Play interactive tour

Edit tour

Analysis Report REQUEST FOR QUOTATION.exe

Overview

General Information

Sample Name:	REQUEST FOR QUOTATION.exe
Analysis ID:	341412
MD5:	9c634109c87ad8b8d0b03b7283c44c6c
SHA1:	fac666c82ee6ac4fa1cddc1e4be5faaa4f9965a8
SHA256:	dc4b0fbae22a707e56c85725ac645ff7f7fe72164060da65070a38d1a5092012
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

REQUEST FOR QUOTATION.exe (PID: 5720 cmdline: 'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe' MD5: 9C634109C87AD8B8D0B03B7283C44C6C)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: REQUEST FOR QUOTATION.exe PID: 5720	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: REQUEST FOR QUOTATION.exe PID: 5720	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: REQUEST FOR QUOTATION.exe	Virustotal: Detection: 33%			Perma Link
Source: REQUEST FOR QUOTATION.exe	ReversingLabs: Detection: 23%

Compliance:

Uses 32bit PE files

Show sources

Source: REQUEST FOR QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: REQUEST FOR QUOTATION.exe

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Process Stats: CPU usage > 98%

Source: REQUEST FOR QUOTATION.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316641910.00000000021F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1318380230.0000000002B10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameGangede7.exeFE2X vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe, 00000001.00000000.236576334.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameGangede7.exe vs REQUEST FOR QUOTATION.exe
Source: REQUEST FOR QUOTATION.exe	Binary or memory string: OriginalFilenameGangede7.exe vs REQUEST FOR QUOTATION.exe

Source: REQUEST FOR QUOTATION.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

File created: C:\Users\user\AppData\Local\Temp\~DF2354CAF8E7AD853F.TMP

Jump to behavior

Source: REQUEST FOR QUOTATION.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: REQUEST FOR QUOTATION.exe	Virustotal: Detection: 33%
Source: REQUEST FOR QUOTATION.exe	ReversingLabs: Detection: 23%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: REQUEST FOR QUOTATION.exe PID: 5720, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: REQUEST FOR QUOTATION.exe PID: 5720, type: MEMORY

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_004078FB push edx; iretd		1_2_004078FF
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_00402889 pushfd ; ret		1_2_00402895

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 1_2_02224EC3

1_2_02224EC3

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: REQUEST FOR QUOTATION.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

RDTSC instruction interceptor: First address: 0000000002225AAA second address: 0000000002225AAA instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FFAE4A19648h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d add edi, edx 0x0000001f cmp cl, bl 0x00000021 dec dword ptr [ebp+000000F8h] 0x00000027 cmp esi, 355D7D1Fh 0x0000002d cmp dword ptr [ebp+000000F8h], 00000000h 0x00000034 jne 00007FFAE4A19622h 0x00000036 cmp edx, ecx 0x00000038 call 00007FFAE4A1969Ch 0x0000003d call 00007FFAE4A19658h 0x00000042 lfence 0x00000045 mov edx, dword ptr [7FFE0014h] 0x0000004b lfence 0x0000004e ret 0x0000004f mov esi, edx 0x00000051 pushad 0x00000052 rdtsc

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 1_2_02225628 rdtsc

1_2_02225628

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: REQUEST FOR QUOTATION.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe

Code function: 1_2_02225628 rdtsc

1_2_02225628

Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02225246 mov eax, dword ptr fs:[00000030h]	1_2_02225246
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02221AA5 mov eax, dword ptr fs:[00000030h]	1_2_02221AA5
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_022222B7 mov eax, dword ptr fs:[00000030h]	1_2_022222B7
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02225F3F mov eax, dword ptr fs:[00000030h]	1_2_02225F3F
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_022257A1 mov eax, dword ptr fs:[00000030h]	1_2_022257A1
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02223079 mov eax, dword ptr fs:[00000030h]	1_2_02223079
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02226160 mov eax, dword ptr fs:[00000030h]	1_2_02226160
Source: C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe	Code function: 1_2_02226180 mov eax, dword ptr fs:[00000030h]	1_2_02226180

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316225426.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316225426.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316225426.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316225426.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: REQUEST FOR QUOTATION.exe, 00000001.00000002.1316225426.0000000000D60000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery411	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
REQUEST FOR QUOTATION.exe	34%	Virustotal		Browse
REQUEST FOR QUOTATION.exe	24%	ReversingLabs	Win32.Trojan.Midie

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	341412
Start date:	19.01.2021
Start time:	10:27:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 11m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	REQUEST FOR QUOTATION.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	35
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.279365958703334
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	REQUEST FOR QUOTATION.exe
File size:	98304
MD5:	9c634109c87ad8b8d0b03b7283c44c6c
SHA1:	fac666c82ee6ac4fa1cddc1e4be5faaa4f9965a8
SHA256:	dc4b0fbae22a707e56c85725ac645ff7f7fe72164060da65070a38d1a5092012
SHA512:	ea6dfb7f2b349a3ec99f554a463718a7bd42f909041d52f5ffc67a26d1a56d6614843b4ba3adf0c67f58148dbed787b053879cf9c4aadc368dabf9be2e2cece7
SSDEEP:	1536:e8//ikbGLpJWA49qVj6riRhPWF/hLF9FxZ3av9vU2Q2pzhduFvidE4z+:DyDtxR8iRZWZhLf/Z3+9v1Q2pNdgib+
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.................P...0...............`....@................

File Icon


Icon Hash:	6eeed0e4a4a4e0d2

Static PE Info

General
Entrypoint:	0x401394
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6005F69C [Mon Jan 18 20:59:08 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1e586cf04261bd749b013218f1926344

Entrypoint Preview

Instruction
push 00401C60h
call 00007FFAE499C555h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
dec eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi+1Dh], dl
stosb
xchg dword ptr [ebx-48B8BC43h], ebp
push ebx
or dword ptr [ebx], 00DFFB14h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+6Ch], al
arpl word ptr [edx+esi*2+6Fh], si
bound ebp, dword ptr [ecx+6Fh]
insb
outsd
imul esp, dword ptr [bp+di+61h], 36796C6Ch
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or ah, byte ptr [edi-59h]
cmp dword ptr [esi+4Ch], esi
lodsb
adc byte ptr [ebp-61h], al
pop eax
mov edi, F043DB5Ch
dec ebx
mov esi, 7C0D6F39h
je 00007FFAE499C5AEh
xchg edi, ebp
sub cl, bl
jmp 00007FFAE499C5A3h
jl 00007FFAE499C591h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jc 00007FFAE499C569h
add byte ptr [eax], al
fadd dword ptr [0D000000h]
add byte ptr [edi+6Ch], ah
outsd
jc 00007FFAE499C5CBh
imul sp, word ptr [ebx+61h], 6974h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x159a4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xfc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14e1c	0x15000	False	0.40337844122	data	6.69865394882	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0x119c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x894	0x1000	False	0.330322265625	data	3.0255925292	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1832c	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x18318	0x14	data
RT_VERSION	0x180f0	0x228	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaCastObjVar, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, __vbaVarLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Gangede7
FileVersion	1.00
CompanyName	Colossus Corp.
ProductName	hoodlumism
ProductVersion	1.00
OriginalFilename	Gangede7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: REQUEST FOR QUOTATION.exe PID: 5720 Parent PID: 5564

General

Start time:	10:28:00
Start date:	19/01/2021
Path:	C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\REQUEST FOR QUOTATION.exe'
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	9C634109C87AD8B8D0B03B7283C44C6C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: REQUEST FOR QUOTATION.exe PID: 5720 Parent PID: 5564 REQUEST FOR QUOTATION.exeCOMMON

