Analysis Report RFQ-PR#20211201.exe

Overview

General Information

Sample Name:RFQ-PR#20211201.exe
Analysis ID:338418
MD5:7f460fbf235c5e678b553edd2113d890
SHA1:6cda9cecf924e6e2fe967ed0ad0c1d189e41fb81
SHA256:1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0
Tags:exe, GuLoader

Detection

GuLoader
Score:80
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Potential time zone aware malware
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Startup

  • System is w10x64
  • RFQ-PR#20211201.exe (PID: 7148 cmdline: 'C:\Users\user\Desktop\RFQ-PR#20211201.exe' MD5: 7F460FBF235C5E678B553EDD2113D890)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| Process Memory Space: RFQ-PR#20211201.exe PID: 7148 | JoeSecurity_VB6DownloaderGeneric | Yara detected VB6 Downloader Generic | Joe Security | |
| Process Memory Space: RFQ-PR#20211201.exe PID: 7148 | JoeSecurity_GuLoader | Yara detected GuLoader | Joe Security | |

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      AV Detection:

      Multi AV Scanner detection for submitted file
      Source: RFQ-PR#20211201.exe, ReversingLabs: Detection: 13%
      Source: RFQ-PR#20211201.exe, Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Process Stats: CPU usage > 98%
      Source: RFQ-PR#20211201.exe, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp, Binary or memory string: OriginalFilenameCredo8.exe vs RFQ-PR#20211201.exe
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1282522380.00000000022E0000.00000002.00000001.sdmp, Binary or memory string: OriginalFilenameuser32j% vs RFQ-PR#20211201.exe
      Source: RFQ-PR#20211201.exe, Binary or memory string: OriginalFilenameCredo8.exe vs RFQ-PR#20211201.exe
      Source: classification engine, Classification label: mal80.troj.evad.winEXE@1/0@0/0
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, File created: C:\Users\user\AppData\Local\Temp\~DFF6B59D46F994D8A9.TMP
      Source: RFQ-PR#20211201.exe, Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

      Data Obfuscation:

      Yara detected GuLoader
      Source: Yara match, File source: Process Memory Space: RFQ-PR#20211201.exe PID: 7148, type: MEMORY
      Yara detected VB6 Downloader Generic
      Source: Yara match, File source: Process Memory Space: RFQ-PR#20211201.exe PID: 7148, type: MEMORY
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040C94F push eax; iretd 0_2_0040C950
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040995D push ss; iretd 0_2_0040996F
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_00408123 push cs; retf 0_2_0040817B
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040C197 push esi; iretd 0_2_0040C198
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040CAD7 push eax; iretd 0_2_0040CAD8
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040D2F6 push esp; retf 0_2_0040D2F7
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040E69C push edx; iretd 0_2_0040E6BC
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040C6A8 push eax; iretd 0_2_0040C6AC
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040C6BF push eax; iretd 0_2_0040C6C0
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_00408370 push ds; iretd 0_2_0040838B
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_0040A3D3 push edx; iretd 0_2_0040A3D8
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_00408F97 push eax; iretd 0_2_00408F98
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_00404399 push ds; iretd 0_2_0040439A
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Process information set: NOOPENFILEERRORBOX

      Malware Analysis System Evasion:

      Detected RDTSC dummy instruction sequence (likely for instruction hammering)
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, RDTSC instruction interceptor: First address: 000000000242601F second address: 00000000024266F7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F8358954AE1h 0x0000000f test cl, bl 0x00000011 mov eax, dword ptr fs:[00000030h] 0x00000017 cmp ah, ch 0x00000019 mov eax, dword ptr [eax+0Ch] 0x0000001c mov eax, dword ptr [eax+14h] 0x0000001f cmp edx, ecx 0x00000021 mov ecx, dword ptr [eax] 0x00000023 jmp 00007F835895453Eh 0x00000025 test ebx, D9666EB4h 0x0000002b mov eax, ecx 0x0000002d cmp cx, ax 0x00000030 jmp 00007F8358954523h 0x00000032 test ecx, ecx 0x00000034 mov ebx, dword ptr [eax+28h] 0x00000037 test ax, dx 0x0000003a cmp ebx, 00000000h 0x0000003d je 00007F835895458Dh 0x0000003f test edx, ebx 0x00000041 push ebx 0x00000042 test dx, ax 0x00000045 call 00007F835895458Eh 0x0000004a cmp dl, dl 0x0000004c mov esi, dword ptr [esp+04h] 0x00000050 pushad 0x00000051 mov eax, 000000EFh 0x00000056 rdtsc
      Potential time zone aware malware
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, System information queried: CurrentTimeZoneInformation
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1282690513.0000000002420000.00000040.00000001.sdmp, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEF
      Source: RFQ-PR#20211201.exe, Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurements
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, RDTSC instruction interceptor: First address: 000000000242601F second address: 00000000024266F7 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F8358954AE1h 0x0000000f test cl, bl 0x00000011 mov eax, dword ptr fs:[00000030h] 0x00000017 cmp ah, ch 0x00000019 mov eax, dword ptr [eax+0Ch] 0x0000001c mov eax, dword ptr [eax+14h] 0x0000001f cmp edx, ecx 0x00000021 mov ecx, dword ptr [eax] 0x00000023 jmp 00007F835895453Eh 0x00000025 test ebx, D9666EB4h 0x0000002b mov eax, ecx 0x0000002d cmp cx, ax 0x00000030 jmp 00007F8358954523h 0x00000032 test ecx, ecx 0x00000034 mov ebx, dword ptr [eax+28h] 0x00000037 test ax, dx 0x0000003a cmp ebx, 00000000h 0x0000003d je 00007F835895458Dh 0x0000003f test edx, ebx 0x00000041 push ebx 0x00000042 test dx, ax 0x00000045 call 00007F835895458Eh 0x0000004a cmp dl, dl 0x0000004c mov esi, dword ptr [esp+04h] 0x00000050 pushad 0x00000051 mov eax, 000000EFh 0x00000056 rdtsc
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, RDTSC instruction interceptor: First address: 0000000002426EB3 second address: 0000000002426EB3 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp byte ptr [esi+ecx], 00000000h 0x00000007 je 00007F8358D3B01Eh 0x00000009 jmp 00007F8358D3B08Ah 0x0000000b cmp eax, ebx 0x0000000d inc ecx 0x0000000e cmp ecx, ebx 0x00000010 jnl 00007F8358D3AEF8h 0x00000016 pushad 0x00000017 mov ecx, 0000005Eh 0x0000001c rdtsc
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02426A4F rdtsc 0_2_02426A4F
      Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1282690513.0000000002420000.00000040.00000001.sdmp, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exef
      Source: RFQ-PR#20211201.exe, Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

      Anti Debugging:

      Found potential dummy code loops (likely to delay analysis)
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Process Stats: CPU usage > 90% for more than 60s
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02426A4F rdtsc 0_2_02426A4F
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02423763 mov eax, dword ptr fs:[00000030h] 0_2_02423763
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02425F91 mov eax, dword ptr fs:[00000030h] 0_2_02425F91
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02422857 mov eax, dword ptr fs:[00000030h] 0_2_02422857
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_02422832 mov eax, dword ptr fs:[00000030h] 0_2_02422832
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_024228A7 mov eax, dword ptr fs:[00000030h] 0_2_024228A7
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_024265FA mov eax, dword ptr fs:[00000030h] 0_2_024265FA
      Source: C:\Users\user\Desktop\RFQ-PR#20211201.exe, Code function: 0_2_024271FC mov eax, dword ptr fs:[00000030h] 0_2_024271FC
      Source: all processes, Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1281974451.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Shell_TrayWnd
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1281974451.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Progman
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1281974451.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: &Program Manager
      Source: RFQ-PR#20211201.exe, 00000000.00000002.1281974451.0000000000D70000.00000002.00000001.sdmp, Binary or memory string: Progmanlock

      Mitre Att&ck Matrix

      | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact |
      |---|---|---|---|---|---|---|---|---|---|---|---|---|---|
      | Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection 1 | Virtualization/Sandbox Evasion 11 | OS Credential Dumping | System Time Discovery 1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Data Obfuscation | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition |
      | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection 1 | LSASS Memory | Security Software Discovery 411 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout |
      | Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information 1 | Security Account Manager | Virtualization/Sandbox Evasion 11 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data |
      | Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | Process Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | | Carrier Billing Fraud |
      | Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Software Packing | LSA Secrets | System Information Discovery 21 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings |

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      | Source | Detection | Scanner | Label | Link |
      |---|---|---|---|---|
      | RFQ-PR#20211201.exe | 13% | ReversingLabs | Win32.Infostealer.PonyStealer | |

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:338418
      Start date:12.01.2021
      Start time:08:45:54
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 10m 35s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:RFQ-PR#20211201.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:23
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal80.troj.evad.winEXE@1/0@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 26.1% (good quality ratio 2.9%)
      • Quality average: 5.5%
      • Quality standard deviation: 15.8%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
      Warnings:
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):5.89482429017858
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.15%
      • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:RFQ-PR#20211201.exe
      File size:90112
      MD5:7f460fbf235c5e678b553edd2113d890
      SHA1:6cda9cecf924e6e2fe967ed0ad0c1d189e41fb81
      SHA256:1c9344d3993bafbe60739644d0fae336276c4ffd835da89d44b58ef4d744eee0
      SHA512:50055fc24c925117f463075b86dd68457ee193751926582a070017d76a1ce99b14d4dcd27a77cb2a8891a96289847b5aa3283930afc51ae533cc6ff0191b12ea
      SSDEEP:768:7UD0AyHMB8Q9+FAjnNGvM591DZH+vcLt/Wfu1FXpuIUQUzYRT:7JM9PEvy1HDh/MuPXIQCW
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......_.................0...0......\........@....@................

