00000038 mov edx, dword ptr [edx] 0x0000003a lfence 0x0000003d ret 0x0000003e sub edx, esi 0x00000040 ret 0x00000041 pop ecx 0x00000042 add edi, edx 0x00000044 dec ecx 0x00000045 mov dword ptr [ebp+000001A4h], 79BB58DFh 0x0000004f xor dword ptr [ebp+000001A4h], A54EB3B1h 0x00000059 xor dword ptr [ebp+000001A4h], F12654D1h 0x00000063 test dx, cx 0x00000066 add dword ptr [ebp+000001A4h], D22C4041h 0x00000070 cmp ecx, dword ptr [ebp+000001A4h] 0x00000076 jne 00007FB154E12F2Ah 0x0000007c mov dword ptr [ebp+00000214h], ebx 0x00000082 jmp 00007FB154E13026h 0x00000084 test cx, D417h 0x00000089 mov ebx, ecx 0x0000008b push ebx 0x0000008c mov ebx, dword ptr [ebp+00000214h] 0x00000092 test dl, al 0x00000094 call 00007FB154E13044h 0x00000099 call 00007FB154E13044h 0x0000009e lfence 0x000000a1 mov edx, 769F0153h 0x000000a6 add edx, CDC36EF7h 0x000000ac xor edx, 603C6A45h 0x000000b2 xor edx, 5BA01A1Bh 0x000000b8 mov edx, dword ptr [edx] 0x000000ba lfence 0x000000bd ret 0x000000be mov esi, edx 0x000000c0 pushad 0x000000c1 rdtsc

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Code function: 0_2_02124A14 rdtsc

0_2_02124A14

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02124A14 mov eax, dword ptr fs:[00000030h]	0_2_02124A14
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212960F mov eax, dword ptr fs:[00000030h]	0_2_0212960F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02129B4A mov eax, dword ptr fs:[00000030h]	0_2_02129B4A
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212A79E mov eax, dword ptr fs:[00000030h]	0_2_0212A79E
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_02126BE9 mov eax, dword ptr fs:[00000030h]	0_2_02126BE9

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe

Code function: 0_2_02124A14 rdtsc

0_2_02124A14

Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B763 RtlAddVectoredExceptionHandler,	0_2_0212B763
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BABD RtlAddVectoredExceptionHandler,	0_2_0212BABD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BB9D RtlAddVectoredExceptionHandler,	0_2_0212BB9D
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B78F RtlAddVectoredExceptionHandler,	0_2_0212B78F
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B7FD RtlAddVectoredExceptionHandler,	0_2_0212B7FD
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212BC55 RtlAddVectoredExceptionHandler,	0_2_0212BC55
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B8AA RtlAddVectoredExceptionHandler,	0_2_0212B8AA
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B95B RtlAddVectoredExceptionHandler,	0_2_0212B95B
Source: C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe	Code function: 0_2_0212B9CF RtlAddVectoredExceptionHandler,	0_2_0212B9CF

Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Fra FAC-ES101-2107-03806.doc.exe, 00000000.00000002.781686584.0000000000C30000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Security Software Discovery21	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Virtualization/Sandbox Evasion11	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information11	NTDS	System Information Discovery11	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Fra FAC-ES101-2107-03806.doc.exe	51%	Virustotal		Browse
Fra FAC-ES101-2107-03806.doc.exe	34%	Metadefender		Browse
Fra FAC-ES101-2107-03806.doc.exe	54%	ReversingLabs	Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	501942
Start date:	13.10.2021
Start time:	12:44:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 21s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Fra FAC-ES101-2107-03806.doc.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	28
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 19.7% (good quality ratio 11.9%) Quality average: 39.4% Quality standard deviation: 37.5%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 95.100.218.79, 95.100.216.89, 20.50.102.62, 20.82.210.154, 2.20.178.24, 2.20.178.33, 20.54.110.249, 40.112.88.60 Excluded domains from analysis (whitelisted): fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, neu-displaycatalogrp.useroor.bigcatalog.commerce.microsoft.com, ris-prod.trafficmanager.net, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.81188292947866
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Fra FAC-ES101-2107-03806.doc.exe
File size:	102400
MD5:	18b804e21a3c1c80c195e7d20dc38477
SHA1:	9622e70cd6db56de3488e99cd18c5f51e54afb64
SHA256:	cbc14388711803d5a3f90396d4d33c9b3da952c37a5d919daed329cbd487c1b4
SHA512:	21eade10fb00f4ef5356025ce037983b2e220835345b4bd141f1063367da309390caa83d9d822177bf5c3ef900c311a12afff2f9731787f0afb4c6f35576ffec
SSDEEP:	1536:tfD8AJkfjAx20HgXeyTftunugia21jbnD:tfeUxxAZnn/n
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L...(.KY.................P...0......x........`....@........

File Icon


Icon Hash:	69e1c892f664c884

Static PE Info

General
Entrypoint:	0x401378
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x594BF828 [Thu Jun 22 17:02:32 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	669316531b5190f02843878b6ed87394

Entrypoint Preview

Instruction
push 00410384h
call 00007FB15496C115h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+esi*8-01239E7Dh], bl
inc ebp
inc esi
mov ecx, edx
out 90h, eax
mov eax, dword ptr [00E6209Fh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx+6Eh], cl
jbe 00007FB15496C18Bh
je 00007FB15496C187h
jc 00007FB15496C187h
xor dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
cmp byte ptr [ebx+59h], bl
out dx, al
mov edi, 4A47AB16h
stosb
fbld [esi-764BB8D2h]
ret
cmpsd
mov ch, 2Dh
push 00000025h
rcl byte ptr [esi-71DF64BCh], cl
out 29h, eax
and byte ptr [eax+40h], 0000003Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push ebx
in eax, dx
add byte ptr [eax], al
sbb eax, 00000009h
or byte ptr [eax], al
jc 00007FB15496C18Ch
jbe 00007FB15496C18Ah
jne 00007FB15496C195h
add byte ptr [44000E01h], cl
push esi
inc ebp
dec ebx
dec edi
dec esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150d4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x1cb2	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x134	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14588	0x15000	False	0.496163504464	data	6.24678665883	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0xd0c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x1cb2	0x2000	False	0.348510742188	data	3.76228374891	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x189b4	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors	English	United States
CUSTOM	0x180f6	0x8be	MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel	English	United States
CUSTOM	0x17df8	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors, 4 bits/pixel	English	United States
RT_ICON	0x17550	0x8a8	data
RT_GROUP_ICON	0x1753c	0x14	data
RT_VERSION	0x171a0	0x39c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaErrorOverflow, __vbaFileOpen, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Collides Systems, Inc.
InternalName	Saarede3
FileVersion	4.00
CompanyName	Collides Systems, Inc.
LegalTrademarks	Collides Systems, Inc.
Comments	Collides Systems, Inc.
ProductName	Collides Systems, Inc.
ProductVersion	4.00
FileDescription	Collides Systems, Inc.
OriginalFilename	Saarede3.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Fra FAC-ES101-2107-03806.doc.exe PID: 812 Parent PID: 852

General

Start time:	12:45:11
Start date:	13/10/2021
Path:	C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Fra FAC-ES101-2107-03806.doc.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	18B804E21A3C1C80C195E7D20DC38477
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Fra FAC-ES101-2107-03806.doc.exe PID: 812 Parent PID: 852 Fra FAC-ES101-2107-03806.doc.exeCOMMON

Executed Functions

Function 0212B8AA, Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 769bf48bac94c403a8f4dc6164b4612241d57ef52c5f66c1d01d1fda9bff6b44
Instruction ID: a87f840bcfbc3cc1db7a8978c2a879d08c447a664089d9d642823f9ffb893c90
Opcode Fuzzy Hash: 769bf48bac94c403a8f4dc6164b4612241d57ef52c5f66c1d01d1fda9bff6b44
Instruction Fuzzy Hash: A871C276250245CFCBB68E38D9A57DB37A2EF48204F8A4436D84CDAA15D73A8A0DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 021274A7, Relevance: 1.7, APIs: 1, Instructions: 209memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-7CB4B8D9,0000014C), ref: 021276A4

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 385e750e49141236519c49a66cb173bdd87365ac9fe8a5c6c4e737c8663990d6
Instruction ID: 90eec49031480170a56f19020f3cf4c7a5d47c5aa3529975c6981bf187263148
Opcode Fuzzy Hash: 385e750e49141236519c49a66cb173bdd87365ac9fe8a5c6c4e737c8663990d6
Instruction Fuzzy Hash: 03717876658390CFDB658F389C613DB7BA1EF09300F8A042DDC889B611D739894ACB81

Uniqueness

Uniqueness Score: -1.00%

Function 0212B78F, Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c64b3a70c9708bd2aa64b6a48b585084d14d6a294855ce42a76725ba3d4f336
Instruction ID: bb28ef6e51213ed9e6a8cf74d5c0ee69c2495d54bb0abac07767746f256b0862
Opcode Fuzzy Hash: 4c64b3a70c9708bd2aa64b6a48b585084d14d6a294855ce42a76725ba3d4f336
Instruction Fuzzy Hash: 33712672254255CFCF7ACE38D9947DA37B2EF88304F86403AD80D9BA18D7359A09CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0212B7FD, Relevance: 1.7, APIs: 1, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c82e98f4a797949155d62e2717bb69f1f9e0dc93e83f84ec8da45dd0cb8b577
Instruction ID: 86033de63a223793b6c828c119aa0cdaa2ccaafecc2cec5c23e53a8f19a3f912
Opcode Fuzzy Hash: 0c82e98f4a797949155d62e2717bb69f1f9e0dc93e83f84ec8da45dd0cb8b577
Instruction Fuzzy Hash: 03713871254259CFCF76CE38D9947DA37B2EF88308F86402AD80DDB618D7359A19CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0212B763, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e68e9420068b5ff9ee89f024426fc5b7f2404ef2b38e7525e8ad9b24c467811
Instruction ID: df26464577bed9c5327540f0a676e405dd6bddde38a36c121ae09afadd0f0c5b
Opcode Fuzzy Hash: 9e68e9420068b5ff9ee89f024426fc5b7f2404ef2b38e7525e8ad9b24c467811
Instruction Fuzzy Hash: D971F171544699CFDF79CE28C9947EA37A2EF88318F51812AE80D9F358D3319759CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0212B95B, Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584b0c07c985ab9fc461039f464d96dac3f60e5fae4b68246051d15451257649
Instruction ID: b3d8329355609841ebce000bf2778811d6f9d4c4fbf8e5aabc7c9b215e61eff4
Opcode Fuzzy Hash: 584b0c07c985ab9fc461039f464d96dac3f60e5fae4b68246051d15451257649
Instruction Fuzzy Hash: C2511471254259CFCBB6CE38D8947DA37B2EF88308F86442AD80DCBA15D3359A19CF41

Uniqueness

Uniqueness Score: -1.00%

Function 0212B9CF, Relevance: 1.7, APIs: 1, Instructions: 163COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0212BCFF

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: cd8118f8ef245b75ab92c8bba323243544f84c8aabe76d48a3e78e1af5991c55
Instruction ID: ee1e7f66d46889cb2d2199b9f5647137500589b1ca4a029ef76299c1383ad51c
Opcode Fuzzy Hash: cd8118f8ef245b75ab92c8bba323243544f84c8aabe76d48a3e78e1af5991c55
Instruction Fuzzy Hash: 68510772250249CFCBB6CE38D9A47DB37B2EF88304F8A4426D84DCBA15D7359A19CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0212BABD, Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0212BCFF

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 487bd7cfbfc620777db27ce039f2e54105002e56adbe255bedaf3bb703e808f1
Instruction ID: 46f51698729e10e0c90866ac4858c82023af59ad08c4f59d018f71e0e29bf7c5
Opcode Fuzzy Hash: 487bd7cfbfc620777db27ce039f2e54105002e56adbe255bedaf3bb703e808f1
Instruction Fuzzy Hash: C041E972250659CFCB75CE38D9947CB37B2EF88304F9A8026D84C8BA19D3359609CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02127523, Relevance: 1.6, APIs: 1, Instructions: 124memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-7CB4B8D9,0000014C), ref: 021276A4

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 15a4dc86ca58cebc70aadcf185796109479605d9f36f3a71fe53e1960977c8a6
Instruction ID: d661b0dc389cc5695f9c8d95d464e56f51ab105a3a8c1632fb0dbcb70fe0cf9f
Opcode Fuzzy Hash: 15a4dc86ca58cebc70aadcf185796109479605d9f36f3a71fe53e1960977c8a6
Instruction Fuzzy Hash: 0E41D5BA614245CFDB668E799C657DB36E6BF08300F8B0429DC4C9BA11D739894DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 021274CF, Relevance: 1.6, APIs: 1, Instructions: 103memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(-7CB4B8D9,0000014C), ref: 021276A4

