Play interactive tour

Edit tour

Analysis Report payment.exe

Overview

General Information

Sample Name:	payment.exe
Analysis ID:	357249
MD5:	0780e01f6ac683c0529fb1d40aaca8b4
SHA1:	d2c1ef0cab63992d4bea95fdf7838047997c46a7
SHA256:	0fc71d13ed4108b3afb81d9347063f9ef6ed9c3528a9c6e67a892c8a8db5fada
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected AgentTesla

Yara detected GuLoader

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Hides threads from debuggers

Initial sample is a PE file and has a suspicious name

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

payment.exe (PID: 6976 cmdline: 'C:\Users\user\Desktop\payment.exe' MD5: 0780E01F6AC683C0529FB1D40AACA8B4)

RegAsm.exe (PID: 4660 cmdline: 'C:\Users\user\Desktop\payment.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 4688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author
0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000F.00000002.592476347.0000000000564000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 4660	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 4660	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 4660	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: payment.exe	Virustotal: Detection: 56%			Perma Link
Source: payment.exe	ReversingLabs: Detection: 46%

Compliance:

Uses 32bit PE files

Show sources

Source: payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

Source: unknown

DNS traffic detected: queries for: onedrive.live.com

Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	String found in binary or memory: http://kBTuTq.com
Source: RegAsm.exe	String found in binary or memory: https://onedrive.live.com/download?cid=876616565B0E44B1&resid=876616565B0E44B1%213215&authkey=AC2zGE
Source: RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

System Summary:

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: payment.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: payment.exe

Source: C:\Users\user\Desktop\payment.exe

Process Stats: CPU usage > 98%

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056E697 NtProtectVirtualMemory,		15_2_0056E697
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056EC97 NtSetInformationThread,		15_2_0056EC97

Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411464	0_2_00411464
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410C71	0_2_00410C71
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411817	0_2_00411817
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411016	0_2_00411016
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_004114E6	0_2_004114E6
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410CF8	0_2_00410CF8
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041108A	0_2_0041108A
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_004110AC	0_2_004110AC
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041156A	0_2_0041156A
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0040411C	0_2_0040411C
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041191C	0_2_0041191C
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411133	0_2_00411133
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_004115F5	0_2_004115F5
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041199B	0_2_0041199B
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410E05	0_2_00410E05
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411237	0_2_00411237
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_004112D0	0_2_004112D0
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410E88	0_2_00410E88
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041134F	0_2_0041134F
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410B5E	0_2_00410B5E
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410F06	0_2_00410F06
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_0041170E	0_2_0041170E
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_004113D2	0_2_004113D2
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410BF4	0_2_00410BF4
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00410F8F	0_2_00410F8F
Source: C:\Users\user\Desktop\payment.exe	Code function: 0_2_00411796	0_2_00411796
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056D7F2	15_2_0056D7F2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_1CF247B2	15_2_1CF247B2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_1CF2D6D0	15_2_1CF2D6D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_1CF24827	15_2_1CF24827

Source: payment.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: payment.exe, 00000000.00000000.328356879.0000000000436000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameAncistrocladaceous5.exe vs payment.exe
Source: payment.exe	Binary or memory string: OriginalFilenameAncistrocladaceous5.exe vs payment.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: payment.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/0@2/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4688:120:WilError_01

Source: C:\Users\user\Desktop\payment.exe

File created: C:\Users\user\AppData\Local\Temp\~DFDAD0523DB1C225BD.TMP

Jump to behavior

Source: payment.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\payment.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\payment.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: payment.exe	Virustotal: Detection: 56%
Source: payment.exe	ReversingLabs: Detection: 46%

Source: unknown	Process created: C:\Users\user\Desktop\payment.exe 'C:\Users\user\Desktop\payment.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\payment.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\payment.exe

Window detected: Number of UI elements: 15

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 0000000F.00000002.592476347.0000000000564000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00567050 push edi; ret	15_2_00567057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056B050 push edi; ret	15_2_0056B057
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056705C push edi; ret	15_2_00567063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056B05C push edi; ret	15_2_0056B063
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00568058 push edi; ret	15_2_0056805F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00565058 push edi; ret	15_2_0056505F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00566058 push edi; ret	15_2_0056605F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056B044 push edi; ret	15_2_0056B04B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00566040 push edi; ret	15_2_00566047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A040 push edi; ret	15_2_0056A047
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056804C push edi; ret	15_2_00568053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056504C push edi; ret	15_2_00565053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056604C push edi; ret	15_2_00566053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A04C push edi; ret	15_2_0056A053
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00567049 push di; ret	15_2_0056704B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00567074 push edi; ret	15_2_0056707B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056B074 push edi; ret	15_2_0056B07B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00568070 push edi; ret	15_2_00568077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00565070 push edi; ret	15_2_00565077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00566070 push edi; ret	15_2_00566077
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056807C push edi; ret	15_2_00568083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056607C push edi; ret	15_2_00566083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056507C push edi; ret	15_2_00565083
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A078 push edi; ret	15_2_0056A07F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A066 push edi; ret	15_2_0056A067
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00568064 push edi; ret	15_2_0056806B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00565064 push edi; ret	15_2_0056506B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00566064 push edi; ret	15_2_0056606B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A06C push edi; ret	15_2_0056A073
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00567068 push edi; ret	15_2_0056706F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056A016 push edi; ret	15_2_0056A017

Source: initial sample

Static PE information: section name: .text entropy: 6.80293275288

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\payment.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004468FB second address: 00000000004468FB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4A85B8858h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 jmp 00007FF4A85B8896h 0x00000023 test dx, bx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FF4A85B87ADh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp al, bl 0x00000033 push ecx 0x00000034 test ebx, eax 0x00000036 test cx, ax 0x00000039 call 00007FF4A85B891Ah 0x0000003e call 00007FF4A85B8868h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004414CD second address: 0000000000441549 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b mov ah, D8h 0x0000000d cmp ah, FFFFFFD8h 0x00000010 jne 00007FF4A85BC575h 0x00000016 popad 0x00000017 jmp 00007FF4A85B8896h 0x00000019 test al, cl 0x0000001b mov esi, 1A100000h 0x00000020 sub esi, 00001000h 0x00000026 push 00000004h 0x00000028 push 00003000h 0x0000002d mov dword ptr [ebp+64h], esi 0x00000030 mov ebx, ebp 0x00000032 pushad 0x00000033 mov ecx, 000000B2h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 0000000000441CC9 second address: 0000000000441CDC instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push 0003E800h 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044215A second address: 000000000044215A instructions:
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004452BD second address: 00000000004452BD instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\payment.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\payment.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044C4E9 second address: 000000000044C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044C664 second address: 000000000044C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044C119 second address: 000000000044C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004468FB second address: 00000000004468FB instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FF4A85B8858h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 dec ecx 0x00000021 jmp 00007FF4A85B8896h 0x00000023 test dx, bx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FF4A85B87ADh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp al, bl 0x00000033 push ecx 0x00000034 test ebx, eax 0x00000036 test cx, ax 0x00000039 call 00007FF4A85B891Ah 0x0000003e call 00007FF4A85B8868h 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 0000000000446DCA second address: 0000000000446DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A8871918h 0x0000001d popad 0x0000001e call 00007FF4A886B655h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004414CD second address: 0000000000441549 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a pushad 0x0000000b mov ah, D8h 0x0000000d cmp ah, FFFFFFD8h 0x00000010 jne 00007FF4A85BC575h 0x00000016 popad 0x00000017 jmp 00007FF4A85B8896h 0x00000019 test al, cl 0x0000001b mov esi, 1A100000h 0x00000020 sub esi, 00001000h 0x00000026 push 00000004h 0x00000028 push 00003000h 0x0000002d mov dword ptr [ebp+64h], esi 0x00000030 mov ebx, ebp 0x00000032 pushad 0x00000033 mov ecx, 000000B2h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044F427 second address: 000000000044F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A886B98Dh 0x00000015 jmp 00007FF4A886B5A6h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A886B939h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A886B92Fh 0x0000002f jmp 00007FF4A886B5A6h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A886B5A6h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 0000000000441CC9 second address: 0000000000441CDC instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push 0003E800h 0x0000000f pushad 0x00000010 lfence 0x00000013 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044215A second address: 000000000044215A instructions:
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 00000000004452BD second address: 00000000004452BD instructions:
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 000000000044608B second address: 0000000000446102 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test bx, ax 0x0000000e cmp dword ptr [esp+08h], 0Ah 0x00000013 jg 00007FF4A886B5E2h 0x00000019 test ebx, edx 0x0000001b cmp ecx, 70DD50C1h 0x00000021 jmp 00007FF4A886E112h 0x00000026 call 00007FF4A88689FFh 0x0000002b pop eax 0x0000002c pushad 0x0000002d lfence 0x00000030 rdtsc
Source: C:\Users\user\Desktop\payment.exe	RDTSC instruction interceptor: First address: 0000000000446102 second address: 00000000004497C4 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push edi 0x0000000c cmp bh, FFFFFF83h 0x0000000f push eax 0x00000010 test ax, ax 0x00000013 call 00007FF4A85BBE67h 0x00000018 jmp 00007FF4A85B889Ah 0x0000001a test bh, bh 0x0000001c jmp 00007FF4A85B8896h 0x0000001e pushad 0x0000001f mov ecx, 00000026h 0x00000024 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056C4E9 second address: 000000000056C664 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007FF4A886B5AAh 0x00000005 test dl, al 0x00000007 jmp 00007FF4A886B5A6h 0x00000009 test bl, al 0x0000000b jmp 00007FF4A886B5AAh 0x0000000d cmp ecx, edx 0x0000000f jmp 00007FF4A886B5A6h 0x00000011 cmp cl, dl 0x00000013 jmp 00007FF4A886B5AAh 0x00000015 pushad 0x00000016 mov ebx, 00000057h 0x0000001b rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056C664 second address: 000000000056C119 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov eax, 00000539h 0x00000008 jmp 00007FF4A85B8896h 0x0000000a test ax, ax 0x0000000d mov ecx, dword ptr [ebp+1Ch] 0x00000010 jmp 00007FF4A85B8896h 0x00000012 cld 0x00000013 mov edx, 8802EDACh 0x00000018 call 00007FF4A85B6F2Eh 0x0000001d push esi 0x0000001e jmp 00007FF4A85B889Ah 0x00000020 test bl, bl 0x00000022 push edx 0x00000023 push ecx 0x00000024 jmp 00007FF4A85B889Ah 0x00000026 cmp dh, ah 0x00000028 cmp eax, 00000539h 0x0000002d jne 00007FF4A85B8A8Fh 0x00000033 jmp 00007FF4A85B8896h 0x00000035 test dh, 0000007Eh 0x00000038 push 6DDB9555h 0x0000003d call 00007FF4A85B98FFh 0x00000042 mov eax, dword ptr fs:[00000030h] 0x00000048 jmp 00007FF4A85B8896h 0x0000004a test bl, al 0x0000004c mov eax, dword ptr [eax+0Ch] 0x0000004f mov eax, dword ptr [eax+14h] 0x00000052 mov ecx, dword ptr [eax] 0x00000054 mov eax, ecx 0x00000056 jmp 00007FF4A85B889Ah 0x00000058 cmp ecx, edx 0x0000005a jmp 00007FF4A85B88F4h 0x0000005f jmp 00007FF4A85B8896h 0x00000061 pushad 0x00000062 mov ecx, 00000016h 0x00000067 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056C119 second address: 000000000056C304 instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 mov ebx, dword ptr [eax+28h] 0x00000006 jmp 00007FF4A886B5AAh 0x00000008 test dl, al 0x0000000a cmp ebx, 00000000h 0x0000000d je 00007FF4A886B610h 0x00000013 push ebx 0x00000014 call 00007FF4A886B6A3h 0x00000019 jmp 00007FF4A886B5A6h 0x0000001b pushad 0x0000001c mov ecx, 00000025h 0x00000021 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000566DCA second address: 0000000000566DCA instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FF4A85BEC08h 0x0000001d popad 0x0000001e call 00007FF4A85B8945h 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000561549 second address: 000000000056BD6F instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 add ebx, 64h 0x00000006 push ebx 0x00000007 jmp 00007FF4A886B5AAh 0x00000009 push si 0x0000000b mov si, 323Dh 0x0000000f pop si 0x00000011 push 00000000h 0x00000013 mov dword ptr [ebp+68h], 00000000h 0x0000001a add ebx, 04h 0x0000001d push ebx 0x0000001e cmp bx, ax 0x00000021 push FFFFFFFFh 0x00000023 test cl, bl 0x00000025 call 00007FF4A8875976h 0x0000002a jmp 00007FF4A8868408h 0x0000002f call 00007FF4A886E6BDh 0x00000034 pop ebx 0x00000035 cmp dword ptr [ebx], 00000000h 0x00000038 jne 00007FF4A886B819h 0x0000003e jmp 00007FF4A886B5A6h 0x00000040 cmp cl, dl 0x00000042 jmp 00007FF4A886B5AAh 0x00000044 test cx, cx 0x00000047 jmp 00007FF4A886B5A6h 0x00000049 pushad 0x0000004a mov ecx, 00000077h 0x0000004f rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 000000000056F427 second address: 000000000056F530 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp dword ptr [eax+10h], 00000000h 0x0000000f jne 00007FF4A85B8C7Dh 0x00000015 jmp 00007FF4A85B8896h 0x00000017 test ax, 0000F517h 0x0000001b cmp dword ptr [eax+14h], 00000000h 0x0000001f jne 00007FF4A85B8C29h 0x00000025 cmp dword ptr [eax+18h], 00000000h 0x00000029 jne 00007FF4A85B8C1Fh 0x0000002f jmp 00007FF4A85B8896h 0x00000031 cmp bx, dx 0x00000034 pop eax 0x00000035 jmp 00007FF4A85B8896h 0x00000037 pushad 0x00000038 mov eax, 00000020h 0x0000003d rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000565193 second address: 0000000000565193 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_0056EC97 rdtsc

15_2_0056EC97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 717			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 9102			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5560

Thread sleep time: -24903104499507879s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: RegAsm.exe, 0000000F.00000002.597861206.000000001FC20000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\payment.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\payment.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_0056EC97 rdtsc

15_2_0056EC97

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_005664EC mov eax, dword ptr fs:[00000030h]	15_2_005664EC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_00566534 mov eax, dword ptr fs:[00000030h]	15_2_00566534
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056DC0F mov eax, dword ptr fs:[00000030h]	15_2_0056DC0F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056AC3D mov eax, dword ptr fs:[00000030h]	15_2_0056AC3D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 15_2_0056BF85 mov eax, dword ptr fs:[00000030h]	15_2_0056BF85

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\payment.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 560000

Jump to behavior

Source: C:\Users\user\Desktop\payment.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\payment.exe'

Jump to behavior

Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp	Binary or memory string: &Program Manager
Source: RegAsm.exe, 0000000F.00000002.593288205.0000000000F10000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 15_2_00565184 cpuid

15_2_00565184

Source: C:\Users\user\Desktop\payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\payment.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY

Source: Yara match	File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 4660, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion34	OS Credential Dumping	Security Software Discovery631	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Disable or Modify Tools1	LSASS Memory	Virtualization/Sandbox Evasion34	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information2	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	DLL Side-Loading1	Cached Domain Credentials	System Information Discovery323	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
payment.exe	57%	Virustotal		Browse
payment.exe	46%	ReversingLabs	Win32.Backdoor.Remcos

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://kBTuTq.com	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
onedrive.live.com	unknown	unknown	false		high
c3ixha.bl.files.1drv.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://kBTuTq.com	RegAsm.exe, 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://onedrive.live.com/download?cid=876616565B0E44B1&resid=876616565B0E44B1%213215&authkey=AC2zGE	RegAsm.exe	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357249
Start date:	24.02.2021
Start time:	10:43:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 49s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	payment.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	24
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/0@2/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 22.5% (good quality ratio 21.9%) Quality average: 54.7% Quality standard deviation: 11.1%
HCA Information:	Successful, ratio: 69% Number of executed functions: 38 Number of non-executed functions: 37
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, WmiPrvSE.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 104.43.193.48, 92.122.145.220, 104.42.151.234, 51.11.168.160, 2.20.142.209, 2.20.142.210, 51.103.5.159, 92.122.213.247, 92.122.213.194, 52.155.217.156, 20.54.26.129, 13.107.42.13, 13.107.42.12, 184.30.24.56 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, odc-web-brs.onedrive.akadns.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, a1449.dscg2.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, arc.msn.com, vip1-par02p.wns.notify.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, l-0004.l-msedge.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, odwebpl.trafficmanager.net.l-0004.dc-msedge.net.l-0004.l-msedge.net, l-0003.l-msedge.net, audownload.windowsupdate.nsatc.net, odc-bl-files-brs.onedrive.akadns.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, odc-bl-files-geo.onedrive.akadns.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, odc-web-geo.onedrive.akadns.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, bl-files.ha.1drv.com.l-0003.dc-msedge.net.l-0003.l-msedge.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, ctldl.windowsupdate.com, e1723.g.akamaiedge.net, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus16.cloudapp.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:44:19	API Interceptor	1x Sleep call for process: payment.exe modified
10:46:00	API Interceptor	191x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.584972265863127
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	payment.exe
File size:	225280
MD5:	0780e01f6ac683c0529fb1d40aaca8b4
SHA1:	d2c1ef0cab63992d4bea95fdf7838047997c46a7
SHA256:	0fc71d13ed4108b3afb81d9347063f9ef6ed9c3528a9c6e67a892c8a8db5fada
SHA512:	d7c0ede50d907e9374d3dc6ccaf18dedb1984b0d54a8bd50ba9fac9405c9f4acb7994e182b7a9e49d7d9c95f1135015e1d5cb61d8838536cc7edbfa12724bd8d
SSDEEP:	1536:ai24BsvhHpVmqBu755CxBa/t3UWoF6Jp6GeSlm3WdtHV1BsjlwoEffyW053iYk:SxZTGb9F3UWoFWpNgZUfh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L...M..H.................0...@......0........@....@................