      File Icon

      Icon Hash:6eeed0e4a4a4e0d2

      Static PE Info

      General

      Entrypoint:0x40135c
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x5FFCDAD5 [Mon Jan 11 23:10:13 2021 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:2a71f44ac1c823400003a5bea275b301

      Entrypoint Preview

      Instruction
      push 00401E08h
      call 00007F8358990B55h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      xor byte ptr [eax], al
      add byte ptr [eax], al
      inc eax
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add dh, bh
      dec edx
      cmp dword ptr [esi+4C6F8B44h], eax
      mov edx, 9677A334h
      and byte ptr [eax-0Ah], cl
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add dword ptr [eax], eax
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      push esp
      dec ecx
      dec ebp
      dec edi
      dec esi
      inc ebp
      inc ebp
      push edx
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      dec esp
      xor dword ptr [eax], eax
      and edx, ebp
      mul dword ptr [edx+ecx*8+4A6F2DE6h]
      mov dword ptr [748B69F4h], eax
      salc
      dec eax
      lds ecx, fword ptr [ecx+09h]
      popad
      out dx, eax
      call far EE98h : B34D2D1Ah
      sub byte ptr [ebp+3A3EA90Eh], ah
      dec edi
      lodsd
      xor ebx, dword ptr [ecx-48EE309Ah]
      or al, 00h
      stosb
      add byte ptr [eax-2Dh], ah
      xchg eax, ebx
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      clc
      or dword ptr [eax], eax
      add cl, bl
      add eax, 0C000000h
      add byte ptr [ecx+74h], al
      push 6F697265h
      popad
      popad
      xor al, 00h
      or eax, 45000A01h
      jns 00007F8358990BC7h

      Data Directories

      | Name | Virtual Address | Virtual Size | Is in Section |
      |---|---|---|---|
      | IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12e84 | 0x28 | .text |
      | IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x16000 | 0x894 | .rsrc |
      | IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 | |
      | IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x10c | .text |
      | IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
      | IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |

      Sections

      | Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
      |---|---|---|---|---|---|---|---|---|
      | .text | 0x1000 | 0x12338 | 0x13000 | False | 0.389327199836 | data | 6.32360628392 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ |
      | .data | 0x14000 | 0x1174 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ |
      | .rsrc | 0x16000 | 0x894 | 0x1000 | False | 0.3310546875 | data | 3.03052529206 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |

      Resources

      | Name | RVA | Size | Type | Language | Country |
      |---|---|---|---|---|---|
      | RT_ICON | 0x1632c | 0x568 | GLS_BINARY_LSB_FIRST | | |
      | RT_GROUP_ICON | 0x16318 | 0x14 | data | | |
      | RT_VERSION | 0x160f0 | 0x228 | data | English | United States |

      Imports

      | DLL | Import |
      |---|---|
      | MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaCyAdd, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaR4Str, __vbaObjVar, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarAdd, __vbaVarDup, __vbaVarLateMemCallLd, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr |

      Version Infos

      | Description | Data |
      |---|---|
      | Translation | 0x0409 0x04b0 |
      | InternalName | Credo8 |
      | FileVersion | 1.00 |
      | CompanyName | Cloud Share |
      | ProductName | Effektiviteternes |
      | ProductVersion | 1.00 |
      | OriginalFilename | Credo8.exe |

      Possible Origin

      | Language of compilation system | Country where language is spoken |
      |---|---|
      | English | United States |

      Network Behavior

      No network behavior found

      System Behavior

      General

      Start time:08:46:47
      Start date:12/01/2021
      Path:C:\Users\user\Desktop\RFQ-PR#20211201.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\RFQ-PR#20211201.exe'
      Imagebase:0x400000
      File size:90112 bytes
      MD5 hash:7F460FBF235C5E678B553EDD2113D890
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Reputation:low

      Disassembly

      Code Analysis

        Executed Functions

        C-Code - Quality: 55%
        			E00411124(signed int _a4) {
        				signed int _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				char _v32;
        				intOrPtr _v36;
        				char* _v40;
        				intOrPtr _v44;
        				void* _v48;
        				signed int _v68;
        				signed int _v72;
        				char _v76;
        				char _v80;
        				char _v84;
        				char _v88;
        				char _v92;
        				signed int _v100;
        				char _v108;
        				intOrPtr _v116;
        				char _v124;
        				char* _v132;
        				intOrPtr _v140;
        				char* _v148;
        				intOrPtr _v156;
        				char* _v160;
        				char _v164;
        				signed int _v168;
        				char _v172;
        				char _v176;
        				char _v180;
        				char _v184;
        				char _v188;
        				char _v196;
        				intOrPtr _v200;
        				char _v204;
        				char* _v208;
        				char _v212;
        				signed int _v216;
        				signed int _v220;
        				intOrPtr* _v224;
        				signed int _v228;
        				signed int _v232;
        				signed int _v236;
        				signed int _v240;
        				signed int _v244;
        				signed int _v248;
        				signed int _v260;
        				signed int _v264;
        				signed int _v268;
        				signed int _v272;
        				intOrPtr* _v276;
        				signed int _v280;
        				intOrPtr* _v284;
        				signed int _v288;
        				intOrPtr* _v292;
        				signed int _v296;
        				signed int _v300;
        				intOrPtr* _v304;
        				signed int _v308;
        				intOrPtr* _v312;
        				signed int _v316;
        				signed int _v320;
        				intOrPtr* _v324;
        				signed int _v328;
        				intOrPtr* _v332;
        				signed int _v336;
        				intOrPtr* _v340;
        				signed int _v344;
        				intOrPtr* _v348;
        				signed int _v352;
        				signed int _v356;
        				intOrPtr* _v360;
        				signed int _v364;
        				intOrPtr* _v368;
        				signed int _v372;
        				intOrPtr* _v376;
        				signed int _v380;
        				signed int _v384;
        				signed int _v388;
        				intOrPtr* _v392;
        				signed int _v396;
        				intOrPtr* _v400;
        				signed int _v404;
        				signed int _t461;
        				signed int _t465;
        				signed int _t472;
        				signed int _t476;
        				char* _t480;
        				signed int _t484;
        				signed int _t491;
        				signed int _t499;
        				signed int _t503;
        				char* _t507;
        				signed int _t511;
        				signed int _t518;
        				signed int _t524;
        				signed int _t528;
        				char* _t532;
        				signed int _t536;
        				signed int _t540;
        				signed int _t544;
        				signed int _t548;
        				signed int _t552;
        				signed int _t565;
        				signed int _t574;
        				signed int _t578;
        				char* _t582;
        				signed int _t586;
        				signed int _t590;
        				signed int _t594;
        				signed int _t607;
        				signed int _t617;
        				signed int _t624;
        				signed int _t628;
        				char* _t632;
        				signed int _t636;
        				char* _t650;
        				void* _t651;
        				signed int* _t685;
        				char* _t708;
        				void* _t709;
        				void* _t716;
        				intOrPtr _t723;
        				void* _t725;
        				void* _t726;
        				void* _t727;
        				intOrPtr* _t729;
        