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f891dd75473638020e00cbd88cec0c38dd2ea9e98249f48925249bcb763346d0
Instruction ID: ebfe74821bcb05f540402db05ca8c572ed8fa551e10a830709f36c21984e8a64
Opcode Fuzzy Hash: f891dd75473638020e00cbd88cec0c38dd2ea9e98249f48925249bcb763346d0
Instruction Fuzzy Hash: 8D41EF76A08394DFDB689F75CC657EA7BE5AF19300F46041DEC899B210D7309986CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0212BC55, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0212BCFF

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: 5c94f645e5d14a6fabe9274ec9365617352d886a13a8e3c34aa5ef5e62f77c75
Instruction ID: ec35f012c86507ccc9ee622ce1f5da34c25658d4d889a5735421905a754e0e1d
Opcode Fuzzy Hash: 5c94f645e5d14a6fabe9274ec9365617352d886a13a8e3c34aa5ef5e62f77c75
Instruction Fuzzy Hash: A1112176254145CEDBAB8939AA653CB23729F48604FCF44368C4C9AE15DA2A990DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212BB9D, Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 0212BCFF

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID:
API String ID: 3310709589-0
Opcode ID: eb0cd00dc3a13f341f60ae9f87b3cb6b00277256b50dcbdf954dbbd5270ed6df
Instruction ID: 9b5ed2f9fd6a239009a20078c4a1e2c90e6d8bf57b21e333a3c530f67e5bfdc7
Opcode Fuzzy Hash: eb0cd00dc3a13f341f60ae9f87b3cb6b00277256b50dcbdf954dbbd5270ed6df
Instruction Fuzzy Hash: 9121AE70244798CFDB75DE24D9947CA77B2EF88318F60C126D9088F26AC331A656CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0212765B, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efd91b647c8a93dc831021d323bde065fbe6671e343996e16f0c16693c764c6c
Instruction ID: 550146a7a1dd7889941468a3b0721871f12d809d8addd2d05001ab02b575a8fc
Opcode Fuzzy Hash: efd91b647c8a93dc831021d323bde065fbe6671e343996e16f0c16693c764c6c
Instruction Fuzzy Hash: C1117F76651195CFDB628E399D526DA7BA6AF0D700F8A00269C0C97A21E73A881DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 004133A0, Relevance: 321.6, APIs: 161, Strings: 22, Instructions: 1312COMMON

Download Yara Rule

APIs

#646.MSVBVM60(?), ref: 0041349F
__vbaStrMove.MSVBVM60 ref: 004134AD
__vbaStrCmp.MSVBVM60(rebninger,00000000), ref: 004134B9
__vbaFreeStr.MSVBVM60 ref: 004134CE
__vbaFreeVar.MSVBVM60 ref: 004134DA
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 004134FB
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00413523
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000B8), ref: 00413553
__vbaFreeObj.MSVBVM60 ref: 0041355F
#541.MSVBVM60(0000000A,15:15:15), ref: 00413571
__vbaStrVarMove.MSVBVM60(0000000A), ref: 0041357E
__vbaStrMove.MSVBVM60 ref: 00413589
__vbaFreeVar.MSVBVM60 ref: 00413595
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 004135AD
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 004135D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000070), ref: 004135FF
__vbaFreeObj.MSVBVM60 ref: 0041360B
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413623
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,0000001C), ref: 0041364B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F30,00000060), ref: 004136B4
__vbaFreeObj.MSVBVM60 ref: 004136C0
__vbaStrToAnsi.MSVBVM60(?,MEG), ref: 004136D2
__vbaSetSystemError.MSVBVM60(00000000), ref: 004136E0
__vbaFreeStr.MSVBVM60 ref: 004136EC
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 0041371A
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00413742
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000068), ref: 0041376C
__vbaFreeObj.MSVBVM60 ref: 00413778
#610.MSVBVM60(0000000A), ref: 00413785
#552.MSVBVM60(?,0000000A,00000001), ref: 0041379B
__vbaVarMove.MSVBVM60 ref: 004137AD
__vbaFreeVar.MSVBVM60 ref: 004137B9
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 004137D1
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 004137F9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,0000013C), ref: 00413868
__vbaFreeObj.MSVBVM60 ref: 00413874
__vbaLateMemCall.MSVBVM60(?,Ytf0FfwBKC98,00000003), ref: 00413903
__vbaSetSystemError.MSVBVM60(000BC9FA), ref: 00413918
#612.MSVBVM60(0000000A), ref: 00413931
__vbaStrVarMove.MSVBVM60(0000000A), ref: 0041393E
__vbaStrMove.MSVBVM60 ref: 00413952
__vbaFreeVar.MSVBVM60 ref: 0041395A
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413973
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 004139A1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000110), ref: 004139D5
__vbaStrMove.MSVBVM60 ref: 004139EA
__vbaFreeObj.MSVBVM60 ref: 004139F8
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413A0D
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00413A35
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000108), ref: 00413A61
__vbaFreeObj.MSVBVM60 ref: 00413A69
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413A7E
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000044), ref: 00413B7A
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00413BC3
__vbaFreeVar.MSVBVM60 ref: 00413BCF
__vbaStrToAnsi.MSVBVM60(?,finmekaniker), ref: 00413BE6
__vbaSetSystemError.MSVBVM60(00000000), ref: 00413BF4
__vbaFreeStr.MSVBVM60 ref: 00413C00
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413C2E
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00413C56
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000068), ref: 00413C80
__vbaFreeObj.MSVBVM60 ref: 00413C8C
#610.MSVBVM60(0000000A), ref: 00413C99
#552.MSVBVM60(?,0000000A,00000001), ref: 00413CAF
__vbaVarMove.MSVBVM60 ref: 00413CBE
__vbaFreeVar.MSVBVM60 ref: 00413CCA
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413CE2
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00413D0A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,0000013C), ref: 00413D79
__vbaFreeObj.MSVBVM60 ref: 00413D85
__vbaLateMemCall.MSVBVM60(?,iApzbb76Ji65,00000003), ref: 00413E11
__vbaSetSystemError.MSVBVM60(0059E365,00231721), ref: 00413E30
#702.MSVBVM60(0000000A,000000FF,000000FE,000000FE,000000FE), ref: 00413E65
__vbaStrMove.MSVBVM60 ref: 00413E79
__vbaFreeVar.MSVBVM60 ref: 00413E81
#611.MSVBVM60 ref: 00413E87
__vbaStrMove.MSVBVM60 ref: 00413E92
#610.MSVBVM60(00000002), ref: 00413E9B
#552.MSVBVM60(?,00000002,00000001), ref: 00413EB1
__vbaVarMove.MSVBVM60 ref: 00413EC0
__vbaFreeVar.MSVBVM60 ref: 00413ECC
_adj_fdiv_m64.MSVBVM60 ref: 00413EF5
__vbaFpI4.MSVBVM60(432A0000,?,43110000), ref: 00413F26
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,004108E4,000002C0,?,43110000), ref: 00413F5A
__vbaStrCopy.MSVBVM60(?,43110000), ref: 00413F6B
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00413F79
__vbaSetSystemError.MSVBVM60(00707257,003ED390,?), ref: 00413F97
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00413FAD
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00413FDE
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414006
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000D8), ref: 00414036
__vbaStrMove.MSVBVM60 ref: 0041404B
__vbaFreeObj.MSVBVM60 ref: 00414057
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 0041406F
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414097
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000F0), ref: 004140C7
__vbaStrMove.MSVBVM60 ref: 004140DF
__vbaFreeObj.MSVBVM60 ref: 004140EB
#610.MSVBVM60(0000000A), ref: 004140F8
#552.MSVBVM60(?,0000000A,00000001), ref: 0041410E
__vbaVarMove.MSVBVM60 ref: 00414120
__vbaFreeVar.MSVBVM60 ref: 0041412C
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414144
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,0000001C), ref: 0041416C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F30,00000064), ref: 00414198
__vbaFreeObj.MSVBVM60 ref: 004141A4
__vbaStrToAnsi.MSVBVM60(?,Undeviousness), ref: 004141BC
__vbaStrToAnsi.MSVBVM60(?,charbocle,00000000), ref: 004141CB
__vbaSetSystemError.MSVBVM60(00000000), ref: 004141D5
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004141EB
#594.MSVBVM60(0000000A), ref: 00414225
__vbaFreeVar.MSVBVM60 ref: 00414231
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414249
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414277
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000B8), ref: 004142AB
__vbaFreeObj.MSVBVM60 ref: 004142B3
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 004142CB
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 004142F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000E0), ref: 0041431F
__vbaStrMove.MSVBVM60 ref: 00414333
__vbaFreeObj.MSVBVM60 ref: 0041433F
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414357
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,0000001C), ref: 0041437F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F30,00000060), ref: 004143DF
__vbaFreeObj.MSVBVM60 ref: 004143EB
__vbaStrCopy.MSVBVM60 ref: 0041442C
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00410914,000006F8), ref: 00414465
__vbaFreeStr.MSVBVM60 ref: 00414477
__vbaStrCopy.MSVBVM60 ref: 00414498
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00410914,000006F8), ref: 004144D1
__vbaFreeStr.MSVBVM60 ref: 004144DD
__vbaStrCopy.MSVBVM60 ref: 004144FE
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00410914,000006F8), ref: 00414537
__vbaFreeStr.MSVBVM60 ref: 00414543
__vbaStrCopy.MSVBVM60 ref: 00414564
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00410914,000006F8), ref: 0041459D
__vbaFreeStr.MSVBVM60 ref: 004145A9
__vbaStrCopy.MSVBVM60 ref: 004145CA
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,00410914,000006F8), ref: 00414603
__vbaFreeStr.MSVBVM60 ref: 0041460F
__vbaHresultCheckObj.MSVBVM60(00000000,00401150,004108E4,000002B4), ref: 0041462C
__vbaVarAdd.MSVBVM60(0000000A,?,?), ref: 0041466A
__vbaVarMove.MSVBVM60 ref: 00414671
#598.MSVBVM60 ref: 00414677
__vbaVarTstLt.MSVBVM60(00000002,?), ref: 00414698
__vbaFreeVar.MSVBVM60(00414771), ref: 00414702
__vbaFreeStr.MSVBVM60 ref: 0041470D
__vbaFreeStr.MSVBVM60 ref: 00414712
__vbaFreeObj.MSVBVM60 ref: 0041471D
__vbaFreeStr.MSVBVM60 ref: 00414722
__vbaFreeVar.MSVBVM60 ref: 00414727
__vbaFreeStr.MSVBVM60 ref: 0041472C
__vbaFreeVar.MSVBVM60 ref: 00414731
__vbaFreeObj.MSVBVM60 ref: 00414736
__vbaFreeStr.MSVBVM60 ref: 0041473E
__vbaFreeObj.MSVBVM60 ref: 00414746
__vbaFreeStr.MSVBVM60 ref: 0041474E
__vbaFreeStr.MSVBVM60 ref: 00414756

Strings

extralegal, xrefs: 00413D3A
Organophone2, xrefs: 00414479
Ytf0FfwBKC98, xrefs: 004138E6
rebninger, xrefs: 004134B4
Valutareservernes, xrefs: 0041440D
Wrp, xrefs: 00413C08
Commutual, xrefs: 004145AB
MEG, xrefs: 004136CC
Crepey, xrefs: 004138A7
15:15:15, xrefs: 0041356B
Undeviousness, xrefs: 004141B6
Hypnotizabilities, xrefs: 00414545
liquidated, xrefs: 00413F60
problemsgende, xrefs: 004143AF
finmekaniker, xrefs: 00413BDE
Syndromerne5, xrefs: 00413DB8
GAARDES, xrefs: 00413ABA
CLAMATORES, xrefs: 004144DF
SEMIMALIGNANT, xrefs: 0041367B
Scopulousness, xrefs: 00413829
charbocle, xrefs: 004141C5
iApzbb76Ji65, xrefs: 00413DF7

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$CopyErrorSystem$Ansi$#552#610$Late$CallList$#541#594#598#611#612#646#702_adj_fdiv_m64
String ID: 15:15:15$CLAMATORES$Commutual$Crepey$GAARDES$Hypnotizabilities$MEG$Organophone2$SEMIMALIGNANT$Scopulousness$Syndromerne5$Undeviousness$Valutareservernes$Wrp$Ytf0FfwBKC98$charbocle$extralegal$finmekaniker$iApzbb76Ji65$liquidated$problemsgende$rebninger
API String ID: 2302085476-689379688
Opcode ID: 79d9ba20a04ffe715e059dda3e0e82f74a8f7bee04e18ce0dfd75af609f94ed7
Instruction ID: 1c304254fe2d28e1ca28c502bdada2c338b5c7042b73a952b7fcbb46b834d031
Opcode Fuzzy Hash: 79d9ba20a04ffe715e059dda3e0e82f74a8f7bee04e18ce0dfd75af609f94ed7
Instruction Fuzzy Hash: 77C27E70900219AFCB24DF24DD89BD9BBB5FB58301F1085AAE14EB72A0DB745AC5CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00401378, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6"*), ref: 0040137D

