Play interactive tour

Edit tour

Analysis Report Proof of payment.exe

Overview

General Information

Sample Name:	Proof of payment.exe
Analysis ID:	338405
MD5:	606275919e922f6a1f639c42f8e2580c
SHA1:	32d9ef9a02da8cf64594608c61bb7adc7b397703
SHA256:	94644b63a2f087324bcbab6b789ec015939cee82844f788987835837f57d0acc
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Proof of payment.exe (PID: 5352 cmdline: 'C:\Users\user\Desktop\Proof of payment.exe' MD5: 606275919E922F6A1F639C42F8E2580C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Proof of payment.exe PID: 5352	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Proof of payment.exe PID: 5352	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: Proof of payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Proof of payment.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Proof of payment.exe

Source: C:\Users\user\Desktop\Proof of payment.exe

Process Stats: CPU usage > 98%

Source: Proof of payment.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: Proof of payment.exe, 00000000.00000002.1288564482.0000000002250000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs Proof of payment.exe
Source: Proof of payment.exe, 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe
Source: Proof of payment.exe	Binary or memory string: OriginalFilenameUNDERWOOD.exe vs Proof of payment.exe

Source: Proof of payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Proof of payment.exe

File created: C:\Users\user\AppData\Local\Temp\~DF1BAB6DD5B79524A4.TMP

Jump to behavior

Source: Proof of payment.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Proof of payment.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Proof of payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Proof of payment.exe PID: 5352, type: MEMORY

Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_00402CAE push edx; retf	0_2_00402CAF
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004059F9 push FFFFFFC2h; ret	0_2_00405A30
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_0040460F push esi; iretd	0_2_00404613
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004077E4 push es; ret	0_2_004077F7

Source: C:\Users\user\Desktop\Proof of payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F284A	0_2_004F284A
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F0C5C	0_2_004F0C5C
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F1948	0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F2966	0_2_004F2966
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F0D06	0_2_004F0D06
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F2642	0_2_004F2642
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F262E	0_2_004F262E
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F53D3	0_2_004F53D3

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\Proof of payment.exe

RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Proof of payment.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Proof of payment.exe	RDTSC instruction interceptor: First address: 00000000004F6062 second address: 00000000004F6062 instructions:
Source: C:\Users\user\Desktop\Proof of payment.exe	RDTSC instruction interceptor: First address: 00000000004F53F1 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bh, dh 0x0000000d xor edi, edi 0x0000000f cmp bx, dx 0x00000012 mov dword ptr [ebp+000000F8h], 00A95F60h 0x0000001c cmp bh, ah 0x0000001e push edi 0x0000001f jmp 00007F6314B6B4DDh 0x00000021 call 00007F6314B6B469h 0x00000026 pop edi 0x00000027 jmp edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b mov dh, 46h 0x0000002d cmp dh, 00000046h 0x00000030 jne 00007F6314B6863Dh 0x00000036 popad 0x00000037 call 00007F6314B6B4EBh 0x0000003c call 00007F6314B6B4A8h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Proof of payment.exe	RDTSC instruction interceptor: First address: 00000000004F54D3 second address: 00000000004F54D3 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6314B667A8h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp bl, FFFFFFAAh 0x00000020 cmp ax, bx 0x00000023 jmp 00007F6314B667BAh 0x00000025 test ecx, 2977CC05h 0x0000002b add edi, edx 0x0000002d cmp dl, dl 0x0000002f dec dword ptr [ebp+000000F8h] 0x00000035 test ah, dh 0x00000037 cmp dword ptr [ebp+000000F8h], 00000000h 0x0000003e jne 00007F6314B66701h 0x00000044 push edi 0x00000045 jmp 00007F6314B667EDh 0x00000047 call 00007F6314B66779h 0x0000004c pop edi 0x0000004d jmp edi 0x0000004f pop edi 0x00000050 pushad 0x00000051 mov dh, 46h 0x00000053 cmp dh, 00000046h 0x00000056 jne 00007F6314B6394Dh 0x0000005c popad 0x0000005d call 00007F6314B667FBh 0x00000062 call 00007F6314B667B8h 0x00000067 lfence 0x0000006a mov edx, dword ptr [7FFE0014h] 0x00000070 lfence 0x00000073 ret 0x00000074 mov esi, edx 0x00000076 pushad 0x00000077 rdtsc

Source: C:\Users\user\Desktop\Proof of payment.exe

Code function: 0_2_004F284A rdtsc

0_2_004F284A

Source: Proof of payment.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\Proof of payment.exe

Code function: 0_2_004F284A rdtsc

0_2_004F284A

Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F205F mov eax, dword ptr fs:[00000030h]	0_2_004F205F
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F4CD5 mov eax, dword ptr fs:[00000030h]	0_2_004F4CD5
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F208E mov eax, dword ptr fs:[00000030h]	0_2_004F208E
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F1948 mov eax, dword ptr fs:[00000030h]	0_2_004F1948
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F2DCB mov eax, dword ptr fs:[00000030h]	0_2_004F2DCB
Source: C:\Users\user\Desktop\Proof of payment.exe	Code function: 0_2_004F519B mov eax, dword ptr fs:[00000030h]	0_2_004F519B

Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Proof of payment.exe, 00000000.00000002.1288156600.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Proof of payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\Proof of payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Security Software Discovery411	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery311	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	338405
Start date:	12.01.2021
Start time:	08:33:21
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Proof of payment.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	39
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 58.9% (good quality ratio 34.6%) Quality average: 31.3% Quality standard deviation: 32.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, wermgr.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.326441903886581
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Proof of payment.exe
File size:	73728
MD5:	606275919e922f6a1f639c42f8e2580c
SHA1:	32d9ef9a02da8cf64594608c61bb7adc7b397703
SHA256:	94644b63a2f087324bcbab6b789ec015939cee82844f788987835837f57d0acc
SHA512:	30e6f09b597dec9906c183c100cb7e39672ae670b43336cea0060cb5e8e064e0eb54183324e04682e86d6f6c773084ffdab31056ccf6ac5a31ece20342e7fe12
SSDEEP:	768:mXt0cNb+/PNGtXHcXftQNK1JmZXpDeGNzTdYgSA/+JVkG3m3aZN:mXtFb8Pgx8X8K1RGzTVy
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....q.H.....................0......T.............@................

File Icon


Icon Hash:	8c9393f29393b284

Static PE Info

General
Entrypoint:	0x401254
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x489671A3 [Mon Aug 4 03:04:03 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	a468bb2dc3574e0bac04516976bc7905

Entrypoint Preview

Instruction
push 0040BBA0h
call 00007F6314CDD135h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bl
or byte ptr [edi+4A2D179Fh], ch
dec eax
mov dword ptr [8CC15009h], eax
jne 00007F6314CDD0C7h
std
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
inc edx
add byte ptr [esi], al
push eax
add dword ptr [edx], 41h
insb
imul ebp, dword ptr [ebp+65h], 6E61746Eh
je 00007F6314CDD1A7h
jc 00007F6314CDD1B5h
add byte ptr [edx], bl
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub dword ptr [esi], ebp
stosb

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xfab4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xbc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xee54	0xf000	False	0.423583984375	data	5.96912378458	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0x1904	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x858	0x1000	False	0.1396484375	data	2.11621167583	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x122f0	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x122dc	0x14	data
RT_VERSION	0x120f0	0x1ec	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	UNDERWOOD
FileVersion	1.00
OriginalFilename	UNDERWOOD.exe
ProductName	Alimentanters

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Proof of payment.exe PID: 5352 Parent PID: 5524

General

Start time:	08:34:17
Start date:	12/01/2021
Path:	C:\Users\user\Desktop\Proof of payment.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Proof of payment.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	606275919E922F6A1F639C42F8E2580C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Proof of payment.exe PID: 5352 Parent PID: 5524 Proof of payment.exeCOMMON

Executed Functions

Function 0040E464, Relevance: 174.3, APIs: 96, Strings: 3, Instructions: 1070
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040E464(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v104;
				char _v120;
				signed int _v128;
				char _v136;
				char* _v144;
				intOrPtr _v152;
				char* _v160;
				signed int _v168;
				char* _v176;
				intOrPtr _v184;
				char* _v192;
				intOrPtr _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				char _v224;
				char _v228;
				signed int _v232;
				char _v236;
				intOrPtr _v248;
				char _v304;
				intOrPtr _v308;
				char _v312;
				intOrPtr _v316;
				intOrPtr _v320;
				intOrPtr _v324;
				intOrPtr* _t296;
				intOrPtr* _t298;
				intOrPtr* _t300;
				void* _t302;
				intOrPtr* _t303;
				intOrPtr* _t305;
				void* _t306;
				intOrPtr* _t309;
				intOrPtr* _t311;
				void* _t313;
				intOrPtr* _t314;
				intOrPtr* _t316;
				void* _t317;
				intOrPtr* _t320;
				intOrPtr* _t322;
				void* _t324;
				intOrPtr* _t325;
				intOrPtr* _t327;
				intOrPtr* _t329;
				void* _t331;
				intOrPtr* _t333;
				intOrPtr* _t335;
				void* _t337;
				intOrPtr* _t338;
				intOrPtr* _t340;
				void* _t342;
				intOrPtr* _t343;
				intOrPtr* _t345;
				void* _t347;
				char* _t348;
				char* _t349;
				intOrPtr* _t350;
				intOrPtr* _t360;
				intOrPtr* _t362;
				void* _t364;
				intOrPtr* _t365;
				intOrPtr* _t367;
				void* _t369;
				intOrPtr* _t370;
				intOrPtr* _t372;
				void* _t374;
				intOrPtr* _t375;
				intOrPtr* _t377;
				void* _t379;
				void* _t383;
				intOrPtr* _t388;
				intOrPtr* _t390;
				void* _t392;
				intOrPtr* _t393;
				intOrPtr* _t395;
				void* _t397;
				intOrPtr* _t398;
				intOrPtr* _t400;
				void* _t402;
				intOrPtr* _t404;
				intOrPtr* _t406;
				void* _t408;
				intOrPtr* _t410;
				intOrPtr* _t412;
				void* _t414;
				char* _t416;
				char* _t421;
				void* _t425;
				intOrPtr* _t436;
				intOrPtr* _t438;
				void* _t440;
				intOrPtr* _t441;
				intOrPtr* _t443;
				void* _t445;
				intOrPtr* _t447;
				intOrPtr* _t449;
				void* _t451;
				char* _t453;
				char* _t456;
				void* _t461;
				void* _t472;
				intOrPtr _t473;
				void* _t474;
				signed int _t475;
				intOrPtr _t481;
				intOrPtr _t486;
				intOrPtr _t500;
				char* _t512;
				char* _t513;
				void* _t549;
				intOrPtr* _t550;
				intOrPtr* _t557;
				intOrPtr* _t558;
				intOrPtr* _t559;
				intOrPtr* _t560;
				intOrPtr* _t561;
				intOrPtr* _t562;
				intOrPtr* _t563;
				intOrPtr* _t564;
				intOrPtr* _t568;
				intOrPtr* _t569;
				intOrPtr* _t570;
				intOrPtr* _t571;
				void* _t580;
				intOrPtr* _t585;
				intOrPtr* _t590;
				intOrPtr _t591;
				intOrPtr* _t596;
				intOrPtr* _t598;
				intOrPtr* _t599;
				intOrPtr* _t600;
				intOrPtr _t603;
				intOrPtr _t604;
				intOrPtr* _t607;
				void* _t608;
				intOrPtr* _t611;
				void* _t612;
				void* _t613;
				intOrPtr* _t614;
				void* _t615;
				intOrPtr* _t616;
				intOrPtr _t673;
				intOrPtr _t674;

