Play interactive tour

Edit tour

Analysis Report FAKTURA I UWAGI.bat

Overview

General Information

Sample Name:	FAKTURA I UWAGI.bat (renamed file extension from bat to exe)
Analysis ID:	357266
MD5:	2c3b4c255d8d786535c4832f5b7f7c0e
SHA1:	3cc1d799b6f92a338cffa35d74d52b1c4f19a91e
SHA256:	46c474c38fd679025142a453fc46243a91e0820d4ab0449aab0bd92c29d0ee30
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

FAKTURA I UWAGI.exe (PID: 6492 cmdline: 'C:\Users\user\Desktop\FAKTURA I UWAGI.exe' MD5: 2C3B4C255D8D786535C4832F5B7F7C0E)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: FAKTURA I UWAGI.exe PID: 6492	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: FAKTURA I UWAGI.exe PID: 6492	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: FAKTURA I UWAGI.exe	Virustotal: Detection: 42%			Perma Link
Source: FAKTURA I UWAGI.exe	ReversingLabs: Detection: 36%

Compliance:

Uses 32bit PE files

Show sources

Source: FAKTURA I UWAGI.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Code function: 1_2_0040673C

1_2_0040673C

Source: FAKTURA I UWAGI.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: FAKTURA I UWAGI.exe, 00000001.00000000.200222774.000000000040F000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamedosissspiro.exe vs FAKTURA I UWAGI.exe
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725896004.0000000002090000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs FAKTURA I UWAGI.exe
Source: FAKTURA I UWAGI.exe	Binary or memory string: OriginalFilenamedosissspiro.exe vs FAKTURA I UWAGI.exe

Source: FAKTURA I UWAGI.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.rans.troj.evad.winEXE@1/0@0/0

Source: FAKTURA I UWAGI.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: FAKTURA I UWAGI.exe	Virustotal: Detection: 42%
Source: FAKTURA I UWAGI.exe	ReversingLabs: Detection: 36%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: FAKTURA I UWAGI.exe PID: 6492, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: FAKTURA I UWAGI.exe PID: 6492, type: MEMORY

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_00406B41 push FFFFFFFFh; ret	1_2_00406B44
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_004065F7 push edx; ret	1_2_00406607
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E6893 push esi; retf	1_2_020E68A6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E44CB pushad ; ret	1_2_020E44D3

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1A30	1_2_020E1A30
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1AA6	1_2_020E1AA6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E56CF	1_2_020E56CF
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E56D2	1_2_020E56D2
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1AE3	1_2_020E1AE3
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1B49	1_2_020E1B49
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E176F	1_2_020E176F
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E179A	1_2_020E179A
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E17C9	1_2_020E17C9
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E17F6	1_2_020E17F6
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E184D	1_2_020E184D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1C63	1_2_020E1C63
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E18B2	1_2_020E18B2
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1D2D	1_2_020E1D2D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1D2B	1_2_020E1D2B
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1925	1_2_020E1925
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1958	1_2_020E1958
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1D52	1_2_020E1D52
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1D81	1_2_020E1D81
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1993	1_2_020E1993
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E19D9	1_2_020E19D9