Strings

VB5!6"*, xrefs: 00401378

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6"*
API String ID: 1341478452-2992194029
Opcode ID: efa01524d1ce90f041e4a2a4286d13ef7a76f819ec84eaf4d32bdd3d30e97f44
Instruction ID: cf7f46a24b368f2ff2db7bd26f914864ab1aa1424bd4d67f6afc2004ee2fd92a
Opcode Fuzzy Hash: efa01524d1ce90f041e4a2a4286d13ef7a76f819ec84eaf4d32bdd3d30e97f44
Instruction Fuzzy Hash: 7C21C9A584E7D01FD70387759C246A23FB49B63228B4A02EBC1D5CF1F3D268488AC367

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02129039, Relevance: 5.8, Strings: 4, Instructions: 791COMMON

Download Yara Rule

Strings

\, xrefs: 0212563F
62"o, xrefs: 02126C08
>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: \$*)=/$62"o$>!2%
API String ID: 0-698282559
Opcode ID: 02b697110cc5133ec3da173cbcab16e0aadfa4762a28977a05e184058bda2cc7
Instruction ID: 8bf02ae484a86bce046271416daa6ad1ae1ec7e230c7e0b8084b6f5c6e852256
Opcode Fuzzy Hash: 02b697110cc5133ec3da173cbcab16e0aadfa4762a28977a05e184058bda2cc7
Instruction Fuzzy Hash: AB722FB16443899FDB788F39CD957DA7BB2FF99300F458129EC898B210C3319A99CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02125435, Relevance: 4.4, Strings: 3, Instructions: 670COMMON

Download Yara Rule

Strings

\, xrefs: 0212563F
>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: \$*)=/$>!2%
API String ID: 0-3250720396
Opcode ID: b0fbd2a466e384e2cd5194428772da45a0cfdbb87601e41dc60ffb7f7289bdf4
Instruction ID: 22011072844b19911fbc7c7d4f92082c55b845d1df9c31bfaf49e801821bf49b
Opcode Fuzzy Hash: b0fbd2a466e384e2cd5194428772da45a0cfdbb87601e41dc60ffb7f7289bdf4
Instruction Fuzzy Hash: B8521EB16443899FDB788F39CD95BDA7BB2FF98300F558129EC899B214C3309A95CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02125516, Relevance: 4.4, Strings: 3, Instructions: 659COMMON

Download Yara Rule

Strings

\, xrefs: 0212563F
>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: \$*)=/$>!2%
API String ID: 0-3250720396
Opcode ID: f5a436ede49ed2ce9c1639165d6a9fba092e4f70c2986434b1cd66fd554feeba
Instruction ID: f84a36873b18aa066d8c20600281fd4449852d151c4086c1ceb4777970f6d49d
Opcode Fuzzy Hash: f5a436ede49ed2ce9c1639165d6a9fba092e4f70c2986434b1cd66fd554feeba
Instruction Fuzzy Hash: 1A52EBB26443899FDB748F39CD857DA7BB2FF88300F558129EC899B614C3319A99CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02125647, Relevance: 3.1, Strings: 2, Instructions: 596COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: b42825dd0b30718ed1f812fdb57c2bb05b94de77b27907195b5074263b20ac78
Instruction ID: 33f299586ee8475e97b16b0c5afc95daa0c961cbc95a9316ff69650fef9530d0
Opcode Fuzzy Hash: b42825dd0b30718ed1f812fdb57c2bb05b94de77b27907195b5074263b20ac78
Instruction Fuzzy Hash: 8342DCB2644389DFDB748F39CD957DA7BB2FF88300F558129EC899B214C3319A998B41

Uniqueness

Uniqueness Score: -1.00%

Function 02125768, Relevance: 3.0, Strings: 2, Instructions: 540COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: 6d91bd4e0505427aeb7889479b2c62f16dc8886c830f196c8584b4a3bcf290f9
Instruction ID: d43d73257559bd7288abc5e317ca135ed4c08a263e8b7af3a48aab716cfc297d
Opcode Fuzzy Hash: 6d91bd4e0505427aeb7889479b2c62f16dc8886c830f196c8584b4a3bcf290f9
Instruction Fuzzy Hash: 4632D9B26443899FDB748F39CD857DA7BB2FF48300F558129EC899B210D3359A998B42

Uniqueness

Uniqueness Score: -1.00%

Function 0212A79E, Relevance: 3.0, Strings: 2, Instructions: 510COMMON

Download Yara Rule

Strings

62"o, xrefs: 02126C08
\bP4, xrefs: 0212A7B9

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 62"o$\bP4
API String ID: 0-3096241085
Opcode ID: d8788e70a6d3913a22801e78b816f6e2649453e101bbae77c6e71a6d758005e0
Instruction ID: de796dcce5666949e1001ac229d78234aa500c2ac3bf48bfc935a2a598059450
Opcode Fuzzy Hash: d8788e70a6d3913a22801e78b816f6e2649453e101bbae77c6e71a6d758005e0
Instruction Fuzzy Hash: 40222C7194C3D58FCB75CF38C8987DABFA2AF56320F49829AD8994F296D3308549C712

Uniqueness

Uniqueness Score: -1.00%

Function 0212587E, Relevance: 3.0, Strings: 2, Instructions: 500COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: de6b9351f7ca75eacdd62fe4c5a3319d2aa613ae4c73c12ce5de86bef79e3ba1
Instruction ID: 6d5633052150e501bad8f7ea0dc9b088ee03abe6c04e952d60355b4c502e9add
Opcode Fuzzy Hash: de6b9351f7ca75eacdd62fe4c5a3319d2aa613ae4c73c12ce5de86bef79e3ba1
Instruction Fuzzy Hash: AC22EAB2644389DFDB748E39CD957DA7BB2FF48300F464129EC889B610D3359A99CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0212598B, Relevance: 3.0, Strings: 2, Instructions: 462COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: e630e56183cc5dadfc5649f8f8cc00c0974117820b114760e68bba5efa47dd48
Instruction ID: 6366dd248cbe86e3e61ed7a9051fb394be29ded72e5d0172f1a65e02ff24cddb
Opcode Fuzzy Hash: e630e56183cc5dadfc5649f8f8cc00c0974117820b114760e68bba5efa47dd48
Instruction Fuzzy Hash: BD12FE72644389DFDB748E39CD997DA37B2FF48300F564129ED889B210D3319A99CB42

Uniqueness

Uniqueness Score: -1.00%

Function 02125AAB, Relevance: 2.9, Strings: 2, Instructions: 405COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: 29ca3d1e4dcaa3d6dcfb9e8786813b39af3d7a28c2866512ecd2b3e5478fa0da
Instruction ID: 4103181ced84207be1e99aa78ed7ff7b6174c4ec66e97d35c5a73f8683be1062
Opcode Fuzzy Hash: 29ca3d1e4dcaa3d6dcfb9e8786813b39af3d7a28c2866512ecd2b3e5478fa0da
Instruction Fuzzy Hash: 4702FDB6644388DFDF758E39CD857DA3BB6FF48300F564129ED889B220C7359A898B41

Uniqueness

Uniqueness Score: -1.00%

Function 021214B2, Relevance: 2.9, Strings: 2, Instructions: 362COMMON

Download Yara Rule

Strings

=C, xrefs: 02121808
ug, xrefs: 02121775

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: =C$ug
API String ID: 0-1472808493
Opcode ID: bad4f2838f440e787fade8256137f95f0114edda95a295c09a3070296bae7c0e
Instruction ID: 3353eb0e7d493e67ac7798bd42eebd5aa638e6cd690a0c2a1f39e751237dc855
Opcode Fuzzy Hash: bad4f2838f440e787fade8256137f95f0114edda95a295c09a3070296bae7c0e
Instruction Fuzzy Hash: 63B18A76559195DFC7169B3898A62D73BB2EF05200BDE447EE88C8BD03DB2A441ECF81

Uniqueness

Uniqueness Score: -1.00%

Function 02125BC3, Relevance: 2.9, Strings: 2, Instructions: 359COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: 9d5e085a34f27b2b0cc8925577fe8369dd2c991618596b20eaf34d02258d3efa
Instruction ID: f87ba6610738b7ca638852adbc188fb4400a0160b1478ab4ff0ba7064b641494
Opcode Fuzzy Hash: 9d5e085a34f27b2b0cc8925577fe8369dd2c991618596b20eaf34d02258d3efa
Instruction Fuzzy Hash: E3E1EEB6644388DFDF758E39CC857DA3BB6FF48300F964029DD889B224D7319A898B41

Uniqueness

Uniqueness Score: -1.00%

Function 02125CF3, Relevance: 2.8, Strings: 2, Instructions: 327COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: 9ee07be51e630798034f284b0e3249fc5e8e16704afb5bc31c12c9009d833161
Instruction ID: 57947fad240872e3b2ce92879b992396105bda0edc87e5da9d7428b474eae7c3
Opcode Fuzzy Hash: 9ee07be51e630798034f284b0e3249fc5e8e16704afb5bc31c12c9009d833161
Instruction Fuzzy Hash: 85D1CDB2644388DFDB758E39DC867DA3BB6FF58300F564429DD898B220C7319A99CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02125E70, Relevance: 2.7, Strings: 2, Instructions: 239COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E
*)=/, xrefs: 02125EE5

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *)=/$>!2%
API String ID: 0-2481962024
Opcode ID: 253a5470f87640dd59bbdcb27115e353b2726ac99bc43ab9f9c385deeac60aa4
Instruction ID: 1764eed369890e72f43fc4784fab7a77f60c7f0527ae155c3cf86c79959c1499
Opcode Fuzzy Hash: 253a5470f87640dd59bbdcb27115e353b2726ac99bc43ab9f9c385deeac60aa4
Instruction Fuzzy Hash: F8B1B9B16443889FDF758F29CC86BDA7BB2FF58300F158129ED888B224C7319A568B01

Uniqueness

Uniqueness Score: -1.00%

Function 021278D8, Relevance: 1.6, Strings: 1, Instructions: 308COMMON

Download Yara Rule

Strings

11P, xrefs: 02127D00

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 11P
API String ID: 0-2747324567
Opcode ID: 61dd93d35fce0bf3ee848f93029d4c3c431b453ca5a093f8db56f193bb84e515
Instruction ID: 1c73445eb28c98816ad16fea217fcb4f4efcfe565a15cbbd69ab0bb5afe216ec
Opcode Fuzzy Hash: 61dd93d35fce0bf3ee848f93029d4c3c431b453ca5a093f8db56f193bb84e515
Instruction Fuzzy Hash: 75D1EB726443999FDF749F28CD90BEE77B2EF98340F51402AEC0A9B240E7318A55CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02120319, Relevance: 1.5, Strings: 1, Instructions: 262COMMON

Download Yara Rule

Strings

?g}Q, xrefs: 0212C00D

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?g}Q
API String ID: 0-1114213527
Opcode ID: 4ea4eb1ca869feee09993833f8f8c893ae84639365e7343607381f2e54abb24b
Instruction ID: 3876c96bf123ce445b140decbc31336f3a16537d9099ef57bf62ce8aba8e9f68
Opcode Fuzzy Hash: 4ea4eb1ca869feee09993833f8f8c893ae84639365e7343607381f2e54abb24b
Instruction Fuzzy Hash: 3881CEB915025ACFC7525F78C8A139A7BF3FF59200F9B445AD8888AE12D736885ECF41

Uniqueness

Uniqueness Score: -1.00%

Function 021278F6, Relevance: 1.5, Strings: 1, Instructions: 242COMMON

Download Yara Rule

Strings

11P, xrefs: 02127D00

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 11P
API String ID: 0-2747324567
Opcode ID: ea7a2fb69013540fb4bf01d9c0a3abf2f875bab66018bf2ae758d77d7fc04343
Instruction ID: e897148fcd186b925628b831295567449f69f1b3aaccf79124f4901f2e5e8d89
Opcode Fuzzy Hash: ea7a2fb69013540fb4bf01d9c0a3abf2f875bab66018bf2ae758d77d7fc04343
Instruction Fuzzy Hash: 84A1CE72644399CFDF748E38DD917EE37B2AF94340F8A402A9C499B640E7314A49CF51

Uniqueness

Uniqueness Score: -1.00%

Function 02125F67, Relevance: 1.5, Strings: 1, Instructions: 231COMMON

Download Yara Rule

Strings

>!2%, xrefs: 0212609E

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: >!2%
API String ID: 0-2924215407
Opcode ID: e5e6f4cc3b9011ba86deee5a09891c5b2b751368bd95290f2ac8ab12fd79fd29
Instruction ID: 2d92220ed51241e68a06bd6d8e81c4196a911c68b3a0e9e896590f0c83571d27
Opcode Fuzzy Hash: e5e6f4cc3b9011ba86deee5a09891c5b2b751368bd95290f2ac8ab12fd79fd29
Instruction Fuzzy Hash: 5391CAB1240289CFDB758E39DD96BCA3BB7FF48300F5A8129ED4C8A610D7358A598B40