				 *[fs:0x0] = _t603;
				_t604 = _t603 - 0x12c;
				_v16 = _t604;
				_v12 = 0x4010d8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t296 = _a4;
				 *((intOrPtr*)( *_t296 + 4))(_t296, _t549, _t580, _t472,  *[fs:0x0], 0x401146);
				_t298 =  *0x410010; // 0x6d02d0
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v136 = 0;
				_v168 = 0;
				_v204 = 0;
				_v208 = 0;
				_v212 = 0;
				_v216 = 0;
				_v220 = 0;
				_v224 = 0;
				_v228 = 0;
				_v236 = 0;
				_v232 = 0;
				if(_t298 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t298 =  *0x410010; // 0x6d02d0
				}
				_t300 =  &_v64;
				L00401236();
				_t550 = _t300;
				_t302 =  *((intOrPtr*)( *_t550 + 0x1d8))(_t550,  &_v204, _t300,  *((intOrPtr*)( *_t298 + 0x314))(_t298));
				asm("fclex");
				if(_t302 < 0) {
					_push(0x1d8);
					_push(0x40c654);
					_push(_t550);
					_push(_t302);
					L0040122A();
				}
				_t303 =  *0x410010; // 0x6d02d0
				if(_t303 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t303 =  *0x410010; // 0x6d02d0
				}
				_t305 =  &_v68;
				L00401236();
				_t473 = 0xa;
				_v176 = 0x80020004;
				_v184 = _t473;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = 0x80020004;
				_v168 = _t473;
				_t607 = _t604 - 0xfffffffffffffff0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = 0x80020004;
				_v152 = _t473;
				asm("movsd");
				_t481 =  *_t305;
				_v304 = _v204;
				asm("fild dword [ebp-0x12c]");
				asm("movsd");
				_v308 = _t673;
				_t674 = _v308;
				asm("movsd");
				_v248 = _t305;
				asm("movsd");
				 *_t607 = _t674;
				_t306 =  *((intOrPtr*)(_t481 + 0x204))(_t305, _t481, _t305,  *((intOrPtr*)( *_t303 + 0x374))(_t303));
				asm("fclex");
				if(_t306 < 0) {
					_push(0x204);
					_push(0x40c664);
					_push(_v248);
					_push(_t306);
					L0040122A();
				}
				_push( &_v68);
				_push( &_v64);
				_push(2);
				L00401224();
				_t309 =  *0x410010; // 0x6d02d0
				_t608 = _t607 + 0xc;
				if(_t309 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t309 =  *0x410010; // 0x6d02d0
				}
				_t311 =  &_v64;
				L00401236();
				_t585 = _t311;
				_t313 =  *((intOrPtr*)( *_t585 + 0x1b8))(_t585,  &_v204, _t311,  *((intOrPtr*)( *_t309 + 0x300))(_t309));
				asm("fclex");
				if(_t313 < 0) {
					_push(0x1b8);
					_push(0x40c674);
					_push(_t585);
					_push(_t313);
					L0040122A();
				}
				_t314 =  *0x410010; // 0x6d02d0
				if(_t314 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t314 =  *0x410010; // 0x6d02d0
				}
				_t316 =  &_v68;
				L00401236();
				_v176 = 0x80020004;
				_v184 = _t473;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v160 = 0x80020004;
				_v168 = _t473;
				_t611 = _t608 - 0xfffffffffffffff0;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = 0x80020004;
				_v152 = _t473;
				asm("movsd");
				_t486 =  *_t316;
				_v312 = _v204;
				asm("fild dword [ebp-0x134]");
				asm("movsd");
				_v316 = _t674;
				asm("movsd");
				_v248 = _t316;
				asm("movsd");
				 *_t611 = _v316;
				_t317 =  *((intOrPtr*)(_t486 + 0x130))(_t316, _t486, _t316,  *((intOrPtr*)( *_t314 + 0x310))(_t314));
				asm("fclex");
				if(_t317 < 0) {
					_push(0x130);
					_push(0x40c684);
					_push(_v248);
					_push(_t317);
					L0040122A();
				}
				_push( &_v68);
				_push( &_v64);
				_push(2);
				L00401224();
				_t320 =  *0x410010; // 0x6d02d0
				_t612 = _t611 + 0xc;
				if(_t320 != 0) {
					_t474 = 0x40ca0c;
				} else {
					_t474 = 0x40ca0c;
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t320 =  *0x410010; // 0x6d02d0
				}
				_t322 =  &_v64;
				L00401236();
				_t557 = _t322;
				_t324 =  *((intOrPtr*)( *_t557 + 0xa8))(_t557,  &_v52, _t322,  *((intOrPtr*)( *_t320 + 0x378))(_t320));
				asm("fclex");
				if(_t324 < 0) {
					_push(0xa8);
					_push(0x40c664);
					_push(_t557);
					_push(_t324);
					L0040122A();
				}
				_t325 = _a4;
				_v236 =  *0x4010d0;
				_v212 = 0x362c17;
				 *((intOrPtr*)( *_t325 + 0x708))(_t325,  &_v236,  &_v212, _v52);
				L0040121E();
				L00401218();
				_t327 =  *0x410010; // 0x6d02d0
				if(_t327 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t327 =  *0x410010; // 0x6d02d0
				}
				_t329 =  &_v64;
				L00401236();
				_t558 = _t329;
				_t331 =  *((intOrPtr*)( *_t558 + 0x160))(_t558,  &_v68, _t329,  *((intOrPtr*)( *_t327 + 0x31c))(_t327));
				asm("fclex");
				if(_t331 < 0) {
					_push(0x160);
					_push(0x40c694);
					_push(_t558);
					_push(_t331);
					L0040122A();
				}
				_push(0);
				_push(0);
				_push(_v68);
				_push( &_v104);
				L00401212();
				_t333 =  *0x410010; // 0x6d02d0
				_t613 = _t612 + 0x10;
				if(_t333 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t333 =  *0x410010; // 0x6d02d0
				}
				_t335 =  &_v72;
				L00401236();
				_t559 = _t335;
				_t337 =  *((intOrPtr*)( *_t559 + 0x80))(_t559,  &_v212, _t335,  *((intOrPtr*)( *_t333 + 0x350))(_t333));
				asm("fclex");
				if(_t337 < 0) {
					_push(0x80);
					_push(0x40c694);
					_push(_t559);
					_push(_t337);
					L0040122A();
				}
				_t338 =  *0x410010; // 0x6d02d0
				if(_t338 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t338 =  *0x410010; // 0x6d02d0
				}
				_t340 =  &_v76;
				L00401236();
				_t560 = _t340;
				_t342 =  *((intOrPtr*)( *_t560 + 0x68))(_t560,  &_v216, _t340,  *((intOrPtr*)( *_t338 + 0x368))(_t338));
				asm("fclex");
				if(_t342 < 0) {
					_push(0x68);
					_push(0x40c684);
					_push(_t560);
					_push(_t342);
					L0040122A();
				}
				_t343 =  *0x410010; // 0x6d02d0
				if(_t343 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t343 =  *0x410010; // 0x6d02d0
				}
				_t345 =  &_v80;
				L00401236();
				_t561 = _t345;
				_t347 =  *((intOrPtr*)( *_t561 + 0xd0))(_t561,  &_v84, _t345,  *((intOrPtr*)( *_t343 + 0x368))(_t343));
				asm("fclex");
				if(_t347 < 0) {
					_push(0xd0);
					_push(0x40c684);
					_push(_t561);
					_push(_t347);
					L0040122A();
				}
				_t348 =  &_v120;
				L00401212();
				_t614 = _t613 + 0x10;
				L0040120C();
				_v228 = _t348;
				_t349 =  &_v104;
				_v224 = _v212;
				_v236 = 0xca41f960;
				_v232 = 0x5b07;
				L0040120C();
				_v220 = _t349;
				_t350 = _a4;
				_t500 =  *_t350;
				 *_t614 = _v216;
				 *_t614 =  *0x4010cc;
				 *((intOrPtr*)(_t500 + 0x70c))(_t350,  &_v220,  &_v224, _t500,  &_v236, _t500,  &_v228, _t349, _t348, _t348, _v84, 0, 0);
				_push( &_v84);
				_push( &_v68);
				_push( &_v80);
				_push( &_v76);
				_push( &_v72);
				_push( &_v64);
				_push(6);
				L00401224();
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L00401206();
				_t360 =  *0x410010; // 0x6d02d0
				_t615 = _t614 + 0x28;
				if(_t360 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t360 =  *0x410010; // 0x6d02d0
				}
				_t362 =  &_v64;
				L00401236();
				_t562 = _t362;
				_t364 =  *((intOrPtr*)( *_t562 + 0x98))(_t562,  &_v204, _t362,  *((intOrPtr*)( *_t360 + 0x384))(_t360));
				asm("fclex");
				if(_t364 < 0) {
					_push(0x98);
					_push(0x40c6fc);
					_push(_t562);
					_push(_t364);
					L0040122A();
				}
				_t365 =  *0x410010; // 0x6d02d0
				if(_t365 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t365 =  *0x410010; // 0x6d02d0
				}
				_t367 =  &_v68;
				L00401236();
				_t563 = _t367;
				_t369 =  *((intOrPtr*)( *_t563 + 0x48))(_t563,  &_v52, _t367,  *((intOrPtr*)( *_t365 + 0x328))(_t365));
				asm("fclex");
				if(_t369 < 0) {
					_push(0x48);
					_push(0x40c70c);
					_push(_t563);
					_push(_t369);
					L0040122A();
				}
				_t370 =  *0x410010; // 0x6d02d0
				if(_t370 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t370 =  *0x410010; // 0x6d02d0
				}
				_t372 =  &_v72;
				L00401236();
				_t564 = _t372;
				_t374 =  *((intOrPtr*)( *_t564 + 0x70))(_t564,  &_v212, _t372,  *((intOrPtr*)( *_t370 + 0x344))(_t370));
				asm("fclex");
				if(_t374 < 0) {
					_push(0x70);
					_push(0x40c70c);
					_push(_t564);
					_push(_t374);
					L0040122A();
				}
				_t375 =  *0x410010; // 0x6d02d0
				if(_t375 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t375 =  *0x410010; // 0x6d02d0
				}
				_t377 =  &_v76;
				L00401236();
				_t590 = _t377;
				_t379 =  *((intOrPtr*)( *_t590 + 0x60))(_t590,  &_v216, _t377,  *((intOrPtr*)( *_t375 + 0x348))(_t375));
				asm("fclex");
				if(_t379 < 0) {
					_push(0x60);
					_push(0x40c71c);
					_push(_t590);
					_push(_t379);
					L0040122A();
				}
				_v52 = _v52 & 0x00000000;
				_t591 = 8;
				_v192 = L"r4WMQa3yutx5dEhgAYgNTGv4cBsqPTm8";
				_v200 = _t591;
				_v220 = 0x48dc0f;
				L00401200();
				_v208 = _v204;
				_v176 = L"JcWTlg9jhc80";
				_v184 = _t591;
				_v160 = L"elzm4pRnCdnbkV1aQ7lJO140";
				_v168 = _t591;
				L004011FA();
				_t512 =  &_v220;
				_t616 = _t615 - 0x10;
				_v144 = 0x5ad7fb;
				_v152 = 3;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t616 = _v212;
				_t513 =  &_v56;
				 *_t616 =  *0x4010c8;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t383 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v104,  &_v208, _t513, _t513, _t512, _t512, _v216,  &_v236);
				if(_t383 < 0) {
					_push(0x6f8);
					_push(0x40c344);
					_push(_a4);
					_push(_t383);
					L0040122A();
				}
				L0040121E();
				_push( &_v76);
				_push( &_v72);
				_push( &_v68);
				_push( &_v64);
				_push(4);
				L00401224();
				L004011F4();
				_t388 =  *0x410010; // 0x6d02d0
				if(_t388 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t388 =  *0x410010; // 0x6d02d0
				}
				_t390 =  &_v64;
				L00401236();
				_t568 = _t390;
				_t392 =  *((intOrPtr*)( *_t568 + 0x70))(_t568,  &_v212, _t390,  *((intOrPtr*)( *_t388 + 0x358))(_t388));
				asm("fclex");
				if(_t392 < 0) {
					_push(0x70);
					_push(0x40c774);
					_push(_t568);
					_push(_t392);
					L0040122A();
				}
				_t393 =  *0x410010; // 0x6d02d0
				if(_t393 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t393 =  *0x410010; // 0x6d02d0
				}
				_t395 =  &_v68;
				L00401236();
				_t569 = _t395;
				_t397 =  *((intOrPtr*)( *_t569 + 0x160))(_t569,  &_v216, _t395,  *((intOrPtr*)( *_t393 + 0x36c))(_t393));
				asm("fclex");
				if(_t397 < 0) {
					_push(0x160);
					_push(0x40c654);
					_push(_t569);
					_push(_t397);
					L0040122A();
				}
				_t398 =  *0x410010; // 0x6d02d0
				if(_t398 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t398 =  *0x410010; // 0x6d02d0
				}
				_t400 =  &_v72;
				L00401236();
				_t570 = _t400;
				_t402 =  *((intOrPtr*)( *_t570 + 0xf8))(_t570,  &_v76, _t400,  *((intOrPtr*)( *_t398 + 0x388))(_t398));
				asm("fclex");
				if(_t402 < 0) {
					_push(0xf8);
					_push(0x40c694);
					_push(_t570);
					_push(_t402);
					L0040122A();
				}
				_push(0);
				_push(0);
				_push(_v76);
				_push( &_v104);
				L00401212();
				_t404 =  *0x410010; // 0x6d02d0
				if(_t404 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t404 =  *0x410010; // 0x6d02d0
				}
				_t406 =  &_v80;
				L00401236();
				_t571 = _t406;
				_t408 =  *((intOrPtr*)( *_t571 + 0x178))(_t571,  &_v84, _t406,  *((intOrPtr*)( *_t404 + 0x354))(_t404));
				asm("fclex");
				if(_t408 < 0) {
					_push(0x178);
					_push(0x40c70c);
					_push(_t571);
					_push(_t408);
					L0040122A();
				}
				_push(0);
				_push(0);
				_push(_v84);
				_push( &_v120);
				L00401212();
				_t410 =  *0x410010; // 0x6d02d0
				if(_t410 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t410 =  *0x410010; // 0x6d02d0
				}
				_t412 =  &_v88;
				L00401236();
				_t596 = _t412;
				_t414 =  *((intOrPtr*)( *_t596 + 0x1b0))(_t596,  &_v52, _t412,  *((intOrPtr*)( *_t410 + 0x32c))(_t410));
				asm("fclex");
				if(_t414 < 0) {
					_push(0x1b0);
					_push(0x40c674);
					_push(_t596);
					_push(_t414);
					L0040122A();
				}
				_v52 = _v52 & 0x00000000;
				_v128 = _v52;
				_t416 =  &_v120;
				_v136 = 8;
				L0040120C();
				_v228 = _t416;
				_v224 = _v216;
				_v320 =  *_a4;
				asm("movsd");
				_v220 = _v212;
				asm("movsd");
				asm("movsd");
				_t421 =  &_v104;
				asm("movsd");
				L0040120C();
				_t425 =  *((intOrPtr*)(_v320 + 0x6fc))(_a4,  &_v220, 0x330a,  &_v224, _t421, _t421,  &_v228,  &_v236, _t416);
				if(_t425 < 0) {
					_push(0x6fc);
					_push(0x40c344);
					_push(_a4);
					_push(_t425);
					L0040122A();
				}
				_push( &_v84);
				_push( &_v76);
				_push( &_v88);
				_push( &_v80);
				_push( &_v72);
				_push( &_v68);
				_push( &_v64);
				_push(7);
				L00401224();
				_push( &_v136);
				_push( &_v120);
				_push( &_v104);
				_push(3);
				L00401206();
				_t436 =  *0x410010; // 0x6d02d0
				if(_t436 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t436 =  *0x410010; // 0x6d02d0
				}
				_t438 =  &_v64;
				L00401236();
				_t598 = _t438;
				_t440 =  *((intOrPtr*)( *_t598 + 0x48))(_t598,  &_v52, _t438,  *((intOrPtr*)( *_t436 + 0x308))(_t436));
				asm("fclex");
				if(_t440 < 0) {
					_push(0x48);
					_push(0x40c784);
					_push(_t598);
					_push(_t440);
					L0040122A();
				}
				_t441 =  *0x410010; // 0x6d02d0
				if(_t441 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t441 =  *0x410010; // 0x6d02d0
				}
				_t443 =  &_v68;
				L00401236();
				_t599 = _t443;
				_t445 =  *((intOrPtr*)( *_t599 + 0xf0))(_t599,  &_v72, _t443,  *((intOrPtr*)( *_t441 + 0x380))(_t441));
				asm("fclex");
				if(_t445 < 0) {
					_push(0xf0);
					_push(0x40c71c);
					_push(_t599);
					_push(_t445);
					L0040122A();
				}
				_push(0);
				_push(0);
				_push(_v72);
				_push( &_v104);
				L00401212();
				_t447 =  *0x410010; // 0x6d02d0
				if(_t447 == 0) {
					_push(0x410010);
					_push(_t474);
					L00401230();
					_t447 =  *0x410010; // 0x6d02d0
				}
				_t449 =  &_v76;
				L00401236();
				_t600 = _t449;
				_t451 =  *((intOrPtr*)( *_t600 + 0x190))(_t600,  &_v80, _t449,  *((intOrPtr*)( *_t447 + 0x32c))(_t447));
				asm("fclex");
				if(_t451 < 0) {
					_push(0x190);
					_push(0x40c674);
					_push(_t600);
					_push(_t451);
					L0040122A();
				}
				L00401212(); // executed
				_t453 =  &_v104;
				_v236 =  *0x4010c0;
				L0040120C();
				_v216 = _t453;
				_v212 = 0x352b2;
				_v144 = 0x60b60b;
				_v152 = 3;
				_v52 = 0;
				L00401200();
				_t475 = _a4;
				_t456 =  &_v120;
				L004011EE();
				L00401200();
				_v324 =  *_t475;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t461 =  *((intOrPtr*)(_v324 + 0x700))(_t475,  &_v56,  &_v212, 0x59d7,  &_v216, _t456, _t456,  &_v236, 0x1ba087c0, 0x5af6,  &_v220, _t453,  &_v120, _v80, 0, 0);
				if(_t461 < 0) {
					_push(0x700);
					_push(0x40c344);
					_push(_t475);
					_push(_t461);
					L0040122A();
				}
				_push( &_v60);
				_push( &_v56);
				_push(2);
				L004011E8();
				_push( &_v80);
				_push( &_v72);
				_push( &_v76);
				_push( &_v68);
				_push( &_v64);
				_push(5);
				L00401224();
				_push( &_v120);
				_push( &_v104);
				_push(2);
				L00401206();
				_push(0x401ff8);
				goto ( *__edi);
			}