        				 *[fs:0x0] = _t723;
        				L004011D0();
        				_v16 = _t723;
        				_v12 = 0x401140;
        				_v8 = _a4 & 0x00000001;
        				_a4 = _a4 & 0xfffffffe;
        				 *((intOrPtr*)( *_a4 + 4))(_a4, _t709, _t716, _t651,  *[fs:0x0], 0x4011d6);
        				if( *0x414010 != 0) {
        					_v276 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v276 = 0x414010;
        				}
        				_t461 =  &_v80;
        				L00401332();
        				_v216 = _t461;
        				_t465 =  *((intOrPtr*)( *_v216 + 0x70))(_v216,  &_v68, _t461,  *((intOrPtr*)( *((intOrPtr*)( *_v276)) + 0x304))( *_v276));
        				asm("fclex");
        				_v220 = _t465;
        				if(_v220 >= 0) {
        					_v280 = _v280 & 0x00000000;
        				} else {
        					_push(0x70);
        					_push(0x40271c);
        					_push(_v216);
        					_push(_v220);
        					L00401326();
        					_v280 = _t465;
        				}
        				_v260 = _v68;
        				_v68 = _v68 & 0x00000000;
        				_v100 = _v260;
        				_v108 = 8;
        				_push(0);
        				_push( &_v108); // executed
        				L00401338(); // executed
        				L0040133E();
        				L00401320();
        				L0040131A();
        				if( *0x414010 != 0) {
        					_v284 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v284 = 0x414010;
        				}
        				_t472 =  &_v80;
        				L00401332();
        				_v216 = _t472;
        				_t476 =  *((intOrPtr*)( *_v216 + 0x150))(_v216,  &_v68, _t472,  *((intOrPtr*)( *((intOrPtr*)( *_v284)) + 0x2fc))( *_v284));
        				asm("fclex");
        				_v220 = _t476;
        				if(_v220 >= 0) {
        					_v288 = _v288 & 0x00000000;
        				} else {
        					_push(0x150);
        					_push(0x40272c);
        					_push(_v216);
        					_push(_v220);
        					L00401326();
        					_v288 = _t476;
        				}
        				if( *0x414010 != 0) {
        					_v292 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v292 = 0x414010;
        				}
        				_t480 =  &_v84;
        				L00401332();
        				_v224 = _t480;
        				_t484 =  *((intOrPtr*)( *_v224 + 0x48))(_v224,  &_v72, _t480,  *((intOrPtr*)( *((intOrPtr*)( *_v292)) + 0x300))( *_v292));
        				asm("fclex");
        				_v228 = _t484;
        				if(_v228 >= 0) {
        					_v296 = _v296 & 0x00000000;
        				} else {
        					_push(0x48);
        					_push(0x40272c);
        					_push(_v224);
        					_push(_v228);
        					L00401326();
        					_v296 = _t484;
        				}
        				_v148 = L"Komparenten7";
        				_v156 = 8;
        				_v264 = _v72;
        				_v72 = _v72 & 0x00000000;
        				L0040133E();
        				_v100 = 0x39d6fa;
        				_v108 = 3;
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_t491 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, _v68,  &_v108, 0x1c137100, 0x5afa,  &_v76, 0x10, 0x7922bc);
        				_v232 = _t491;
        				if(_v232 >= 0) {
        					_v300 = _v300 & 0x00000000;
        				} else {
        					_push(0x6f8);
        					_push(0x402470);
        					_push(_a4);
        					_push(_v232);
        					L00401326();
        					_v300 = _t491;
        				}
        				_push( &_v76);
        				_push( &_v68);
        				_push(2);
        				L00401314();
        				_push( &_v84);
        				_push( &_v80);
        				_push(2);
        				L0040130E();
        				_t725 = _t723 + 0x18;
        				L0040131A();
        				if( *0x414010 != 0) {
        					_v304 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v304 = 0x414010;
        				}
        				_t499 =  &_v80;
        				L00401332();
        				_v216 = _t499;
        				_t503 =  *((intOrPtr*)( *_v216 + 0x1c0))(_v216,  &_v160, _t499,  *((intOrPtr*)( *((intOrPtr*)( *_v304)) + 0x300))( *_v304));
        				asm("fclex");
        				_v220 = _t503;
        				if(_v220 >= 0) {
        					_v308 = _v308 & 0x00000000;
        				} else {
        					_push(0x1c0);
        					_push(0x40272c);
        					_push(_v216);
        					_push(_v220);
        					L00401326();
        					_v308 = _t503;
        				}
        				if( *0x414010 != 0) {
        					_v312 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v312 = 0x414010;
        				}
        				_t507 =  &_v84;
        				L00401332();
        				_v224 = _t507;
        				_t511 =  *((intOrPtr*)( *_v224 + 0x78))(_v224,  &_v164, _t507,  *((intOrPtr*)( *((intOrPtr*)( *_v312)) + 0x2fc))( *_v312));
        				asm("fclex");
        				_v228 = _t511;
        				if(_v228 >= 0) {
        					_v316 = _v316 & 0x00000000;
        				} else {
        					_push(0x78);
        					_push(0x40272c);
        					_push(_v224);
        					_push(_v228);
        					L00401326();
        					_v316 = _t511;
        				}
        				_v168 = _v164;
        				_v132 = _v160;
        				_v140 = 3;
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_t518 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, 0x10,  &_v168,  &_v172);
        				_v232 = _t518;
        				if(_v232 >= 0) {
        					_v320 = _v320 & 0x00000000;
        				} else {
        					_push(0x6fc);
        					_push(0x402470);
        					_push(_a4);
        					_push(_v232);
        					L00401326();
        					_v320 = _t518;
        				}
        				_v32 = _v172;
        				_push( &_v84);
        				_push( &_v80);
        				_push(2);
        				L0040130E();
        				_t726 = _t725 + 0xc;
        				if( *0x414010 != 0) {
        					_v324 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v324 = 0x414010;
        				}
        				_t524 =  &_v80;
        				L00401332();
        				_v216 = _t524;
        				_t528 =  *((intOrPtr*)( *_v216 + 0x170))(_v216,  &_v160, _t524,  *((intOrPtr*)( *((intOrPtr*)( *_v324)) + 0x300))( *_v324));
        				asm("fclex");
        				_v220 = _t528;
        				if(_v220 >= 0) {
        					_v328 = _v328 & 0x00000000;
        				} else {
        					_push(0x170);
        					_push(0x40272c);
        					_push(_v216);
        					_push(_v220);
        					L00401326();
        					_v328 = _t528;
        				}
        				if( *0x414010 != 0) {
        					_v332 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v332 = 0x414010;
        				}
        				_t532 =  &_v84;
        				L00401332();
        				_v224 = _t532;
        				_t536 =  *((intOrPtr*)( *_v224 + 0x60))(_v224,  &_v164, _t532,  *((intOrPtr*)( *((intOrPtr*)( *_v332)) + 0x304))( *_v332));
        				asm("fclex");
        				_v228 = _t536;
        				if(_v228 >= 0) {
        					_v336 = _v336 & 0x00000000;
        				} else {
        					_push(0x60);
        					_push(0x40271c);
        					_push(_v224);
        					_push(_v228);
        					L00401326();
        					_v336 = _t536;
        				}
        				if( *0x414010 != 0) {
        					_v340 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v340 = 0x414010;
        				}
        				_t540 =  &_v88;
        				L00401332();
        				_v232 = _t540;
        				_t544 =  *((intOrPtr*)( *_v232 + 0x80))(_v232,  &_v168, _t540,  *((intOrPtr*)( *((intOrPtr*)( *_v340)) + 0x300))( *_v340));
        				asm("fclex");
        				_v236 = _t544;
        				if(_v236 >= 0) {
        					_v344 = _v344 & 0x00000000;
        				} else {
        					_push(0x80);
        					_push(0x40272c);
        					_push(_v232);
        					_push(_v236);
        					L00401326();
        					_v344 = _t544;
        				}
        				if( *0x414010 != 0) {
        					_v348 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v348 = 0x414010;
        				}
        				_t548 =  &_v92;
        				L00401332();
        				_v240 = _t548;
        				_t552 =  *((intOrPtr*)( *_v240 + 0x78))(_v240,  &_v172, _t548,  *((intOrPtr*)( *((intOrPtr*)( *_v348)) + 0x300))( *_v348));
        				asm("fclex");
        				_v244 = _t552;
        				if(_v244 >= 0) {
        					_v352 = _v352 & 0x00000000;
        				} else {
        					_push(0x78);
        					_push(0x40272c);
        					_push(_v240);
        					_push(_v244);
        					L00401326();
        					_v352 = _t552;
        				}
        				_t685 =  &_v68;
        				L00401308();
        				_v184 = _v172;
        				_v180 = 0x81ccb9;
        				_v196 =  *0x401138;
        				_v100 = _v164;
        				_v108 = 3;
        				_v132 = L"Diarch4";
        				_v140 = 8;
        				_v176 = _v160;
        				_v280 =  *0x401130;
        				_v288 = _v168;
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_t565 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v176, 0x10,  &_v108,  &_v196,  &_v180, _t685,  &_v184, _t685,  &_v68,  &_v188);
        				_v248 = _t565;
        				if(_v248 >= 0) {
        					_v356 = _v356 & 0x00000000;
        				} else {
        					_push(0x700);
        					_push(0x402470);
        					_push(_a4);
        					_push(_v248);
        					L00401326();
        					_v356 = _t565;
        				}
        				_v36 = _v188;
        				L00401302();
        				_push( &_v92);
        				_push( &_v88);
        				_push( &_v84);
        				_push( &_v80);
        				_push(4);
        				L0040130E();
        				_t727 = _t726 + 0x14;
        				L0040131A();
        				if( *0x414010 != 0) {
        					_v360 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v360 = 0x414010;
        				}
        				_t574 =  &_v80;
        				L00401332();
        				_v216 = _t574;
        				_t578 =  *((intOrPtr*)( *_v216 + 0x60))(_v216,  &_v160, _t574,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x30c))( *_v360));
        				asm("fclex");
        				_v220 = _t578;
        				if(_v220 >= 0) {
        					_v364 = _v364 & 0x00000000;
        				} else {
        					_push(0x60);
        					_push(0x40271c);
        					_push(_v216);
        					_push(_v220);
        					L00401326();
        					_v364 = _t578;
        				}
        				if( *0x414010 != 0) {
        					_v368 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v368 = 0x414010;
        				}
        				_t582 =  &_v84;
        				L00401332();
        				_v224 = _t582;
        				_t586 =  *((intOrPtr*)( *_v224 + 0x1c0))(_v224,  &_v164, _t582,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x300))( *_v368));
        				asm("fclex");
        				_v228 = _t586;
        				if(_v228 >= 0) {
        					_v372 = _v372 & 0x00000000;
        				} else {
        					_push(0x1c0);
        					_push(0x40272c);
        					_push(_v224);
        					_push(_v228);
        					L00401326();
        					_v372 = _t586;
        				}
        				if( *0x414010 != 0) {
        					_v376 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v376 = 0x414010;
        				}
        				_t590 =  &_v88;
        				L00401332();
        				_v232 = _t590;
        				_t594 =  *((intOrPtr*)( *_v232 + 0xa0))(_v232,  &_v68, _t590,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x300))( *_v376));
        				asm("fclex");
        				_v236 = _t594;
        				if(_v236 >= 0) {
        					_v380 = _v380 & 0x00000000;
        				} else {
        					_push(0xa0);
        					_push(0x40272c);
        					_push(_v232);
        					_push(_v236);
        					L00401326();
        					_v380 = _t594;
        				}
        				_v116 = 0x6451d2;
        				_v124 = 3;
        				_v268 = _v68;
        				_v68 = _v68 & 0x00000000;
        				_v100 = _v268;
        				_v108 = 8;
        				_v204 = 0xfb4cd7f0;
        				_v200 = 0x5af3;
        				_v168 = _v160;
        				_v132 = 0x4b712a;
        				_v140 = 3;
        				_v196 =  *0x401128;
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_t607 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v196, L"Holocentridae2", 0x10, 0x5ac5,  &_v168, _v164,  &_v204, 0x10,  &_v124,  &_v212);
        				_v240 = _t607;
        				if(_v240 >= 0) {
        					_v384 = _v384 & 0x00000000;
        				} else {
        					_push(0x704);
        					_push(0x402470);
        					_push(_a4);
        					_push(_v240);
        					L00401326();
        					_v384 = _t607;
        				}
        				_v44 = _v212;
        				_v40 = _v208;
        				L0040130E();
        				L004012FC();
        				_t729 = _t727 + 0x1c;
        				_t617 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v108,  &_v124, 3,  &_v80,  &_v84,  &_v88);
        				asm("fclex");
        				_v216 = _t617;
        				if(_v216 >= 0) {
        					_v388 = _v388 & 0x00000000;
        				} else {
        					_push(0x2b4);
        					_push(0x402440);
        					_push(_a4);
        					_push(_v216);
        					L00401326();
        					_v388 = _t617;
        				}
        				while(1) {
        					 *((intOrPtr*)( *_a4 + 0x70c))(_a4);
        					if( *0x414010 != 0) {
        						_v392 = 0x414010;
        					} else {
        						_push(0x414010);
        						_push(0x402ba8);
        						L0040132C();
        						_v392 = 0x414010;
        					}
        					_t624 =  &_v80;
        					L00401332();
        					_v216 = _t624;
        					_t628 =  *((intOrPtr*)( *_v216 + 0x60))(_v216,  &_v160, _t624,  *((intOrPtr*)( *((intOrPtr*)( *_v392)) + 0x2fc))( *_v392));
        					asm("fclex");
        					_v220 = _t628;
        					if(_v220 >= 0) {
        						_v396 = _v396 & 0x00000000;
        					} else {
        						_push(0x60);
        						_push(0x40272c);
        						_push(_v216);
        						_push(_v220);
        						L00401326();
        						_v396 = _t628;
        					}
        					if( *0x414010 != 0) {
        						_v400 = 0x414010;
        					} else {
        						_push(0x414010);
        						_push(0x402ba8);
        						L0040132C();
        						_v400 = 0x414010;
        					}
        					_t632 =  &_v84;
        					L00401332();
        					_v224 = _t632;
        					_t636 =  *((intOrPtr*)( *_v224 + 0xa0))(_v224,  &_v68, _t632,  *((intOrPtr*)( *((intOrPtr*)( *_v400)) + 0x2fc))( *_v400));
        					asm("fclex");
        					_v228 = _t636;
        					if(_v228 >= 0) {
        						_v404 = _v404 & 0x00000000;
        					} else {
        						_push(0xa0);
        						_push(0x40272c);
        						_push(_v224);
        						_push(_v228);
        						L00401326();
        						_v404 = _t636;
        					}
        					_v196 =  *0x401120;
        					_t708 = L"Seksualklinikken9";
        					L00401308();
        					_v272 = _v68;
        					_v68 = _v68 & 0x00000000;
        					_v116 = _v272;
        					_v124 = 8;
        					_v100 = _v160;
        					_v108 = 3;
        					L004011D0();
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					asm("movsd");
        					 *_t729 =  *0x401118;
        					 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v72,  &_v108, 0x10,  &_v72,  &_v196);
        					L00401302();
        					_push( &_v84);
        					_push( &_v80);
        					_push(2);
        					L0040130E();
        					_push( &_v124);
        					_t650 =  &_v108;
        					_push(_t650);
        					_push(2);
        					L004012FC();
        					_t729 = _t729 + 0x18;
        					_push(1);
        					L004012F0();
        					_push(_t708);
        					_push(_t650);
        					_push(_v40);
        					_push(_v44);
        					L004012F6();
        					_v44 = _t650;
        					_v40 = _t708;
        					_push(_v40);
        					_push(_v44);
        					L004012EA();
        					if(_t650 >= 0) {
        						break;
        					}
        				}
        				goto __ebx;
        			}