Uniqueness

Uniqueness Score: -1.00%

Function 02127A2B, Relevance: 1.4, Strings: 1, Instructions: 190COMMON

Download Yara Rule

Strings

11P, xrefs: 02127D00

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 11P
API String ID: 0-2747324567
Opcode ID: f994e3f4ac1104cec44df748deffe6133b57e0dda19da19bd9c87779ca3cc778
Instruction ID: 3d66dba049333269ce398dd5daf5ce50cc8f12f7357743a9ff41b9d0698fe311
Opcode Fuzzy Hash: f994e3f4ac1104cec44df748deffe6133b57e0dda19da19bd9c87779ca3cc778
Instruction Fuzzy Hash: D571D172244399CFDB758E38DD917EF37B6AF49300F8A442E9C499BA40E7314A49CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0212537C, Relevance: 1.4, Strings: 1, Instructions: 176COMMON

Download Yara Rule

Strings

\, xrefs: 0212563F

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: \
API String ID: 0-4110156661
Opcode ID: 500f8a5c6f19ed679e998120fe453e5392107b5ad30294bcfea1f696d62c19ac
Instruction ID: 09dfc0b92405c2b387c0a8a7c4918effb382ddf3ba5afdf619797a737d7a7911
Opcode Fuzzy Hash: 500f8a5c6f19ed679e998120fe453e5392107b5ad30294bcfea1f696d62c19ac
Instruction Fuzzy Hash: 34610FB16043899FDF788E29CDA5BEB3BA3AF99340F55811EEC4E8B244C73106498B45

Uniqueness

Uniqueness Score: -1.00%

Function 02127B4B, Relevance: 1.4, Strings: 1, Instructions: 144COMMON

Download Yara Rule

Strings

11P, xrefs: 02127D00

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 11P
API String ID: 0-2747324567
Opcode ID: c07eea39619c34790c982e520d371b7220cdea878ed14d0f2b5c0aa70b14ca56
Instruction ID: 2df780f984fe5fd9b08b9453f72d9cfeec08c6ad2d23c039192bee1800555350
Opcode Fuzzy Hash: c07eea39619c34790c982e520d371b7220cdea878ed14d0f2b5c0aa70b14ca56
Instruction Fuzzy Hash: 4E51DE7618438ACFDB758F78CD917EB77B2AF54700F8A442A8C489B911E3354A49CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02127EF3, Relevance: 1.4, Strings: 1, Instructions: 128COMMON

Download Yara Rule

Strings

s@s, xrefs: 021280F8

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: s@s
API String ID: 0-3170803381
Opcode ID: 8dd7c6acab65c545e0c0c20fcd2f5d7962603ac7766b072881a617b7fb2b59b0
Instruction ID: 9772ee239c1734b55244c730583717fa4d678a660a43d6daaaeaf3c728c8b056
Opcode Fuzzy Hash: 8dd7c6acab65c545e0c0c20fcd2f5d7962603ac7766b072881a617b7fb2b59b0
Instruction Fuzzy Hash: B04161B4A402868FDB55EF78D4517DA37E3AFA8240FA54029AC4D87B44DB348859CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02124A14, Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

H8C&, xrefs: 02124A90

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: H8C&
API String ID: 0-1556447965
Opcode ID: f73a48b7b21b013efff714364be8d93d7ac9f99404ea035292a023cd3f0b0553
Instruction ID: 023c1e9d71814b3a1c193be7e67a2bde2a4a19a27cb2957066617b4b7544dbb2
Opcode Fuzzy Hash: f73a48b7b21b013efff714364be8d93d7ac9f99404ea035292a023cd3f0b0553
Instruction Fuzzy Hash: A741387A154654CFC766CF38984A7D277B1EF08200F9E846DC89D9BA03D779494ECB80

Uniqueness

Uniqueness Score: -1.00%

Function 02127FCD, Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

s@s, xrefs: 021280F8

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: s@s
API String ID: 0-3170803381
Opcode ID: 0f7fce6e3bd8931ce3fdd837c82767f30752c012bd5fa18e1e69bb8434511080
Instruction ID: 5f74084463d3c8e35c69a0ab2a62bec1c701cda34522bd8dd56902a4eea2c29a
Opcode Fuzzy Hash: 0f7fce6e3bd8931ce3fdd837c82767f30752c012bd5fa18e1e69bb8434511080
Instruction Fuzzy Hash: 273172B5A402868FDB55DF3894617CB36E3AF68240F9A40295C4D87F44DB35885DCFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02124E0D, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

62"o, xrefs: 02126C08

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 62"o
API String ID: 0-2840884086
Opcode ID: 1d26c7071c3619096f0a994e0eea47eaf79f5a5b30d9dfa8c85f9e59f86b9aa4
Instruction ID: c83153011825820fae883430b355a5193fe82c37b7a489fcff2ff792be75afcf
Opcode Fuzzy Hash: 1d26c7071c3619096f0a994e0eea47eaf79f5a5b30d9dfa8c85f9e59f86b9aa4
Instruction Fuzzy Hash: 8241053124C3C58BDF75CF7C8884BD67B91AB46224F4882AED8998E69BE7314525C742

Uniqueness

Uniqueness Score: -1.00%

Function 02127C57, Relevance: 1.3, Strings: 1, Instructions: 93COMMON

Download Yara Rule

Strings

11P, xrefs: 02127D00

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 11P
API String ID: 0-2747324567
Opcode ID: e8ad746842f5da44bb271d44cf0245bd8e6b38db1366de0dffe0df5ee447f580
Instruction ID: ce147d3463640f7abf48ce4d5cd62818961d7f5cc816caf83bd52c6df7facf19
Opcode Fuzzy Hash: e8ad746842f5da44bb271d44cf0245bd8e6b38db1366de0dffe0df5ee447f580
Instruction Fuzzy Hash: EA319E7629428ACFDFB58E38DD917EB33B6AF44600F8A44399C0C9A940E7364A09DF51

Uniqueness

Uniqueness Score: -1.00%

Function 021298EE, Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

A*un, xrefs: 02129989

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: A*un
API String ID: 0-3480543902
Opcode ID: 8075de53259e1c49ec8f7c2f707ce69b0d539fa286cedea9b0be68bdb624d7f9
Instruction ID: ca5f45731f1bc58e773c3349987a3ef792b999596aeff8ba4d188322915c87f1
Opcode Fuzzy Hash: 8075de53259e1c49ec8f7c2f707ce69b0d539fa286cedea9b0be68bdb624d7f9
Instruction Fuzzy Hash: F421C1A76512C9CFDF724A3C59A63D62BA15B19200FDF086B8CCC96E02D629454DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 02126E85, Relevance: 1.3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

Strings

`, xrefs: 02126F52

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 2c1e9cea539954f7721d96338b54f2818ad3118aadc3ae0c6e3ca2573a466a2e
Instruction ID: b8d9eb77dfc6a5d11ed14a5fe48daf833768001460c3f4e9ccbb0200ac4cba7f
Opcode Fuzzy Hash: 2c1e9cea539954f7721d96338b54f2818ad3118aadc3ae0c6e3ca2573a466a2e
Instruction Fuzzy Hash: CE214973A55284DFCF758E3D9D893CA37B5AF04200F9E0067884C9B941E6754A0ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A349, Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

_a", xrefs: 0212A3F3

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: _a"
API String ID: 0-744307758
Opcode ID: 6fb954faa4ace23388c0dcb9d569977e90009ced60b7307d0fcafb7bc9a90007
Instruction ID: 7188f26bc3629e514a4aaca46cb20c23377ac8638ad23eac8cb292987eecc27d
Opcode Fuzzy Hash: 6fb954faa4ace23388c0dcb9d569977e90009ced60b7307d0fcafb7bc9a90007
Instruction Fuzzy Hash: 281106B7614201CFD75609389C663CB72B2AF88210FCF092D889C82E50E63A484DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 021216F7, Relevance: 1.3, Strings: 1, Instructions: 64COMMON

Download Yara Rule

Strings

ug, xrefs: 02121775

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ug
API String ID: 0-1706028500
Opcode ID: 3414cc7a7313e36e407df322434173232805b733bc84067453c07ae2a12fe196
Instruction ID: 26e39f7559e1b77ac0e4a8e241f2ab028b4835d32b0139d4cede1daaa3336264
Opcode Fuzzy Hash: 3414cc7a7313e36e407df322434173232805b733bc84067453c07ae2a12fe196
Instruction Fuzzy Hash: 2E01D677168155DFCB5346789C663D737B7EE486007CF047A885C86D12EB2A481ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 02128CB2, Relevance: 1.3, Strings: 1, Instructions: 47COMMON

Download Yara Rule

Strings

&H, xrefs: 02128CC3

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: &H
API String ID: 0-3312123479
Opcode ID: ee4fcdd713f0adbbe34e2ecd5704cb46937b6c4868c61ca996d09c83b56c86ac
Instruction ID: 39575ee7d4e7c8d757a054117c66a86953ed359d7c57fe13f1f205f327ca6549
Opcode Fuzzy Hash: ee4fcdd713f0adbbe34e2ecd5704cb46937b6c4868c61ca996d09c83b56c86ac
Instruction Fuzzy Hash: 7FF0989F666282CEA587107E69673C7266AA9194043CF047B4C8CE1E02A84E881ECF94

Uniqueness

Uniqueness Score: -1.00%

Function 0212BFBB, Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

?g}Q, xrefs: 0212C00D

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ?g}Q
API String ID: 0-1114213527
Opcode ID: db09cc4fa4f913db7816f6a4e219dee9b381b794a2290fc3269e7cb2e72c22f8
Instruction ID: 9e3fdce2d147c2a4131d112b85b2947379ec19ca09ba4da041bf224cb713f4ea
Opcode Fuzzy Hash: db09cc4fa4f913db7816f6a4e219dee9b381b794a2290fc3269e7cb2e72c22f8
Instruction Fuzzy Hash: C4F045AF2A1106CEE6CB047D6AB63C721A6AF084107CF48360C4DD4D02F98E8C4ECF90

Uniqueness

Uniqueness Score: -1.00%

Function 021228A1, Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

R5, xrefs: 021228F8

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID: R5
API String ID: 0-974090089
Opcode ID: 79af2116245c0fe97ec7b8248d6908aa3a50eea95f5da48ae6479d18f5b1e445
Instruction ID: e241ede7205edce3bead50baef386db518d7e7e6f2caef155e58c47a303a3984
Opcode Fuzzy Hash: 79af2116245c0fe97ec7b8248d6908aa3a50eea95f5da48ae6479d18f5b1e445
Instruction Fuzzy Hash: 92F054AB261105CBC65B493DA9A67CB33B6AF0C6107CF053A4C4C85D62F96B880ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A82F, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 383c35db4c79fb47800e1fa74437e91d3ded7ab2653a6c744d7302bf7d5de8f1
Instruction ID: 77a1db17a16bb94bd7b45beee5109c957894fd84b2e2b94a87801b6b3e81de5f
Opcode Fuzzy Hash: 383c35db4c79fb47800e1fa74437e91d3ded7ab2653a6c744d7302bf7d5de8f1
Instruction Fuzzy Hash: 5EC127715483D58FDB768F3888987DA7FE25F12220F4E82AAC8A94F1E7D334450AC712

Uniqueness

Uniqueness Score: -1.00%

Function 0212A91D, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc1b22720102235cfc53808ffdcf79de28f162951c4361b4a20ca766659675d7
Instruction ID: b2ad58ac22c73257d186e95bde092c1676ed93ea1569f44227ed2842faa0083c
Opcode Fuzzy Hash: dc1b22720102235cfc53808ffdcf79de28f162951c4361b4a20ca766659675d7
Instruction Fuzzy Hash: C8A149715483D58FDB368F388CA87DA7BE25F16220F4E82AAC89D4F696D335450AC712

Uniqueness

Uniqueness Score: -1.00%

Function 0212AA13, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d93ce2188dba22948b07e54491ab26eefb766088dd091a9c169590cf277697
Instruction ID: 93c22d49f57441ee3b56b1bcd8b1c88d43f9d321cbdcc6b94213008b73fc3b22
Opcode Fuzzy Hash: 32d93ce2188dba22948b07e54491ab26eefb766088dd091a9c169590cf277697
Instruction Fuzzy Hash: CF813771588399CFCF768F389CE43DA7BA2AF16210F8A416ACC498F686D3354509CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02124FE2, Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 727d6cc96553739408faefb1101b71380a16431276a5ad6b883bb40a39667cdc
Instruction ID: 5edfdfa27cac0217ed77ef281ab66893a685766917da89976663686f4a88eb3b
Opcode Fuzzy Hash: 727d6cc96553739408faefb1101b71380a16431276a5ad6b883bb40a39667cdc
Instruction Fuzzy Hash: A981E371640394AFEB78CE6A8AD47DF73E3AF89340F94812ADC4D8B208D3349A55CB15