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E596A second address: 00000000020E5829 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, al 0x0000000c mov eax, 00000539h 0x00000011 mov ecx, dword ptr [ebp+1Ch] 0x00000014 mov edx, 8802EDACh 0x00000019 cmp edx, FBBA1D1Eh 0x0000001f call 00007F030CBE3678h 0x00000024 jmp 00007F030CBE3C1Ah 0x00000026 test dh, ah 0x00000028 push esi 0x00000029 push edx 0x0000002a jmp 00007F030CBE3C1Eh 0x0000002c test bh, 00000007h 0x0000002f push ecx 0x00000030 jmp 00007F030CBE3C1Ah 0x00000032 cmp dh, ch 0x00000034 cmp eax, 00000539h 0x00000039 jne 00007F030CBE3C92h 0x0000003f jmp 00007F030CBE3C1Eh 0x00000041 cmp edi, 8CD470F3h 0x00000047 test dx, ax 0x0000004a test bh, dh 0x0000004c push 6DDB9555h 0x00000051 call 00007F030CBE3F42h 0x00000056 mov eax, dword ptr fs:[00000030h] 0x0000005c cmp cl, al 0x0000005e mov eax, dword ptr [eax+0Ch] 0x00000061 mov eax, dword ptr [eax+14h] 0x00000064 mov ecx, dword ptr [eax] 0x00000066 mov eax, ecx 0x00000068 cmp edx, 332BDEA8h 0x0000006e jmp 00007F030CBE3C2Bh 0x00000070 mov ebx, dword ptr [eax+28h] 0x00000073 cmp ebx, 00000000h 0x00000076 je 00007F030CBE3C29h 0x00000078 pushad 0x00000079 mov eax, 000000CAh 0x0000007e rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E59D0 second address: 00000000020E59D0 instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: FAKTURA I UWAGI.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E5914 second address: 00000000020E596A instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 cmp bx, ax 0x00000006 test ecx, ecx 0x00000008 test ax, dx 0x0000000b test bl, bl 0x0000000d jmp 00007F030C871BA2h 0x0000000f cmp cx, bx 0x00000012 push ss 0x00000013 pop ss 0x00000014 jmp 00007F030C871BA1h 0x00000016 pushad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E596A second address: 00000000020E5829 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a cmp cl, al 0x0000000c mov eax, 00000539h 0x00000011 mov ecx, dword ptr [ebp+1Ch] 0x00000014 mov edx, 8802EDACh 0x00000019 cmp edx, FBBA1D1Eh 0x0000001f call 00007F030CBE3678h 0x00000024 jmp 00007F030CBE3C1Ah 0x00000026 test dh, ah 0x00000028 push esi 0x00000029 push edx 0x0000002a jmp 00007F030CBE3C1Eh 0x0000002c test bh, 00000007h 0x0000002f push ecx 0x00000030 jmp 00007F030CBE3C1Ah 0x00000032 cmp dh, ch 0x00000034 cmp eax, 00000539h 0x00000039 jne 00007F030CBE3C92h 0x0000003f jmp 00007F030CBE3C1Eh 0x00000041 cmp edi, 8CD470F3h 0x00000047 test dx, ax 0x0000004a test bh, dh 0x0000004c push 6DDB9555h 0x00000051 call 00007F030CBE3F42h 0x00000056 mov eax, dword ptr fs:[00000030h] 0x0000005c cmp cl, al 0x0000005e mov eax, dword ptr [eax+0Ch] 0x00000061 mov eax, dword ptr [eax+14h] 0x00000064 mov ecx, dword ptr [eax] 0x00000066 mov eax, ecx 0x00000068 cmp edx, 332BDEA8h 0x0000006e jmp 00007F030CBE3C2Bh 0x00000070 mov ebx, dword ptr [eax+28h] 0x00000073 cmp ebx, 00000000h 0x00000076 je 00007F030CBE3C29h 0x00000078 pushad 0x00000079 mov eax, 000000CAh 0x0000007e rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E59D0 second address: 00000000020E59D0 instructions:
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E5EC3 second address: 00000000020E2FED instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b test dx, ax 0x0000000e test edx, edx 0x00000010 ret 0x00000011 cmp si, 7336h 0x00000016 test bl, cl 0x00000018 call 00007F030CBE66FFh 0x0000001d cmp dx, ax 0x00000020 call 00007F030CBE3AF1h 0x00000025 cmp ebx, ecx 0x00000027 jmp 00007F030CBE3C22h 0x00000029 test ecx, 4D23117Ah 0x0000002f cmp dh, ch 0x00000031 xor edi, edi 0x00000033 test dx, dx 0x00000036 mov ecx, 00A95F60h 0x0000003b cmp ecx, 7DEA00C7h 0x00000041 test dl, al 0x00000043 cmp cl, cl 0x00000045 push ecx 0x00000046 cmp cx, 8097h 0x0000004b call 00007F030CBE3C3Dh 0x00000050 call 00007F030CBE3C39h 0x00000055 lfence 0x00000058 mov edx, dword ptr [7FFE0014h] 0x0000005e lfence 0x00000061 ret 0x00000062 mov esi, edx 0x00000064 pushad 0x00000065 rdtsc
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	RDTSC instruction interceptor: First address: 00000000020E2FED second address: 00000000020E2FED instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F030C871BA9h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e cmp eax, edx 0x00000020 add edi, edx 0x00000022 test cx, bx 0x00000025 dec ecx 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007F030C871B67h 0x0000002b cmp cl, cl 0x0000002d push ecx 0x0000002e cmp cx, 8097h 0x00000033 call 00007F030C871BBDh 0x00000038 call 00007F030C871BB9h 0x0000003d lfence 0x00000040 mov edx, dword ptr [7FFE0014h] 0x00000046 lfence 0x00000049 ret 0x0000004a mov esi, edx 0x0000004c pushad 0x0000004d rdtsc

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Code function: 1_2_020E1616 rdtsc

1_2_020E1616

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: FAKTURA I UWAGI.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Code function: 1_2_020E1616 rdtsc

1_2_020E1616

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E2E36 mov eax, dword ptr fs:[00000030h]	1_2_020E2E36
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E530A mov eax, dword ptr fs:[00000030h]	1_2_020E530A
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E176F mov eax, dword ptr fs:[00000030h]	1_2_020E176F
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1FCA mov eax, dword ptr fs:[00000030h]	1_2_020E1FCA
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E57D8 mov eax, dword ptr fs:[00000030h]	1_2_020E57D8
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1FE0 mov eax, dword ptr fs:[00000030h]	1_2_020E1FE0
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E600D mov eax, dword ptr fs:[00000030h]	1_2_020E600D
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E600B mov eax, dword ptr fs:[00000030h]	1_2_020E600B
Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe	Code function: 1_2_020E1D52 mov eax, dword ptr fs:[00000030h]	1_2_020E1D52