File Icon


Icon Hash:	0634b8d4c8c4c0ce

Static PE Info

General
Entrypoint:	0x401630
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x48A5FC4D [Fri Aug 15 21:59:41 2008 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c495ca9196b04f3a1871ecbfcbd50911

Entrypoint Preview

Instruction
push 00402BD8h
call 00007FF4A8EA6DC5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], dl
pop edx
out dx, eax
or eax, 4E4BFD93h
xchg eax, edx
or dh, ah
das
push ebx
clc
jnc 00007FF4A8EA6DD2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+72h], dl
outsd
push 00000065h
arpl word ptr [ecx+esi+00h], si
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
sub byte ptr [edx], ch
call far 42B0h : F9A52BC6h
mov edi, DA7EB6B7h
lds eax, fword ptr [edx+edi*2+3Fh]
dec edi
faddp st(6), st(0)
aaa
leave
cdq
inc esp
mov bh, byte ptr [ecx]
xor ebp, ebp
xchg dword ptr [eax], edi
adc byte ptr [eax+3Ah], bl
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov esp, B4000014h
push cs
add byte ptr [eax], al
add byte ptr [ebx], dl
add byte ptr [ecx+eax*2+54h], al
inc ecx
push esp
push edx
inc ecx
dec esi
push ebx
dec ebp
dec ecx
push ebx
push ebx
dec ecx
dec edi
dec esi
inc ebp
push edx
push ebx

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x33364	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x36000	0x1252	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x124	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x32870	0x33000	False	0.263604856005	data	6.80293275288	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x34000	0x1280	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x36000	0x1252	0x2000	False	0.168090820312	data	2.29185489566	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x369aa	0x8a8	data
RT_ICON	0x36442	0x568	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x36420	0x22	data
RT_VERSION	0x36120	0x300	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaLateMemSt, __vbaObjSet, __vbaCyAdd, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaCyI2, __vbaStrCmp, __vbaVarTstEq, __vbaObjVar, __vbaI2I4, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaI2Var, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaLateMemCall, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
LegalCopyright	Coldest
InternalName	Ancistrocladaceous5
FileVersion	1.00
CompanyName	SummerDream Company
LegalTrademarks	Coldest
Comments	SummerDream Company
ProductName	Project1
ProductVersion	1.00
OriginalFilename	Ancistrocladaceous5.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 10:44:10.911381006 CET	55074	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:10.960200071 CET	53	55074	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:11.780896902 CET	54513	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:11.834822893 CET	53	54513	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:12.757447004 CET	62044	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:12.806353092 CET	53	62044	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:13.411082983 CET	63791	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:13.477824926 CET	53	63791	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:13.569865942 CET	64267	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:13.618797064 CET	53	64267	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:14.516139984 CET	49448	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:14.568125010 CET	53	49448	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:15.470302105 CET	60342	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:15.522371054 CET	53	60342	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:16.690913916 CET	61346	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:16.740000963 CET	53	61346	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:18.376986980 CET	51774	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:18.428474903 CET	53	51774	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:19.211590052 CET	56023	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:19.264411926 CET	53	56023	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:20.427401066 CET	58384	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:20.480751991 CET	53	58384	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:23.716433048 CET	60261	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:23.768256903 CET	53	60261	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:25.128577948 CET	56061	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:25.177556038 CET	53	56061	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:29.631326914 CET	58336	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:29.683278084 CET	53	58336	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:31.132128954 CET	53781	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:31.183218002 CET	53	53781	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:32.073699951 CET	54064	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:32.127625942 CET	53	54064	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:32.960329056 CET	52811	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:33.009255886 CET	53	52811	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:37.799596071 CET	55299	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:37.851288080 CET	53	55299	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:38.644771099 CET	63745	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:38.693814993 CET	53	63745	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:44.368793964 CET	50055	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:44.420629025 CET	53	50055	8.8.8.8	192.168.2.6
Feb 24, 2021 10:44:49.696610928 CET	61374	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:44:49.748292923 CET	53	61374	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:05.888565063 CET	50339	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:05.954570055 CET	53	50339	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:07.742175102 CET	63307	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:07.792047024 CET	53	63307	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:22.955830097 CET	49694	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:23.017445087 CET	53	49694	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:29.490305901 CET	54982	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:29.541260958 CET	53	54982	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:30.131491899 CET	50010	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:30.181240082 CET	53	50010	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:30.849584103 CET	63718	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:30.950206041 CET	53	63718	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:31.368204117 CET	62116	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:31.433454990 CET	53	62116	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:31.986391068 CET	63816	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:32.055495024 CET	53	63816	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:32.674719095 CET	55014	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:32.732131958 CET	53	55014	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:33.386050940 CET	62208	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:33.443485022 CET	53	62208	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:34.287131071 CET	57574	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:34.347367048 CET	53	57574	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:35.530936956 CET	51818	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:35.588417053 CET	53	51818	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:36.095642090 CET	56628	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:36.156138897 CET	53	56628	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:36.366750956 CET	60778	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:36.416053057 CET	53	60778	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:49.429064035 CET	53799	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:49.478157043 CET	53	53799	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:50.202363014 CET	54683	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:50.230230093 CET	59329	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:45:50.281210899 CET	53	54683	8.8.8.8	192.168.2.6
Feb 24, 2021 10:45:50.289444923 CET	53	59329	8.8.8.8	192.168.2.6
Feb 24, 2021 10:46:11.232192039 CET	64021	53	192.168.2.6	8.8.8.8
Feb 24, 2021 10:46:11.283066988 CET	53	64021	8.8.8.8	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 10:45:49.429064035 CET	192.168.2.6	8.8.8.8	0xd2a9	Standard query (0)	onedrive.live.com	A (IP address)	IN (0x0001)
Feb 24, 2021 10:45:50.202363014 CET	192.168.2.6	8.8.8.8	0x8cbf	Standard query (0)	c3ixha.bl.files.1drv.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Type	Class
Feb 24, 2021 10:45:49.478157043 CET	8.8.8.8	192.168.2.6	0xd2a9	No error (0)	onedrive.live.com	odc-web-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 10:45:50.281210899 CET	8.8.8.8	192.168.2.6	0x8cbf	No error (0)	c3ixha.bl.files.1drv.com	bl-files.fe.1drv.com	CNAME (Canonical name)	IN (0x0001)
Feb 24, 2021 10:45:50.281210899 CET	8.8.8.8	192.168.2.6	0x8cbf	No error (0)	bl-files.fe.1drv.com	odc-bl-files-geo.onedrive.akadns.net	CNAME (Canonical name)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: payment.exe PID: 6976 Parent PID: 5912

General

Start time:	10:44:18
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\payment.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment.exe'
Imagebase:	0x400000
File size:	225280 bytes
MD5 hash:	0780E01F6AC683C0529FB1D40AACA8B4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 4660 Parent PID: 6976

General

Start time:	10:45:35
Start date:	24/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\payment.exe'
Imagebase:	0x10000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.597115330.000000001D081000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 0000000F.00000002.592476347.0000000000564000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4688 Parent PID: 4660

General

Start time:	10:45:36
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff61de10000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: payment.exe PID: 6976 Parent PID: 5912 payment.exeCOMMON

Executed Functions

Function 00410BF4, Relevance: 7.5, APIs: 1, Strings: 2, Instructions: 3027memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 344081a9e957f9bee5c444a38d0826f5b02eca8d80a9e3656bea2e06e6be5f3e
Instruction ID: fc249f55af19438dea1da7045ea8114553ff38e410982f795c4a9446aaaa7463
Opcode Fuzzy Hash: 344081a9e957f9bee5c444a38d0826f5b02eca8d80a9e3656bea2e06e6be5f3e
Instruction Fuzzy Hash: 97F24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410C71, Relevance: 7.5, APIs: 1, Strings: 2, Instructions: 3018memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 318cf2cba8b50a0f6180e2a6a309c837fae99a04c5883ad29734aa4248fd1229
Instruction ID: 91e04b9da519b0778f4d973dbb5c3002368fcecb652c0af800898c521d9eea43
Opcode Fuzzy Hash: 318cf2cba8b50a0f6180e2a6a309c837fae99a04c5883ad29734aa4248fd1229
Instruction Fuzzy Hash: 3DF24593E2F72598E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410B5E, Relevance: 7.5, APIs: 1, Strings: 2, Instructions: 2985memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: f739f6f01639704e167c661b8b4bd158a3ae10b0d5ef812b43330cac348874e9
Instruction ID: 90afb1502c11686d719c2fd0952e7d72f5f6588ad8f678889a243cffbb85a171
Opcode Fuzzy Hash: f739f6f01639704e167c661b8b4bd158a3ae10b0d5ef812b43330cac348874e9
Instruction Fuzzy Hash: 3DF24593E2F71998E7933030C1017D59680DF276C6F228F6B9825B19A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410CF8, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2939memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: b000239c428deddacbf7cdda7138e9bfaf367fcc61eb967e764028dec277edde
Instruction ID: 1abef2046404d8eedd89b14fd4c005b6f5f35b417650ea4bd47701fe42baee57
Opcode Fuzzy Hash: b000239c428deddacbf7cdda7138e9bfaf367fcc61eb967e764028dec277edde
Instruction Fuzzy Hash: 41F24593E2F72598E7933030C1017D59680DF276C6F228F6B9825B19A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 004110AC, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2937memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 025a782635192ebeb1211b26ccc61b16330a79d400dabe5f8ab5f33ba307ee99
Instruction ID: 974df687547c88a6f491db90318dc3627bdef15cf8237470cedd21c278686867
Opcode Fuzzy Hash: 025a782635192ebeb1211b26ccc61b16330a79d400dabe5f8ab5f33ba307ee99
Instruction Fuzzy Hash: AEF24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410E88, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2928memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 908535d991d3ce8f4eebae76e577d90dd26a654a2c9d365a57e8aac9fa866fe1
Instruction ID: b8d2c4f850850a33977c61d92603aa02298e725a368514e019c4dccf3ac35423
Opcode Fuzzy Hash: 908535d991d3ce8f4eebae76e577d90dd26a654a2c9d365a57e8aac9fa866fe1
Instruction Fuzzy Hash: EFF24593E2F71998E7933030C1017D59680DF276C6F228F6B9825B19A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410F06, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2922memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 343c120f32a15d716563639c59025396ac9981b9a450876970698a2ea1b6e662
Instruction ID: c15a554f23dbcb0233a1e2580bbfd642565a630e9421c390a76d633abc06374c
Opcode Fuzzy Hash: 343c120f32a15d716563639c59025396ac9981b9a450876970698a2ea1b6e662
Instruction Fuzzy Hash: F7F24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410F8F, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2910memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 2569b8aa103566811d2210200241a5092b36e41b163ffac69e0bb344369d2af1
Instruction ID: a7c2addc97e63e88ee446a6d2867a83a60978b1d3306158b6ab4087027b15313
Opcode Fuzzy Hash: 2569b8aa103566811d2210200241a5092b36e41b163ffac69e0bb344369d2af1
Instruction Fuzzy Hash: AAF24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00410E05, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2900memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: d6e96a1974a2788903e34aab4ceacfc0613bc67ab80f1624598b6c9cd321422d
Instruction ID: 13360ed7ae84c40827d3be59bd080eead0d84be0a04c2790e6e09ac281899483
Opcode Fuzzy Hash: d6e96a1974a2788903e34aab4ceacfc0613bc67ab80f1624598b6c9cd321422d
Instruction Fuzzy Hash: BBF24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411237, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2864memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: cedcd1f01d799a7a690c94f103b27dc6e3900c9aab625f402a37fcd46ef209d8
Instruction ID: 6ac5c76e663cea04e1b439e1eff2eac3c82c9bc5e2015db2b346c50ed7c4a7be
Opcode Fuzzy Hash: cedcd1f01d799a7a690c94f103b27dc6e3900c9aab625f402a37fcd46ef209d8
Instruction Fuzzy Hash: 0FF24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041156A, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2856memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 257f400a02cbdf980df65fa8e9ef417bf66b0d5ece9182a9b025a9def87657a6
Instruction ID: 7b2ff9133446ae033883b0c554762835b1db2edba0c7886f5920d4b0c25ae35d
Opcode Fuzzy Hash: 257f400a02cbdf980df65fa8e9ef417bf66b0d5ece9182a9b025a9def87657a6
Instruction Fuzzy Hash: F9E25593E2F72998E7937030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF28D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411016, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2853memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 76a5a3ef8becfc84a077a48e3782705f12e4ac3a79613b786192d43cd6737fdd
Instruction ID: 5fd43e1685d51dab0070fb8e997c64790a262e5d9eac5036e2fbf0a817b2e447
Opcode Fuzzy Hash: 76a5a3ef8becfc84a077a48e3782705f12e4ac3a79613b786192d43cd6737fdd
Instruction Fuzzy Hash: F4F24593E2F71998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 004115F5, Relevance: 7.4, APIs: 1, Strings: 2, Instructions: 2851memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 15788a6da49ff9867df0fff4f36db262330ab2d590c799e62496b02db6c3b767
Instruction ID: 17d2a645b754a6d3f5a4bbdcd9a7f4cecae91a3ae73bc11c475bdd1e88c1e77b
Opcode Fuzzy Hash: 15788a6da49ff9867df0fff4f36db262330ab2d590c799e62496b02db6c3b767
Instruction Fuzzy Hash: 2AE25593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF28D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041108A, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2846memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 72e57cc3b57caa52246623658c5c70a75feb6492b1c665ba1f0c59613428e944
Instruction ID: 3ec891002bf661d323f15c2c16d4447ed70fe822f3e1930a8a2fe5e7bc3a583d
Opcode Fuzzy Hash: 72e57cc3b57caa52246623658c5c70a75feb6492b1c665ba1f0c59613428e944
Instruction Fuzzy Hash: ABF24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411133, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2845memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: ed60877f4b7448e94d7313b7d9ffeaba2c5b47fa5f636aa0306aaac2ba80cfd7
Instruction ID: db7f47d58d33546f340a5101b118ef49288c4eaa7dde9ee75aff08170d936748
Opcode Fuzzy Hash: ed60877f4b7448e94d7313b7d9ffeaba2c5b47fa5f636aa0306aaac2ba80cfd7
Instruction Fuzzy Hash: 96F24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041134F, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2838memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: c094b0afec258ced6625313c88e7c9a89a18b4bda115ccb5a38f65333597f2e0
Instruction ID: 1713713dd0178941b5ac97d3c50cb0b377db84bb1f89def5cdb7dd56f73db28b
Opcode Fuzzy Hash: c094b0afec258ced6625313c88e7c9a89a18b4bda115ccb5a38f65333597f2e0
Instruction Fuzzy Hash: 55F25593E2F72998E7937030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF28D9

Uniqueness

Uniqueness Score: -1.00%

Function 004113D2, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2829memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 777b4e5a4b2bb6ec85913441b157197fcdc673c341c4ba1a484654a79fec5e46
Instruction ID: c17b782f454b7b0550ce3131950979241ecec9232a512c0ad3b95b5fb35c13ff
Opcode Fuzzy Hash: 777b4e5a4b2bb6ec85913441b157197fcdc673c341c4ba1a484654a79fec5e46
Instruction Fuzzy Hash: 77F25593E2F72998E7937030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF28D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041199B, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2829memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 8b024b30770a44c1b6f59f24e8e849a8b22b03d352846a5fc55b8ac236a5f974
Instruction ID: fdd258ec843d27f2c7d43fe18d0476eea36c6f41e982d8f5092b1ad52b9f1c05
Opcode Fuzzy Hash: 8b024b30770a44c1b6f59f24e8e849a8b22b03d352846a5fc55b8ac236a5f974
Instruction Fuzzy Hash: B6E246A3E2F71598E7933130C1017D59A80DF276C6F228F6B9825B15A13B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 004112D0, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2826COMMON

Download Yara Rule

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: +234$\
API String ID: 0-1434540490
Opcode ID: 71c2559999acc7ca6ef863a301dca511fce54a2315950f2661c7f921b57a0d61
Instruction ID: 46095710a7bcfb5b05cceded298307c1227fac9d61509d5ba8d4c042a5ee21a1
Opcode Fuzzy Hash: 71c2559999acc7ca6ef863a301dca511fce54a2315950f2661c7f921b57a0d61
Instruction Fuzzy Hash: 01F25593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041170E, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2819memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: fe40baec1b23085195f148b9c731d35ff25b0b9788971ca1769e37c4a5fd7a73
Instruction ID: 0fc53721e25099b6020ca31511fba3b0763f2330ea5f90697008e93f1d0fd958
Opcode Fuzzy Hash: fe40baec1b23085195f148b9c731d35ff25b0b9788971ca1769e37c4a5fd7a73
Instruction Fuzzy Hash: 3BE24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411464, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2816memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 53a34f06f768f1e0d20bf416ce609652094ceac1e085e5e0e90622097aff4c73
Instruction ID: ac811da4c31a14ade3070a1cf5807e9d8fab4d7a82d329ff1c335ae994de827a
Opcode Fuzzy Hash: 53a34f06f768f1e0d20bf416ce609652094ceac1e085e5e0e90622097aff4c73
Instruction Fuzzy Hash: EAE25593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 004114E6, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2810memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: 287327555e79dce779832173b35fd18332b2c0f5e6e6d6c57a8ae4f533f799a1
Instruction ID: e7c9359d5d29f6415173f85a14c11f6387ce1efe51f6768e4fb5bebef73fce2b
Opcode Fuzzy Hash: 287327555e79dce779832173b35fd18332b2c0f5e6e6d6c57a8ae4f533f799a1
Instruction Fuzzy Hash: 38E25593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411796, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2805memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: e977dd3488db0b2e85e8892f4389ecfbd9105451752cd7a1bec8944369774b1e
Instruction ID: 7e57687f7f5cffff31a2dcb9e2c0dd8924782e2965bc26baa83a718fb8743e18
Opcode Fuzzy Hash: e977dd3488db0b2e85e8892f4389ecfbd9105451752cd7a1bec8944369774b1e
Instruction Fuzzy Hash: 35E24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00411817, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2796memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: eb0d59cf8606b7d8c4294aa6b591dc521793a0d1a25c90c3567308b0c4f4c2d3
Instruction ID: 47a102cd4f1956b437e8ca7f7233ab21d3902229000a11dd252a2577eabea871
Opcode Fuzzy Hash: eb0d59cf8606b7d8c4294aa6b591dc521793a0d1a25c90c3567308b0c4f4c2d3
Instruction Fuzzy Hash: CAE24593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 0041191C, Relevance: 7.3, APIs: 1, Strings: 2, Instructions: 2777memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00014000,00001598,00000042), ref: 00411A8D

Strings

\, xrefs: 0041A51B
+234, xrefs: 0041A4C9

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: +234$\
API String ID: 4275171209-1434540490
Opcode ID: ec2618d6cbdb3cf51d46fbc910b0a903c782c78b7c94083da7a16f852273aacb
Instruction ID: 546f4365deb54196e08a624f1c1c01cc1637828a7de322982189c5736f59e7ad
Opcode Fuzzy Hash: ec2618d6cbdb3cf51d46fbc910b0a903c782c78b7c94083da7a16f852273aacb
Instruction Fuzzy Hash: EAE25593E2F72998E7933030C1017D59680DF276C6F228F6B9825B15A17B1F4ACF29D9

Uniqueness

Uniqueness Score: -1.00%

Function 00430DF0, Relevance: 84.3, APIs: 39, Strings: 9, Instructions: 319
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E00430DF0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				void* _v36;
				signed int _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				signed int _v92;
				char _v100;
				char* _v124;
				intOrPtr _v132;
				void* _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v180;
				intOrPtr _v184;
				signed int _v188;
				intOrPtr* _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				intOrPtr* _v208;
				signed int _v212;
				signed int _v216;
				signed int _t150;
				char* _t153;
				signed int _t158;
				signed int _t162;
				signed int _t170;
				signed int _t174;
				char* _t178;
				signed int _t179;
				signed int _t180;
				signed int _t186;
				signed int _t192;
				void* _t230;
				void* _t232;
				intOrPtr _t233;