Uniqueness

Uniqueness Score: -1.00%

Function 02120365, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850ee892c5b842963944ca0c1165ca88354ccbf55e821f6ca1785c75a478267a
Instruction ID: 145e085534937e068668c0444d9b31e156db20a0ea7f36bd20bcb2ccab17429e
Opcode Fuzzy Hash: 850ee892c5b842963944ca0c1165ca88354ccbf55e821f6ca1785c75a478267a
Instruction Fuzzy Hash: 63514376154281CFC7464F7998962C67BB2FF08208BDE492DD8C89AC12D73A886DCB80

Uniqueness

Uniqueness Score: -1.00%

Function 021260C3, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500c47bfd5cec2ba51ee7bfcd1d5c102dade1cb5d6ceebfeb849cfea9ca0f261
Instruction ID: fca8ea817141147941a959e80a1af85167d360ee605437f3d83cecb41305f889
Opcode Fuzzy Hash: 500c47bfd5cec2ba51ee7bfcd1d5c102dade1cb5d6ceebfeb849cfea9ca0f261
Instruction Fuzzy Hash: 2961B0B6240289DFDB758E39DD95BCA77B7FF48300F5A8029ED4C8B610D7368A598B40

Uniqueness

Uniqueness Score: -1.00%

Function 0212AB53, Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a22a6765f35459a4fac53ad3539e2b81336f604f2dc02f34631836fca9f0be5a
Instruction ID: a6005e36362a78e874fe0c98a8689087d4bf811c06770ee45feff47eb51738f2
Opcode Fuzzy Hash: a22a6765f35459a4fac53ad3539e2b81336f604f2dc02f34631836fca9f0be5a
Instruction Fuzzy Hash: BF511276688394CFCF758E389CA53DB7BA2AF15210F8E417E8C4D8BA42D73A4509CB11

Uniqueness

Uniqueness Score: -1.00%

Function 00401505, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 0212AC37, Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 718c3ebc8ae6360bf9501cfdbe1f6b23f6cb77a7f7860b313d7e6386919e80ec
Instruction ID: 010cb080024c901fe86264f987576d956c85e370a20235eed7cde69e870887a7
Opcode Fuzzy Hash: 718c3ebc8ae6360bf9501cfdbe1f6b23f6cb77a7f7860b313d7e6386919e80ec
Instruction Fuzzy Hash: 7641E2B6648294CFDF798E389CA57EB77A2AF15210FCA406ECC4E8BA01D7354908CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0212A001, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04524acb0f823eb0cfe5418b4b0205eb54d964b7efd32d858dbba6c128556ff3
Instruction ID: 99fa1cf959d2e589ae4087305dc7c021824550298cf0382281142e2186e259aa
Opcode Fuzzy Hash: 04524acb0f823eb0cfe5418b4b0205eb54d964b7efd32d858dbba6c128556ff3
Instruction Fuzzy Hash: 4A41F8B5684355CFDB7A4E3DDCA57EA32A6DF05310F9A013EAC4D8AA40DB39494DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 02125041, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ddda69bf02f455e29bf4178a0467d884a3bc85aabb35ccecd41fccaebb8c23d
Instruction ID: fdf64246e02f3ff84233cb6fe1caad1e40d3dbd822de8d971f0263363080b679
Opcode Fuzzy Hash: 0ddda69bf02f455e29bf4178a0467d884a3bc85aabb35ccecd41fccaebb8c23d
Instruction Fuzzy Hash: 6041CF75650644EBDB78CE2A8AD53DB33E3BF88300FC9912ACC4DCAA04D734A949CB54

Uniqueness

Uniqueness Score: -1.00%

Function 0212AF31, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 762f7cfcfc942e9dc688eecd5f336e03b16c52f8e0b9246756a7b13789235223
Instruction ID: a3fc87815e8114f9bae76cbb5ca039b540c0f6669e045e642ddbdacc05a88a48
Opcode Fuzzy Hash: 762f7cfcfc942e9dc688eecd5f336e03b16c52f8e0b9246756a7b13789235223
Instruction Fuzzy Hash: D9416962548280CFCB728F39DC993DEBB62BF55110F8A81AACCD84F906D731564ACB51

Uniqueness

Uniqueness Score: -1.00%

Function 02126205, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9687533166c842c0a9120c31c994d89d6d607f56dacca1218caf8438c0435559
Instruction ID: 6a543d9c267f0377732cf65651233596cbf1acf6b6e4adb65bb0a6bcdb910839
Opcode Fuzzy Hash: 9687533166c842c0a9120c31c994d89d6d607f56dacca1218caf8438c0435559
Instruction Fuzzy Hash: 9441F5B6240245DFDB628E39DD917CA77B3FF98300F9A4138DD4C87624DB36895A8B40

Uniqueness

Uniqueness Score: -1.00%

Function 0212AEDB, Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff61b58f9ca2d6e1ee9102d7a529564eea9a0599c06916898cdb495df45b43e
Instruction ID: f78dce40e47e707651ed1ccbf1499a0ff92971f2a82ddd29caf16bbf9b31d59a
Opcode Fuzzy Hash: 9ff61b58f9ca2d6e1ee9102d7a529564eea9a0599c06916898cdb495df45b43e
Instruction Fuzzy Hash: EA414866548280CACBB68E39AD9A3DF7773BF55104F8F812A8C988AE06D735450ECB40

Uniqueness

Uniqueness Score: -1.00%

Function 02129259, Relevance: .1, Instructions: 98COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 404b5082f2fb11c2a693bf1f55c5e117b0f4064832b9dda146035fa6c78c54ee
Instruction ID: 273c28f29560186d7215a79a68d4148c808153dd38de2328ac71874f7036f771
Opcode Fuzzy Hash: 404b5082f2fb11c2a693bf1f55c5e117b0f4064832b9dda146035fa6c78c54ee
Instruction Fuzzy Hash: A9316FB6A55214CFDB399E389D613DB32AAAF58700FCA403EDC4D97A00DB358D09CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02124E15, Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b38555ace00f972f2469eb59a3d1f5e8a861ff805dd68bad012c7e6d7aa31b23
Instruction ID: 619debd1a1f98971eb50ff0c3e1d81c461700d51c244ff754407ed9dfb0f29ce
Opcode Fuzzy Hash: b38555ace00f972f2469eb59a3d1f5e8a861ff805dd68bad012c7e6d7aa31b23
Instruction Fuzzy Hash: F3314C361583818FDF76CE7C8C957C67B919F06220F8E82AD8C9C8A98BE735441ECB41

Uniqueness

Uniqueness Score: -1.00%

Function 0212630E, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20247e115720a1ac661381c44b82e62298e1a21002b9dc9e3e06cec6b6c1184c
Instruction ID: 758edd51ad62de6f531316c3a76b844e145e9ee68adea6956a3d0a76077f42b7
Opcode Fuzzy Hash: 20247e115720a1ac661381c44b82e62298e1a21002b9dc9e3e06cec6b6c1184c
Instruction Fuzzy Hash: B72185BB250245CADBA64D399D957C772B7BF48240FDF84355D4C86914EA3A490E8F80

Uniqueness

Uniqueness Score: -1.00%

Function 021297D1, Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddb4b09833c06841d5ec22a5e53a94b6e876144efd1c1f9de7077c1ae579edd
Instruction ID: b11c28aa2014af98370ab3f863c5c555eb82a42667fbc8c2cf484507558eca78
Opcode Fuzzy Hash: 2ddb4b09833c06841d5ec22a5e53a94b6e876144efd1c1f9de7077c1ae579edd
Instruction Fuzzy Hash: A121FCB6650115DFDB668E29D9A57CA33A5AF0C710FCF043A9C4CE7A01D636AD19CF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212AD6F, Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9bd9df3626f29a77e062366038d31d3a5ef9f241ec7a4bca57fc37f7226de334
Instruction ID: 23eef58d8c5a5cf9b0bbeaf3845156906177ced7b0d660aa2ce692e5737e5850
Opcode Fuzzy Hash: 9bd9df3626f29a77e062366038d31d3a5ef9f241ec7a4bca57fc37f7226de334
Instruction Fuzzy Hash: 7C2192BA695211CFDBA65E39ACF57D722B2AF18100BCF403A8C4D96E06D62D494DCF40

Uniqueness

Uniqueness Score: -1.00%

Function 021213BC, Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48f7c0bc18ba59ff85c4049fa296f9d12bc4527c25f35a7a06aa3b07dc5f02a3
Instruction ID: 150564b840566e45f61a6a2a9c483041a774599bb9e5f3d5b2f7a393457f5848
Opcode Fuzzy Hash: 48f7c0bc18ba59ff85c4049fa296f9d12bc4527c25f35a7a06aa3b07dc5f02a3
Instruction Fuzzy Hash: D411ECB7690042CFDB5A9A3DA8A53DB7377AF18500FCF443A485C96D01EA2A484DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 02126446, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebb05da514eeb176368e67789f6f57ca57e82377f068323111a18668f2a67108
Instruction ID: b672faab90de2e73ee6b0f5ef7862e8be5a53a319d5d4bd4498ce924f9210fa6
Opcode Fuzzy Hash: ebb05da514eeb176368e67789f6f57ca57e82377f068323111a18668f2a67108
Instruction Fuzzy Hash: AB218E7A265144DFDB9A1939AD663CF32A3AF04604FCF052A9C8C90C60EB1A495DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 0212BEE1, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8601021f81bd573cac9d7ed634956c4401eede79775e54924bd6a3a063862ab9
Instruction ID: aa2ec1241fda3cdd33f678cd8244d2781b7910a189fbc5de64f7449dac2db862
Opcode Fuzzy Hash: 8601021f81bd573cac9d7ed634956c4401eede79775e54924bd6a3a063862ab9
Instruction Fuzzy Hash: 7E11E9AA260142CEDB47063DADE27DB37779F090107CF41B6888C86D63EB1A484DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 0212AFEF, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 801d727bf96097fac039099ec3131c4d0db6980947a4a2c97a099db21dbcb5ea
Instruction ID: fc2296ca7c45f31d26606c445f4c57814807e37c32f148b4a1e941f86de22da7
Opcode Fuzzy Hash: 801d727bf96097fac039099ec3131c4d0db6980947a4a2c97a099db21dbcb5ea
Instruction Fuzzy Hash: 5E212666548385CACBB24E389C993CFBBB2BF15218F8F816ACC984AD46D735164DCB40

Uniqueness

Uniqueness Score: -1.00%

Function 0212180F, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dc19adc76f8a812c58649ce5b2d1346a030c7aa7813d4e87ffa4ea1eca2c83d
Instruction ID: d1aeef08420ed7009dd48b43f18e3d5c6657848dd3d095cb1bc07f65202f6e3b
Opcode Fuzzy Hash: 2dc19adc76f8a812c58649ce5b2d1346a030c7aa7813d4e87ffa4ea1eca2c83d
Instruction Fuzzy Hash: 3711E16B265081EED6875439AD6A2C737A69E090443CF087A5C4C81D03E80F481DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A12B, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 283c0f9b87a8c97fb7e00c5c3092f72477e03533a39d7330da2813a5143115c0
Instruction ID: 287c311be6f08953f1241e1f8a14829899067d15b4e9d584f61b8f025b97599d
Opcode Fuzzy Hash: 283c0f9b87a8c97fb7e00c5c3092f72477e03533a39d7330da2813a5143115c0
Instruction Fuzzy Hash: 86115177254112CFDB6A453DAC663DB22A69F05610FDF453A9C5CC6D40FB2A498DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 021266AF, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd27a9082d3b81e7de05b41a17c74d71128c85fa4d54c56fd12c75ebd5a0f77d
Instruction ID: 6f959c1e7ba569155de92f41432a3bc7b279ace742e48d99f73a9edeeaa83e47
Opcode Fuzzy Hash: dd27a9082d3b81e7de05b41a17c74d71128c85fa4d54c56fd12c75ebd5a0f77d
Instruction Fuzzy Hash: 231191B63A0145CFC75A5A3DADB63CB36B7AF48600BCF443A984C81D14EA3A491DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A17F, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 408039aea4d9a9fa101efdb92c3da9f70766abe66e9a6b9fec85c4bf80dd8b15
Instruction ID: 1543c5b8e0cb0064a06cbf555d0cec4576919ffa4524e1508e8df1bbb62679a1
Opcode Fuzzy Hash: 408039aea4d9a9fa101efdb92c3da9f70766abe66e9a6b9fec85c4bf80dd8b15
Instruction Fuzzy Hash: 4B115E77250112CEDBAA453DAC663DB22A69F09610FEF453A9C4CC5D40FA2A488DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A609, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e7f23e263626a49d319c0da55410a7341969012c8e38acdf48ec304dff27eb9
Instruction ID: 2d779ec2c652b9a29d06ddae2188b65d7a8171265864075b36101726d9d1391d
Opcode Fuzzy Hash: 5e7f23e263626a49d319c0da55410a7341969012c8e38acdf48ec304dff27eb9
Instruction Fuzzy Hash: 17217C3578435B8BCB349E68C8D1BEB73B2BF56304F5A4119E8598B312E73184598B45

