Play interactive tour

Edit tour

Analysis Report USD18,620-00_swift-copy_mt103.exe

Overview

General Information

Sample Name:	USD18,620-00_swift-copy_mt103.exe
Analysis ID:	356539
MD5:	395a2f37acb7606721dd540c4bd25575
SHA1:	a1e28437c7d4c64fd087078e9063a4588f36018f
SHA256:	376e9cf15752762b0b38372261de1b2595816c2116100a2cf7164e5227b3a207
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Machine Learning detection for sample

Potentially malicious time measurement code found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains an invalid checksum

PE file contains strange resources

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

USD18,620-00_swift-copy_mt103.exe (PID: 6600 cmdline: 'C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe' MD5: 395A2F37ACB7606721DD540C4BD25575)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: USD18,620-00_swift-copy_mt103.exe	Virustotal: Detection: 30%			Perma Link
Source: USD18,620-00_swift-copy_mt103.exe	ReversingLabs: Detection: 21%

Machine Learning detection for sample

Show sources

Source: USD18,620-00_swift-copy_mt103.exe

Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files

Show sources

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BCE961 NtProtectVirtualMemory,

1_2_02BCE961

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.751691739.0000000002210000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs USD18,620-00_swift-copy_mt103.exe
Source: USD18,620-00_swift-copy_mt103.exe	Binary or memory string: OriginalFilenameTannages7.exe vs USD18,620-00_swift-copy_mt103.exe

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DFE00194A98C429E88.TMP

Jump to behavior

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: USD18,620-00_swift-copy_mt103.exe	Virustotal: Detection: 30%
Source: USD18,620-00_swift-copy_mt103.exe	ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Window detected: Number of UI elements: 15

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: USD18,620-00_swift-copy_mt103.exe PID: 6600, type: MEMORY

Source: USD18,620-00_swift-copy_mt103.exe

Static PE information: real checksum: 0x416ac should be: 0x3a3c0

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_00407B19 push 760F90C1h; iretd	1_2_00407B92
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE6D8 push esp; retf	1_2_02BCE6DC
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE707 push cs; ret	1_2_02BCE954
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCE861 push cs; ret	1_2_02BCE954

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1228	1_2_02BC1228
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC13BC	1_2_02BC13BC
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1358	1_2_02BC1358
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1049	1_2_02BC1049
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC71B8	1_2_02BC71B8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1160	1_2_02BC1160
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1688	1_2_02BC1688
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1650	1_2_02BC1650
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1780	1_2_02BC1780
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC17E8	1_2_02BC17E8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC45B2	1_2_02BC45B2
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC15E0	1_2_02BC15E0
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1570	1_2_02BC1570
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1568	1_2_02BC1568
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC3567	1_2_02BC3567
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1AC4	1_2_02BC1AC4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCEA05	1_2_02BCEA05
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1A48	1_2_02BC1A48
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1B88	1_2_02BC1B88
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1BF4	1_2_02BC1BF4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC18C4	1_2_02BC18C4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1860	1_2_02BC1860
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1980	1_2_02BC1980
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC19E4	1_2_02BC19E4
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC191C	1_2_02BC191C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1CB8	1_2_02BC1CB8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1C50	1_2_02BC1C50
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1D87	1_2_02BC1D87
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1DE8	1_2_02BC1DE8
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1D14	1_2_02BC1D14

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: USD18,620-00_swift-copy_mt103.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

RDTSC instruction interceptor: First address: 0000000002BC671A second address: 0000000002BC671A instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F6A903A1645h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp cx, dx 0x00000020 pop ecx 0x00000021 cmp dl, dl 0x00000023 jmp 00007F6A903A163Ah 0x00000025 test dh, dh 0x00000027 add edi, edx 0x00000029 dec ecx 0x0000002a cmp ecx, 00000000h 0x0000002d jne 00007F6A903A1540h 0x00000033 jmp 00007F6A903A163Ah 0x00000035 test dh, dh 0x00000037 push ecx 0x00000038 test ecx, 8A763D23h 0x0000003e call 00007F6A903A16B5h 0x00000043 call 00007F6A903A1655h 0x00000048 lfence 0x0000004b mov edx, dword ptr [7FFE0014h] 0x00000051 lfence 0x00000054 ret 0x00000055 mov esi, edx 0x00000057 pushad 0x00000058 rdtsc

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC5290 rdtsc

1_2_02BC5290

Source: USD18,620-00_swift-copy_mt103.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Potentially malicious time measurement code found

Show sources

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1049 Start: 02BC144F End: 02BC11C0		1_2_02BC1049
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC1160 Start: 02BC144F End: 02BC11C0		1_2_02BC1160

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC5290 rdtsc

1_2_02BC5290

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC636A mov eax, dword ptr fs:[00000030h]	1_2_02BC636A
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC4118 mov eax, dword ptr fs:[00000030h]	1_2_02BC4118
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCC104 mov eax, dword ptr fs:[00000030h]	1_2_02BCC104
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCC144 mov eax, dword ptr fs:[00000030h]	1_2_02BCC144
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC4600 mov eax, dword ptr fs:[00000030h]	1_2_02BC4600
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC465C mov eax, dword ptr fs:[00000030h]	1_2_02BC465C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC45B2 mov eax, dword ptr fs:[00000030h]	1_2_02BC45B2
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC458C mov eax, dword ptr fs:[00000030h]	1_2_02BC458C
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BC3567 mov eax, dword ptr fs:[00000030h]	1_2_02BC3567
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCAB24 mov eax, dword ptr fs:[00000030h]	1_2_02BCAB24
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCD9B3 mov eax, dword ptr fs:[00000030h]	1_2_02BCD9B3
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Code function: 1_2_02BCD9FB mov eax, dword ptr fs:[00000030h]	1_2_02BCD9FB

HIPS / PFW / Operating System Protection Evasion:

Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: USD18,620-00_swift-copy_mt103.exe, 00000001.00000002.750838494.0000000000D90000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe

Code function: 1_2_02BC3055 cpuid

1_2_02BC3055

Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe	Queries volume information: C:\ VolumeInformation			Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Security Software Discovery311	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery221	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
USD18,620-00_swift-copy_mt103.exe	30%	Virustotal		Browse
USD18,620-00_swift-copy_mt103.exe	21%	ReversingLabs	Win32.Trojan.Generic
USD18,620-00_swift-copy_mt103.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	356539
Start date:	23.02.2021
Start time:	09:47:26
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	USD18,620-00_swift-copy_mt103.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 1.6% (good quality ratio 1.4%) Quality average: 53.7% Quality standard deviation: 17.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
09:48:14	API Interceptor	1x Sleep call for process: USD18,620-00_swift-copy_mt103.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.577899394086821
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	USD18,620-00_swift-copy_mt103.exe
File size:	221184
MD5:	395a2f37acb7606721dd540c4bd25575
SHA1:	a1e28437c7d4c64fd087078e9063a4588f36018f
SHA256:	376e9cf15752762b0b38372261de1b2595816c2116100a2cf7164e5227b3a207
SHA512:	30a94488d7f8e7dbe8b3b8f876e103e6377ed901a6ce23545aa6e9758c691807434c86166b391e3016dc3a6c18f17d47535a4948b4d7c09160c9017006788c8f
SSDEEP:	1536:Bwruwhmp6AsZ0BqiMIZu6e2XtZXbhiXlQzJVhyyoyMcC8KI3nx1JalqUoqFdYC+:CSte0zrXtphYOzbhywrp
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L....eKO................. ...@...............0....@................

File Icon


Icon Hash:	0634b8d4c8c4c0ce

Static PE Info

General
Entrypoint:	0x401608
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4F4B65A7 [Mon Feb 27 11:14:47 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c34d630eb809dc856f203fbb66941a87

Entrypoint Preview

Instruction
push 00402B7Ch
call 00007F6A90D91F15h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp-48h], dh
pushad
pop eax
imul esp, dword ptr [esi-6171BFE6h], 516507DFh
sbb eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add edi, dword ptr [eax]
or byte ptr [ecx+00h], al
push eax
jc 00007F6A90D91F91h
push 00000065h
arpl word ptr [ecx+esi+00h], si
jnbe 00007F6A90D91F44h
add eax, dword ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub byte ptr [edi+6A724505h], bl
jmp 00007F6A90D91F20h
dec edx
cmpsd
adc esi, dword ptr [esi-1435F1A5h]
dec ebp
mov edx, 07CE35CBh
dec ecx
dec ecx
scasd
inc eax
and dword ptr [esi+ecx+10h], edx
mov al, byte ptr [33AD4F3Ah]
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov edx, dword ptr [eax+eax]
add byte ptr [ebx+0000000Eh], al
or al, byte ptr [eax]
inc ebx
push 6F6B6665h
outsb
outsd
insd
xor dword ptr [eax], eax
or eax, 72000501h
imul esi, dword ptr [edx+edi*2+61h], 00000000h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x32604	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x35000	0x122a	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x114	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x31ae4	0x32000	False	0.262973632813	data	6.79901735773	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x33000	0x1280	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x35000	0x122a	0x2000	False	0.164794921875	data	2.26783554917	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x35982	0x8a8	data
RT_ICON	0x3541a	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x353f8	0x22	data
RT_VERSION	0x35120	0x2d8	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Coldest
InternalName	Tannages7
FileVersion	1.00
CompanyName	SummerDream Company
LegalTrademarks	Coldest
Comments	SummerDream Company
ProductName	Project1
ProductVersion	1.00
OriginalFilename	Tannages7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: USD18,620-00_swift-copy_mt103.exe PID: 6600 Parent PID: 5796

General

Start time:	09:48:14
Start date:	23/02/2021
Path:	C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\USD18,620-00_swift-copy_mt103.exe'
Imagebase:	0x7fffae0c0000
File size:	221184 bytes
MD5 hash:	395A2F37ACB7606721DD540C4BD25575
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: USD18,620-00_swift-copy_mt103.exe PID: 6600 Parent PID: 5796 USD18,620-00_swift-copy_mt103.exeCOMMON

Executed Functions

Function 004300C0, Relevance: 84.3, APIs: 39, Strings: 9, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E004300C0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				void* _v36;
				signed int _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				signed int _v92;
				char _v100;
				char* _v124;
				intOrPtr _v132;
				void* _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				signed int _t150;
				char* _t153;
				signed int _t158;
				signed int _t162;
				signed int _t170;
				signed int _t174;
				char* _t178;
				signed int _t179;
				signed int _t180;
				signed int _t186;
				signed int _t192;
				void* _t230;
				void* _t232;
				intOrPtr _t233;

				_t233 = _t232 - 0xc;
				 *[fs:0x0] = _t233;
				L00401470();
				_v16 = _t233;
				_v12 = 0x4012c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401476, _t230);
				L004015BA();
				_v92 = L"VB.OptionButton";
				_v100 = 8;
				_v124 = L"Perversiteterne";
				_v132 = 8;
				_t150 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v52);
				asm("fclex");
				_v156 = _t150;
				if(_v156 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x4031dc);
					_push(_a4);
					_push(_v156);
					L004015D8();
					_v188 = _t150;
				}
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v52);
				_t153 =  &_v68;
				_push(_t153); // executed
				L0040153C(); // executed
				_push(_t153);
				L00401542();
				_push(_t153);
				_push( &_v32);
				L00401548();
				L004015D2();
				L004015C6();
				if( *0x433010 != 0) {
					_v192 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v192 = 0x433010;
				}
				_t158 =  &_v52;
				L004015E4();
				_v156 = _t158;
				_t162 =  *((intOrPtr*)( *_v156 + 0x218))(_v156,  &_v48, _t158,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x330))( *_v192));
				asm("fclex");
				_v160 = _t162;
				if(_v160 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x403650);
					_push(_v156);
					_push(_v160);
					L004015D8();
					_v196 = _t162;
				}
				_v180 = _v48;
				_v48 = _v48 & 0x00000000;
				_v60 = _v180;
				_v68 = 8;
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v32);
				L00401536();
				L004015D2();
				L004015C6();
				_v92 = 0x3071;
				_v100 = 2;
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v32);
				L00401536();
				if( *0x433010 != 0) {
					_v200 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v200 = 0x433010;
				}
				_t170 =  &_v52;
				L004015E4();
				_v156 = _t170;
				_t174 =  *((intOrPtr*)( *_v156 + 0x128))(_v156,  &_v152, _t170,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x35c))( *_v200));
				asm("fclex");
				_v160 = _t174;
				if(_v160 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x403650);
					_push(_v156);
					_push(_v160);
					L004015D8();
					_v204 = _t174;
				}
				_v92 = _v152;
				_v100 = 2;
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v32);
				L00401536();
				L004015D2();
				_v92 = _v92 | 0xffffffff;
				_v100 = 0xb;
				_push(0x10);
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v32);
				L00401536();
				_v92 = L"Organisationsformens";
				_v100 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v32);
				_t178 =  &_v68;
				_push(_t178);
				L0040153C();
				_push(_t178);
				_t179 =  &_v100;
				_push(_t179);
				L00401530();
				_v156 = _t179;
				L004015C6();
				_t180 = _v156;
				if(_t180 != 0) {
					if( *0x4333a0 != 0) {
						_v208 = 0x4333a0;
					} else {
						_push(0x4333a0);
						_push(0x403b80);
						L004015DE();
						_v208 = 0x4333a0;
					}
					_v156 =  *_v208;
					_t186 =  *((intOrPtr*)( *_v156 + 0x1c))(_v156,  &_v52);
					asm("fclex");
					_v160 = _t186;
					if(_v160 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403b70);
						_push(_v156);
						_push(_v160);
						L004015D8();
						_v212 = _t186;
					}
					_v164 = _v52;
					_v92 = 0x80020004;
					_v100 = 0xa;
					L00401470();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t192 =  *((intOrPtr*)( *_v164 + 0x5c))(_v164, 0x10,  &_v48);
					asm("fclex");
					_v168 = _t192;
					if(_v168 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x403b90);
						_push(_v164);
						_push(_v168);
						L004015D8();
						_v216 = _t192;
					}
					_t180 = _v48;
					_v184 = _t180;
					_v48 = _v48 & 0x00000000;
					L004015C0();
					L004015D2();
				}
				asm("wait");
				_push(0x4305ab);
				L004015A8();
				L004015D2();
				L004015A8();
				return _t180;
			}

0x004300c3
0x004300d2
0x004300de
0x004300e6
0x004300e9
0x004300f0
0x004300ff
0x00430108
0x0043010d
0x00430114
0x0043011b
0x00430122
0x00430135
0x0043013b
0x0043013d
0x0043014a
0x0043016c
0x0043014c
0x0043014c
0x00430151
0x00430156
0x00430159
0x0043015f
0x00430164
0x00430164
0x00430173
0x00430176
0x00430180
0x00430181
0x00430182
0x00430183
0x00430184
0x00430187
0x00430191
0x00430192
0x00430193
0x00430194
0x00430195
0x00430197
0x0043019c
0x0043019f
0x004301a2
0x004301a3
0x004301ab
0x004301ac
0x004301b1
0x004301b5
0x004301b6
0x004301be
0x004301c6
0x004301d2
0x004301ef
0x004301d4
0x004301d4
0x004301d9
0x004301de
0x004301e3
0x004301e3
0x00430213
0x00430217
0x0043021c
0x00430234
0x0043023a
0x0043023c
0x00430249
0x0043026e
0x0043024b
0x0043024b
0x00430250
0x00430255
0x0043025b
0x00430261
0x00430266
0x00430266
0x00430278
0x0043027e
0x00430288
0x0043028b
0x00430292
0x00430295
0x0043029f
0x004302a0
0x004302a1
0x004302a2
0x004302a3
0x004302a8
0x004302ab
0x004302b3
0x004302bb
0x004302c0
0x004302c7
0x004302ce
0x004302d1
0x004302db
0x004302dc
0x004302dd
0x004302de
0x004302df
0x004302e4
0x004302e7
0x004302f3
0x00430310
0x004302f5
0x004302f5
0x004302fa
0x004302ff
0x00430304
0x00430304
0x00430334
0x00430338
0x0043033d
0x00430358
0x0043035e
0x00430360
0x0043036d
0x00430392
0x0043036f
0x0043036f
0x00430374
0x00430379
0x0043037f
0x00430385
0x0043038a
0x0043038a
0x004303a0
0x004303a4
0x004303ab
0x004303ae
0x004303b8
0x004303b9
0x004303ba
0x004303bb
0x004303bc
0x004303c1
0x004303c4
0x004303cc
0x004303d1
0x004303d5
0x004303dc
0x004303df
0x004303e9
0x004303ea
0x004303eb
0x004303ec
0x004303ed
0x004303f2
0x004303f5
0x004303fa
0x00430401
0x00430408
0x0043040a
0x0043040f
0x00430412
0x00430415
0x00430416
0x0043041e
0x0043041f
0x00430422
0x00430423
0x00430428
0x00430432
0x00430437
0x00430440
0x0043044d
0x0043046a
0x0043044f
0x0043044f
0x00430454
0x00430459
0x0043045e
0x0043045e
0x0043047c
0x00430494
0x00430497
0x00430499
0x004304a6
0x004304c8
0x004304a8
0x004304a8
0x004304aa
0x004304af
0x004304b5
0x004304bb
0x004304c0
0x004304c0
0x004304d2
0x004304d8
0x004304df
0x004304ed
0x004304f7
0x004304f8
0x004304f9
0x004304fa
0x00430509
0x0043050c
0x0043050e
0x0043051b
0x0043053d
0x0043051d
0x0043051d
0x0043051f
0x00430524
0x0043052a
0x00430530
0x00430535
0x00430535
0x00430544
0x00430547
0x0043054d
0x0043055a
0x00430562
0x00430562
0x00430567
0x00430568
0x00430595
0x0043059d
0x004305a5
0x004305aa

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004300DE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00430108
__vbaHresultCheckObj.MSVBVM60(00000000,004012C0,004031DC,00000218), ref: 0043015F
__vbaChkstk.MSVBVM60(00000000,004012C0,004031DC,00000218), ref: 00430176
__vbaChkstk.MSVBVM60(00000000,004012C0,004031DC,00000218), ref: 00430187
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 004301A3
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 004301AC
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 004301B6
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 004301BE
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 004301C6
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000,00000000), ref: 004301DE
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430217
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000218), ref: 00430261
__vbaChkstk.MSVBVM60(00000000,?,00403650,00000218), ref: 00430295
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 004302AB
__vbaFreeObj.MSVBVM60(?,Caption), ref: 004302B3
__vbaFreeVar.MSVBVM60(?,Caption), ref: 004302BB
__vbaChkstk.MSVBVM60(?,Caption), ref: 004302D1
__vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 004302E7
__vbaNew2.MSVBVM60(00403E5C,00433010,?,Left,?,Caption), ref: 004302FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430338
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000128), ref: 00430385
__vbaChkstk.MSVBVM60(00000000,?,00403650,00000128), ref: 004303AE
__vbaLateMemSt.MSVBVM60(?,Top), ref: 004303C4
__vbaFreeObj.MSVBVM60(?,Top), ref: 004303CC
__vbaChkstk.MSVBVM60(?,Top), ref: 004303DF
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top), ref: 004303F5
__vbaLateMemCallLd.MSVBVM60(00000008,?,Caption,00000000,?,Visible,?,Top), ref: 00430416
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000), ref: 00430423
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000), ref: 00430432
__vbaNew2.MSVBVM60(00403B80,004333A0,?,00000000,?,?,00000000), ref: 00430459
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B70,0000001C), ref: 004304BB
__vbaChkstk.MSVBVM60(00000000), ref: 004304ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B90,0000005C), ref: 00430530
__vbaStrMove.MSVBVM60(00000000,?,00403B90,0000005C), ref: 0043055A
__vbaFreeObj.MSVBVM60(00000000,?,00403B90,0000005C), ref: 00430562
__vbaFreeStr.MSVBVM60(004305AB,?,00000000,?,?,00000000), ref: 00430595
__vbaFreeObj.MSVBVM60(004305AB,?,00000000,?,?,00000000), ref: 0043059D
__vbaFreeStr.MSVBVM60(004305AB,?,00000000,?,?,00000000), ref: 004305A5