				_t233 = _t232 - 0xc;
				 *[fs:0x0] = _t233;
				L00401480();
				_v16 = _t233;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t230);
				L004015CA();
				_v92 = L"VB.OptionButton";
				_v100 = 8;
				_v124 = L"Perversiteterne";
				_v132 = 8;
				_t150 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v52);
				asm("fclex");
				_v156 = _t150;
				if(_v156 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x40324c);
					_push(_a4);
					_push(_v156);
					L004015E8();
					_v188 = _t150;
				}
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(2);
				_push(L"Add");
				_push(_v52);
				_t153 =  &_v68;
				_push(_t153); // executed
				L0040154C(); // executed
				_push(_t153);
				L00401552();
				_push(_t153);
				_push( &_v32);
				L00401558();
				L004015E2();
				L004015D6();
				if( *0x434010 != 0) {
					_v192 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v192 = 0x434010;
				}
				_t158 =  &_v52;
				L004015F4();
				_v156 = _t158;
				_t162 =  *((intOrPtr*)( *_v156 + 0x218))(_v156,  &_v48, _t158,  *((intOrPtr*)( *((intOrPtr*)( *_v192)) + 0x330))( *_v192));
				asm("fclex");
				_v160 = _t162;
				if(_v160 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x4036c0);
					_push(_v156);
					_push(_v160);
					L004015E8();
					_v196 = _t162;
				}
				_v180 = _v48;
				_v48 = _v48 & 0x00000000;
				_v60 = _v180;
				_v68 = 8;
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Caption");
				_push(_v32);
				L00401546();
				L004015E2();
				L004015D6();
				_v92 = 0x3071;
				_v100 = 2;
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Left");
				_push(_v32);
				L00401546();
				if( *0x434010 != 0) {
					_v200 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v200 = 0x434010;
				}
				_t170 =  &_v52;
				L004015F4();
				_v156 = _t170;
				_t174 =  *((intOrPtr*)( *_v156 + 0x128))(_v156,  &_v152, _t170,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x35c))( *_v200));
				asm("fclex");
				_v160 = _t174;
				if(_v160 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x4036c0);
					_push(_v156);
					_push(_v160);
					L004015E8();
					_v204 = _t174;
				}
				_v92 = _v152;
				_v100 = 2;
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Top");
				_push(_v32);
				L00401546();
				L004015E2();
				_v92 = _v92 | 0xffffffff;
				_v100 = 0xb;
				_push(0x10);
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(L"Visible");
				_push(_v32);
				L00401546();
				_v92 = L"Organisationsformens";
				_v100 = 0x8008;
				_push(0);
				_push(L"Caption");
				_push(_v32);
				_t178 =  &_v68;
				_push(_t178);
				L0040154C();
				_push(_t178);
				_t179 =  &_v100;
				_push(_t179);
				L00401540();
				_v156 = _t179;
				L004015D6();
				_t180 = _v156;
				if(_t180 != 0) {
					if( *0x4343a0 != 0) {
						_v208 = 0x4343a0;
					} else {
						_push(0x4343a0);
						_push(0x403bf0);
						L004015EE();
						_v208 = 0x4343a0;
					}
					_v156 =  *_v208;
					_t186 =  *((intOrPtr*)( *_v156 + 0x1c))(_v156,  &_v52);
					asm("fclex");
					_v160 = _t186;
					if(_v160 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x403be0);
						_push(_v156);
						_push(_v160);
						L004015E8();
						_v212 = _t186;
					}
					_v164 = _v52;
					_v92 = 0x80020004;
					_v100 = 0xa;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t192 =  *((intOrPtr*)( *_v164 + 0x5c))(_v164, 0x10,  &_v48);
					asm("fclex");
					_v168 = _t192;
					if(_v168 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x403c00);
						_push(_v164);
						_push(_v168);
						L004015E8();
						_v216 = _t192;
					}
					_t180 = _v48;
					_v184 = _t180;
					_v48 = _v48 & 0x00000000;
					L004015D0();
					L004015E2();
				}
				asm("wait");
				_push(0x4312db);
				L004015B8();
				L004015E2();
				L004015B8();
				return _t180;
			}

0x00430df3
0x00430e02
0x00430e0e
0x00430e16
0x00430e19
0x00430e20
0x00430e2f
0x00430e38
0x00430e3d
0x00430e44
0x00430e4b
0x00430e52
0x00430e65
0x00430e6b
0x00430e6d
0x00430e7a
0x00430e9c
0x00430e7c
0x00430e7c
0x00430e81
0x00430e86
0x00430e89
0x00430e8f
0x00430e94
0x00430e94
0x00430ea3
0x00430ea6
0x00430eb0
0x00430eb1
0x00430eb2
0x00430eb3
0x00430eb4
0x00430eb7
0x00430ec1
0x00430ec2
0x00430ec3
0x00430ec4
0x00430ec5
0x00430ec7
0x00430ecc
0x00430ecf
0x00430ed2
0x00430ed3
0x00430edb
0x00430edc
0x00430ee1
0x00430ee5
0x00430ee6
0x00430eee
0x00430ef6
0x00430f02
0x00430f1f
0x00430f04
0x00430f04
0x00430f09
0x00430f0e
0x00430f13
0x00430f13
0x00430f43
0x00430f47
0x00430f4c
0x00430f64
0x00430f6a
0x00430f6c
0x00430f79
0x00430f9e
0x00430f7b
0x00430f7b
0x00430f80
0x00430f85
0x00430f8b
0x00430f91
0x00430f96
0x00430f96
0x00430fa8
0x00430fae
0x00430fb8
0x00430fbb
0x00430fc2
0x00430fc5
0x00430fcf
0x00430fd0
0x00430fd1
0x00430fd2
0x00430fd3
0x00430fd8
0x00430fdb
0x00430fe3
0x00430feb
0x00430ff0
0x00430ff7
0x00430ffe
0x00431001
0x0043100b
0x0043100c
0x0043100d
0x0043100e
0x0043100f
0x00431014
0x00431017
0x00431023
0x00431040
0x00431025
0x00431025
0x0043102a
0x0043102f
0x00431034
0x00431034
0x00431064
0x00431068
0x0043106d
0x00431088
0x0043108e
0x00431090
0x0043109d
0x004310c2
0x0043109f
0x0043109f
0x004310a4
0x004310a9
0x004310af
0x004310b5
0x004310ba
0x004310ba
0x004310d0
0x004310d4
0x004310db
0x004310de
0x004310e8
0x004310e9
0x004310ea
0x004310eb
0x004310ec
0x004310f1
0x004310f4
0x004310fc
0x00431101
0x00431105
0x0043110c
0x0043110f
0x00431119
0x0043111a
0x0043111b
0x0043111c
0x0043111d
0x00431122
0x00431125
0x0043112a
0x00431131
0x00431138
0x0043113a
0x0043113f
0x00431142
0x00431145
0x00431146
0x0043114e
0x0043114f
0x00431152
0x00431153
0x00431158
0x00431162
0x00431167
0x00431170
0x0043117d
0x0043119a
0x0043117f
0x0043117f
0x00431184
0x00431189
0x0043118e
0x0043118e
0x004311ac
0x004311c4
0x004311c7
0x004311c9
0x004311d6
0x004311f8
0x004311d8
0x004311d8
0x004311da
0x004311df
0x004311e5
0x004311eb
0x004311f0
0x004311f0
0x00431202
0x00431208
0x0043120f
0x0043121d
0x00431227
0x00431228
0x00431229
0x0043122a
0x00431239
0x0043123c
0x0043123e
0x0043124b
0x0043126d
0x0043124d
0x0043124d
0x0043124f
0x00431254
0x0043125a
0x00431260
0x00431265
0x00431265
0x00431274
0x00431277
0x0043127d
0x0043128a
0x00431292
0x00431292
0x00431297
0x00431298
0x004312c5
0x004312cd
0x004312d5
0x004312da

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00430E0E
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00430E38
__vbaHresultCheckObj.MSVBVM60(00000000,004012D0,0040324C,00000218), ref: 00430E8F
__vbaChkstk.MSVBVM60(00000000,004012D0,0040324C,00000218), ref: 00430EA6
__vbaChkstk.MSVBVM60(00000000,004012D0,0040324C,00000218), ref: 00430EB7
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00430ED3
__vbaObjVar.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430EDC
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430EE6
__vbaFreeObj.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430EEE
__vbaFreeVar.MSVBVM60(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430EF6
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000,00000000), ref: 00430F0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430F47
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000218), ref: 00430F91
__vbaChkstk.MSVBVM60(00000000,?,004036C0,00000218), ref: 00430FC5
__vbaLateMemSt.MSVBVM60(?,Caption), ref: 00430FDB
__vbaFreeObj.MSVBVM60(?,Caption), ref: 00430FE3
__vbaFreeVar.MSVBVM60(?,Caption), ref: 00430FEB
__vbaChkstk.MSVBVM60(?,Caption), ref: 00431001
__vbaLateMemSt.MSVBVM60(?,Left,?,Caption), ref: 00431017
__vbaNew2.MSVBVM60(00403EE4,00434010,?,Left,?,Caption), ref: 0043102F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431068
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000128), ref: 004310B5
__vbaChkstk.MSVBVM60(00000000,?,004036C0,00000128), ref: 004310DE
__vbaLateMemSt.MSVBVM60(?,Top), ref: 004310F4
__vbaFreeObj.MSVBVM60(?,Top), ref: 004310FC
__vbaChkstk.MSVBVM60(?,Top), ref: 0043110F
__vbaLateMemSt.MSVBVM60(?,Visible,?,Top), ref: 00431125
__vbaLateMemCallLd.MSVBVM60(00000008,?,Caption,00000000,?,Visible,?,Top), ref: 00431146
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,00000000), ref: 00431153
__vbaFreeVar.MSVBVM60(?,00000000,?,?,00000000), ref: 00431162
__vbaNew2.MSVBVM60(00403BF0,004343A0,?,00000000,?,?,00000000), ref: 00431189
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403BE0,0000001C), ref: 004311EB
__vbaChkstk.MSVBVM60(00000000), ref: 0043121D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C00,0000005C), ref: 00431260
__vbaStrMove.MSVBVM60(00000000,?,00403C00,0000005C), ref: 0043128A
__vbaFreeObj.MSVBVM60(00000000,?,00403C00,0000005C), ref: 00431292
__vbaFreeStr.MSVBVM60(004312DB,?,00000000,?,?,00000000), ref: 004312C5
__vbaFreeObj.MSVBVM60(004312DB,?,00000000,?,?,00000000), ref: 004312CD
__vbaFreeStr.MSVBVM60(004312DB,?,00000000,?,?,00000000), ref: 004312D5

Strings

VB.OptionButton, xrefs: 00430E3D
Perversiteterne, xrefs: 00430E4B
Left, xrefs: 0043100F
Top, xrefs: 004310EC
q0, xrefs: 00430FF0
Organisationsformens, xrefs: 0043112A
Add, xrefs: 00430EC7
Caption, xrefs: 00430FD3, 0043113A
Visible, xrefs: 0043111D

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$Late$CheckHresult$New2$Call$AddrefCopyMove
String ID: Add$Caption$Left$Organisationsformens$Perversiteterne$Top$VB.OptionButton$Visible$q0
API String ID: 1415330174-305080560
Opcode ID: 640fa2ef48b92ab662b01ad18650f52e63ddf681a2ee4f3495fccfb9aebdd07e
Instruction ID: 69edba65053cf36156d8910cf27e12e063a7ecc50ee0fa2613e574503f4d5a35
Opcode Fuzzy Hash: 640fa2ef48b92ab662b01ad18650f52e63ddf681a2ee4f3495fccfb9aebdd07e
Instruction Fuzzy Hash: FCD1E970910218EFDB10EFA5CC45BDDBBB5BF49308F1041AAE509BB2A1CB795A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00401630, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401635

Strings

VB5!6&*, xrefs: 00401630

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 087333300047761418bc170d762fd9b47bb1a3253fdd08c489bbc9a847fbbce5
Instruction ID: e0855f9add1c6886369c85d7745f1a857e9e27a2c99b4dd06e9d2a5c32e718d8
Opcode Fuzzy Hash: 087333300047761418bc170d762fd9b47bb1a3253fdd08c489bbc9a847fbbce5
Instruction Fuzzy Hash: 8C5184A140E7C01FD31397B48E296913FB0AE63219B1E42EBC481DF1F3D669490AC366

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040411C, Relevance: 3.8, Strings: 1, Instructions: 2502COMMON

Download Yara Rule

Strings

N@, xrefs: 0040433C

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 72b69ceb007071ba52511800517251bc8e435b349b764726effe55f0e2136a62
Instruction ID: 637f425949fb04da7917f27c8d85a3f65268bd6c6ef371a6948183f791778b8e
Opcode Fuzzy Hash: 72b69ceb007071ba52511800517251bc8e435b349b764726effe55f0e2136a62
Instruction Fuzzy Hash: D28266555CE3D21FC3238BA09C756907FB0AE4316931E15DBC1E2CA4A7C28D999BC723

Uniqueness

Uniqueness Score: -1.00%

Function 00432F54, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00432F54(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a20, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				void* _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				char* _t63;
				char* _t67;
				signed int _t71;
				char* _t73;
				signed int _t76;
				char* _t79;
				intOrPtr _t107;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t107;
				_push(0x70);
				L00401480();
				_v12 = _t107;
				_v8 = 0x401458;
				L004015CA();
				L004015B2();
				L004015CA();
				if( *0x434010 != 0) {
					_v120 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v120 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x36c))( *_v120));
				_t63 =  &_v64;
				_push(_t63);
				L004015F4();
				_v108 = _t63;
				_v88 = 0x80020004;
				_v96 = 0xa;
				if( *0x434010 != 0) {
					_v124 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v124 = 0x434010;
				}
				_t67 =  &_v56;
				L004015F4();
				_v100 = _t67;
				_t71 =  *((intOrPtr*)( *_v100 + 0x180))(_v100,  &_v60, _t67,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x368))( *_v124));
				asm("fclex");
				_v104 = _t71;
				if(_v104 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x180);
					_push(0x403678);
					_push(_v100);
					_push(_v104);
					L004015E8();
					_v128 = _t71;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t73 =  &_v80;
				L004015AC();
				L0040159A();
				L004015D0();
				_t76 =  *((intOrPtr*)( *_v108 + 0x1ec))(_v108, _t73, _t73, _t73, _v60, 0, 0, 0x10);
				asm("fclex");
				_v112 = _t76;
				if(_v112 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v108);
					_push(_v112);
					L004015E8();
					_v132 = _t76;
				}
				L004015B8();
				_push( &_v64);
				_push( &_v60);
				_t79 =  &_v56;
				_push(_t79);
				_push(3);
				L004015DC();
				L004015D6();
				_push(0x433154);
				L004015D6();
				L004015B8();
				L004015B8();
				return _t79;
			}

0x00432f59
0x00432f64
0x00432f65
0x00432f6c
0x00432f6f
0x00432f77
0x00432f7a
0x00432f87
0x00432f92
0x00432f9d
0x00432fa9
0x00432fc3
0x00432fab
0x00432fab
0x00432fb0
0x00432fb5
0x00432fba
0x00432fba
0x00432fdd
0x00432fde
0x00432fe1
0x00432fe2
0x00432fe7
0x00432fea
0x00432ff1
0x00432fff
0x00433019
0x00433001
0x00433001
0x00433006
0x0043300b
0x00433010
0x00433010
0x00433034
0x00433038
0x0043303d
0x0043304c
0x00433052
0x00433054
0x0043305b
0x00433077
0x0043305d
0x0043305d
0x00433062
0x00433067
0x0043306a
0x0043306d
0x00433072
0x00433072
0x0043307e
0x00433088
0x00433089
0x0043308a
0x0043308b
0x00433093
0x00433097
0x004330a0
0x004330aa
0x004330b8
0x004330be
0x004330c0
0x004330c7
0x004330e3
0x004330c9
0x004330c9
0x004330ce
0x004330d3
0x004330d6
0x004330d9
0x004330de
0x004330de
0x004330ea
0x004330f2
0x004330f6
0x004330f7
0x004330fa
0x004330fb
0x004330fd
0x00433108
0x0043310d
0x0043313e
0x00433146
0x0043314e
0x00433153

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432F6F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00432F87
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432F92
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00432F9D
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432FB5
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432FE2
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 0043300B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00433038
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,00000180), ref: 0043306D
__vbaChkstk.MSVBVM60 ref: 0043307E
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00433097
__vbaStrVarMove.MSVBVM60(00000000), ref: 004330A0
__vbaStrMove.MSVBVM60(00000000), ref: 004330AA
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 004330D9
__vbaFreeStr.MSVBVM60 ref: 004330EA
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004330FD
__vbaFreeVar.MSVBVM60 ref: 00433108
__vbaFreeVar.MSVBVM60(00433154), ref: 0043313E
__vbaFreeStr.MSVBVM60(00433154), ref: 00433146
__vbaFreeStr.MSVBVM60(00433154), ref: 0043314E

Strings

T1C, xrefs: 00433143

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultMoveNew2$CallLateList
String ID: T1C
API String ID: 1836669087-3179038950
Opcode ID: 3a2974a73aa6b55f2fb9a402027e940d17f56d4e4fd1c36532f74165a82b8ca7
Instruction ID: 5a56ce391b50ff38c5b8848b72806b0d9ff602a4563e8581a8e66382849d3823
Opcode Fuzzy Hash: 3a2974a73aa6b55f2fb9a402027e940d17f56d4e4fd1c36532f74165a82b8ca7
Instruction Fuzzy Hash: 4F510A71900208AFDB14EFA1CC45BDDBBB9AF48704F20452AF116BB2A1DB796A05DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00430C3E, Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00430C5B
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00430C73
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00430C7E
#589.MSVBVM60(00000001,?,?,?,?,00401486), ref: 00430C85
__vbaNew2.MSVBVM60(00403EE4,00434010), ref: 00430CC3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430CFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000060), ref: 00430D43
__vbaChkstk.MSVBVM60(00000000,?,004036C0,00000060), ref: 00430D6A
__vbaChkstk.MSVBVM60(00000000,?,004036C0,00000060), ref: 00430D7B
__vbaChkstk.MSVBVM60(00000000,?,004036C0,00000060), ref: 00430D8C
__vbaLateMemCall.MSVBVM60(?,Tuh3uoQXnd1Ab1kNrTZdgk8195,00000003), ref: 00430DA4
__vbaFreeObj.MSVBVM60 ref: 00430DAF
__vbaFreeStr.MSVBVM60(00430DDD,00000001,?,?,?,?,00401486), ref: 00430DC7
__vbaFreeObj.MSVBVM60(00430DDD,00000001,?,?,?,?,00401486), ref: 00430DCF
__vbaFreeVar.MSVBVM60(00430DDD,00000001,?,?,?,?,00401486), ref: 00430DD7

Strings

Tuh3uoQXnd1Ab1kNrTZdgk8195, xrefs: 00430D9C
chondre, xrefs: 00430CA2

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$#589CallCheckCopyHresultLateNew2
String ID: Tuh3uoQXnd1Ab1kNrTZdgk8195$chondre
API String ID: 1883412668-1745548932
Opcode ID: 604942bced159c1db61b6b9e2b8fc45635e1d23e91465497cde28278b9c482e3
Instruction ID: 0b413eb748bf3492c80f89cabd7ee6b65f1019814e92ee31bf253298cad858d5
Opcode Fuzzy Hash: 604942bced159c1db61b6b9e2b8fc45635e1d23e91465497cde28278b9c482e3
Instruction Fuzzy Hash: FA414C70900208AFCB24DFA5CC46BDEB7B5BF49704F10416AF506BB2A1C7B96A45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004319B0, Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004319B0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				char* _t67;
				char* _t71;
				signed int _t75;
				char* _t77;
				signed int _t80;
				char* _t83;
				void* _t105;
				void* _t107;
				intOrPtr _t108;

				_t108 = _t107 - 0xc;
				 *[fs:0x0] = _t108;
				L00401480();
				_v16 = _t108;
				_v12 = 0x401350;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x401486, _t105);
				L004015CA();
				L004015B2();
				if( *0x434010 != 0) {
					_v120 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v120 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v120)) + 0x37c))( *_v120));
				_t67 =  &_v60;
				_push(_t67);
				L004015F4();
				_v104 = _t67;
				_v84 = 0x80020004;
				_v92 = 0xa;
				if( *0x434010 != 0) {
					_v124 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v124 = 0x434010;
				}
				_t71 =  &_v52;
				L004015F4();
				_v96 = _t71;
				_t75 =  *((intOrPtr*)( *_v96 + 0x120))(_v96,  &_v56, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v124)) + 0x388))( *_v124));
				asm("fclex");
				_v100 = _t75;
				if(_v100 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x4037bc);
					_push(_v96);
					_push(_v100);
					L004015E8();
					_v128 = _t75;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t77 =  &_v76;
				L004015AC();
				L0040159A();
				L004015D0();
				_t80 =  *((intOrPtr*)( *_v104 + 0x1ec))(_v104, _t77, _t77, _t77, _v56, 0, 0, 0x10);
				asm("fclex");
				_v108 = _t80;
				if(_v108 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403678);
					_push(_v104);
					_push(_v108);
					L004015E8();
					_v132 = _t80;
				}
				L004015B8();
				_push( &_v60);
				_push( &_v56);
				_t83 =  &_v52;
				_push(_t83);
				_push(3);
				L004015DC();
				L004015D6();
				_push(0x431bb0);
				L004015D6();
				L004015B8();
				return _t83;
			}