Executed Functions

Function 0040F5C4, Relevance: 297.6, APIs: 155, Strings: 14, Instructions: 1878COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 0040F5E2
#521.MSVBVM60(00402B64,?,?,?,?,00401226), ref: 0040F616
__vbaStrMove.MSVBVM60(00402B64,?,?,?,?,00401226), ref: 0040F620
__vbaStrCmp.MSVBVM60(00402B70,00000000,00402B64,?,?,?,?,00401226), ref: 0040F62B
__vbaFreeStr.MSVBVM60(00402B70,00000000,00402B64,?,?,?,?,00401226), ref: 0040F642
__vbaNew2.MSVBVM60(00402100,00416010,00402B70,00000000,00402B64,?,?,?,?,00401226), ref: 0040F669
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F6A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000158), ref: 0040F6EC
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0040F713
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F74C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000058), ref: 0040F793
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0040F7BA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F7F3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000060), ref: 0040F83A
__vbaNew2.MSVBVM60(00402BB4,0041633C), ref: 0040F861
__vbaChkstk.MSVBVM60(?), ref: 0040F902
__vbaChkstk.MSVBVM60(?), ref: 0040F916
__vbaChkstk.MSVBVM60(?), ref: 0040F92A
__vbaChkstk.MSVBVM60(?), ref: 0040F93E
__vbaChkstk.MSVBVM60(?), ref: 0040F952
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,00000044), ref: 0040F995
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040F9BB
__vbaFreeVar.MSVBVM60(?,?,?,?,00401226), ref: 0040F9C6
__vbaNew2.MSVBVM60(00402100,00416010,00402B70,00000000,00402B64,?,?,?,?,00401226), ref: 0040F9DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FA17
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000070), ref: 0040FA5E
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0040FA85
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FABE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000058), ref: 0040FB05
__vbaStrCopy.MSVBVM60(00000000,?,00402B74,00000058), ref: 0040FB21
__vbaChkstk.MSVBVM60(?), ref: 0040FB7C
__vbaChkstk.MSVBVM60(?,00000003,00810059,?,?), ref: 0040FBAA
__vbaFreeStr.MSVBVM60(?,00000003,00810059,?,?), ref: 0040FBCC
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000003,00810059,?,?), ref: 0040FBDB
__vbaFreeVar.MSVBVM60(?,?,00401226), ref: 0040FBE6
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004029CC,000006F8), ref: 0040FC1B
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0040FC42
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FC7B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402BEC,00000060), ref: 0040FCC2
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0040FCE9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FD22
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000060), ref: 0040FD69
__vbaVarMove.MSVBVM60(?,?,00000003,?), ref: 0040FDD2
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000003,?), ref: 0040FDE1
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00401226), ref: 0040FDEC
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,?,00401226), ref: 0040FE04
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FE3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000178), ref: 0040FE8A
__vbaStrCopy.MSVBVM60(00000000,?,00402B74,00000178), ref: 0040FECA
__vbaFreeStr.MSVBVM60(?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF11
__vbaFreeObj.MSVBVM60(?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF19
__vbaFreeVar.MSVBVM60(?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF21
__vbaVarDup.MSVBVM60(?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF43
__vbaStrCopy.MSVBVM60(?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF50
__vbaFreeStr.MSVBVM60(?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF83
__vbaFreeVar.MSVBVM60(?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0040FF8B
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0040FFA3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0040FFDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000158,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 00410029
__vbaChkstk.MSVBVM60(DE511AD0,00005AF3,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0041005E
__vbaFreeObj.MSVBVM60(?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 00410086
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0041009E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 004100D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000048,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0041011B
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 00410142
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 0041017B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,000001A0,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 004101C8
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?,?,004FA7FA,611850A0,00000003,?), ref: 00410270
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,00401226), ref: 0041027B
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,?,?,?,?,00401226), ref: 00410293
__vbaObjSet.MSVBVM60(?,00000000), ref: 004102CC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,000001E8), ref: 00410319
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410340
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410379
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,000000F8), ref: 004103C3
__vbaStrCopy.MSVBVM60(00000000,?,00402BEC,000000F8), ref: 00410413
__vbaVarDup.MSVBVM60(00000000,?,00402BEC,000000F8), ref: 00410449
__vbaChkstk.MSVBVM60(?,?,1BC2BF50,00000009), ref: 00410469
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004029CC,000006FC), ref: 004104B3
__vbaFreeStr.MSVBVM60(00000000,00401140,004029CC,000006FC), ref: 004104CA
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004104D9
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 004104EE
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410509
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410542
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000110), ref: 0041058F
__vbaFreeObj.MSVBVM60(?,?), ref: 004105D4
__vbaNew2.MSVBVM60(00402100,00416010,?,?), ref: 004105EC
__vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 00410625
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000158,?,?), ref: 0041066F
__vbaNew2.MSVBVM60(00402100,00416010,?,?), ref: 00410696
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 004106CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402CB8,00000060,?,?,?,?), ref: 00410716
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?), ref: 0041073D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?), ref: 00410776
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000238,?,?,?,?,?,?), ref: 004107C0
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,?,?), ref: 004107E7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 00410820
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000178,?,?,?,?,?,?,?,?), ref: 0041086A
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,?,?,?,?,?,?,?,?), ref: 0041088C
__vbaI4Var.MSVBVM60(?), ref: 0041089B
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,?,?,00000008,?,00005F9E), ref: 0041094C
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,?,?), ref: 00410968
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,?,?,?,?,?,?), ref: 00410983
__vbaObjSet.MSVBVM60(?,00000000), ref: 004109BC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000100), ref: 00410A06
__vbaLateIdCallLd.MSVBVM60(?,00000000,00000000,00000000), ref: 00410A28
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00410A43
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410A7C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000108), ref: 00410AC6
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410AED
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B26
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,000000F8), ref: 00410B73
__vbaVarDup.MSVBVM60(00000000,?,00402B84,000000F8), ref: 00410BC9
__vbaChkstk.MSVBVM60(?), ref: 00410BD7
__vbaI4Var.MSVBVM60(?,00000000,?), ref: 00410BF2
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004029CC,00000700,?,?,00000003,00000000,?,00000000,?), ref: 00410C3E
__vbaFreeStr.MSVBVM60(?,?,00000003,00000000,?,00000000,?), ref: 00410C55
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,00000000,?,?,00000003,00000000,?,00000000,?), ref: 00410C6C
__vbaFreeVarList.MSVBVM60(00000003,?,00000003,?), ref: 00410C88
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410CA3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410CDC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000048), ref: 00410D20
__vbaChkstk.MSVBVM60(00000008,?), ref: 00410D73
__vbaFreeObj.MSVBVM60 ref: 00410D9E
__vbaFreeVar.MSVBVM60 ref: 00410DA6
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410DBE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410DF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,00000158), ref: 00410E41
__vbaLateIdCallLd.MSVBVM60(00000008,00000000,00000000,00000000), ref: 00410E60
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410E7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410EB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000130), ref: 00410EFE
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410F25
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F5E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000170), ref: 00410FAB
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00410FD2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041100B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,000001C8), ref: 00411058
__vbaI4Var.MSVBVM60(00000008), ref: 004110C4
__vbaFreeObjList.MSVBVM60(00000005,?,?,?,?,00000000), ref: 00411142
__vbaFreeVarList.MSVBVM60(00000004,00000008,00000008,00000003,00000003), ref: 00411165
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00411180
__vbaObjSet.MSVBVM60(?,00000000), ref: 004111B9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,000001C8), ref: 00411206
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0041122D
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00411266
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000098), ref: 004112B3
__vbaNew2.MSVBVM60(00402100,00416010), ref: 004112DA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411313
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BEC,00000178), ref: 0041135D
__vbaVarDup.MSVBVM60(00000000,?,00402BEC,00000178), ref: 0041139B
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,004029CC,00000704), ref: 00411446
__vbaFreeObjList.MSVBVM60(00000003,?,00000000,?), ref: 00411471
__vbaFreeVarList.MSVBVM60(00000002,00000009,00000008), ref: 00411486
__vbaHresultCheckObj.MSVBVM60(00000000,00401140,0040299C,000002B4), ref: 004114C0

Strings

guts, xrefs: 0040FF48
polyplegic, xrefs: 0041137B
Corsite, xrefs: 0040FB26
Breams4, xrefs: 00410B87
<cA, xrefs: 0040F87C
Oprejsningsbevillingernes7, xrefs: 00410BAC
kaktusplanten, xrefs: 0041040B
*Ba, xrefs: 0041110E, 00411114
KONSULENTTJENESTE, xrefs: 0040FF26
L\!, xrefs: 004113E6, 004113EC
DOMICILET, xrefs: 0041003D
Ultraofficious4, xrefs: 0041042C
flagellariaceous, xrefs: 0040FEC2
DUNITE, xrefs: 0040FB19