        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00411142
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,004011D6), ref: 00411184
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004111BD
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040271C,00000070), ref: 00411201
        • #645.MSVBVM60(00000008,00000000), ref: 00411238
        • __vbaStrMove.MSVBVM60(00000008,00000000), ref: 00411242
        • __vbaFreeObj.MSVBVM60(00000008,00000000), ref: 0041124A
        • __vbaFreeVar.MSVBVM60(00000008,00000000), ref: 00411252
        • __vbaNew2.MSVBVM60(00402BA8,00414010,00000008,00000000), ref: 0041126A
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004112A3
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000150), ref: 004112ED
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411314
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041134D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000048), ref: 00411391
        • __vbaStrMove.MSVBVM60(00000000,?,0040272C,00000048), ref: 004113CF
        • __vbaChkstk.MSVBVM60(007922BC), ref: 004113EA
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402470,000006F8), ref: 00411440
        • __vbaFreeStrList.MSVBVM60(00000002,00000000,?), ref: 0041145E
        • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,004011D6), ref: 00411470
        • __vbaFreeVar.MSVBVM60(?,?,?,?,?,004011D6), ref: 0041147B
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,?,004011D6), ref: 00411493
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004114CC
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000001C0), ref: 00411519
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411540
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411579
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000078), ref: 004115C0
        • __vbaChkstk.MSVBVM60(?,?), ref: 00411604
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402470,000006FC), ref: 00411645
        • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041166C
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,?,?,?,?,004011D6), ref: 00411687
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004116C0
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000170), ref: 0041170D
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411734
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 0041176D
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040271C,00000060), ref: 004117B4
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 004117DB
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411814
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000080), ref: 00411861
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411888
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004118C1
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000078), ref: 00411908
        • __vbaStrCopy.MSVBVM60(00000000,?,0040272C,00000078), ref: 00411924
        • __vbaChkstk.MSVBVM60(00000003,?,0081CCB9,?,?,?,?,?), ref: 004119B3
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402470,00000700,?,?,?,?,?), ref: 004119FB
        • __vbaFreeStr.MSVBVM60(?,?,?,?,?), ref: 00411A1B
        • __vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,?,?,?), ref: 00411A32
        • __vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00411A3D
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,?,?,?,?,?,?,?,?,?,004011D6), ref: 00411A55
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411A8E
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040271C,00000060), ref: 00411AD5
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411AFC
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411B35
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000001C0), ref: 00411B82
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00411BA9
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411BE2
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000000A0), ref: 00411C2C
        • __vbaChkstk.MSVBVM60(00000003,?), ref: 00411CB6
        • __vbaChkstk.MSVBVM60(00005AC5,?,?,FB4CD7F0,00000003,?), ref: 00411CE0
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402470,00000704), ref: 00411D2D
        • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00411D61
        • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00411D73
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401140,00402440,000002B4), ref: 00411DAD
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,00000001), ref: 00411DE2
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411E1B
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,00000060), ref: 00411E62
        • __vbaNew2.MSVBVM60(00402BA8,00414010,00000000,?,0040272C,00000060), ref: 00411E89
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00411EC2
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000000A0), ref: 00411F0C
        • __vbaStrCopy.MSVBVM60(00000000,?,0040272C,000000A0), ref: 00411F34
        • __vbaChkstk.MSVBVM60(?,?), ref: 00411F74
        • __vbaFreeStr.MSVBVM60(?,00000003,?,?), ref: 00411FA1
        • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000003,?,?), ref: 00411FB0
        • __vbaFreeVarList.MSVBVM60(00000002,00000003,?), ref: 00411FC2
        • __vbaCyI2.MSVBVM60(00000001), ref: 00411FCC
        • __vbaCyAdd.MSVBVM60(?,?,00000000,?,00000001), ref: 00411FD9
        • __vbaFpCmpCy.MSVBVM60(?,?,?,?,00000000,?,00000001), ref: 00411FF0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$CopyMove$#645
        • String ID: *qK$Diarch4$Holocentridae2$Komparenten7$Seksualklinikken9$centennial
        • API String ID: 3649353455-958078613
        • Opcode ID: 7a54103f50c8969bb11e2ebb534764ef3885d8a6dfa10551285c07b7d8bec714
        • Instruction ID: 3889a7ac47ea2abaa3c11f190616f45ae455a7a9f5ade9a97a96f0d0bd7f56e4
        • Opcode Fuzzy Hash: 7a54103f50c8969bb11e2ebb534764ef3885d8a6dfa10551285c07b7d8bec714
        • Instruction Fuzzy Hash: 8392E5B1900228DFDB21DFA1CC49BDDBBB5BB08304F1044EAE609BB2A1D7795A85DF54
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 43%
        			E00412209(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a28) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v28;
        				char _v32;
        				void* _v48;
        				void* _v64;
        				char _v68;
        				char _v72;
        				char _v76;
        				intOrPtr _v84;
        				char _v92;
        				char _v108;
        				signed int _v116;
        				char _v124;
        				char* _v132;
        				intOrPtr _v140;
        				void* _v160;
        				signed int _v164;
        				signed int _v168;
        				signed int _v180;
        				intOrPtr* _v184;
        				signed int _v188;
        				intOrPtr _t91;
        				signed int _t95;
        				char* _t98;
        				signed int _t107;
        				signed int _t111;
        				char* _t116;
        				signed int _t117;
        				char* _t118;
        				void* _t152;
        				void* _t154;
        				intOrPtr _t155;
        
        				_t155 = _t154 - 0xc;
        				 *[fs:0x0] = _t155;
        				L004011D0();
        				_v16 = _t155;
        				_v12 = 0x401150;
        				_v8 = 0;
        				_t91 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, _t152);
        				L00401308();
        				L004012CC();
        				L004012B4();
        				L0040133E();
        				L004012B4();
        				L0040133E();
        				L004012B4();
        				_v84 = _t91;
        				_v92 = 8;
        				_v132 = L"tryms";
        				_v140 = 8;
        				_t95 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v76, 0x402898, _t91, L"ictureBo", _t91, 0x402878, "VB.");
        				asm("fclex");
        				_v164 = _t95;
        				if(_v164 >= 0) {
        					_v180 = _v180 & 0x00000000;
        				} else {
        					_push(0x218);
        					_push(0x402440);
        					_push(_a4);
        					_push(_v164);
        					L00401326();
        					_v180 = _t95;
        				}
        				_push(0x10);
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_push(0x10);
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_push(2);
        				_push(L"Add");
        				_push(_v76);
        				_t98 =  &_v108;
        				_push(_t98); // executed
        				L004012BA(); // executed
        				_push(_t98);
        				L004012C0();
        				_push(_t98);
        				_push( &_v32);
        				L004012C6();
        				_push( &_v72);
        				_push( &_v68);
        				_push(2);
        				L00401314();
        				L00401320();
        				_push( &_v108);
        				_push( &_v92);
        				_push(2);
        				L004012FC();
        				if( *0x414010 != 0) {
        					_v184 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v184 = 0x414010;
        				}
        				_t107 =  &_v76;
        				L00401332();
        				_v164 = _t107;
        				_t111 =  *((intOrPtr*)( *_v164 + 0x1e8))(_v164,  &_v160, _t107,  *((intOrPtr*)( *((intOrPtr*)( *_v184)) + 0x2fc))( *_v184));
        				asm("fclex");
        				_v168 = _t111;
        				if(_v168 >= 0) {
        					_v188 = _v188 & 0x00000000;
        				} else {
        					_push(0x1e8);
        					_push(0x40272c);
        					_push(_v164);
        					_push(_v168);
        					L00401326();
        					_v188 = _t111;
        				}
        				_v116 = _v160;
        				_v124 = 2;
        				_push(0x10);
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_push(L"Left");
        				_push(_v32);
        				L004012AE();
        				L00401320();
        				_v116 = 0x1ea5;
        				_v124 = 2;
        				_push(0x10);
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_push(L"Top");
        				_push(_v32);
        				L004012AE();
        				_v116 = _v116 | 0xffffffff;
        				_v124 = 0xb;
        				_push(0x10);
        				L004011D0();
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				asm("movsd");
        				_push(L"Visible");
        				_push(_v32);
        				L004012AE();
        				_v116 = _v116 | 0xffffffff;
        				_v124 = 0x800b;
        				_push(0);
        				_push(L"Enabled");
        				_push(_v32);
        				_t116 =  &_v92;
        				_push(_t116);
        				L004012BA();
        				_push(_t116);
        				_t117 =  &_v124;
        				_push(_t117);
        				L004012A8();
        				_v164 = _t117;
        				L0040131A();
        				_t118 = _v164;
        				if(_t118 != 0) {
        					_push(0x4028ec);
        					_push(0x4028ec);
        					L004012A2();
        					if(_t118 == 0) {
        						_t118 =  &_v92;
        						_push(_t118);
        						L00401296();
        						L0040129C();
        					}
        				}
        				_push(0x412571);
        				L00401302();
        				L00401320();
        				L0040131A();
        				L0040131A();
        				return _t118;
        			}