0x004319b3
0x004319c2
0x004319cc
0x004319d4
0x004319d7
0x004319de
0x004319ed
0x004319f6
0x00431a01
0x00431a0d
0x00431a27
0x00431a0f
0x00431a0f
0x00431a14
0x00431a19
0x00431a1e
0x00431a1e
0x00431a41
0x00431a42
0x00431a45
0x00431a46
0x00431a4b
0x00431a4e
0x00431a55
0x00431a63
0x00431a7d
0x00431a65
0x00431a65
0x00431a6a
0x00431a6f
0x00431a74
0x00431a74
0x00431a98
0x00431a9c
0x00431aa1
0x00431ab0
0x00431ab6
0x00431ab8
0x00431abf
0x00431adb
0x00431ac1
0x00431ac1
0x00431ac6
0x00431acb
0x00431ace
0x00431ad1
0x00431ad6
0x00431ad6
0x00431ae2
0x00431aec
0x00431aed
0x00431aee
0x00431aef
0x00431af7
0x00431afb
0x00431b04
0x00431b0e
0x00431b1c
0x00431b22
0x00431b24
0x00431b2b
0x00431b47
0x00431b2d
0x00431b2d
0x00431b32
0x00431b37
0x00431b3a
0x00431b3d
0x00431b42
0x00431b42
0x00431b4e
0x00431b56
0x00431b5a
0x00431b5b
0x00431b5e
0x00431b5f
0x00431b61
0x00431b6c
0x00431b71
0x00431ba2
0x00431baa
0x00431baf

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004319CC
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 004319F6
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00431A01
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00431A19
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431A46
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 00431A6F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431A9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037BC,00000120), ref: 00431AD1
__vbaChkstk.MSVBVM60 ref: 00431AE2
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00431AFB
__vbaStrVarMove.MSVBVM60(00000000,?,?,?,00401486), ref: 00431B04
__vbaStrMove.MSVBVM60(00000000,?,?,?,00401486), ref: 00431B0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,000001EC), ref: 00431B3D
__vbaFreeStr.MSVBVM60 ref: 00431B4E
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00431B61
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,00401486), ref: 00431B6C
__vbaFreeVar.MSVBVM60(00431BB0,?,?,?,?,?,?,?,00401486), ref: 00431BA2
__vbaFreeStr.MSVBVM60(00431BB0,?,?,?,?,?,?,?,00401486), ref: 00431BAA

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultMoveNew2$CallCopyLateList
String ID:
API String ID: 2463591421-0
Opcode ID: e7614c6243bed5189cdaf3e6975facba9faca03cda5780e5018f0b63f9ba9b12
Instruction ID: 83e8f88dd5f889f755c025cb6b70412f28c794e42323de7effcf6fd8a88db005
Opcode Fuzzy Hash: e7614c6243bed5189cdaf3e6975facba9faca03cda5780e5018f0b63f9ba9b12
Instruction Fuzzy Hash: 2C510A71900208EFDB10EFA5C985BDDBBB9BF48304F20452AF502BB2A1DB796945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004325F3, Relevance: 21.1, APIs: 14, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E004325F3(void* __ebx, void* __edi, void* __esi, void* _a8, void* _a28, signed int* _a56) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v76;
				char _v80;
				char _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				intOrPtr* _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				char* _t58;
				char* _t62;
				signed int _t66;
				signed int _t70;
				char* _t72;
				void* _t93;
				intOrPtr _t94;

				_t94 = _t93 - 0xc;
				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t94;
				_push(0x74);
				L00401480();
				_v16 = _t94;
				_v12 = 0x4013e8;
				L004015B2();
				L004015B2();
				 *_a56 =  *_a56 & 0x00000000;
				if( *0x434010 != 0) {
					_v128 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v128 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v128)) + 0x370))( *_v128));
				_t58 =  &_v84;
				_push(_t58);
				L004015F4();
				_v112 = _t58;
				_v92 = 0x80020004;
				_v100 = 0xa;
				if( *0x434010 != 0) {
					_v132 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v132 = 0x434010;
				}
				_t62 =  &_v80;
				L004015F4();
				_v104 = _t62;
				_t66 =  *((intOrPtr*)( *_v104 + 0xf8))(_v104, 0,  &_v76, _t62,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x338))( *_v132));
				asm("fclex");
				_v108 = _t66;
				if(_v108 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x4036c0);
					_push(_v104);
					_push(_v108);
					L004015E8();
					_v136 = _t66;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t70 =  *((intOrPtr*)( *_v112 + 0x1ec))(_v112, _v76, 0x10);
				asm("fclex");
				_v116 = _t70;
				if(_v116 >= 0) {
					_v140 = _v140 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403678);
					_push(_v112);
					_push(_v116);
					L004015E8();
					_v140 = _t70;
				}
				L004015B8();
				_push( &_v84);
				_t72 =  &_v80;
				_push(_t72);
				_push(2);
				L004015DC();
				_push(0x4327ce);
				L004015D6();
				L004015D6();
				return _t72;
			}

0x004325f6
0x004325f9
0x00432604
0x00432605
0x0043260c
0x0043260f
0x00432617
0x0043261a
0x00432627
0x00432632
0x0043263a
0x00432644
0x0043265e
0x00432646
0x00432646
0x0043264b
0x00432650
0x00432655
0x00432655
0x00432678
0x00432679
0x0043267c
0x0043267d
0x00432682
0x00432685
0x0043268c
0x0043269a
0x004326b4
0x0043269c
0x0043269c
0x004326a1
0x004326a6
0x004326ab
0x004326ab
0x004326cf
0x004326d3
0x004326d8
0x004326e9
0x004326ef
0x004326f1
0x004326f8
0x00432717
0x004326fa
0x004326fa
0x004326ff
0x00432704
0x00432707
0x0043270a
0x0043270f
0x0043270f
0x00432721
0x0043272b
0x0043272c
0x0043272d
0x0043272e
0x0043273a
0x00432740
0x00432742
0x00432749
0x00432768
0x0043274b
0x0043274b
0x00432750
0x00432755
0x00432758
0x0043275b
0x00432760
0x00432760
0x00432772
0x0043277a
0x0043277b
0x0043277e
0x0043277f
0x00432781
0x00432789
0x004327c0
0x004327c8
0x004327cd

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0043260F
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432627
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432632
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432650
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043267D
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 004326A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004326D3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000000F8), ref: 0043270A
__vbaChkstk.MSVBVM60 ref: 00432721
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,000001EC), ref: 0043275B
__vbaFreeStr.MSVBVM60 ref: 00432772
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00432781
__vbaFreeVar.MSVBVM60(004327CE,?,?,00401486), ref: 004327C0
__vbaFreeVar.MSVBVM60(004327CE,?,?,00401486), ref: 004327C8

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: 13cac67f63ccfe17bb98c14e7bef95d1df9cd2ce013bfce5a5c82e1e5a455922
Instruction ID: acde57d0621da7c9cbf92fb8d1475e95284f7dd4c80971951ea11dd6f877857f
Opcode Fuzzy Hash: 13cac67f63ccfe17bb98c14e7bef95d1df9cd2ce013bfce5a5c82e1e5a455922
Instruction Fuzzy Hash: 61511970900308AFCB14DFA1C986BDDBBB9BF48304F10446AE516BB2A1CBB96945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004318BA, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 54
COMMON

Download Yara Rule

C-Code - Quality: 73%

			E004318BA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v64;
				char _v80;
				intOrPtr _v104;
				char _v112;
				short _v116;
				void* _t27;
				short _t30;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401480();
				_v16 = _t47;
				_v12 = 0x401340;
				_v8 = 0;
				_t27 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t44);
				L004015CA();
				L004015B2();
				L004015B2();
				_push(0x403c48);
				L00401528();
				_push(_t27);
				_push( &_v80);
				L0040152E();
				_v104 = 0x403c54;
				_v112 = 0x8008;
				_push( &_v80);
				_t30 =  &_v112;
				_push(_t30);
				L00401582();
				_v116 = _t30;
				L004015D6();
				_push(0x431989);
				L004015D6();
				L004015B8();
				L004015D6();
				return _t30;
			}

0x004318bd
0x004318cc
0x004318d6
0x004318de
0x004318e1
0x004318e8
0x004318f7
0x00431900
0x0043190b
0x00431916
0x0043191b
0x00431920
0x00431925
0x00431929
0x0043192a
0x0043192f
0x00431936
0x00431940
0x00431941
0x00431944
0x00431945
0x0043194a
0x00431951
0x00431956
0x00431973
0x0043197b
0x00431983
0x00431988

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004318D6
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00431900
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 0043190B
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00431916
__vbaI4Str.MSVBVM60(00403C48,?,?,?,?,00401486), ref: 00431920
#698.MSVBVM60(?,00000000,00403C48,?,?,?,?,00401486), ref: 0043192A
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 00431945
__vbaFreeVar.MSVBVM60(00008008,?), ref: 00431951
__vbaFreeVar.MSVBVM60(00431989,00008008,?), ref: 00431973
__vbaFreeStr.MSVBVM60(00431989,00008008,?), ref: 0043197B
__vbaFreeVar.MSVBVM60(00431989,00008008,?), ref: 00431983

Strings

H<@, xrefs: 00431970

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#698ChkstkCopy
String ID: H<@
API String ID: 3663778037-2229746949
Opcode ID: 85199bde369e254d91a32c5675be3dd8b94d906c62d2e56992421988c13559b1
Instruction ID: f8ca3546d2dd9b29ac4be2cffcf3a0d0d5c0668b1ca67900b23181b2c3c9ea9e
Opcode Fuzzy Hash: 85199bde369e254d91a32c5675be3dd8b94d906c62d2e56992421988c13559b1
Instruction Fuzzy Hash: 8C11EF71900208BBCB14EF91CD96ECDBBB8BF44708F50852AF4067B1A1DB786A09CB55

Uniqueness

Uniqueness Score: -1.00%

Function 00432896, Relevance: 19.6, APIs: 13, Instructions: 149
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E00432896(void* __ebx, void* __edi, void* __esi, char __fp0, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				short _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				short _v144;
				char _v148;
				signed int _v152;
				char* _t68;
				signed int _t72;
				char* _t76;
				signed int _t83;
				char* _t85;
				intOrPtr _t93;
				void* _t104;
				void* _t106;
				intOrPtr _t107;
				char _t113;

				_t113 = __fp0;
				_t107 = _t106 - 0xc;
				 *[fs:0x0] = _t107;
				L00401480();
				_v16 = _t107;
				_v12 = 0x401408;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t104);
				L004015B2();
				if( *0x434010 != 0) {
					_v132 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v132 = 0x434010;
				}
				_t68 =  &_v48;
				L004015F4();
				_v108 = _t68;
				_t72 =  *((intOrPtr*)( *_v108 + 0x170))(_v108,  &_v104, _t68,  *((intOrPtr*)( *((intOrPtr*)( *_v132)) + 0x328))( *_v132));
				asm("fclex");
				_v112 = _t72;
				if(_v112 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x403828);
					_push(_v108);
					_push(_v112);
					L004015E8();
					_v136 = _t72;
				}
				if( *0x434010 != 0) {
					_v140 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v140 = 0x434010;
				}
				_t93 =  *((intOrPtr*)( *_v140));
				_t76 =  &_v52;
				L004015F4();
				_v116 = _t76;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v144 = _v104;
				asm("fild dword [ebp-0x8c]");
				_v148 = _t113;
				_v76 = _v148;
				_t83 =  *((intOrPtr*)( *_v116 + 0x204))(_v116, _t93, 0x10, 0x10, 0x10, _t76,  *((intOrPtr*)(_t93 + 0x380))( *_v140));
				asm("fclex");
				_v120 = _t83;
				if(_v120 >= 0) {
					_v152 = _v152 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x4036c0);
					_push(_v116);
					_push(_v120);
					L004015E8();
					_v152 = _t83;
				}
				_push( &_v52);
				_t85 =  &_v48;
				_push(_t85);
				_push(2);
				L004015DC();
				asm("wait");
				_push(0x432ab0);
				L004015D6();
				return _t85;
			}

0x00432896
0x00432899
0x004328a8
0x004328b4
0x004328bc
0x004328bf
0x004328c6
0x004328d5
0x004328de
0x004328ea
0x00432904
0x004328ec
0x004328ec
0x004328f1
0x004328f6
0x004328fb
0x004328fb
0x0043291f
0x00432923
0x00432928
0x00432937
0x0043293d
0x0043293f
0x00432946
0x00432965
0x00432948
0x00432948
0x0043294d
0x00432952
0x00432955
0x00432958
0x0043295d
0x0043295d
0x00432973
0x00432990
0x00432975
0x00432975
0x0043297a
0x0043297f
0x00432984
0x00432984
0x004329aa
0x004329b4
0x004329b8
0x004329bd
0x004329c0
0x004329c7
0x004329ce
0x004329d5
0x004329dc
0x004329e3
0x004329ed
0x004329f7
0x004329f8
0x004329f9
0x004329fa
0x004329fe
0x00432a08
0x00432a09
0x00432a0a
0x00432a0b
0x00432a0f
0x00432a19
0x00432a1a
0x00432a1b
0x00432a1c
0x00432a21
0x00432a27
0x00432a2d
0x00432a3a
0x00432a45
0x00432a4b
0x00432a4d
0x00432a54
0x00432a73
0x00432a56
0x00432a56
0x00432a5b
0x00432a60
0x00432a63
0x00432a66
0x00432a6b
0x00432a6b
0x00432a7d
0x00432a7e
0x00432a81
0x00432a82
0x00432a84
0x00432a8c
0x00432a8d
0x00432aaa
0x00432aaf

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004328B4
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 004328DE
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 004328F6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432923
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403828,00000170), ref: 00432958
__vbaNew2.MSVBVM60(00403EE4,00434010), ref: 0043297F
__vbaObjSet.MSVBVM60(?,00000000), ref: 004329B8
__vbaChkstk.MSVBVM60(?,00000000), ref: 004329ED
__vbaChkstk.MSVBVM60(?,00000000), ref: 004329FE
__vbaChkstk.MSVBVM60(?,00000000), ref: 00432A0F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000204,?,?,00000000), ref: 00432A66
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,00000000), ref: 00432A84
__vbaFreeVar.MSVBVM60(00432AB0,?,?,00401486), ref: 00432AAA

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2$List
String ID:
API String ID: 1303183447-0
Opcode ID: 3e402e9d8725b0723391be1024c02d6954f45b4f3e784ac560aebe0ae4a88c6f
Instruction ID: 3dfec52ca4b874de9a697ec7263167c6f1701777904fde6fc443040eb8747ac2
Opcode Fuzzy Hash: 3e402e9d8725b0723391be1024c02d6954f45b4f3e784ac560aebe0ae4a88c6f
Instruction Fuzzy Hash: A2513770A00318EFCB11DFA5C985BDDBBB5BF09304F20806AE505BB2A1CBB96945DF18

Uniqueness

Uniqueness Score: -1.00%

Function 00430499, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E00430499(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a24, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				char* _t35;
				signed int _t39;
				intOrPtr _t58;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x3c);
				L00401480();
				_v12 = _t58;
				_v8 = 0x401248;
				L004015CA();
				L004015B2();
				if( *0x434010 != 0) {
					_v76 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v76 = 0x434010;
				}
				_t35 =  &_v44;
				L004015F4();
				_v64 = _t35;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t39 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, L"skarpsindigst", 0x10, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x32c))( *_v76));
				asm("fclex");
				_v68 = _t39;
				if(_v68 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v64);
					_push(_v68);
					L004015E8();
					_v80 = _t39;
				}
				L004015E2();
				_push(0x4305a8);
				L004015D6();
				L004015B8();
				return _t39;
			}

0x0043049e
0x004304a9
0x004304aa
0x004304b1
0x004304b4
0x004304bc
0x004304bf
0x004304cc
0x004304d7
0x004304e3
0x004304fd
0x004304e5
0x004304e5
0x004304ea
0x004304ef
0x004304f4
0x004304f4
0x00430518
0x0043051c
0x00430521
0x00430524
0x0043052b
0x00430535
0x0043053f
0x00430540
0x00430541
0x00430542
0x00430550
0x00430556
0x00430558
0x0043055f
0x0043057b
0x00430561
0x00430561
0x00430566
0x0043056b
0x0043056e
0x00430571
0x00430576
0x00430576
0x00430582
0x00430587
0x0043059a
0x004305a2
0x004305a7

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004304B4
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 004304CC
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 004304D7
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 004304EF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043051C
__vbaChkstk.MSVBVM60(?,00000000), ref: 00430535
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00430571
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430582
__vbaFreeVar.MSVBVM60(004305A8), ref: 0043059A
__vbaFreeStr.MSVBVM60(004305A8), ref: 004305A2

Strings

skarpsindigst, xrefs: 00430543

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID: skarpsindigst
API String ID: 763330518-4173241240
Opcode ID: 275bfa16cbc3e33c1a011bef12dda268f8701a6a92b971f30c9d06db354cad37
Instruction ID: 10998a42cb138df2e9aa63619b1d7348e56ede8002062ccc91cccc709265b866
Opcode Fuzzy Hash: 275bfa16cbc3e33c1a011bef12dda268f8701a6a92b971f30c9d06db354cad37
Instruction Fuzzy Hash: D0313871910208EFCB14EF91D896BDDBBB8BF48708F10452AF502BB2A0CB796945CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004300EA, Relevance: 18.1, APIs: 12, Instructions: 124
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E004300EA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v52;
				char _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				char* _t60;
				char* _t64;
				signed int _t68;
				signed int _t72;
				char* _t74;
				void* _t90;
				void* _t92;
				intOrPtr _t93;

				_t93 = _t92 - 0xc;
				 *[fs:0x0] = _t93;
				L00401480();
				_v16 = _t93;
				_v12 = 0x401228;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401486, _t90);
				L004015B2();
				if( *0x434010 != 0) {
					_v104 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v104 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x36c))( *_v104));
				_t60 =  &_v60;
				_push(_t60);
				L004015F4();
				_v88 = _t60;
				_v68 = 0x80020004;
				_v76 = 0xa;
				if( *0x434010 != 0) {
					_v108 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v108 = 0x434010;
				}
				_t64 =  &_v56;
				L004015F4();
				_v80 = _t64;
				_t68 =  *((intOrPtr*)( *_v80 + 0x188))(_v80,  &_v52, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x340))( *_v108));
				asm("fclex");
				_v84 = _t68;
				if(_v84 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x188);
					_push(0x4036c0);
					_push(_v80);
					_push(_v84);
					L004015E8();
					_v112 = _t68;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t72 =  *((intOrPtr*)( *_v88 + 0x1ec))(_v88, _v52, 0x10);
				asm("fclex");
				_v92 = _t72;
				if(_v92 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v88);
					_push(_v92);
					L004015E8();
					_v116 = _t72;
				}
				L004015B8();
				_push( &_v60);
				_t74 =  &_v56;
				_push(_t74);
				_push(2);
				L004015DC();
				asm("wait");
				_push(0x43029f);
				L004015D6();
				return _t74;
			}

0x004300ed
0x004300fc
0x00430106
0x0043010e
0x00430111
0x00430118
0x00430127
0x00430130
0x0043013c
0x00430156
0x0043013e
0x0043013e
0x00430143
0x00430148
0x0043014d
0x0043014d
0x00430170
0x00430171
0x00430174
0x00430175
0x0043017a
0x0043017d
0x00430184
0x00430192
0x004301ac
0x00430194
0x00430194
0x00430199
0x0043019e
0x004301a3
0x004301a3
0x004301c7
0x004301cb
0x004301d0
0x004301df
0x004301e5
0x004301e7
0x004301ee
0x0043020a
0x004301f0
0x004301f0
0x004301f5
0x004301fa
0x004301fd
0x00430200
0x00430205
0x00430205
0x00430211
0x0043021b
0x0043021c
0x0043021d
0x0043021e
0x0043022a
0x00430230
0x00430232
0x00430239
0x00430255
0x0043023b
0x0043023b
0x00430240
0x00430245
0x00430248
0x0043024b
0x00430250
0x00430250
0x0043025c
0x00430264
0x00430265
0x00430268
0x00430269
0x0043026b
0x00430273
0x00430274
0x00430299
0x0043029e

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00430106
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00430130
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00430148
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430175
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 0043019E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004301CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000188), ref: 00430200
__vbaChkstk.MSVBVM60 ref: 00430211
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 0043024B
__vbaFreeStr.MSVBVM60 ref: 0043025C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043026B
__vbaFreeVar.MSVBVM60(0043029F,?,?,00401486), ref: 00430299