Uniqueness

Uniqueness Score: -1.00%

Function 0212908F, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d09bd3419b561513b223e157ab5e70bed0908f9abeab43a729f23484b89d3c
Instruction ID: ced6adf3e016f070e9a2dc4bdeaccdab4177a5f32204f04f7203f1015efc76f3
Opcode Fuzzy Hash: e7d09bd3419b561513b223e157ab5e70bed0908f9abeab43a729f23484b89d3c
Instruction Fuzzy Hash: B211A5A7695151CFDB67063C99A23D737B6AF1A610FCF0076C88C95E01F65A440DCB41

Uniqueness

Uniqueness Score: -1.00%

Function 021251AD, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35a5f90fce6d80a067881d3b24f02495c44a78996c5e579d24409fcd122814ac
Instruction ID: f14b0bd5a8a93a8a8a99d309eaf2df7c4c92b96d4c3e7479e93a4a35b2879f3a
Opcode Fuzzy Hash: 35a5f90fce6d80a067881d3b24f02495c44a78996c5e579d24409fcd122814ac
Instruction Fuzzy Hash: E7118176651205DFC7698E7A9AE53CB32A2AF08604FCA503A8C4D86E01D739990CCB54

Uniqueness

Uniqueness Score: -1.00%

Function 0212903B, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41bb79367e09b87dbb3e5a5c5988bd23fb2ab761bc2ec43fbfe4bff1127ba0a1
Instruction ID: f53e3153eb843ed2176896d613f4a0aac894b2618255090a81b2458b2605ea15
Opcode Fuzzy Hash: 41bb79367e09b87dbb3e5a5c5988bd23fb2ab761bc2ec43fbfe4bff1127ba0a1
Instruction Fuzzy Hash: BA11C2A7695251CFDB67463899A23D737A6AF1A210FCF0076DC8D86E01F659440DCB41

Uniqueness

Uniqueness Score: -1.00%

Function 02126CD3, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0a8207a6e7b74dce79f38a8085760079b513e9c865edc5f1cb0acc9005464e9
Instruction ID: cffe7e7c645ef146172bc289274a5ee614825e583d7e9ba6f791273ff2cb6034
Opcode Fuzzy Hash: f0a8207a6e7b74dce79f38a8085760079b513e9c865edc5f1cb0acc9005464e9
Instruction Fuzzy Hash: A1115677362145CFEBA649399DA63CB3277AF44200FDF002A4C4C99D019A7E490ECF41

Uniqueness

Uniqueness Score: -1.00%

Function 02121417, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 122eabd1a8e761dab01a201ec458e3352f6f32ad2cca47257f88073b97cf878c
Instruction ID: 8f20b62be9470cde6e846039c14cb9f5170befd356507529b03b90cbbc3a7068
Opcode Fuzzy Hash: 122eabd1a8e761dab01a201ec458e3352f6f32ad2cca47257f88073b97cf878c
Instruction Fuzzy Hash: 9E01CDEB7A5051DAD687517D6DA63CB22679A088007DF097A184CD5D02AD5F881DCFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0212B20B, Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85062aba2712b6a60b0ddf3af6f31b858bda3771d78992e603d90f374838aa45
Instruction ID: 8d8420812767ea1a04f2240234cf77e6c786b0165320383b30f697639be07def
Opcode Fuzzy Hash: 85062aba2712b6a60b0ddf3af6f31b858bda3771d78992e603d90f374838aa45
Instruction Fuzzy Hash: 6711D0B7568251CECFA69A38AC9E3DB7B61AF09510FCF416A888C95D01D72E090DCF52

Uniqueness

Uniqueness Score: -1.00%

Function 0212721C, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baf7240577f9e833c5f1ca2d8cc3652e0fa11ed88a4ceacd0e86d7561950debb
Instruction ID: 51c7b468cb673c6d2e38052bbe5e3468a40cdf73b794aed51450e382a389d4e0
Opcode Fuzzy Hash: baf7240577f9e833c5f1ca2d8cc3652e0fa11ed88a4ceacd0e86d7561950debb
Instruction Fuzzy Hash: C81103726483459FCBA88F35DA667EB77AAAF49350F46002EAD5A87252C7704901CF0A

Uniqueness

Uniqueness Score: -1.00%

Function 02127244, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4017c6996192b3788c9cf42abc971dc129be5ab2718d12fbdc7eb2e074bc29ce
Instruction ID: e52dfe321f832fdee49e6a73051cb5f6859377adeeaae23f3fce9e61867d6f2e
Opcode Fuzzy Hash: 4017c6996192b3788c9cf42abc971dc129be5ab2718d12fbdc7eb2e074bc29ce
Instruction Fuzzy Hash: 4F2105716083499FCBB88F39D9667EB77EAAF48350F42042EEC5AD7261D7708900CB06

Uniqueness

Uniqueness Score: -1.00%

Function 00401741, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 02129141, Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36102c48a663336d81aa8911ed6c80b495c64e87cbde907c9c847ccfbcc9eb8
Instruction ID: 56614693c1d516fe5d3ce1e97c30f8c982271967e622f1d227a7d4fa0110929d
Opcode Fuzzy Hash: e36102c48a663336d81aa8911ed6c80b495c64e87cbde907c9c847ccfbcc9eb8
Instruction Fuzzy Hash: E7011E9B6A5151CEDB670639A9A63C737B6AF1A500BCF04B6888C95E02F95E480DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 021296E6, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 291314bd67ae6ffa4f0bc6fe67e71b527e47c215d362c1609d74b535ac941621
Instruction ID: 04ce3e4fe0bd4aaa4aa52e32b470b839280920a04098c4645265d7f944a09ee7
Opcode Fuzzy Hash: 291314bd67ae6ffa4f0bc6fe67e71b527e47c215d362c1609d74b535ac941621
Instruction Fuzzy Hash: B4014BAB6A0011DEDB97597DAD663CB22B69F08500FDF48366C4CD0E01EA2E8D4DDF80

Uniqueness

Uniqueness Score: -1.00%

Function 02128B09, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f637b41a60057fe0af5f2e75f5d1477a29630fad28cb2407b4c0c9494fa03b37
Instruction ID: 07d41fa1c5c6d83fcb9d8418285146960d5dae4876f7b271b97502a3ef5e58d3
Opcode Fuzzy Hash: f637b41a60057fe0af5f2e75f5d1477a29630fad28cb2407b4c0c9494fa03b37
Instruction Fuzzy Hash: 1EF03CAB261001CEDA8B413DA9A73CB337AAE095003CF003B8C4CD0D01AD1E481ECFD1

Uniqueness

Uniqueness Score: -1.00%

Function 021269E5, Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f35b3b723731d4f03882ea50af3871bbee23398737ee8578fba8543afaddb094
Instruction ID: aac119dc49265273d8dad443903a18e768b0a2a4369a0c94e5809703640b7f7b
Opcode Fuzzy Hash: f35b3b723731d4f03882ea50af3871bbee23398737ee8578fba8543afaddb094
Instruction Fuzzy Hash: 40F097AB7A1151CED69B053DADA63DB22ABAE085007CF053B5C5CD1E01AD5E884ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 021290F3, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde100c4d89a1ef1bb250a57ff7dbe974844a228340266225950c6d8521618ce
Instruction ID: 46b49a0ea078b0d6c711bb5f362f5ee896b0034d2927c5c6072002d2dcb1936a
Opcode Fuzzy Hash: dde100c4d89a1ef1bb250a57ff7dbe974844a228340266225950c6d8521618ce
Instruction Fuzzy Hash: AE0162AB695251CEDB6B0638A9B63DB27B69F2B510FCF00B68C8D95E01F54E440DCB41

Uniqueness

Uniqueness Score: -1.00%

Function 02120257, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5fa7ffe4ba655f5b71bf765d4ea594d6a7ad0ced4e8a3eefee11733dbd4f126
Instruction ID: 107b9bd8926b4e3f25ecd83d774fea9e96948e72b85d452621b14b659a52dfea
Opcode Fuzzy Hash: e5fa7ffe4ba655f5b71bf765d4ea594d6a7ad0ced4e8a3eefee11733dbd4f126
Instruction Fuzzy Hash: 09F097BB2A2016CEDA8B457DAAA63DB3276AE0C6003CF04365C4DD0D11B95F881ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212014A, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe4527c81cbf16f029fac1f8b40a194e914c1e2be48b274bc87308fa33afdeda
Instruction ID: f50aeade6ffc1385d81d1f4fb91a0d78a30b7089c9d3f2b6d1e6ba75aa7308b3
Opcode Fuzzy Hash: fe4527c81cbf16f029fac1f8b40a194e914c1e2be48b274bc87308fa33afdeda
Instruction Fuzzy Hash: C3F059AB2A1151CADA971139AE663D726B69F1D900BCF043B0C5D90D02A95E981ECFD1

Uniqueness

Uniqueness Score: -1.00%

Function 02124F35, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1b00c0ddc9c605cb04110926e08b172862f2e889ae3c5062686231bf6ca5dd0
Instruction ID: ade674ddbfb70b392bfd680001e770ff594f83ea0311b8085e08e766f1ce3172
Opcode Fuzzy Hash: b1b00c0ddc9c605cb04110926e08b172862f2e889ae3c5062686231bf6ca5dd0
Instruction Fuzzy Hash: 800117AF169145CEEFA7893D6DA63CB3776AF09100BCF043A5C8C91D11D95A451DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 02129BC1, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fbb1333daa2b8043999db662fb935cae21aa35eade21c6a602706e201a5d56f
Instruction ID: 46d2af0df887d7b1591deed283fb2ab629c446fe9229dcb613b6833989b3c0fe
Opcode Fuzzy Hash: 4fbb1333daa2b8043999db662fb935cae21aa35eade21c6a602706e201a5d56f
Instruction Fuzzy Hash: 67F09CAB3A2101CEDA9B453DAA767C722B6AF085003DF047A484CD5D12E95E880DCF84

Uniqueness

Uniqueness Score: -1.00%

Function 0212357C, Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 436372c3d7c476e706797716e4edeb80ffa0a9912afa5633f164e9b66d7dfe1d
Instruction ID: 26ae93658734554379bf0a326b04e75d507e20ab6981a69698f0e13aeebe5109
Opcode Fuzzy Hash: 436372c3d7c476e706797716e4edeb80ffa0a9912afa5633f164e9b66d7dfe1d
Instruction Fuzzy Hash: 29F0817B261101CFC68B4539A9A62C633A56E085007CF087A595CA6D02E95E880DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 02128E1A, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bddecb6a48392d0d853eaa6a43a7adfb34e489ae76c9fb54a2b5406d981d0a6b
Instruction ID: e562d8eb6b7b7e451ae1660b9b2f3f987c303837b373ca458f3b43a79c1e1649
Opcode Fuzzy Hash: bddecb6a48392d0d853eaa6a43a7adfb34e489ae76c9fb54a2b5406d981d0a6b
Instruction Fuzzy Hash: BFF03AAB2A1446CAD78706BE69A62C772B6BE095043CF1936984CD4E12F95B480DCFC1

Uniqueness

Uniqueness Score: -1.00%

Function 02126B03, Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c97c552127f184f606db2e892a63027967d5308c0599d1ca2faeb6a6a6241d90
Instruction ID: 6c6439e978082ec6800041f517fd9de5fd77c4e66d19ada5df6a1ea6dde0560e
Opcode Fuzzy Hash: c97c552127f184f606db2e892a63027967d5308c0599d1ca2faeb6a6a6241d90
Instruction Fuzzy Hash: FEF0E1BB661055CED7930A3DAD563C73266AF19640BCF04364C4C96D01E96A4D0DCFC0

Uniqueness

Uniqueness Score: -1.00%

Function 02128805, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d0eb329c8e2096b10aa4e8a7150d8347294467353cc1215e1ffe82c8f3cb2cd
Instruction ID: c4c36815d0cc3ae22903bdce2b0002da8eb9874d6d9ccc075e00fc3ad5e4b3bb
Opcode Fuzzy Hash: 7d0eb329c8e2096b10aa4e8a7150d8347294467353cc1215e1ffe82c8f3cb2cd
Instruction Fuzzy Hash: 8DF0B7EB6B1002C9D6870479A9667C71277AA0D4403CF483B488C90D01A84F480DCFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0212719F, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c714bb2cd2c326d59f02a71542f874e4f661ec6cf6432e31e032b01cbe31067
Instruction ID: 36e83e640072771fa425be2c317ff3fae4788e2765a93e8b5eede9dfc6348bda
Opcode Fuzzy Hash: 1c714bb2cd2c326d59f02a71542f874e4f661ec6cf6432e31e032b01cbe31067
Instruction Fuzzy Hash: 8BF031BF2E1041CEDBAA8939AD667DB3276AF04600BCF04269C4C94D00992F890DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 021295AD, Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2763a1f89b64fc9e42d57f3b5222a1bec946f9cbb77455812e661f71fcbef59d
Instruction ID: 7834e88e30d2595370a991553e903ad7cd93dcc153bdb4a79a574f79a6f22b2e
Opcode Fuzzy Hash: 2763a1f89b64fc9e42d57f3b5222a1bec946f9cbb77455812e661f71fcbef59d
Instruction Fuzzy Hash: 6CF00DAB275141CEEAC7453DA9A67C726B66F095047CF047A488CD5E42A99F8C0ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 021252C5, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2134542b28caef8e74938ede781be0391770728a19ff47a81b7cd75764c3a2c
Instruction ID: 6399d10681854aabb2976a052797ae9feb3e4292d40f257c56c74e49e2b47a4d
Opcode Fuzzy Hash: c2134542b28caef8e74938ede781be0391770728a19ff47a81b7cd75764c3a2c
Instruction Fuzzy Hash: 37F0DAAF271242CEDA8B057A69E63CB22A7AE085003CF04374D8CE5D12A95E880DCF81