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$Chkstk$Copy$CallLate$Move$#521
String ID: *Ba$<cA$Breams4$Corsite$DOMICILET$DUNITE$KONSULENTTJENESTE$L\!$Oprejsningsbevillingernes7$Ultraofficious4$flagellariaceous$guts$kaktusplanten$polyplegic
API String ID: 686690730-1440347306
Opcode ID: c68c6610cc2926e17812510a8d1917ba8208a56c6b21a992ef73dfa8e16a233d
Instruction ID: 873d14afbdfa04174ba824c51b4b72ff03a14c11f4601ea4d645b897d6a53c5c
Opcode Fuzzy Hash: c68c6610cc2926e17812510a8d1917ba8208a56c6b21a992ef73dfa8e16a233d
Instruction Fuzzy Hash: 6B13E771940218DFDB21DF91CC49BDDBBB4BB08304F1040EAE54ABB2A1DBB99A85DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041212D, Relevance: 52.8, APIs: 26, Strings: 4, Instructions: 272COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 0041214A
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 00412162
__vbaChkstk.MSVBVM60 ref: 00412178
#689.MSVBVM60(SALMONS,kvindesager,DIPLOMET), ref: 00412195
__vbaStrMove.MSVBVM60(SALMONS,kvindesager,DIPLOMET), ref: 0041219F
__vbaStrCmp.MSVBVM60(00000000,00000000,SALMONS,kvindesager,DIPLOMET), ref: 004121A7
__vbaFreeStr.MSVBVM60(00000000,00000000,SALMONS,kvindesager,DIPLOMET), ref: 004121BE
__vbaNew2.MSVBVM60(00402100,00416010,00000000,00000000,SALMONS,kvindesager,DIPLOMET), ref: 004121E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041221E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,000000E8), ref: 00412268
__vbaNew2.MSVBVM60(00402100,00416010), ref: 0041228F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004122C8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000058), ref: 0041230F
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00412336
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041236F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000060), ref: 004123B6
__vbaNew2.MSVBVM60(00402BB4,0041633C), ref: 004123DD
__vbaChkstk.MSVBVM60(?), ref: 0041246C
__vbaChkstk.MSVBVM60(?), ref: 00412480
__vbaChkstk.MSVBVM60(?), ref: 00412491
__vbaChkstk.MSVBVM60(?), ref: 004124A2
__vbaChkstk.MSVBVM60(?), ref: 004124B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,00000044), ref: 004124F6
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0041251C
__vbaFreeVar.MSVBVM60 ref: 00412527
__vbaFreeVar.MSVBVM60(00412568,00000000,00000000,SALMONS,kvindesager,DIPLOMET), ref: 00412562

Strings

SALMONS, xrefs: 00412190
kvindesager, xrefs: 0041218B
<cA, xrefs: 004123F8
DIPLOMET, xrefs: 00412186

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$#689ListMove
String ID: <cA$DIPLOMET$SALMONS$kvindesager
API String ID: 1217911116-3875045752
Opcode ID: 901b77be90fbaf9d064ca28a6b25ac51773ba6bccb476e439db2a8f1deb5728f
Instruction ID: 724ac055c97297795c1a7c390cf8a179f2225a4e7ff25f4f6ff2dc8a40a34ebe
Opcode Fuzzy Hash: 901b77be90fbaf9d064ca28a6b25ac51773ba6bccb476e439db2a8f1deb5728f
Instruction Fuzzy Hash: EFB11871900218EFDB20DFA5CD45BDDB7B5BF09704F1044AAE509BB291CBB95A84CF19

Uniqueness

Uniqueness Score: -1.00%

Function 004118D3, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 64COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 004118EE
__vbaVarDup.MSVBVM60 ref: 00411914
#543.MSVBVM60(?,?), ref: 00411921
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0041193C
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0041194F
__vbaVarDup.MSVBVM60 ref: 00411973
#666.MSVBVM60(?,?), ref: 00411980
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?), ref: 0041198F

Strings

6:6:6, xrefs: 00411900
anglicisation, xrefs: 0041195F

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeList$#543#666Chkstk
String ID: 6:6:6$anglicisation
API String ID: 2144927966-1625444541
Opcode ID: 2f2b39b4546d216803391a664b6028f343539f6c6489c80ce8c7e7b813e3745d
Instruction ID: 8d9787af43f7ecc566d403b099a4b90c4b680a82c58df6f77ec0a79d51ac39f9
Opcode Fuzzy Hash: 2f2b39b4546d216803391a664b6028f343539f6c6489c80ce8c7e7b813e3745d
Instruction Fuzzy Hash: AC21ECB181025CAADF01EBD1DD46EEEB7BCBF04704F54452EE504BA590EBB85508CB65

Uniqueness

Uniqueness Score: -1.00%

Function 00401394, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401399

Strings

9o|, xrefs: 00401402
VB5!6&*, xrefs: 00401394

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: 9o|$VB5!6&*
API String ID: 1341478452-3832882254
Opcode ID: c9be7a2ed969b2b4cb70037388eae75a4367dca9f57592d104b36f5223ffccac
Instruction ID: 126da73f5eefc13a479dcc49d2b48ef2cdb696464e7e44296ff89b91310b223c
Opcode Fuzzy Hash: c9be7a2ed969b2b4cb70037388eae75a4367dca9f57592d104b36f5223ffccac
Instruction Fuzzy Hash: CA51822148E7D18FC3138B7499691917FB1AE5326871A42EBC491DF0F3E2694D0ACBA6

Uniqueness

Uniqueness Score: -1.00%

Function 00406280, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 350memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Strings

@jjj, xrefs: 00406306

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: @jjj
API String ID: 4275171209-3445998268
Opcode ID: 83cabdefa8aa929f0d8b8a93c6954ff621736d1e331280c8cc35ae40ea18af00
Instruction ID: 37cdde9f055b84c1e65ea49f6e3dfe8f4c6bbcc16d5ada07fe62a3617b566389
Opcode Fuzzy Hash: 83cabdefa8aa929f0d8b8a93c6954ff621736d1e331280c8cc35ae40ea18af00
Instruction Fuzzy Hash: E751A3E1E5E313C8E23C550888681B2115CA64F70453B693B9C8F372E6853D6A37B8DF

Uniqueness

Uniqueness Score: -1.00%

Function 00405F67, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 277memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Strings

V999, xrefs: 00405F68

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: V999
API String ID: 4275171209-3038336207
Opcode ID: 35797f31b1bf5ce95a36785554708174edc6a8ff3226c668f1b6b5a526e3266e
Instruction ID: bcc42c028a073ee9eb2e9feff4760a921b3d7fd23f7400852a31aa2a77f65364
Opcode Fuzzy Hash: 35797f31b1bf5ce95a36785554708174edc6a8ff3226c668f1b6b5a526e3266e
Instruction Fuzzy Hash: A85116E1E6F313D9D22C990498905B0606CAA0FB48533787B984F7B4C78A7D6237B59F

Uniqueness

Uniqueness Score: -1.00%

Function 0040632C, Relevance: 1.7, APIs: 1, Instructions: 411memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f7f0185969281a5b53fd14ad13a587e1ae878d786e0c5cccf423d44e51ac7ade
Instruction ID: 90ec91a44a655d61a5cd70c0bc1e988fe1b83a40427c09198c19cf87045924fe
Opcode Fuzzy Hash: f7f0185969281a5b53fd14ad13a587e1ae878d786e0c5cccf423d44e51ac7ade
Instruction Fuzzy Hash: B771A4A0D9E233C8C62D490494520B1115CA5AF728BB3683BD94FB71C685BCA933F4DF

Uniqueness

Uniqueness Score: -1.00%

Function 00406023, Relevance: 1.6, APIs: 1, Instructions: 366memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 36845d5e23c298b67cd5283f19a54d00461a3776130915620cb46e1a849e3dc6
Instruction ID: b31d695ce4d83f34180f989d0cbd273854315113ff4828e7accbc2f2547c9e90
Opcode Fuzzy Hash: 36845d5e23c298b67cd5283f19a54d00461a3776130915620cb46e1a849e3dc6
Instruction Fuzzy Hash: 4B51B1E1DAE313C9D22CD90858584B2205CAA0F754A3BB977984F732E3953C6A37749F