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: FAKTURA I UWAGI.exe, 00000001.00000002.725714003.0000000000C30000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\FAKTURA I UWAGI.exe

Code function: 1_2_020E56A5 cpuid

1_2_020E56A5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery511	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
FAKTURA I UWAGI.exe	42%	Virustotal		Browse
FAKTURA I UWAGI.exe	36%	ReversingLabs	Win32.Trojan.VBObfuse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357266
Start date:	24.02.2021
Start time:	11:03:49
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 41s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FAKTURA I UWAGI.bat (renamed file extension from bat to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 23.1% (good quality ratio 14.5%) Quality average: 34.6% Quality standard deviation: 33.2%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.798232487088525
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FAKTURA I UWAGI.exe
File size:	61440
MD5:	2c3b4c255d8d786535c4832f5b7f7c0e
SHA1:	3cc1d799b6f92a338cffa35d74d52b1c4f19a91e
SHA256:	46c474c38fd679025142a453fc46243a91e0820d4ab0449aab0bd92c29d0ee30
SHA512:	847d322ab76b98b24cc12c0591b2e4a8cf78afe8411e18aefc10eb1bc9824eb6251000a043403fc4ff6cebef523fbe3fd09554a2f442f1eea28ee25329a064e3
SSDEEP:	768:AZI4oR9Y0oIF+ik9FQGDMcZ7/R9hxIB6oRiU:lZR9FoIFo9FQgD1iVl
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L....[.P.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4012c4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x509C5BCE [Fri Nov 9 01:26:38 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f8fb5be8a6ea86fb9d04da61d8bfeb3a

Entrypoint Preview

Instruction
push 004014F4h
call 00007F030C7AC163h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edx], ch
test dh, al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xc234	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xf000	0x9ac	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xd0	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xb608	0xc000	False	0.456787109375	data	5.50676985986	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0xd000	0x118c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0xf000	0x9ac	0x1000	False	0.180419921875	data	2.10150879762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0xf87c	0x130	data
RT_ICON	0xf594	0x2e8	data
RT_ICON	0xf46c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0xf43c	0x30	data
RT_VERSION	0xf150	0x2ec	data	Hungarian	Hungary

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaAryMove, __vbaFreeVar, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaVarDup, _CIatan, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x040e 0x04b0
LegalCopyright	Copyright (C) AC
InternalName	dosissspiro
FileVersion	1.00
CompanyName	AC
LegalTrademarks	Copyright (C) AC
Comments	AC
ProductName	AC
ProductVersion	1.00
FileDescription	AC
OriginalFilename	dosissspiro.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Hungarian	Hungary

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: FAKTURA I UWAGI.exe PID: 6492 Parent PID: 5660

General

Start time:	11:04:36
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\FAKTURA I UWAGI.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FAKTURA I UWAGI.exe'
Imagebase:	0x400000
File size:	61440 bytes
MD5 hash:	2C3B4C255D8D786535C4832F5B7F7C0E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FAKTURA I UWAGI.exe PID: 6492 Parent PID: 5660 FAKTURA I UWAGI.exeCOMMON

Executed Functions

Function 0040AA14, Relevance: 126.9, APIs: 70, Strings: 2, Instructions: 878
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E0040AA14(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				char** _v16;
				intOrPtr _v28;
				signed int _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				char _v44;
				signed int _v48;
				signed int _v52;
				char _v56;
				signed int* _v60;
				signed int _v64;
				void* _v76;
				long long _v84;
				char* _v88;
				signed int _v92;
				char _v96;
				signed int _v100;
				char _v104;
				intOrPtr _v112;
				char _v120;
				char _v136;
				char _v156;
				char* _v164;
				char _v172;
				intOrPtr _v180;
				char _v188;
				char _v192;
				void* _v196;
				char* _v200;
				char _v204;
				char _v208;
				char _v212;
				char _v216;
				char _v220;
				intOrPtr _v224;
				char _v228;
				intOrPtr _v232;
				char _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				intOrPtr* _v256;
				signed int _v260;
				signed int _v264;
				intOrPtr _v268;
				intOrPtr _v272;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				void* _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int* _v308;
				signed int _v312;
				intOrPtr* _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				intOrPtr* _v332;
				signed int _v336;
				intOrPtr* _v340;
				signed int _v344;
				signed int _v348;
				intOrPtr* _v352;
				signed int _v356;
				intOrPtr* _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				signed int _v404;
				intOrPtr* _v408;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				void* _v440;
				intOrPtr _v456;
				char** _v460;
				void* _v472;
				signed int _t485;
				signed int _t492;
				signed int _t496;
				signed int _t508;
				signed int _t512;
				signed int _t516;
				signed int _t520;
				signed int _t533;
				signed int _t537;
				signed int _t549;
				signed int _t554;
				signed int _t558;
				signed int _t562;
				signed int _t566;
				signed int _t578;
				signed int _t582;
				signed int _t590;
				char* _t593;
				signed int _t597;
				signed int _t601;
				signed int _t605;
				signed int _t609;
				char* _t613;
				signed int _t617;
				signed int _t627;
				signed int _t634;
				signed int _t638;
				signed int _t643;
				signed int _t649;
				signed int _t653;
				signed int _t655;
				signed int _t657;
				char* _t658;
				signed int _t664;
				signed int _t668;
				signed int _t678;
				void* _t685;
				intOrPtr _t697;
				intOrPtr _t713;
				intOrPtr _t726;
				intOrPtr _t730;
				char* _t731;
				char** _t745;
				char* _t750;
				void* _t753;
				void* _t754;
				void* _t756;
				char** _t757;
				char** _t758;
				char** _t759;
				char** _t760;