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: 3809b01d25e460442db70466fa0806969acc3f17f20c92048ec47377a7a2ee59
Instruction ID: 401c57cb7612a8f279230722f967a4dac2730aeba93351471840f972b4a268b9
Opcode Fuzzy Hash: 3809b01d25e460442db70466fa0806969acc3f17f20c92048ec47377a7a2ee59
Instruction Fuzzy Hash: 8E510470900208EFCB10EFD1D949BDEBBB9BF49304F20456AE506BB2A1C7796945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004302C6, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004302C6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v44;
				char _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v108;
				char* _t60;
				char* _t64;
				signed int _t68;
				signed int _t72;
				char* _t74;
				void* _t90;
				void* _t92;
				intOrPtr _t93;

				_t93 = _t92 - 0xc;
				 *[fs:0x0] = _t93;
				L00401480();
				_v16 = _t93;
				_v12 = 0x401238;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x54,  *[fs:0x0], 0x401486, _t90);
				L004015B2();
				if( *0x434010 != 0) {
					_v96 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v96 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x330))( *_v96));
				_t60 =  &_v52;
				_push(_t60);
				L004015F4();
				_v80 = _t60;
				_v60 = 0x80020004;
				_v68 = 0xa;
				if( *0x434010 != 0) {
					_v100 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v100 = 0x434010;
				}
				_t64 =  &_v48;
				L004015F4();
				_v72 = _t64;
				_t68 =  *((intOrPtr*)( *_v72 + 0x158))(_v72,  &_v44, _t64,  *((intOrPtr*)( *((intOrPtr*)( *_v100)) + 0x2fc))( *_v100));
				asm("fclex");
				_v76 = _t68;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x403904);
					_push(_v72);
					_push(_v76);
					L004015E8();
					_v104 = _t68;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t72 =  *((intOrPtr*)( *_v80 + 0x1ec))(_v80, _v44, 0x10);
				asm("fclex");
				_v84 = _t72;
				if(_v84 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v80);
					_push(_v84);
					L004015E8();
					_v108 = _t72;
				}
				L004015B8();
				_push( &_v52);
				_t74 =  &_v48;
				_push(_t74);
				_push(2);
				L004015DC();
				_push(0x43047a);
				L004015D6();
				return _t74;
			}

0x004302c9
0x004302d8
0x004302e2
0x004302ea
0x004302ed
0x004302f4
0x00430303
0x0043030c
0x00430318
0x00430332
0x0043031a
0x0043031a
0x0043031f
0x00430324
0x00430329
0x00430329
0x0043034c
0x0043034d
0x00430350
0x00430351
0x00430356
0x00430359
0x00430360
0x0043036e
0x00430388
0x00430370
0x00430370
0x00430375
0x0043037a
0x0043037f
0x0043037f
0x004303a3
0x004303a7
0x004303ac
0x004303bb
0x004303c1
0x004303c3
0x004303ca
0x004303e6
0x004303cc
0x004303cc
0x004303d1
0x004303d6
0x004303d9
0x004303dc
0x004303e1
0x004303e1
0x004303ed
0x004303f7
0x004303f8
0x004303f9
0x004303fa
0x00430406
0x0043040c
0x0043040e
0x00430415
0x00430431
0x00430417
0x00430417
0x0043041c
0x00430421
0x00430424
0x00430427
0x0043042c
0x0043042c
0x00430438
0x00430440
0x00430441
0x00430444
0x00430445
0x00430447
0x0043044f
0x00430474
0x00430479

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004302E2
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 0043030C
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00430324
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430351
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 0043037A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004303A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403904,00000158), ref: 004303DC
__vbaChkstk.MSVBVM60 ref: 004303ED
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00430427
__vbaFreeStr.MSVBVM60 ref: 00430438
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00430447
__vbaFreeVar.MSVBVM60(0043047A,?,?,00401486), ref: 00430474

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2$List
String ID:
API String ID: 3897332912-0
Opcode ID: 77e5d84974c6116c95ee11d88e9658096a95569391b83b6f75a997f57f3bd996
Instruction ID: c573db233c540e791ac6c9c85910e9be47dc17f54cf8ecdd82c1c42397e6030d
Opcode Fuzzy Hash: 77e5d84974c6116c95ee11d88e9658096a95569391b83b6f75a997f57f3bd996
Instruction Fuzzy Hash: 2A510775D00208EFCB10DFD5C999BDDBBB9BF48304F10416AE502BB2A1C7796906DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432D03, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E00432D03(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t41;
				signed int _t45;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t61 = _t60 - 0xc;
				 *[fs:0x0] = _t61;
				L00401480();
				_v16 = _t61;
				_v12 = 0x401438;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401486, _t58);
				L004015CA();
				 *_a32 =  *_a32 & 0x00000000;
				if( *0x434010 != 0) {
					_v84 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v84 = 0x434010;
				}
				_t41 =  &_v48;
				L004015F4();
				_v68 = _t41;
				_v56 = 0x80020004;
				_v64 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t45 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, L"TRANGERE", 0x10, _t41,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x340))( *_v84));
				asm("fclex");
				_v72 = _t45;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v68);
					_push(_v72);
					L004015E8();
					_v88 = _t45;
				}
				L004015E2();
				_push(0x432e2a);
				L004015B8();
				return _t45;
			}

0x00432d06
0x00432d15
0x00432d1f
0x00432d27
0x00432d2a
0x00432d31
0x00432d40
0x00432d49
0x00432d51
0x00432d5b
0x00432d75
0x00432d5d
0x00432d5d
0x00432d62
0x00432d67
0x00432d6c
0x00432d6c
0x00432d90
0x00432d94
0x00432d99
0x00432d9c
0x00432da3
0x00432dad
0x00432db7
0x00432db8
0x00432db9
0x00432dba
0x00432dc8
0x00432dce
0x00432dd0
0x00432dd7
0x00432df3
0x00432dd9
0x00432dd9
0x00432dde
0x00432de3
0x00432de6
0x00432de9
0x00432dee
0x00432dee
0x00432dfa
0x00432dff
0x00432e24
0x00432e29

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432D1F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00432D49
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432D67
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432D94
__vbaChkstk.MSVBVM60(?,00000000), ref: 00432DAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00432DE9
__vbaFreeObj.MSVBVM60 ref: 00432DFA
__vbaFreeStr.MSVBVM60(00432E2A), ref: 00432E24

Strings

TRANGERE, xrefs: 00432DBB

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckCopyHresultNew2
String ID: TRANGERE
API String ID: 2888502551-3714728012
Opcode ID: 13ae291df9d722b35e939cb59b71c0db1d84c5dd04af675a45a03c107410b238
Instruction ID: c40b5e5d7f7b5998fba3ed333d344f8615e35f57b84b9739d5da63aafa01793c
Opcode Fuzzy Hash: 13ae291df9d722b35e939cb59b71c0db1d84c5dd04af675a45a03c107410b238
Instruction Fuzzy Hash: 4A314B70900208EFCB05EF95C946BDDBBB5FF49704F10442AF502BB2A1C7B9A905DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431BCF, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00431BCF(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				char* _t57;
				char* _t61;
				signed int _t65;
				signed int _t69;
				char* _t71;
				void* _t84;
				void* _t86;
				intOrPtr _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L00401480();
				_v16 = _t87;
				_v12 = 0x401360;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401486, _t84);
				if( *0x434010 != 0) {
					_v80 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v80 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x33c))( *_v80));
				_t57 =  &_v36;
				_push(_t57);
				L004015F4();
				_v64 = _t57;
				_v44 = 0x80020004;
				_v52 = 0xa;
				if( *0x434010 != 0) {
					_v84 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v84 = 0x434010;
				}
				_t61 =  &_v32;
				L004015F4();
				_v56 = _t61;
				_t65 =  *((intOrPtr*)( *_v56 + 0x140))(_v56,  &_v28, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x33c))( *_v84));
				asm("fclex");
				_v60 = _t65;
				if(_v60 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x4036c0);
					_push(_v56);
					_push(_v60);
					L004015E8();
					_v88 = _t65;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t69 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, _v28, 0x10);
				asm("fclex");
				_v68 = _t69;
				if(_v68 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v64);
					_push(_v68);
					L004015E8();
					_v92 = _t69;
				}
				L004015B8();
				_push( &_v36);
				_t71 =  &_v32;
				_push(_t71);
				_push(2);
				L004015DC();
				_push(0x431d70);
				return _t71;
			}

0x00431bd2
0x00431be1
0x00431beb
0x00431bf3
0x00431bf6
0x00431bfd
0x00431c0c
0x00431c16
0x00431c30
0x00431c18
0x00431c18
0x00431c1d
0x00431c22
0x00431c27
0x00431c27
0x00431c4a
0x00431c4b
0x00431c4e
0x00431c4f
0x00431c54
0x00431c57
0x00431c5e
0x00431c6c
0x00431c86
0x00431c6e
0x00431c6e
0x00431c73
0x00431c78
0x00431c7d
0x00431c7d
0x00431ca1
0x00431ca5
0x00431caa
0x00431cb9
0x00431cbf
0x00431cc1
0x00431cc8
0x00431ce4
0x00431cca
0x00431cca
0x00431ccf
0x00431cd4
0x00431cd7
0x00431cda
0x00431cdf
0x00431cdf
0x00431ceb
0x00431cf5
0x00431cf6
0x00431cf7
0x00431cf8
0x00431d04
0x00431d0a
0x00431d0c
0x00431d13
0x00431d2f
0x00431d15
0x00431d15
0x00431d1a
0x00431d1f
0x00431d22
0x00431d25
0x00431d2a
0x00431d2a
0x00431d36
0x00431d3e
0x00431d3f
0x00431d42
0x00431d43
0x00431d45
0x00431d4d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00431BEB
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00431C22
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431C4F
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 00431C78
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431CA5
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000140), ref: 00431CDA
__vbaChkstk.MSVBVM60 ref: 00431CEB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00431D25
__vbaFreeStr.MSVBVM60 ref: 00431D36
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00431D45

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: cd157405c71791a6c982d586afd344688d6064eb23e1c30d8b14679b610af7ba
Instruction ID: eed3b20e391fc6fd17573b919d255342b12c4c59376f351bd6bc78a0524cd33d
Opcode Fuzzy Hash: cd157405c71791a6c982d586afd344688d6064eb23e1c30d8b14679b610af7ba
Instruction Fuzzy Hash: 1E410374A00208EFCB14DFD1D985BDDBBB9BF49704F10542AF502BB2A0C7796905DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00431D8F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00431D8F(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				char* _t57;
				char* _t61;
				signed int _t65;
				signed int _t69;
				char* _t71;
				void* _t84;
				void* _t86;
				intOrPtr _t87;

				_t87 = _t86 - 0xc;
				 *[fs:0x0] = _t87;
				L00401480();
				_v16 = _t87;
				_v12 = 0x401370;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x401486, _t84);
				if( *0x434010 != 0) {
					_v84 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v84 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x33c))( *_v84));
				_t57 =  &_v40;
				_push(_t57);
				L004015F4();
				_v68 = _t57;
				_v48 = 0x80020004;
				_v56 = 0xa;
				if( *0x434010 != 0) {
					_v88 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v88 = 0x434010;
				}
				_t61 =  &_v36;
				L004015F4();
				_v60 = _t61;
				_t65 =  *((intOrPtr*)( *_v60 + 0x148))(_v60,  &_v32, _t61,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x30c))( *_v88));
				asm("fclex");
				_v64 = _t65;
				if(_v64 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x148);
					_push(0x4037bc);
					_push(_v60);
					_push(_v64);
					L004015E8();
					_v92 = _t65;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t69 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, _v32, 0x10);
				asm("fclex");
				_v72 = _t69;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v68);
					_push(_v72);
					L004015E8();
					_v96 = _t69;
				}
				L004015B8();
				_push( &_v40);
				_t71 =  &_v36;
				_push(_t71);
				_push(2);
				L004015DC();
				_push(0x431f30);
				return _t71;
			}

0x00431d92
0x00431da1
0x00431dab
0x00431db3
0x00431db6
0x00431dbd
0x00431dcc
0x00431dd6
0x00431df0
0x00431dd8
0x00431dd8
0x00431ddd
0x00431de2
0x00431de7
0x00431de7
0x00431e0a
0x00431e0b
0x00431e0e
0x00431e0f
0x00431e14
0x00431e17
0x00431e1e
0x00431e2c
0x00431e46
0x00431e2e
0x00431e2e
0x00431e33
0x00431e38
0x00431e3d
0x00431e3d
0x00431e61
0x00431e65
0x00431e6a
0x00431e79
0x00431e7f
0x00431e81
0x00431e88
0x00431ea4
0x00431e8a
0x00431e8a
0x00431e8f
0x00431e94
0x00431e97
0x00431e9a
0x00431e9f
0x00431e9f
0x00431eab
0x00431eb5
0x00431eb6
0x00431eb7
0x00431eb8
0x00431ec4
0x00431eca
0x00431ecc
0x00431ed3
0x00431eef
0x00431ed5
0x00431ed5
0x00431eda
0x00431edf
0x00431ee2
0x00431ee5
0x00431eea
0x00431eea
0x00431ef6
0x00431efe
0x00431eff
0x00431f02
0x00431f03
0x00431f05
0x00431f0d
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00431DAB
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00431DE2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431E0F
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 00431E38
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431E65
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037BC,00000148), ref: 00431E9A
__vbaChkstk.MSVBVM60 ref: 00431EAB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00431EE5
__vbaFreeStr.MSVBVM60 ref: 00431EF6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00431F05

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: 2b426bbaf37ae5397a772e5179e455ee7ff670b0f24ea2596aca076829608155
Instruction ID: 96fee0ca799c03aac1aa8ba111f5f55947b597dc5a62649fb69dd77cdb2bb90d
Opcode Fuzzy Hash: 2b426bbaf37ae5397a772e5179e455ee7ff670b0f24ea2596aca076829608155
Instruction Fuzzy Hash: 9541E475900208EFCB04DFD5D985BDEBBB9BF49304F20442AF502BB2A1C7796905DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004306A0, Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E004306A0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				char* _t50;
				char* _t54;
				signed int _t58;
				signed int _t62;
				char* _t64;
				intOrPtr _t80;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t80;
				_push(0x40);
				L00401480();
				_v12 = _t80;
				_v8 = 0x401268;
				if( *0x434010 != 0) {
					_v72 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v72 = 0x434010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x380))( *_v72));
				_t50 =  &_v32;
				_push(_t50);
				L004015F4();
				_v60 = _t50;
				_v40 = 0x80020004;
				_v48 = 0xa;
				if( *0x434010 != 0) {
					_v76 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v76 = 0x434010;
				}
				_t54 =  &_v28;
				L004015F4();
				_v52 = _t54;
				_t58 =  *((intOrPtr*)( *_v52 + 0x90))(_v52,  &_v24, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x390))( *_v76));
				asm("fclex");
				_v56 = _t58;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x90);
					_push(0x403ab4);
					_push(_v52);
					_push(_v56);
					L004015E8();
					_v80 = _t58;
				}
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_v60 + 0x1ec))(_v60, _v24, 0x10);
				asm("fclex");
				_v64 = _t62;
				if(_v64 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v60);
					_push(_v64);
					L004015E8();
					_v84 = _t62;
				}
				L004015B8();
				_push( &_v32);
				_t64 =  &_v28;
				_push(_t64);
				_push(2);
				L004015DC();
				_push(0x43082e);
				return _t64;
			}

0x004306a5
0x004306b0
0x004306b1
0x004306b8
0x004306bb
0x004306c3
0x004306c6
0x004306d4
0x004306ee
0x004306d6
0x004306d6
0x004306db
0x004306e0
0x004306e5
0x004306e5
0x00430708
0x00430709
0x0043070c
0x0043070d
0x00430712
0x00430715
0x0043071c
0x0043072a
0x00430744
0x0043072c
0x0043072c
0x00430731
0x00430736
0x0043073b
0x0043073b
0x0043075f
0x00430763
0x00430768
0x00430777
0x0043077d
0x0043077f
0x00430786
0x004307a2
0x00430788
0x00430788
0x0043078d
0x00430792
0x00430795
0x00430798
0x0043079d
0x0043079d
0x004307a9
0x004307b3
0x004307b4
0x004307b5
0x004307b6
0x004307c2
0x004307c8
0x004307ca
0x004307d1
0x004307ed
0x004307d3
0x004307d3
0x004307d8
0x004307dd
0x004307e0
0x004307e3
0x004307e8
0x004307e8
0x004307f4
0x004307fc
0x004307fd
0x00430800
0x00430801
0x00430803
0x0043080b
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004306BB
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 004306E0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043070D
__vbaNew2.MSVBVM60(00403EE4,00434010,?,00000000), ref: 00430736
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430763
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403AB4,00000090), ref: 00430798
__vbaChkstk.MSVBVM60 ref: 004307A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 004307E3
__vbaFreeStr.MSVBVM60 ref: 004307F4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00430803

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID:
API String ID: 2926503497-0
Opcode ID: 139b28748c9e3248545c533aa45b84c76146ca2ffec976a9ca1353ecaeca5489
Instruction ID: e54755ddfe934b79abfa9cd897be187fd5c1cecdf2123167c44ead2684b60612
Opcode Fuzzy Hash: 139b28748c9e3248545c533aa45b84c76146ca2ffec976a9ca1353ecaeca5489
Instruction Fuzzy Hash: 09410674900208AFCB14DF95D986BDEBBB9AF48704F20052AF101BB2A1C7B96905DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0043221C, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0043221C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v48;
				char _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v120;
				signed int _v124;
				char* _t45;
				signed int _t51;
				intOrPtr _t56;
				void* _t68;
				void* _t70;
				intOrPtr* _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401480();
				_v16 = _t71;
				_v12 = 0x4013b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t68);
				L004015B2();
				if( *0x434010 != 0) {
					_v120 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v120 = 0x434010;
				}
				_t56 =  *((intOrPtr*)( *_v120));
				_t45 =  &_v52;
				L004015F4();
				_v104 = _t45;
				_v92 = 0x80020004;
				_v100 = 0xa;
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t71 =  *0x4013b0;
				_t51 =  *((intOrPtr*)( *_v104 + 0x204))(_v104, _t56, 0x10, 0x10, 0x10, _t45,  *((intOrPtr*)(_t56 + 0x34c))( *_v120));
				asm("fclex");
				_v108 = _t51;
				if(_v108 >= 0) {
					_v124 = _v124 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x4036c0);
					_push(_v104);
					_push(_v108);
					L004015E8();
					_v124 = _t51;
				}
				L004015E2();
				asm("wait");
				_push(0x43236f);
				L004015D6();
				return _t51;
			}

0x0043221f
0x0043222e
0x00432238
0x00432240
0x00432243
0x0043224a
0x00432259
0x00432262
0x0043226e
0x00432288
0x00432270
0x00432270
0x00432275
0x0043227a
0x0043227f
0x0043227f
0x00432299
0x004322a3
0x004322a7
0x004322ac
0x004322af
0x004322b6
0x004322bd
0x004322c4
0x004322cb
0x004322d2
0x004322dc
0x004322e6
0x004322e7
0x004322e8
0x004322e9
0x004322ed
0x004322f7
0x004322f8
0x004322f9
0x004322fa
0x004322fe
0x00432308
0x00432309
0x0043230a
0x0043230b
0x00432313
0x0043231e
0x00432324
0x00432326
0x0043232d
0x00432349
0x0043232f
0x0043232f
0x00432334
0x00432339
0x0043233c
0x0043233f
0x00432344
0x00432344
0x00432350
0x00432355
0x00432356
0x00432369
0x0043236e

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432238
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432262
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0043227A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004322A7
__vbaChkstk.MSVBVM60(?,00000000), ref: 004322DC
__vbaChkstk.MSVBVM60(?,00000000), ref: 004322ED
__vbaChkstk.MSVBVM60(?,00000000), ref: 004322FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000204,?,?,00000000), ref: 0043233F
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 00432350
__vbaFreeVar.MSVBVM60(0043236F,?,?,00000000), ref: 00432369