Uniqueness

Uniqueness Score: -1.00%

Function 00405ED3, Relevance: 1.6, APIs: 1, Instructions: 363memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77a510fac431e2ba9469805b52fd254d6978c3a59e47f595e4ee2df1437279c7
Instruction ID: ad1b22d83f585bcf97b38bc65d0ffa9038bbe27fb35abbfe71d56a87f6a992b0
Opcode Fuzzy Hash: 77a510fac431e2ba9469805b52fd254d6978c3a59e47f595e4ee2df1437279c7
Instruction Fuzzy Hash: 775114E1E6E317C9D21CA90498904F0606CAA0FB44A33693B988F374C7857C6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 00405E76, Relevance: 1.6, APIs: 1, Instructions: 351COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7b8213325e79aeed32205bcd947aa97b4726206536cb862601514b893888c1c
Instruction ID: 6be1efe8c24d2e4024f1532635528150770dae1aa26f13df38a8fa3b6b2d41fd
Opcode Fuzzy Hash: e7b8213325e79aeed32205bcd947aa97b4726206536cb862601514b893888c1c
Instruction Fuzzy Hash: DD518EA0D6FB53C8E228A60089504F7A06CE60FB556376837958F775C7853C6A33788F

Uniqueness

Uniqueness Score: -1.00%

Function 0040612F, Relevance: 1.6, APIs: 1, Instructions: 313memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e3e668f93d8e46f5de4f6a2dbea194abf1f402773fdd5b380b829a1b08472b73
Instruction ID: 63635d03282771122a35e7fa52c633702149c5367ccf91ed12f8d74b83550795
Opcode Fuzzy Hash: e3e668f93d8e46f5de4f6a2dbea194abf1f402773fdd5b380b829a1b08472b73
Instruction Fuzzy Hash: 1A4137E1E6F313D8E21CA90098904F0616CAA0FB48633683BD88F774C6967D6637749F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FDC, Relevance: 1.5, APIs: 1, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4b86ea5691298c4dfd55d6b95baf74b1dcdcb008e9e7aa196b045ce651889b85
Instruction ID: 3b2de7753beb35e582bf7b6c1335bb192197113d429d7bc1333b5b32131e2959
Opcode Fuzzy Hash: 4b86ea5691298c4dfd55d6b95baf74b1dcdcb008e9e7aa196b045ce651889b85
Instruction Fuzzy Hash: E45169E0EAE323C8D22C990498845B1606CAA0FB44637B93BD94F375D3857D6637749F

Uniqueness

Uniqueness Score: -1.00%

Function 00405EA3, Relevance: 1.5, APIs: 1, Instructions: 293memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a83a92df31a1e30b55ce8c2594277aa44585f4f12bdb9d8f0924da228312b2b5
Instruction ID: 901ec529d1c6542b873880b02fa68016543b38e21aafad9095b2ffe6c3f7fced
Opcode Fuzzy Hash: a83a92df31a1e30b55ce8c2594277aa44585f4f12bdb9d8f0924da228312b2b5
Instruction Fuzzy Hash: CC5136E1E6E313C9D21C990498905F160ACAA0FB04A33787B988F774C7963C6637789F

Uniqueness

Uniqueness Score: -1.00%

Function 00405E4C, Relevance: 1.5, APIs: 1, Instructions: 292memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d8facae68a2df1be935e856eb32a5ea8fe38ca75f0575a4a5487256c68eec212
Instruction ID: 15fb29ee165b1df508742db0ddc3d2fd604319e0df7d89fc01f1bd015eb5062f
Opcode Fuzzy Hash: d8facae68a2df1be935e856eb32a5ea8fe38ca75f0575a4a5487256c68eec212
Instruction Fuzzy Hash: F75113E1E6E313C8E22CA90098904F1606CAA0FB44973783B988F374C7857D6237789F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FE0, Relevance: 1.5, APIs: 1, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 71f7b0860f7ece7338ed0ecb3af8331e07719f002951f47302be6d47f972e1de
Instruction ID: 81f2c4c5c0fc4ae099e628b35e6005152c7af1e1701936b5bb80fa62d0b9a32e
Opcode Fuzzy Hash: 71f7b0860f7ece7338ed0ecb3af8331e07719f002951f47302be6d47f972e1de
Instruction Fuzzy Hash: 9E4104E1E6E313D8E21CA90098905F0606CAA0FB48533783B988F774C7957D6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 00406348, Relevance: 1.5, APIs: 1, Instructions: 277memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: adb91d5f8b26ab6eeab1d8565809ac1380d300b67ff553aa436864b45055f1e4
Instruction ID: 84b2ea36f1f465a42e4895acfcc04f7e327a491c7848683fbced10cafc0c0bb1
Opcode Fuzzy Hash: adb91d5f8b26ab6eeab1d8565809ac1380d300b67ff553aa436864b45055f1e4
Instruction Fuzzy Hash: E6512BE1E2E223C8DA2D9910D8901B1615CAA2F728533683BED4FB31C2857D7637759F

Uniqueness

Uniqueness Score: -1.00%

Function 00406183, Relevance: 1.5, APIs: 1, Instructions: 275memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a52d92195926a592f232d14e1c088f18a1e34fad34e38c67eb1fe2b3b49591f5
Instruction ID: 1cc9944c39761e8c280d0ed40e9a69ac4ba79487c5d33d528608ccc9124fa743
Opcode Fuzzy Hash: a52d92195926a592f232d14e1c088f18a1e34fad34e38c67eb1fe2b3b49591f5
Instruction Fuzzy Hash: 42413AE1E6E313C9D21CA90498904F4616CAA0FB54633797BD88F774C6863C6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 00406075, Relevance: 1.5, APIs: 1, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 8a2408c3d7f7153d80b9df6c74dd71bea9820a5e7157ec6b1af5915af8476ac9
Instruction ID: c6849b765036c96ba2976b3b1c07e2636eca0a34509fa837cef3c166749ec14c
Opcode Fuzzy Hash: 8a2408c3d7f7153d80b9df6c74dd71bea9820a5e7157ec6b1af5915af8476ac9
Instruction Fuzzy Hash: AF4125E1E6F313C8D21CA90498904B0606CAA0FB04A33797B988F770C7863D6237B49F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FB5, Relevance: 1.5, APIs: 1, Instructions: 266memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 03361d77bf96cc8d699a8bd3b4d50281a4404cbf58be3845f4e3a4dba3f463bf
Instruction ID: 05dba2ad412ae429e3c1524ea32ba34c8e71593225f29ed8290c28c8d92a7c0a
Opcode Fuzzy Hash: 03361d77bf96cc8d699a8bd3b4d50281a4404cbf58be3845f4e3a4dba3f463bf
Instruction Fuzzy Hash: 2141F4E1E6F317D8D21CA94098904B0606CAA0FB44533793B988F774C7957D6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 004061F8, Relevance: 1.5, APIs: 1, Instructions: 261memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c80ac1bda9ae3602052591d32f683a02dcc8279a685e96dc6b05b60694bc5e7c
Instruction ID: eb30e878cc547975015ad9e583a466a32a32ddaa9dd96ea2e1c12e773fa6fbaa
Opcode Fuzzy Hash: c80ac1bda9ae3602052591d32f683a02dcc8279a685e96dc6b05b60694bc5e7c
Instruction Fuzzy Hash: 6B4127E1E6F313C8D21CA90498904F061ACAA0FB48633A87BD88F774C6857D6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FA4, Relevance: 1.5, APIs: 1, Instructions: 258memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 878643e2aa27b88c8959778952d3a2f389a8813f8ae88d14504a47a8a593fb1d
Instruction ID: 372100b18cf3515da964b728d069e27f48d9f4b412d4c09d2777bc3bb144efb7
Opcode Fuzzy Hash: 878643e2aa27b88c8959778952d3a2f389a8813f8ae88d14504a47a8a593fb1d
Instruction Fuzzy Hash: 565124E1E6E313D8D21CA90098905F0606CAA0FB44633787B988F370C7967D6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 0040623F, Relevance: 1.5, APIs: 1, Instructions: 257memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 53f195ea3c993c9a37e81b425ea418c36c2595b3bc112a0e5e91853b768bf366
Instruction ID: 18337ba47db0b530f6260d34fe0b5ec7aa29f1d02623a88815d5e81fd9fb7a6f
Opcode Fuzzy Hash: 53f195ea3c993c9a37e81b425ea418c36c2595b3bc112a0e5e91853b768bf366
Instruction Fuzzy Hash: D64136E1E6F313D8E21CA90098905F0616CAA0FB48633697BD88F774C6853C6237B49F