0x0040e476
0x0040e47d
0x0040e486
0x0040e489
0x0040e496
0x0040e499
0x0040e49d
0x0040e4a3
0x0040e4a6
0x0040e4af
0x0040e4b2
0x0040e4b5
0x0040e4b8
0x0040e4bb
0x0040e4be
0x0040e4c1
0x0040e4c4
0x0040e4c7
0x0040e4ca
0x0040e4cd
0x0040e4d0
0x0040e4d3
0x0040e4d6
0x0040e4dc
0x0040e4e2
0x0040e4e8
0x0040e4ee
0x0040e4f4
0x0040e4fa
0x0040e500
0x0040e506
0x0040e50c
0x0040e512
0x0040e518
0x0040e51a
0x0040e51f
0x0040e524
0x0040e529
0x0040e529
0x0040e538
0x0040e53c
0x0040e541
0x0040e54d
0x0040e555
0x0040e557
0x0040e559
0x0040e55e
0x0040e563
0x0040e564
0x0040e565
0x0040e565
0x0040e56a
0x0040e571
0x0040e573
0x0040e578
0x0040e57d
0x0040e582
0x0040e582
0x0040e591
0x0040e595
0x0040e5a1
0x0040e5ab
0x0040e5b3
0x0040e5b9
0x0040e5ba
0x0040e5bb
0x0040e5bc
0x0040e5c8
0x0040e5ce
0x0040e5d4
0x0040e5d7
0x0040e5d8
0x0040e5d9
0x0040e5e1
0x0040e5ea
0x0040e5f0
0x0040e5f6
0x0040e5f7
0x0040e5f9
0x0040e5ff
0x0040e605
0x0040e606
0x0040e60c
0x0040e612
0x0040e614
0x0040e61a
0x0040e61b
0x0040e61f
0x0040e627
0x0040e629
0x0040e62b
0x0040e630
0x0040e635
0x0040e63b
0x0040e63c
0x0040e63c
0x0040e644
0x0040e648
0x0040e649
0x0040e64b
0x0040e650
0x0040e655
0x0040e65a
0x0040e65c
0x0040e661
0x0040e666
0x0040e66b
0x0040e66b
0x0040e67a
0x0040e67e
0x0040e683
0x0040e68f
0x0040e697
0x0040e699
0x0040e69b
0x0040e6a0
0x0040e6a5
0x0040e6a6
0x0040e6a7
0x0040e6a7
0x0040e6ac
0x0040e6b3
0x0040e6b5
0x0040e6ba
0x0040e6bf
0x0040e6c4
0x0040e6c4
0x0040e6d3
0x0040e6d7
0x0040e6ec
0x0040e6f2
0x0040e6f8
0x0040e6f9
0x0040e6fa
0x0040e6fb
0x0040e707
0x0040e70d
0x0040e713
0x0040e716
0x0040e717
0x0040e718
0x0040e720
0x0040e729
0x0040e72f
0x0040e735
0x0040e736
0x0040e738
0x0040e73e
0x0040e744
0x0040e745
0x0040e751
0x0040e753
0x0040e759
0x0040e75a
0x0040e75e
0x0040e766
0x0040e768
0x0040e76a
0x0040e76f
0x0040e774
0x0040e77a
0x0040e77b
0x0040e77b
0x0040e783
0x0040e787
0x0040e788
0x0040e78a
0x0040e78f
0x0040e794
0x0040e79e
0x0040e7b3
0x0040e7a0
0x0040e7a0
0x0040e7a5
0x0040e7a6
0x0040e7a7
0x0040e7ac
0x0040e7ac
0x0040e7c2
0x0040e7c6
0x0040e7cb
0x0040e7d4
0x0040e7dc
0x0040e7de
0x0040e7e0
0x0040e7e5
0x0040e7ea
0x0040e7eb
0x0040e7ec
0x0040e7ec
0x0040e7f4
0x0040e805
0x0040e814
0x0040e81e
0x0040e827
0x0040e82f
0x0040e834
0x0040e83b
0x0040e83d
0x0040e83e
0x0040e83f
0x0040e844
0x0040e844
0x0040e853
0x0040e857
0x0040e85c
0x0040e865
0x0040e86d
0x0040e86f
0x0040e871
0x0040e876
0x0040e87b
0x0040e87c
0x0040e87d
0x0040e87d
0x0040e882
0x0040e884
0x0040e886
0x0040e88c
0x0040e88d
0x0040e892
0x0040e897
0x0040e89c
0x0040e89e
0x0040e89f
0x0040e8a0
0x0040e8a5
0x0040e8a5
0x0040e8b4
0x0040e8b8
0x0040e8bd
0x0040e8c9
0x0040e8d1
0x0040e8d3
0x0040e8d5
0x0040e8da
0x0040e8df
0x0040e8e0
0x0040e8e1
0x0040e8e1
0x0040e8e6
0x0040e8ed
0x0040e8ef
0x0040e8f0
0x0040e8f1
0x0040e8f6
0x0040e8f6
0x0040e905
0x0040e909
0x0040e90e
0x0040e91a
0x0040e91f
0x0040e921
0x0040e923
0x0040e925
0x0040e92a
0x0040e92b
0x0040e92c
0x0040e92c
0x0040e931
0x0040e938
0x0040e93a
0x0040e93b
0x0040e93c
0x0040e941
0x0040e941
0x0040e950
0x0040e954
0x0040e959
0x0040e962
0x0040e96a
0x0040e96c
0x0040e96e
0x0040e973
0x0040e978
0x0040e979
0x0040e97a
0x0040e97a
0x0040e986
0x0040e98a
0x0040e98f
0x0040e993
0x0040e99e
0x0040e9a4
0x0040e9a7
0x0040e9ae
0x0040e9b8
0x0040e9c2
0x0040e9cd
0x0040e9d3
0x0040e9dc
0x0040e9e6
0x0040e9f7
0x0040ea03
0x0040ea0c
0x0040ea10
0x0040ea14
0x0040ea18
0x0040ea1c
0x0040ea20
0x0040ea21
0x0040ea23
0x0040ea2b
0x0040ea2f
0x0040ea30
0x0040ea32
0x0040ea37
0x0040ea3c
0x0040ea41
0x0040ea43
0x0040ea44
0x0040ea45
0x0040ea4a
0x0040ea4a
0x0040ea59
0x0040ea5d
0x0040ea62
0x0040ea6e
0x0040ea76
0x0040ea78
0x0040ea7a
0x0040ea7f
0x0040ea84
0x0040ea85
0x0040ea86
0x0040ea86
0x0040ea8b
0x0040ea92
0x0040ea94
0x0040ea95
0x0040ea96
0x0040ea9b
0x0040ea9b
0x0040eaaa
0x0040eaae
0x0040eab3
0x0040eabc
0x0040eac1
0x0040eac3
0x0040eac5
0x0040eac7
0x0040eacc
0x0040eacd
0x0040eace
0x0040eace
0x0040ead3
0x0040eada
0x0040eadc
0x0040eadd
0x0040eade
0x0040eae3
0x0040eae3
0x0040eaf2
0x0040eaf6
0x0040eafb
0x0040eb07
0x0040eb0c
0x0040eb0e
0x0040eb10
0x0040eb12
0x0040eb17
0x0040eb18
0x0040eb19
0x0040eb19
0x0040eb1e
0x0040eb25
0x0040eb27
0x0040eb28
0x0040eb29
0x0040eb2e
0x0040eb2e
0x0040eb3d
0x0040eb41
0x0040eb46
0x0040eb52
0x0040eb57
0x0040eb59
0x0040eb5b
0x0040eb5d
0x0040eb62
0x0040eb63
0x0040eb64
0x0040eb64
0x0040eb6c
0x0040eb75
0x0040eb76
0x0040eb80
0x0040eb86
0x0040eb90
0x0040eba4
0x0040ebaa
0x0040ebb4
0x0040ebba
0x0040ebc4
0x0040ebca
0x0040ebdc
0x0040ebe2
0x0040ebe5
0x0040ebf1
0x0040ebfb
0x0040ec0b
0x0040ec0c
0x0040ec0f
0x0040ec10
0x0040ec19
0x0040ec2c
0x0040ec38
0x0040ec39
0x0040ec3a
0x0040ec3c
0x0040ec48
0x0040ec49
0x0040ec4d
0x0040ec4e
0x0040ec4f
0x0040ec57
0x0040ec59
0x0040ec5e
0x0040ec63
0x0040ec66
0x0040ec67
0x0040ec67
0x0040ec6f
0x0040ec77
0x0040ec7b
0x0040ec7f
0x0040ec83
0x0040ec84
0x0040ec86
0x0040ec91
0x0040ec96
0x0040eca2
0x0040eca4
0x0040eca5
0x0040eca6
0x0040ecab
0x0040ecab
0x0040ecba
0x0040ecbe
0x0040ecc3
0x0040eccf
0x0040ecd4
0x0040ecd6
0x0040ecd8
0x0040ecda
0x0040ecdf
0x0040ece0
0x0040ece1
0x0040ece1
0x0040ece6
0x0040eced
0x0040ecef
0x0040ecf0
0x0040ecf1
0x0040ecf6
0x0040ecf6
0x0040ed05
0x0040ed09
0x0040ed0e
0x0040ed1a
0x0040ed22
0x0040ed24
0x0040ed26
0x0040ed2b
0x0040ed30
0x0040ed31
0x0040ed32
0x0040ed32
0x0040ed37
0x0040ed3e
0x0040ed40
0x0040ed41
0x0040ed42
0x0040ed47
0x0040ed47
0x0040ed56
0x0040ed5a
0x0040ed5f
0x0040ed68
0x0040ed70
0x0040ed72
0x0040ed74
0x0040ed79
0x0040ed7e
0x0040ed7f
0x0040ed80
0x0040ed80
0x0040ed85
0x0040ed87
0x0040ed89
0x0040ed8f
0x0040ed90
0x0040ed95
0x0040ed9f
0x0040eda1
0x0040eda2
0x0040eda3
0x0040eda8
0x0040eda8
0x0040edb7
0x0040edbb
0x0040edc0
0x0040edc9
0x0040edd1
0x0040edd3
0x0040edd5
0x0040edda
0x0040eddf
0x0040ede0
0x0040ede1
0x0040ede1
0x0040ede6
0x0040ede8
0x0040edea
0x0040edf0
0x0040edf1
0x0040edf6
0x0040ee00
0x0040ee02
0x0040ee03
0x0040ee04
0x0040ee09
0x0040ee09
0x0040ee18
0x0040ee1c
0x0040ee21
0x0040ee2a
0x0040ee32
0x0040ee34
0x0040ee36
0x0040ee3b
0x0040ee40
0x0040ee41
0x0040ee42
0x0040ee42
0x0040ee4a
0x0040ee4e
0x0040ee51
0x0040ee55
0x0040ee5f
0x0040ee64
0x0040ee70
0x0040ee91
0x0040ee99
0x0040eea0
0x0040eea6
0x0040eea7
0x0040eea9
0x0040eead
0x0040eeae
0x0040eed0
0x0040eed8
0x0040eeda
0x0040eedf
0x0040eee4
0x0040eee7
0x0040eee8
0x0040eee8
0x0040eef0
0x0040eef4
0x0040eef8
0x0040eefc
0x0040ef00
0x0040ef04
0x0040ef08
0x0040ef09
0x0040ef0b
0x0040ef16
0x0040ef1a
0x0040ef1e
0x0040ef1f
0x0040ef21
0x0040ef26
0x0040ef35
0x0040ef37
0x0040ef38
0x0040ef39
0x0040ef3e
0x0040ef3e
0x0040ef4d
0x0040ef51
0x0040ef56
0x0040ef5f
0x0040ef64
0x0040ef66
0x0040ef68
0x0040ef6a
0x0040ef6f
0x0040ef70
0x0040ef71
0x0040ef71
0x0040ef76
0x0040ef7d
0x0040ef7f
0x0040ef80
0x0040ef81
0x0040ef86
0x0040ef86
0x0040ef95
0x0040ef99
0x0040ef9e
0x0040efa7
0x0040efaf
0x0040efb1
0x0040efb3
0x0040efb8
0x0040efbd
0x0040efbe
0x0040efbf
0x0040efbf
0x0040efc4
0x0040efc6
0x0040efc8
0x0040efce
0x0040efcf
0x0040efd4
0x0040efde
0x0040efe0
0x0040efe1
0x0040efe2
0x0040efe7
0x0040efe7
0x0040eff6
0x0040effa
0x0040efff
0x0040f008
0x0040f010
0x0040f012
0x0040f014
0x0040f019
0x0040f01e
0x0040f01f
0x0040f020
0x0040f020
0x0040f030
0x0040f03e
0x0040f041
0x0040f048
0x0040f053
0x0040f059
0x0040f063
0x0040f06d
0x0040f077
0x0040f07a
0x0040f07f
0x0040f09c
0x0040f0a0
0x0040f0aa
0x0040f0c6
0x0040f0d4
0x0040f0d5
0x0040f0d6
0x0040f0e2
0x0040f0e3
0x0040f0eb
0x0040f0ed
0x0040f0f2
0x0040f0f7
0x0040f0f8
0x0040f0f9
0x0040f0f9
0x0040f101
0x0040f105
0x0040f106
0x0040f108
0x0040f110
0x0040f114
0x0040f118
0x0040f11c
0x0040f120
0x0040f121
0x0040f123
0x0040f12b
0x0040f12f
0x0040f130
0x0040f132
0x0040f14b
0x0040f14e