				_t685 = __ebx;
				_t754 = _t756;
				_t757 = _t756 - 0xc;
				 *[fs:0x0] = _t757;
				L00401190();
				_v16 = _t757;
				_v12 = 0x4010f8;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401196, _t753);
				_v164 = L"19:19:19";
				_v172 = 8;
				L00401298();
				_push( &_v120);
				_push( &_v136); // executed
				L0040129E(); // executed
				_v180 = 0x13;
				_v188 = 0x8002;
				_push( &_v136);
				_t485 =  &_v188;
				_push(_t485);
				L004012A4();
				_v240 = _t485;
				_push( &_v136);
				_push( &_v120);
				_push(2);
				L00401292();
				_t758 =  &(_t757[3]);
				if(_v240 != 0) {
					if( *0x40d010 != 0) {
						_v300 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v300 = 0x40d010;
					}
					_t664 =  &_v96;
					L0040128C();
					_v240 = _t664;
					_t668 =  *((intOrPtr*)( *_v240 + 0x108))(_v240,  &_v92, _t664,  *((intOrPtr*)( *((intOrPtr*)( *_v300)) + 0x314))( *_v300));
					asm("fclex");
					_v244 = _t668;
					if(_v244 >= 0) {
						_t40 =  &_v304;
						 *_t40 = _v304 & 0x00000000;
						__eflags =  *_t40;
					} else {
						_push(0x108);
						_push(0x401cc8);
						_push(_v240);
						_push(_v244);
						L00401280();
						_v304 = _t668;
					}
					if( *0x40d33c != 0) {
						_v308 = 0x40d33c;
					} else {
						_push(0x40d33c);
						_push(0x401cf8);
						L00401286();
						_v308 = 0x40d33c;
					}
					_v248 =  *_v308;
					_v284 = _v92;
					_v92 = _v92 & 0x00000000;
					_v112 = _v284;
					_v120 = 8;
					_v164 = 0xe3;
					_v172 = 2;
					L00401190();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401190();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t678 =  *((intOrPtr*)( *_v248 + 0x38))(_v248, 0x10, 0x10,  &_v136);
					asm("fclex");
					_v252 = _t678;
					if(_v252 >= 0) {
						_t66 =  &_v312;
						 *_t66 = _v312 & 0x00000000;
						__eflags =  *_t66;
					} else {
						_push(0x38);
						_push(0x401ce8);
						_push(_v248);
						_push(_v252);
						L00401280();
						_v312 = _t678;
					}
					_push( &_v136);
					_push( &_v156);
					L00401274();
					_push( &_v156);
					_push( &_v56);
					L0040127A();
					L0040126E();
					_push( &_v136);
					_push( &_v120);
					_push(2);
					L00401292();
					_t758 =  &(_t758[3]);
				}
				if( *0x40d010 != 0) {
					_v316 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v316 = 0x40d010;
				}
				_t492 =  &_v96;
				L0040128C();
				_v240 = _t492;
				_t496 =  *((intOrPtr*)( *_v240 + 0x158))(_v240,  &_v92, _t492,  *((intOrPtr*)( *((intOrPtr*)( *_v316)) + 0x300))( *_v316));
				asm("fclex");
				_v244 = _t496;
				if(_v244 >= 0) {
					_t91 =  &_v320;
					 *_t91 = _v320 & 0x00000000;
					__eflags =  *_t91;
				} else {
					_push(0x158);
					_push(0x401d08);
					_push(_v240);
					_push(_v244);
					L00401280();
					_v320 = _t496;
				}
				_v192 = 0x633;
				_v200 = 0x1e68d1;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4, _v92,  &_v200,  &_v192,  &_v220);
				_v48 = _v220;
				_v44 = _v216;
				L00401268();
				L0040126E();
				if( *0x40d010 != 0) {
					_v324 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v324 = 0x40d010;
				}
				_t508 =  &_v96;
				L0040128C();
				_v240 = _t508;
				_t512 =  *((intOrPtr*)( *_v240 + 0xf8))(_v240,  &_v100, _t508,  *((intOrPtr*)( *((intOrPtr*)( *_v324)) + 0x300))( *_v324));
				asm("fclex");
				_v244 = _t512;
				if(_v244 >= 0) {
					_t124 =  &_v328;
					 *_t124 = _v328 & 0x00000000;
					__eflags =  *_t124;
				} else {
					_push(0xf8);
					_push(0x401d08);
					_push(_v240);
					_push(_v244);
					L00401280();