Uniqueness

Uniqueness Score: -1.00%

Function 00406388, Relevance: 1.5, APIs: 1, Instructions: 257memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9b8a498a4064aedd57cca6e8443256475b2bf3da526a7fea7e01b194afd62b86
Instruction ID: 0434e05d969a616b7eabae689364e5cd067aa72fbe9904065e493d1f5cc82561
Opcode Fuzzy Hash: 9b8a498a4064aedd57cca6e8443256475b2bf3da526a7fea7e01b194afd62b86
Instruction Fuzzy Hash: 484114E1E6F317C8D21CA94098904F0616CAA0FB48633A937E88F770C2953C6633B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00405FCC, Relevance: 1.5, APIs: 1, Instructions: 256memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7befcd8587529e04b8b3c35714f56e1a1a88e4441903f70ec136d140d90f0eb2
Instruction ID: 0a9227e5e591433e150dcabadf9f830afd6193f861c337524a35a6fd53cb31b0
Opcode Fuzzy Hash: 7befcd8587529e04b8b3c35714f56e1a1a88e4441903f70ec136d140d90f0eb2
Instruction Fuzzy Hash: 0B4113E1E6F313D8E21CA90098904B0606CAA0FB58633793B998F774C7857D6237749F

Uniqueness

Uniqueness Score: -1.00%

Function 004064AD, Relevance: 1.5, APIs: 1, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e39e9d829c5a3a338b0ab41dde620f2c3a54ca62e8483f8d296d97eddf51eed8
Instruction ID: 9b54236f0d9e087368dbc26dd18dfc61924bc4a7169dedc8ca7f66f270002127
Opcode Fuzzy Hash: e39e9d829c5a3a338b0ab41dde620f2c3a54ca62e8483f8d296d97eddf51eed8
Instruction Fuzzy Hash: 644106E1E6F317C8D21CA94498905F4606DAA0FB48633A83BD88F770C6953D6633B45F

Uniqueness

Uniqueness Score: -1.00%

Function 0040611A, Relevance: 1.5, APIs: 1, Instructions: 246memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 99f09c42fd44de04ff4172eb15f1130ac4d7bd5be39a0a329e14d14a107c0310
Instruction ID: eb21148c0eebef28d9855822513f67d9d38fe69c803be3612bb85638bb693058
Opcode Fuzzy Hash: 99f09c42fd44de04ff4172eb15f1130ac4d7bd5be39a0a329e14d14a107c0310
Instruction Fuzzy Hash: F84124E1E6E313C8E21CA90498904F0606CAA0FB08633783BA88F774C6857C6637749F

Uniqueness

Uniqueness Score: -1.00%

Function 004064E3, Relevance: 1.5, APIs: 1, Instructions: 235memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6fffc2158f4fc4a866697226c64d0fbe3a7602af7fdc1896b97278c23668dec0
Instruction ID: 95935f14bb095bfeae2f89ed5d60263cbd6663256b85276ecfc57d90a3330563
Opcode Fuzzy Hash: 6fffc2158f4fc4a866697226c64d0fbe3a7602af7fdc1896b97278c23668dec0
Instruction Fuzzy Hash: 7D4104E1E6F317C8D21CA90098905F0606DAA0FB48633A87BD88F774C2963D6633B45F

Uniqueness

Uniqueness Score: -1.00%

Function 0040651C, Relevance: 1.5, APIs: 1, Instructions: 228memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 5c03b0503c6c2920f1edf4c19ac386c07ef0d40a1a25880384329247f8a37f37
Instruction ID: b3ca6d55e8960ab30e74a3ae07dcd60b3e19cb499e8b605ac6ac6254f0d1ae01
Opcode Fuzzy Hash: 5c03b0503c6c2920f1edf4c19ac386c07ef0d40a1a25880384329247f8a37f37
Instruction Fuzzy Hash: 624157E1E6F317C8D61CA90098901F1606CAA0FB08A33A97BD84F731C2853C6233B49F

Uniqueness

Uniqueness Score: -1.00%

Function 004063B8, Relevance: 1.5, APIs: 1, Instructions: 225memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6eb5f4240618829d8e8a78e10ef807cf73bfb8c32fb17e7b29a2951338fb68d8
Instruction ID: 2f00dc2a230f51fb9d62384118a71d00f390b36409a718e374828460ca1bd262
Opcode Fuzzy Hash: 6eb5f4240618829d8e8a78e10ef807cf73bfb8c32fb17e7b29a2951338fb68d8
Instruction Fuzzy Hash: 174159E1E6F323C8D62C990498904F1515CAA0FB58973A83BE88F731C2853C6A33745F

Uniqueness

Uniqueness Score: -1.00%

Function 004066A1, Relevance: 1.5, APIs: 1, Instructions: 223memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 78562a24cf93f447454b82746c13fc8e3d756c01a078e39aa9e357679c7894cd
Instruction ID: 26127459d5c524ba27e9cf691081211e4fea02c6c825f9ac54eb64ef2ccc74bd
Opcode Fuzzy Hash: 78562a24cf93f447454b82746c13fc8e3d756c01a078e39aa9e357679c7894cd
Instruction Fuzzy Hash: C73102D1E6F317C8E21CA94098905F1606CAA0FB48633A93BD88F771C2853D6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00406565, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 4c9e1749f6229c8055a8a2ce375b7e78bf0e6e5741d69fe0ebac6070f5106d39
Instruction ID: eb2e54dfcf33fb5325c8c85fdc822f76213332898b667faec543c06646589823
Opcode Fuzzy Hash: 4c9e1749f6229c8055a8a2ce375b7e78bf0e6e5741d69fe0ebac6070f5106d39
Instruction Fuzzy Hash: 043106E1E6F317C8E21CA94498905F0606DAA0FB48633A87BD98F730C2953D6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 004063D6, Relevance: 1.5, APIs: 1, Instructions: 221memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 68c66c67b801e50f181d8439a0ddc611d64ec6e45be5ebe6b505383931486cb6
Instruction ID: 0f6f7124ad5655850500d1ceed6572a4df88029ef4e8853ed3962fc6be774000
Opcode Fuzzy Hash: 68c66c67b801e50f181d8439a0ddc611d64ec6e45be5ebe6b505383931486cb6
Instruction Fuzzy Hash: 974104E1E6E313C8D21CA90098904F1606CAA0FB58533A937E84F370C6963C6233745F

Uniqueness

Uniqueness Score: -1.00%

Function 0040670A, Relevance: 1.5, APIs: 1, Instructions: 217memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1627481f49668892c5abd06591449122cb355037b943fe2166d0a671d2c7a5d8
Instruction ID: 8d30ae49bcb8a6cc253c74482967e8abd817184fb40f05016dc24868bf8f01b4
Opcode Fuzzy Hash: 1627481f49668892c5abd06591449122cb355037b943fe2166d0a671d2c7a5d8
Instruction Fuzzy Hash: 50316895E6F353C8E61C691068905F5506DAA0FB2A273B877E84F770C2853C6633B46F