APIs

__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E524
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E53C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C654,000001D8), ref: 0040E565
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E57D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E595
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C664,00000204), ref: 0040E63C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E64B
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E666
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E67E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C674,000001B8), ref: 0040E6A7
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E6BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E6D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C684,00000130), ref: 0040E77B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E78A
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E7A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E7C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C664,000000A8), ref: 0040E7EC
__vbaFreeStr.MSVBVM60 ref: 0040E827
__vbaFreeObj.MSVBVM60 ref: 0040E82F
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E83F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E857
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C694,00000160), ref: 0040E87D
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040E88D
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E8A0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E8B8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C694,00000080), ref: 0040E8E1
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E8F1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E909
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C684,00000068), ref: 0040E92C
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040E93C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E954
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C684,000000D0), ref: 0040E97A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040E98A
__vbaI4Var.MSVBVM60(00000000), ref: 0040E993
__vbaI4Var.MSVBVM60(?,00000000), ref: 0040E9C2
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA23
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000006,?,?,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA32
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA45
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C6FC,00000098,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA86
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EA96
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EAAE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C70C,00000048,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EACE
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EADE
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EAF6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C70C,00000070,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EB19
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EB29
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EB41
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C71C,00000060,?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EB64
__vbaStrMove.MSVBVM60(?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EB90
__vbaVarDup.MSVBVM60(?,?,?,?,?,CA41F960,?,?,?,00000000), ref: 0040EBCA
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0040C344,000006F8,?,?,?,?,?,?,?,?), ref: 0040EC67
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0040EC6F
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040EC86
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040EC91
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ECA6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ECBE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C774,00000070), ref: 0040ECE1
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ECF1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ED09
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C654,00000160), ref: 0040ED32
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ED42
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040ED5A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C694,000000F8), ref: 0040ED80
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040ED90
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040EDA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EDBB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C70C,00000178), ref: 0040EDE1
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040EDF1
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040EE04
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EE1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C674,000001B0), ref: 0040EE42
__vbaI4Var.MSVBVM60(?), ref: 0040EE5F
__vbaI4Var.MSVBVM60(?,?), ref: 0040EEAE
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0040C344,000006FC), ref: 0040EEE8
__vbaFreeObjList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0040EF0B
__vbaFreeVarList.MSVBVM60(00000003,?,?,00000008,00000007,?,?,?,?,?,?,?), ref: 0040EF21
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040EF39
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EF51
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C784,00000048), ref: 0040EF71
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040EF81
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EF99
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C71C,000000F0), ref: 0040EFBF
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040EFCF
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040EFE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EFFA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C674,00000190), ref: 0040F020
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040F030
__vbaI4Var.MSVBVM60(?), ref: 0040F048
__vbaStrMove.MSVBVM60(?), ref: 0040F07A
__vbaStrVarMove.MSVBVM60(?,CA41F960,1BA087C0,00005AF6,0048DC0F,?), ref: 0040F0A0
__vbaStrMove.MSVBVM60(?,CA41F960,1BA087C0,00005AF6,0048DC0F,?), ref: 0040F0AA
__vbaHresultCheckObj.MSVBVM60(00000000,000000FE,0040C344,00000700), ref: 0040F0F9
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F108
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,00000002,?,?), ref: 0040F123
__vbaFreeVarList.MSVBVM60(00000002,?,?,00000005,?,?,?,?,?,00000002,?,?), ref: 0040F132

Strings

JcWTlg9jhc80, xrefs: 0040EBAA
r4WMQa3yutx5dEhgAYgNTGv4cBsqPTm8, xrefs: 0040EB76
elzm4pRnCdnbkV1aQ7lJO140, xrefs: 0040EBBA

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$CallLate$Move
String ID: JcWTlg9jhc80$elzm4pRnCdnbkV1aQ7lJO140$r4WMQa3yutx5dEhgAYgNTGv4cBsqPTm8
API String ID: 696360579-2753231109
Opcode ID: e200e9c966637f79d8cc39dd789b2eb7c797d2353b9c604edb309590781664c0
Instruction ID: f3b66f2c5537ace0c0517f68213c027123baea226579bbc3da7160f86237dccf
Opcode Fuzzy Hash: e200e9c966637f79d8cc39dd789b2eb7c797d2353b9c604edb309590781664c0
Instruction Fuzzy Hash: 74823B71A00218ABDB20EFA5DC85FDF77BCAF08704F1045AAF509FB191DB749A458B68

Uniqueness

Uniqueness Score: -1.00%

Function 00401254, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401259

Strings

VB5!6&*, xrefs: 00401254

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 702ebb0d0d9558fabbcf2f9a0c8e86e2ca639b74212a839a74f12f4039aefba0
Instruction ID: 8f3492070b5af22ae81af633623380934d76205b563a3c94f7094fe14ebf2493
Opcode Fuzzy Hash: 702ebb0d0d9558fabbcf2f9a0c8e86e2ca639b74212a839a74f12f4039aefba0
Instruction Fuzzy Hash: 2131A76254E3C18FD3078B708D252517FB0AE1321170E48EBC8C1DA9F3D26C6849CB2A

Uniqueness

Uniqueness Score: -1.00%

Function 00402FC8, Relevance: 1.4, APIs: 1, Instructions: 184COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e0192dbfb6211c8c79436f97a9897d9a528775855f49786a96feabb3b00b6d6
Instruction ID: 45a70ef3d443fa09a428d0ebcbbc2a78faad08d87c55f7329be75ed355162ea9
Opcode Fuzzy Hash: 3e0192dbfb6211c8c79436f97a9897d9a528775855f49786a96feabb3b00b6d6
Instruction Fuzzy Hash: 4B41266292E701E4E1636D3006C68769D5DDE67387630C7FBA423389D6627E434B724F

Uniqueness

Uniqueness Score: -1.00%

Function 00403155, Relevance: 1.4, APIs: 1, Instructions: 157memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e7c82a535e85d223502aa033a97cd345819a99e65ca511bc82200adc4dfda6fe
Instruction ID: 4dbfecd325ebae32a923f8c53c4a010239c4e73fdc3c572ec45411414c347d43
Opcode Fuzzy Hash: e7c82a535e85d223502aa033a97cd345819a99e65ca511bc82200adc4dfda6fe
Instruction Fuzzy Hash: 2131D2A1A2D740E8D1936D3544C29325C5CDE67357630C7FBA823799D2A23E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 0040307B, Relevance: 1.4, APIs: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d66dda4dccc1de11b4dc6936fbcdbef10fea41313b1454eb89615b544c73a47c
Instruction ID: fffe4770bb16979f5d9d41cf2a09776ec43cd8f6399f730467ffaee255fa7f8a
Opcode Fuzzy Hash: d66dda4dccc1de11b4dc6936fbcdbef10fea41313b1454eb89615b544c73a47c
Instruction Fuzzy Hash: 2131CDA1A2E340E8D1936D3548C68325C1D9F67797630C7FBA823788E6623E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 004032B6, Relevance: 1.4, APIs: 1, Instructions: 128memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c016ae840b4fb55348757dd0157d8afddf9337c4daaff11f29cd764db6d09f3c
Instruction ID: 22078bf4f711f33c8b05c9b96e2ed763b4a4d7bb77dba48a08fb64333a229a34
Opcode Fuzzy Hash: c016ae840b4fb55348757dd0157d8afddf9337c4daaff11f29cd764db6d09f3c
Instruction Fuzzy Hash: A1210291A2E741E4D0A36D3504C29365C5C9E67797530CBF7A923749D2663E134B321F

Uniqueness

Uniqueness Score: -1.00%

Function 004031E2, Relevance: 1.4, APIs: 1, Instructions: 127memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 05c1bf8417bad3e67cc0b730ea4d4cd71514631975942faa0afbca77b538dc6a
Instruction ID: 6b1aabdc2d07bbcac42c0dc8041f37a1292bbf34df98ab0ae20eb02c11710889
Opcode Fuzzy Hash: 05c1bf8417bad3e67cc0b730ea4d4cd71514631975942faa0afbca77b538dc6a
Instruction Fuzzy Hash: B431F191A6D701E4D0936E3545C29726D5CDE673A7630CBFBA823748D2A63E134B320F

Uniqueness

Uniqueness Score: -1.00%

Function 0040308D, Relevance: 1.4, APIs: 1, Instructions: 125memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 931fc9d04047992ad14eb393e4aafef6c6261faded0d7cffaa23126524ed5e78
Instruction ID: 95a085831d6028faeedd13cd3a478706254bb40d783e790b4c6655d86c48108e
Opcode Fuzzy Hash: 931fc9d04047992ad14eb393e4aafef6c6261faded0d7cffaa23126524ed5e78
Instruction Fuzzy Hash: 1E31ADA1A2E740E8D1A36D3548C29325C5D9F67797530CBFBA823788D6623E074B320F

Uniqueness

Uniqueness Score: -1.00%

Function 0040311D, Relevance: 1.4, APIs: 1, Instructions: 122memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 127333015e9004783f8b9a10074f731eaed060b248806dbb182144e400a57f68
Instruction ID: 1fe49c52799f49e225a52d7fb3ec60e50f73ae9f861f5a5fd589c8533517698e
Opcode Fuzzy Hash: 127333015e9004783f8b9a10074f731eaed060b248806dbb182144e400a57f68
Instruction Fuzzy Hash: 76318DA1A2D700E8E1A36D3549C29325C5D9F67797531C7FBA823788E2663E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 004030B3, Relevance: 1.4, APIs: 1, Instructions: 121memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2697998ea98fb9f087a1e445ad70cfeb00662510b5e65e721135a9c76ec476fb
Instruction ID: bc35c070d4e200063e4449e5ae9b0807bea642261e89a052444a28f2c3f95d02
Opcode Fuzzy Hash: 2697998ea98fb9f087a1e445ad70cfeb00662510b5e65e721135a9c76ec476fb
Instruction Fuzzy Hash: B631ADA1A2D700E4D1A36D3549C29325C1D9F67757530C7FBA823789D6A63E034B320F

Uniqueness

Uniqueness Score: -1.00%

Function 004030D8, Relevance: 1.4, APIs: 1, Instructions: 119memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 866d75fcf6d3eb9ff41fed30eda3c680aede4e289fd16b3077d8a10ac6588f13
Instruction ID: 93dc55c889f594185c8504fee3dd994a797405c1b8c74a1b320b1623a234cec2
Opcode Fuzzy Hash: 866d75fcf6d3eb9ff41fed30eda3c680aede4e289fd16b3077d8a10ac6588f13
Instruction Fuzzy Hash: E131C0A1A2D700E8D1A36D3549C29325C1D9F67757530CBFBA823788D2623E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 0040322B, Relevance: 1.4, APIs: 1, Instructions: 118memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c73ae0e0a48a5053dde6f80c3e25f108ce3fb53a255e5cf436bd8580cef9f7c5
Instruction ID: 08565feea22ec9095df9bb2d575494cb0f4c8759b44ff37d67910b4c4257e034
Opcode Fuzzy Hash: c73ae0e0a48a5053dde6f80c3e25f108ce3fb53a255e5cf436bd8580cef9f7c5
Instruction Fuzzy Hash: 07318E5152D700E8E4A36E3609D293A6C0D9EA6377631CBF76433745E2A63D034B312F