Strings

Caption, xrefs: 004302A3, 0043040A
VB.OptionButton, xrefs: 0043010D
q0, xrefs: 004302C0
Top, xrefs: 004303BC
Visible, xrefs: 004303ED
Left, xrefs: 004302DF
Perversiteterne, xrefs: 0043011B
Add, xrefs: 00430197
Organisationsformens, xrefs: 004303FA

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$Late$CheckHresult$New2$Call$AddrefCopyMove
String ID: Add$Caption$Left$Organisationsformens$Perversiteterne$Top$VB.OptionButton$Visible$q0
API String ID: 1415330174-305080560
Opcode ID: 5deb93ef0ed35a63b5447a7207dda5a854e7a7120e52ad162b9bbbc576d4a3b7
Instruction ID: e1b3012a881c4144dfa8c9d3f370bf2e02b6c9210d8178fbf325bd39499bb58b
Opcode Fuzzy Hash: 5deb93ef0ed35a63b5447a7207dda5a854e7a7120e52ad162b9bbbc576d4a3b7
Instruction Fuzzy Hash: 99D10970910228EFDB10EFA1CC55BDDBBB5BF09305F1041AAE509BB2A1CB795A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401608, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 77%

			_entry_() {
				signed char _t51;
				intOrPtr* _t52;
				signed int _t54;
				signed char _t55;
				signed char _t56;
				intOrPtr* _t57;
				signed int _t59;
				intOrPtr* _t60;
				void* _t65;
				signed int _t67;
				signed int _t69;
				intOrPtr* _t70;
				signed char _t71;
				void* _t73;
				signed int _t74;
				void* _t75;
				void* _t76;
				signed int _t77;
				void* _t78;
				signed short _t79;
				void* _t83;
				void* _t85;

				_push("VB5!6&*"); // executed
				L00401602(); // executed
				 *_t51 =  *_t51 + _t51;
				 *_t51 =  *_t51 + _t51;
				 *_t51 =  *_t51 + _t51;
				 *_t51 =  *_t51 ^ _t51;
				 *_t51 =  *_t51 + _t51;
				_t52 = _t51 + 1;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *_t52 =  *_t52 + _t52;
				 *((intOrPtr*)(_t78 - 0x48)) =  *((intOrPtr*)(_t78 - 0x48)) + _t69;
				_t53 = 0xa6695860;
				asm("sbb al, [eax-0x72]");
				asm("sahf");
				asm("fild word [edi]");
				_push(_t67);
				asm("repe sbb eax, [eax]");
				 *0xa6695860 =  *0xa6695860 + 0xa6695860;
				 *0xa6695860 =  *0xa6695860 + 0xa6695860;
				 *_t67 =  *_t67 + 0xa6695860;
				 *0xa6695860 =  *0xa6695860 + 0xa6695860;
				 *_t60 =  *_t60 + 0xa6695860;
				_t74 = _t73 +  *0xa6695860;
				 *_t67 =  *_t67 | 0xa6695860;
				_t85 =  *_t67;
				_push(0xa6695860);
				if(_t85 < 0) {
					L6:
					_push(cs);
					 *_t53 =  *_t53 + _t53;
					 *_t69 =  *_t69 + _t67;
					 *((intOrPtr*)(_t60 + 0x68)) =  *((intOrPtr*)(_t60 + 0x68)) + _t53;
					_t79 =  *[gs:edi+0x6e] * 0x6f;
					asm("insd");
					 *_t53 =  *_t53 ^ _t53;
					_t54 = _t53 | 0x72000501;
					_t77 =  *(_t69 + 0x61 + _t74 * 2) * 0x11900;
					_t70 = _t69 + 1;
					 *_t60 =  *_t60 + _t54;
					 *_t54 =  *_t54 + _t54;
					asm("insb");
					if ( *_t54 == 0) goto L7;
					 *_t77 =  *_t77 + _t70;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					 *_t54 =  *_t54 + _t54;
					_t55 = _t54 +  *_t54;
					 *_t55 =  *_t55 & _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 | _t55;
					 *_t55 =  *_t55 + _t55;
					 *[es:eax] =  *[es:eax] + _t55;
					 *_t55 =  *_t55 + _t70;
					asm("adc [eax], al");
					 *_t67 =  *_t67 + _t55;
					 *_t55 =  *_t55 + _t67;
					 *((intOrPtr*)(_t55 + 5)) =  *((intOrPtr*)(_t55 + 5)) + _t67;
					 *_t55 =  *_t55 + _t55;
					asm("into");
					 *_t55 =  *_t55 | _t55;
					 *_t55 =  *_t55 + _t67;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 | _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *((char*)(_t55 + _t55)) =  *((char*)(_t55 + _t55));
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t67 =  *_t67 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55;
					 *_t55 =  *_t55;
					 *((intOrPtr*)(_t55 + 0x800080)) =  *((intOrPtr*)(_t55 + 0x800080)) + _t55;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + 0x80;
					 *((intOrPtr*)(_t55 - 0x3fffff80)) =  *((intOrPtr*)(_t55 - 0x3fffff80)) + _t55;
					asm("rol al, 0x0");
					 *((char*)(_t55 + 0x80)) =  *((char*)(_t55 + 0x80)) + 0xff;
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + 1;
					 *_t55 =  *_t55 + _t55;
					asm("invalid");
					 *_t55 =  *_t55 + _t55;
					 *_t55 =  *_t55 + 1;
					_t65 = _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60 + _t60;
					asm("invalid");
					 *_t67 =  *_t67 + _t67;
					 *_t67 =  *_t67 | _t67;
					 *_t70 =  *_t70 + _t70;
					asm("adc dl, [edx]");
					 *_t74 =  *_t74 + _t65;
					ds = cs;
					ds = cs;
					 *((intOrPtr*)(_t83 + _t79)) =  *((intOrPtr*)(_t83 + _t79)) + _t67;
					_t56 = _t55;
					 *((intOrPtr*)(_t70 + 0x52)) =  *((intOrPtr*)(_t70 + 0x52)) + _t70;
					 *((intOrPtr*)(_t74 + 0x5f)) =  *((intOrPtr*)(_t74 + 0x5f)) + _t65;
					_t75 = _t70;
					 *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) =  *((intOrPtr*)(_t83 + 0x6c + (_t79 + 3) * 2)) + _t67;
					_t41 = _t56 + 0x78;
					 *_t41 =  *((intOrPtr*)(_t56 + 0x78)) + _t65;
					if ( *_t41 < 0) goto L8;
					_t57 = _t70;
					_t71 = _t56;
					 *((intOrPtr*)(_t75 - 0x54ff6061)) =  *((intOrPtr*)(_t75 - 0x54ff6061)) + _t65;
					asm("stosd");
					L9:
					asm("stosd");
					 *((intOrPtr*)(_t57 - 0x3aff4748)) =  *((intOrPtr*)(_t57 - 0x3aff4748)) + _t65;
					asm("invalid");
					asm("rcl dl, cl");
					_t71 = _t71 + _t71 + _t65;
					asm("invalid");
					_t65 = _t65 + _t67;
					goto L9;
				}
				_push(0x65);
				asm("arpl [ecx+esi], si");
				if(_t85 > 0) {
					_pop(es);
					_t67 = _t67;
					asm("scasd");
					 *(_t76 + _t67 + 0x10) =  *(_t76 + _t67 + 0x10) & _t69;
					_t53 =  *[es:0x33ad4f3a];
					asm("cdq");
					asm("iretw");
					asm("adc [edi+0xaa000c], esi");
					asm("pushad");
					asm("rcl dword [ebx], cl");
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					 *0xa6695860 =  *0xa6695860 + _t53;
					_t69 =  *0xFFFFFFFF4CD2B0C0;
					 *((intOrPtr*)(_t60 + 0xe)) =  *((intOrPtr*)(_t60 + 0xe)) + _t53;
					goto L6;
				}
				_t59 = 0xa6695860 +  *0xa6695860;
				 *0xa6695860 =  *0xa6695860 + _t59;
				 *0xa6695860 =  *0xa6695860 + _t59;
				 *0xa6695860 =  *0xa6695860 + _t59;
				asm("int3");
				 *_t59 =  *_t59 ^ _t59;
				 *((intOrPtr*)(_t74 + 0x6a724505)) =  *((intOrPtr*)(_t74 + 0x6a724505)) - _t60 + _t60;
				L4:
				goto L4;
			}

0x00401608
0x0040160d
0x00401612
0x00401614
0x00401616
0x00401618
0x0040161a
0x0040161c
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x0040162a
0x0040162d
0x0040162e
0x00401630
0x00401632
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00401641
0x00401644
0x00401645
0x004016b6
0x004016b6
0x004016b7
0x004016b9
0x004016bb
0x004016be
0x004016c4
0x004016c5
0x004016c7
0x004016cc
0x004016d4
0x004016d5
0x004016d9
0x004016db
0x004016dc
0x004016de
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f3
0x004016f5
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401703
0x00401705
0x00401706
0x00401708
0x0040170a
0x0040170c
0x0040170e
0x00401710
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x0040173a
0x0040173d
0x00401743
0x00401745
0x00401748
0x0040174e
0x00401751
0x00401758
0x0040175a
0x0040175c
0x0040175e
0x00401762
0x0040176a
0x0040176c
0x0040176e
0x00401770
0x00401772
0x00401774
0x00401776
0x00401778
0x0040177a
0x0040177b
0x0040177c
0x0040177f
0x00401788
0x0040178c
0x0040178f
0x00401790
0x00401794
0x00401794
0x00401797
0x0040179f
0x0040179f
0x004017a0
0x004017a6
0x004017a7
0x004017a7
0x004017a8
0x004017ae
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x00000000
0x004017b8
0x00401647
0x00401649
0x0040164d
0x00401671
0x00401674
0x00401675
0x00401677
0x0040167b
0x00401681
0x00401682
0x00401684
0x0040168a
0x0040168b
0x00401691
0x00401693
0x00401695
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b4
0x00000000
0x004016b4
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401659
0x0040165a
0x0040165c
0x00401662
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040160D

Strings

VB5!6&*, xrefs: 00401608, 00401644

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 1972235c25075a30bcb81241dfb1064ddea45bbfb7349307ba75812a2b9856d4
Instruction ID: 21310359a5d6b2ab44a4f488a1a6f51fa452c01bb49722372cc521b313824d1f
Opcode Fuzzy Hash: 1972235c25075a30bcb81241dfb1064ddea45bbfb7349307ba75812a2b9856d4
Instruction Fuzzy Hash: F941406280E7C05FD3039B749C6A6917FB0AE13224B1E46DBC0C1DF4F3E269581AD766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BC1228, Relevance: 2.6, Strings: 2, Instructions: 109COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02BC130D
R, xrefs: 02BC1233

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID: 1.!T$R
API String ID: 0-128154503
Opcode ID: c38aaf1e4f0e1915d81c3c5c1bed5f9cdb0499400f28a05b0d07d29e0f534386
Instruction ID: ff59bde653886b8f9677b0d60dd53ecabdb3451e2aa5f470de5fe6b2b8fed724
Opcode Fuzzy Hash: c38aaf1e4f0e1915d81c3c5c1bed5f9cdb0499400f28a05b0d07d29e0f534386
Instruction Fuzzy Hash: 33218A743843096BEB202E684D527D93B835F03BA4F74439DFDAA7B1C2D795C844C551

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1049, Relevance: 1.4, Strings: 1, Instructions: 157COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02BC130D

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: 3f5caa7681393affd619b034d70227712832d0f8fa3214036460b7b21d9c8665
Instruction ID: cdfd2a1e5caa7e08bf0ce41b105fc2bc3ac315e301f846eec62383f838a4e52f
Opcode Fuzzy Hash: 3f5caa7681393affd619b034d70227712832d0f8fa3214036460b7b21d9c8665
Instruction Fuzzy Hash: 5B416C74344309AFEB205F688D557E936439F467B4F30439DBD6ABB2C5DBA58C80C611

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1160, Relevance: 1.4, Strings: 1, Instructions: 130COMMON

Download Yara Rule

Strings

1.!T, xrefs: 02BC130D

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID: 1.!T
API String ID: 0-3147410236
Opcode ID: f07f894f4b13ccfe0d2f0f25875f0455fe79d01a5237e6e46b66ad0eacd915af
Instruction ID: e185255a93535e2727765da4b64fcf56e79443a183b3347f9757f64056525bd7
Opcode Fuzzy Hash: f07f894f4b13ccfe0d2f0f25875f0455fe79d01a5237e6e46b66ad0eacd915af
Instruction Fuzzy Hash: 46319B74340309AFEB205F688E927E93A439F46BA4F30429DBE6A7B2C5D6B5CC40C651

Uniqueness

Uniqueness Score: -1.00%

Function 02BC3567, Relevance: .9, Instructions: 885COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a8f0a2753ae13299f25a8c1bc694cc81e7b9de43c7dd80db54f2d936e6cf2e0b
Instruction ID: 91a0c57840bea83a9ce17efc06aa92e7c5f9cb7745ecda0a0dc04577887a3bf1
Opcode Fuzzy Hash: a8f0a2753ae13299f25a8c1bc694cc81e7b9de43c7dd80db54f2d936e6cf2e0b
Instruction Fuzzy Hash: 9C528E70304306AFEB245E28CD91BE673A2FF05360FB482BDED9693281D775A884CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1570, Relevance: .8, Instructions: 796COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c4c0789ff9c0eea69dfa148747b99da7adcbceb6f4f97c12566ead357e9d28b2
Instruction ID: 0dcd41626e897eb9c9925f635d5d2cab9512d4f998db4201ea90de76c9a7a44a
Opcode Fuzzy Hash: c4c0789ff9c0eea69dfa148747b99da7adcbceb6f4f97c12566ead357e9d28b2
Instruction Fuzzy Hash: 30329D70644306ABFF301E28CD95BFA2267EF427A0FB442ADED8AA71C5D7759481CA41

Uniqueness

Uniqueness Score: -1.00%

Function 02BC45B2, Relevance: .5, Instructions: 480COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67da40a2cf00ca97d23124b8d51802eec0d6add7b45c9cdffb57828d3f70ac49
Instruction ID: 26cd9765178db2ff7f21f089da3288dec08a05d32194b3ff0c67eb31481cbb2c
Opcode Fuzzy Hash: 67da40a2cf00ca97d23124b8d51802eec0d6add7b45c9cdffb57828d3f70ac49
Instruction Fuzzy Hash: ECE12570644309AFFB301E24CD55BE937A6EF45350FB442ADEE96AB1D1D3B8A480CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02BC71B8, Relevance: .4, Instructions: 414COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da5a92a59ef675052f6e0638b6539f2d60cc215281b6da0de1a2ef2b46b1c2fe
Instruction ID: 8ade1ac5f8f57f0eb316c9fbe20ff18f1c3c6d305f8ce35ac203108cf37767ba
Opcode Fuzzy Hash: da5a92a59ef675052f6e0638b6539f2d60cc215281b6da0de1a2ef2b46b1c2fe
Instruction Fuzzy Hash: 34D11771244309AFEB301E24CD85BE93766EF45360FB4426CFE96AB1D1D7B9A485CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1568, Relevance: .3, Instructions: 337COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57ce2d2e98fa66f53fcd8584f8fb6fe273e88a75336ee2b298fa2ce36bb908a9
Instruction ID: 273640bf4aea6a8c43c152096ba294d91554fbb65b4b2f37afa6a277b38077cf
Opcode Fuzzy Hash: 57ce2d2e98fa66f53fcd8584f8fb6fe273e88a75336ee2b298fa2ce36bb908a9
Instruction Fuzzy Hash: E391BA706443079BFB35292C8AA47FA21179F537D0F7845BEEC8BE3189DB25C882C552

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1688, Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33262e5619aeb109ffb4078e3f27d2fd20c35ba20ee2902b955c9b6645b3d349
Instruction ID: b00641bf3d8d4f13e095b444a5d6cb07e60f70ab01fe2cb09be9fc17d6a55c82
Opcode Fuzzy Hash: 33262e5619aeb109ffb4078e3f27d2fd20c35ba20ee2902b955c9b6645b3d349
Instruction Fuzzy Hash: C6919B746443079AFB34252C89A57FA21179F537E0FB446AEEC8BE21C9DB25C8C2C552

Uniqueness

Uniqueness Score: -1.00%

Function 02BC15E0, Relevance: .3, Instructions: 322COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a524e1226b75e8477e196600ca4453f6012e2741eed2702054a6ce869395373
Instruction ID: e58bdb9907a8700859229de8344fa2db2646d2ed8b1f4609cacff3889d9790b9
Opcode Fuzzy Hash: 2a524e1226b75e8477e196600ca4453f6012e2741eed2702054a6ce869395373
Instruction Fuzzy Hash: 1091CB706443079AFB34252C8AA57FA21179F437D0FB845BEEC8BE3089DB26C8C2C552

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1650, Relevance: .3, Instructions: 309COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d3e11a841b56dbbafece3ccc207e18f2697fad6c575c9856daa961ec29c2ec6
Instruction ID: 209cfd60e3c55f9a73052ed57ddf220f37cf81acea1ec3bf80a17670343974c5
Opcode Fuzzy Hash: 4d3e11a841b56dbbafece3ccc207e18f2697fad6c575c9856daa961ec29c2ec6
Instruction Fuzzy Hash: 4E81BA746043029AFB34252C8AA57FA11179F437E0F7846AEEC8BE3089DB26C8C2C552

Uniqueness

Uniqueness Score: -1.00%

Function 02BC5290, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82b0be96ba56e92cec535eaeac147fd95e85fdcd7c6b4a6d12fcaf75e0e392ca
Instruction ID: 0dc767fd5fb49943acad9169f28af107e00f5b5d9773a22d442463ad68182ae7
Opcode Fuzzy Hash: 82b0be96ba56e92cec535eaeac147fd95e85fdcd7c6b4a6d12fcaf75e0e392ca
Instruction Fuzzy Hash: EC9128B160430AAFEF310E14CD95BE93666EF05360FA4466CFD86B71D1D7B9A484CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02BCD9B3, Relevance: .3, Instructions: 282COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0591d2d8e6156c4ee80e86e33135758e449ed41160d24acc70da46384fe3313d
Instruction ID: 52a988c113b9cf851ed0b9be5372079e41fe3c9b36995ed191004659fe084b6c
Opcode Fuzzy Hash: 0591d2d8e6156c4ee80e86e33135758e449ed41160d24acc70da46384fe3313d
Instruction Fuzzy Hash: BBA1C764608343CFDB25DE288594765B7A2DF56360F6482EDCDE68F2DAD335C442C722

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1780, Relevance: .3, Instructions: 279COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ef7d8273b62c1087fd84a33e6947d9491bcebb167116cc85563a0e791af03ac
Instruction ID: 8237b3fec6d8e08b80f94fc023040c06455eb63f81ea32627877754c0a259706
Opcode Fuzzy Hash: 4ef7d8273b62c1087fd84a33e6947d9491bcebb167116cc85563a0e791af03ac
Instruction Fuzzy Hash: 9871BC706543039AFB35256C8AA57FE11179F537E0FB845AEEC8BE20C9DB66C8C2C542