        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00412227
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 00412251
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 0041225C
        • __vbaStrCat.MSVBVM60(00402878,VB.,?,?,?,?,004011D6), ref: 0041226B
        • __vbaStrMove.MSVBVM60(00402878,VB.,?,?,?,?,004011D6), ref: 00412275
        • __vbaStrCat.MSVBVM60(ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 00412280
        • __vbaStrMove.MSVBVM60(ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 0041228A
        • __vbaStrCat.MSVBVM60(00402898,00000000,ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 00412295
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401150,00402440,00000218), ref: 004122EB
        • __vbaChkstk.MSVBVM60(00000000,00401150,00402440,00000218), ref: 00412302
        • __vbaChkstk.MSVBVM60(00000000,00401150,00402440,00000218), ref: 00412313
        • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00412332
        • __vbaObjVar.MSVBVM60(00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 0041233B
        • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 00412345
        • __vbaFreeStrList.MSVBVM60(00000002,00000000,00000000,?,00000000,00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.), ref: 00412354
        • __vbaFreeObj.MSVBVM60(?,00000000,00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.,?,?,?,?,004011D6), ref: 0041235F
        • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000,00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.), ref: 0041236E
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,00000000,00000000,?,00402898,00000000,ictureBo,00000000,00402878,VB.), ref: 00412389
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 004123C2
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000001E8), ref: 0041240F
        • __vbaChkstk.MSVBVM60(00000000,?,0040272C,000001E8), ref: 00412438
        • __vbaLateMemSt.MSVBVM60(?,Left), ref: 0041244E
        • __vbaFreeObj.MSVBVM60(?,Left), ref: 00412456
        • __vbaChkstk.MSVBVM60(?,Left), ref: 0041246C
        • __vbaLateMemSt.MSVBVM60(?,Top,?,Left), ref: 00412482
        • __vbaChkstk.MSVBVM60(?,Top,?,Left), ref: 00412495
        • __vbaLateMemSt.MSVBVM60(?,Visible,?,Top,?,Left), ref: 004124AB
        • __vbaLateMemCallLd.MSVBVM60(?,?,Enabled,00000000,?,Visible,?,Top,?,Left), ref: 004124C9
        • __vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000,ictureBo), ref: 004124D6
        • __vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000,ictureBo), ref: 004124E5
        • __vbaStrCmp.MSVBVM60(004028EC,004028EC,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898), ref: 004124FF
        • #546.MSVBVM60(?,004028EC,004028EC,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 0041250C
        • __vbaVarMove.MSVBVM60(?,004028EC,004028EC,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00412517
        • __vbaFreeStr.MSVBVM60(00412571,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000), ref: 00412553
        • __vbaFreeObj.MSVBVM60(00412571,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000), ref: 0041255B
        • __vbaFreeVar.MSVBVM60(00412571,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000), ref: 00412563
        • __vbaFreeVar.MSVBVM60(00412571,?,00000000,?,?,?,?,?,?,?,?,00000000,00000000,?,00402898,00000000), ref: 0041256B
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$Chkstk$Late$Move$CallCheckHresultList$#546AddrefCopyNew2
        • String ID: Add$Enabled$Left$Top$VB.$Visible$ictureBo
        • API String ID: 2967171306-3546694788
        • Opcode ID: ae2a6e3c5f190c1c4236bb7dd001c6a01cb48d27d79e055d8ac9f9d016b6f3ec
        • Instruction ID: 2ff4d40a270ec4077ce0a0e3e0c23f8315790b57629b9496bb2fc088835d0882
        • Opcode Fuzzy Hash: ae2a6e3c5f190c1c4236bb7dd001c6a01cb48d27d79e055d8ac9f9d016b6f3ec
        • Instruction Fuzzy Hash: FF915D75D00208ABDB10EFA1CC46BDEBB75BF08704F5041AAF905BB1E2DBB85985CB59
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 46%
        			E00412B2B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				void* _v24;
        				intOrPtr _v32;
        				char _v40;
        				char* _t11;
        				intOrPtr _t22;
        
        				_push(0x4011d6);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t22;
        				_push(0x28);
        				L004011D0();
        				_v12 = _t22;
        				_v8 = 0x401198;
        				_v32 = 0x17;
        				_v40 = 2;
        				_push(0xfffffffe);
        				_push(0xfffffffe);
        				_push(0xfffffffe);
        				_push(0xffffffff);
        				_t11 =  &_v40;
        				_push(_t11); // executed
        				L00401284(); // executed
        				L0040133E();
        				L0040131A();
        				_push(0x412ba2);
        				L00401302();
        				return _t11;
        			}

        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00412B46
        • #702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412B72
        • __vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412B7C
        • __vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412B84
        • __vbaFreeStr.MSVBVM60(00412BA2,00000002,000000FF,000000FE,000000FE,000000FE,?,?,?,?,?,?,004011D6), ref: 00412B9C
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$#702ChkstkMove
        • String ID:
        • API String ID: 3665094559-0
        • Opcode ID: 6c706117bd3f121bdfcc1a177522e02fedd55c1aeb7ec265e0129e5918486587
        • Instruction ID: 9da6ad19345e9a975e8ad1c1f34dc2d0f685cfa5996c12a1557b37407c3e622e
        • Opcode Fuzzy Hash: 6c706117bd3f121bdfcc1a177522e02fedd55c1aeb7ec265e0129e5918486587
        • Instruction Fuzzy Hash: 3FF04F70804249BADB04DF96CE46FDEB7B8EB05724F70436AB021765E1DAB82E048768
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 15%
        			_entry_(signed int __eax, signed int __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __fp0) {
        				signed int _t53;
        				signed int _t54;
        				intOrPtr* _t55;
        				intOrPtr* _t56;
        				signed int _t57;
        				signed char _t58;
        				signed char _t60;
        				intOrPtr* _t64;
        				signed int _t69;
        				intOrPtr* _t70;
        				signed int _t76;
        				void* _t80;
        				void* _t82;
        				void* _t85;
        				signed int _t88;
        				void* _t89;
        				void* _t90;
        				intOrPtr _t93;
        				intOrPtr _t100;
        				intOrPtr _t102;
        				void* _t105;
        
        				_t105 = __fp0;
        				_push("VB5!6&*"); // executed
        				L00401356(); // executed
        				 *__eax =  *__eax + __eax;
        				 *__eax =  *__eax + __eax;
        				 *__eax =  *__eax + __eax;
        				 *__eax =  *__eax ^ __eax;
        				 *__eax =  *__eax + __eax;
        				_t53 = __eax + 1;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *(_t53 - 0xa) =  *(_t53 - 0xa) & __ecx;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				_push(_t89);
        				_t69 = __ecx - 1;
        				_t82 = __esi - 1;
        				_t88 = _t85 - 1 + 2;
        				_push(0x9677a334);
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				 *_t53 =  *_t53 + _t53;
        				_t90 = _t89 - 1;
        				 *_t53 =  *_t53 ^ _t53;
        				_t76 = _t53 *  *((0x9677a334 & _t88) + 0x4a6f2de6 + _t69 * 8) >> 0x20;
        				_t54 = _t53 *  *(0x9677a334 + 0x4a6f2de6 + _t69 * 8);
        				 *0x748b69f4 = _t54;
        				asm("salc");
        				_t55 = _t54 - 1;
        				asm("lds ecx, [ecx+0x9]");
        				asm("popad");
        				asm("out dx, eax");
        				0xee98();
        				 *((intOrPtr*)(_t88 + 0x3a3ea90e)) =  *((intOrPtr*)(_t88 + 0x3a3ea90e)) - _t55;
        				_t80 = __edi;
        				asm("lodsd");
        				_t56 = _t55;
        				asm("stosb");
        				 *((intOrPtr*)(_t56 - 0x2d)) =  *((intOrPtr*)(_t56 - 0x2d)) + _t56;
        				_t57 = __ebx ^  *(_t69 - 0x48ee309a);
        				_t64 = _t56;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				 *_t57 =  *_t57 + _t57;
        				asm("clc");
        				 *_t57 =  *_t57 | _t57;
        				_t70 = _t69 + _t64;
        				_t58 = _t57 + 0xc000000;
        				 *((intOrPtr*)(_t70 + 0x74)) =  *((intOrPtr*)(_t70 + 0x74)) + _t58;
        				_push(0x6f697265);
        				asm("a16 popad");
        				asm("popad");
        				_t60 = _t58 ^ 0x00000000 | 0x45000a01;
        				while(1) {
        					 *_t76 =  *_t76 + _t70;
        					_t22 = _t88 + 0x79;
        					 *_t22 =  *((intOrPtr*)(_t88 + 0x79)) + _t60;
        					_t93 =  *_t22;
        					while(1) {
        						asm("gs insb");
        						asm("insb");
        						asm("popad");
        						if(_t93 < 0) {
        							if(_t93 < 0) {
        								 *_t70 =  *_t70 + _t64;
        								 *_t60 =  *_t60 + _t60;
        								_t76 = _t76 + 1;
        								 *_t76 =  *_t76 + _t60;
        								 *_t64 =  *_t64 + _t90;
        								_t24 = _t60;
        								_t60 =  *0x746c0000;
        								 *0x746c0000 = _t24;
        								 *_t60 =  *_t60 + _t60;
        								if( *_t60 > 0) {
        									 *_t60 =  *_t60 + _t60;
        									 *_t60 =  *_t60 + _t60;
        									 *_t60 =  *_t60 + _t60;
        								}
        								 *_t70 =  *_t70 + _t60;
        								 *_t60 =  *_t60 + _t76;
        								asm("adc [eax], al");
        								 *_t70 =  *_t70 + _t60;
        								 *_t60 =  *_t60 + _t70;
        								 *((intOrPtr*)(_t60 + 5)) =  *((intOrPtr*)(_t60 + 5)) + _t70;
        								 *_t60 =  *_t60 + _t60;
        								_push(ss);
        								 *_t60 =  *_t60 + _t60;
        								 *_t60 =  *_t60 + _t70;
        								 *_t60 =  *_t60 + _t60;
        								L9:
        								 *_t60 =  *_t60 + _t60;
        								asm("adc [eax], al");
        								 *_t60 =  *_t60 + _t60;
        								L10:
        								 *_t60 =  *_t60 + _t60;
        								 *_t60 =  *_t60 + _t60;
        								 *_t70 =  *_t70 + _t60;
        								 *_t60 =  *_t60 + _t70;
        							}
        							 *_t60 =  *_t60 | _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							_t60 = _t60 + 1;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							 *_t60 =  *_t60 + _t60;
        							_t27 = _t80 - 0x66;
        							 *_t27 =  *((intOrPtr*)(_t80 - 0x66)) + _t76;
        							_t100 =  *_t27;
        						}
        						asm("retf");
        						_t31 = _t76 - 0x59;
        						 *_t31 =  *((intOrPtr*)(_t76 - 0x59)) + _t70;
        						_t102 =  *_t31;
        						asm("rol dword [eax], cl");
        						_push(0xffffffa8);
        						asm("rol dword [eax], cl");
        						_push(0x6700d5a8);
        						asm("lodsb");
        						_push(0xffffffab);
        						_t105 = _t105 +  *_t60 +  *_t60;
        						if(_t102 >= 0) {
        							goto L9;
        						}
        						asm("aad 0x0");
        						if(_t102 < 0) {
        							goto L10;
        						}
        						asm("fiadd dword [eax]");
        						asm("insd");
        						 *((intOrPtr*)(_t82 - 0x4b)) =  *((intOrPtr*)(_t82 - 0x4b)) + 0xe5;
        						goto 0xe8f57eb9;
        						 *((intOrPtr*)(_t80 - 0x45)) =  *((intOrPtr*)(_t80 - 0x45)) + _t64;
        						 *((intOrPtr*)(_t60 - 0x66)) =  *((intOrPtr*)(_t60 - 0x66)) + _t76;
        					}
        				}
        			}