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresultNew2
String ID:
API String ID: 2431949001-0
Opcode ID: 7974903002684bc80cee4f4a74f1e9654f5018f94666e70473529ec1ceeb3532
Instruction ID: c30200ef26dee96d6b9d9b4fe30afa579a53dc967076bdbb1b4af6812ef9a72d
Opcode Fuzzy Hash: 7974903002684bc80cee4f4a74f1e9654f5018f94666e70473529ec1ceeb3532
Instruction Fuzzy Hash: 56413971900708EFDB10DFA5C985B9DBBB5BF09704F20456AF901BF2A1C7B96945CB48

Uniqueness

Uniqueness Score: -1.00%

Function 0043239C, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0043239C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v44;
				char _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t43;
				signed int _t47;
				void* _t63;
				void* _t65;
				intOrPtr _t66;

				_t66 = _t65 - 0xc;
				 *[fs:0x0] = _t66;
				L00401480();
				_v16 = _t66;
				_v12 = 0x4013c8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401486, _t63);
				L004015CA();
				L004015B2();
				if( *0x434010 != 0) {
					_v84 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v84 = 0x434010;
				}
				_t43 =  &_v48;
				L004015F4();
				_v68 = _t43;
				_v56 = _v56 & 0x00000000;
				_v64 = 2;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t47 =  *((intOrPtr*)( *_v68 + 0x200))(_v68, 0x10, _t43,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x37c))( *_v84));
				asm("fclex");
				_v72 = _t47;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x403678);
					_push(_v68);
					_push(_v72);
					L004015E8();
					_v88 = _t47;
				}
				L004015E2();
				_push(0x4324b6);
				L004015B8();
				L004015D6();
				return _t47;
			}

0x0043239f
0x004323ae
0x004323b8
0x004323c0
0x004323c3
0x004323ca
0x004323d9
0x004323e2
0x004323ed
0x004323f9
0x00432413
0x004323fb
0x004323fb
0x00432400
0x00432405
0x0043240a
0x0043240a
0x0043242e
0x00432432
0x00432437
0x0043243a
0x0043243e
0x00432448
0x00432452
0x00432453
0x00432454
0x00432455
0x0043245e
0x00432464
0x00432466
0x0043246d
0x00432489
0x0043246f
0x0043246f
0x00432474
0x00432479
0x0043247c
0x0043247f
0x00432484
0x00432484
0x00432490
0x00432495
0x004324a8
0x004324b0
0x004324b5

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004323B8
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 004323E2
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 004323ED
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432405
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432432
__vbaChkstk.MSVBVM60(?,00000000), ref: 00432448
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,00000200), ref: 0043247F
__vbaFreeObj.MSVBVM60 ref: 00432490
__vbaFreeStr.MSVBVM60(004324B6), ref: 004324A8
__vbaFreeVar.MSVBVM60(004324B6), ref: 004324B0

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckCopyHresultNew2
String ID:
API String ID: 763330518-0
Opcode ID: 0a08e70d3646f0797e9e05fb31f27f2d022833b2296f503d0735401c8367bd62
Instruction ID: ec014f3367bbc4f190746ab0d4e4b76b6d506302d52ef8b95598010690a219ea
Opcode Fuzzy Hash: 0a08e70d3646f0797e9e05fb31f27f2d022833b2296f503d0735401c8367bd62
Instruction Fuzzy Hash: 22310971900208EFCB14DFA1C94ABDDBBB4BF48304F10842AF502BB2A1C7B96905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0042FFC1, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0042FFC1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v72;
				signed int _v76;
				char* _t36;
				signed int _t40;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401480();
				_v16 = _t53;
				_v12 = 0x401218;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401486, _t50);
				if( *0x434010 != 0) {
					_v72 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v72 = 0x434010;
				}
				_t36 =  &_v36;
				L004015F4();
				_v56 = _t36;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v56 + 0x1ec))(_v56, L"PERIKUMBRNDEVIN", 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x32c))( *_v72));
				asm("fclex");
				_v60 = _t40;
				if(_v60 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x4036c0);
					_push(_v56);
					_push(_v60);
					L004015E8();
					_v76 = _t40;
				}
				L004015E2();
				_push(0x4300bd);
				return _t40;
			}

0x0042ffc4
0x0042ffd3
0x0042ffdd
0x0042ffe5
0x0042ffe8
0x0042ffef
0x0042fffe
0x00430008
0x00430022
0x0043000a
0x0043000a
0x0043000f
0x00430014
0x00430019
0x00430019
0x0043003d
0x00430041
0x00430046
0x00430049
0x00430050
0x0043005a
0x00430064
0x00430065
0x00430066
0x00430067
0x00430075
0x0043007b
0x0043007d
0x00430084
0x004300a0
0x00430086
0x00430086
0x0043008b
0x00430090
0x00430093
0x00430096
0x0043009b
0x0043009b
0x004300a7
0x004300ac
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0042FFDD
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00430014
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430041
__vbaChkstk.MSVBVM60(?,00000000), ref: 0043005A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001EC), ref: 00430096
__vbaFreeObj.MSVBVM60 ref: 004300A7

Strings

PERIKUMBRNDEVIN, xrefs: 00430068

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: PERIKUMBRNDEVIN
API String ID: 3189907775-3996290216
Opcode ID: b3a944620965d0e970a5b1806777695562b0f6aade2a488a96b64b5b5ae8f10b
Instruction ID: 13c0d8d17c26902e0de3a10ea5b1009aed132ca326a23c658bf894b3a46bfe0e
Opcode Fuzzy Hash: b3a944620965d0e970a5b1806777695562b0f6aade2a488a96b64b5b5ae8f10b
Instruction Fuzzy Hash: 3F215A70A00208EFCB14DF95E985B9DBBB9FF49704F20402AF501BB2A0C779AA01CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004309A0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E004309A0(void* __ebx, void* __edi, void* __esi, signed int* _a20) {
				intOrPtr _v12;
				intOrPtr _v16;
				char _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t31;
				signed int _t35;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_push(0x3c);
				L00401480();
				_v16 = _t48;
				_v12 = 0x401290;
				 *_a20 =  *_a20 & 0x00000000;
				if( *0x434010 != 0) {
					_v80 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v80 = 0x434010;
				}
				_t31 =  &_v44;
				L004015F4();
				_v64 = _t31;
				_v52 = 0x80020004;
				_v60 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t35 =  *((intOrPtr*)( *_v64 + 0x1ec))(_v64, L"Revselse7", 0x10, _t31,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x37c))( *_v80));
				asm("fclex");
				_v68 = _t35;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403678);
					_push(_v64);
					_push(_v68);
					L004015E8();
					_v84 = _t35;
				}
				L004015E2();
				_push(0x430aa2);
				return _t35;
			}

0x004309a3
0x004309a6
0x004309b1
0x004309b2
0x004309b9
0x004309bc
0x004309c4
0x004309c7
0x004309d1
0x004309db
0x004309f5
0x004309dd
0x004309dd
0x004309e2
0x004309e7
0x004309ec
0x004309ec
0x00430a10
0x00430a14
0x00430a19
0x00430a1c
0x00430a23
0x00430a2d
0x00430a37
0x00430a38
0x00430a39
0x00430a3a
0x00430a48
0x00430a4e
0x00430a50
0x00430a57
0x00430a73
0x00430a59
0x00430a59
0x00430a5e
0x00430a63
0x00430a66
0x00430a69
0x00430a6e
0x00430a6e
0x00430a7a
0x00430a7f
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004309BC
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 004309E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00430A14
__vbaChkstk.MSVBVM60(?,00000000), ref: 00430A2D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,000001EC), ref: 00430A69
__vbaFreeObj.MSVBVM60 ref: 00430A7A

Strings

Revselse7, xrefs: 00430A3B

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: Revselse7
API String ID: 3189907775-4127856029
Opcode ID: 69418d442d7df8442aac3ce80ffeae19327b1ee4ff1dd7b2dda299122942427c
Instruction ID: 3a5fe856102e5f344ab02ab8a6e3aaa171c62f15ad61f61ab5ba7df11d0e924d
Opcode Fuzzy Hash: 69418d442d7df8442aac3ce80ffeae19327b1ee4ff1dd7b2dda299122942427c
Instruction Fuzzy Hash: 52214A71E40208EFCB14EFA5E846B9DBBB8BF49705F10452AF511BB2A1C7B96801CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00431302, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00431302(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L00401480();
				_v12 = _t46;
				_v8 = 0x4012e0;
				if( *0x434010 != 0) {
					_v56 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v56 = 0x434010;
				}
				_t29 =  &_v24;
				L004015F4();
				_v44 = _t29;
				_v32 = 0x80020004;
				_v40 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x1ec))(_v44, L"cattalos", 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x368))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x403678);
					_push(_v44);
					_push(_v48);
					L004015E8();
					_v60 = _t33;
				}
				L004015E2();
				_push(0x4313eb);
				return _t33;
			}

0x00431307
0x00431312
0x00431313
0x0043131a
0x0043131d
0x00431325
0x00431328
0x00431336
0x00431350
0x00431338
0x00431338
0x0043133d
0x00431342
0x00431347
0x00431347
0x0043136b
0x0043136f
0x00431374
0x00431377
0x0043137e
0x00431388
0x00431392
0x00431393
0x00431394
0x00431395
0x004313a3
0x004313a9
0x004313ab
0x004313b2
0x004313ce
0x004313b4
0x004313b4
0x004313b9
0x004313be
0x004313c1
0x004313c4
0x004313c9
0x004313c9
0x004313d5
0x004313da
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0043131D
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00431342
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401486), ref: 0043136F
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00431388
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,000001EC,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004313C4
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401486), ref: 004313D5

Strings

cattalos, xrefs: 00431396

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID: cattalos
API String ID: 3189907775-1666761588
Opcode ID: 5fd6059663a4a0ea34161d090e5703935dd5d241e8109eed3cad78f8d1c67879
Instruction ID: d68948ece08422dd1fd8444f7fafcb4876a3e27f135cb61c47d2f069489b600c
Opcode Fuzzy Hash: 5fd6059663a4a0ea34161d090e5703935dd5d241e8109eed3cad78f8d1c67879
Instruction Fuzzy Hash: D2218E71900208AFDB04DF95C986BDDBBB9EB0D714F20542AF501BB2A0C7B96900CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00430841, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00430841(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t42;
				signed int _t48;
				intOrPtr _t52;
				void* _t62;
				void* _t64;
				intOrPtr* _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401480();
				_v16 = _t65;
				_v12 = 0x401280;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401486, _t62);
				if( *0x434010 != 0) {
					_v96 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v96 = 0x434010;
				}
				_t52 =  *((intOrPtr*)( *_v96));
				_t42 =  &_v28;
				L004015F4();
				_v80 = _t42;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t65 =  *0x401278;
				_t48 =  *((intOrPtr*)( *_v80 + 0x204))(_v80, _t52, 0x10, 0x10, 0x10, _t42,  *((intOrPtr*)(_t52 + 0x33c))( *_v96));
				asm("fclex");
				_v84 = _t48;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x204);
					_push(0x4036c0);
					_push(_v80);
					_push(_v84);
					L004015E8();
					_v100 = _t48;
				}
				L004015E2();
				asm("wait");
				_push(0x430981);
				return _t48;
			}

0x00430844
0x00430853
0x0043085d
0x00430865
0x00430868
0x0043086f
0x0043087e
0x00430888
0x004308a2
0x0043088a
0x0043088a
0x0043088f
0x00430894
0x00430899
0x00430899
0x004308b3
0x004308bd
0x004308c1
0x004308c6
0x004308c9
0x004308d0
0x004308d7
0x004308de
0x004308e5
0x004308ec
0x004308f6
0x00430900
0x00430901
0x00430902
0x00430903
0x00430907
0x00430911
0x00430912
0x00430913
0x00430914
0x00430918
0x00430922
0x00430923
0x00430924
0x00430925
0x0043092d
0x00430938
0x0043093e
0x00430940
0x00430947
0x00430963
0x00430949
0x00430949
0x0043094e
0x00430953
0x00430956
0x00430959
0x0043095e
0x0043095e
0x0043096a
0x0043096f
0x00430970
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0043085D
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00430894
__vbaObjSet.MSVBVM60(?,00000000), ref: 004308C1
__vbaChkstk.MSVBVM60(?,00000000), ref: 004308F6
__vbaChkstk.MSVBVM60(?,00000000), ref: 00430907
__vbaChkstk.MSVBVM60(?,00000000), ref: 00430918
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000204,?,?,00000000), ref: 00430959
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0043096A

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 5f212e66b6527ae13f6a3ec74cff4ce35f8d569698e6c55653912d2a707b2b95
Instruction ID: 0e7b5bcc52b13c450151acc747ab4b4351a0be6e97944a3ab1626caad5afcb57
Opcode Fuzzy Hash: 5f212e66b6527ae13f6a3ec74cff4ce35f8d569698e6c55653912d2a707b2b95
Instruction Fuzzy Hash: 7E3136B0D10608EFDB01DF95D889B8EBBB5BF09714F10852AF901BF2A1C7BA5445CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004324D5, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004324D5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				signed int _v24;
				void* _v40;
				void* _v44;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _t44;
				signed int _t49;
				intOrPtr _t61;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t61;
				_push(0x3c);
				L00401480();
				_v12 = _t61;
				_v8 = 0x4013d8;
				L004015B2();
				if( *0x4343a0 != 0) {
					_v72 = 0x4343a0;
				} else {
					_push(0x4343a0);
					_push(0x403bf0);
					L004015EE();
					_v72 = 0x4343a0;
				}
				_v52 =  *_v72;
				_t44 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v44);
				asm("fclex");
				_v56 = _t44;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x403be0);
					_push(_v52);
					_push(_v56);
					L004015E8();
					_v76 = _t44;
				}
				_v60 = _v44;
				_t49 =  *((intOrPtr*)( *_v60 + 0x118))(_v60,  &_v48);
				asm("fclex");
				_v64 = _t49;
				if(_v64 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x403c60);
					_push(_v60);
					_push(_v64);
					L004015E8();
					_v80 = _t49;
				}
				L0040151C();
				_v24 = _t49;
				L004015E2();
				_push(0x4325e0);
				L004015D6();
				return _t49;
			}

0x004324da
0x004324e5
0x004324e6
0x004324ed
0x004324f0
0x004324f8
0x004324fb
0x00432508
0x00432514
0x0043252e
0x00432516
0x00432516
0x0043251b
0x00432520
0x00432525
0x00432525
0x0043253a
0x00432549
0x0043254c
0x0043254e
0x00432555
0x0043256e
0x00432557
0x00432557
0x00432559
0x0043255e
0x00432561
0x00432564
0x00432569
0x00432569
0x00432575
0x00432584
0x0043258a
0x0043258c
0x00432593
0x004325af
0x00432595
0x00432595
0x0043259a
0x0043259f
0x004325a2
0x004325a5
0x004325aa
0x004325aa
0x004325b6
0x004325bb
0x004325c2
0x004325c7
0x004325da
0x004325df

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004324F0
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432508
__vbaNew2.MSVBVM60(00403BF0,004343A0,?,?,?,?,00401486), ref: 00432520
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403BE0,00000014), ref: 00432564
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403C60,00000118), ref: 004325A5
__vbaI2I4.MSVBVM60(00000000,?,00403C60,00000118), ref: 004325B6
__vbaFreeObj.MSVBVM60(00000000,?,00403C60,00000118), ref: 004325C2
__vbaFreeVar.MSVBVM60(004325E0), ref: 004325DA

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: bf1a261904e9bf258812d99f8e5dcaea002565eda8646947cd08820cc70fe595
Instruction ID: da902e6b2c76e8889d22c48cf512dd6320c3d1a46452b5294daf5a68770749e2
Opcode Fuzzy Hash: bf1a261904e9bf258812d99f8e5dcaea002565eda8646947cd08820cc70fe595
Instruction Fuzzy Hash: AA310271D40208BFCB05DF95DA86BDDBBB4AF48714F60502AF002B72A1D7B86A45CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00432AD9, Relevance: 12.1, APIs: 8, Instructions: 73
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E00432AD9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v72;
				signed int _v76;
				char* _t32;
				signed int _t36;
				intOrPtr _t52;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x38);
				L00401480();
				_v12 = _t52;
				_v8 = 0x401418;
				L004015B2();
				if( *0x434010 != 0) {
					_v72 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v72 = 0x434010;
				}
				_t32 =  &_v40;
				L004015F4();
				_v60 = _t32;
				_v48 = 1;
				_v56 = 2;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t36 =  *((intOrPtr*)( *_v60 + 0x17c))(_v60, 0x10, _t32,  *((intOrPtr*)( *((intOrPtr*)( *_v72)) + 0x30c))( *_v72));
				asm("fclex");
				_v64 = _t36;
				if(_v64 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x17c);
					_push(0x4037bc);
					_push(_v60);
					_push(_v64);
					L004015E8();
					_v76 = _t36;
				}
				L004015E2();
				_push(0x432bd0);
				L004015D6();
				return _t36;
			}

0x00432ade
0x00432ae9
0x00432aea
0x00432af1
0x00432af4
0x00432afc
0x00432aff
0x00432b0c
0x00432b18
0x00432b32
0x00432b1a
0x00432b1a
0x00432b1f
0x00432b24
0x00432b29
0x00432b29
0x00432b4d
0x00432b51
0x00432b56
0x00432b59
0x00432b60
0x00432b6a
0x00432b74
0x00432b75
0x00432b76
0x00432b77
0x00432b80
0x00432b86
0x00432b88
0x00432b8f
0x00432bab
0x00432b91
0x00432b91
0x00432b96
0x00432b9b
0x00432b9e
0x00432ba1
0x00432ba6
0x00432ba6
0x00432bb2
0x00432bb7
0x00432bca
0x00432bcf

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432AF4
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00432B0C
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432B24
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432B51
__vbaChkstk.MSVBVM60(?,00000000), ref: 00432B6A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037BC,0000017C), ref: 00432BA1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00432BB2
__vbaFreeVar.MSVBVM60(00432BD0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00432BCA

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2
String ID:
API String ID: 2807847221-0
Opcode ID: b55ac194e78041e695282c95163c058b4ae06d88bceaae66a3c8430ba27107e2
Instruction ID: 0ed24240cef11e5b697bee6cf631d4ac7d9a324cc22834907ff995c563f837dd
Opcode Fuzzy Hash: b55ac194e78041e695282c95163c058b4ae06d88bceaae66a3c8430ba27107e2
Instruction Fuzzy Hash: AD213D70900208EFCB15DF91D985BDDBBB9EF48704F20446AF101BB2A1C7B96945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432028, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00432028(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v60;
				signed int _v64;
				char* _t36;
				signed int _t39;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401480();
				_v16 = _t53;
				_v12 = 0x401390;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x401486, _t50);
				L004015CA();
				if( *0x434010 != 0) {
					_v60 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v60 = 0x434010;
				}
				_t36 =  &_v40;
				L004015F4();
				_v44 = _t36;
				_t39 =  *((intOrPtr*)( *_v44 + 0x1e8))(_v44, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v60)) + 0x330))( *_v60));
				asm("fclex");
				_v48 = _t39;
				if(_v48 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x4036c0);
					_push(_v44);
					_push(_v48);
					L004015E8();
					_v64 = _t39;
				}
				L004015E2();
				asm("wait");
				_push(0x432114);
				L004015B8();
				return _t39;
			}

0x0043202b
0x0043203a
0x00432044
0x0043204c
0x0043204f
0x00432056
0x00432065
0x0043206e
0x0043207a
0x00432094
0x0043207c
0x0043207c
0x00432081
0x00432086
0x0043208b
0x0043208b
0x004320af
0x004320b3
0x004320b8
0x004320c3
0x004320c9
0x004320cb
0x004320d2
0x004320ee
0x004320d4
0x004320d4
0x004320d9
0x004320de
0x004320e1
0x004320e4
0x004320e9
0x004320e9
0x004320f5
0x004320fa
0x004320fb
0x0043210e
0x00432113