Uniqueness

Uniqueness Score: -1.00%

Function 02BC17E8, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c137e62b4fecc9ecafaa0f20c034390b0167d9f2b4e868c947cbacf3785a49dd
Instruction ID: 9e84f60288642ad1c55e41e6a6e48c076aaad0c753938b73eb09469cdf116371
Opcode Fuzzy Hash: c137e62b4fecc9ecafaa0f20c034390b0167d9f2b4e868c947cbacf3785a49dd
Instruction Fuzzy Hash: 8571CEB46143029AFB35256C8AA57FE11179F537D0FB845AEEC8BE20C9DB66C8C2C442

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1860, Relevance: .3, Instructions: 254COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 451ec81f31d94d3e4c3a23a7c07b363f01503e2dfa31b6bca7c219909d7b3bf3
Instruction ID: 145923875c59f4a1687962191d36c8c825d6107ed4906023de283bbbccedef8e
Opcode Fuzzy Hash: 451ec81f31d94d3e4c3a23a7c07b363f01503e2dfa31b6bca7c219909d7b3bf3
Instruction Fuzzy Hash: B461BE746543069AFB35256C89A57FE11179F537E0FB446AEEC8BE30C9DB66C8C2C402

Uniqueness

Uniqueness Score: -1.00%

Function 02BC18C4, Relevance: .2, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fffa1e2b6667fd96b4aed8205e37ede0ecfe9abebc2d25861bcff04094d26a1
Instruction ID: f29a1ba563bedb34d9d0120f13c91e69cb22e78b0188298327923f7ad1c58273
Opcode Fuzzy Hash: 4fffa1e2b6667fd96b4aed8205e37ede0ecfe9abebc2d25861bcff04094d26a1
Instruction Fuzzy Hash: F361DF746143029AFB34252C89957EE11179F537E0F7446AEEC9BE30C9DB66C882C902

Uniqueness

Uniqueness Score: -1.00%

Function 02BC191C, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd711463895d13d82e546ca0db7cb60cc64cc81003c56e8f914fe9bf8c57c2a5
Instruction ID: f03e30ac89852ea4b6125fac44e985423cb34cf268119cb409e0a68d89c66bcc
Opcode Fuzzy Hash: bd711463895d13d82e546ca0db7cb60cc64cc81003c56e8f914fe9bf8c57c2a5
Instruction Fuzzy Hash: F561DE746543029AFF35256C89957EA21139F537E0F7446AEEC8BE30C9DB66C8C2C502

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1980, Relevance: .2, Instructions: 227COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6cd6badca29eaaaf26577c5ad76ab518fdc54bc8b1cdcdf9fbb9cac88a238ae
Instruction ID: 9f72b4e8a49d453582a76785860e6d5ab68a0cc06daaeeb99b6d17b2f73f3d66
Opcode Fuzzy Hash: c6cd6badca29eaaaf26577c5ad76ab518fdc54bc8b1cdcdf9fbb9cac88a238ae
Instruction Fuzzy Hash: DD51AD746443069AFF35156C89A57FE11179F537E0FB446AEEC8BE21C9DB66C8C2C402

Uniqueness

Uniqueness Score: -1.00%

Function 02BC19E4, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89dcc3e3e35f6db73a03ab8fd419028c48a2b9325a45f66db94689140d269595
Instruction ID: 282a9b23f0c75812b0546da231464bdc680d125faf186c368ad55ff6d8acb385
Opcode Fuzzy Hash: 89dcc3e3e35f6db73a03ab8fd419028c48a2b9325a45f66db94689140d269595
Instruction Fuzzy Hash: 9051CE64A143069AFF34252C89957FE11179F537E0FB846AEEC8BE31C9DB66C8C2C502

Uniqueness

Uniqueness Score: -1.00%

Function 02BCEA05, Relevance: .2, Instructions: 212COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e04d7c1aea9fe844966ee5e013ad6e49330cf1f724704dcd74dde3be869c96a
Instruction ID: 6c7280f9621a1afa23efdcf2b7f274145f6b9062fbdee0023c422e682cdf2518
Opcode Fuzzy Hash: 1e04d7c1aea9fe844966ee5e013ad6e49330cf1f724704dcd74dde3be869c96a
Instruction Fuzzy Hash: 39512A6020820ADFEF346E20D5643F96263EF51364FB042FFD8A387995D769C8C8C942

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1A48, Relevance: .2, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ae377746baa606c69362493dd698e44676ffae83931093aa418fb1e5c994ae7
Instruction ID: a2c8f144e7e3ce21745c01b9bf062d9bdafcc7434932c2410aa629e1ffeb2b62
Opcode Fuzzy Hash: 0ae377746baa606c69362493dd698e44676ffae83931093aa418fb1e5c994ae7
Instruction Fuzzy Hash: 61518C74A143069AFF35152C8A957FE11179F937E0FB846AEEC8BE21C9DB65C8C2C502

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1AC4, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 584f37eb41ba031617e3b435a7c266127242e566c3752e891c3276eb6173b1fa
Instruction ID: e24ed91ca316e2524c3cb2da3bea63cf62ca84aa9b16791599f34818406bcf48
Opcode Fuzzy Hash: 584f37eb41ba031617e3b435a7c266127242e566c3752e891c3276eb6173b1fa
Instruction Fuzzy Hash: C9518D74A043069AFF34152C8A957FA11179F937E0FB4466EEC8BE21C8DB69CCC2C442

Uniqueness

Uniqueness Score: -1.00%

Function 02BCD9FB, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2cfdc4e5739e9386a80c298d426043b848b14798bff827e662769dea22fbfa
Instruction ID: 81fb687958337a2d17d91bea3b1f98642a0cc0a34635c6afc19d333d6c8a2842
Opcode Fuzzy Hash: 9f2cfdc4e5739e9386a80c298d426043b848b14798bff827e662769dea22fbfa
Instruction Fuzzy Hash: 8251C674604343CFDB25DF28C8A4766B7A2EF56260F6982FDCC968B296D375C442C712

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1B88, Relevance: .2, Instructions: 169COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 982dcf8abcbc3cb436a03662b747ef21ff0139a0b0b86e34ec43e1e1d6b1a657
Instruction ID: fbec1718307e1032769ec53975934986d7ee8a5149bb0309fd0d83daa953a1be
Opcode Fuzzy Hash: 982dcf8abcbc3cb436a03662b747ef21ff0139a0b0b86e34ec43e1e1d6b1a657
Instruction Fuzzy Hash: 6B419C646043029EFF35256C8A997FA11179F537E0FB4469EEC8BE21C9CB66C8C6C442

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1BF4, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6a21725578a938e0b5000bf0bfaf30223287814f2c3cc13764142f6e6b6ffc5e
Instruction ID: 4c2f23097d53caba85eebc8928b6d5bf38ba86ee3b7ba3d1625e3b62a2db1630
Opcode Fuzzy Hash: 6a21725578a938e0b5000bf0bfaf30223287814f2c3cc13764142f6e6b6ffc5e
Instruction Fuzzy Hash: 9641AB645043029EFF35256C8A983FA21139F537E0FB8469FEC8BE61C9CB16C8C6C542

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1C50, Relevance: .1, Instructions: 145COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0bd060cf1d02026e9c90e3702bb19a40ae54570bdc8e2b4239e2bdba62d679
Instruction ID: e70c38b53ee1bd492efabe5a3161cbd91c47252f28de9920118740f89d76a6a2
Opcode Fuzzy Hash: 6b0bd060cf1d02026e9c90e3702bb19a40ae54570bdc8e2b4239e2bdba62d679
Instruction Fuzzy Hash: 3E4159646043069EFF39256C8A997FA11139F537E0FB4469FEC8BE21C9DB66C8C2C442

Uniqueness

Uniqueness Score: -1.00%

Function 02BC4118, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c70250ed739ca76ee65c507f0a4ad301ddd6da1e93a572aafbcd17313e3339f
Instruction ID: 204d9e4f695f39cbac2ca70f0313da4e0ceb0cf08174973b72951902dcc409ff
Opcode Fuzzy Hash: 6c70250ed739ca76ee65c507f0a4ad301ddd6da1e93a572aafbcd17313e3339f
Instruction Fuzzy Hash: 70415671740202AFD7249A28CD65BE673B6BF45360F7443BCECA6D3286DB24D989CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1CB8, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bef1f658e9e885bcde29d029c51a534a73e7a6cab2f2f777e4b266ee220f5cb2
Instruction ID: 488be2c2e1786beb52ddfa2d97c215f9efaaa028d8b3c91a87d846ef1bc8ab28
Opcode Fuzzy Hash: bef1f658e9e885bcde29d029c51a534a73e7a6cab2f2f777e4b266ee220f5cb2
Instruction Fuzzy Hash: 013168646043069EFF35156C8AD97FA21139F537A0FB4469FEC8BE21D8CB66C8C2C842

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1D14, Relevance: .1, Instructions: 125COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7610a5ca4a7621f4aad23046b2e10475c56e419c2568e3b123674b24b9a2f824
Instruction ID: 4f57a0d8c21008a5fa36dc39f304d981c6332b0b5f84bf8f13607de25ef7499e
Opcode Fuzzy Hash: 7610a5ca4a7621f4aad23046b2e10475c56e419c2568e3b123674b24b9a2f824
Instruction Fuzzy Hash: D63189645043069EFF35252C4AA47FA25139F537A0FB4469FEC9BE61C8CB15C8C6C942

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1D87, Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9db59737b1842dc650c1b9ea9636d93f02771720c858252ab942a5208e37c2db
Instruction ID: 64b17892d5381526ab05670d1b0b20a7de211483c7f73c73c267dd4591de1576
Opcode Fuzzy Hash: 9db59737b1842dc650c1b9ea9636d93f02771720c858252ab942a5208e37c2db
Instruction Fuzzy Hash: 8A3148645042069EFF34256C5AA87FA11139F537A0FB4468FEC5BE61DCCB25C9C6C542

Uniqueness

Uniqueness Score: -1.00%

Function 02BC458C, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a957d30158ab897c05e7bcf2f2647cd3cbaac6bc0411e2e4a168a51f729f24
Instruction ID: 4c253ced7014f930304191628ed2a8d34fe1614ce660a4a892c4d85b06c2ab53
Opcode Fuzzy Hash: a5a957d30158ab897c05e7bcf2f2647cd3cbaac6bc0411e2e4a168a51f729f24
Instruction Fuzzy Hash: E5313730648384DFFB21AFA0C954BE537B2EF42350FA440EEEE565B0D2C7749644CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1DE8, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bdbf4b30f19ba80a174ea0cfe6d33e985f4cff52388e13172875f71ebe610f3
Instruction ID: 3e6a9f99c8f702a673555584f5075a7db3f7e0673bb52cbeec7d00bdde99ab6b
Opcode Fuzzy Hash: 8bdbf4b30f19ba80a174ea0cfe6d33e985f4cff52388e13172875f71ebe610f3
Instruction Fuzzy Hash: 20217C745043069EFF31297889957FA21139F537A0F74429FDC5BE61C8CB25C8C5C942

Uniqueness

Uniqueness Score: -1.00%

Function 02BC3055, Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 006938a452710b2bf6c10c1b9f655224aed1e74293ff1ab56cfb77c7daf3106b
Instruction ID: a98381c431b1b63c4476964b0715483808528387bd0ca3d476c844ee02248e21
Opcode Fuzzy Hash: 006938a452710b2bf6c10c1b9f655224aed1e74293ff1ab56cfb77c7daf3106b
Instruction Fuzzy Hash: 5521495120C3CD9BDB223E749D553AE3B65AF02634F3482EFE8F6860D1DB658885CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02BC4600, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed49d7656f6a218f95ff2bb4bb95ffe0016e97619c3967bb7b6fd86c5cf7445
Instruction ID: dc67c10febbea889a412e77b082ff7927f181d9cbfd179399544f9f71209d86d
Opcode Fuzzy Hash: 9ed49d7656f6a218f95ff2bb4bb95ffe0016e97619c3967bb7b6fd86c5cf7445
Instruction Fuzzy Hash: 1021D630A48244DFFB30ABA0C954BE437B6EF45350F7040EEEE565B1D5D7B4A680CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02BC465C, Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 082cf8019fa60bf7394a56cdea7a08879c56890d91d43f3d4808822907f0ef35
Instruction ID: 1d41e60598dc2993d80907c6283e697a9770eb4252be3ed7ab447582fc79b4be
Opcode Fuzzy Hash: 082cf8019fa60bf7394a56cdea7a08879c56890d91d43f3d4808822907f0ef35
Instruction Fuzzy Hash: FE21E730A48241DFFB30ABA0CD54BE436A6EF45780F7440EEEF565B0D1C7B4A281CA22

Uniqueness

Uniqueness Score: -1.00%

Function 02BC1358, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830a31d272ca32edba1eaa55518b0d57e76e56933ab57f3d1dfe7c926221e86a
Instruction ID: e64cd08725cd13686ce8eb30e2af4be912c2add979e28a5a6e2b67b3729d3cfd
Opcode Fuzzy Hash: 830a31d272ca32edba1eaa55518b0d57e76e56933ab57f3d1dfe7c926221e86a
Instruction Fuzzy Hash: CE117A74244309ABE7011A685D563D63B52AF037F8F68439CED6A771C6D7568844C680

Uniqueness

Uniqueness Score: -1.00%

Function 02BC13BC, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de4fa8146ba5f19a493c89da2591772f07aff6512648ad0c0dd229b693b83417
Instruction ID: 8ba754cc2b070cb9032d9e9c1b65579daf0e65309578fe93c18bcf3d7c40b8ee
Opcode Fuzzy Hash: de4fa8146ba5f19a493c89da2591772f07aff6512648ad0c0dd229b693b83417
Instruction Fuzzy Hash: D60168B42043095BE7015A6C9D553E63F02AF067F8FB803ACBC6A771C6D765CC40C690

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC104, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 83a7c2988b8a59bfef8a254a3190a1cc9bdda8102ea0d69459a1824a08458c11
Instruction ID: cb6e41cfe9bb299fbf7a557d38d30f9b2d932f010acd6549dad886ccb65a668b
Opcode Fuzzy Hash: 83a7c2988b8a59bfef8a254a3190a1cc9bdda8102ea0d69459a1824a08458c11
Instruction Fuzzy Hash: 70F0D431315201CBC624DA48D6E4A6A7BA5AFB5710B3584EFE85ECB615D330D980CA16

Uniqueness

Uniqueness Score: -1.00%

Function 02BCC144, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0799b03bfc6aa039737c0cec6d6e518dba05fb0beaf1c58b269fa9d887e1b10
Instruction ID: 7df2ab3d0abb57868813b62569a469c59f60048c27855a7613859dc205a41464
Opcode Fuzzy Hash: d0799b03bfc6aa039737c0cec6d6e518dba05fb0beaf1c58b269fa9d887e1b10
Instruction Fuzzy Hash: 19F03030349201CFD715DA48E5D4F697FA5AFA5700B2981DFE84E8B616D331D880CA16

Uniqueness

Uniqueness Score: -1.00%

Function 02BC636A, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4ddff26dad23f2acb4b243b2f26ab8e0bd6ded65e7269270e5f682221fae7812
Instruction ID: d7cf165bc497e909d17d2ac9425f5a2e47cfa98abdcd22aabdbef0ed6613190c
Opcode Fuzzy Hash: 4ddff26dad23f2acb4b243b2f26ab8e0bd6ded65e7269270e5f682221fae7812
Instruction Fuzzy Hash: D1C09B772505808FFF11CE04C5D6FC173B0F722684B4444D0D481CF711D314E915C600

Uniqueness

Uniqueness Score: -1.00%

Function 02BCAB24, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9fa06d49e3a894e8d18375d62da7f7f3f59e67fa7d1e817cd9ec6cc953727ba
Instruction ID: 2d7511e8d1a670a67a16b217c6e85fb8e695014c800c18bedc660732403cfb05
Opcode Fuzzy Hash: b9fa06d49e3a894e8d18375d62da7f7f3f59e67fa7d1e817cd9ec6cc953727ba
Instruction Fuzzy Hash: 24B01274251749CFCE55CF08C1A0F5073B0F708B00FC104C4E402C7B11C264E800C900

Uniqueness

Uniqueness Score: -1.00%

Function 02BCE961, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.754681801.0000000002BC0000.00000040.00000001.sdmp, Offset: 02BC0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
Instruction ID: b36b371992250da8c45f1cd1506764a1d816c012ef71655a4cc1844282d2f311
Opcode Fuzzy Hash: d1985188533ae361fcbfaf6301ae5d8934191e8d79537ea20f659d31287449d5
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00432224, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00432224(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a20, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				char* _t63;
				char* _t67;
				signed int _t71;
				char* _t73;
				signed int _t76;
				char* _t79;
				intOrPtr _t107;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t107;
				_push(0x70);
				L00401470();
				_v12 = _t107;
				_v8 = 0x401448;
				L004015BA();
				L004015A2();
				L004015BA();
				if( *0x433010 != 0) {
					_v120 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v120 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x36c))( *_v120));
				_t63 =  &_v64;
				_push(_t63);
				L004015E4();
				_v108 = _t63;
				_v88 = 0x80020004;
				_v96 = 0xa;
				if( *0x433010 != 0) {
					_v124 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v124 = 0x433010;
				}
				_t67 =  &_v56;
				L004015E4();
				_v100 = _t67;
				_t71 =  *((intOrPtr*)( *_v100 + 0x180))(_v100,  &_v60, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x368))( *_v124));
				asm("fclex");
				_v104 = _t71;
				if(_v104 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403608);
					_push(_v100);
					_push(_v104);
					L004015D8();
					_v128 = _t71;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t73 =  &_v80;
				L0040159C();
				L0040158A();
				L004015C0();
				_t76 =  *((intOrPtr*)( *_v108 + 0x1ec))(_v108, _t73, _t73, _t73, _v60, 0, 0, 0x10);
				asm("fclex");
				_v112 = _t76;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v108);
					_push(_v112);
					L004015D8();
					_v132 = _t76;
				}
				L004015A8();
				_push( &_v64);
				_push( &_v60);
				_t79 =  &_v56;
				_push(_t79);
				_push(3);
				L004015CC();
				L004015C6();
				_push(0x432424);
				L004015C6();
				L004015A8();
				L004015A8();
				return _t79;
			}

0x00432229
0x00432234
0x00432235
0x0043223c
0x0043223f
0x00432247
0x0043224a
0x00432257
0x00432262
0x0043226d
0x00432279
0x00432293
0x0043227b
0x0043227b
0x00432280
0x00432285
0x0043228a
0x0043228a
0x004322ad
0x004322ae
0x004322b1
0x004322b2
0x004322b7
0x004322ba
0x004322c1
0x004322cf
0x004322e9
0x004322d1
0x004322d1
0x004322d6
0x004322db
0x004322e0
0x004322e0
0x00432304
0x00432308
0x0043230d
0x0043231c
0x00432322
0x00432324
0x0043232b
0x00432347
0x0043232d
0x0043232d
0x00432332
0x00432337
0x0043233a
0x0043233d
0x00432342
0x00432342
0x0043234e
0x00432358
0x00432359
0x0043235a
0x0043235b
0x00432363
0x00432367
0x00432370
0x0043237a
0x00432388
0x0043238e
0x00432390
0x00432397
0x004323b3
0x00432399
0x00432399
0x0043239e
0x004323a3
0x004323a6
0x004323a9
0x004323ae
0x004323ae
0x004323ba
0x004323c2
0x004323c6
0x004323c7
0x004323ca
0x004323cb
0x004323cd
0x004323d8
0x004323dd
0x0043240e
0x00432416
0x0043241e
0x00432423