        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: #100
        • String ID: VB5!6&*
        • API String ID: 1341478452-3593831657
        • Opcode ID: 26cbd66f12ada51bbe12e1d38359e916d4a7366ca4171c24dc20939117664712
        • Instruction ID: 317410eaeaf5a28c6eb34111c82dbd390bf55d3aba4c966721f39f4ac0e76b70
        • Opcode Fuzzy Hash: 26cbd66f12ada51bbe12e1d38359e916d4a7366ca4171c24dc20939117664712
        • Instruction Fuzzy Hash: C351966158E7D18FD3038BB498291917FB0AE9326835E42EBC481DF0F3D1AD4C4ACB66
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: eae7f603d2a53e7a17b8abeef325f21922e8350281bd04b46e7e1b57f22b20de
        • Instruction ID: 83eacc33aef8c0a95ac33feea440880c52c6b990944c276999ca3a208005104c
        • Opcode Fuzzy Hash: eae7f603d2a53e7a17b8abeef325f21922e8350281bd04b46e7e1b57f22b20de
        • Instruction Fuzzy Hash: 464142E1EAF303D9E26CA91048805F561ADAA4FB58532B977894F331C7417C3623B96F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 66c1248a414894d0e8975d6793e667bab4c93ad4910da99cce3d711aca6e0fd5
        • Instruction ID: d2039b042900ab02775c49ad82f3b9cf1553ffd71db55e059d80b930c7c4d16c
        • Opcode Fuzzy Hash: 66c1248a414894d0e8975d6793e667bab4c93ad4910da99cce3d711aca6e0fd5
        • Instruction Fuzzy Hash: 924178E1EAF343D9E268942058804F5669DA60FB58131B9B7C94F372C7813C3617B59F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 77698b07ea378370f1c35b86f36d5061d4b14197a2070cea336d42eafdc60540
        • Instruction ID: acdb0b31893da820297133263e8709fcb24b2676c13e825c4c8f4b0ad84e0b48
        • Opcode Fuzzy Hash: 77698b07ea378370f1c35b86f36d5061d4b14197a2070cea336d42eafdc60540
        • Instruction Fuzzy Hash: ED4133E1EAF343D9E268A91048804F5669DAA0FB58132B9B7C90F371C7513C3623B59F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 738aceffe3baad55e29067768cfd077827f50d2ad61c54309ffc0f0fa488ca1f
        • Instruction ID: df106df897589fa80fea5df994886e9d7fc4e576c73e34e6db224c5f9da79418
        • Opcode Fuzzy Hash: 738aceffe3baad55e29067768cfd077827f50d2ad61c54309ffc0f0fa488ca1f
        • Instruction Fuzzy Hash: 043168E1EAF343D9E268982018804F5669DAA0FB58131B9B7C94F371C3813C3613B59F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 6f2fb53b687380baef72e64b1406efe2e2cd769295f6211da9e4c9e0990bbf47
        • Instruction ID: 9942b95d6dd923763eece1f8847dd5d3cb4a5af1f73ec4d777e917806a03d7a0
        • Opcode Fuzzy Hash: 6f2fb53b687380baef72e64b1406efe2e2cd769295f6211da9e4c9e0990bbf47
        • Instruction Fuzzy Hash: E14155E1EAF343D9E268A91048804F1629DAA0FB5853279B7C94F331C7427C3623B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 804aeb0248dd60ca5a7c40acb15d69754b5c778ae2363253fa3b60f5fd67b690
        • Instruction ID: 0f67fc09da8fea770757203f88e1e5144ab936c8b3336a22b7df22b175920994
        • Opcode Fuzzy Hash: 804aeb0248dd60ca5a7c40acb15d69754b5c778ae2363253fa3b60f5fd67b690
        • Instruction Fuzzy Hash: 313143E1EAF343D8E268A96048804F565ADAA0FB58131B9B7CA0F331C3413C3613B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 645d93ec5039e33647a8ad3761190484fc5a33868e1f1f5b64c2e020fac0c0a0
        • Instruction ID: 983ce30685a2bc1efbb9bd28686d0116c71f3cc8d8f26fc856b1b8ec7bed149c
        • Opcode Fuzzy Hash: 645d93ec5039e33647a8ad3761190484fc5a33868e1f1f5b64c2e020fac0c0a0
        • Instruction Fuzzy Hash: A54133E1EAF343D9E268A92048804F5669DAA0FB5813279B7C94F331C7417C3623B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: a7bf0dcda25cc2afbd6b93a133b447cc797b0241871e6fa468272580d533186d
        • Instruction ID: f697a82de26f746174dc399d4d5835e0dfefe3b81d8086e3bf5a0209b3223b55
        • Opcode Fuzzy Hash: a7bf0dcda25cc2afbd6b93a133b447cc797b0241871e6fa468272580d533186d
        • Instruction Fuzzy Hash: E43125E1EAF343D9E268985018804F5669DA60FB58131B9B7CA0F371C7513D3613B46F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 84b4ab61ceeea72b823a32a45c9936eefec41f32ffaf901fc783fdb1544aaee6
        • Instruction ID: ac4cec94675611fcd70a020c4ea126d29b49c68b3f791b85d3fbf12b6534ed90
        • Opcode Fuzzy Hash: 84b4ab61ceeea72b823a32a45c9936eefec41f32ffaf901fc783fdb1544aaee6
        • Instruction Fuzzy Hash: D93114E1EAF347D9E268A92058804F562ADAA4FB58131B9B7C90F371C3413C3613B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 9e577a7e1317ccb98f5a2842c586440105a98a9bf58379834631bc06ca1157f9
        • Instruction ID: 7eb6da92c8e686cbea43cbd46065ff8ac78c9ba7cd1c3ec5f28b0bedaa43cf5a
        • Opcode Fuzzy Hash: 9e577a7e1317ccb98f5a2842c586440105a98a9bf58379834631bc06ca1157f9
        • Instruction Fuzzy Hash: 2B3168E1EAF343D9E2A8681008804F6629DA60FB98130B9B7C90F372C7907D3617B05F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 3bef97dbd730a3916c38d664079276cf9ea6e8ba00da2ea418812c4e6c6513d1
        • Instruction ID: f0e917149cb3838018876efc28d8bb5e2f4c2b707240eb7901fda230a45233aa
        • Opcode Fuzzy Hash: 3bef97dbd730a3916c38d664079276cf9ea6e8ba00da2ea418812c4e6c6513d1
        • Instruction Fuzzy Hash: 413125E1EAF347D9E2A8A81018804F5669DAA0FB58131B9B7C90F371C7513D3613B46F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: beaae969b32d02d2cb22f3d3b21aa28623babff026f5e463ed6a868c0e6eefa9
        • Instruction ID: 9b4426b276705d5704ee371df8118b90652f2e5f7f0fa7c5f4d466155cea28f9
        • Opcode Fuzzy Hash: beaae969b32d02d2cb22f3d3b21aa28623babff026f5e463ed6a868c0e6eefa9
        • Instruction Fuzzy Hash: F44133E1EAF343D9E268A92048804F5619DAA0FB5813279B7C94F331C7417C3623B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: f5aae17f8ba995658924ae29d5384638f021c553ebec440f2903bdb8a792de2c
        • Instruction ID: e1a56461b39dea9b284dde7c3686017758f1b66a686d2fc7d785461b40a195e7
        • Opcode Fuzzy Hash: f5aae17f8ba995658924ae29d5384638f021c553ebec440f2903bdb8a792de2c
        • Instruction Fuzzy Hash: AB3137E1EAF347D9E2A8A81008804F5659DA60FB98130B9B7C90F372C7517D3617B45F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 13a00140bf3ff4f417d41f875eab54576bc95815c7ba024af496589d80006272
        • Instruction ID: 277222e5044ef899f4d54aacd8598c144b6a046457f9c8305defd77ed8e4b08a
        • Opcode Fuzzy Hash: 13a00140bf3ff4f417d41f875eab54576bc95815c7ba024af496589d80006272
        • Instruction Fuzzy Hash: 574122E1EAF343D9E268A91058804F5619DAA0FB9803279B7C90F331C7413D3623B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 6cc60c329cb09e6a7be864134bf4a1461fafc6caf6017e99f581ebcd5ed62f42
        • Instruction ID: 402b1214a6948bffa4fc14c62dbda46182d524cd8661a1d19292e74c8c294de2
        • Opcode Fuzzy Hash: 6cc60c329cb09e6a7be864134bf4a1461fafc6caf6017e99f581ebcd5ed62f42
        • Instruction Fuzzy Hash: 0B4144E1EAF343D9E268A92048800F1619DAA4FB5813279B7C90F331C3813C3623B59F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 1111822a057c5006549f6740044b45ce14f7af87cd96458e8eaf24220a0e7465
        • Instruction ID: f56d5e92029f38455806e6f9795145579c05b9b1b49768df2c6213b8df9c2226
        • Opcode Fuzzy Hash: 1111822a057c5006549f6740044b45ce14f7af87cd96458e8eaf24220a0e7465
        • Instruction Fuzzy Hash: 233145E1EAF347D9E2A8A81018804F5619DA60FB58031B9B7CA0F372C7913D3613B45F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: f7490034656930c8591b0cbdda22d5349ad460b5240b16f1979930b318910f32
        • Instruction ID: b2479456a18c2d7aa7dd78c9281dff2fdf24ff02c633865e5d12ec8613a5a044
        • Opcode Fuzzy Hash: f7490034656930c8591b0cbdda22d5349ad460b5240b16f1979930b318910f32
        • Instruction Fuzzy Hash: 5E4112E1EAF343D9E268A91058804F561ADAA4FB58132B9B7890F331C7417C3623B49F
        Uniqueness