					_v328 = _t512;
				}
				if( *0x40d010 != 0) {
					_v332 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v332 = 0x40d010;
				}
				_t697 =  *((intOrPtr*)( *_v332));
				_t516 =  &_v104;
				L0040128C();
				_v248 = _t516;
				_t520 =  *((intOrPtr*)( *_v248 + 0x88))(_v248,  &_v200, _t516,  *((intOrPtr*)(_t697 + 0x310))( *_v332));
				asm("fclex");
				_v252 = _t520;
				if(_v252 >= 0) {
					_t142 =  &_v336;
					 *_t142 = _v336 & 0x00000000;
					__eflags =  *_t142;
				} else {
					_push(0x88);
					_push(0x401d18);
					_push(_v248);
					_push(_v252);
					L00401280();
					_v336 = _t520;
				}
				_v204 =  *0x4010f0;
				_v288 = _v100;
				_v100 = _v100 & 0x00000000;
				_v112 = _v288;
				_v120 = 9;
				 *_t758 = _v200;
				 *_t758 =  *0x4010e8;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v120, _t697, _t697,  &_v204, _t697);
				_push( &_v104);
				_push( &_v96);
				_push(2);
				L00401262();
				_t759 =  &(_t758[3]);
				L0040125C();
				if( *0x40d010 != 0) {
					_v340 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v340 = 0x40d010;
				}
				_t533 =  &_v96;
				L0040128C();
				_v240 = _t533;
				_t537 =  *((intOrPtr*)( *_v240 + 0x170))(_v240,  &_v92, _t533,  *((intOrPtr*)( *((intOrPtr*)( *_v340)) + 0x30c))( *_v340));
				asm("fclex");
				_v244 = _t537;
				if(_v244 >= 0) {
					_t177 =  &_v344;
					 *_t177 = _v344 & 0x00000000;
					__eflags =  *_t177;
				} else {
					_push(0x170);
					_push(0x401d28);
					_push(_v240);
					_push(_v244);
					L00401280();
					_v344 = _t537;
				}
				_v292 = _v92;
				_v92 = _v92 & 0x00000000;
				_v112 = _v292;
				_v120 = 8;
				_v220 = 0xc96ed9a0;
				_v216 = 0x5b01;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v220, 0x7cbc2ca0, 0x5afe,  &_v120,  &_v136);
				L00401256();
				L0040126E();
				L0040125C();
				_t549 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v200);
				_v240 = _t549;
				if(_v240 >= 0) {
					_t207 =  &_v348;
					 *_t207 = _v348 & 0x00000000;
					__eflags =  *_t207;
				} else {
					_push(0x6f8);
					_push(0x401b4c);
					_push(_a4);
					_push(_v240);
					L00401280();
					_v348 = _t549;
				}
				_v88 = _v200;
				if( *0x40d010 != 0) {
					_v352 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v352 = 0x40d010;
				}
				_t554 =  &_v96;
				L0040128C();
				_v240 = _t554;
				_t558 =  *((intOrPtr*)( *_v240 + 0x50))(_v240,  &_v192, _t554,  *((intOrPtr*)( *((intOrPtr*)( *_v352)) + 0x310))( *_v352));
				asm("fclex");
				_v244 = _t558;
				if(_v244 >= 0) {
					_t227 =  &_v356;
					 *_t227 = _v356 & 0x00000000;
					__eflags =  *_t227;
				} else {
					_push(0x50);
					_push(0x401d18);
					_push(_v240);
					_push(_v244);
					L00401280();
					_v356 = _t558;
				}
				if( *0x40d010 != 0) {
					_v360 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v360 = 0x40d010;
				}
				_t562 =  &_v100;
				L0040128C();
				_v248 = _t562;
				_t566 =  *((intOrPtr*)( *_v248 + 0x78))(_v248,  &_v200, _t562,  *((intOrPtr*)( *((intOrPtr*)( *_v360)) + 0x30c))( *_v360));
				asm("fclex");
				_v252 = _t566;
				if(_v252 >= 0) {
					_t245 =  &_v364;
					 *_t245 = _v364 & 0x00000000;
					__eflags =  *_t245;
				} else {
					_push(0x78);
					_push(0x401d28);
					_push(_v248);
					_push(_v252);
					L00401280();
					_v364 = _t566;
				}
				_v204 = _v200;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4, _v192,  &_v204,  &_v196);
				_v60 = _v196;
				_push( &_v100);
				_push( &_v96);
				_push(2);
				L00401262();
				_t760 =  &(_t759[3]);
				if( *0x40d010 != 0) {