Uniqueness

Uniqueness Score: -1.00%

Function 0040306B, Relevance: 1.4, APIs: 1, Instructions: 116memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a7cbab3c6aed49fb5d58c162f8f11fe168d1662033b46e2431727a25127deb3b
Instruction ID: bc63b5cdbb9f998295f0877d9b03d5e08b34a6f081e4d06f9c88010aa4890710
Opcode Fuzzy Hash: a7cbab3c6aed49fb5d58c162f8f11fe168d1662033b46e2431727a25127deb3b
Instruction Fuzzy Hash: 7031EE91A2E740E8D0A36E3508C29325C1D9F6B797530C7FBA823789D2623E034B320F

Uniqueness

Uniqueness Score: -1.00%

Function 00403136, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 074058da6269bbbcda5940e97933143269bd546f6160460e5674638ad5019fd3
Instruction ID: 8a5cf0d53dc4f9d4896fbb0ddf80903d971ae649beefcc3ab5b1b0c3a24e4a74
Opcode Fuzzy Hash: 074058da6269bbbcda5940e97933143269bd546f6160460e5674638ad5019fd3
Instruction Fuzzy Hash: 0231BCA1A2D700E8D1936D3548C29325C1DAE67797530C7FBA823788D6A23E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403342, Relevance: 1.4, APIs: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: bb7737632f16db9ee0ba60e674f5f86e042446b4e40b83c42dd2b99db71648d0
Instruction ID: fca313f0762b316f9786e5994126b00681d89e02aa4efdf10a4b37268e329760
Opcode Fuzzy Hash: bb7737632f16db9ee0ba60e674f5f86e042446b4e40b83c42dd2b99db71648d0
Instruction Fuzzy Hash: 5D110491A2D701E4D0A36D3108C29326C5C9E27797630CBF3A523789E2A63E534B320F

Uniqueness

Uniqueness Score: -1.00%

Function 0040359B, Relevance: 1.4, APIs: 1, Instructions: 112memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2420658d08359ab1333625260846fd6999b300805662beb88428ac4590ace974
Instruction ID: 261a303e554191707be72bc633e815d30e388fc9c92ba393542303a275dd6121
Opcode Fuzzy Hash: 2420658d08359ab1333625260846fd6999b300805662beb88428ac4590ace974
Instruction Fuzzy Hash: B101229222D201F5C4A26D2046898346D5E9E43343234CBB7A523B26E0833F0B47310F

Uniqueness

Uniqueness Score: -1.00%

Function 004032FE, Relevance: 1.4, APIs: 1, Instructions: 110memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9430bd1b3e32306df16cb3b8c249c46baa770737fe7bf5c6e04d92ce1a8fac7b
Instruction ID: 940b6568c2ec98c775241dd212edfefeeea5512c05ffe989a31f688aadcb8519
Opcode Fuzzy Hash: 9430bd1b3e32306df16cb3b8c249c46baa770737fe7bf5c6e04d92ce1a8fac7b
Instruction Fuzzy Hash: D0110391A2D701E4D0A36D3508C18325C5CAE67797631C7F3A423789E2A73E534B321F

Uniqueness

Uniqueness Score: -1.00%

Function 004031C7, Relevance: 1.4, APIs: 1, Instructions: 109memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2043e536e701f4d3b8d1af6cf24ac5e86ea9a463045fcc0b8c1a829e3548dca8
Instruction ID: 79b3be076b504af7c3c25ff49b94db2354513c4003aa719f0c433de885e5704f
Opcode Fuzzy Hash: 2043e536e701f4d3b8d1af6cf24ac5e86ea9a463045fcc0b8c1a829e3548dca8
Instruction Fuzzy Hash: A621DE91A2E744E4D0A36D3549C29365C1D9E67757930C7FBA823798E2663E034B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403265, Relevance: 1.3, APIs: 1, Instructions: 99memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 46e5d668aaf0fa061d9e620e2d4af9fff61b470733d7a47ca1ed4b637206f906
Instruction ID: 0c4fd0af364c3bf69b8cc377cb16bff64c5ea507e19823ff32a15f608c2d60b8
Opcode Fuzzy Hash: 46e5d668aaf0fa061d9e620e2d4af9fff61b470733d7a47ca1ed4b637206f906
Instruction Fuzzy Hash: 2D212792A2D301E5D0636E3544C19726D5C9E27397630C7F7A423754D2B63E135B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403329, Relevance: 1.3, APIs: 1, Instructions: 95memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d0570b66e1410825c0cca6dcdb5ee1a872d6eedbed9b8594e792275f7b4edfdf
Instruction ID: 6dc2e6b8355a48d8d1367bb8add9bfda9318970ab35954d2d3f255c1fe2fc2b8
Opcode Fuzzy Hash: d0570b66e1410825c0cca6dcdb5ee1a872d6eedbed9b8594e792275f7b4edfdf
Instruction Fuzzy Hash: E9110491A2D701E4D0A37D3108C19325C5CAE6779B630CBF36523789E2A63E534B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403398, Relevance: 1.3, APIs: 1, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: aacd819fdbfcf536699a41a2019789dad7664ece754fe03938fd79d5dfd2622d
Instruction ID: 94a5577455b09473e7e55d3aa297bf4c471ee311f4f5321b3a4329fcea53a4d5
Opcode Fuzzy Hash: aacd819fdbfcf536699a41a2019789dad7664ece754fe03938fd79d5dfd2622d
Instruction Fuzzy Hash: 6511E381A2E640E4D0A37E3149C19366C6DAE67797630CBF7A523785E2623E534B320F

Uniqueness

Uniqueness Score: -1.00%

Function 00403375, Relevance: 1.3, APIs: 1, Instructions: 90memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: dd819cc0ca66aca0e72e4225768870bdc9bb59f3aa2594f599780677d58d1071
Instruction ID: ae87ed2385f07e110eb8a6e77dbfc208b71a95c929a2a8e7512cd980a4e9315b
Opcode Fuzzy Hash: dd819cc0ca66aca0e72e4225768870bdc9bb59f3aa2594f599780677d58d1071
Instruction Fuzzy Hash: 3711D0D2A6E705E4D0A36D3509C59325C5CAE27757230CBF3A123B89E2A23E534B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403476, Relevance: 1.3, APIs: 1, Instructions: 89memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0cfaee3dc1fc2ee1456d775cc22b5e56c353ffde3032993b1fa06cee70428b97
Instruction ID: bc5acdbd809321c54d3761e7e2a73b62c7673ee93139161749cb83078865c3ca
Opcode Fuzzy Hash: 0cfaee3dc1fc2ee1456d775cc22b5e56c353ffde3032993b1fa06cee70428b97
Instruction Fuzzy Hash: B801D29262E600F4D0A37E3108C29366C6D9E2739B630CBF7A123755E1A23E534B320F

Uniqueness

Uniqueness Score: -1.00%

Function 004032EF, Relevance: 1.3, APIs: 1, Instructions: 83memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 364f5cdb6cdf4ce5427fb68fbcdbcd673b786cfed5f07e336212e396663d1e5a
Instruction ID: b89e1c87af3277dfc407628e05f1ae07101610061c1b29d07e764f891719c6a5
Opcode Fuzzy Hash: 364f5cdb6cdf4ce5427fb68fbcdbcd673b786cfed5f07e336212e396663d1e5a
Instruction Fuzzy Hash: 0321DF91A6E741E4D0A36D3508C29325C5CAE6779B530C7F7A523749E2663E134B321F

Uniqueness

Uniqueness Score: -1.00%

Function 00403416, Relevance: 1.3, APIs: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ddfd21f1cfb3e2d1f31948a7db04517ed4ac71cc36d5004abd04e36e2b54680b
Instruction ID: b871ff4b56cc664b5bb97c922d2f5f81a49694a8ba67c43dc8fdec37b594b200
Opcode Fuzzy Hash: ddfd21f1cfb3e2d1f31948a7db04517ed4ac71cc36d5004abd04e36e2b54680b
Instruction Fuzzy Hash: BC11C68192E741E8D0637E3108C19366C6D9E27397631C7F7A123755E2A23E535B320F

Uniqueness

Uniqueness Score: -1.00%

Function 004033EF, Relevance: 1.3, APIs: 1, Instructions: 82memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 44759c448d4d6e7bf3cc0175cd876f6879a48c3e4a4a0a58273d3b26ef03c3f4
Instruction ID: 9e5330b9d8790a5fc31000c77ed42aa4a489404cd258d32f0c5c00c7ac9a512d
Opcode Fuzzy Hash: 44759c448d4d6e7bf3cc0175cd876f6879a48c3e4a4a0a58273d3b26ef03c3f4
Instruction Fuzzy Hash: 2811C692A2E740E8D063BD3548C29366C5D9E27797631C7F7A423755E2623E1747310F

Uniqueness

Uniqueness Score: -1.00%

Function 004033B8, Relevance: 1.3, APIs: 1, Instructions: 77memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa06a76b9b6da6cd3c35455fdf654faa8726c14979556fb0cc62341869495322
Instruction ID: 08da866100192462a65bf03ecef76ce137dcbf6860562a71ade420dd727bc13c
Opcode Fuzzy Hash: fa06a76b9b6da6cd3c35455fdf654faa8726c14979556fb0cc62341869495322
Instruction Fuzzy Hash: 9911088192D601E4D0636E3504C19326D6C9E17357630C7F7B123795E2623D5747320F

Uniqueness

Uniqueness Score: -1.00%

Function 00403449, Relevance: 1.3, APIs: 1, Instructions: 74memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0ec0995af32bb64efdb676a146979a8d19aa8e22bffaff1fa702f29fa9a7c377
Instruction ID: 13576e10207ee6a34e5ee060590cd9fa9f6954f47ea07183d1c917de64794e01
Opcode Fuzzy Hash: 0ec0995af32bb64efdb676a146979a8d19aa8e22bffaff1fa702f29fa9a7c377
Instruction Fuzzy Hash: 8611E2A252D700E8D153BE3544C2936AE6CAE17397630C7F7A023395E1A23E535B720F

Uniqueness

Uniqueness Score: -1.00%

Function 0040357B, Relevance: 1.3, APIs: 1, Instructions: 70memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9c7cee1d8e3faa525cd2a13a33c939a0563c84da31b24447d8428fbf13d69226
Instruction ID: df4d148ba01d2f699ca461b87ef9d251819776ccffd8ef9edf57209b3e517120
Opcode Fuzzy Hash: 9c7cee1d8e3faa525cd2a13a33c939a0563c84da31b24447d8428fbf13d69226
Instruction Fuzzy Hash: DAF081D261D200E8D0A26D2544D2C356C6D9E27393630CBF7A523769E1923E575B324F

Uniqueness

Uniqueness Score: -1.00%

Function 00403514, Relevance: 1.3, APIs: 1, Instructions: 69memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d7c8c5ac80751c58ca34c315d44d8a959434839909135fb4e9fb2f4aee1985cb
Instruction ID: ffe73aa3c79abf890e3269a1a4f68ce18043c46f8da6b6867321915ee74c8879
Opcode Fuzzy Hash: d7c8c5ac80751c58ca34c315d44d8a959434839909135fb4e9fb2f4aee1985cb
Instruction Fuzzy Hash: 76F0AFD262D200E8D0A27E3149C2C35ACAD9E17393630CBF7A123759E1523E579B320F

Uniqueness

Uniqueness Score: -1.00%

Function 004034D4, Relevance: 1.3, APIs: 1, Instructions: 60memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1baddd101a687dcfb8407005be4599d1e58a7804a75e646ad38b0f51fae41a1b
Instruction ID: 951b99e36f3cda871d7121467a787fcd7a0e5816aa3e3e441458a314c6cc1c95
Opcode Fuzzy Hash: 1baddd101a687dcfb8407005be4599d1e58a7804a75e646ad38b0f51fae41a1b
Instruction Fuzzy Hash: 0F01C09262D740E9D0A2AE3448C1C35AD6D9E57397334CBF7A123755E1A23E574B320F

Uniqueness

Uniqueness Score: -1.00%

Function 00403519, Relevance: 1.3, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0c377b5eedf171c400842b3269769079d7bd01ada5b9464eed3ec4c191d521ba
Instruction ID: e68d20124ed4b4ec748ddb345cc9aaabc8f6c9b8b17a5bf1ec4d96874e86e29d
Opcode Fuzzy Hash: 0c377b5eedf171c400842b3269769079d7bd01ada5b9464eed3ec4c191d521ba
Instruction Fuzzy Hash: AC014BD2A2E240E8D0A27E3508D18355DAD9E27397630CBF7A523759E1A23E575B320F

Uniqueness

Uniqueness Score: -1.00%

Function 0040354C, Relevance: 1.3, APIs: 1, Instructions: 52memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ece36f2f140c14b074a68823729509964172c0087d62836c52ec55de627c339c
Instruction ID: b5149b11a9d8053dc5257120147a1c7c9cdbd41387ba01b915889e9202a09124
Opcode Fuzzy Hash: ece36f2f140c14b074a68823729509964172c0087d62836c52ec55de627c339c
Instruction Fuzzy Hash: 1DF0ADD262D240E8D0A27E300885C356CAD5E27387230CBF7A123755E0923E535B320F

Uniqueness

Uniqueness Score: -1.00%

Function 004035B3, Relevance: 1.3, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,-0000022F,FFFFFECB), ref: 00403620