        Uniqueness Score: -1.00%

        APIs
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 2dfae537999febe044839186c1f89c890eff505547ea4474a0093485818af857
        • Instruction ID: d79b177c805c306350ebfb1b4ab26d992e6440e90d434d1970052a2abde80cc2
        • Opcode Fuzzy Hash: 2dfae537999febe044839186c1f89c890eff505547ea4474a0093485818af857
        • Instruction Fuzzy Hash: 7A3157E1EAF347D9E2A8A85008804F6659DA64FB58130B9B7C90F332C7513D3607B49F
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        C-Code - Quality: 48%
        			E00412BB5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				void* _v36;
        				void* _v52;
        				char _v56;
        				long long _v64;
        				char _v72;
        				char _v88;
        				char _v104;
        				char _v120;
        				intOrPtr _v144;
        				char _v152;
        				intOrPtr _v160;
        				char _v168;
        				void* _v172;
        				short _v176;
        				signed int _v180;
        				short _v184;
        				intOrPtr* _v192;
        				signed int _v196;
        				char* _t72;
        				signed int _t76;
        				char* _t78;
        				char* _t83;
        				short _t87;
        				char* _t94;
        				short _t98;
        				intOrPtr _t120;
        				char* _t126;
        
        				_push(0x4011d6);
        				_push( *[fs:0x0]);
        				 *[fs:0x0] = _t120;
        				L004011D0();
        				_v12 = _t120;
        				_v8 = 0x4011b8;
        				L004012CC();
        				if( *0x414010 != 0) {
        					_v192 = 0x414010;
        				} else {
        					_push(0x414010);
        					_push(0x402ba8);
        					L0040132C();
        					_v192 = 0x414010;
        				}
        				_t72 =  &_v56;
        				L00401332();
        				_v176 = _t72;
        				_t76 =  *((intOrPtr*)( *_v176 + 0x1c0))(_v176,  &_v172, _t72,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x300))( *_v192));
        				asm("fclex");
        				_v180 = _t76;
        				if(_v180 >= 0) {
        					_v196 = _v196 & 0x00000000;
        				} else {
        					_push(0x1c0);
        					_push(0x40272c);
        					_push(_v176);
        					_push(_v180);
        					L00401326();
        					_v196 = _t76;
        				}
        				_v64 = _v172;
        				_v72 = 3;
        				_t78 =  &_v72;
        				_push(_t78);
        				L0040127E();
        				asm("sbb eax, eax");
        				_v184 =  ~( ~(_t78 - 0xffff) + 1);
        				L00401320();
        				L0040131A();
        				_t83 = _v184;
        				if(_t83 != 0) {
        					_v64 =  *0x4011b0;
        					_v72 = 5;
        					_push(0);
        					_push( &_v72);
        					_push( &_v88);
        					L00401278();
        					_v160 = 1;
        					_v168 = 0x8002;
        					_push( &_v88);
        					_t87 =  &_v168;
        					_push(_t87);
        					L004012A8();
        					_v176 = _t87;
        					_push( &_v88);
        					_push( &_v72);
        					_push(2);
        					L004012FC();
        					_t83 = _v176;
        					_t126 = _t83;
        					if(_t126 != 0) {
        						_push(0x40295c);
        						L00401272();
        						asm("fcomp dword [0x4011a8]");
        						asm("fnstsw ax");
        						asm("sahf");
        						if(_t126 == 0) {
        							_push( &_v72);
        							L0040126C();
        							_push( &_v88);
        							L0040126C();
        							_v144 = 1;
        							_v152 = 2;
        							_push(1);
        							_push(1);
        							_push( &_v88);
        							_push( &_v152);
        							_t94 =  &_v104;
        							_push(_t94);
        							L00401260();
        							_push(_t94);
        							_push( &_v72);
        							_push(0x402964);
        							_push( &_v120);
        							L00401266();
        							_v160 = 1;
        							_v168 = 0x8002;
        							_push( &_v120);
        							_t98 =  &_v168;
        							_push(_t98);
        							L004012A8();
        							_v176 = _t98;
        							_push( &_v120);
        							_push( &_v104);
        							_push( &_v72);
        							_push( &_v88);
        							_push(4);
        							L004012FC();
        							_t83 = _v176;
        							if(_t83 != 0) {
        								_t83 =  &_v72;
        								_push(_t83);
        								L00401296();
        								L0040129C();
        							}
        						}
        					}
        				}
        				asm("wait");
        				_push(0x412e63);
        				L0040131A();
        				L0040131A();
        				return _t83;
        			}

































        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00412BD2
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412BEA
        • __vbaNew2.MSVBVM60(00402BA8,00414010,?,?,?,?,004011D6), ref: 00412C02
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412C3B
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040272C,000001C0), ref: 00412C88
        • #561.MSVBVM60(00000003), ref: 00412CB0
        • __vbaFreeObj.MSVBVM60(00000003), ref: 00412CCB
        • __vbaFreeVar.MSVBVM60(00000003), ref: 00412CD3
        • #714.MSVBVM60(?,00000005,00000000,00000003), ref: 00412D01
        • __vbaVarTstEq.MSVBVM60(00008002,?,?,00000005,00000000,00000003), ref: 00412D25
        • __vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?,?,00000005,00000000,00000003), ref: 00412D3B
        • __vbaR4Str.MSVBVM60(0040295C), ref: 00412D57
        • #610.MSVBVM60(?,0040295C), ref: 00412D6F
        • #610.MSVBVM60(?,?,0040295C), ref: 00412D78
        • __vbaVarAdd.MSVBVM60(?,00000002,?,00000001,00000001), ref: 00412DA4
        • #662.MSVBVM60(?,00402964,?,00000000,?,00000002,?,00000001,00000001), ref: 00412DB7
        • __vbaVarTstEq.MSVBVM60(00008002,?,?,00402964,?,00000000,?,00000002,?,00000001,00000001), ref: 00412DDB
        • __vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,00008002,?,?,00402964,?,00000000,?,00000002,?,00000001,00000001), ref: 00412DF9
        • #546.MSVBVM60(?,?,?,?,?,0040295C), ref: 00412E10
        • __vbaVarMove.MSVBVM60(?,?,?,?,?,0040295C), ref: 00412E1B
        • __vbaFreeVar.MSVBVM60(00412E63,00000003), ref: 00412E55
        • __vbaFreeVar.MSVBVM60(00412E63,00000003), ref: 00412E5D
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$#610List$#546#561#662#714CheckChkstkHresultMoveNew2
        • String ID:
        • API String ID: 3512411045-0
        • Opcode ID: 16db300eebab481ad6964f19c1051754af9683450ce2900b868b51724e90439a
        • Instruction ID: ed16744d3b8feb72ac50105a6bc1dd2b13454f605a1b51a50ee3c987784fa16d
        • Opcode Fuzzy Hash: 16db300eebab481ad6964f19c1051754af9683450ce2900b868b51724e90439a
        • Instruction Fuzzy Hash: 3E610A71900218EADB11EFA1CD45FDEB7B8AF08704F1041ABB505F7191EB78AA898F65
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 51%
        			E004128A6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a16, void* _a48) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v40;
        				void* _v56;
        				void* _v60;
        				char _v72;
        				char _v76;
        				char _v80;
        				char _v84;
        				char _v88;
        				signed int _v92;
        				signed int _v96;
        				intOrPtr* _v100;
        				signed int _v104;
        				intOrPtr* _v108;
        				signed int _v112;
        				signed int _v124;
        				intOrPtr* _v128;
        				signed int _v132;
        				intOrPtr* _v136;
        				signed int _v140;
        				signed int _v144;
        				signed int _t87;
        				signed int _t91;
        				signed int _t95;
        				signed int _t101;
        				signed int _t106;
        				void* _t125;
        				void* _t127;
        				intOrPtr _t128;
        				signed int _t131;
        
        				_t128 = _t127 - 0xc;
        				 *[fs:0x0] = _t128;
        				L004011D0();
        				_v16 = _t128;
        				_v12 = 0x401188;
        				_v8 = 0;
        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4011d6, _t125);
        				L00401308();
        				L004012CC();
        				L004012CC();
        				_t87 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v88);
        				asm("fclex");
        				_v92 = _t87;
        				_t131 = _v92;
        				if(_t131 >= 0) {
        					_v124 = _v124 & 0x00000000;
        				} else {
        					_push(0xb0);
        					_push(0x402440);
        					_push(_a4);
        					_push(_v92);
        					L00401326();
        					_v124 = _t87;
        				}
        				asm("fcomp dword [0x401180]");
        				asm("fnstsw ax");
        				asm("sahf");
        				if(_t131 == 0) {
        					if( *0x414010 != 0) {
        						_v128 = 0x414010;
        					} else {
        						_push(0x414010);
        						_push(0x402ba8);
        						L0040132C();
        						_v128 = 0x414010;
        					}
        					_t91 =  &_v80;
        					L00401332();
        					_v92 = _t91;
        					_t95 =  *((intOrPtr*)( *_v92 + 0x158))(_v92,  &_v72, _t91,  *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x2fc))( *_v128));
        					asm("fclex");
        					_v96 = _t95;
        					if(_v96 >= 0) {
        						_v132 = _v132 & 0x00000000;
        					} else {
        						_push(0x158);
        						_push(0x40272c);
        						_push(_v92);
        						_push(_v96);
        						L00401326();
        						_v132 = _t95;
        					}
        					if( *0x41433c != 0) {
        						_v136 = 0x41433c;
        					} else {
        						_push(0x41433c);
        						_push(0x4027f8);
        						L0040132C();
        						_v136 = 0x41433c;
        					}
        					_v100 =  *_v136;
        					_t101 =  *((intOrPtr*)( *_v100 + 0x4c))(_v100,  &_v84);
        					asm("fclex");
        					_v104 = _t101;
        					if(_v104 >= 0) {
        						_v140 = _v140 & 0x00000000;
        					} else {
        						_push(0x4c);
        						_push(0x4027e8);
        						_push(_v100);
        						_push(_v104);
        						L00401326();
        						_v140 = _t101;
        					}
        					_v108 = _v84;
        					_t106 =  *((intOrPtr*)( *_v108 + 0x24))(_v108, _v72, L"DOMNENAVNENES",  &_v76);
        					asm("fclex");
        					_v112 = _t106;
        					if(_v112 >= 0) {
        						_v144 = _v144 & 0x00000000;
        					} else {
        						_push(0x24);
        						_push(0x402948);
        						_push(_v108);
        						_push(_v112);
        						L00401326();
        						_v144 = _t106;
        					}
        					_push( &_v76);
        					_push( &_v72);
        					_push(2);
        					L00401314();
        					_push( &_v84);
        					_t87 =  &_v80;
        					_push(_t87);
        					_push(2);
        					L0040130E();
        				}
        				asm("wait");
        				_push(0x412afe);
        				L0040131A();
        				L0040131A();
        				L00401302();
        				return _t87;
        			}




