					_v368 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v368 = 0x40d010;
				}
				_t713 =  *((intOrPtr*)( *_v368));
				_t578 =  &_v96;
				L0040128C();
				_v240 = _t578;
				_t582 =  *((intOrPtr*)( *_v240 + 0x68))(_v240,  &_v200, _t578,  *((intOrPtr*)(_t713 + 0x30c))( *_v368));
				asm("fclex");
				_v244 = _t582;
				if(_v244 >= 0) {
					_t275 =  &_v372;
					 *_t275 = _v372 & 0x00000000;
					__eflags =  *_t275;
				} else {
					_push(0x68);
					_push(0x401d28);
					_push(_v240);
					_push(_v244);
					L00401280();
					_v372 = _t582;
				}
				_v220 =  *0x4010e0;
				_v296 = _v200;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v220, _t713,  &_v228);
				_v84 = _v228;
				L0040126E();
				_t590 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v240 = _t590;
				if(_v240 >= 0) {
					_t295 =  &_v376;
					 *_t295 = _v376 & 0x00000000;
					__eflags =  *_t295;
				} else {
					_push(0x2b4);
					_push(0x401b1c);
					_push(_a4);
					_push(_v240);
					L00401280();
					_v376 = _t590;
				}
				_v272 = 0x5ae61;
				_v268 = 1;
				_v32 = _v32 & 0x00000000;
				while(_v32 <= _v272) {
					if( *0x40d010 != 0) {
						_v380 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v380 = 0x40d010;
					}
					_t597 =  &_v96;
					L0040128C();
					_v240 = _t597;
					_t601 =  *((intOrPtr*)( *_v240 + 0x218))(_v240,  &_v92, _t597,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x308))( *_v380));
					asm("fclex");
					_v244 = _t601;
					if(_v244 >= 0) {
						_t322 =  &_v384;
						 *_t322 = _v384 & 0x00000000;
						__eflags =  *_t322;
					} else {
						_push(0x218);
						_push(0x401d38);
						_push(_v240);
						_push(_v244);
						L00401280();
						_v384 = _t601;
					}
					if( *0x40d010 != 0) {
						_v388 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v388 = 0x40d010;
					}
					_t605 =  &_v100;
					L0040128C();
					_v248 = _t605;
					_t609 =  *((intOrPtr*)( *_v248 + 0x138))(_v248,  &_v200, _t605,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x30c))( *_v388));
					asm("fclex");
					_v252 = _t609;
					if(_v252 >= 0) {
						_t340 =  &_v392;
						 *_t340 = _v392 & 0x00000000;
						__eflags =  *_t340;
					} else {
						_push(0x138);
						_push(0x401d28);
						_push(_v248);
						_push(_v252);
						L00401280();
						_v392 = _t609;
					}
					if( *0x40d010 != 0) {
						_v396 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v396 = 0x40d010;
					}
					_t726 =  *((intOrPtr*)( *_v396));
					_t613 =  &_v104;
					L0040128C();
					_v256 = _t613;
					_t617 =  *((intOrPtr*)( *_v256 + 0x188))(_v256,  &_v204, _t613,  *((intOrPtr*)(_t726 + 0x300))( *_v396));
					asm("fclex");
					_v260 = _t617;
					if(_v260 >= 0) {
						_t358 =  &_v400;
						 *_t358 = _v400 & 0x00000000;
						__eflags =  *_t358;
					} else {
						_push(0x188);
						_push(0x401d08);
						_push(_v256);
						_push(_v260);
						L00401280();
						_v400 = _t617;
					}
					_v164 = _v200;
					_v172 = 3;
					_v296 = _v92;
					_v92 = _v92 & 0x00000000;
					_v112 = _v296;
					_v120 = 8;
					_v208 = 0x8227e0;
					_v384 =  *0x4010d8;
					L00401190();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401190();
					_t750 =  &_v120;
					_t745 = _t760;
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t627 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v208, 0x10, 0x10, _t726, _t726, _v204,  &_v212);
					_v264 = _t627;
					if(_v264 >= 0) {
						_t384 =  &_v404;
						 *_t384 = _v404 & 0x00000000;
						__eflags =  *_t384;
					} else {
						_push(0x6fc);