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 540ece1f5e7ed1484747e0f408777eea586f42ec9bd0a9c47d4c9cbc9299fe4b
Instruction ID: 93262f19fed22fb8fa27d96aa022a6d7f7898386a5cedeee381c8fb0c8c8057e
Opcode Fuzzy Hash: 540ece1f5e7ed1484747e0f408777eea586f42ec9bd0a9c47d4c9cbc9299fe4b
Instruction Fuzzy Hash: 62F0AFD291D240E5D0A26E2144C1834ACAD9E17393730CBF7A523B6AD1823E474B320F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004F1948, Relevance: 7.0, Strings: 5, Instructions: 769COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
-, xrefs: 004F194A
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: -$8j$j@h$u%j$@<
API String ID: 0-1412188365
Opcode ID: 487ef60ec3d7c5cebe5cebeacc3af119e239f1a3fba84833db1750728cc56ece
Instruction ID: 10bebe8e346f345a2af0ae60601d5e6569ed7b280e1ccc131668eb360678f3ee
Opcode Fuzzy Hash: 487ef60ec3d7c5cebe5cebeacc3af119e239f1a3fba84833db1750728cc56ece
Instruction Fuzzy Hash: BD327B7074030AEFEB245E24CD91BF677A6FF05350F54422AEE8593281D77CA886CB99

Uniqueness

Uniqueness Score: -1.00%

Function 004F53D3, Relevance: 5.4, Strings: 4, Instructions: 373COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j$@<
API String ID: 0-2754106608
Opcode ID: 547359d68ee0432c314b9705880e3049186050849270925e85bfbfb79269ab85
Instruction ID: 30b9af50e3bbee92bfd5afd362057fac44ed4191d14f1ce505814e6040e8ed6a
Opcode Fuzzy Hash: 547359d68ee0432c314b9705880e3049186050849270925e85bfbfb79269ab85
Instruction Fuzzy Hash: 7CB136B074020E6EFB301E14CE827FA3A62AF55354FA4422AFF45662C5C3FC94C59759

Uniqueness

Uniqueness Score: -1.00%

Function 004F262E, Relevance: 5.3, Strings: 4, Instructions: 335COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j$@<
API String ID: 0-2754106608
Opcode ID: abc9f946838749a17aecd6b8ea30cc97c2e936bbaaae7a2e984c117cfcefdd26
Instruction ID: 5e2c7947e6f07e55012325c1bd8681a06b0291681b72741651a1d321f39eae85
Opcode Fuzzy Hash: abc9f946838749a17aecd6b8ea30cc97c2e936bbaaae7a2e984c117cfcefdd26
Instruction Fuzzy Hash: 53A135B074020E6EFB201E14CE52BFA3A62EF55354FA4422AFF85662C5C3FC98C59759

Uniqueness

Uniqueness Score: -1.00%

Function 004F2642, Relevance: 5.3, Strings: 4, Instructions: 331COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j$@<
API String ID: 0-2754106608
Opcode ID: 1cea1a9acc20471ae2ea20303e1be50fa18535bc6254ec723d1ffda21d7fb5d6
Instruction ID: 0dbfe6408e29e97a3ff31af6825fdf87cb75c4166c5adc78a0be730e263ef9ca
Opcode Fuzzy Hash: 1cea1a9acc20471ae2ea20303e1be50fa18535bc6254ec723d1ffda21d7fb5d6
Instruction Fuzzy Hash: 74A135B074020E6EFB201E24CE567FA3A62EF45354F94422AFB85A72C5C3FC98C59759

Uniqueness

Uniqueness Score: -1.00%

Function 004F284A, Relevance: 5.2, Strings: 4, Instructions: 214COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j$@<
API String ID: 0-2754106608
Opcode ID: b6a8c7a2e9cb9cbc158328ff8e520d20118b5794778fa796e1ec19ba428d5c9e
Instruction ID: b6134db15ab71f771d004d5a539bf58b947b063984dea350beb55d15daf9c6e4
Opcode Fuzzy Hash: b6a8c7a2e9cb9cbc158328ff8e520d20118b5794778fa796e1ec19ba428d5c9e
Instruction Fuzzy Hash: B461F5B074420EAFFB310E14CD567E93A62EB05344F94422AFB85AA2C5C3FD98C59749

Uniqueness

Uniqueness Score: -1.00%

Function 004F2966, Relevance: 3.9, Strings: 3, Instructions: 159COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j
API String ID: 0-3660047931
Opcode ID: e97b955067d73b36c06a4265072f2f1ff209f889f3247480e0c47405592d0553
Instruction ID: b52f42f2076a2f5302913ef8d7cff5cbd4929172c02033d1a116df60bd04f6fe
Opcode Fuzzy Hash: e97b955067d73b36c06a4265072f2f1ff209f889f3247480e0c47405592d0553
Instruction Fuzzy Hash: CA4124B074420E6FFF310E18CE867EA3A56EB08354F54422AFF85A6184C7FD88C59659

Uniqueness

Uniqueness Score: -1.00%

Function 004F0C5C, Relevance: 2.7, Strings: 2, Instructions: 188COMMON

Download Yara Rule

Strings

q@, xrefs: 004F0C91
8j, xrefs: 004F0CE0

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$q@
API String ID: 0-888782686
Opcode ID: 3fb2de81b3a57702fa8515205edd83b0b8ba992c1739b7f248752e2361fddd7f
Instruction ID: 583eb1ea9808504398d9ef245eafdcc44f9dcc0997f1337ef97dfa94d1e4948a
Opcode Fuzzy Hash: 3fb2de81b3a57702fa8515205edd83b0b8ba992c1739b7f248752e2361fddd7f
Instruction Fuzzy Hash: 1D519E24A0430EAAEF34356849A97FF26638FD17A4FF4811BEF9152187CB6CC8C6454B

Uniqueness

Uniqueness Score: -1.00%

Function 004F205F, Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ff0720ccf169dbeab00597210a2a2556049e3bf1fe4943088c19615d31a3416
Instruction ID: db90a374c687bad4408043b2d774e1d7685cde705654206275dd62cd295afdd5
Opcode Fuzzy Hash: 1ff0720ccf169dbeab00597210a2a2556049e3bf1fe4943088c19615d31a3416
Instruction Fuzzy Hash: CE413470284309EFEB145E24CE59BF673A1AF02384F65414BEF855B1D2C7B8C882C62A

Uniqueness

Uniqueness Score: -1.00%

Function 004F208E, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33ad6e23e36c8d8a64fd422bcaab24b20bd1c308556db004596dee8df2de4cc4
Instruction ID: b8fde49d6b404cc5e923510144371555020bad859d2605391fcdc196585c9cc5
Opcode Fuzzy Hash: 33ad6e23e36c8d8a64fd422bcaab24b20bd1c308556db004596dee8df2de4cc4
Instruction Fuzzy Hash: B72123302C4309EEEB255B249F5ABF633A1EF02784F64414BEF854B1D2C7A88486D52A

Uniqueness

Uniqueness Score: -1.00%

Function 004F0D06, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad8a72ddeedeb5a0abdaab5bba0135ca95073fec971af5501b886e205faa1c5b
Instruction ID: e0c8a191724dcd4f13ed2ffe2567df610bc6840655e52274933b216a4e7fe327
Opcode Fuzzy Hash: ad8a72ddeedeb5a0abdaab5bba0135ca95073fec971af5501b886e205faa1c5b
Instruction Fuzzy Hash: 8E117F6090838FADFF312A748D153FB26129F937E8FB0821BDE55121C7C7AD9485851B

Uniqueness

Uniqueness Score: -1.00%

Function 004F519B, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6514bdcc77d94ba7dce5bf8833ee7eac1ee21971f79ee30e1ead2d898cb7a0b
Instruction ID: 8353f16f36234a40e4e2217afd360b44d48d1c064e284eae6b2153a333267d90
Opcode Fuzzy Hash: e6514bdcc77d94ba7dce5bf8833ee7eac1ee21971f79ee30e1ead2d898cb7a0b
Instruction Fuzzy Hash: 54F0BE34700A028FE308DA19C690B7373F2BFA8790F1AC0699F09C3225D738EC01C914

Uniqueness

Uniqueness Score: -1.00%

Function 004F2DCB, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39dfebad0fd311657c8d6296fe89d2f42ccbc9d4bff888cd3a03ae942976e8d1
Instruction ID: 4d9c72cc686073d9023cd20d4c02fbd79f59ff954c29421d248a16dd34a117cb
Opcode Fuzzy Hash: 39dfebad0fd311657c8d6296fe89d2f42ccbc9d4bff888cd3a03ae942976e8d1
Instruction Fuzzy Hash: 8CC092BA341584CFFB51CB0CC681B5073B5FB026C8B440491E012CFB16C228ED42DA0A

Uniqueness

Uniqueness Score: -1.00%

Function 004F4CD5, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edb7274a764348ae90b74e5ba895c7f5c715803b25872c2aa6570a8c350241db
Instruction ID: cdf0003822932a5825088b91c6d257ee9916eeffa4e6c472f3e1d81314832776
Opcode Fuzzy Hash: edb7274a764348ae90b74e5ba895c7f5c715803b25872c2aa6570a8c350241db
Instruction Fuzzy Hash: 9BB09231212A80CFCA89CE08C280E9273B0BB44750F0214C0E85287A12C328E905DA21

Uniqueness

Uniqueness Score: -1.00%

Function 0040F52D, Relevance: 27.2, APIs: 18, Instructions: 156
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040F52D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a28, void* _a68) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v44;
				char _v48;
				char _v64;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				intOrPtr* _t45;
				intOrPtr* _t47;
				intOrPtr* _t49;
				void* _t51;
				intOrPtr* _t52;
				intOrPtr* _t54;
				intOrPtr* _t55;
				intOrPtr* _t57;
				void* _t59;
				void* _t61;
				char* _t63;
				intOrPtr* _t65;
				intOrPtr* _t66;
				intOrPtr* _t89;
				void* _t91;
				void* _t93;
				intOrPtr _t94;

				_t94 = _t93 - 0xc;
				 *[fs:0x0] = _t94;
				_v16 = _t94 - 0x6c;
				_v12 = 0x401108;
				_v8 = 0;
				_t45 = _a4;
				 *((intOrPtr*)( *_t45 + 4))(_t45, __edi, __esi, __ebx,  *[fs:0x0], 0x401146, _t91);
				_v40 = 0;
				_v48 = 0;
				_v44 = 0;
				_v64 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_v92 = 0;
				L004011FA();
				L004011FA();
				L004011FA();
				_t47 =  *0x410010; // 0x6d02d0
				if(_t47 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t47 =  *0x410010; // 0x6d02d0
				}
				_t49 =  &_v88;
				L00401236();
				_v100 = 0x80020004;
				_v108 = 0xa;
				_t65 = _t49;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t51 =  *((intOrPtr*)( *_t65 + 0x12c))(_t65, _t49,  *((intOrPtr*)( *_t47 + 0x39c))(_t47));
				asm("fclex");
				if(_t51 < 0) {
					_push(0x12c);
					_push(0x40c82c);
					_push(_t65);
					_push(_t51);
					L0040122A();
				}
				L00401218();
				_t52 =  *0x410010; // 0x6d02d0
				if(_t52 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t52 =  *0x410010; // 0x6d02d0
				}
				_push( *((intOrPtr*)( *_t52 + 0x36c))(_t52));
				_t54 =  &_v92;
				_push(_t54);
				L00401236();
				_t66 = _t54;
				_t55 =  *0x410010; // 0x6d02d0
				_v100 = 0x80020004;
				_v108 = 0xa;
				if(_t55 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t55 =  *0x410010; // 0x6d02d0
				}
				_t57 =  &_v88;
				L00401236();
				_t89 = _t57;
				_t59 =  *((intOrPtr*)( *_t89 + 0xf8))(_t89, 0,  &_v84, _t57,  *((intOrPtr*)( *_t55 + 0x378))(_t55));
				asm("fclex");
				if(_t59 < 0) {
					_push(0xf8);
					_push(0x40c664);
					_push(_t89);
					_push(_t59);
					L0040122A();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t61 =  *((intOrPtr*)( *_t66 + 0x1ec))(_t66, _v84);
				asm("fclex");
				if(_t61 < 0) {
					_push(0x1ec);
					_push(0x40c654);
					_push(_t66);
					_push(_t61);
					L0040122A();
				}
				L0040121E();
				_push( &_v92);
				_t63 =  &_v88;
				_push(_t63);
				_push(2);
				L00401224();
				_push(0x40f72d);
				L004011F4();
				L004011F4();
				L004011F4();
				return _t63;
			}

0x0040f530
0x0040f53f
0x0040f54c
0x0040f54f
0x0040f558
0x0040f55b
0x0040f561
0x0040f56a
0x0040f56d
0x0040f570
0x0040f573
0x0040f576
0x0040f579
0x0040f57c
0x0040f57f
0x0040f582
0x0040f58d
0x0040f598
0x0040f59d
0x0040f5a4
0x0040f5a6
0x0040f5ab
0x0040f5b0
0x0040f5b5
0x0040f5b5
0x0040f5c4
0x0040f5c8
0x0040f5d5
0x0040f5dc
0x0040f5e3
0x0040f5e5
0x0040f5e9
0x0040f5ea
0x0040f5eb
0x0040f5ec
0x0040f5f4
0x0040f5f6
0x0040f5f8
0x0040f5fd
0x0040f602
0x0040f603
0x0040f604
0x0040f604
0x0040f60c
0x0040f611
0x0040f618
0x0040f61a
0x0040f61f
0x0040f624
0x0040f629
0x0040f629
0x0040f637
0x0040f638
0x0040f63b
0x0040f63c
0x0040f641
0x0040f643
0x0040f64a
0x0040f651
0x0040f658
0x0040f65a
0x0040f65f
0x0040f664
0x0040f669
0x0040f669
0x0040f678
0x0040f67c
0x0040f681
0x0040f68c
0x0040f694
0x0040f696
0x0040f698
0x0040f69d
0x0040f6a2
0x0040f6a3
0x0040f6a4
0x0040f6a4
0x0040f6b3
0x0040f6b7
0x0040f6b8
0x0040f6ba
0x0040f6bb
0x0040f6c3
0x0040f6c5
0x0040f6c7
0x0040f6cc
0x0040f6d1
0x0040f6d2
0x0040f6d3
0x0040f6d3
0x0040f6db
0x0040f6e3
0x0040f6e4
0x0040f6e7
0x0040f6e8
0x0040f6ea
0x0040f6f2
0x0040f717
0x0040f71f
0x0040f727
0x0040f72c