        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 004128C2
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004011D6), ref: 004128EC
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 004128F7
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 00412902
        • __vbaHresultCheckObj.MSVBVM60(00000000,00401188,00402440,000000B0), ref: 00412934
        • __vbaNew2.MSVBVM60(00402BA8,00414010), ref: 00412967
        • __vbaObjSet.MSVBVM60(?,00000000), ref: 00412994
        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040272C,00000158), ref: 004129C9
        • __vbaNew2.MSVBVM60(004027F8,0041433C), ref: 004129EA
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004027E8,0000004C), ref: 00412A37
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402948,00000024), ref: 00412A80
        • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00412A9E
        • __vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,004011D6), ref: 00412AB0
        • __vbaFreeVar.MSVBVM60(00412AFE), ref: 00412AE8
        • __vbaFreeVar.MSVBVM60(00412AFE), ref: 00412AF0
        • __vbaFreeStr.MSVBVM60(00412AFE), ref: 00412AF8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$CheckHresult$ListNew2$ChkstkCopy
        • String ID: <CA$DOMNENAVNENES
        • API String ID: 4201096553-3117400353
        • Opcode ID: d71204c12f7b47b21e0a7f72f2e5f363a4847978c24b4a1227c95148994ec807
        • Instruction ID: c2795d3bdbd126e47108ee34257853649f080d66ed68b40b72a9d09d86631edc
        • Opcode Fuzzy Hash: d71204c12f7b47b21e0a7f72f2e5f363a4847978c24b4a1227c95148994ec807
        • Instruction Fuzzy Hash: 97610871900208EFDB10EFE5CA49BDDBBB5BF08305F10406AE505BB2A1D7B85995DF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 66%
        			E00412590(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v40;
        				void* _v44;
        				signed int _v52;
        				void* _v56;
        				char _v72;
        				intOrPtr _v80;
        				intOrPtr _v88;
        				void* _v92;
        				signed int _v96;
        				intOrPtr* _v100;
        				signed int _v104;
        				intOrPtr _v116;
        				char _v120;
        				signed int _v124;
        				signed int _v128;
        				char* _t61;
        				signed int _t66;
        				signed int _t72;
        				signed int _t77;
        				void* _t91;
        				void* _t93;
        				intOrPtr _t94;
        
        				_t94 = _t93 - 0xc;
        				 *[fs:0x0] = _t94;
        				L004011D0();
        				_v16 = _t94;
        				_v12 = 0x401160;
        				_v8 = 0;
        				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x68,  *[fs:0x0], 0x4011d6, _t91);
        				L004012CC();
        				_v80 = _a4;
        				_v88 = 9;
        				L004012CC();
        				_t61 =  &_v72;
        				_push(_t61);
        				L00401290();
        				asm("sbb eax, eax");
        				_v92 =  ~( ~(_t61 - 0xffff) + 1);
        				L0040131A();
        				_t66 = _v92;
        				if(_t66 != 0) {
        					if( *0x41433c != 0) {
        						_v120 = 0x41433c;
        					} else {
        						_push(0x41433c);
        						_push(0x4027f8);
        						L0040132C();
        						_v120 = 0x41433c;
        					}
        					_t20 =  &_v120; // 0x41433c
        					_v92 =  *((intOrPtr*)( *_t20));
        					_t72 =  *((intOrPtr*)( *_v92 + 0x14))(_v92,  &_v56);
        					asm("fclex");
        					_v96 = _t72;
        					if(_v96 >= 0) {
        						_v124 = _v124 & 0x00000000;
        					} else {
        						_push(0x14);
        						_push(0x4027e8);
        						_push(_v92);
        						_push(_v96);
        						L00401326();
        						_v124 = _t72;
        					}
        					_v100 = _v56;
        					_t77 =  *((intOrPtr*)( *_v100 + 0x58))(_v100,  &_v52);
        					asm("fclex");
        					_v104 = _t77;
        					if(_v104 >= 0) {
        						_v128 = _v128 & 0x00000000;
        					} else {
        						_push(0x58);
        						_push(0x402808);
        						_push(_v100);
        						_push(_v104);
        						L00401326();
        						_v128 = _t77;
        					}
        					_t66 = _v52;
        					_v116 = _t66;
        					_v52 = _v52 & 0x00000000;
        					L0040133E();
        					L00401320();
        				}
        				asm("wait");
        				_push(0x41270f);
        				L0040131A();
        				L00401302();
        				return _t66;
        			}

        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 004125AC
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 004125D6
        • __vbaVarDup.MSVBVM60 ref: 004125EE
        • #562.MSVBVM60(?), ref: 004125F7
        • __vbaFreeVar.MSVBVM60(?), ref: 0041260F
        • __vbaNew2.MSVBVM60(004027F8,0041433C,?), ref: 00412633
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004027E8,00000014,?,?,?,?,?,?,?,?), ref: 00412677
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402808,00000058,?,?,?,?,?,?,?,?), ref: 004126B2
        • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 004126D0
        • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?), ref: 004126D8
        • __vbaFreeVar.MSVBVM60(0041270F,?), ref: 00412701
        • __vbaFreeStr.MSVBVM60(0041270F,?), ref: 00412709
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$CheckHresult$#562ChkstkMoveNew2
        • String ID: <CA
        • API String ID: 2183228509-146778150
        • Opcode ID: 53522c384b44bf3f3f7ae7d157416c3a759887e919707269a03452af9ce1bdbe
        • Instruction ID: fce205f6c87082bd74089faa8297751ec449c653b240266752cd9be058e6abab
        • Opcode Fuzzy Hash: 53522c384b44bf3f3f7ae7d157416c3a759887e919707269a03452af9ce1bdbe
        • Instruction Fuzzy Hash: 8341E67190024DAFDF10EFE5CA85ADDBBB4BF08705F20412AE801BB2A1D7785995DF58
        Uniqueness

        Uniqueness Score: -1.00%

        C-Code - Quality: 62%
        			E00412736(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
        				intOrPtr _v8;
        				intOrPtr _v12;
        				intOrPtr _v16;
        				void* _v44;
        				void* _v48;
        				void* _v52;
        				void* _v56;
        				signed int _v60;
        				intOrPtr* _v64;
        				signed int _v68;
        				char _v80;
        				signed int _v84;
        				signed int _v88;
        				signed int _t46;
        				signed int _t50;
        				signed int _t56;
        				void* _t70;
        				void* _t72;
        				intOrPtr _t73;
        
        				_t73 = _t72 - 0xc;
        				 *[fs:0x0] = _t73;
        				L004011D0();
        				_v16 = _t73;
        				_v12 = 0x401170;
        				_v8 = 0;
        				_t46 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4011d6, _t70);
        				L004012CC();
        				L0040128A();
        				L0040133E();
        				_push(_t46);
        				_push(L"pointoptllingers");
        				L004012A2();
        				asm("sbb eax, eax");
        				_v56 =  ~( ~_t46 + 1);
        				L00401302();
        				_t50 = _v56;
        				if(_t50 != 0) {
        					if( *0x41433c != 0) {
        						_v80 = 0x41433c;
        					} else {
        						_push(0x41433c);
        						_push(0x4027f8);
        						L0040132C();
        						_v80 = 0x41433c;
        					}
        					_t15 =  &_v80; // 0x41433c
        					_v56 =  *((intOrPtr*)( *_t15));
        					_t56 =  *((intOrPtr*)( *_v56 + 0x1c))(_v56,  &_v52);
        					asm("fclex");
        					_v60 = _t56;
        					if(_v60 >= 0) {
        						_v84 = _v84 & 0x00000000;
        					} else {
        						_push(0x1c);
        						_push(0x4027e8);
        						_push(_v56);
        						_push(_v60);
        						L00401326();
        						_v84 = _t56;
        					}
        					_v64 = _v52;
        					_t50 =  *((intOrPtr*)( *_v64 + 0x50))(_v64);
        					asm("fclex");
        					_v68 = _t50;
        					if(_v68 >= 0) {
        						_v88 = _v88 & 0x00000000;
        					} else {
        						_push(0x50);
        						_push(0x402918);
        						_push(_v64);
        						_push(_v68);
        						L00401326();
        						_v88 = _t50;
        					}
        					L00401320();
        				}
        				_push(0x41287f);
        				L0040131A();
        				return _t50;
        			}

        APIs
        • __vbaChkstk.MSVBVM60(?,004011D6), ref: 00412752
        • __vbaVarDup.MSVBVM60(?,?,?,?,004011D6), ref: 0041277C
        • #669.MSVBVM60(?,?,?,?,004011D6), ref: 00412781
        • __vbaStrMove.MSVBVM60(?,?,?,?,004011D6), ref: 0041278B
        • __vbaStrCmp.MSVBVM60(pointoptllingers,00000000,?,?,?,?,004011D6), ref: 00412796
        • __vbaFreeStr.MSVBVM60(pointoptllingers,00000000,?,?,?,?,004011D6), ref: 004127A9
        • __vbaNew2.MSVBVM60(004027F8,0041433C,pointoptllingers,00000000,?,?,?,?,004011D6), ref: 004127CD
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004027E8,0000001C), ref: 00412811
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402918,00000050), ref: 00412848
        • __vbaFreeObj.MSVBVM60(00000000,?,00402918,00000050), ref: 00412859
        • __vbaFreeVar.MSVBVM60(0041287F,pointoptllingers,00000000,?,?,?,?,004011D6), ref: 00412879
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1281554590.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1281546525.0000000000400000.00000002.00020000.sdmp
        • Associated: 00000000.00000002.1281586945.0000000000414000.00000004.00020000.sdmp
        • Associated: 00000000.00000002.1281600855.0000000000416000.00000002.00020000.sdmp
        Similarity
        • API ID: __vba$Free$CheckHresult$#669ChkstkMoveNew2
        • String ID: <CA$pointoptllingers
        • API String ID: 256872743-2660778481
        • Opcode ID: e18aa788423bcb515f17eb00fb840792036a6777bdbf7e4ce9023d5c3021e1bd
        • Instruction ID: 47d370aff482de0b1f217770cf7030308afc570e670a23a850f5e083fb62d865
        • Opcode Fuzzy Hash: e18aa788423bcb515f17eb00fb840792036a6777bdbf7e4ce9023d5c3021e1bd
        • Instruction Fuzzy Hash: 0B311671A00208EFDB04EFA6DA45BDDBBB0BF18704F10812AF401FB2A1DBB85955DB59
        Uniqueness

        Uniqueness Score: -1.00%