						_push(0x401b4c);
						_push(_a4);
						_push(_v264);
						L00401280();
						_v404 = _t627;
					}
					_v28 = _v212;
					_push( &_v104);
					_push( &_v100);
					_push( &_v96);
					_push(3);
					L00401262();
					_t760 =  &(_t760[4]);
					L0040125C();
					if( *0x40d010 != 0) {
						_v408 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v408 = 0x40d010;
					}
					_t730 =  *((intOrPtr*)( *_v408));
					_t634 =  &_v96;
					L0040128C();
					_v240 = _t634;
					_t638 =  *((intOrPtr*)( *_v240 + 0x70))(_v240,  &_v200, _t634,  *((intOrPtr*)(_t730 + 0x310))( *_v408));
					asm("fclex");
					_v244 = _t638;
					if(_v244 >= 0) {
						_t408 =  &_v412;
						 *_t408 = _v412 & 0x00000000;
						__eflags =  *_t408;
					} else {
						_push(0x70);
						_push(0x401d18);
						_push(_v240);
						_push(_v244);
						L00401280();
						_v412 = _t638;
					}
					_v228 =  *0x4010d0;
					_v220 = 0x445fc8f0;
					_v216 = 0x5af7;
					 *_t760 = _v200;
					_t643 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v220, _t730,  &_v228, 0xf6292);
					_v248 = _t643;
					if(_v248 >= 0) {
						_t424 =  &_v416;
						 *_t424 = _v416 & 0x00000000;
						__eflags =  *_t424;
					} else {
						_push(0x700);
						_push(0x401b4c);
						_push(_a4);
						_push(_v248);
						L00401280();
						_v416 = _t643;
					}
					_t731 =  &_v96;
					L0040126E();
					_v228 = 0xde5a6cd0;
					_v224 = 0x5af7;
					_v220 = 0xc72725d0;
					_v216 = 0x5afc;
					_t649 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v220,  &_v228,  &_v236);
					_v240 = _t649;
					if(_v240 >= 0) {
						_t442 =  &_v420;
						 *_t442 = _v420 & 0x00000000;
						__eflags =  *_t442;
					} else {
						_push(0x704);
						_push(0x401b4c);
						_push(_a4);
						_push(_v240);
						L00401280();
						_v420 = _t649;
					}
					_v40 = _v236;
					_v36 = _v232;
					_t653 = _v32 + _v268;
					if(_t653 < 0) {
						L0040124A();
						_push(_t754);
						_push(_t731);
						_push(_t731);
						_push(0x401196);
						_push( *[fs:0x0]);
						 *[fs:0x0] = _t760;
						_t655 = 0x28;
						L00401190();
						_push(_t685);
						_push(_t750);
						_push(_t745);
						_v460 = _t760;
						_v456 = 0x401110;
						L00401244();
						asm("fldz");
						L00401214();
						L0040123E();
						asm("fcomp qword [0x401108]");
						asm("fnstsw ax");
						asm("sahf");
						if(__eflags != 0) {
							__eflags =  *0x40d33c;
							if( *0x40d33c != 0) {
								_v60 = 0x40d33c;
							} else {
								_push(0x40d33c);
								_push(0x401cf8);
								L00401286();
								_v60 = 0x40d33c;
							}
							_t657 =  *_v60;
							_v48 = _t657;
							L00401238();
							_t658 =  &_v44;
							L0040128C();
							_t655 =  *((intOrPtr*)( *_v48 + 0x40))(_v48, _t658, _t658, _t657, _v32, 0x401d60, L"Filmbyer");
							asm("fclex");
							_v52 = _t655;
							__eflags = _v52;
							if(_v52 >= 0) {
								_t468 =  &_v64;
								 *_t468 = _v64 & 0x00000000;
								__eflags =  *_t468;
							} else {
								_push(0x40);
								_push(0x401ce8);
								_push(_v48);
								_push(_v52);
								L00401280();
								_v64 = _t655;
							}
							L0040126E();
						}
						asm("wait");
						_push(E0040BA43);
						L00401268();
						L0040126E();
						return _t655;
					} else {
						_v32 = _t653;
						continue;
					}
					L113:
				}
				 *((intOrPtr*)(0x278388 + _v312))(0x19129e);
				_push(E0040B924);
				_t593 =  &_v56;
				_push(_t593);
				_push(0);
				L00401250();
				L0040125C();
				return _t593;
				goto L113;
			}