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432044
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0043206E
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432086
__vbaObjSet.MSVBVM60(?,00000000), ref: 004320B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001E8), ref: 004320E4
__vbaFreeObj.MSVBVM60 ref: 004320F5
__vbaFreeStr.MSVBVM60(00432114), ref: 0043210E

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: e6ca27110a9d6b9aa7e58e9a2cc040c1a678c559abc3e21a23f80b7e0e62642f
Instruction ID: a6f7c8b5828cbeb56038fd05aa3a3adb2cab500244b997c108eebfc9a9dd55a7
Opcode Fuzzy Hash: e6ca27110a9d6b9aa7e58e9a2cc040c1a678c559abc3e21a23f80b7e0e62642f
Instruction Fuzzy Hash: A7211B74900208EFCB04EFA5C985BDDBBB8EF48714F10946AF602BB2A0C7796945DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00430B45, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00430B45(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x30);
				L00401480();
				_v12 = _t46;
				_v8 = 0x4012b0;
				L004015B2();
				if( *0x434010 != 0) {
					_v64 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v64 = 0x434010;
				}
				_t29 =  &_v48;
				L004015F4();
				_v52 = _t29;
				_t32 =  *((intOrPtr*)( *_v52 + 0x1e8))(_v52, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x380))( *_v64));
				asm("fclex");
				_v56 = _t32;
				if(_v56 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x4036c0);
					_push(_v52);
					_push(_v56);
					L004015E8();
					_v68 = _t32;
				}
				L004015E2();
				_push(0x430c1d);
				L004015D6();
				return _t32;
			}

0x00430b4a
0x00430b55
0x00430b56
0x00430b5d
0x00430b60
0x00430b68
0x00430b6b
0x00430b78
0x00430b84
0x00430b9e
0x00430b86
0x00430b86
0x00430b8b
0x00430b90
0x00430b95
0x00430b95
0x00430bb9
0x00430bbd
0x00430bc2
0x00430bcd
0x00430bd3
0x00430bd5
0x00430bdc
0x00430bf8
0x00430bde
0x00430bde
0x00430be3
0x00430be8
0x00430beb
0x00430bee
0x00430bf3
0x00430bf3
0x00430bff
0x00430c04
0x00430c17
0x00430c1c

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00430B60
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00430B78
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00430B90
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430BBD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001E8), ref: 00430BEE
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430BFF
__vbaFreeVar.MSVBVM60(00430C1D,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00430C17

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 8835bf1d0c825fb4f2169adc9a6eff397c0835a0cd2669998530ba3d1c5b929a
Instruction ID: 9f4a17c0d6aad0b3e68a5b87246d6f1d90afe17374581f8e2f1203172b8a75e2
Opcode Fuzzy Hash: 8835bf1d0c825fb4f2169adc9a6eff397c0835a0cd2669998530ba3d1c5b929a
Instruction Fuzzy Hash: A821F570950208BFCB18DF95D995FDDB7B8FB48708F10552AF112BB2A0CB786904DB28

Uniqueness

Uniqueness Score: -1.00%

Function 0042FECC, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0042FECC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				char* _t29;
				signed int _t32;
				intOrPtr _t46;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x20);
				L00401480();
				_v12 = _t46;
				_v8 = 0x401208;
				L004015CA();
				if( *0x434010 != 0) {
					_v48 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v48 = 0x434010;
				}
				_t29 =  &_v32;
				L004015F4();
				_v36 = _t29;
				_t32 =  *((intOrPtr*)( *_v36 + 0x1f8))(_v36, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x334))( *_v48));
				asm("fclex");
				_v40 = _t32;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1f8);
					_push(0x4036c0);
					_push(_v36);
					_push(_v40);
					L004015E8();
					_v52 = _t32;
				}
				L004015E2();
				_push(0x42ffa4);
				L004015B8();
				return _t32;
			}

0x0042fed1
0x0042fedc
0x0042fedd
0x0042fee4
0x0042fee7
0x0042feef
0x0042fef2
0x0042feff
0x0042ff0b
0x0042ff25
0x0042ff0d
0x0042ff0d
0x0042ff12
0x0042ff17
0x0042ff1c
0x0042ff1c
0x0042ff40
0x0042ff44
0x0042ff49
0x0042ff54
0x0042ff5a
0x0042ff5c
0x0042ff63
0x0042ff7f
0x0042ff65
0x0042ff65
0x0042ff6a
0x0042ff6f
0x0042ff72
0x0042ff75
0x0042ff7a
0x0042ff7a
0x0042ff86
0x0042ff8b
0x0042ff9e
0x0042ffa3

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0042FEE7
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0042FEFF
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0042FF17
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401486), ref: 0042FF44
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001F8,?,?,?,?,?,?,?,?,00401486), ref: 0042FF75
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401486), ref: 0042FF86
__vbaFreeStr.MSVBVM60(0042FFA4,?,?,?,?,?,?,?,?,00401486), ref: 0042FF9E

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyHresultNew2
String ID:
API String ID: 2810356740-0
Opcode ID: 639e88e66018a374afdc112b2a33dc4a83bcc43efa953666054e35cfc96c7d92
Instruction ID: 4822801be10b8f0eabcff767360b9da7ac691073d2a4d7d72abe6781541599ac
Opcode Fuzzy Hash: 639e88e66018a374afdc112b2a33dc4a83bcc43efa953666054e35cfc96c7d92
Instruction Fuzzy Hash: 31213970A00218AFCB04DFA5D945BEDB7B8FB49708F50407BF012BB2A0C7796904CB28

Uniqueness

Uniqueness Score: -1.00%

Function 004305BB, Relevance: 10.6, APIs: 7, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004305BB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v40;
				char _v56;
				intOrPtr _v80;
				intOrPtr _v88;
				intOrPtr _v96;
				char _v104;
				signed int _v108;
				short _v112;
				signed int _v120;
				signed int _t27;
				short _t29;
				short _t32;
				intOrPtr _t41;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t41;
				_push(0x64);
				L00401480();
				_v12 = _t41;
				_v8 = 0x401258;
				_v80 = 0x403ab0;
				_v88 = 8;
				L004015B2();
				_push( &_v56);
				_t27 =  &_v40;
				_push(_t27);
				L0040157C();
				_v108 = _t27;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(_v108);
					L00401576();
					_v120 = _t27;
				}
				_v96 = 2;
				_v104 = 0x8002;
				_push( &_v56);
				_t29 =  &_v104;
				_push(_t29);
				L00401582();
				_v112 = _t29;
				_push( &_v56);
				_push( &_v40);
				_push(2);
				L004015BE();
				_t32 = _v112;
				if(_t32 != 0) {
					_push(0x8e);
					L00401570();
					_v24 = _t32;
				}
				_push(0x43068d);
				return _t32;
			}

0x004305c0
0x004305cb
0x004305cc
0x004305d3
0x004305d6
0x004305de
0x004305e1
0x004305e8
0x004305ef
0x004305fc
0x00430604
0x00430605
0x00430608
0x00430609
0x0043060e
0x00430615
0x00430624
0x00430617
0x00430617
0x0043061a
0x0043061f
0x0043061f
0x00430628
0x0043062f
0x00430639
0x0043063a
0x0043063d
0x0043063e
0x00430643
0x0043064a
0x0043064e
0x0043064f
0x00430651
0x00430659
0x0043065f
0x00430661
0x00430666
0x0043066b
0x0043066b
0x0043066e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004305D6
__vbaVarDup.MSVBVM60 ref: 004305FC
#564.MSVBVM60(?,?), ref: 00430609
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0043061A
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?), ref: 0043063E
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?), ref: 00430651
#570.MSVBVM60(0000008E), ref: 00430666

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#564#570CheckChkstkFreeHresultList
String ID:
API String ID: 4191202046-0
Opcode ID: ab1e6e700647fb72813b4272400ef9cab9eee8791dcc669d5cd87412697313ab
Instruction ID: d2697894fbff2aa8f6e724c1b787fe8058902a18212d7c296c2e2883fd9deab1
Opcode Fuzzy Hash: ab1e6e700647fb72813b4272400ef9cab9eee8791dcc669d5cd87412697313ab
Instruction Fuzzy Hash: B011CCB1D01308AADB00DFD1C946BDEBBBCEB48744F20452BE106BB191E7785A49CB69

Uniqueness

Uniqueness Score: -1.00%

Function 004314F5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004314F5(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				signed int _v40;
				short _v44;
				signed int _v56;
				signed int _t30;
				short _t34;
				void* _t39;
				void* _t41;
				intOrPtr _t42;

				_t42 = _t41 - 0xc;
				 *[fs:0x0] = _t42;
				L00401480();
				_v16 = _t42;
				_v12 = 0x401300;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401486, _t39);
				_t30 =  *((intOrPtr*)( *_a4 + 0xa8))(_a4,  &_v36);
				asm("fclex");
				_v40 = _t30;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0xa8);
					_push(0x40324c);
					_push(_a4);
					_push(_v40);
					L004015E8();
					_v56 = _t30;
				}
				_push(_v36);
				_push(0);
				L0040153A();
				asm("sbb eax, eax");
				_v44 =  ~( ~_t30 + 1);
				L004015B8();
				_t34 = _v44;
				if(_t34 != 0) {
					_push(L"Ombuddets6");
					L00401534();
				}
				asm("wait");
				_push(0x4315b1);
				return _t34;
			}

0x004314f8
0x00431507
0x00431511
0x00431519
0x0043151c
0x00431523
0x00431532
0x00431541
0x00431547
0x00431549
0x00431550
0x0043156c
0x00431552
0x00431552
0x00431557
0x0043155c
0x0043155f
0x00431562
0x00431567
0x00431567
0x00431570
0x00431573
0x00431575
0x0043157c
0x00431581
0x00431588
0x0043158d
0x00431593
0x00431595
0x0043159a
0x0043159a
0x0043159f
0x004315a0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00431511
__vbaHresultCheckObj.MSVBVM60(00000000,00401300,0040324C,000000A8), ref: 00431562
__vbaStrCmp.MSVBVM60(00000000,?), ref: 00431575
__vbaFreeStr.MSVBVM60(00000000,?), ref: 00431588
#532.MSVBVM60(Ombuddets6,00000000,?), ref: 0043159A

Strings

Ombuddets6, xrefs: 00431595

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#532CheckChkstkFreeHresult
String ID: Ombuddets6
API String ID: 282215524-1727458866
Opcode ID: a4472c162d783c9a1e3bc8b9bee364c9e7ab303b14e1a35386834abb3af8bb9c
Instruction ID: 9176fc4ea6622cf906c3b392618b1e377887576c3a4e88471a20e122408f7856
Opcode Fuzzy Hash: a4472c162d783c9a1e3bc8b9bee364c9e7ab303b14e1a35386834abb3af8bb9c
Instruction Fuzzy Hash: B5111931941208BFCB00EFA5C945FDD7FB4AF49B45F10906AF406FB1A1D7789A448B99

Uniqueness

Uniqueness Score: -1.00%

Function 004327EB, Relevance: 10.5, APIs: 7, Instructions: 40
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E004327EB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8, void* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _t18;
				void* _t28;
				void* _t30;
				intOrPtr _t31;

				_t31 = _t30 - 0xc;
				 *[fs:0x0] = _t31;
				L00401480();
				_v16 = _t31;
				_v12 = 0x4013f8;
				_v8 = 0;
				_t18 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x401486, _t28);
				L004015CA();
				L004015CA();
				_push(0x403c54);
				L00401516();
				if(_t18 != 0x61) {
					_push(0xf6);
					L00401510();
					_v32 = _t18;
				}
				_push(0x432877);
				L004015B8();
				L004015B8();
				return _t18;
			}

0x004327ee
0x004327fd
0x00432807
0x0043280f
0x00432812
0x00432819
0x00432828
0x00432831
0x0043283c
0x00432841
0x00432846
0x0043284f
0x00432851
0x00432856
0x0043285e
0x0043285e
0x00432861
0x00432869
0x00432871
0x00432876

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432807
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00432831
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0043283C
#696.MSVBVM60(00403C54,?,?,?,?,00401486), ref: 00432846
#571.MSVBVM60(000000F6,00403C54,?,?,?,?,00401486), ref: 00432856
__vbaFreeStr.MSVBVM60(00432877,00403C54,?,?,?,?,00401486), ref: 00432869
__vbaFreeStr.MSVBVM60(00432877,00403C54,?,?,?,?,00401486), ref: 00432871

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$#571#696Chkstk
String ID:
API String ID: 3932495866-0
Opcode ID: 2b8672fbf631291b0a0191d4df22298dad19a048574adfed09189fbdc6e7d6a0
Instruction ID: 1863d3be044c8bee8e74616693bd85454cc85ce92137b13807fb18cc67956c31
Opcode Fuzzy Hash: 2b8672fbf631291b0a0191d4df22298dad19a048574adfed09189fbdc6e7d6a0
Instruction Fuzzy Hash: 8E011E30540249BFDB04FF96C946BAE7BB4EB44748F40813AF4017B2E1D67C9945CB95

Uniqueness

Uniqueness Score: -1.00%

Function 00432BE3, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00432BE3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v68;
				signed int _v72;
				char* _t36;
				signed int _t40;
				void* _t50;
				void* _t52;
				intOrPtr _t53;

				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401480();
				_v16 = _t53;
				_v12 = 0x401428;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401486, _t50);
				if( *0x434010 != 0) {
					_v68 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v68 = 0x434010;
				}
				_t36 =  &_v32;
				L004015F4();
				_v52 = _t36;
				_v40 = 1;
				_v48 = 2;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v52 + 0x200))(_v52, 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x330))( *_v68));
				asm("fclex");
				_v56 = _t40;
				if(_v56 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x4036c0);
					_push(_v52);
					_push(_v56);
					L004015E8();
					_v72 = _t40;
				}
				L004015E2();
				_push(0x432cda);
				return _t40;
			}

0x00432be6
0x00432bf5
0x00432bff
0x00432c07
0x00432c0a
0x00432c11
0x00432c20
0x00432c2a
0x00432c44
0x00432c2c
0x00432c2c
0x00432c31
0x00432c36
0x00432c3b
0x00432c3b
0x00432c5f
0x00432c63
0x00432c68
0x00432c6b
0x00432c72
0x00432c7c
0x00432c86
0x00432c87
0x00432c88
0x00432c89
0x00432c92
0x00432c98
0x00432c9a
0x00432ca1
0x00432cbd
0x00432ca3
0x00432ca3
0x00432ca8
0x00432cad
0x00432cb0
0x00432cb3
0x00432cb8
0x00432cb8
0x00432cc4
0x00432cc9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432BFF
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432C36
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432C63
__vbaChkstk.MSVBVM60(?,00000000), ref: 00432C7C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000200), ref: 00432CB3
__vbaFreeObj.MSVBVM60 ref: 00432CC4

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 24dd8a10357c53b6dea634a12b1465b5f26ff8bb927c284fbf63a59bfc4fbc5e
Instruction ID: 4e6aac1b161c2b1e86546c4b4f841d5cdb2fe6d6d4e947565fc3452f8e68a0e6
Opcode Fuzzy Hash: 24dd8a10357c53b6dea634a12b1465b5f26ff8bb927c284fbf63a59bfc4fbc5e
Instruction Fuzzy Hash: 86216970D10208EFCB14DF95DA89B9DBBB9BF08704F20542AF402BB2A0C7B96905DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004313FE, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004313FE(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t29;
				signed int _t33;
				intOrPtr _t46;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_push(0x28);
				L00401480();
				_v12 = _t46;
				_v8 = 0x4012f0;
				if( *0x434010 != 0) {
					_v56 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v56 = 0x434010;
				}
				_t29 =  &_v24;
				L004015F4();
				_v44 = _t29;
				_v32 = 1;
				_v40 = 2;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t33 =  *((intOrPtr*)( *_v44 + 0x200))(_v44, 0x10, _t29,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x340))( *_v56));
				asm("fclex");
				_v48 = _t33;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x200);
					_push(0x4036c0);
					_push(_v44);
					_push(_v48);
					L004015E8();
					_v60 = _t33;
				}
				L004015E2();
				_push(0x4314e2);
				return _t33;
			}

0x00431403
0x0043140e
0x0043140f
0x00431416
0x00431419
0x00431421
0x00431424
0x00431432
0x0043144c
0x00431434
0x00431434
0x00431439
0x0043143e
0x00431443
0x00431443
0x00431467
0x0043146b
0x00431470
0x00431473
0x0043147a
0x00431484
0x0043148e
0x0043148f
0x00431490
0x00431491
0x0043149a
0x004314a0
0x004314a2
0x004314a9
0x004314c5
0x004314ab
0x004314ab
0x004314b0
0x004314b5
0x004314b8
0x004314bb
0x004314c0
0x004314c0
0x004314cc
0x004314d1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00431419
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0043143E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401486), ref: 0043146B
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401486), ref: 00431484
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000200,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004314BB
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401486), ref: 004314CC

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: ae3255db0a5ca727964a7130c8590bfa363372d64ff27fe689b1d6fcb7652e29
Instruction ID: 52894bbb717c6dc327914319f63547242ca9c263f6d1c7527c9559d6076f330d
Opcode Fuzzy Hash: ae3255db0a5ca727964a7130c8590bfa363372d64ff27fe689b1d6fcb7652e29
Instruction Fuzzy Hash: CA215C70900208AFCB10DF95D989BDDBBB9EF08714F20542AF101BB2A1C7B969049B68

Uniqueness

Uniqueness Score: -1.00%

Function 004315D8, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004315D8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401480();
				_v16 = _t47;
				_v12 = 0x401310;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401486, _t44);
				if( *0x434010 != 0) {
					_v52 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v52 = 0x434010;
				}
				_t33 =  &_v32;
				L004015F4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x370))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x403678);
					_push(_v36);
					_push(_v40);
					L004015E8();
					_v56 = _t36;
				}
				L004015E2();
				asm("wait");
				_push(0x4316b1);
				return _t36;
			}

0x004315db
0x004315ea
0x004315f4
0x004315fc
0x004315ff
0x00431606
0x00431615
0x0043161f
0x00431639
0x00431621
0x00431621
0x00431626
0x0043162b
0x00431630
0x00431630
0x00431654
0x00431658
0x0043165d
0x00431668
0x0043166e
0x00431670
0x00431677
0x00431693
0x00431679
0x00431679
0x0043167e
0x00431683
0x00431686
0x00431689
0x0043168e
0x0043168e
0x0043169a
0x0043169f
0x004316a0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004315F4
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0043162B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00431658
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403678,0000020C), ref: 00431689
__vbaFreeObj.MSVBVM60 ref: 0043169A

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 1503e704adf4601b35c904b9c08f35aaa0e762e3f018b3df744e913439681ade
Instruction ID: e56a9e85b495bed5958833283bfb43392f09d4084c0912f9bf4d4d68f301a835
Opcode Fuzzy Hash: 1503e704adf4601b35c904b9c08f35aaa0e762e3f018b3df744e913439681ade
Instruction Fuzzy Hash: A1210474A01208AFCB04DFA5D98AFDDBBB8BB48704F20556AF402BB2A1C7795900DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004317BA, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004317BA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401480();
				_v16 = _t47;
				_v12 = 0x401330;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401486, _t44);
				if( *0x434010 != 0) {
					_v52 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v52 = 0x434010;
				}
				_t33 =  &_v32;
				L004015F4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x364))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x4036c0);
					_push(_v36);
					_push(_v40);
					L004015E8();
					_v56 = _t36;
				}
				L004015E2();
				asm("wait");
				_push(0x431893);
				return _t36;
			}

0x004317bd
0x004317cc
0x004317d6
0x004317de
0x004317e1
0x004317e8
0x004317f7
0x00431801
0x0043181b
0x00431803
0x00431803
0x00431808
0x0043180d
0x00431812
0x00431812
0x00431836
0x0043183a
0x0043183f
0x0043184a
0x00431850
0x00431852
0x00431859
0x00431875
0x0043185b
0x0043185b
0x00431860
0x00431865
0x00431868
0x0043186b
0x00431870
0x00431870
0x0043187c
0x00431881
0x00431882
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004317D6
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0043180D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0043183A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,0000020C), ref: 0043186B
__vbaFreeObj.MSVBVM60 ref: 0043187C