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0043223F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00432257
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00432262
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 0043226D
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00432285
__vbaObjSet.MSVBVM60(?,00000000), ref: 004322B2
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 004322DB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432308
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,00000180), ref: 0043233D
__vbaChkstk.MSVBVM60 ref: 0043234E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00432367
__vbaStrVarMove.MSVBVM60(00000000), ref: 00432370
__vbaStrMove.MSVBVM60(00000000), ref: 0043237A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 004323A9
__vbaFreeStr.MSVBVM60 ref: 004323BA
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004323CD
__vbaFreeVar.MSVBVM60 ref: 004323D8
__vbaFreeVar.MSVBVM60(00432424), ref: 0043240E
__vbaFreeStr.MSVBVM60(00432424), ref: 00432416
__vbaFreeStr.MSVBVM60(00432424), ref: 0043241E

Strings

$$C, xrefs: 00432413

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMoveNew2$CallLateList
String ID: $$C
API String ID: 1836669087-3728262818
Opcode ID: bd0f45981342ffeb4622e5c36f23a8317680053d078dc78fb4b572c9c23ab930
Instruction ID: 5dcf32df6a3e698d4be153b05db4e5f599346ce706fd91fa9bdb05fc3db32c9e
Opcode Fuzzy Hash: bd0f45981342ffeb4622e5c36f23a8317680053d078dc78fb4b572c9c23ab930
Instruction Fuzzy Hash: 0D510971D00208AFCB14EFA1CD45BDDBBB9BF48704F20452AF016BB2A1DB796A05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042FF0E, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042FF2B
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042FF43
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 0042FF4E
#589.MSVBVM60(00000001,?,?,?,?,00401476), ref: 0042FF55
__vbaNew2.MSVBVM60(00403E5C,00433010), ref: 0042FF93
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042FFCC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000060), ref: 00430013
__vbaChkstk.MSVBVM60(00000000,?,00403650,00000060), ref: 0043003A
__vbaChkstk.MSVBVM60(00000000,?,00403650,00000060), ref: 0043004B
__vbaChkstk.MSVBVM60(00000000,?,00403650,00000060), ref: 0043005C
__vbaLateMemCall.MSVBVM60(?,Tuh3uoQXnd1Ab1kNrTZdgk8195,00000003), ref: 00430074
__vbaFreeObj.MSVBVM60 ref: 0043007F
__vbaFreeStr.MSVBVM60(004300AD,00000001,?,?,?,?,00401476), ref: 00430097
__vbaFreeObj.MSVBVM60(004300AD,00000001,?,?,?,?,00401476), ref: 0043009F
__vbaFreeVar.MSVBVM60(004300AD,00000001,?,?,?,?,00401476), ref: 004300A7

Strings

chondre, xrefs: 0042FF72
Tuh3uoQXnd1Ab1kNrTZdgk8195, xrefs: 0043006C

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$#589CallCheckCopyHresultLateNew2
String ID: Tuh3uoQXnd1Ab1kNrTZdgk8195$chondre
API String ID: 1883412668-1745548932
Opcode ID: 32898375fb833d7ba659ffaf64a2cded8a4a1a0e42c1d3eeb2cee1c3438cd2fb
Instruction ID: d6666a2994559db09863ec72f9f39b60e66633706fed995b7cbcd6745fae0ab8
Opcode Fuzzy Hash: 32898375fb833d7ba659ffaf64a2cded8a4a1a0e42c1d3eeb2cee1c3438cd2fb
Instruction Fuzzy Hash: A4414B70900218AFCB20DFA5CC46BDEB7B5BF49708F10406AF546BB2A1CBB95A45CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00430C80, Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00430C80(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				char* _t67;
				char* _t71;
				signed int _t75;
				char* _t77;
				signed int _t80;
				char* _t83;
				void* _t105;
				void* _t107;
				intOrPtr _t108;

				_t108 = _t107 - 0xc;
				 *[fs:0x0] = _t108;
				L00401470();
				_v16 = _t108;
				_v12 = 0x401340;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x401476, _t105);
				L004015BA();
				L004015A2();
				if( *0x433010 != 0) {
					_v120 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v120 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x37c))( *_v120));
				_t67 =  &_v60;
				_push(_t67);
				L004015E4();
				_v104 = _t67;
				_v84 = 0x80020004;
				_v92 = 0xa;
				if( *0x433010 != 0) {
					_v124 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v124 = 0x433010;
				}
				_t71 =  &_v52;
				L004015E4();
				_v96 = _t71;
				_t75 =  *((intOrPtr*)( *_v96 + 0x120))(_v96,  &_v56, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x388))( *_v124));
				asm("fclex");
				_v100 = _t75;
				if(_v100 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40374c);
					_push(_v96);
					_push(_v100);
					L004015D8();
					_v128 = _t75;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t77 =  &_v76;
				L0040159C();
				L0040158A();
				L004015C0();
				_t80 =  *((intOrPtr*)( *_v104 + 0x1ec))(_v104, _t77, _t77, _t77, _v56, 0, 0, 0x10);
				asm("fclex");
				_v108 = _t80;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403608);
					_push(_v104);
					_push(_v108);
					L004015D8();
					_v132 = _t80;
				}
				L004015A8();
				_push( &_v60);
				_push( &_v56);
				_t83 =  &_v52;
				_push(_t83);
				_push(3);
				L004015CC();
				L004015C6();
				_push(0x430e80);
				L004015C6();
				L004015A8();
				return _t83;
			}

0x00430c83
0x00430c92
0x00430c9c
0x00430ca4
0x00430ca7
0x00430cae
0x00430cbd
0x00430cc6
0x00430cd1
0x00430cdd
0x00430cf7
0x00430cdf
0x00430cdf
0x00430ce4
0x00430ce9
0x00430cee
0x00430cee
0x00430d11
0x00430d12
0x00430d15
0x00430d16
0x00430d1b
0x00430d1e
0x00430d25
0x00430d33
0x00430d4d
0x00430d35
0x00430d35
0x00430d3a
0x00430d3f
0x00430d44
0x00430d44
0x00430d68
0x00430d6c
0x00430d71
0x00430d80
0x00430d86
0x00430d88
0x00430d8f
0x00430dab
0x00430d91
0x00430d91
0x00430d96
0x00430d9b
0x00430d9e
0x00430da1
0x00430da6
0x00430da6
0x00430db2
0x00430dbc
0x00430dbd
0x00430dbe
0x00430dbf
0x00430dc7
0x00430dcb
0x00430dd4
0x00430dde
0x00430dec
0x00430df2
0x00430df4
0x00430dfb
0x00430e17
0x00430dfd
0x00430dfd
0x00430e02
0x00430e07
0x00430e0a
0x00430e0d
0x00430e12
0x00430e12
0x00430e1e
0x00430e26
0x00430e2a
0x00430e2b
0x00430e2e
0x00430e2f
0x00430e31
0x00430e3c
0x00430e41
0x00430e72
0x00430e7a
0x00430e7f

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00430C9C
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00430CC6
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00430CD1
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00430CE9
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430D16
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 00430D3F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430D6C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040374C,00000120), ref: 00430DA1
__vbaChkstk.MSVBVM60 ref: 00430DB2
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00430DCB
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,00401476), ref: 00430DD4
__vbaStrMove.MSVBVM60(00000000,?,?,?,00401476), ref: 00430DDE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,000001EC), ref: 00430E0D
__vbaFreeStr.MSVBVM60 ref: 00430E1E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00430E31
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00401476), ref: 00430E3C
__vbaFreeVar.MSVBVM60(00430E80,?,?,?,?,?,?,?,00401476), ref: 00430E72
__vbaFreeStr.MSVBVM60(00430E80,?,?,?,?,?,?,?,00401476), ref: 00430E7A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultMoveNew2$CallCopyLateList
String ID:
API String ID: 2463591421-0
Opcode ID: 29671684dea6cf2a5f8f7dc8c5b539548536c21da6d35fe2e17be6ae2220f7c8
Instruction ID: 0c04d6b3c419ef4ea805027ddfc7678dabdc2e83007f0ef4fda3e3f994e4932b
Opcode Fuzzy Hash: 29671684dea6cf2a5f8f7dc8c5b539548536c21da6d35fe2e17be6ae2220f7c8
Instruction Fuzzy Hash: 20511871D00208EFDB10EFA1C855BDDBBB9AF48704F20452AF006BB2A1DB796A45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00432441, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 138COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0043245C
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00432481
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403E5C,00433010), ref: 004324BD
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403E5C,00433010), ref: 004324CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031DC,000002B0), ref: 00432505
__vbaNew2.MSVBVM60(00403E5C,00433010), ref: 00432526
__vbaHresultCheckObj.MSVBVM60(00000000,?,004031DC,000002B4), ref: 0043256C
#591.MSVBVM60(00004008), ref: 004325A4
__vbaStrMove.MSVBVM60(00004008), ref: 004325AE
#571.MSVBVM60(00000001,00004008), ref: 004325BB
__vbaFreeVar.MSVBVM60(004325E7,00004008), ref: 004325D1
__vbaFreeStr.MSVBVM60(004325E7,00004008), ref: 004325D9
__vbaFreeStr.MSVBVM60(004325E7,00004008), ref: 004325E1

Strings

X, xrefs: 0043257A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2$#571#591Move
String ID: X
API String ID: 658426820-3081909835
Opcode ID: a5f51cc29aafa6c704d5770fb12fee824d1d30fc4778f29e337d0773ddaf1d16
Instruction ID: 90e383fe92c831ec00ab8fdfa671a765b4d55ea5121bf9ddffdb970f753309dc
Opcode Fuzzy Hash: a5f51cc29aafa6c704d5770fb12fee824d1d30fc4778f29e337d0773ddaf1d16
Instruction Fuzzy Hash: 92513774D00308AFCB10EFD2C946B9DBBB0BF09305F20542AE406BB2A5C7BD9A05CB18

Uniqueness

Uniqueness Score: -1.00%

Function 004318C3, Relevance: 21.1, APIs: 14, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E004318C3(void* __ebx, void* __edi, void* __esi, void* _a8, void* _a28, signed int* _a56) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				char* _t58;
				char* _t62;
				signed int _t66;
				signed int _t70;
				char* _t72;
				void* _t93;
				intOrPtr _t94;

				_t94 = _t93 - 0xc;
				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t94;
				_push(0x74);
				L00401470();
				_v16 = _t94;
				_v12 = 0x4013d8;
				L004015A2();
				L004015A2();
				 *_a56 =  *_a56 & 0x00000000;
				if( *0x433010 != 0) {
					_v128 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v128 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x370))( *_v128));
				_t58 =  &_v84;
				_push(_t58);
				L004015E4();
				_v112 = _t58;
				_v92 = 0x80020004;
				_v100 = 0xa;
				if( *0x433010 != 0) {
					_v132 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v132 = 0x433010;
				}
				_t62 =  &_v80;
				L004015E4();
				_v104 = _t62;
				_t66 =  *((intOrPtr*)( *_v104 + 0xf8))(_v104, 0,  &_v76, _t62,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x338))( *_v132));
				asm("fclex");
				_v108 = _t66;
				if(_v108 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403650);
					_push(_v104);
					_push(_v108);
					L004015D8();
					_v136 = _t66;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t70 =  *((intOrPtr*)( *_v112 + 0x1ec))(_v112, _v76, 0x10);
				asm("fclex");
				_v116 = _t70;
				if(_v116 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403608);
					_push(_v112);
					_push(_v116);
					L004015D8();
					_v140 = _t70;
				}
				L004015A8();
				_push( &_v84);
				_t72 =  &_v80;
				_push(_t72);
				_push(2);
				L004015CC();
				_push(0x431a9e);
				L004015C6();
				L004015C6();
				return _t72;
			}

0x004318c6
0x004318c9
0x004318d4
0x004318d5
0x004318dc
0x004318df
0x004318e7
0x004318ea
0x004318f7
0x00431902
0x0043190a
0x00431914
0x0043192e
0x00431916
0x00431916
0x0043191b
0x00431920
0x00431925
0x00431925
0x00431948
0x00431949
0x0043194c
0x0043194d
0x00431952
0x00431955
0x0043195c
0x0043196a
0x00431984
0x0043196c
0x0043196c
0x00431971
0x00431976
0x0043197b
0x0043197b
0x0043199f
0x004319a3
0x004319a8
0x004319b9
0x004319bf
0x004319c1
0x004319c8
0x004319e7
0x004319ca
0x004319ca
0x004319cf
0x004319d4
0x004319d7
0x004319da
0x004319df
0x004319df
0x004319f1
0x004319fb
0x004319fc
0x004319fd
0x004319fe
0x00431a0a
0x00431a10
0x00431a12
0x00431a19
0x00431a38
0x00431a1b
0x00431a1b
0x00431a20
0x00431a25
0x00431a28
0x00431a2b
0x00431a30
0x00431a30
0x00431a42
0x00431a4a
0x00431a4b
0x00431a4e
0x00431a4f
0x00431a51
0x00431a59
0x00431a90
0x00431a98
0x00431a9d

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004318DF
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 004318F7
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00431902
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00431920
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043194D
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 00431976
__vbaObjSet.MSVBVM60(?,00000000), ref: 004319A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000000F8), ref: 004319DA
__vbaChkstk.MSVBVM60 ref: 004319F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,000001EC), ref: 00431A2B
__vbaFreeStr.MSVBVM60 ref: 00431A42
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00431A51
__vbaFreeVar.MSVBVM60(00431A9E,?,?,00401476), ref: 00431A90
__vbaFreeVar.MSVBVM60(00431A9E,?,?,00401476), ref: 00431A98

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: f8fe65162f3da36458af5c0786c6c1b25073ba97ab3de68e76b409e92ffcfaf0
Instruction ID: c228b5f7064650ce3bf3230e5373ea2b1907af4f7966308745a620410bc22233
Opcode Fuzzy Hash: f8fe65162f3da36458af5c0786c6c1b25073ba97ab3de68e76b409e92ffcfaf0
Instruction Fuzzy Hash: E9510A74D40308AFCB10EFA1CC46B9DBBB9BF09305F10446AE016BB2A1CB795A45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00431B66, Relevance: 19.6, APIs: 13, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00431B66(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				short _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				short _v144;
				char _v148;
				signed int _v152;
				char* _t68;
				signed int _t72;
				char* _t76;
				signed int _t83;
				char* _t85;
				intOrPtr _t93;
				void* _t104;
				void* _t106;
				intOrPtr _t107;
				char _t113;

				_t113 = __fp0;
				_t107 = _t106 - 0xc;
				 *[fs:0x0] = _t107;
				L00401470();
				_v16 = _t107;
				_v12 = 0x4013f8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401476, _t104);
				L004015A2();
				if( *0x433010 != 0) {
					_v132 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v132 = 0x433010;
				}
				_t68 =  &_v48;
				L004015E4();
				_v108 = _t68;
				_t72 =  *((intOrPtr*)( *_v108 + 0x170))(_v108,  &_v104, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x328))( *_v132));
				asm("fclex");
				_v112 = _t72;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x4037b8);
					_push(_v108);
					_push(_v112);
					L004015D8();
					_v136 = _t72;
				}
				if( *0x433010 != 0) {
					_v140 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v140 = 0x433010;
				}
				_t93 =  *((intOrPtr*)( *_v140));
				_t76 =  &_v52;
				L004015E4();
				_v116 = _t76;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v104;
				asm("fild dword [ebp-0x8c]");
				_v148 = _t113;
				_v76 = _v148;
				_t83 =  *((intOrPtr*)( *_v116 + 0x204))(_v116, _t93, 0x10, 0x10, 0x10, _t76,  *((intOrPtr*)(_t93 + 0x380))( *_v140));
				asm("fclex");
				_v120 = _t83;
				if(_v120 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x403650);
					_push(_v116);
					_push(_v120);
					L004015D8();
					_v152 = _t83;
				}
				_push( &_v52);
				_t85 =  &_v48;
				_push(_t85);
				_push(2);
				L004015CC();
				asm("wait");
				_push(0x431d80);
				L004015C6();
				return _t85;
			}

0x00431b66
0x00431b69
0x00431b78
0x00431b84
0x00431b8c
0x00431b8f
0x00431b96
0x00431ba5
0x00431bae
0x00431bba
0x00431bd4
0x00431bbc
0x00431bbc
0x00431bc1
0x00431bc6
0x00431bcb
0x00431bcb
0x00431bef
0x00431bf3
0x00431bf8
0x00431c07
0x00431c0d
0x00431c0f
0x00431c16
0x00431c35
0x00431c18
0x00431c18
0x00431c1d
0x00431c22
0x00431c25
0x00431c28
0x00431c2d
0x00431c2d
0x00431c43
0x00431c60
0x00431c45
0x00431c45
0x00431c4a
0x00431c4f
0x00431c54
0x00431c54
0x00431c7a
0x00431c84
0x00431c88
0x00431c8d
0x00431c90
0x00431c97
0x00431c9e
0x00431ca5
0x00431cac
0x00431cb3
0x00431cbd
0x00431cc7
0x00431cc8
0x00431cc9
0x00431cca
0x00431cce
0x00431cd8
0x00431cd9
0x00431cda
0x00431cdb
0x00431cdf
0x00431ce9
0x00431cea
0x00431ceb
0x00431cec
0x00431cf1
0x00431cf7
0x00431cfd
0x00431d0a
0x00431d15
0x00431d1b
0x00431d1d
0x00431d24
0x00431d43
0x00431d26
0x00431d26
0x00431d2b
0x00431d30
0x00431d33
0x00431d36
0x00431d3b
0x00431d3b
0x00431d4d
0x00431d4e
0x00431d51
0x00431d52
0x00431d54
0x00431d5c
0x00431d5d
0x00431d7a
0x00431d7f

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431B84
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00431BAE
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00431BC6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431BF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037B8,00000170), ref: 00431C28
__vbaNew2.MSVBVM60(00403E5C,00433010), ref: 00431C4F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431C88
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431CBD
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431CCE
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431CDF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000204,?,?,00000000), ref: 00431D36
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00431D54
__vbaFreeVar.MSVBVM60(00431D80,?,?,00401476), ref: 00431D7A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$List
String ID:
API String ID: 1303183447-0
Opcode ID: 997269f6acf69743f19ec803a38cb25b5a787d95f5a89068331a56bf5199feef
Instruction ID: ebcaa6c17ffa4b79c120a28c546c0a7cf9056539da7430e9ed701557d891a684
Opcode Fuzzy Hash: 997269f6acf69743f19ec803a38cb25b5a787d95f5a89068331a56bf5199feef
Instruction Fuzzy Hash: D3514874D00318EFCB11DFA5C889B9DBBB5BF09704F20446AE505BB2A1CB795A45DF18

Uniqueness

Uniqueness Score: -1.00%

Function 0042F769, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042F769(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a24, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				char* _t35;
				signed int _t39;
				intOrPtr _t58;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x3c);
				L00401470();
				_v12 = _t58;
				_v8 = 0x401238;
				L004015BA();
				L004015A2();
				if( *0x433010 != 0) {
					_v76 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v76 = 0x433010;
				}
				_t35 =  &_v44;
				L004015E4();
				_v64 = _t35;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t39 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, L"skarpsindigst", 0x10, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x32c))( *_v76));
				asm("fclex");
				_v68 = _t39;
				if(_v68 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v64);
					_push(_v68);
					L004015D8();
					_v80 = _t39;
				}
				L004015D2();
				_push(0x42f878);
				L004015C6();
				L004015A8();
				return _t39;
			}