APIs

__vbaVarDup.MSVBVM60 ref: 0040F582
__vbaVarDup.MSVBVM60 ref: 0040F58D
__vbaVarDup.MSVBVM60 ref: 0040F598
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F5B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F5C8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C82C,0000012C), ref: 0040F604
__vbaFreeObj.MSVBVM60 ref: 0040F60C
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F624
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F63C
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,00000000), ref: 0040F664
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F67C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C664,000000F8), ref: 0040F6A4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C654,000001EC), ref: 0040F6D3
__vbaFreeStr.MSVBVM60 ref: 0040F6DB
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F6EA
__vbaFreeVar.MSVBVM60(0040F72D), ref: 0040F717
__vbaFreeVar.MSVBVM60(0040F72D), ref: 0040F71F
__vbaFreeVar.MSVBVM60(0040F72D), ref: 0040F727

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$List
String ID:
API String ID: 1822686783-0
Opcode ID: 9d62c40199b754fc9125ef7adc380c9b013dc67b600bd0b4dd4cfcdfcec7f18d
Instruction ID: e83b29a5b781587fc0d34824fdf276c6661bfda75940c41c1db0689003fb2db2
Opcode Fuzzy Hash: 9d62c40199b754fc9125ef7adc380c9b013dc67b600bd0b4dd4cfcdfcec7f18d
Instruction Fuzzy Hash: 2B514071A00218ABCB10EFE5D885BDE7BB8BF09704F10457EF501BB1A1DBB95909CB99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F393, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040F393(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __fp0) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v40;
				char* _v48;
				char _v56;
				char _v60;
				intOrPtr _t30;
				void* _t32;
				intOrPtr* _t33;
				void* _t34;
				signed int _t37;
				void* _t39;
				intOrPtr* _t40;
				intOrPtr* _t44;
				intOrPtr _t57;
				intOrPtr* _t60;
				intOrPtr* _t61;
				intOrPtr* _t63;
				intOrPtr _t67;
				intOrPtr _t71;
				intOrPtr _t76;

				_push(0x401146);
				_t30 =  *[fs:0x0];
				_push(_t30);
				 *[fs:0x0] = _t67;
				_v12 = _t67 - 0x48;
				_v8 = 0x4010f8;
				_push(0x40c798);
				_v24 = 0;
				_v40 = 0;
				_v56 = 0;
				_v60 = 0;
				L004011D6();
				_t57 = 2;
				if(_t30 != _t57) {
					_v48 = L"OxxEWqjpLUcRg8I5vV6VgY6GY8251";
					_v56 = 8;
					L004011FA();
					_push(_t57);
					_push( &_v40);
					L004011D0();
					st0 = __fp0;
					L004011F4();
				}
				_t71 =  *0x4103a4; // 0x2bdea7c
				if(_t71 == 0) {
					_push(0x4103a4);
					_push(0x40c7fc);
					L00401230();
				}
				_t60 =  *0x4103a4; // 0x2bdea7c
				_t32 =  *((intOrPtr*)( *_t60 + 0x14))(_t60,  &_v24);
				asm("fclex");
				if(_t32 < 0) {
					_push(0x14);
					_push(0x40c7ec);
					_push(_t60);
					_push(_t32);
					L0040122A();
				}
				_t33 = _v24;
				_t61 = _t33;
				_t34 =  *((intOrPtr*)( *_t33 + 0x100))(_t33,  &_v60);
				asm("fclex");
				if(_t34 < 0) {
					_push(0x100);
					_push(0x40c80c);
					_push(_t61);
					_push(_t34);
					L0040122A();
				}
				_t37 =  ~(0 | _v60 != 0x00400000);
				L00401218();
				if(_t37 != 0) {
					_t76 =  *0x4103a4; // 0x2bdea7c
					if(_t76 == 0) {
						_push(0x4103a4);
						_push(0x40c7fc);
						L00401230();
					}
					_t63 =  *0x4103a4; // 0x2bdea7c
					_t39 =  *((intOrPtr*)( *_t63 + 0x4c))(_t63,  &_v24);
					asm("fclex");
					if(_t39 < 0) {
						_push(0x4c);
						_push(0x40c7ec);
						_push(_t63);
						_push(_t39);
						L0040122A();
					}
					_v56 = _t57;
					_v48 = 1;
					_t40 = _v24;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t44 = _t40;
					asm("movsd");
					_t37 =  *((intOrPtr*)( *_t40 + 0x2c))(_t40);
					asm("fclex");
					if(_t37 < 0) {
						_push(0x2c);
						_push(0x40c81c);
						_push(_t44);
						_push(_t37);
						L0040122A();
					}
					L00401218();
				}
				asm("wait");
				_push(0x40f51a);
				return _t37;
			}

0x0040f398
0x0040f39d
0x0040f3a3
0x0040f3a4
0x0040f3b1
0x0040f3b4
0x0040f3bd
0x0040f3c2
0x0040f3c5
0x0040f3c8
0x0040f3cb
0x0040f3ce
0x0040f3d5
0x0040f3d8
0x0040f3e0
0x0040f3e7
0x0040f3ee
0x0040f3f6
0x0040f3f7
0x0040f3f8
0x0040f400
0x0040f402
0x0040f402
0x0040f407
0x0040f40d
0x0040f40f
0x0040f414
0x0040f419
0x0040f419
0x0040f41e
0x0040f42b
0x0040f430
0x0040f432
0x0040f434
0x0040f436
0x0040f43b
0x0040f43c
0x0040f43d
0x0040f43d
0x0040f442
0x0040f44c
0x0040f44e
0x0040f456
0x0040f458
0x0040f45a
0x0040f45f
0x0040f464
0x0040f465
0x0040f466
0x0040f466
0x0040f47a
0x0040f47e
0x0040f486
0x0040f488
0x0040f48e
0x0040f490
0x0040f495
0x0040f49a
0x0040f49a
0x0040f49f
0x0040f4ac
0x0040f4b1
0x0040f4b3
0x0040f4b5
0x0040f4b7
0x0040f4bc
0x0040f4bd
0x0040f4be
0x0040f4be
0x0040f4c6
0x0040f4ce
0x0040f4d5
0x0040f4d8
0x0040f4dc
0x0040f4dd
0x0040f4de
0x0040f4e0
0x0040f4e1
0x0040f4e6
0x0040f4e8
0x0040f4ea
0x0040f4ec
0x0040f4f1
0x0040f4f2
0x0040f4f3
0x0040f4f3
0x0040f4fb
0x0040f4fb
0x0040f500
0x0040f501
0x00000000

APIs

__vbaI4Str.MSVBVM60(0040C798), ref: 0040F3CE
__vbaVarDup.MSVBVM60(0040C798), ref: 0040F3EE
#600.MSVBVM60(?,00000002,0040C798), ref: 0040F3F8
__vbaFreeVar.MSVBVM60(?,00000002,0040C798), ref: 0040F402
__vbaNew2.MSVBVM60(0040C7FC,004103A4,0040C798), ref: 0040F419
__vbaHresultCheckObj.MSVBVM60(00000000,02BDEA7C,0040C7EC,00000014), ref: 0040F43D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C80C,00000100), ref: 0040F466
__vbaFreeObj.MSVBVM60(00000000,?,0040C80C,00000100), ref: 0040F47E
__vbaNew2.MSVBVM60(0040C7FC,004103A4), ref: 0040F49A
__vbaHresultCheckObj.MSVBVM60(00000000,02BDEA7C,0040C7EC,0000004C), ref: 0040F4BE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040C81C,0000002C), ref: 0040F4F3
__vbaFreeObj.MSVBVM60(00000000,?,0040C81C,0000002C), ref: 0040F4FB

Strings

OxxEWqjpLUcRg8I5vV6VgY6GY8251, xrefs: 0040F3E0

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#600
String ID: OxxEWqjpLUcRg8I5vV6VgY6GY8251
API String ID: 335478256-166552055
Opcode ID: ed0bc01db0b68752bbec9a0a045eee17efadcd0095f18222042bd217a16677f4
Instruction ID: dc04598c750b03351720e5146b0265e338d90ba397d99f6378c44dc270869668
Opcode Fuzzy Hash: ed0bc01db0b68752bbec9a0a045eee17efadcd0095f18222042bd217a16677f4
Instruction Fuzzy Hash: 5941BE70900209EFCB10EFA5C986ADF76B8AF58708F20457EF404B75D1D7B859488A69

Uniqueness

Uniqueness Score: -1.00%

Function 0040F92F, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040F92F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a40) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr* _t28;
				intOrPtr* _t30;
				intOrPtr* _t32;
				void* _t34;
				intOrPtr* _t35;
				intOrPtr* _t37;
				void* _t39;
				intOrPtr* _t41;
				intOrPtr* _t58;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				_v16 = _t62 - 0x3c;
				_v12 = 0x401128;
				_v8 = 0;
				_t28 = _a4;
				 *((intOrPtr*)( *_t28 + 4))(_t28, __edi, __esi, __ebx,  *[fs:0x0], 0x401146, _t59);
				_v28 = 0;
				_v32 = 0;
				_v48 = 0;
				_v52 = 0;
				L004011FA();
				L004011DC();
				_t30 =  *0x410010; // 0x6d02d0
				if(_t30 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t30 =  *0x410010; // 0x6d02d0
				}
				_t32 =  &_v52;
				L00401236();
				_v60 = 0x80020004;
				_v68 = 0xa;
				_t41 = _t32;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_t41 + 0x1ec))(_t41, L"gXh0Uljw71", _t32,  *((intOrPtr*)( *_t30 + 0x314))(_t30));
				asm("fclex");
				if(_t34 < 0) {
					_push(0x1ec);
					_push(0x40c654);
					_push(_t41);
					_push(_t34);
					L0040122A();
				}
				L00401218();
				_t35 =  *0x410010; // 0x6d02d0
				if(_t35 == 0) {
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t35 =  *0x410010; // 0x6d02d0
				}
				_t37 =  &_v52;
				L00401236();
				_t58 = _t37;
				_t39 =  *((intOrPtr*)( *_t58 + 0x138))(_t58, _t37,  *((intOrPtr*)( *_t35 + 0x33c))(_t35));
				asm("fclex");
				if(_t39 < 0) {
					_push(0x138);
					_push(0x40c858);
					_push(_t58);
					_push(_t39);
					L0040122A();
				}
				L00401218();
				_push(0x40fa7c);
				L0040121E();
				L004011F4();
				return _t39;
			}

0x0040f932
0x0040f941
0x0040f94e
0x0040f951
0x0040f95a
0x0040f95d
0x0040f963
0x0040f96c
0x0040f96f
0x0040f972
0x0040f975
0x0040f978
0x0040f983
0x0040f988
0x0040f98f
0x0040f991
0x0040f996
0x0040f99b
0x0040f9a0
0x0040f9a0
0x0040f9af
0x0040f9b3
0x0040f9c0
0x0040f9c7
0x0040f9ce
0x0040f9d0
0x0040f9d8
0x0040f9d9
0x0040f9db
0x0040f9dc
0x0040f9e4
0x0040f9e6
0x0040f9e8
0x0040f9ed
0x0040f9f2
0x0040f9f3
0x0040f9f4
0x0040f9f4
0x0040f9fc
0x0040fa01
0x0040fa08
0x0040fa0a
0x0040fa0f
0x0040fa14
0x0040fa19
0x0040fa19
0x0040fa28
0x0040fa2c
0x0040fa31
0x0040fa36
0x0040fa3e
0x0040fa40
0x0040fa42
0x0040fa47
0x0040fa4c
0x0040fa4d
0x0040fa4e
0x0040fa4e
0x0040fa56
0x0040fa5b
0x0040fa6e
0x0040fa76
0x0040fa7b

APIs

__vbaVarDup.MSVBVM60 ref: 0040F978
__vbaStrCopy.MSVBVM60 ref: 0040F983
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F99B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F9B3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C654,000001EC), ref: 0040F9F4
__vbaFreeObj.MSVBVM60 ref: 0040F9FC
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040FA14
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA2C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C858,00000138), ref: 0040FA4E
__vbaFreeObj.MSVBVM60 ref: 0040FA56
__vbaFreeStr.MSVBVM60(0040FA7C), ref: 0040FA6E
__vbaFreeVar.MSVBVM60(0040FA7C), ref: 0040FA76

Strings

gXh0Uljw71, xrefs: 0040F9D3

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$Copy
String ID: gXh0Uljw71
API String ID: 1708244389-1982546169
Opcode ID: 923db0855488a8e6badab936de48c1ab98ad51714ed0a9d58bd4021f9d6ef039
Instruction ID: 48ef0915bf6c5af6238375ebed32722f5d97dcbae6d397baa781cb05dbf6c77e
Opcode Fuzzy Hash: 923db0855488a8e6badab936de48c1ab98ad51714ed0a9d58bd4021f9d6ef039
Instruction Fuzzy Hash: 22314E70A40218ABCB10EFA9DC85F9E7BB8BF19704F10857EF500B71D1D7B899058B99

Uniqueness

Uniqueness Score: -1.00%

Function 0040F758, Relevance: 21.1, APIs: 14, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040F758(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t38;
				void* _t40;
				intOrPtr* _t41;
				intOrPtr* _t43;
				intOrPtr* _t44;
				intOrPtr* _t46;
				void* _t48;
				void* _t50;
				char* _t52;
				intOrPtr* _t54;
				intOrPtr* _t55;
				void* _t71;
				intOrPtr* _t72;
				void* _t74;
				void* _t76;
				intOrPtr _t77;