Uniqueness

Uniqueness Score: -1.00%

Function 004065FE, Relevance: 1.5, APIs: 1, Instructions: 216memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81bb3a10f315dd579e3e5ac8733f2b5d7ee8add3b0e8b385bd30c1aee0acc449
Instruction ID: 01d5fcf18818bb4f76aae30e593f00adc1915be28f5ccd04e9a04a39692d2a12
Opcode Fuzzy Hash: 81bb3a10f315dd579e3e5ac8733f2b5d7ee8add3b0e8b385bd30c1aee0acc449
Instruction Fuzzy Hash: D23104A1E6F317C8D21CA94098905F4606CAA0FB48633A83BD84F730C2963C6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00406651, Relevance: 1.5, APIs: 1, Instructions: 207memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 857028a3510c5efdd2738db3cc2b8bcc6a09fd275057a9cf2c2eac755e425183
Instruction ID: 14e97f6e752a5cc0c596161efb07689fbc96c9a5c59bf5e28bc25534c1514a20
Opcode Fuzzy Hash: 857028a3510c5efdd2738db3cc2b8bcc6a09fd275057a9cf2c2eac755e425183
Instruction Fuzzy Hash: 0031E291E6F317C8D65CA94098905F4606DAA0FB48633B83BD84F770C2963C6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 004065D9, Relevance: 1.5, APIs: 1, Instructions: 205memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e2dbee961afe5046fbc7e424591887d70c41fc58c0c5bcd900df7bc0351596f1
Instruction ID: 36d4b673febb286c980bc2433085c42d9b964697dd8d23c4853fea09a3c49010
Opcode Fuzzy Hash: e2dbee961afe5046fbc7e424591887d70c41fc58c0c5bcd900df7bc0351596f1
Instruction Fuzzy Hash: C33104E1E6F317C8D21CA90098905F0606DAA0FB48633A97BD88F770C2953D6237B45F

Uniqueness

Uniqueness Score: -1.00%

Function 0040650D, Relevance: 1.5, APIs: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b3ebb35f5edbdb4c574ba7d0e9721baf7958f52e68c30c09229cf53abbfcbaf3
Instruction ID: f931afd8adab73c3bf9faecd0acace543bff7211c73a4f25c383cbb99cb2e6c2
Opcode Fuzzy Hash: b3ebb35f5edbdb4c574ba7d0e9721baf7958f52e68c30c09229cf53abbfcbaf3
Instruction Fuzzy Hash: 274112E1E6F317C8D21CA90098905F0606DAA0FB48633A97BD88F770C2963D6233B45F

Uniqueness

Uniqueness Score: -1.00%

Function 0040658F, Relevance: 1.5, APIs: 1, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 030a2528ddb53ca5bdc510ae28cadf3b49199870e0a73ea16be569b62b901ea3
Instruction ID: e4398a3120d9438d025e5185cedc487bd576c9e2d7b9fb02d53234fefa24c851
Opcode Fuzzy Hash: 030a2528ddb53ca5bdc510ae28cadf3b49199870e0a73ea16be569b62b901ea3
Instruction Fuzzy Hash: 8D3113E1E6F317C8D21CA90098905B4606DAA0FB48633A87BD94F771C29A3D6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00406641, Relevance: 1.5, APIs: 1, Instructions: 202memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 46eaaf609b6ce57c76455f5a65e275e7ff842eeebdbf5c42e33d9ed3cec3ad7f
Instruction ID: 292003ced22cfbb901b4f4db330619353e7a2ed7943112aa6b4886ccf54390bd
Opcode Fuzzy Hash: 46eaaf609b6ce57c76455f5a65e275e7ff842eeebdbf5c42e33d9ed3cec3ad7f
Instruction Fuzzy Hash: 97311291E6F367C8E22CA94098904B5606CAA0FB58633B83BD94F771C2853D6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00406740, Relevance: 1.5, APIs: 1, Instructions: 201memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 1813f9b529e4bfb70b8adeb90dd18aea109428444bb31fdd76fb1471a2291ac4
Instruction ID: ea3acc8fe697e50d5cc89a15630b812575a0bf0bed18bcaa689f241bcc4e0edc
Opcode Fuzzy Hash: 1813f9b529e4bfb70b8adeb90dd18aea109428444bb31fdd76fb1471a2291ac4
Instruction Fuzzy Hash: 13313695E6F327C9D61CA95098805F0616CAA0FB04237A87BD84F771C2963C7237B45F

Uniqueness

Uniqueness Score: -1.00%

Function 00406686, Relevance: 1.4, APIs: 1, Instructions: 200memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: f9783c0917028e693f05e6288751c9d39dcd009dd959fc436fa1647980a4023a
Instruction ID: 472cd793b00ceb1fa5893a1cd847a577924ae94cd5d58fa4f5814b79ab7e8f16
Opcode Fuzzy Hash: f9783c0917028e693f05e6288751c9d39dcd009dd959fc436fa1647980a4023a
Instruction Fuzzy Hash: 1531F2D5E6F327C8E21CA94098905F1606DAA0FB48633A87BE84F730C2953C6637B45F

Uniqueness

Uniqueness Score: -1.00%

Function 004066D3, Relevance: 1.4, APIs: 1, Instructions: 184memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 931634e48f681bd7a38e34768f7ca2b57126a6fea8bb305e538b7f96cf67ec29
Instruction ID: 0d17a4c58edf0b8a33d5b8905e4ec218c0e597fe2e86a7852aebce6c35b1f485
Opcode Fuzzy Hash: 931634e48f681bd7a38e34768f7ca2b57126a6fea8bb305e538b7f96cf67ec29
Instruction Fuzzy Hash: 17312291E6F367C8E21CA90498804F0606CAA0FB48233B87BD84F771C2953C6237B49F

Uniqueness

Uniqueness Score: -1.00%

Function 00406703, Relevance: 1.4, APIs: 1, Instructions: 181memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(004026E1), ref: 0040677C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d13b319bed42fb61f2b0a51ab1b2ef6be45c68044fd115899e363ec68eccfb02
Instruction ID: b0670b16d728ed1d8f6c52d851e72573649bb992ba2435a0bd4ad5eade4f9aca
Opcode Fuzzy Hash: d13b319bed42fb61f2b0a51ab1b2ef6be45c68044fd115899e363ec68eccfb02
Instruction Fuzzy Hash: DE310395E6F367C8E21CA91498805F1606CAA0FB04233B87BD84F770C2953C6237B45F

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02221AA5, Relevance: 5.5, Strings: 4, Instructions: 517COMMON

Download Yara Rule

Strings

>Rk , xrefs: 02221F80
/2A,, xrefs: 02221F59
1.!T, xrefs: 0222071C
>Rk , xrefs: 02221F7B

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID: /2A,$1.!T$>Rk $>Rk
API String ID: 0-1516576515
Opcode ID: 08eee60f162ddf9838e9fd09114f6a68616df57c96d751e8b693720b024160b9
Instruction ID: daa59719253f78f4ced36547b747018de9b06952fa8926f9587b8d6cb71511c0
Opcode Fuzzy Hash: 08eee60f162ddf9838e9fd09114f6a68616df57c96d751e8b693720b024160b9
Instruction Fuzzy Hash: 65F17A70720326FFEB149EA4CC90BE673A6BF19740F944329EC5993249C7779899CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02225F3F, Relevance: .3, Instructions: 345COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19c98cd0423ec26441e59ee80baa046be23a1c272464c67674cab764c9540ecc
Instruction ID: ecdb6de094254ca513865997daf73c47275ab4086ea0368bc4bf44d134c4d371
Opcode Fuzzy Hash: 19c98cd0423ec26441e59ee80baa046be23a1c272464c67674cab764c9540ecc
Instruction Fuzzy Hash: ADC14A72924363AFDB24CFB485D47B577D5AF12320F48829AC9D68F2DEC766804AC712

Uniqueness

Uniqueness Score: -1.00%

Function 02226160, Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49d6211d0020682a43c104ba64bc92dd8e62e3d2960a096f4d954913e97c26b
Instruction ID: b3592902769e3ac42cb5c09c12dabf78c5bf65e2b569c65348e59672ff8fb299
Opcode Fuzzy Hash: b49d6211d0020682a43c104ba64bc92dd8e62e3d2960a096f4d954913e97c26b
Instruction Fuzzy Hash: 4B51F672A243939FCB24DF6884947B177D59F12360F488299CCD68F2EAD375C44AC712

Uniqueness

Uniqueness Score: -1.00%

Function 02226180, Relevance: .2, Instructions: 160COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d099a148db689d80e019da2a03c61922e6a456340b87ea89afce7bbcb38889c1
Instruction ID: ab716a592a9583f436b15468e21f513da3b403938f50253cdd63fa4a1e4d9ceb
Opcode Fuzzy Hash: d099a148db689d80e019da2a03c61922e6a456340b87ea89afce7bbcb38889c1
Instruction Fuzzy Hash: 9D51F572A243939ECB24DF6885947B1BBD5AF16360F498299CDD68F2EAC3718049C712