0x0042f76e
0x0042f779
0x0042f77a
0x0042f781
0x0042f784
0x0042f78c
0x0042f78f
0x0042f79c
0x0042f7a7
0x0042f7b3
0x0042f7cd
0x0042f7b5
0x0042f7b5
0x0042f7ba
0x0042f7bf
0x0042f7c4
0x0042f7c4
0x0042f7e8
0x0042f7ec
0x0042f7f1
0x0042f7f4
0x0042f7fb
0x0042f805
0x0042f80f
0x0042f810
0x0042f811
0x0042f812
0x0042f820
0x0042f826
0x0042f828
0x0042f82f
0x0042f84b
0x0042f831
0x0042f831
0x0042f836
0x0042f83b
0x0042f83e
0x0042f841
0x0042f846
0x0042f846
0x0042f852
0x0042f857
0x0042f86a
0x0042f872
0x0042f877

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F784
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 0042F79C
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042F7A7
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F7BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F7EC
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042F805
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 0042F841
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0042F852
__vbaFreeVar.MSVBVM60(0042F878), ref: 0042F86A
__vbaFreeStr.MSVBVM60(0042F878), ref: 0042F872

Strings

skarpsindigst, xrefs: 0042F813

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID: skarpsindigst
API String ID: 763330518-4173241240
Opcode ID: 525400aaf38b4c8553604ae8b824f00c7efa7e968a830d967b3dd0253fbe0bf3
Instruction ID: bde4e43f4a6e076f26e28caf163f25b4899096ea0948a686afb0d0ff7e33d42d
Opcode Fuzzy Hash: 525400aaf38b4c8553604ae8b824f00c7efa7e968a830d967b3dd0253fbe0bf3
Instruction Fuzzy Hash: 53310875900208ABCB14EF92D886BDDBBB9AF49704F90453AF002BB2A1DB795945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F3BA, Relevance: 18.1, APIs: 12, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0042F3BA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				char* _t60;
				char* _t64;
				signed int _t68;
				signed int _t72;
				char* _t74;
				void* _t90;
				void* _t92;
				intOrPtr _t93;

				_t93 = _t92 - 0xc;
				 *[fs:0x0] = _t93;
				L00401470();
				_v16 = _t93;
				_v12 = 0x401218;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401476, _t90);
				L004015A2();
				if( *0x433010 != 0) {
					_v104 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v104 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x36c))( *_v104));
				_t60 =  &_v60;
				_push(_t60);
				L004015E4();
				_v88 = _t60;
				_v68 = 0x80020004;
				_v76 = 0xa;
				if( *0x433010 != 0) {
					_v108 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v108 = 0x433010;
				}
				_t64 =  &_v56;
				L004015E4();
				_v80 = _t64;
				_t68 =  *((intOrPtr*)( *_v80 + 0x188))(_v80,  &_v52, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x340))( *_v108));
				asm("fclex");
				_v84 = _t68;
				if(_v84 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x188);
					_push(0x403650);
					_push(_v80);
					_push(_v84);
					L004015D8();
					_v112 = _t68;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t72 =  *((intOrPtr*)( *_v88 + 0x1ec))(_v88, _v52, 0x10);
				asm("fclex");
				_v92 = _t72;
				if(_v92 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v88);
					_push(_v92);
					L004015D8();
					_v116 = _t72;
				}
				L004015A8();
				_push( &_v60);
				_t74 =  &_v56;
				_push(_t74);
				_push(2);
				L004015CC();
				asm("wait");
				_push(0x42f56f);
				L004015C6();
				return _t74;
			}

0x0042f3bd
0x0042f3cc
0x0042f3d6
0x0042f3de
0x0042f3e1
0x0042f3e8
0x0042f3f7
0x0042f400
0x0042f40c
0x0042f426
0x0042f40e
0x0042f40e
0x0042f413
0x0042f418
0x0042f41d
0x0042f41d
0x0042f440
0x0042f441
0x0042f444
0x0042f445
0x0042f44a
0x0042f44d
0x0042f454
0x0042f462
0x0042f47c
0x0042f464
0x0042f464
0x0042f469
0x0042f46e
0x0042f473
0x0042f473
0x0042f497
0x0042f49b
0x0042f4a0
0x0042f4af
0x0042f4b5
0x0042f4b7
0x0042f4be
0x0042f4da
0x0042f4c0
0x0042f4c0
0x0042f4c5
0x0042f4ca
0x0042f4cd
0x0042f4d0
0x0042f4d5
0x0042f4d5
0x0042f4e1
0x0042f4eb
0x0042f4ec
0x0042f4ed
0x0042f4ee
0x0042f4fa
0x0042f500
0x0042f502
0x0042f509
0x0042f525
0x0042f50b
0x0042f50b
0x0042f510
0x0042f515
0x0042f518
0x0042f51b
0x0042f520
0x0042f520
0x0042f52c
0x0042f534
0x0042f535
0x0042f538
0x0042f539
0x0042f53b
0x0042f543
0x0042f544
0x0042f569
0x0042f56e

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F3D6
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042F400
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F418
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F445
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 0042F46E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F49B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000188), ref: 0042F4D0
__vbaChkstk.MSVBVM60 ref: 0042F4E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 0042F51B
__vbaFreeStr.MSVBVM60 ref: 0042F52C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042F53B
__vbaFreeVar.MSVBVM60(0042F56F,?,?,00401476), ref: 0042F569

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: c7d0f0afcf714cbe234a25a9387ab0b839c6480598a22e9d0d87ccebc01b2b8f
Instruction ID: 654c61a89388751789bb7e9bc224db1a8c155b414513279e307bc853d8b09af8
Opcode Fuzzy Hash: c7d0f0afcf714cbe234a25a9387ab0b839c6480598a22e9d0d87ccebc01b2b8f
Instruction Fuzzy Hash: AF510874E00208AFCB10EFD1D945B9DBBB9BF09705F60443AF106BB2A1CBB95A45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F596, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0042F596(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v108;
				char* _t60;
				char* _t64;
				signed int _t68;
				signed int _t72;
				char* _t74;
				void* _t90;
				void* _t92;
				intOrPtr _t93;

				_t93 = _t92 - 0xc;
				 *[fs:0x0] = _t93;
				L00401470();
				_v16 = _t93;
				_v12 = 0x401228;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x54,  *[fs:0x0], 0x401476, _t90);
				L004015A2();
				if( *0x433010 != 0) {
					_v96 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v96 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x330))( *_v96));
				_t60 =  &_v52;
				_push(_t60);
				L004015E4();
				_v80 = _t60;
				_v60 = 0x80020004;
				_v68 = 0xa;
				if( *0x433010 != 0) {
					_v100 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v100 = 0x433010;
				}
				_t64 =  &_v48;
				L004015E4();
				_v72 = _t64;
				_t68 =  *((intOrPtr*)( *_v72 + 0x158))(_v72,  &_v44, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x2fc))( *_v100));
				asm("fclex");
				_v76 = _t68;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403894);
					_push(_v72);
					_push(_v76);
					L004015D8();
					_v104 = _t68;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t72 =  *((intOrPtr*)( *_v80 + 0x1ec))(_v80, _v44, 0x10);
				asm("fclex");
				_v84 = _t72;
				if(_v84 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v80);
					_push(_v84);
					L004015D8();
					_v108 = _t72;
				}
				L004015A8();
				_push( &_v52);
				_t74 =  &_v48;
				_push(_t74);
				_push(2);
				L004015CC();
				_push(0x42f74a);
				L004015C6();
				return _t74;
			}

0x0042f599
0x0042f5a8
0x0042f5b2
0x0042f5ba
0x0042f5bd
0x0042f5c4
0x0042f5d3
0x0042f5dc
0x0042f5e8
0x0042f602
0x0042f5ea
0x0042f5ea
0x0042f5ef
0x0042f5f4
0x0042f5f9
0x0042f5f9
0x0042f61c
0x0042f61d
0x0042f620
0x0042f621
0x0042f626
0x0042f629
0x0042f630
0x0042f63e
0x0042f658
0x0042f640
0x0042f640
0x0042f645
0x0042f64a
0x0042f64f
0x0042f64f
0x0042f673
0x0042f677
0x0042f67c
0x0042f68b
0x0042f691
0x0042f693
0x0042f69a
0x0042f6b6
0x0042f69c
0x0042f69c
0x0042f6a1
0x0042f6a6
0x0042f6a9
0x0042f6ac
0x0042f6b1
0x0042f6b1
0x0042f6bd
0x0042f6c7
0x0042f6c8
0x0042f6c9
0x0042f6ca
0x0042f6d6
0x0042f6dc
0x0042f6de
0x0042f6e5
0x0042f701
0x0042f6e7
0x0042f6e7
0x0042f6ec
0x0042f6f1
0x0042f6f4
0x0042f6f7
0x0042f6fc
0x0042f6fc
0x0042f708
0x0042f710
0x0042f711
0x0042f714
0x0042f715
0x0042f717
0x0042f71f
0x0042f744
0x0042f749

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F5B2
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042F5DC
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F5F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F621
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 0042F64A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F677
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403894,00000158), ref: 0042F6AC
__vbaChkstk.MSVBVM60 ref: 0042F6BD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 0042F6F7
__vbaFreeStr.MSVBVM60 ref: 0042F708
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042F717
__vbaFreeVar.MSVBVM60(0042F74A,?,?,00401476), ref: 0042F744

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: 63c82f78bc2e87ba351025c8835ca47cffa03e0abaa2aa9aac60b229a5b8b1f7
Instruction ID: f00b92fb61c0f1a3ebbd2bcff6a47b781fe98244630651119d4fdb7bb842b752
Opcode Fuzzy Hash: 63c82f78bc2e87ba351025c8835ca47cffa03e0abaa2aa9aac60b229a5b8b1f7
Instruction Fuzzy Hash: 3551F575D00218EFCB10EF91C849B9DBBB9FF48305F60443AE406BB2A1C7B95A06DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00430B8A, Relevance: 16.6, APIs: 11, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E00430B8A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v64;
				char _v80;
				intOrPtr _v104;
				char _v112;
				short _v116;
				void* _t27;
				short _t30;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401470();
				_v16 = _t47;
				_v12 = 0x401330;
				_v8 = 0;
				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401476, _t44);
				L004015BA();
				L004015A2();
				L004015A2();
				_push(0x403bd8);
				L00401518();
				_push(_t27);
				_push( &_v80);
				L0040151E();
				_v104 = 0x403be4;
				_v112 = 0x8008;
				_push( &_v80);
				_t30 =  &_v112;
				_push(_t30);
				L00401572();
				_v116 = _t30;
				L004015C6();
				_push(0x430c59);
				L004015C6();
				L004015A8();
				L004015C6();
				return _t30;
			}

0x00430b8d
0x00430b9c
0x00430ba6
0x00430bae
0x00430bb1
0x00430bb8
0x00430bc7
0x00430bd0
0x00430bdb
0x00430be6
0x00430beb
0x00430bf0
0x00430bf5
0x00430bf9
0x00430bfa
0x00430bff
0x00430c06
0x00430c10
0x00430c11
0x00430c14
0x00430c15
0x00430c1a
0x00430c21
0x00430c26
0x00430c43
0x00430c4b
0x00430c53
0x00430c58

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00430BA6
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00430BD0
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00430BDB
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00430BE6
__vbaI4Str.MSVBVM60(00403BD8,?,?,?,?,00401476), ref: 00430BF0
#698.MSVBVM60(?,00000000,00403BD8,?,?,?,?,00401476), ref: 00430BFA
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00430C15
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00430C21
__vbaFreeVar.MSVBVM60(00430C59,00008008,?), ref: 00430C43
__vbaFreeStr.MSVBVM60(00430C59,00008008,?), ref: 00430C4B
__vbaFreeVar.MSVBVM60(00430C59,00008008,?), ref: 00430C53

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#698ChkstkCopy
String ID:
API String ID: 3663778037-0
Opcode ID: 4cc9ae162ce823e5a8711e84bc26e6a52fb29ec7744204ea0d4222b206c65f61
Instruction ID: fa1f958eda020d403a77a18ed7b6719ac4b96741b5cdeac8bf32509702cc9314
Opcode Fuzzy Hash: 4cc9ae162ce823e5a8711e84bc26e6a52fb29ec7744204ea0d4222b206c65f61
Instruction Fuzzy Hash: 54111F71D00248BBCB05EFA1CC56ECDBBB8BF44708F50812AF4067B1A1DB786A09CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431FD3, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00431FD3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t41;
				signed int _t45;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t61 = _t60 - 0xc;
				 *[fs:0x0] = _t61;
				L00401470();
				_v16 = _t61;
				_v12 = 0x401428;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401476, _t58);
				L004015BA();
				 *_a32 =  *_a32 & 0x00000000;
				if( *0x433010 != 0) {
					_v84 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v84 = 0x433010;
				}
				_t41 =  &_v48;
				L004015E4();
				_v68 = _t41;
				_v56 = 0x80020004;
				_v64 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t45 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, L"TRANGERE", 0x10, _t41,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x340))( *_v84));
				asm("fclex");
				_v72 = _t45;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v68);
					_push(_v72);
					L004015D8();
					_v88 = _t45;
				}
				L004015D2();
				_push(0x4320fa);
				L004015A8();
				return _t45;
			}

0x00431fd6
0x00431fe5
0x00431fef
0x00431ff7
0x00431ffa
0x00432001
0x00432010
0x00432019
0x00432021
0x0043202b
0x00432045
0x0043202d
0x0043202d
0x00432032
0x00432037
0x0043203c
0x0043203c
0x00432060
0x00432064
0x00432069
0x0043206c
0x00432073
0x0043207d
0x00432087
0x00432088
0x00432089
0x0043208a
0x00432098
0x0043209e
0x004320a0
0x004320a7
0x004320c3
0x004320a9
0x004320a9
0x004320ae
0x004320b3
0x004320b6
0x004320b9
0x004320be
0x004320be
0x004320ca
0x004320cf
0x004320f4
0x004320f9

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431FEF
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00432019
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00432037
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432064
__vbaChkstk.MSVBVM60(?,00000000), ref: 0043207D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 004320B9
__vbaFreeObj.MSVBVM60 ref: 004320CA
__vbaFreeStr.MSVBVM60(004320FA), ref: 004320F4

Strings

TRANGERE, xrefs: 0043208B

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID: TRANGERE
API String ID: 2888502551-3714728012
Opcode ID: 610d48f564dc61525cec7afd462a637746555418a56ee45d97ea32bbff9c6bdc
Instruction ID: 6ff2d3b8b9316de6c79ac3c2192a30737751911d15ed781c763fadbd9c84bc82
Opcode Fuzzy Hash: 610d48f564dc61525cec7afd462a637746555418a56ee45d97ea32bbff9c6bdc
Instruction Fuzzy Hash: E8310975900208EFCB14EF95C945B9DBBB5BF09705F20842AF502BB2A1C7BDAA05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043105F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0043105F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				char* _t57;
				char* _t61;
				signed int _t65;
				signed int _t69;
				char* _t71;
				void* _t84;
				void* _t86;
				intOrPtr _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L00401470();
				_v16 = _t87;
				_v12 = 0x401360;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401476, _t84);
				if( *0x433010 != 0) {
					_v84 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v84 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x33c))( *_v84));
				_t57 =  &_v40;
				_push(_t57);
				L004015E4();
				_v68 = _t57;
				_v48 = 0x80020004;
				_v56 = 0xa;
				if( *0x433010 != 0) {
					_v88 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v88 = 0x433010;
				}
				_t61 =  &_v36;
				L004015E4();
				_v60 = _t61;
				_t65 =  *((intOrPtr*)( *_v60 + 0x148))(_v60,  &_v32, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x30c))( *_v88));
				asm("fclex");
				_v64 = _t65;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x148);
					_push(0x40374c);
					_push(_v60);
					_push(_v64);
					L004015D8();
					_v92 = _t65;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t69 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, _v32, 0x10);
				asm("fclex");
				_v72 = _t69;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v68);
					_push(_v72);
					L004015D8();
					_v96 = _t69;
				}
				L004015A8();
				_push( &_v40);
				_t71 =  &_v36;
				_push(_t71);
				_push(2);
				L004015CC();
				_push(0x431200);
				return _t71;
			}

0x00431062
0x00431071
0x0043107b
0x00431083
0x00431086
0x0043108d
0x0043109c
0x004310a6
0x004310c0
0x004310a8
0x004310a8
0x004310ad
0x004310b2
0x004310b7
0x004310b7
0x004310da
0x004310db
0x004310de
0x004310df
0x004310e4
0x004310e7
0x004310ee
0x004310fc
0x00431116
0x004310fe
0x004310fe
0x00431103
0x00431108
0x0043110d
0x0043110d
0x00431131
0x00431135
0x0043113a
0x00431149
0x0043114f
0x00431151
0x00431158
0x00431174
0x0043115a
0x0043115a
0x0043115f
0x00431164
0x00431167
0x0043116a
0x0043116f
0x0043116f
0x0043117b
0x00431185
0x00431186
0x00431187
0x00431188
0x00431194
0x0043119a
0x0043119c
0x004311a3
0x004311bf
0x004311a5
0x004311a5
0x004311aa
0x004311af
0x004311b2
0x004311b5
0x004311ba
0x004311ba
0x004311c6
0x004311ce
0x004311cf
0x004311d2
0x004311d3
0x004311d5
0x004311dd
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0043107B
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 004310B2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004310DF
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 00431108
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431135
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040374C,00000148), ref: 0043116A
__vbaChkstk.MSVBVM60 ref: 0043117B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 004311B5
__vbaFreeStr.MSVBVM60 ref: 004311C6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004311D5

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: 726ba93b7be04757cdb6123674f4cc93d83abb9dff63c7f37517071d0bed5b61
Instruction ID: 93f4af37c34d384f54681394dd82aad497e3f766820f7aac3a8aaddc124ecbe0
Opcode Fuzzy Hash: 726ba93b7be04757cdb6123674f4cc93d83abb9dff63c7f37517071d0bed5b61
Instruction Fuzzy Hash: 9541F574D00248EFCB14DFD1C945BDDBBB9BB08705F20442AF112BB2A5C7B99A05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00430E9F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00430E9F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				char* _t57;
				char* _t61;
				signed int _t65;
				signed int _t69;
				char* _t71;
				void* _t84;
				void* _t86;
				intOrPtr _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L00401470();
				_v16 = _t87;
				_v12 = 0x401350;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401476, _t84);
				if( *0x433010 != 0) {
					_v80 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v80 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x33c))( *_v80));
				_t57 =  &_v36;
				_push(_t57);
				L004015E4();
				_v64 = _t57;
				_v44 = 0x80020004;
				_v52 = 0xa;
				if( *0x433010 != 0) {
					_v84 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v84 = 0x433010;
				}
				_t61 =  &_v32;
				L004015E4();
				_v56 = _t61;
				_t65 =  *((intOrPtr*)( *_v56 + 0x140))(_v56,  &_v28, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x33c))( *_v84));
				asm("fclex");
				_v60 = _t65;
				if(_v60 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x403650);
					_push(_v56);
					_push(_v60);
					L004015D8();
					_v88 = _t65;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t69 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, _v28, 0x10);
				asm("fclex");
				_v68 = _t69;
				if(_v68 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v64);
					_push(_v68);
					L004015D8();
					_v92 = _t69;
				}
				L004015A8();
				_push( &_v36);
				_t71 =  &_v32;
				_push(_t71);
				_push(2);
				L004015CC();
				_push(0x431040);
				return _t71;
			}