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 18a51ef5b9a3a7f7c8a2e6bf1cd7bac5c140a3276516279c5bfa5dcd12e1a924
Instruction ID: 116cbffa4bc79e138df6d1d866fcdfb68816bce4600b931d9f77a0eccd7d9f4a
Opcode Fuzzy Hash: 18a51ef5b9a3a7f7c8a2e6bf1cd7bac5c140a3276516279c5bfa5dcd12e1a924
Instruction Fuzzy Hash: C1210774901208FFCB04EF95D949B9DBBB9FB48704F20546AF402BB2A1C7799900DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00432E53, Relevance: 7.6, APIs: 5, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 66%

			E00432E53(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401480();
				_v16 = _t47;
				_v12 = 0x401448;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x401486, _t44);
				if( *0x434010 != 0) {
					_v52 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v52 = 0x434010;
				}
				_t33 =  &_v32;
				L004015F4();
				_v36 = _t33;
				_t36 =  *((intOrPtr*)( *_v36 + 0x20c))(_v36, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x364))( *_v52));
				asm("fclex");
				_v40 = _t36;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x20c);
					_push(0x4036c0);
					_push(_v36);
					_push(_v40);
					L004015E8();
					_v56 = _t36;
				}
				L004015E2();
				_push(0x432f2b);
				return _t36;
			}

0x00432e56
0x00432e65
0x00432e6f
0x00432e77
0x00432e7a
0x00432e81
0x00432e90
0x00432e9a
0x00432eb4
0x00432e9c
0x00432e9c
0x00432ea1
0x00432ea6
0x00432eab
0x00432eab
0x00432ecf
0x00432ed3
0x00432ed8
0x00432ee3
0x00432ee9
0x00432eeb
0x00432ef2
0x00432f0e
0x00432ef4
0x00432ef4
0x00432ef9
0x00432efe
0x00432f01
0x00432f04
0x00432f09
0x00432f09
0x00432f15
0x00432f1a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432E6F
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00432EA6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00432ED3
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,0000020C), ref: 00432F04
__vbaFreeObj.MSVBVM60 ref: 00432F15

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: ed4c4e294e6f3de962ecdcd089cbe9f1820a523a9c0d0aa8360c87acc54cc73e
Instruction ID: 3adf695c654b9433b6ce55bf7b653727fa34df6af7323ee0286f2b79fbde64ab
Opcode Fuzzy Hash: ed4c4e294e6f3de962ecdcd089cbe9f1820a523a9c0d0aa8360c87acc54cc73e
Instruction Fuzzy Hash: B6211874910208EFCB00DF95DA89F9DBBB5FB48704F20506AF502BB2A1C7B9A904DB58

Uniqueness

Uniqueness Score: -1.00%

Function 0043213B, Relevance: 7.6, APIs: 5, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0043213B(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v48;
				signed int _v52;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x20);
				L00401480();
				_v12 = _t40;
				_v8 = 0x4013a0;
				if( *0x434010 != 0) {
					_v48 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v48 = 0x434010;
				}
				_t26 =  &_v32;
				L004015F4();
				_v36 = _t26;
				_t29 =  *((intOrPtr*)( *_v36 + 0x208))(_v36, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x34c))( *_v48));
				asm("fclex");
				_v40 = _t29;
				if(_v40 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x208);
					_push(0x4036c0);
					_push(_v36);
					_push(_v40);
					L004015E8();
					_v52 = _t29;
				}
				L004015E2();
				asm("wait");
				_push(0x432201);
				return _t29;
			}

0x00432140
0x0043214b
0x0043214c
0x00432153
0x00432156
0x0043215e
0x00432161
0x0043216f
0x00432189
0x00432171
0x00432171
0x00432176
0x0043217b
0x00432180
0x00432180
0x004321a4
0x004321a8
0x004321ad
0x004321b8
0x004321be
0x004321c0
0x004321c7
0x004321e3
0x004321c9
0x004321c9
0x004321ce
0x004321d3
0x004321d6
0x004321d9
0x004321de
0x004321de
0x004321ea
0x004321ef
0x004321f0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00432156
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 0043217B
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401486), ref: 004321A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,00000208,?,?,?,?,?,?,?,?,00401486), ref: 004321D9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401486), ref: 004321EA

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: ef6b2842a0cdd984c03e854897ae54a16bcbd48daa8eb38ea4af8b892550532b
Instruction ID: 40734ae33d7accc0ff208eae736f6d07c31208d9bec47483de358c3d52743825
Opcode Fuzzy Hash: ef6b2842a0cdd984c03e854897ae54a16bcbd48daa8eb38ea4af8b892550532b
Instruction Fuzzy Hash: 94110875910208AFCB04DF95CE49BDEB7B8FB4C704F10956AE511B72A0C7BD6900DB68

Uniqueness

Uniqueness Score: -1.00%

Function 004316D8, Relevance: 7.6, APIs: 5, Instructions: 57
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004316D8(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v44;
				signed int _v48;
				char* _t26;
				signed int _t29;
				intOrPtr _t40;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t40;
				_push(0x1c);
				L00401480();
				_v12 = _t40;
				_v8 = 0x401320;
				if( *0x434010 != 0) {
					_v44 = 0x434010;
				} else {
					_push(0x434010);
					_push(0x403ee4);
					L004015EE();
					_v44 = 0x434010;
				}
				_t26 =  &_v28;
				L004015F4();
				_v32 = _t26;
				_t29 =  *((intOrPtr*)( *_v32 + 0x1e8))(_v32, _t26,  *((intOrPtr*)( *((intOrPtr*)( *_v44)) + 0x330))( *_v44));
				asm("fclex");
				_v36 = _t29;
				if(_v36 >= 0) {
					_v48 = _v48 & 0x00000000;
				} else {
					_push(0x1e8);
					_push(0x4036c0);
					_push(_v32);
					_push(_v36);
					L004015E8();
					_v48 = _t29;
				}
				L004015E2();
				_push(0x43179d);
				return _t29;
			}

0x004316dd
0x004316e8
0x004316e9
0x004316f0
0x004316f3
0x004316fb
0x004316fe
0x0043170c
0x00431726
0x0043170e
0x0043170e
0x00431713
0x00431718
0x0043171d
0x0043171d
0x00431741
0x00431745
0x0043174a
0x00431755
0x0043175b
0x0043175d
0x00431764
0x00431780
0x00431766
0x00431766
0x0043176b
0x00431770
0x00431773
0x00431776
0x0043177b
0x0043177b
0x00431787
0x0043178c
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 004316F3
__vbaNew2.MSVBVM60(00403EE4,00434010,?,?,?,?,00401486), ref: 00431718
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401486), ref: 00431745
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036C0,000001E8,?,?,?,?,?,?,?,00401486), ref: 00431776
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401486), ref: 00431787

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 609d9c53fe388f4102108c9aadfbb5e98a82724bfaf743315569815302472916
Instruction ID: 84d43944bc709522ec8fc70b54ca23825c1438f00f6c5e9f283f68dd12eb238c
Opcode Fuzzy Hash: 609d9c53fe388f4102108c9aadfbb5e98a82724bfaf743315569815302472916
Instruction Fuzzy Hash: AD110674D00208AFCB14DF95C886BEEBBB8EB4C714F14542AE112BB2A0C77D6545DB69

Uniqueness

Uniqueness Score: -1.00%

Function 00431F57, Relevance: 7.6, APIs: 5, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00431F57(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				intOrPtr _v60;
				char _v68;
				signed int _v72;
				signed int _v80;
				signed int _t25;
				signed int _t26;
				intOrPtr _t36;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t36;
				_push(0x3c);
				L00401480();
				_v12 = _t36;
				_v8 = 0x401380;
				_push(1);
				_push( &_v36);
				L00401522();
				_v60 = 0x403c5c;
				_v68 = 0x8008;
				_push( &_v36);
				_t25 =  &_v68;
				_push(_t25);
				L00401582();
				_v72 = _t25;
				L004015D6();
				_t26 = _v72;
				if(_t26 != 0) {
					_t26 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0x2047);
					asm("fclex");
					_v72 = _t26;
					if(_v72 >= 0) {
						_v80 = _v80 & 0x00000000;
					} else {
						_push(0x15c);
						_push(0x40324c);
						_push(_a4);
						_push(_v72);
						L004015E8();
						_v80 = _t26;
					}
				}
				_push(0x432015);
				return _t26;
			}

0x00431f5c
0x00431f67
0x00431f68
0x00431f6f
0x00431f72
0x00431f7a
0x00431f7d
0x00431f84
0x00431f89
0x00431f8a
0x00431f8f
0x00431f96
0x00431fa0
0x00431fa1
0x00431fa4
0x00431fa5
0x00431faa
0x00431fb1
0x00431fb6
0x00431fbc
0x00431fcb
0x00431fd1
0x00431fd3
0x00431fda
0x00431ff6
0x00431fdc
0x00431fdc
0x00431fe1
0x00431fe6
0x00431fe9
0x00431fec
0x00431ff1
0x00431ff1
0x00431fda
0x00431ffa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00431F72
#526.MSVBVM60(?,00000001,?,?,?,?,00401486), ref: 00431F8A
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00401486), ref: 00431FA5
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,00000001,?,?,?,?,00401486), ref: 00431FB1
__vbaHresultCheckObj.MSVBVM60(?,?,0040324C,0000015C,?,?,?,?,?,?,?,?,00000001), ref: 00431FEC

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#526CheckChkstkFreeHresult
String ID:
API String ID: 2443935952-0
Opcode ID: eee1281c5f69d1825c001ab4a3f84a053e314418763a20e3de9a0fa89d5a3d48
Instruction ID: 879b34446d7572ad3910a712ed8941aa9e00b6795d68d5b6a10798fa8321196e
Opcode Fuzzy Hash: eee1281c5f69d1825c001ab4a3f84a053e314418763a20e3de9a0fa89d5a3d48
Instruction Fuzzy Hash: 6011F871900208FBDB14DF91CD45FDEBBB8BB08B45F10412AF505BA1A0D7B8AA45CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00430ABF, Relevance: 6.0, APIs: 4, Instructions: 29COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00430ADB
__vbaVarDup.MSVBVM60(?,?,?,?,00401486), ref: 00430B05
#554.MSVBVM60(?,?,?,?,00401486), ref: 00430B0A
__vbaFreeVar.MSVBVM60(00430B1E,?,?,?,?,00401486), ref: 00430B18

Memory Dump Source

Source File: 00000000.00000002.528338333.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.528330245.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.528368480.0000000000434000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.528378034.0000000000436000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#554ChkstkFree
String ID:
API String ID: 2175279628-0
Opcode ID: 4c3d3354b196c4bb07e3743db53f4649ac4a8334f9be341859f71a25a8660c8d
Instruction ID: 885f99ec5a54e797ec6c0cd016a432ca005c6cc980c0c60b94f7386fb693f8b8
Opcode Fuzzy Hash: 4c3d3354b196c4bb07e3743db53f4649ac4a8334f9be341859f71a25a8660c8d
Instruction Fuzzy Hash: 5AF0F471900209BBCB10EFA5C945F8DBB78FF44748F50C16AF415BB1A1D77C65448B99

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 4660 Parent PID: 6976 RegAsm.exeCOMMON

Executed Functions

Function 1CF251E6, Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1CF25302

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: b8eaf0083eaa3da0dd1c0c7e714c97e2be77741c6980728b08c9dc1ae20ef3dc
Instruction ID: fadab9325901140f5f2e9ec29883a401c36d233ca3fcd3b0ac6a9d2b759096ca
Opcode Fuzzy Hash: b8eaf0083eaa3da0dd1c0c7e714c97e2be77741c6980728b08c9dc1ae20ef3dc
Instruction Fuzzy Hash: 1C51D2B1D10309DFDF14CF99C884ADEBBB5BF48310F64852AE819AB250D771A845CF90

Uniqueness

Uniqueness Score: -1.00%

Function 1CF23CDC, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1CF25302

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 10aa1008038ad27a4661b74f8cdce575ec926a8d52af5335f6f0b053ce2c7d0e
Instruction ID: b92b2185b27cc6f6059b328729ef27ac866370f863e1b88a3cfd86cf1f17d100
Opcode Fuzzy Hash: 10aa1008038ad27a4661b74f8cdce575ec926a8d52af5335f6f0b053ce2c7d0e
Instruction Fuzzy Hash: D951D1B1D10309EFDF14CF99C884ADEBBB5BF48310F64852AE819AB250D775A845CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1CF269C4, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1CF27D59

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: ddd524f90cba36f20e5b7afa1e7473ecda9509a3818bfc348b30a793d21f6d47
Instruction ID: 9e8d3850e6509d2ca2fdaf2695d979515309b88c15e14f63b03dd6e2617aec65
Opcode Fuzzy Hash: ddd524f90cba36f20e5b7afa1e7473ecda9509a3818bfc348b30a793d21f6d47
Instruction Fuzzy Hash: D8412AB5900249DFDB00CF99C484BAABBF5FB88324F64C459D519AB321C775E841CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 1CF26DD2, Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,1CF26D9E,?,?,?,?,?), ref: 1CF26E5F

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 5a1f8409d3340e93fe3ceb1b4f6814d18d9f188bd32d8243ef27a9f20cece505
Instruction ID: 3978003a99a4bb9fb51be81ef058c0f642a56929eb209569875f9a2a59dddafa
Opcode Fuzzy Hash: 5a1f8409d3340e93fe3ceb1b4f6814d18d9f188bd32d8243ef27a9f20cece505
Instruction Fuzzy Hash: C321C4B5D00248AFDB10CFAAD484ADEBBF4FF48324F54841AE919A7310D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1CF26778, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,1CF26D9E,?,?,?,?,?), ref: 1CF26E5F

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: dcf28d051a95b86e544d8fc6deb870e72c47957b069cf7f4287f122b15d02b3b
Instruction ID: f94f7942b1f95e9c288864003d879b2316256ce77da3e04056e669fa15c25f31
Opcode Fuzzy Hash: dcf28d051a95b86e544d8fc6deb870e72c47957b069cf7f4287f122b15d02b3b
Instruction Fuzzy Hash: 8021E4B5D00248AFDB10CFAAD484ADEBBF4FB48320F50841AE915A3310D375A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1CF2BE59, Relevance: 1.6, APIs: 1, Instructions: 59COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1CF2BEE2

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 37232d55a24bf80f9649b0037f4bcc323091fa4a0c0f2b07cb8337686cbf1e9b
Instruction ID: 9eb9e0bf0440407d32d8a4c47e3c9c4c2a977b9e4a3a7eaddf947ec7ad6ba56d
Opcode Fuzzy Hash: 37232d55a24bf80f9649b0037f4bcc323091fa4a0c0f2b07cb8337686cbf1e9b
Instruction Fuzzy Hash: EC218B70806B898FDB51CFAAD84878ABFF4FB45324F54856AD406A3A01C339A514CF61

Uniqueness

Uniqueness Score: -1.00%

Function 1CF2BE68, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1CF2BEE2

Memory Dump Source

Source File: 0000000F.00000002.597002806.000000001CF20000.00000040.00000001.sdmp, Offset: 1CF20000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 0142c1d4589a907b89123f4373ad6c975e761bd225c396d9663bbba94818e6b4
Instruction ID: a8d9108714a77a82c43280080263b661a6fdabd7f80752ffd494cd9631ab7a96
Opcode Fuzzy Hash: 0142c1d4589a907b89123f4373ad6c975e761bd225c396d9663bbba94818e6b4
Instruction Fuzzy Hash: 3A116A70901B498FDB50CFA9D8487DEBBF8FB49324F508529D806A3B40C77AA544CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1CE3D450, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.596769691.000000001CE3D000.00000040.00000001.sdmp, Offset: 1CE3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f528bdfe895c1bddf030d4c3ab65e8ec732196031ce19492ff61b87a390103f9
Instruction ID: 538565294d8918c7da2512ce480093b0fa4ac9a53e80df6cc06ee5c23b0b03f0
Opcode Fuzzy Hash: f528bdfe895c1bddf030d4c3ab65e8ec732196031ce19492ff61b87a390103f9
Instruction Fuzzy Hash: 6C21C1B1514284EFDB01DF14D9C0B17BB65FB88329F20D6A9E9094B246C337E956CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1CE3D53C, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.596769691.000000001CE3D000.00000040.00000001.sdmp, Offset: 1CE3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f48be387af73e1d1f90ab1c9596c19cda0b8efae88d9d380135a18a0ab24cbf2
Instruction ID: 5ea991c2240e0d7a5dcb70f1919bf332abd5edeaa7f3107d1700b8d6e42df3b7
Opcode Fuzzy Hash: f48be387af73e1d1f90ab1c9596c19cda0b8efae88d9d380135a18a0ab24cbf2
Instruction Fuzzy Hash: 032103B1514244EFDB01DF10D9C0B16BB66FB88329F209669E9094B246C337EA56CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1CE3D44B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.596769691.000000001CE3D000.00000040.00000001.sdmp, Offset: 1CE3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359ded2920b4906c1b9059edeb69a6e30f35fcf2532fefe88998094a7f2fd743
Instruction ID: 7e36d3722a0a0391ae8a59726bbe99454f373364e0dbca0cd36ab614af3c5d83
Opcode Fuzzy Hash: 359ded2920b4906c1b9059edeb69a6e30f35fcf2532fefe88998094a7f2fd743
Instruction Fuzzy Hash: 45119076904284DFDB02CF14D9C4B16BF72FB84328F24C6A9D8054B656C33AE55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 1CE3D537, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.596769691.000000001CE3D000.00000040.00000001.sdmp, Offset: 1CE3D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 359ded2920b4906c1b9059edeb69a6e30f35fcf2532fefe88998094a7f2fd743
Instruction ID: db631467a7b3bdbb83bb9d4e5f7bb32aa9ccc7e8201a29a46da55a55806ebde5
Opcode Fuzzy Hash: 359ded2920b4906c1b9059edeb69a6e30f35fcf2532fefe88998094a7f2fd743
Instruction Fuzzy Hash: 1F11B276504284DFDB02CF10D9C4B56BF72FB84328F24C6A9D8494B656C33AE55ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report payment.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

UDP Packets

DNS Queries

DNS Answers

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Function 00430DF0, Relevance: 84.3, APIs: 39, Strings: 9, Instructions: 319
COMMON

Function 00432F54, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 145
COMMON

Function 004319B0, Relevance: 27.1, APIs: 18, Instructions: 144
COMMON

Function 004325F3, Relevance: 21.1, APIs: 14, Instructions: 126
COMMON

Function 004318BA, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 54
COMMON

Function 00432896, Relevance: 19.6, APIs: 13, Instructions: 149
COMMON

Function 00430499, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 79
COMMON

Function 004300EA, Relevance: 18.1, APIs: 12, Instructions: 124
COMMON

Function 004302C6, Relevance: 18.1, APIs: 12, Instructions: 123
COMMON

Function 00432D03, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 80
COMMON

Function 00431BCF, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Function 00431D8F, Relevance: 15.1, APIs: 10, Instructions: 118
COMMON

Function 004306A0, Relevance: 15.1, APIs: 10, Instructions: 114
COMMON

Function 0043221C, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Function 0043239C, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Function 0042FFC1, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 73
COMMON

Function 004309A0, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 70
COMMON

Function 00431302, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 69
COMMON

Function 00430841, Relevance: 12.1, APIs: 8, Instructions: 98
COMMON

Function 004324D5, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Function 00432AD9, Relevance: 12.1, APIs: 8, Instructions: 73
COMMON

Function 00432028, Relevance: 10.6, APIs: 7, Instructions: 67
COMMON

Function 00430B45, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 0042FECC, Relevance: 10.6, APIs: 7, Instructions: 62
COMMON

Function 004305BB, Relevance: 10.6, APIs: 7, Instructions: 58
COMMON

Function 004314F5, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 57
COMMON

Function 004327EB, Relevance: 10.5, APIs: 7, Instructions: 40
COMMON

Function 00432BE3, Relevance: 9.1, APIs: 6, Instructions: 72
COMMON