Uniqueness

Uniqueness Score: -1.00%

Function 022222B7, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c07df478639c32eefb1039a06b88e4fef0fa9c74f90f54b7653f93660fb7903
Instruction ID: ff5306b021fb861be894523ae32a24f85d9e6a5526e8e1ec7d1b9f7e454a3887
Opcode Fuzzy Hash: 4c07df478639c32eefb1039a06b88e4fef0fa9c74f90f54b7653f93660fb7903
Instruction Fuzzy Hash: 42413034760321FEEB10AE74C899BD53397AF05750FC54259EC864B1E9D7A784CDCA11

Uniqueness

Uniqueness Score: -1.00%

Function 02225628, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9700d928dd59d623c1f316df2556e7d2072c46321a3dd140bd3c1bd445407b6
Instruction ID: 839735726a66d53c00780f5834b9f203e9224f3f710a4d71e7d59ca61bccf2db
Opcode Fuzzy Hash: d9700d928dd59d623c1f316df2556e7d2072c46321a3dd140bd3c1bd445407b6
Instruction Fuzzy Hash: 17113A35B24373AFC724ADA884D03E72392AF96740BDDD468DCC6C7205E366889AC601

Uniqueness

Uniqueness Score: -1.00%

Function 02224EC3, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16ed6c26bc30abd84e3883d0062064626a87f27529e1044df54cc70a4d6c1ec9
Instruction ID: 52b4bcfba6493e8b48c2a4289a7a2edd3949a445ae0ac0b7fbee140b3cb5796d
Opcode Fuzzy Hash: 16ed6c26bc30abd84e3883d0062064626a87f27529e1044df54cc70a4d6c1ec9
Instruction Fuzzy Hash: 4A113D34234626BFCB2C7AA4C960BFA2366DF59350F908609EC53C749DDB67CC98D611

Uniqueness

Uniqueness Score: -1.00%

Function 022257A1, Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06dbd5f799449913f0560127120a94d9ec1bd228a4ba96e9230f8f21bb11cc32
Instruction ID: 1b0f1b1f9a611b7d43a06651fa4e9008d84871c4f8342ea52dd91873e283853b
Opcode Fuzzy Hash: 06dbd5f799449913f0560127120a94d9ec1bd228a4ba96e9230f8f21bb11cc32
Instruction Fuzzy Hash: 15F0EC31361311EFCB28DF98C0E0FA633A6AB29700FC1C069E884CB019C720ECD6CA05

Uniqueness

Uniqueness Score: -1.00%

Function 02223079, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction ID: 732c134532d96fb29955e73fcd573646f8ebc6089a05545e247013d8d4537ed8
Opcode Fuzzy Hash: 272e97a669d3b6470e36b210c5f872993beb2fa133650b2bcf27f94f1a4ddef5
Instruction Fuzzy Hash: BFB092BA6015808FFF42CB0CC481B0073F0FB48648B0804E0E402CB712D224E900CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02225246, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1316706510.0000000002220000.00000040.00000001.sdmp, Offset: 02220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a04a220e949eafde2005e8f47f5f5dd572947f0b36a8d3eda31a81186914ce7
Instruction ID: 430fc26140526c9e7c58c6f64364384799b4640097cdddb5767c0e99a1a3b7bb
Opcode Fuzzy Hash: 4a04a220e949eafde2005e8f47f5f5dd572947f0b36a8d3eda31a81186914ce7
Instruction Fuzzy Hash: 81C09274362A40CFD789CE0AC280FC173B1BB84B50F8594A4F8028BA9AC3A9E800DA00

Uniqueness

Uniqueness Score: -1.00%

Function 00411EF5, Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 109COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00411F10
__vbaLenBstrB.MSVBVM60(00402DA8,?,?,?,?,00401226), ref: 00411F27
__vbaVarLateMemCallLd.MSVBVM60(?,?,rB5217,00000000,00402DA8,?,?,?,?,00401226), ref: 00411F44
__vbaNew2.MSVBVM60(00402BB4,0041633C), ref: 00411F5F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,0000001C), ref: 00411FA3
__vbaChkstk.MSVBVM60(00000000,?,00402BA4,0000001C), ref: 00411FC8
__vbaCastObjVar.MSVBVM60(?,00402DBC), ref: 00411FDF
__vbaObjSet.MSVBVM60(?,00000000,?,00402DBC), ref: 00411FE9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,00000058), ref: 00412012
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041202A
__vbaFreeVar.MSVBVM60 ref: 00412035
__vbaFreeVar.MSVBVM60(00412065,00402DA8,?,?,?,?,00401226), ref: 0041205F

Strings

rB5217, xrefs: 00411F37
e A, xrefs: 0041205C
<cA, xrefs: 00411F74

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$BstrCallCastLateListNew2
String ID: <cA$e A$rB5217
API String ID: 2853878360-4026250076
Opcode ID: 9228b344571125cdcbdfc4c24194414734720f6696cf1c01854180bd124b74e9
Instruction ID: ed152cffca88a9d3ab6b7f83dccb6568586396d43fa4a47017a37bce4dd90825
Opcode Fuzzy Hash: 9228b344571125cdcbdfc4c24194414734720f6696cf1c01854180bd124b74e9
Instruction Fuzzy Hash: 9A410771900208AFDB00EFD5C94AFDEBBB9AF08704F10452AF501BB1A1D7B9A985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411CEA, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 122COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00411D07
__vbaVarDup.MSVBVM60 ref: 00411D2D
#717.MSVBVM60(?,?,00000003,00000000), ref: 00411D3E
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,00000003,00000000), ref: 00411D59
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,00000003,00000000), ref: 00411D6C
__vbaNew2.MSVBVM60(00402BB4,0041633C), ref: 00411D93
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,0000001C), ref: 00411DE9
__vbaChkstk.MSVBVM60(?), ref: 00411E1B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,0000005C), ref: 00411E5E
__vbaVarMove.MSVBVM60(00000000,?,00402D74,0000005C), ref: 00411E95
__vbaFreeObj.MSVBVM60(00000000,?,00402D74,0000005C), ref: 00411E9D
__vbaFreeVar.MSVBVM60(00411EDA), ref: 00411ED4

Strings

<cA, xrefs: 00411DAE

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#717ListMoveNew2
String ID: <cA
API String ID: 2511207350-2637925508
Opcode ID: f66bac22812330e9a89165ded2ea4779d1b0db5245764d9571ba3fbe1d1dec9f
Instruction ID: fa265b766d35ecb9380df94c2a7784ce7f12b9e254dd7b67fc11c25d04fd4931
Opcode Fuzzy Hash: f66bac22812330e9a89165ded2ea4779d1b0db5245764d9571ba3fbe1d1dec9f
Instruction Fuzzy Hash: C651D571D00218AFDB10DF95D845BDDBBB8BF08704F5080AAE518B72A1DBB85A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 004157A5, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 004157C1
__vbaNew2.MSVBVM60(00402BB4,0041633C,?,?,?,?,00401226), ref: 004157F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,00000014), ref: 0041583C
__vbaNew2.MSVBVM60(00402100,00416010), ref: 00415871
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041589E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B74,00000238), ref: 004158D3
__vbaChkstk.MSVBVM60 ref: 004158E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,0000013C), ref: 0041591E
__vbaFreeStr.MSVBVM60 ref: 0041592F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041593E

Strings

<cA, xrefs: 0041580D

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2$List
String ID: <cA
API String ID: 3896226546-2637925508
Opcode ID: 7e6273174af9f66946bab92c8b6960857e9fa645e6bec90dc793bdf2601594ad
Instruction ID: 300713a24512775fd51ff0c53f4a404e5ddf5d0e91e651cd6f0fe8e7106b9a16
Opcode Fuzzy Hash: 7e6273174af9f66946bab92c8b6960857e9fa645e6bec90dc793bdf2601594ad
Instruction Fuzzy Hash: B651DF70D00608EFDB00EF95C949BDDBBB5BF08704F20406AE415BB2A1C7B9A995DF59