0x00430ea2
0x00430eb1
0x00430ebb
0x00430ec3
0x00430ec6
0x00430ecd
0x00430edc
0x00430ee6
0x00430f00
0x00430ee8
0x00430ee8
0x00430eed
0x00430ef2
0x00430ef7
0x00430ef7
0x00430f1a
0x00430f1b
0x00430f1e
0x00430f1f
0x00430f24
0x00430f27
0x00430f2e
0x00430f3c
0x00430f56
0x00430f3e
0x00430f3e
0x00430f43
0x00430f48
0x00430f4d
0x00430f4d
0x00430f71
0x00430f75
0x00430f7a
0x00430f89
0x00430f8f
0x00430f91
0x00430f98
0x00430fb4
0x00430f9a
0x00430f9a
0x00430f9f
0x00430fa4
0x00430fa7
0x00430faa
0x00430faf
0x00430faf
0x00430fbb
0x00430fc5
0x00430fc6
0x00430fc7
0x00430fc8
0x00430fd4
0x00430fda
0x00430fdc
0x00430fe3
0x00430fff
0x00430fe5
0x00430fe5
0x00430fea
0x00430fef
0x00430ff2
0x00430ff5
0x00430ffa
0x00430ffa
0x00431006
0x0043100e
0x0043100f
0x00431012
0x00431013
0x00431015
0x0043101d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00430EBB
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00430EF2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430F1F
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 00430F48
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430F75
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000140), ref: 00430FAA
__vbaChkstk.MSVBVM60 ref: 00430FBB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 00430FF5
__vbaFreeStr.MSVBVM60 ref: 00431006
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00431015

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: 14a56ea85088df992f5a762bb1f4318d8e4c2ac4f791cf6b05b447409474ff90
Instruction ID: 684a657160daf03eaac3a985eeedf3928710192f025379c9e7f71d64d02be0a8
Opcode Fuzzy Hash: 14a56ea85088df992f5a762bb1f4318d8e4c2ac4f791cf6b05b447409474ff90
Instruction Fuzzy Hash: 26410674D00208EFCB14EF91C885B9DBBB9BF09705F20442AF516BB2A1C7B99A45DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F970, Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0042F970(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				char* _t50;
				char* _t54;
				signed int _t58;
				signed int _t62;
				char* _t64;
				intOrPtr _t80;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t80;
				_push(0x40);
				L00401470();
				_v12 = _t80;
				_v8 = 0x401258;
				if( *0x433010 != 0) {
					_v72 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v72 = 0x433010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x380))( *_v72));
				_t50 =  &_v32;
				_push(_t50);
				L004015E4();
				_v60 = _t50;
				_v40 = 0x80020004;
				_v48 = 0xa;
				if( *0x433010 != 0) {
					_v76 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v76 = 0x433010;
				}
				_t54 =  &_v28;
				L004015E4();
				_v52 = _t54;
				_t58 =  *((intOrPtr*)( *_v52 + 0x90))(_v52,  &_v24, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x390))( *_v76));
				asm("fclex");
				_v56 = _t58;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x90);
					_push(0x403a44);
					_push(_v52);
					_push(_v56);
					L004015D8();
					_v80 = _t58;
				}
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_v60 + 0x1ec))(_v60, _v24, 0x10);
				asm("fclex");
				_v64 = _t62;
				if(_v64 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v60);
					_push(_v64);
					L004015D8();
					_v84 = _t62;
				}
				L004015A8();
				_push( &_v32);
				_t64 =  &_v28;
				_push(_t64);
				_push(2);
				L004015CC();
				_push(0x42fafe);
				return _t64;
			}

0x0042f975
0x0042f980
0x0042f981
0x0042f988
0x0042f98b
0x0042f993
0x0042f996
0x0042f9a4
0x0042f9be
0x0042f9a6
0x0042f9a6
0x0042f9ab
0x0042f9b0
0x0042f9b5
0x0042f9b5
0x0042f9d8
0x0042f9d9
0x0042f9dc
0x0042f9dd
0x0042f9e2
0x0042f9e5
0x0042f9ec
0x0042f9fa
0x0042fa14
0x0042f9fc
0x0042f9fc
0x0042fa01
0x0042fa06
0x0042fa0b
0x0042fa0b
0x0042fa2f
0x0042fa33
0x0042fa38
0x0042fa47
0x0042fa4d
0x0042fa4f
0x0042fa56
0x0042fa72
0x0042fa58
0x0042fa58
0x0042fa5d
0x0042fa62
0x0042fa65
0x0042fa68
0x0042fa6d
0x0042fa6d
0x0042fa79
0x0042fa83
0x0042fa84
0x0042fa85
0x0042fa86
0x0042fa92
0x0042fa98
0x0042fa9a
0x0042faa1
0x0042fabd
0x0042faa3
0x0042faa3
0x0042faa8
0x0042faad
0x0042fab0
0x0042fab3
0x0042fab8
0x0042fab8
0x0042fac4
0x0042facc
0x0042facd
0x0042fad0
0x0042fad1
0x0042fad3
0x0042fadb
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F98B
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F9B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F9DD
__vbaNew2.MSVBVM60(00403E5C,00433010,?,00000000), ref: 0042FA06
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042FA33
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A44,00000090), ref: 0042FA68
__vbaChkstk.MSVBVM60 ref: 0042FA79
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 0042FAB3
__vbaFreeStr.MSVBVM60 ref: 0042FAC4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042FAD3

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: 95f233eef24dcfc803d586812603a053ac9b284ae59c37741aa2877f4f69fd79
Instruction ID: 83070da2a09741a75faedc89b16c09af343c8519e3bbe9dc0f0bbe555d9a1c57
Opcode Fuzzy Hash: 95f233eef24dcfc803d586812603a053ac9b284ae59c37741aa2877f4f69fd79
Instruction Fuzzy Hash: 79414874E00208AFCB14DF91D845B9EBBB8BF08704F60003AF106BB2A0C7B95905DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004314EC, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004314EC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				signed int _v124;
				char* _t45;
				signed int _t51;
				intOrPtr _t56;
				void* _t68;
				void* _t70;
				intOrPtr* _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401470();
				_v16 = _t71;
				_v12 = 0x4013a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401476, _t68);
				L004015A2();
				if( *0x433010 != 0) {
					_v120 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v120 = 0x433010;
				}
				_t56 =  *((intOrPtr*)( *_v120));
				_t45 =  &_v52;
				L004015E4();
				_v104 = _t45;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t71 =  *0x4013a0;
				_t51 =  *((intOrPtr*)( *_v104 + 0x204))(_v104, _t56, 0x10, 0x10, 0x10, _t45,  *((intOrPtr*)(_t56 + 0x34c))( *_v120));
				asm("fclex");
				_v108 = _t51;
				if(_v108 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x403650);
					_push(_v104);
					_push(_v108);
					L004015D8();
					_v124 = _t51;
				}
				L004015D2();
				asm("wait");
				_push(0x43163f);
				L004015C6();
				return _t51;
			}

0x004314ef
0x004314fe
0x00431508
0x00431510
0x00431513
0x0043151a
0x00431529
0x00431532
0x0043153e
0x00431558
0x00431540
0x00431540
0x00431545
0x0043154a
0x0043154f
0x0043154f
0x00431569
0x00431573
0x00431577
0x0043157c
0x0043157f
0x00431586
0x0043158d
0x00431594
0x0043159b
0x004315a2
0x004315ac
0x004315b6
0x004315b7
0x004315b8
0x004315b9
0x004315bd
0x004315c7
0x004315c8
0x004315c9
0x004315ca
0x004315ce
0x004315d8
0x004315d9
0x004315da
0x004315db
0x004315e3
0x004315ee
0x004315f4
0x004315f6
0x004315fd
0x00431619
0x004315ff
0x004315ff
0x00431604
0x00431609
0x0043160c
0x0043160f
0x00431614
0x00431614
0x00431620
0x00431625
0x00431626
0x00431639
0x0043163e

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431508
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00431532
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0043154A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431577
__vbaChkstk.MSVBVM60(?,00000000), ref: 004315AC
__vbaChkstk.MSVBVM60(?,00000000), ref: 004315BD
__vbaChkstk.MSVBVM60(?,00000000), ref: 004315CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000204,?,?,00000000), ref: 0043160F
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 00431620
__vbaFreeVar.MSVBVM60(0043163F,?,?,00000000), ref: 00431639

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2
String ID:
API String ID: 2431949001-0
Opcode ID: edf4782592f088632e54417af89195d6a7f1a56099ff8ec8a18b74e71a04c657
Instruction ID: 0c115f4a62e91c75b5df17a31a975c17c6a4348a5ae519694ac64a631c59a5eb
Opcode Fuzzy Hash: edf4782592f088632e54417af89195d6a7f1a56099ff8ec8a18b74e71a04c657
Instruction Fuzzy Hash: DB412C71900708EFDB11EFA5C94AB8DBBB6BF09704F20442AF506BF2A1C7B95945CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043166C, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0043166C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v44;
				char _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t43;
				signed int _t47;
				void* _t63;
				void* _t65;
				intOrPtr _t66;

				_t66 = _t65 - 0xc;
				 *[fs:0x0] = _t66;
				L00401470();
				_v16 = _t66;
				_v12 = 0x4013b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401476, _t63);
				L004015BA();
				L004015A2();
				if( *0x433010 != 0) {
					_v84 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v84 = 0x433010;
				}
				_t43 =  &_v48;
				L004015E4();
				_v68 = _t43;
				_v56 = _v56 & 0x00000000;
				_v64 = 2;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t47 =  *((intOrPtr*)( *_v68 + 0x200))(_v68, 0x10, _t43,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x37c))( *_v84));
				asm("fclex");
				_v72 = _t47;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x403608);
					_push(_v68);
					_push(_v72);
					L004015D8();
					_v88 = _t47;
				}
				L004015D2();
				_push(0x431786);
				L004015A8();
				L004015C6();
				return _t47;
			}

0x0043166f
0x0043167e
0x00431688
0x00431690
0x00431693
0x0043169a
0x004316a9
0x004316b2
0x004316bd
0x004316c9
0x004316e3
0x004316cb
0x004316cb
0x004316d0
0x004316d5
0x004316da
0x004316da
0x004316fe
0x00431702
0x00431707
0x0043170a
0x0043170e
0x00431718
0x00431722
0x00431723
0x00431724
0x00431725
0x0043172e
0x00431734
0x00431736
0x0043173d
0x00431759
0x0043173f
0x0043173f
0x00431744
0x00431749
0x0043174c
0x0043174f
0x00431754
0x00431754
0x00431760
0x00431765
0x00431778
0x00431780
0x00431785

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431688
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 004316B2
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 004316BD
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 004316D5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431702
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431718
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,00000200), ref: 0043174F
__vbaFreeObj.MSVBVM60 ref: 00431760
__vbaFreeStr.MSVBVM60(00431786), ref: 00431778
__vbaFreeVar.MSVBVM60(00431786), ref: 00431780

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID:
API String ID: 763330518-0
Opcode ID: cd6158e4de6bfe3a964379ef06a77e1a91f182733156d4725a1167bf6b990d09
Instruction ID: 32899a0f546fbb9c68e5db3fb725898fa13fe43ca36734ca15836e331e764106
Opcode Fuzzy Hash: cd6158e4de6bfe3a964379ef06a77e1a91f182733156d4725a1167bf6b990d09
Instruction Fuzzy Hash: BA31E975900208EFDB10DF91C946B9DBBB5BF49705F10542AF5027B2A1CB7D6A05CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042F291, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042F291(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v72;
				signed int _v76;
				char* _t36;
				signed int _t40;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401470();
				_v16 = _t53;
				_v12 = 0x401208;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401476, _t50);
				if( *0x433010 != 0) {
					_v72 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v72 = 0x433010;
				}
				_t36 =  &_v36;
				L004015E4();
				_v56 = _t36;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v56 + 0x1ec))(_v56, L"PERIKUMBRNDEVIN", 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x32c))( *_v72));
				asm("fclex");
				_v60 = _t40;
				if(_v60 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403650);
					_push(_v56);
					_push(_v60);
					L004015D8();
					_v76 = _t40;
				}
				L004015D2();
				_push(0x42f38d);
				return _t40;
			}

0x0042f294
0x0042f2a3
0x0042f2ad
0x0042f2b5
0x0042f2b8
0x0042f2bf
0x0042f2ce
0x0042f2d8
0x0042f2f2
0x0042f2da
0x0042f2da
0x0042f2df
0x0042f2e4
0x0042f2e9
0x0042f2e9
0x0042f30d
0x0042f311
0x0042f316
0x0042f319
0x0042f320
0x0042f32a
0x0042f334
0x0042f335
0x0042f336
0x0042f337
0x0042f345
0x0042f34b
0x0042f34d
0x0042f354
0x0042f370
0x0042f356
0x0042f356
0x0042f35b
0x0042f360
0x0042f363
0x0042f366
0x0042f36b
0x0042f36b
0x0042f377
0x0042f37c
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F2AD
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F2E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042F311
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042F32A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001EC), ref: 0042F366
__vbaFreeObj.MSVBVM60 ref: 0042F377

Strings

PERIKUMBRNDEVIN, xrefs: 0042F338

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: PERIKUMBRNDEVIN
API String ID: 3189907775-3996290216
Opcode ID: a6ba9da5181e777b30579a391a495ed28d9b0723cd9b80d3ac0524dddd197d9a
Instruction ID: efef14d3949a55734e3718e270fe5e0d28349fb5d1b45b2ccd8a4d662bf96e6a
Opcode Fuzzy Hash: a6ba9da5181e777b30579a391a495ed28d9b0723cd9b80d3ac0524dddd197d9a
Instruction Fuzzy Hash: CE214B74A00208EFCB10DF95D985B9DBBB5BF09704F60407AF401BB2A0C7BD6A45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042FC70, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042FC70(void* __ebx, void* __edi, void* __esi, signed int* _a20) {
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t31;
				signed int _t35;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_push(0x3c);
				L00401470();
				_v16 = _t48;
				_v12 = 0x401280;
				 *_a20 =  *_a20 & 0x00000000;
				if( *0x433010 != 0) {
					_v80 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v80 = 0x433010;
				}
				_t31 =  &_v44;
				L004015E4();
				_v64 = _t31;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t35 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, L"Revselse7", 0x10, _t31,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x37c))( *_v80));
				asm("fclex");
				_v68 = _t35;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403608);
					_push(_v64);
					_push(_v68);
					L004015D8();
					_v84 = _t35;
				}
				L004015D2();
				_push(0x42fd72);
				return _t35;
			}

0x0042fc73
0x0042fc76
0x0042fc81
0x0042fc82
0x0042fc89
0x0042fc8c
0x0042fc94
0x0042fc97
0x0042fca1
0x0042fcab
0x0042fcc5
0x0042fcad
0x0042fcad
0x0042fcb2
0x0042fcb7
0x0042fcbc
0x0042fcbc
0x0042fce0
0x0042fce4
0x0042fce9
0x0042fcec
0x0042fcf3
0x0042fcfd
0x0042fd07
0x0042fd08
0x0042fd09
0x0042fd0a
0x0042fd18
0x0042fd1e
0x0042fd20
0x0042fd27
0x0042fd43
0x0042fd29
0x0042fd29
0x0042fd2e
0x0042fd33
0x0042fd36
0x0042fd39
0x0042fd3e
0x0042fd3e
0x0042fd4a
0x0042fd4f
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042FC8C
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042FCB7
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042FCE4
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042FCFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,000001EC), ref: 0042FD39
__vbaFreeObj.MSVBVM60 ref: 0042FD4A

Strings

Revselse7, xrefs: 0042FD0B

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Revselse7
API String ID: 3189907775-4127856029
Opcode ID: f751833eadd9e30f043b8a4b88ecfb80e6c90e19779fb4a7bb944f6d79574be3
Instruction ID: df1afe3e0ba266676c735053486e7dcee58f4a85cdfb4e78073f21146ad72279
Opcode Fuzzy Hash: f751833eadd9e30f043b8a4b88ecfb80e6c90e19779fb4a7bb944f6d79574be3
Instruction Fuzzy Hash: E5213674E00618EFCB14EF96D846B8DBBB8BF09705F50443AF412BB2A0C7B95905DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004305D2, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004305D2(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L00401470();
				_v12 = _t46;
				_v8 = 0x4012d0;
				if( *0x433010 != 0) {
					_v56 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v56 = 0x433010;
				}
				_t29 =  &_v24;
				L004015E4();
				_v44 = _t29;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x1ec))(_v44, L"cattalos", 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x368))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403608);
					_push(_v44);
					_push(_v48);
					L004015D8();
					_v60 = _t33;
				}
				L004015D2();
				_push(0x4306bb);
				return _t33;
			}

0x004305d7
0x004305e2
0x004305e3
0x004305ea
0x004305ed
0x004305f5
0x004305f8
0x00430606
0x00430620
0x00430608
0x00430608
0x0043060d
0x00430612
0x00430617
0x00430617
0x0043063b
0x0043063f
0x00430644
0x00430647
0x0043064e
0x00430658
0x00430662
0x00430663
0x00430664
0x00430665
0x00430673
0x00430679
0x0043067b
0x00430682
0x0043069e
0x00430684
0x00430684
0x00430689
0x0043068e
0x00430691
0x00430694
0x00430699
0x00430699
0x004306a5
0x004306aa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004305ED
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00430612
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0043063F
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401476), ref: 00430658
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,000001EC,?,?,?,?,?,?,?,?,?,?,00401476), ref: 00430694
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401476), ref: 004306A5

Strings

cattalos, xrefs: 00430666

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: cattalos
API String ID: 3189907775-1666761588
Opcode ID: 4e889e1394f5e519e82a2020f0bf27edb855cf8f0cadb87b2102d7bac8fe9578
Instruction ID: 6a0778c1e15be65036c34bf6820e3b50cdc8eef4db32de772d9c5a61e51aa707
Opcode Fuzzy Hash: 4e889e1394f5e519e82a2020f0bf27edb855cf8f0cadb87b2102d7bac8fe9578
Instruction Fuzzy Hash: 2B215CB4D40608AFCB10DF96C946BDDBBB9EB4D715F20542AF001BB2A1C7BD5A40CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0042FB11, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0042FB11(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t42;
				signed int _t48;
				intOrPtr _t52;
				void* _t62;
				void* _t64;
				intOrPtr* _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401470();
				_v16 = _t65;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401476, _t62);
				if( *0x433010 != 0) {
					_v96 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v96 = 0x433010;
				}
				_t52 =  *((intOrPtr*)( *_v96));
				_t42 =  &_v28;
				L004015E4();
				_v80 = _t42;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t65 =  *0x401268;
				_t48 =  *((intOrPtr*)( *_v80 + 0x204))(_v80, _t52, 0x10, 0x10, 0x10, _t42,  *((intOrPtr*)(_t52 + 0x33c))( *_v96));
				asm("fclex");
				_v84 = _t48;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x403650);
					_push(_v80);
					_push(_v84);
					L004015D8();
					_v100 = _t48;
				}
				L004015D2();
				asm("wait");
				_push(0x42fc51);
				return _t48;
			}