Uniqueness

Uniqueness Score: -1.00%

Function 0212938F, Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9853dcddd5b677a9ffebb573d0f1727caa8e2583ffc93e14e0a3f338be1ac75a
Instruction ID: 43a14d95ce3ca3d939fff0715fc4e1ea59280c0c40ce8ab1b5486678fd92110a
Opcode Fuzzy Hash: 9853dcddd5b677a9ffebb573d0f1727caa8e2583ffc93e14e0a3f338be1ac75a
Instruction Fuzzy Hash: 79F05FAB7A2002C9AA87103D696A3CB126A6A585017DF4837188CD4D01AD4E885DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212B115, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cc4ce1d5b27a38a6e6b242a10c138a972eeceadfe0281b1babe62955f2a2b1b
Instruction ID: c6eadf3fa3b79be854f0f6eca202f49e590b6e6284d6a8c8d82b9e537917ad27
Opcode Fuzzy Hash: 5cc4ce1d5b27a38a6e6b242a10c138a972eeceadfe0281b1babe62955f2a2b1b
Instruction Fuzzy Hash: 3CF062AF2B5106DD998710396DB67CB12A7AD195003CF443B088CD1E026D4E981ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212350F, Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 258b9e80575f7bd3f027106c0e13fae4c2a3614dbffd6e5c6f54e5aedaa1ff7a
Instruction ID: 676771a0d797bba02bc148d90bfb6584dba38a568c54e72f3e27cdb795f6e930
Opcode Fuzzy Hash: 258b9e80575f7bd3f027106c0e13fae4c2a3614dbffd6e5c6f54e5aedaa1ff7a
Instruction Fuzzy Hash: B3F0B2AB3A1041CADA87053D6AAA3C726A66E098403CF087A098CA5D01B89F990DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 02129B4A, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffcc7dd9c88e70fffea374fa727b3006678c03f09529f03a01f7ebbcce41ede8
Instruction ID: 98cc6a3e8a192908e1bb39a58a83eae6b447fade02cee692f19ca123f525141a
Opcode Fuzzy Hash: ffcc7dd9c88e70fffea374fa727b3006678c03f09529f03a01f7ebbcce41ede8
Instruction Fuzzy Hash: 82012271B506A8CFCB78CE2CCA94BD973E4AF58750F55946AE82DCB311D730EA20CA14

Uniqueness

Uniqueness Score: -1.00%

Function 0212777F, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7af92c0a6c7a8291e56dcece398e563b8e825c0786ae89aa661ab2d082f9f0cf
Instruction ID: 034e381a653ca20c9d1e0413e0e145864ce2d97e39674ef442336e34ff7ce259
Opcode Fuzzy Hash: 7af92c0a6c7a8291e56dcece398e563b8e825c0786ae89aa661ab2d082f9f0cf
Instruction Fuzzy Hash: D0F028EB362101CEDAD74539AEA63CB226AAF0D5107DF443A484C90D02A89E8C0DCFC0

Uniqueness

Uniqueness Score: -1.00%

Function 0212822F, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7650f534409c38f8cedfca65e2bc4d44eea82589194a5d013651f93e3c99f31e
Instruction ID: 7a1b9ebcd2b08687243c53251f54ee0d3e97dc3a4aaa6acd1daea5701f4cf5a6
Opcode Fuzzy Hash: 7650f534409c38f8cedfca65e2bc4d44eea82589194a5d013651f93e3c99f31e
Instruction Fuzzy Hash: 4EF0D5AB2A1006CADA87057EAEA73C736BAAE0C9003CF0436484CD0D11A95F885DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212A73B, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59382339022e05266ae2f03b9d5dbd14cad3ec2273aa3f6faab59b44c16e1dad
Instruction ID: 5f6324bc2134da7afbab2cdc5217c4ed6d4b5f5d9a39efe3ee0d22d4d43344a5
Opcode Fuzzy Hash: 59382339022e05266ae2f03b9d5dbd14cad3ec2273aa3f6faab59b44c16e1dad
Instruction Fuzzy Hash: 44E072AF7A1102CDEA9B00797D7A3C721B6AE084412DF193A5C8D91E427D8F881ECFD0

Uniqueness

Uniqueness Score: -1.00%

Function 021267D7, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5834508269b8ea90d2f7f6cb425ccce590feb9b6e86597157234459c53a0f433
Instruction ID: 103b5aa4e3a4f471349e067d58617847e65adab7e281bb3b79a3e85947e85678
Opcode Fuzzy Hash: 5834508269b8ea90d2f7f6cb425ccce590feb9b6e86597157234459c53a0f433
Instruction Fuzzy Hash: 6AF0D5AB261006CAD687057DAEA73CB62B7AE199403DF4436488CD0D11A95F881DCF90

Uniqueness

Uniqueness Score: -1.00%

Function 0212BDF7, Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0efd158605be7984dda316f8c9f57ab5bccf4f6e2f9c9d062653baa12ae52d4
Instruction ID: 0550f0a0893af60fb56dab8018b290a8b50081b6ea85029216b2c2d81c40b276
Opcode Fuzzy Hash: d0efd158605be7984dda316f8c9f57ab5bccf4f6e2f9c9d062653baa12ae52d4
Instruction Fuzzy Hash: B9E005DB362001CA9A8B047D69B63DB116659484053DF047A584D90D01AD4E485DDF80

Uniqueness

Uniqueness Score: -1.00%

Function 021268F0, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1881bb54341c00ddf324e120c5af78d30641d7a21d4bd50822d469851aa30378
Instruction ID: 07ef39113c7d8c22dc7526130953234999c9d05e54c329a7adbdf30f85197d87
Opcode Fuzzy Hash: 1881bb54341c00ddf324e120c5af78d30641d7a21d4bd50822d469851aa30378
Instruction Fuzzy Hash: 3FE00EAB2A5041DAEA874139B9763C766665D499042DF047B488C95D12A84F880ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212B365, Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50be485639f0a0db893b68d76954e63dc80f776dc1d7b52dcc15f202cb24ede
Instruction ID: 25fb561068536dcb75d57b3fd9797fd5217bf2a608e272002e6683dba9a8bb2f
Opcode Fuzzy Hash: f50be485639f0a0db893b68d76954e63dc80f776dc1d7b52dcc15f202cb24ede
Instruction Fuzzy Hash: CAE065EB271001DADA87057EADA73C76277AE099403CF047A488CD0D12B95F881DCF90

Uniqueness

Uniqueness Score: -1.00%

Function 02128F97, Relevance: .0, Instructions: 38COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51600a211f65c123ce1d0268cdfad022cd9d76f8f8764d7c96453e90d851228b
Instruction ID: be9a36b107bc2a16a75bcf21e85258d1b7144516cc79a6138968d97ccb4a6549
Opcode Fuzzy Hash: 51600a211f65c123ce1d0268cdfad022cd9d76f8f8764d7c96453e90d851228b
Instruction Fuzzy Hash: FEE06EAB2A1142C9A68B003A6AAA3C711AB6D088406CF043A0C4C90D01AD4E880DCF84

Uniqueness

Uniqueness Score: -1.00%

Function 02128C53, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d172dbfc608a0b1f0f9b33c2fd1c5b6ed3ca35c303f38c2b683cdeebdd8557c
Instruction ID: 50b98aa693da0b1591c24d8b623ae348b4b75326fb4ab45b3167f54914439da3
Opcode Fuzzy Hash: 4d172dbfc608a0b1f0f9b33c2fd1c5b6ed3ca35c303f38c2b683cdeebdd8557c
Instruction Fuzzy Hash: 05E0DEAB2A1056CADA97057DAAA73CB3676AA199403CF05764C4CD0D12B95F881DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 02128F47, Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7732053446b710575b68ad9122ff507689c8a6b219edff5250a2aa66b2d31e17
Instruction ID: a023e0099ba2121d8f3377175175bfcca32c7da82bca4a160ed93a9b1f9ccb2f
Opcode Fuzzy Hash: 7732053446b710575b68ad9122ff507689c8a6b219edff5250a2aa66b2d31e17
Instruction Fuzzy Hash: EFE07AAB2A5152D9EA8B003A6EBA3D712AB6D099406CF053A1C5DA1D01A94F881DCF84

Uniqueness

Uniqueness Score: -1.00%

Function 021288D1, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5219ba817a360b6842ce7767cfb01794ec9ae772620fff74c7f2c8c181751443
Instruction ID: eb71ffef3505880b9971ac14220406d09247ea5413b142eb9b45935664c7a625
Opcode Fuzzy Hash: 5219ba817a360b6842ce7767cfb01794ec9ae772620fff74c7f2c8c181751443
Instruction Fuzzy Hash: 82E0599F6A6045CEDA87413EBDA73DB26B7AD084007CF043A488CE0D12AD4E880DCFC4

Uniqueness

Uniqueness Score: -1.00%

Function 004016F4, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 02127D80, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff4789e3201d3c7ea264341f6041ed7231cc30e89d55f80fa583b4c25284db1a
Instruction ID: e7797740abb341ece503272907ae7dcd4b2306b909ff4de8689756271a336ef1
Opcode Fuzzy Hash: ff4789e3201d3c7ea264341f6041ed7231cc30e89d55f80fa583b4c25284db1a
Instruction Fuzzy Hash: D4E00EDF2A2005CAA9C7043AAD7B7D7156A6A588042CF187B4C8CD1D12B84F8C0ECF84

Uniqueness

Uniqueness Score: -1.00%

Function 02129A0B, Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491d22a079d31d51336aff6204f00264a58c329aef0e8b9ff2b4e9bda683ada0
Instruction ID: db9ae74be419e8cc6949f0753001b3e656ecd99499e9ee58360951270cf1d716
Opcode Fuzzy Hash: 491d22a079d31d51336aff6204f00264a58c329aef0e8b9ff2b4e9bda683ada0
Instruction Fuzzy Hash: 06E075EB775141CDD6CB5479AAAB3CB56A79A185003CF583A498CD0D06BC4E981ECFC4

Uniqueness

Uniqueness Score: -1.00%

Function 0212363D, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a7bb085085075d8119f14928e2525e88cb9088c7fba581a42c289fa3b985c84
Instruction ID: ed32f557a373bb2d1f3824edacfa7ce3a475a4f9476083f0472caf23a56b7b44
Opcode Fuzzy Hash: 0a7bb085085075d8119f14928e2525e88cb9088c7fba581a42c289fa3b985c84
Instruction Fuzzy Hash: 64E075AB261111D99687403979663C762A65A085003CF043A188C90D01A84E890DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212707F, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b848ae61a8e21b819fc5e04717af7e6b9c10188cb38cd6b17e57c4b3422887dc
Instruction ID: 8fd42fea9bf9e2bedbd83c363f021bdd1e1a73c3333e217f958069af989776ab
Opcode Fuzzy Hash: b848ae61a8e21b819fc5e04717af7e6b9c10188cb38cd6b17e57c4b3422887dc
Instruction Fuzzy Hash: 3CE002AF371012DDE68B41796DA73CB11AB5E188003DF483A484CE1D15A84F8C4DCF84

Uniqueness

Uniqueness Score: -1.00%

Function 02129AEF, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb0e99fd1ff00ef9c7faf6a41418ee1a66b2957f1c2a430790623389d48522ed
Instruction ID: b5c6de2efadb7cdac6d0f75af4c955aece39f0c336f5465dadc92f8e370ed040
Opcode Fuzzy Hash: fb0e99fd1ff00ef9c7faf6a41418ee1a66b2957f1c2a430790623389d48522ed
Instruction Fuzzy Hash: 3BE08AAB3A2006CEDA97443DA9B67DB12A75A185007DF0437588CD1D01B99E584DCF91

Uniqueness

Uniqueness Score: -1.00%

Function 0212196C, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cd3bb73d4942cd70d348b1f8faa300673d57b22d2afac8834f474af77c1b105
Instruction ID: 4efdf46ef3e66383015f74cdc547364674a944b953a47358a32ee8301379d613
Opcode Fuzzy Hash: 0cd3bb73d4942cd70d348b1f8faa300673d57b22d2afac8834f474af77c1b105
Instruction Fuzzy Hash: 05E0829B265402C9999740396AB63D751665D184102CF053B5D9CD0D51684F880ECF80