Uniqueness

Uniqueness Score: -1.00%

Function 004119C9, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 004119E4
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 004119FC
#538.MSVBVM60(?,000007DB,0000000B,0000000B,?,?,?,?,00401226), ref: 00411A0E
#557.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,?,?,00401226), ref: 00411A17
__vbaFreeVar.MSVBVM60(?,?,000007DB,0000000B,0000000B,?,?,?,?,00401226), ref: 00411A2E
__vbaNew2.MSVBVM60(00402BB4,0041633C,?,?,000007DB,0000000B,0000000B,?,?,?,?,00401226), ref: 00411A52
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,0000001C,?,?,?,?,?,?,?,?,?,?,000007DB,0000000B), ref: 00411A96
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,00000064,?,?,?,?,?,?,?,?,?,?,000007DB,0000000B), ref: 00411AD3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,000007DB,0000000B,0000000B), ref: 00411AE4
__vbaFreeVar.MSVBVM60(00411B0A,?,?,000007DB,0000000B,0000000B,?,?,?,?,00401226), ref: 00411B04

Strings

<cA, xrefs: 00411A67

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#538#557ChkstkNew2
String ID: <cA
API String ID: 820695169-2637925508
Opcode ID: 9f756f518267870b0bb4e82f18e74fdee73a22594a629bd6466479799fc58d5f
Instruction ID: be0ecd35a887c97734e40adee5599207ddb25778cb0d66e74565542c23b9c8ab
Opcode Fuzzy Hash: 9f756f518267870b0bb4e82f18e74fdee73a22594a629bd6466479799fc58d5f
Instruction Fuzzy Hash: AD312570901208EFDB14EFD5C986BDDBBB4FF08744F60442AF501BA1A0D7B8A945CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00411BC3, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 77COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00411BDF
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 00411C09
__vbaNew2.MSVBVM60(00402BB4,0041633C,?,?,?,?,00401226), ref: 00411C21
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,0000004C), ref: 00411C65
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D8C,00000028), ref: 00411C9C
__vbaFreeObj.MSVBVM60 ref: 00411CAD
__vbaFreeVar.MSVBVM60(00411CCB), ref: 00411CC5

Strings

<cA, xrefs: 00411C36

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID: <cA
API String ID: 304406766-2637925508
Opcode ID: 99e315742264b2f566d72b7ed493fc19a0e92a3849dfcbc0e365ac7a72caaa97
Instruction ID: 8f75013d6b86449092da32d6b1d7cd04d6f050dc804788001ff890bd04864471
Opcode Fuzzy Hash: 99e315742264b2f566d72b7ed493fc19a0e92a3849dfcbc0e365ac7a72caaa97
Instruction Fuzzy Hash: EC31D270940208EFDB10EF99DA85BCDBBB1AF08714F10806AF505B72A1D7795985CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00411567, Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00411582
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 0041159A
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 004115A5
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,00401226), ref: 004115BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004115EA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,000001BC), ref: 0041161B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0041162C
__vbaFreeVar.MSVBVM60(00411652,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00411644
__vbaFreeVar.MSVBVM60(00411652,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 0041164C

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 7c5c46decd64a9a87b8c75088027c3877a272184298147065726430e19001d9e
Instruction ID: a2a9101309004e3e03b1f41ec385a3daee3c31d3c2cb1ce3c90546ce9b2b6807
Opcode Fuzzy Hash: 7c5c46decd64a9a87b8c75088027c3877a272184298147065726430e19001d9e
Instruction Fuzzy Hash: D7210770900208EFDB14EF91D886BDDBBB9FF08708F10442AF502B62B1DBB96945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004117C2, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 004117DD
__vbaNew2.MSVBVM60(00402BB4,0041633C,?,?,?,?,00401226), ref: 00411802
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402BA4,00000014,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00411846
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D34,000000C0,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 00411887
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401226), ref: 004118A0

Strings

<cA, xrefs: 00411817

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: <cA
API String ID: 1616694062-2637925508
Opcode ID: 3799c4d5972e2bc72815879f954490fd08460b8f50b0291d8ecb5d2273592336
Instruction ID: ab00320caf263da3acc1c7cd04422ce3b05c562e542c519a46f4424cb51a6a39
Opcode Fuzzy Hash: 3799c4d5972e2bc72815879f954490fd08460b8f50b0291d8ecb5d2273592336
Instruction Fuzzy Hash: A631D271D00208EFDB00EF99D985FDDBBB4FB08714F20806AF511B62A0D3B958859B29

Uniqueness

Uniqueness Score: -1.00%

Function 00412078, Relevance: 10.5, APIs: 7, Instructions: 40COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00412094
__vbaStrCopy.MSVBVM60(?,?,?,?,00401226), ref: 004120BE
__vbaVarDup.MSVBVM60(?,?,?,?,00401226), ref: 004120C9
#594.MSVBVM60(0000000A), ref: 004120E0
__vbaFreeVar.MSVBVM60(0000000A), ref: 004120E8
__vbaFreeStr.MSVBVM60(0041210E,0000000A), ref: 00412100
__vbaFreeVar.MSVBVM60(0041210E,0000000A), ref: 00412108

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#594ChkstkCopy
String ID:
API String ID: 1840262908-0
Opcode ID: 1ea1b4bcaf7332576e076980a36f0c5454b98d51a23b74d3eeec58f68871f7d5
Instruction ID: 0f08df9b3304099694c371ee212d550c1141f3c4486050db13275142641ac8af
Opcode Fuzzy Hash: 1ea1b4bcaf7332576e076980a36f0c5454b98d51a23b74d3eeec58f68871f7d5
Instruction Fuzzy Hash: 72015E70900208EBDB00EF91D886BDDBFB4FF08744F40406AF900B75A1DB786945CB88

Uniqueness

Uniqueness Score: -1.00%

Function 00411665, Relevance: 7.6, APIs: 5, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401226), ref: 00411681
__vbaNew2.MSVBVM60(00402100,00416010,?,?,?,?,00401226), ref: 004116B8
__vbaObjSet.MSVBVM60(?,00000000), ref: 004116E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402B84,000001BC), ref: 00411716
__vbaFreeObj.MSVBVM60 ref: 00411727

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 9db552952a17a2ae902d6af2c54f89167ba7bcb5e746ed802c37a61a74ae3585
Instruction ID: e6db62cf87bec3d6232e6cd17ce3a9c092c9d2564c87018be2b88bbcc8f98927
Opcode Fuzzy Hash: 9db552952a17a2ae902d6af2c54f89167ba7bcb5e746ed802c37a61a74ae3585
Instruction Fuzzy Hash: F221C874900208EFDB00EFA5C849BDEBBB4FB08744F10846AF516BB2A1C7799945DF99

Uniqueness

Uniqueness Score: -1.00%

Function 00411B1D, Relevance: 7.6, APIs: 5, Instructions: 58COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60 ref: 00411B23
#693.MSVBVM60(00402D88), ref: 00411B2F
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,00402D88), ref: 00411B5D
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,00402D88), ref: 00411B6E
__vbaHresultCheckObj.MSVBVM60(?,?,0040299C,000002B0,?,?,?,?,?,?,00402D88), ref: 00411BA5

Memory Dump Source

Source File: 00000001.00000002.1315906060.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1315896035.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1315921750.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1315936393.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$#693CheckHresult
String ID:
API String ID: 2297938516-0
Opcode ID: c47b4c4b7b1ec0392cf5e8095ffc2424c2bff88b329b7f53aafb665f120dcdd4
Instruction ID: 1d6f3b8fffb385734c105970e6e5907962f28b821f80a1b9715ef1a58ca57d34
Opcode Fuzzy Hash: c47b4c4b7b1ec0392cf5e8095ffc2424c2bff88b329b7f53aafb665f120dcdd4
Instruction Fuzzy Hash: C1112E75900308ABDB01EF95D84ABCE7BB2EF49714F10446AF900BB2E1C3BA59418F6D

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report REQUEST FOR QUOTATION.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: REQUEST FOR QUOTATION.exe PID: 5720 Parent PID: 5564

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: REQUEST FOR QUOTATION.exe PID: 5720 Parent PID: 5564 REQUEST FOR QUOTATION.exeCOMMON

Executed Functions

Function 0040F5C4, Relevance: 297.6, APIs: 155, Strings: 14, Instructions: 1878COMMON

Function 0041212D, Relevance: 52.8, APIs: 26, Strings: 4, Instructions: 272COMMON

Function 004118D3, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 64COMMON

Function 00401394, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 156COMMON

Function 00406280, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 350memoryCOMMON