0x0042fb14
0x0042fb23
0x0042fb2d
0x0042fb35
0x0042fb38
0x0042fb3f
0x0042fb4e
0x0042fb58
0x0042fb72
0x0042fb5a
0x0042fb5a
0x0042fb5f
0x0042fb64
0x0042fb69
0x0042fb69
0x0042fb83
0x0042fb8d
0x0042fb91
0x0042fb96
0x0042fb99
0x0042fba0
0x0042fba7
0x0042fbae
0x0042fbb5
0x0042fbbc
0x0042fbc6
0x0042fbd0
0x0042fbd1
0x0042fbd2
0x0042fbd3
0x0042fbd7
0x0042fbe1
0x0042fbe2
0x0042fbe3
0x0042fbe4
0x0042fbe8
0x0042fbf2
0x0042fbf3
0x0042fbf4
0x0042fbf5
0x0042fbfd
0x0042fc08
0x0042fc0e
0x0042fc10
0x0042fc17
0x0042fc33
0x0042fc19
0x0042fc19
0x0042fc1e
0x0042fc23
0x0042fc26
0x0042fc29
0x0042fc2e
0x0042fc2e
0x0042fc3a
0x0042fc3f
0x0042fc40
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042FB2D
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042FB64
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042FB91
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042FBC6
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042FBD7
__vbaChkstk.MSVBVM60(?,00000000), ref: 0042FBE8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000204,?,?,00000000), ref: 0042FC29
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0042FC3A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 64260e3a3111bf31c7294ffff892acbc000d3e6669bc6e64a6d991503af03893
Instruction ID: 50a5fdcebf00d8db8b0029ebfeb8532d36ad7711822081ce59d1265424a1b1f4
Opcode Fuzzy Hash: 64260e3a3111bf31c7294ffff892acbc000d3e6669bc6e64a6d991503af03893
Instruction Fuzzy Hash: 303125B1D00708EBCB11EF91D849B8EBBB5BF09714F50842AF901BF2A1C7B95946CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004317A5, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004317A5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				void* _v40;
				void* _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _t44;
				signed int _t49;
				intOrPtr _t61;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t61;
				_push(0x3c);
				L00401470();
				_v12 = _t61;
				_v8 = 0x4013c8;
				L004015A2();
				if( *0x4333a0 != 0) {
					_v72 = 0x4333a0;
				} else {
					_push(0x4333a0);
					_push(0x403b80);
					L004015DE();
					_v72 = 0x4333a0;
				}
				_v52 =  *_v72;
				_t44 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v44);
				asm("fclex");
				_v56 = _t44;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403b70);
					_push(_v52);
					_push(_v56);
					L004015D8();
					_v76 = _t44;
				}
				_v60 = _v44;
				_t49 =  *((intOrPtr*)( *_v60 + 0x118))(_v60,  &_v48);
				asm("fclex");
				_v64 = _t49;
				if(_v64 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x403bf0);
					_push(_v60);
					_push(_v64);
					L004015D8();
					_v80 = _t49;
				}
				L0040150C();
				_v24 = _t49;
				L004015D2();
				_push(0x4318b0);
				L004015C6();
				return _t49;
			}

0x004317aa
0x004317b5
0x004317b6
0x004317bd
0x004317c0
0x004317c8
0x004317cb
0x004317d8
0x004317e4
0x004317fe
0x004317e6
0x004317e6
0x004317eb
0x004317f0
0x004317f5
0x004317f5
0x0043180a
0x00431819
0x0043181c
0x0043181e
0x00431825
0x0043183e
0x00431827
0x00431827
0x00431829
0x0043182e
0x00431831
0x00431834
0x00431839
0x00431839
0x00431845
0x00431854
0x0043185a
0x0043185c
0x00431863
0x0043187f
0x00431865
0x00431865
0x0043186a
0x0043186f
0x00431872
0x00431875
0x0043187a
0x0043187a
0x00431886
0x0043188b
0x00431892
0x00431897
0x004318aa
0x004318af

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004317C0
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 004317D8
__vbaNew2.MSVBVM60(00403B80,004333A0,?,?,?,?,00401476), ref: 004317F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403B70,00000014), ref: 00431834
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403BF0,00000118), ref: 00431875
__vbaI2I4.MSVBVM60(00000000,?,00403BF0,00000118), ref: 00431886
__vbaFreeObj.MSVBVM60(00000000,?,00403BF0,00000118), ref: 00431892
__vbaFreeVar.MSVBVM60(004318B0), ref: 004318AA

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: 40cfe134044a0f37d8dd7020bcb8ac11af744c17b2ceab369d7005dfa5f86502
Instruction ID: c107ca7fbd7309432070b976003ef4ca20176fec5fc64de0f2bef083e643be2f
Opcode Fuzzy Hash: 40cfe134044a0f37d8dd7020bcb8ac11af744c17b2ceab369d7005dfa5f86502
Instruction Fuzzy Hash: 0D31E270900208AFCB14EF95D946FDDBBB5AF08715F20502AF002B62B1DB786A459B69

Uniqueness

Uniqueness Score: -1.00%

Function 00431DA9, Relevance: 12.1, APIs: 8, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00431DA9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				char* _t32;
				signed int _t36;
				intOrPtr _t52;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x38);
				L00401470();
				_v12 = _t52;
				_v8 = 0x401408;
				L004015A2();
				if( *0x433010 != 0) {
					_v72 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v72 = 0x433010;
				}
				_t32 =  &_v40;
				L004015E4();
				_v60 = _t32;
				_v48 = 1;
				_v56 = 2;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t36 =  *((intOrPtr*)( *_v60 + 0x17c))(_v60, 0x10, _t32,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x30c))( *_v72));
				asm("fclex");
				_v64 = _t36;
				if(_v64 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x17c);
					_push(0x40374c);
					_push(_v60);
					_push(_v64);
					L004015D8();
					_v76 = _t36;
				}
				L004015D2();
				_push(0x431ea0);
				L004015C6();
				return _t36;
			}

0x00431dae
0x00431db9
0x00431dba
0x00431dc1
0x00431dc4
0x00431dcc
0x00431dcf
0x00431ddc
0x00431de8
0x00431e02
0x00431dea
0x00431dea
0x00431def
0x00431df4
0x00431df9
0x00431df9
0x00431e1d
0x00431e21
0x00431e26
0x00431e29
0x00431e30
0x00431e3a
0x00431e44
0x00431e45
0x00431e46
0x00431e47
0x00431e50
0x00431e56
0x00431e58
0x00431e5f
0x00431e7b
0x00431e61
0x00431e61
0x00431e66
0x00431e6b
0x00431e6e
0x00431e71
0x00431e76
0x00431e76
0x00431e82
0x00431e87
0x00431e9a
0x00431e9f

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431DC4
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 00431DDC
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00431DF4
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431E21
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431E3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040374C,0000017C), ref: 00431E71
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 00431E82
__vbaFreeVar.MSVBVM60(00431EA0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 00431E9A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2
String ID:
API String ID: 2807847221-0
Opcode ID: 503c7ddd630b2a28c1c88a7e4df3d2195432c9b99fdc1680b750550a63a1b44c
Instruction ID: 3781e9276e0c0429dc0f7f76aa75a5d1194a61133c14cc79bdd5032298cbcfca
Opcode Fuzzy Hash: 503c7ddd630b2a28c1c88a7e4df3d2195432c9b99fdc1680b750550a63a1b44c
Instruction Fuzzy Hash: D9212E71D00208AFCB15DF92C946BDDBBB5AF09705F60442AF401BB2B1C7BD6A45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004312F8, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E004312F8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v60;
				signed int _v64;
				char* _t36;
				signed int _t39;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401470();
				_v16 = _t53;
				_v12 = 0x401380;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x401476, _t50);
				L004015BA();
				if( *0x433010 != 0) {
					_v60 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v60 = 0x433010;
				}
				_t36 =  &_v40;
				L004015E4();
				_v44 = _t36;
				_t39 =  *((intOrPtr*)( *_v44 + 0x1e8))(_v44, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x330))( *_v60));
				asm("fclex");
				_v48 = _t39;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403650);
					_push(_v44);
					_push(_v48);
					L004015D8();
					_v64 = _t39;
				}
				L004015D2();
				asm("wait");
				_push(0x4313e4);
				L004015A8();
				return _t39;
			}

0x004312fb
0x0043130a
0x00431314
0x0043131c
0x0043131f
0x00431326
0x00431335
0x0043133e
0x0043134a
0x00431364
0x0043134c
0x0043134c
0x00431351
0x00431356
0x0043135b
0x0043135b
0x0043137f
0x00431383
0x00431388
0x00431393
0x00431399
0x0043139b
0x004313a2
0x004313be
0x004313a4
0x004313a4
0x004313a9
0x004313ae
0x004313b1
0x004313b4
0x004313b9
0x004313b9
0x004313c5
0x004313ca
0x004313cb
0x004313de
0x004313e3

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431314
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 0043133E
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00431356
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431383
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001E8), ref: 004313B4
__vbaFreeObj.MSVBVM60 ref: 004313C5
__vbaFreeStr.MSVBVM60(004313E4), ref: 004313DE

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: 5e4b2d343b2e187b8018d34a1495ec094ee325394c9293284d413c61e8eb416f
Instruction ID: b0d26a59da532999e9c9686fe4715375306483a32c5b2ed53d052a6617c7dd31
Opcode Fuzzy Hash: 5e4b2d343b2e187b8018d34a1495ec094ee325394c9293284d413c61e8eb416f
Instruction Fuzzy Hash: 5921F674900208AFDB04EFA6C985BDDBBB4AB08715F10906AF402BB2A0CB799945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0042FE15, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042FE15(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x30);
				L00401470();
				_v12 = _t46;
				_v8 = 0x4012a0;
				L004015A2();
				if( *0x433010 != 0) {
					_v64 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v64 = 0x433010;
				}
				_t29 =  &_v48;
				L004015E4();
				_v52 = _t29;
				_t32 =  *((intOrPtr*)( *_v52 + 0x1e8))(_v52, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x380))( *_v64));
				asm("fclex");
				_v56 = _t32;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403650);
					_push(_v52);
					_push(_v56);
					L004015D8();
					_v68 = _t32;
				}
				L004015D2();
				_push(0x42feed);
				L004015C6();
				return _t32;
			}

0x0042fe1a
0x0042fe25
0x0042fe26
0x0042fe2d
0x0042fe30
0x0042fe38
0x0042fe3b
0x0042fe48
0x0042fe54
0x0042fe6e
0x0042fe56
0x0042fe56
0x0042fe5b
0x0042fe60
0x0042fe65
0x0042fe65
0x0042fe89
0x0042fe8d
0x0042fe92
0x0042fe9d
0x0042fea3
0x0042fea5
0x0042feac
0x0042fec8
0x0042feae
0x0042feae
0x0042feb3
0x0042feb8
0x0042febb
0x0042febe
0x0042fec3
0x0042fec3
0x0042fecf
0x0042fed4
0x0042fee7
0x0042feec

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042FE30
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042FE48
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042FE60
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0042FE8D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001E8), ref: 0042FEBE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0042FECF
__vbaFreeVar.MSVBVM60(0042FEED,?,?,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0042FEE7

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 3efc3abe07796a2ef22682b6fabd3dc0b028ee0b46d0cc0ecf2067bc6feddbca
Instruction ID: 8d43d9b04f771463f02202e0f429e1c582a16e10ca93fd5f3dfa602626c1ced5
Opcode Fuzzy Hash: 3efc3abe07796a2ef22682b6fabd3dc0b028ee0b46d0cc0ecf2067bc6feddbca
Instruction Fuzzy Hash: DB21E574910218BFCB15DF95D945B9DB7B9BB08705F90443AF012BA2B1DB785A04DB18

Uniqueness

Uniqueness Score: -1.00%

Function 0042F19C, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042F19C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x20);
				L00401470();
				_v12 = _t46;
				_v8 = 0x4011f8;
				L004015BA();
				if( *0x433010 != 0) {
					_v48 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v48 = 0x433010;
				}
				_t29 =  &_v32;
				L004015E4();
				_v36 = _t29;
				_t32 =  *((intOrPtr*)( *_v36 + 0x1f8))(_v36, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x334))( *_v48));
				asm("fclex");
				_v40 = _t32;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1f8);
					_push(0x403650);
					_push(_v36);
					_push(_v40);
					L004015D8();
					_v52 = _t32;
				}
				L004015D2();
				_push(0x42f274);
				L004015A8();
				return _t32;
			}

0x0042f1a1
0x0042f1ac
0x0042f1ad
0x0042f1b4
0x0042f1b7
0x0042f1bf
0x0042f1c2
0x0042f1cf
0x0042f1db
0x0042f1f5
0x0042f1dd
0x0042f1dd
0x0042f1e2
0x0042f1e7
0x0042f1ec
0x0042f1ec
0x0042f210
0x0042f214
0x0042f219
0x0042f224
0x0042f22a
0x0042f22c
0x0042f233
0x0042f24f
0x0042f235
0x0042f235
0x0042f23a
0x0042f23f
0x0042f242
0x0042f245
0x0042f24a
0x0042f24a
0x0042f256
0x0042f25b
0x0042f26e
0x0042f273

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F1B7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 0042F1CF
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0042F1E7
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401476), ref: 0042F214
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001F8,?,?,?,?,?,?,?,?,00401476), ref: 0042F245
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401476), ref: 0042F256
__vbaFreeStr.MSVBVM60(0042F274,?,?,?,?,?,?,?,?,00401476), ref: 0042F26E

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: be996fe698a601b51e0677fd94a90ce870dff52715f8fc0f885bbc73fc730702
Instruction ID: 374a8c9c90fa991e2ccb56fdacd1b84123ef0160a090d5c1aa0d14635963df2e
Opcode Fuzzy Hash: be996fe698a601b51e0677fd94a90ce870dff52715f8fc0f885bbc73fc730702
Instruction Fuzzy Hash: 91212874D40219EFCB14DF95C945BEDB7B8BB49705FA0417AE012BB2A0CB7D6A04DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0042F88B, Relevance: 10.6, APIs: 7, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042F88B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v40;
				char _v56;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				char _v104;
				signed int _v108;
				short _v112;
				signed int _v120;
				signed int _t27;
				short _t29;
				short _t32;
				intOrPtr _t41;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(0x64);
				L00401470();
				_v12 = _t41;
				_v8 = 0x401248;
				_v80 = 0x403a40;
				_v88 = 8;
				L004015A2();
				_push( &_v56);
				_t27 =  &_v40;
				_push(_t27);
				L0040156C();
				_v108 = _t27;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(_v108);
					L00401566();
					_v120 = _t27;
				}
				_v96 = 2;
				_v104 = 0x8002;
				_push( &_v56);
				_t29 =  &_v104;
				_push(_t29);
				L00401572();
				_v112 = _t29;
				_push( &_v56);
				_push( &_v40);
				_push(2);
				L004015AE();
				_t32 = _v112;
				if(_t32 != 0) {
					_push(0x8e);
					L00401560();
					_v24 = _t32;
				}
				_push(0x42f95d);
				return _t32;
			}

0x0042f890
0x0042f89b
0x0042f89c
0x0042f8a3
0x0042f8a6
0x0042f8ae
0x0042f8b1
0x0042f8b8
0x0042f8bf
0x0042f8cc
0x0042f8d4
0x0042f8d5
0x0042f8d8
0x0042f8d9
0x0042f8de
0x0042f8e5
0x0042f8f4
0x0042f8e7
0x0042f8e7
0x0042f8ea
0x0042f8ef
0x0042f8ef
0x0042f8f8
0x0042f8ff
0x0042f909
0x0042f90a
0x0042f90d
0x0042f90e
0x0042f913
0x0042f91a
0x0042f91e
0x0042f91f
0x0042f921
0x0042f929
0x0042f92f
0x0042f931
0x0042f936
0x0042f93b
0x0042f93b
0x0042f93e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042F8A6
__vbaVarDup.MSVBVM60 ref: 0042F8CC
#564.MSVBVM60(?,?), ref: 0042F8D9
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0042F8EA
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?), ref: 0042F90E
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?), ref: 0042F921
#570.MSVBVM60(0000008E), ref: 0042F936

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#564#570CheckChkstkFreeHresultList
String ID:
API String ID: 4191202046-0
Opcode ID: 1d184a0e140af37c38ff26c2f7a46aa00720190c7b5480159438bfb304ab83b5
Instruction ID: bc499c70597cf0c877c9f78ed9c6a319fe9af04deac42f519a788796303268ff
Opcode Fuzzy Hash: 1d184a0e140af37c38ff26c2f7a46aa00720190c7b5480159438bfb304ab83b5
Instruction Fuzzy Hash: 8711EDB1D01308BADB00EBE1C946BDEBBBCEB04B44F60453BA106BB191E7785A49CB55

Uniqueness

Uniqueness Score: -1.00%

Function 004307C5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004307C5(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				signed int _v40;
				short _v44;
				signed int _v56;
				signed int _t30;
				short _t34;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401470();
				_v16 = _t42;
				_v12 = 0x4012f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401476, _t39);
				_t30 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v36);
				asm("fclex");
				_v40 = _t30;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x4031dc);
					_push(_a4);
					_push(_v40);
					L004015D8();
					_v56 = _t30;
				}
				_push(_v36);
				_push(0);
				L0040152A();
				asm("sbb eax, eax");
				_v44 =  ~( ~_t30 + 1);
				L004015A8();
				_t34 = _v44;
				if(_t34 != 0) {
					_push(L"Ombuddets6");
					L00401524();
				}
				asm("wait");
				_push(0x430881);
				return _t34;
			}

0x004307c8
0x004307d7
0x004307e1
0x004307e9
0x004307ec
0x004307f3
0x00430802
0x00430811
0x00430817
0x00430819
0x00430820
0x0043083c
0x00430822
0x00430822
0x00430827
0x0043082c
0x0043082f
0x00430832
0x00430837
0x00430837
0x00430840
0x00430843
0x00430845
0x0043084c
0x00430851
0x00430858
0x0043085d
0x00430863
0x00430865
0x0043086a
0x0043086a
0x0043086f
0x00430870
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004307E1
__vbaHresultCheckObj.MSVBVM60(00000000,004012F0,004031DC,000000A8), ref: 00430832
__vbaStrCmp.MSVBVM60(00000000,?), ref: 00430845
__vbaFreeStr.MSVBVM60(00000000,?), ref: 00430858
#532.MSVBVM60(Ombuddets6,00000000,?), ref: 0043086A

Strings

Ombuddets6, xrefs: 00430865

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#532CheckChkstkFreeHresult
String ID: Ombuddets6
API String ID: 282215524-1727458866
Opcode ID: b26436f45e650078669779d058707d01719a8b38bf2ad074946821b11698d28e
Instruction ID: bf46c1b1481cc634813634ba900020d983291eda4979877dfbed16c61fc575f2
Opcode Fuzzy Hash: b26436f45e650078669779d058707d01719a8b38bf2ad074946821b11698d28e
Instruction Fuzzy Hash: 30112831A41208BFCF00EFA5C945FDDBBB8AF09B45F10506AF405BA1A1D7789A448BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00431ABB, Relevance: 10.5, APIs: 7, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00431ABB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _t18;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t31 = _t30 - 0xc;
				 *[fs:0x0] = _t31;
				L00401470();
				_v16 = _t31;
				_v12 = 0x4013e8;
				_v8 = 0;
				_t18 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401476, _t28);
				L004015BA();
				L004015BA();
				_push(0x403be4);
				L00401506();
				if(_t18 != 0x61) {
					_push(0xf6);
					L00401500();
					_v32 = _t18;
				}
				_push(0x431b47);
				L004015A8();
				L004015A8();
				return _t18;
			}

0x00431abe
0x00431acd
0x00431ad7
0x00431adf
0x00431ae2
0x00431ae9
0x00431af8
0x00431b01
0x00431b0c
0x00431b11
0x00431b16
0x00431b1f
0x00431b21
0x00431b26
0x00431b2e
0x00431b2e
0x00431b31
0x00431b39
0x00431b41
0x00431b46

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431AD7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00431B01
__vbaStrCopy.MSVBVM60(?,?,?,?,00401476), ref: 00431B0C
#696.MSVBVM60(00403BE4,?,?,?,?,00401476), ref: 00431B16
#571.MSVBVM60(000000F6,00403BE4,?,?,?,?,00401476), ref: 00431B26
__vbaFreeStr.MSVBVM60(00431B47,00403BE4,?,?,?,?,00401476), ref: 00431B39
__vbaFreeStr.MSVBVM60(00431B47,00403BE4,?,?,?,?,00401476), ref: 00431B41

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$#571#696Chkstk
String ID:
API String ID: 3932495866-0
Opcode ID: 030d2f5b9722075b320097b9839be3734bb3251b833c5ccf2983892afcb48195
Instruction ID: dc0ef38bc579cdd114b99a2730afbe487a6110731c9272a05edee6af58b8de0b
Opcode Fuzzy Hash: 030d2f5b9722075b320097b9839be3734bb3251b833c5ccf2983892afcb48195
Instruction Fuzzy Hash: AB011E70940209BBCB00EF95CC86FAEBB74EB44745F50806AB4017B2F1D77CA945CB94