				_t77 = _t76 - 0xc;
				 *[fs:0x0] = _t77;
				_v16 = _t77 - 0x4c;
				_v12 = 0x401118;
				_v8 = 0;
				_t34 = _a4;
				 *((intOrPtr*)( *_t34 + 4))(_t34, __edi, __esi, __ebx,  *[fs:0x0], 0x401146, _t74);
				_v40 = 0;
				_v48 = 0;
				_v44 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				L004011FA();
				_t36 =  *0x410010; // 0x6d02d0
				if(_t36 != 0) {
					_t71 = 0x40ca0c;
				} else {
					_t71 = 0x40ca0c;
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t36 =  *0x410010; // 0x6d02d0
				}
				_t38 =  &_v56;
				L00401236();
				_t54 = _t38;
				_t40 =  *((intOrPtr*)( *_t54 + 0x1a8))(_t54, _t38,  *((intOrPtr*)( *_t36 + 0x370))(_t36));
				asm("fclex");
				if(_t40 < 0) {
					_push(0x1a8);
					_push(0x40c694);
					_push(_t54);
					_push(_t40);
					L0040122A();
				}
				L00401218();
				_t41 =  *0x410010; // 0x6d02d0
				if(_t41 == 0) {
					_push(0x410010);
					_push(_t71);
					L00401230();
					_t41 =  *0x410010; // 0x6d02d0
				}
				_push( *((intOrPtr*)( *_t41 + 0x378))(_t41));
				_t43 =  &_v60;
				_push(_t43);
				L00401236();
				_t55 = _t43;
				_t44 =  *0x410010; // 0x6d02d0
				_v68 = 0x80020004;
				_v76 = 0xa;
				if(_t44 == 0) {
					_push(0x410010);
					_push(_t71);
					L00401230();
					_t44 =  *0x410010; // 0x6d02d0
				}
				_t46 =  &_v56;
				L00401236();
				_t72 = _t46;
				_t48 =  *((intOrPtr*)( *_t72 + 0xf8))(_t72,  &_v52, _t46,  *((intOrPtr*)( *_t44 + 0x348))(_t44));
				asm("fclex");
				if(_t48 < 0) {
					_push(0xf8);
					_push(0x40c71c);
					_push(_t72);
					_push(_t48);
					L0040122A();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t50 =  *((intOrPtr*)( *_t55 + 0x1ec))(_t55, _v52);
				asm("fclex");
				if(_t50 < 0) {
					_push(0x1ec);
					_push(0x40c664);
					_push(_t55);
					_push(_t50);
					L0040122A();
				}
				L0040121E();
				_push( &_v60);
				_t52 =  &_v56;
				_push(_t52);
				_push(2);
				L00401224();
				asm("wait");
				_push(0x40f90a);
				L004011F4();
				return _t52;
			}

0x0040f75b
0x0040f76a
0x0040f777
0x0040f77a
0x0040f783
0x0040f786
0x0040f78c
0x0040f795
0x0040f798
0x0040f79b
0x0040f79e
0x0040f7a1
0x0040f7a4
0x0040f7a7
0x0040f7ac
0x0040f7b8
0x0040f7cd
0x0040f7ba
0x0040f7ba
0x0040f7bf
0x0040f7c0
0x0040f7c1
0x0040f7c6
0x0040f7c6
0x0040f7dc
0x0040f7e0
0x0040f7e5
0x0040f7ea
0x0040f7f2
0x0040f7f4
0x0040f7f6
0x0040f7fb
0x0040f800
0x0040f801
0x0040f802
0x0040f802
0x0040f80a
0x0040f80f
0x0040f816
0x0040f818
0x0040f819
0x0040f81a
0x0040f81f
0x0040f81f
0x0040f82d
0x0040f82e
0x0040f831
0x0040f832
0x0040f837
0x0040f839
0x0040f840
0x0040f847
0x0040f84e
0x0040f850
0x0040f851
0x0040f852
0x0040f857
0x0040f857
0x0040f866
0x0040f86a
0x0040f86f
0x0040f878
0x0040f880
0x0040f882
0x0040f884
0x0040f889
0x0040f88e
0x0040f88f
0x0040f890
0x0040f890
0x0040f89f
0x0040f8a3
0x0040f8a4
0x0040f8a6
0x0040f8a7
0x0040f8af
0x0040f8b1
0x0040f8b3
0x0040f8b8
0x0040f8bd
0x0040f8be
0x0040f8bf
0x0040f8bf
0x0040f8c7
0x0040f8cf
0x0040f8d0
0x0040f8d3
0x0040f8d4
0x0040f8d6
0x0040f8de
0x0040f8df
0x0040f904
0x0040f909

APIs

__vbaVarDup.MSVBVM60 ref: 0040F7A7
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F7C1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F7E0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C694,000001A8), ref: 0040F802
__vbaFreeObj.MSVBVM60 ref: 0040F80A
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F81A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F832
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,00000000), ref: 0040F852
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F86A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C71C,000000F8), ref: 0040F890
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C664,000001EC), ref: 0040F8BF
__vbaFreeStr.MSVBVM60 ref: 0040F8C7
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F8D6
__vbaFreeVar.MSVBVM60(0040F90A), ref: 0040F904

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$List
String ID:
API String ID: 1822686783-0
Opcode ID: 4947b5175818248264b48dd5f68277b5a2c44dce57803c98205fb5eb696ea500
Instruction ID: 6407dd6665faa6fbc9aa7b51b0af8d28d6b5395497ae4b56448bc3af07bfc10f
Opcode Fuzzy Hash: 4947b5175818248264b48dd5f68277b5a2c44dce57803c98205fb5eb696ea500
Instruction Fuzzy Hash: F5412C71A00218BBCB10EFA5D885EDE7BBCAF09704F10457AF504F7291DB7899058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1E8, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E0040F1E8(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _t29;
				intOrPtr* _t31;
				void* _t33;
				intOrPtr* _t34;
				intOrPtr* _t36;
				intOrPtr* _t37;
				intOrPtr* _t39;
				void* _t41;
				void* _t43;
				char* _t45;
				intOrPtr* _t47;
				intOrPtr* _t48;
				void* _t64;
				intOrPtr* _t65;
				intOrPtr _t69;

				_push(0x401146);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_v12 = _t69 - 0x34;
				_v8 = 0x4010e8;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v36 = 0;
				L004011DC();
				_t29 =  *0x410010; // 0x6d02d0
				if(_t29 != 0) {
					_t64 = 0x40ca0c;
				} else {
					_t64 = 0x40ca0c;
					_push(0x410010);
					_push(0x40ca0c);
					L00401230();
					_t29 =  *0x410010; // 0x6d02d0
				}
				_t31 =  &_v32;
				L00401236();
				_t47 = _t31;
				_t33 =  *((intOrPtr*)( *_t47 + 0x170))(_t47, _t31,  *((intOrPtr*)( *_t29 + 0x348))(_t29));
				asm("fclex");
				if(_t33 < 0) {
					_push(0x170);
					_push(0x40c71c);
					_push(_t47);
					_push(_t33);
					L0040122A();
				}
				L00401218();
				_t34 =  *0x410010; // 0x6d02d0
				if(_t34 == 0) {
					_push(0x410010);
					_push(_t64);
					L00401230();
					_t34 =  *0x410010; // 0x6d02d0
				}
				_push( *((intOrPtr*)( *_t34 + 0x36c))(_t34));
				_t36 =  &_v36;
				_push(_t36);
				L00401236();
				_t48 = _t36;
				_t37 =  *0x410010; // 0x6d02d0
				_v44 = 0x80020004;
				_v52 = 0xa;
				if(_t37 == 0) {
					_push(0x410010);
					_push(_t64);
					L00401230();
					_t37 =  *0x410010; // 0x6d02d0
				}
				_t39 =  &_v32;
				L00401236();
				_t65 = _t39;
				_t41 =  *((intOrPtr*)( *_t65 + 0x48))(_t65,  &_v28, _t39,  *((intOrPtr*)( *_t37 + 0x308))(_t37));
				asm("fclex");
				if(_t41 < 0) {
					_push(0x48);
					_push(0x40c784);
					_push(_t65);
					_push(_t41);
					L0040122A();
				}
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t43 =  *((intOrPtr*)( *_t48 + 0x1ec))(_t48, _v28);
				asm("fclex");
				if(_t43 < 0) {
					_push(0x1ec);
					_push(0x40c654);
					_push(_t48);
					_push(_t43);
					L0040122A();
				}
				L0040121E();
				_push( &_v36);
				_t45 =  &_v32;
				_push(_t45);
				_push(2);
				L00401224();
				_push(0x40f380);
				L0040121E();
				return _t45;
			}

0x0040f1ed
0x0040f1f8
0x0040f1f9
0x0040f206
0x0040f209
0x0040f218
0x0040f21b
0x0040f21e
0x0040f221
0x0040f224
0x0040f229
0x0040f235
0x0040f24a
0x0040f237
0x0040f237
0x0040f23c
0x0040f23d
0x0040f23e
0x0040f243
0x0040f243
0x0040f259
0x0040f25d
0x0040f262
0x0040f267
0x0040f26f
0x0040f271
0x0040f273
0x0040f278
0x0040f27d
0x0040f27e
0x0040f27f
0x0040f27f
0x0040f287
0x0040f28c
0x0040f293
0x0040f295
0x0040f296
0x0040f297
0x0040f29c
0x0040f29c
0x0040f2aa
0x0040f2ab
0x0040f2ae
0x0040f2af
0x0040f2b4
0x0040f2b6
0x0040f2bd
0x0040f2c4
0x0040f2cb
0x0040f2cd
0x0040f2ce
0x0040f2cf
0x0040f2d4
0x0040f2d4
0x0040f2e3
0x0040f2e7
0x0040f2ec
0x0040f2f5
0x0040f2fa
0x0040f2fc
0x0040f2fe
0x0040f300
0x0040f305
0x0040f306
0x0040f307
0x0040f307
0x0040f316
0x0040f31a
0x0040f31b
0x0040f31d
0x0040f31e
0x0040f326
0x0040f328
0x0040f32a
0x0040f32f
0x0040f334
0x0040f335
0x0040f336
0x0040f336
0x0040f33e
0x0040f346
0x0040f347
0x0040f34a
0x0040f34b
0x0040f34d
0x0040f355
0x0040f37a
0x0040f37f

APIs

__vbaStrCopy.MSVBVM60 ref: 0040F224
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F23E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F25D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C71C,00000170), ref: 0040F27F
__vbaFreeObj.MSVBVM60(00000000,00000000,0040C71C,00000170), ref: 0040F287
__vbaNew2.MSVBVM60(0040CA0C,00410010), ref: 0040F297
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F2AF
__vbaNew2.MSVBVM60(0040CA0C,00410010,?,00000000), ref: 0040F2CF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F2E7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C784,00000048), ref: 0040F307
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040C654,000001EC), ref: 0040F336
__vbaFreeStr.MSVBVM60(00000000,00000000,0040C654,000001EC), ref: 0040F33E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040F34D
__vbaFreeStr.MSVBVM60(0040F380), ref: 0040F37A

Memory Dump Source

Source File: 00000000.00000002.1287081328.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1287048628.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1287180633.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1287217608.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$CopyList
String ID:
API String ID: 4130517723-0
Opcode ID: 98b8fde4bf621cdf5e69e8829d3b6ca6b6b55896263848405ae84c05ede26017
Instruction ID: 710e81a23e962f9eb87b7846ded7bc4dbc8f249c3b2431ffd971fb4f3b69c5ab
Opcode Fuzzy Hash: 98b8fde4bf621cdf5e69e8829d3b6ca6b6b55896263848405ae84c05ede26017
Instruction Fuzzy Hash: ED413BB1A00214ABCB10EFA5CC85EAF7BACAB19704F10457EF901F71A1D77899058BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004F6545, Relevance: 5.2, Strings: 4, Instructions: 157COMMON

Download Yara Rule

Strings

u%j, xrefs: 004F2BF1
j@h, xrefs: 004F2A48
8j, xrefs: 004F297E
@<, xrefs: 004F28DE

Memory Dump Source

Source File: 00000000.00000002.1287783795.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: 8j$j@h$u%j$@<
API String ID: 0-2754106608
Opcode ID: 16ea1efa54b0e9869f841569f10eb0bfb1c61247934d2eb62e5f8e34f57b50d6
Instruction ID: 621b86eb489b8889b8890d425c8b96a9019ff3b9f593f04d454f6fbf3a44a0a0
Opcode Fuzzy Hash: 16ea1efa54b0e9869f841569f10eb0bfb1c61247934d2eb62e5f8e34f57b50d6
Instruction Fuzzy Hash: 3A41E77070420ECDEF24597486547B625D2DB66374FBA412BCF43C7194D37C88C5964B

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Proof of payment.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Proof of payment.exe PID: 5352 Parent PID: 5524

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Proof of payment.exe PID: 5352 Parent PID: 5524 Proof of payment.exeCOMMON

Executed Functions

Function 0040E464, Relevance: 174.3, APIs: 96, Strings: 3, Instructions: 1070COMMON

Function 00401254, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 103COMMON

Function 00402FC8, Relevance: 1.4, APIs: 1, Instructions: 184COMMON

Function 0040E464, Relevance: 174.3, APIs: 96, Strings: 3, Instructions: 1070
COMMON

Function 0040F52D, Relevance: 27.2, APIs: 18, Instructions: 156
COMMON

Function 0040F393, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 127
COMMON

Function 0040F92F, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 102
COMMON

Function 0040F758, Relevance: 21.1, APIs: 14, Instructions: 139
COMMON

Function 0040F1E8, Relevance: 21.1, APIs: 14, Instructions: 132
COMMON