Uniqueness

Uniqueness Score: -1.00%

Function 021229D8, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: def24e1eb8335f997cee9b4f739f8a7caf50408a43c38fd1e1643d291b384b04
Instruction ID: 8f815bf9951354f05517d66d5110436ebd1c79fb88cb801b930fdd58b23fa662
Opcode Fuzzy Hash: def24e1eb8335f997cee9b4f739f8a7caf50408a43c38fd1e1643d291b384b04
Instruction Fuzzy Hash: FBE082DB2A5151C9A6C7003EAD763C7166659088043CF08764C8C94D02B94F8C0DCF84

Uniqueness

Uniqueness Score: -1.00%

Function 02128FEF, Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11f3f8a94f47233b8e69ce34eabb5b8a4879c6b3b7a81d810e4e84dffe24b101
Instruction ID: ab73229410f77fab831b494a7e62bd16dd495022737e1062f12e7446a5da3f73
Opcode Fuzzy Hash: 11f3f8a94f47233b8e69ce34eabb5b8a4879c6b3b7a81d810e4e84dffe24b101
Instruction Fuzzy Hash: 0AE0029B2A1102D9958B00397D6B3C711676D098412CF053A0C4C94D016D4F480DCF80

Uniqueness

Uniqueness Score: -1.00%

Function 021253E8, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 05d2fc67c90a7e57936dd0a58fd4fe485658c8ecae79a00b04d2553a082d0872
Instruction ID: eca2a66768960fcb9b97526b6e42468736cbabc12607c868c50073dddf903b49
Opcode Fuzzy Hash: 05d2fc67c90a7e57936dd0a58fd4fe485658c8ecae79a00b04d2553a082d0872
Instruction Fuzzy Hash: A3E0829B2A5141DAE6C7113AA97B3DB66A75D494403CF087A488CD5D02A84F4C0EDF80

Uniqueness

Uniqueness Score: -1.00%

Function 0212020D, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90dd4d6673433efd9448f4e46ab28ffbd68320f88871923e9ac4bebb781f1e3c
Instruction ID: 8c6eb7a89f227227c7e342661b788159bfee5957dec3d51ac2da3c87694eff7e
Opcode Fuzzy Hash: 90dd4d6673433efd9448f4e46ab28ffbd68320f88871923e9ac4bebb781f1e3c
Instruction Fuzzy Hash: 9ED002DF2B2011C99587447E7D673C711B76A484043CF0837084CE0E11A84F880ECFD0

Uniqueness

Uniqueness Score: -1.00%

Function 02128B89, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d619a1f911baa4bab2eb4447afa0a86a011132b55f73388b65105ba0f124a13
Instruction ID: 113e3e8fe39f25e397ce187e226f8d5127b3428f3b47962e829f86610681e0ce
Opcode Fuzzy Hash: 1d619a1f911baa4bab2eb4447afa0a86a011132b55f73388b65105ba0f124a13
Instruction Fuzzy Hash: 37D002DF7B1016C99587443A7D673C715B66A484003CF183A484CD1D11A84F884ECF85

Uniqueness

Uniqueness Score: -1.00%

Function 02126BE9, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64cf4e513d12527a51a89d3920b8cd01cf9acfb7efa3f5074f22249a39087f2b
Instruction ID: 9933f2a62b8f4d380025d3e74a8f9734e667425c22b24e7d72e1e2f91ccc9272
Opcode Fuzzy Hash: 64cf4e513d12527a51a89d3920b8cd01cf9acfb7efa3f5074f22249a39087f2b
Instruction Fuzzy Hash: 12B002BAA515C19FFF56DF0CD591B5073A4FB59748B8904D0E456DB712D224E910CB04

Uniqueness

Uniqueness Score: -1.00%

Function 0212960F, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781926944.0000000002120000.00000040.00000001.sdmp, Offset: 02120000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4bd58b172bb8a145785a1cce5c1038b1ce1905cbc859746e1fec6fc9bc7646b9
Instruction ID: 0bd5377001bbe4ee011336cad77d82d8cd7533e9c5bdafbc84d3c797f33c3a2b
Opcode Fuzzy Hash: 4bd58b172bb8a145785a1cce5c1038b1ce1905cbc859746e1fec6fc9bc7646b9
Instruction Fuzzy Hash: 43B09230221680CFCA49CA08C1D0E0473B0B700600B520480E0118BB52C2A5E840CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00414990, Relevance: 56.2, APIs: 29, Strings: 3, Instructions: 212COMMON

Download Yara Rule

APIs

#693.MSVBVM60(00411174), ref: 004149DE
#535.MSVBVM60 ref: 004149EC
#593.MSVBVM60(?), ref: 00414A06
__vbaFreeVar.MSVBVM60 ref: 00414A11
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414A29
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414A54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000110), ref: 00414A82
__vbaStrMove.MSVBVM60 ref: 00414A91
__vbaFreeObj.MSVBVM60 ref: 00414AA0
__vbaVarDup.MSVBVM60 ref: 00414AB6
#666.MSVBVM60(?,0000000A), ref: 00414AC4
__vbaVarMove.MSVBVM60 ref: 00414AD0
__vbaFreeVar.MSVBVM60 ref: 00414AD9
#709.MSVBVM60(ABC,004111A4,000000FF,00000000), ref: 00414AFC
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414B1D
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414B42
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000140), ref: 00414B68
__vbaFreeObj.MSVBVM60 ref: 00414B6D
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 00414B89
__vbaStrMove.MSVBVM60 ref: 00414B94
__vbaFreeVar.MSVBVM60 ref: 00414B9D
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414BB6
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414BDB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,00000070), ref: 00414BFB
__vbaFreeObj.MSVBVM60 ref: 00414C00
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000D7,overmandende), ref: 00414C10
__vbaFreeStr.MSVBVM60(00414C6C), ref: 00414C5B
__vbaFreeStr.MSVBVM60 ref: 00414C60
__vbaFreeVar.MSVBVM60 ref: 00414C65

Strings

overmandende, xrefs: 00414C02
sandvaanere, xrefs: 00414AA8
ABC, xrefs: 00414AF7

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#535#593#666#693#704#709FileOpen
String ID: ABC$overmandende$sandvaanere
API String ID: 2783911502-2510946440
Opcode ID: 3066ff36288c8b16da0b8f94c2b84ae130f225b587c3b475b97300201a38975a
Instruction ID: 82345f0d992d447345c19e98a0b40ebf7f134c2c5fad931798f434525dd91ef9
Opcode Fuzzy Hash: 3066ff36288c8b16da0b8f94c2b84ae130f225b587c3b475b97300201a38975a
Instruction Fuzzy Hash: 4F817B70940219ABCB10DFA4DE48EDEBBB8FF48755F20412AF105B72E4DB745986CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00414EA0, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 162COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00414EE8
#712.MSVBVM60(?,00411174,00000000,00000001,000000FF,00000000), ref: 00414EFD
__vbaStrMove.MSVBVM60 ref: 00414F0E
__vbaStrCmp.MSVBVM60(004111D8,?), ref: 00414F19
#541.MSVBVM60(?,21:21:21), ref: 00414F30
__vbaStrVarMove.MSVBVM60(?), ref: 00414F3A
__vbaStrMove.MSVBVM60 ref: 00414F45
__vbaFreeVar.MSVBVM60 ref: 00414F4A
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414F62
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 00414F8D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000B8), ref: 00414FBB
__vbaFreeObj.MSVBVM60 ref: 00414FC0
#535.MSVBVM60 ref: 00414FC6
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 00414FE0
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,0000001C), ref: 00415005
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410F30,00000064), ref: 00415027
__vbaFreeObj.MSVBVM60 ref: 0041502C
__vbaVarDup.MSVBVM60 ref: 00415046
#687.MSVBVM60(?,?), ref: 00415054
__vbaDateVar.MSVBVM60(?), ref: 0041505E
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00415070
__vbaFreeStr.MSVBVM60(004150AF), ref: 004150A7
__vbaFreeStr.MSVBVM60 ref: 004150AC

Strings

7/7/7, xrefs: 00415038
val, xrefs: 00414ECB
21:21:21, xrefs: 00414F2A

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#535#541#687#712CopyDateList
String ID: 21:21:21$7/7/7$val
API String ID: 2692386279-935112925
Opcode ID: d920336204d3725ade39c3c1c21d7b1e6079f090d16a0c975f5dbe633f8bbe8e
Instruction ID: e1475fb1f93ef9a1ec82d9a1f67e7ee567fa347ab5fdaa20dfd5b926967bb147
Opcode Fuzzy Hash: d920336204d3725ade39c3c1c21d7b1e6079f090d16a0c975f5dbe633f8bbe8e
Instruction Fuzzy Hash: EE518E71900219EFCB00DFA4DD88EEEBBB9FB58705F10452AF505B72A4DB745889CB98

Uniqueness

Uniqueness Score: -1.00%

Function 004147A0, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 127COMMON

Download Yara Rule

APIs

#606.MSVBVM60(00000001,?), ref: 00414800
__vbaStrMove.MSVBVM60 ref: 0041480B
__vbaStrCmp.MSVBVM60(00411154,00000000), ref: 00414817
__vbaFreeStr.MSVBVM60 ref: 0041482A
__vbaFreeVar.MSVBVM60 ref: 00414839
#541.MSVBVM60(00000002,12:12:12), ref: 0041484D
__vbaStrVarMove.MSVBVM60(00000002), ref: 00414857
__vbaStrMove.MSVBVM60 ref: 00414862
__vbaFreeVar.MSVBVM60 ref: 0041486B
#648.MSVBVM60(00000002), ref: 0041487F
__vbaFreeVar.MSVBVM60 ref: 00414888
__vbaNew2.MSVBVM60(00410ED8,004165D8), ref: 0041489C
__vbaHresultCheckObj.MSVBVM60(00000000,029D004C,00410EC8,00000014), ref: 004148C7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00410EE8,000000B8), ref: 004148F5
__vbaFreeObj.MSVBVM60 ref: 004148FA
__vbaHresultCheckObj.MSVBVM60(00000000,00401160,00410914,000006FC), ref: 0041491C
__vbaFreeStr.MSVBVM60(0041495A), ref: 00414953

Strings

12:12:12, xrefs: 00414847
, xrefs: 004147F2

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#541#606#648New2
String ID: $12:12:12
API String ID: 4248556555-1101392946
Opcode ID: 684de45ead30eddb0628d4cf1cb0a3cd4f2cb0cbeb8b68ab22907794830e529b
Instruction ID: 0c58ea7e028fab494be86df3efd621ba65edb83486e14d62d930ab9e8dd34979
Opcode Fuzzy Hash: 684de45ead30eddb0628d4cf1cb0a3cd4f2cb0cbeb8b68ab22907794830e529b
Instruction Fuzzy Hash: 45415174940219EFCB00DFA5DE89ADEBBB8FF58704F10411AE106B72A0DB745985CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00414D50, Relevance: 16.6, APIs: 11, Instructions: 89COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 00414DB0
__vbaStrVarVal.MSVBVM60(?,?), ref: 00414DBE
#516.MSVBVM60(00000000), ref: 00414DC5
__vbaFreeStr.MSVBVM60 ref: 00414DD9
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 00414DE9
#617.MSVBVM60(00000002,?,000000FF), ref: 00414E0A
#617.MSVBVM60(00000002,?,00000000), ref: 00414E28
__vbaStrVarMove.MSVBVM60(00000002), ref: 00414E32
__vbaStrMove.MSVBVM60 ref: 00414E3D
__vbaFreeVar.MSVBVM60 ref: 00414E46
__vbaFreeStr.MSVBVM60(00414E7A), ref: 00414E73

Memory Dump Source

Source File: 00000000.00000002.781420338.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781411599.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781452214.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781462619.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#617Move$#516#632List
String ID:
API String ID: 3155365896-0
Opcode ID: 932eb668ff17ed64adae54c77b8e402ece5888d99afb6bd268984d711da5926c
Instruction ID: a6d17c38310a98bedcfe9e67ee839cc925cda2e1aad737b3a6a2107308b7f2bb
Opcode Fuzzy Hash: 932eb668ff17ed64adae54c77b8e402ece5888d99afb6bd268984d711da5926c
Instruction Fuzzy Hash: 1231C5B1C00219EFCB04DF94DD89DEEBBB8FF58705F10422AE602A6164E7B41549CB94

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Fra FAC-ES101-2107-03806.doc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Fra FAC-ES101-2107-03806.doc.exe PID: 812 Parent PID: 852

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Fra FAC-ES101-2107-03806.doc.exe PID: 812 Parent PID: 852 Fra FAC-ES101-2107-03806.doc.exeCOMMON

Executed Functions

Function 0212B8AA, Relevance: 1.7, APIs: 1, Instructions: 212COMMON

Function 021274A7, Relevance: 1.7, APIs: 1, Instructions: 209memorynativeCOMMON

Function 0212B78F, Relevance: 1.7, APIs: 1, Instructions: 206COMMON