Uniqueness

Uniqueness Score: -1.00%

Function 00431EB3, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00431EB3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t36;
				signed int _t40;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401470();
				_v16 = _t53;
				_v12 = 0x401418;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401476, _t50);
				if( *0x433010 != 0) {
					_v68 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v68 = 0x433010;
				}
				_t36 =  &_v32;
				L004015E4();
				_v52 = _t36;
				_v40 = 1;
				_v48 = 2;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v52 + 0x200))(_v52, 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x330))( *_v68));
				asm("fclex");
				_v56 = _t40;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x403650);
					_push(_v52);
					_push(_v56);
					L004015D8();
					_v72 = _t40;
				}
				L004015D2();
				_push(0x431faa);
				return _t40;
			}

0x00431eb6
0x00431ec5
0x00431ecf
0x00431ed7
0x00431eda
0x00431ee1
0x00431ef0
0x00431efa
0x00431f14
0x00431efc
0x00431efc
0x00431f01
0x00431f06
0x00431f0b
0x00431f0b
0x00431f2f
0x00431f33
0x00431f38
0x00431f3b
0x00431f42
0x00431f4c
0x00431f56
0x00431f57
0x00431f58
0x00431f59
0x00431f62
0x00431f68
0x00431f6a
0x00431f71
0x00431f8d
0x00431f73
0x00431f73
0x00431f78
0x00431f7d
0x00431f80
0x00431f83
0x00431f88
0x00431f88
0x00431f94
0x00431f99
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431ECF
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00431F06
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431F33
__vbaChkstk.MSVBVM60(?,00000000), ref: 00431F4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000200), ref: 00431F83
__vbaFreeObj.MSVBVM60 ref: 00431F94

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 079d4137cba8a486231a04fc07b393b66438844bbc7643d68dcc50cbd27e2721
Instruction ID: 62ec35f52fc4d66ee1769d0bb90dc19bae40e5d0e092ca3d8ec75a3c177b252b
Opcode Fuzzy Hash: 079d4137cba8a486231a04fc07b393b66438844bbc7643d68dcc50cbd27e2721
Instruction Fuzzy Hash: 8621F874D00608EFCB10EF95C949F9DBBB5BF09705F20442AF411BB2A1C7B95A05DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004306CE, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004306CE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L00401470();
				_v12 = _t46;
				_v8 = 0x4012e0;
				if( *0x433010 != 0) {
					_v56 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v56 = 0x433010;
				}
				_t29 =  &_v24;
				L004015E4();
				_v44 = _t29;
				_v32 = 1;
				_v40 = 2;
				L00401470();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x200))(_v44, 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x340))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x403650);
					_push(_v44);
					_push(_v48);
					L004015D8();
					_v60 = _t33;
				}
				L004015D2();
				_push(0x4307b2);
				return _t33;
			}

0x004306d3
0x004306de
0x004306df
0x004306e6
0x004306e9
0x004306f1
0x004306f4
0x00430702
0x0043071c
0x00430704
0x00430704
0x00430709
0x0043070e
0x00430713
0x00430713
0x00430737
0x0043073b
0x00430740
0x00430743
0x0043074a
0x00430754
0x0043075e
0x0043075f
0x00430760
0x00430761
0x0043076a
0x00430770
0x00430772
0x00430779
0x00430795
0x0043077b
0x0043077b
0x00430780
0x00430785
0x00430788
0x0043078b
0x00430790
0x00430790
0x0043079c
0x004307a1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004306E9
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0043070E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0043073B
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401476), ref: 00430754
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000200,?,?,?,?,?,?,?,?,?,?,00401476), ref: 0043078B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401476), ref: 0043079C

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: a3fede729b0a92afc802ce93c6578d9e989c80763407e4fd5f6d6f12fcab1fdf
Instruction ID: b09e95a500489b3c19ec14886b53c7822ebce2917150bc0766ddbe9e2f55cc0b
Opcode Fuzzy Hash: a3fede729b0a92afc802ce93c6578d9e989c80763407e4fd5f6d6f12fcab1fdf
Instruction Fuzzy Hash: 5A213C74D01208AFDB10DF95C99ABDDBBB9EB09715F20542AF001BB2A1C7BD69409F68

Uniqueness

Uniqueness Score: -1.00%

Function 00430A8A, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00430A8A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401470();
				_v16 = _t47;
				_v12 = 0x401320;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401476, _t44);
				if( *0x433010 != 0) {
					_v52 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v52 = 0x433010;
				}
				_t33 =  &_v32;
				L004015E4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x364))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x403650);
					_push(_v36);
					_push(_v40);
					L004015D8();
					_v56 = _t36;
				}
				L004015D2();
				asm("wait");
				_push(0x430b63);
				return _t36;
			}

0x00430a8d
0x00430a9c
0x00430aa6
0x00430aae
0x00430ab1
0x00430ab8
0x00430ac7
0x00430ad1
0x00430aeb
0x00430ad3
0x00430ad3
0x00430ad8
0x00430add
0x00430ae2
0x00430ae2
0x00430b06
0x00430b0a
0x00430b0f
0x00430b1a
0x00430b20
0x00430b22
0x00430b29
0x00430b45
0x00430b2b
0x00430b2b
0x00430b30
0x00430b35
0x00430b38
0x00430b3b
0x00430b40
0x00430b40
0x00430b4c
0x00430b51
0x00430b52
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00430AA6
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00430ADD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430B0A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,0000020C), ref: 00430B3B
__vbaFreeObj.MSVBVM60 ref: 00430B4C

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 40a295b3f0b864c694b19753cddaea4b0338617e110f98ca7564fa2c2090bd68
Instruction ID: 8ef2121aa35e3a9c87c89fb4e2dfa46e7200a68caa7c7b21642f78ea3e0b6889
Opcode Fuzzy Hash: 40a295b3f0b864c694b19753cddaea4b0338617e110f98ca7564fa2c2090bd68
Instruction Fuzzy Hash: F221E774901208AFCB10EF95D999F9DBBB5BB08705F20556AF002BB2A1C77D5A04DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004308A8, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004308A8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401470();
				_v16 = _t47;
				_v12 = 0x401300;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401476, _t44);
				if( *0x433010 != 0) {
					_v52 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v52 = 0x433010;
				}
				_t33 =  &_v32;
				L004015E4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x370))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x403608);
					_push(_v36);
					_push(_v40);
					L004015D8();
					_v56 = _t36;
				}
				L004015D2();
				asm("wait");
				_push(0x430981);
				return _t36;
			}

0x004308ab
0x004308ba
0x004308c4
0x004308cc
0x004308cf
0x004308d6
0x004308e5
0x004308ef
0x00430909
0x004308f1
0x004308f1
0x004308f6
0x004308fb
0x00430900
0x00430900
0x00430924
0x00430928
0x0043092d
0x00430938
0x0043093e
0x00430940
0x00430947
0x00430963
0x00430949
0x00430949
0x0043094e
0x00430953
0x00430956
0x00430959
0x0043095e
0x0043095e
0x0043096a
0x0043096f
0x00430970
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004308C4
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 004308FB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430928
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403608,0000020C), ref: 00430959
__vbaFreeObj.MSVBVM60 ref: 0043096A

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 25dac011a7c627c7b92112fffc0a795f3b482aa057b4d4582a8419a8236298b9
Instruction ID: 549ad917cc3e0c9a525b8cd688a115fa59315adba8ef69cfedd78e45f97be126
Opcode Fuzzy Hash: 25dac011a7c627c7b92112fffc0a795f3b482aa057b4d4582a8419a8236298b9
Instruction Fuzzy Hash: E92115B4901208EFDB10DF95C959F9DBBB9BF08705F20556AF002BB2A2C77D9A00DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432123, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00432123(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401470();
				_v16 = _t47;
				_v12 = 0x401438;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401476, _t44);
				if( *0x433010 != 0) {
					_v52 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v52 = 0x433010;
				}
				_t33 =  &_v32;
				L004015E4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x364))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x403650);
					_push(_v36);
					_push(_v40);
					L004015D8();
					_v56 = _t36;
				}
				L004015D2();
				_push(0x4321fb);
				return _t36;
			}

0x00432126
0x00432135
0x0043213f
0x00432147
0x0043214a
0x00432151
0x00432160
0x0043216a
0x00432184
0x0043216c
0x0043216c
0x00432171
0x00432176
0x0043217b
0x0043217b
0x0043219f
0x004321a3
0x004321a8
0x004321b3
0x004321b9
0x004321bb
0x004321c2
0x004321de
0x004321c4
0x004321c4
0x004321c9
0x004321ce
0x004321d1
0x004321d4
0x004321d9
0x004321d9
0x004321e5
0x004321ea
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0043213F
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 00432176
__vbaObjSet.MSVBVM60(?,00000000), ref: 004321A3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,0000020C), ref: 004321D4
__vbaFreeObj.MSVBVM60 ref: 004321E5

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 7561f806127395a15121be753c803d1a9b587de878244bdafae1bdbdd75688ba
Instruction ID: 1c51b5ee1549a6b636102b3ad3ab92bf471d3ba7d03be94377642f0bfc0179e1
Opcode Fuzzy Hash: 7561f806127395a15121be753c803d1a9b587de878244bdafae1bdbdd75688ba
Instruction Fuzzy Hash: 5A21E774900208BFCF10DF95CA49F9DBBB5BB08705F20556AF112BB2A1C7BD5A01DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043140B, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0043140B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x20);
				L00401470();
				_v12 = _t40;
				_v8 = 0x401390;
				if( *0x433010 != 0) {
					_v48 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v48 = 0x433010;
				}
				_t26 =  &_v32;
				L004015E4();
				_v36 = _t26;
				_t29 =  *((intOrPtr*)( *_v36 + 0x208))(_v36, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x34c))( *_v48));
				asm("fclex");
				_v40 = _t29;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x403650);
					_push(_v36);
					_push(_v40);
					L004015D8();
					_v52 = _t29;
				}
				L004015D2();
				asm("wait");
				_push(0x4314d1);
				return _t29;
			}

0x00431410
0x0043141b
0x0043141c
0x00431423
0x00431426
0x0043142e
0x00431431
0x0043143f
0x00431459
0x00431441
0x00431441
0x00431446
0x0043144b
0x00431450
0x00431450
0x00431474
0x00431478
0x0043147d
0x00431488
0x0043148e
0x00431490
0x00431497
0x004314b3
0x00431499
0x00431499
0x0043149e
0x004314a3
0x004314a6
0x004314a9
0x004314ae
0x004314ae
0x004314ba
0x004314bf
0x004314c0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431426
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 0043144B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401476), ref: 00431478
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,00000208,?,?,?,?,?,?,?,?,00401476), ref: 004314A9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401476), ref: 004314BA

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: f39ec6698318dede32cfc4bd120bbff5df6e7517bd186b62c545e24a22af2af7
Instruction ID: 854a81de16ee09d1926df939521acd883cc2170a25db0713b7db71beab541d72
Opcode Fuzzy Hash: f39ec6698318dede32cfc4bd120bbff5df6e7517bd186b62c545e24a22af2af7
Instruction Fuzzy Hash: 6F110674D00208AFCB14DFA6C949FADBBB8FB1C705F10956AE012BB2A1C77D59009B69

Uniqueness

Uniqueness Score: -1.00%

Function 004309A8, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004309A8(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x1c);
				L00401470();
				_v12 = _t40;
				_v8 = 0x401310;
				if( *0x433010 != 0) {
					_v44 = 0x433010;
				} else {
					_push(0x433010);
					_push(0x403e5c);
					L004015DE();
					_v44 = 0x433010;
				}
				_t26 =  &_v28;
				L004015E4();
				_v32 = _t26;
				_t29 =  *((intOrPtr*)( *_v32 + 0x1e8))(_v32, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x330))( *_v44));
				asm("fclex");
				_v36 = _t29;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x403650);
					_push(_v32);
					_push(_v36);
					L004015D8();
					_v48 = _t29;
				}
				L004015D2();
				_push(0x430a6d);
				return _t29;
			}

0x004309ad
0x004309b8
0x004309b9
0x004309c0
0x004309c3
0x004309cb
0x004309ce
0x004309dc
0x004309f6
0x004309de
0x004309de
0x004309e3
0x004309e8
0x004309ed
0x004309ed
0x00430a11
0x00430a15
0x00430a1a
0x00430a25
0x00430a2b
0x00430a2d
0x00430a34
0x00430a50
0x00430a36
0x00430a36
0x00430a3b
0x00430a40
0x00430a43
0x00430a46
0x00430a4b
0x00430a4b
0x00430a57
0x00430a5c
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 004309C3
__vbaNew2.MSVBVM60(00403E5C,00433010,?,?,?,?,00401476), ref: 004309E8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401476), ref: 00430A15
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403650,000001E8,?,?,?,?,?,?,?,00401476), ref: 00430A46
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401476), ref: 00430A57

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: e01c785c0cad81690c872973ae6e992855d94bdc50b649c5e33039305ebfdf31
Instruction ID: ff34bcd36858703684b82825e7086b265f237cd4bcc0e38f6605a6aa1c7f4bbb
Opcode Fuzzy Hash: e01c785c0cad81690c872973ae6e992855d94bdc50b649c5e33039305ebfdf31
Instruction Fuzzy Hash: 21114770D40208AFDB14EF96C856BEEBBB8BB0C705F10552AE112BB2A0C77C5941DF68

Uniqueness

Uniqueness Score: -1.00%

Function 00431227, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00431227(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				intOrPtr _v60;
				char _v68;
				signed int _v72;
				signed int _v80;
				signed int _t25;
				signed int _t26;
				intOrPtr _t36;

				_push(0x401476);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_push(0x3c);
				L00401470();
				_v12 = _t36;
				_v8 = 0x401370;
				_push(1);
				_push( &_v36);
				L00401512();
				_v60 = 0x403bec;
				_v68 = 0x8008;
				_push( &_v36);
				_t25 =  &_v68;
				_push(_t25);
				L00401572();
				_v72 = _t25;
				L004015C6();
				_t26 = _v72;
				if(_t26 != 0) {
					_t26 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0x2047);
					asm("fclex");
					_v72 = _t26;
					if(_v72 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x15c);
						_push(0x4031dc);
						_push(_a4);
						_push(_v72);
						L004015D8();
						_v80 = _t26;
					}
				}
				_push(0x4312e5);
				return _t26;
			}

0x0043122c
0x00431237
0x00431238
0x0043123f
0x00431242
0x0043124a
0x0043124d
0x00431254
0x00431259
0x0043125a
0x0043125f
0x00431266
0x00431270
0x00431271
0x00431274
0x00431275
0x0043127a
0x00431281
0x00431286
0x0043128c
0x0043129b
0x004312a1
0x004312a3
0x004312aa
0x004312c6
0x004312ac
0x004312ac
0x004312b1
0x004312b6
0x004312b9
0x004312bc
0x004312c1
0x004312c1
0x004312aa
0x004312ca
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 00431242
#526.MSVBVM60(?,00000001,?,?,?,?,00401476), ref: 0043125A
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00401476), ref: 00431275
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00401476), ref: 00431281
__vbaHresultCheckObj.MSVBVM60(?,?,004031DC,0000015C,?,?,?,?,?,?,?,?,00000001), ref: 004312BC

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#526CheckChkstkFreeHresult
String ID:
API String ID: 2443935952-0
Opcode ID: 1a1f9cf74fc808d4cb72b0f905d1c1cf5e0d7cc37bbb80d30f425d7ffbb804de
Instruction ID: 8565d9ba51bbebe726e360a39c16afe954ca752a2e9b2ae224f5564b9d26680f
Opcode Fuzzy Hash: 1a1f9cf74fc808d4cb72b0f905d1c1cf5e0d7cc37bbb80d30f425d7ffbb804de
Instruction Fuzzy Hash: D211F875900248EFDB10DF91CC46FDEBBB8BB09744F10446AF101BA2A1D778AA45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0042FD8F, Relevance: 6.0, APIs: 4, Instructions: 29
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E0042FD8F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v48;
				void* _t14;
				void* _t21;
				void* _t23;
				intOrPtr _t24;

				_t24 = _t23 - 0xc;
				 *[fs:0x0] = _t24;
				L00401470();
				_v16 = _t24;
				_v12 = 0x401290;
				_v8 = 0;
				_t14 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401476, _t21);
				L004015A2();
				L0040155A();
				asm("wait");
				_push(0x42fdee);
				L004015C6();
				return _t14;
			}

0x0042fd92
0x0042fda1
0x0042fdab
0x0042fdb3
0x0042fdb6
0x0042fdbd
0x0042fdcc
0x0042fdd5
0x0042fdda
0x0042fddf
0x0042fde0
0x0042fde8
0x0042fded

APIs

__vbaChkstk.MSVBVM60(?,00401476), ref: 0042FDAB
__vbaVarDup.MSVBVM60(?,?,?,?,00401476), ref: 0042FDD5
#554.MSVBVM60(?,?,?,?,00401476), ref: 0042FDDA
__vbaFreeVar.MSVBVM60(0042FDEE,?,?,?,?,00401476), ref: 0042FDE8

Memory Dump Source

Source File: 00000001.00000002.748827589.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.748810140.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.749005638.0000000000433000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.749022110.0000000000435000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#554ChkstkFree
String ID:
API String ID: 2175279628-0
Opcode ID: d4bd71820cdb67a4c7a1267925ad7236c4b23f961ed87e97aa9c2e66b4454548
Instruction ID: 662270a87da253f3a1c1316fb9803fde33255d7e822fdac04ad745b1e2ecffe7
Opcode Fuzzy Hash: d4bd71820cdb67a4c7a1267925ad7236c4b23f961ed87e97aa9c2e66b4454548
Instruction Fuzzy Hash: 6FF0F471941248BFCB00EF69D946FCD7BB8EF44748F50C46AF406AB1A1D77899448B98

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report USD18,620-00_swift-copy_mt103.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: USD18,620-00_swift-copy_mt103.exe PID: 6600 Parent PID: 5796

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: USD18,620-00_swift-copy_mt103.exe PID: 6600 Parent PID: 5796 USD18,620-00_swift-copy_mt103.exeCOMMON

Executed Functions

Function 004300C0, Relevance: 84.3, APIs: 39, Strings: 9, Instructions: 319COMMON

Function 00401608, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115COMMON

Function 004300C0, Relevance: 84.3, APIs: 39, Strings: 9, Instructions: 319
COMMON

Function 00401608, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 115
COMMON

Function 00432224, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 145
COMMON

Function 00430C80, Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Function 004318C3, Relevance: 21.1, APIs: 14, Instructions: 126
COMMON

Function 00431B66, Relevance: 19.6, APIs: 13, Instructions: 149
COMMON

Function 0042F769, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79
COMMON

Function 0042F3BA, Relevance: 18.1, APIs: 12, Instructions: 124
COMMON

Function 0042F596, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Function 00430B8A, Relevance: 16.6, APIs: 11, Instructions: 54
COMMON

Function 00431FD3, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
COMMON

Function 0043105F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Function 00430E9F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Function 0042F970, Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Function 004314EC, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Function 0043166C, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Function 0042F291, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Function 0042FC70, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
COMMON

Function 004305D2, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Function 0042FB11, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Function 004317A5, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Function 00431DA9, Relevance: 12.1, APIs: 8, Instructions: 73
COMMON

Function 004312F8, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Function 0042FE15, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 0042F19C, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 0042F88B, Relevance: 10.6, APIs: 7, Instructions: 58
COMMON