0x0040aa14
0x0040aa15
0x0040aa17
0x0040aa26
0x0040aa32
0x0040aa3a
0x0040aa3d
0x0040aa4a
0x0040aa53
0x0040aa5e
0x0040aa61
0x0040aa6b
0x0040aa7e
0x0040aa86
0x0040aa8d
0x0040aa8e
0x0040aa93
0x0040aa9d
0x0040aaad
0x0040aaae
0x0040aab4
0x0040aab5
0x0040aaba
0x0040aac7
0x0040aacb
0x0040aacc
0x0040aace
0x0040aad3
0x0040aadf
0x0040aaec
0x0040ab09
0x0040aaee
0x0040aaee
0x0040aaf3
0x0040aaf8
0x0040aafd
0x0040aafd
0x0040ab2d
0x0040ab31
0x0040ab36
0x0040ab4e
0x0040ab54
0x0040ab56
0x0040ab63
0x0040ab88
0x0040ab88
0x0040ab88
0x0040ab65
0x0040ab65
0x0040ab6a
0x0040ab6f
0x0040ab75
0x0040ab7b
0x0040ab80
0x0040ab80
0x0040ab96
0x0040abb3
0x0040ab98
0x0040ab98
0x0040ab9d
0x0040aba2
0x0040aba7
0x0040aba7
0x0040abc5
0x0040abce
0x0040abd4
0x0040abde
0x0040abe1
0x0040abe8
0x0040abf2
0x0040ac06
0x0040ac10
0x0040ac11
0x0040ac12
0x0040ac13
0x0040ac17
0x0040ac24
0x0040ac25
0x0040ac26
0x0040ac27
0x0040ac36
0x0040ac39
0x0040ac3b
0x0040ac48
0x0040ac6a
0x0040ac6a
0x0040ac6a
0x0040ac4a
0x0040ac4a
0x0040ac4c
0x0040ac51
0x0040ac57
0x0040ac5d
0x0040ac62
0x0040ac62
0x0040ac77
0x0040ac7e
0x0040ac7f
0x0040ac8a
0x0040ac8e
0x0040ac8f
0x0040ac97
0x0040aca2
0x0040aca6
0x0040aca7
0x0040aca9
0x0040acae
0x0040acae
0x0040acb8
0x0040acd5
0x0040acba
0x0040acba
0x0040acbf
0x0040acc4
0x0040acc9
0x0040acc9
0x0040acf9
0x0040acfd
0x0040ad02
0x0040ad1a
0x0040ad20
0x0040ad22
0x0040ad2f
0x0040ad54
0x0040ad54
0x0040ad54
0x0040ad31
0x0040ad31
0x0040ad36
0x0040ad3b
0x0040ad41
0x0040ad47
0x0040ad4c
0x0040ad4c
0x0040ad5b
0x0040ad64
0x0040ad8e
0x0040ad9a
0x0040ada3
0x0040ada9
0x0040adb1
0x0040adbd
0x0040adda
0x0040adbf
0x0040adbf
0x0040adc4
0x0040adc9
0x0040adce
0x0040adce
0x0040adfe
0x0040ae02
0x0040ae07
0x0040ae1f
0x0040ae25
0x0040ae27
0x0040ae34
0x0040ae59
0x0040ae59
0x0040ae59
0x0040ae36
0x0040ae36
0x0040ae3b
0x0040ae40
0x0040ae46
0x0040ae4c
0x0040ae51
0x0040ae51
0x0040ae67
0x0040ae84
0x0040ae69
0x0040ae69
0x0040ae6e
0x0040ae73
0x0040ae78
0x0040ae78
0x0040ae9e
0x0040aea8
0x0040aeac
0x0040aeb1
0x0040aecc
0x0040aed2
0x0040aed4
0x0040aee1
0x0040af06
0x0040af06
0x0040af06
0x0040aee3
0x0040aee3
0x0040aee8
0x0040aeed
0x0040aef3
0x0040aef9
0x0040aefe
0x0040aefe
0x0040af13
0x0040af1c
0x0040af22
0x0040af2c
0x0040af2f
0x0040af3d
0x0040af4f
0x0040af5e
0x0040af67
0x0040af6b
0x0040af6c
0x0040af6e
0x0040af73
0x0040af79
0x0040af85
0x0040afa2
0x0040af87
0x0040af87
0x0040af8c
0x0040af91
0x0040af96
0x0040af96
0x0040afc6
0x0040afca
0x0040afcf
0x0040afe7
0x0040afed
0x0040afef
0x0040affc
0x0040b021
0x0040b021
0x0040b021
0x0040affe
0x0040affe
0x0040b003
0x0040b008
0x0040b00e
0x0040b014
0x0040b019
0x0040b019
0x0040b02b
0x0040b031
0x0040b03b
0x0040b03e
0x0040b045
0x0040b04f
0x0040b07d
0x0040b08c
0x0040b094
0x0040b09c
0x0040b0b0
0x0040b0b6
0x0040b0c3
0x0040b0e5
0x0040b0e5
0x0040b0e5
0x0040b0c5
0x0040b0c5
0x0040b0ca
0x0040b0cf
0x0040b0d2
0x0040b0d8
0x0040b0dd
0x0040b0dd
0x0040b0f2
0x0040b0fc
0x0040b119
0x0040b0fe
0x0040b0fe
0x0040b103
0x0040b108
0x0040b10d
0x0040b10d
0x0040b13d
0x0040b141
0x0040b146
0x0040b161
0x0040b164
0x0040b166
0x0040b173
0x0040b195
0x0040b195
0x0040b195
0x0040b175
0x0040b175
0x0040b177
0x0040b17c
0x0040b182
0x0040b188
0x0040b18d
0x0040b18d
0x0040b1a3
0x0040b1c0
0x0040b1a5
0x0040b1a5
0x0040b1aa
0x0040b1af
0x0040b1b4
0x0040b1b4
0x0040b1e4
0x0040b1e8
0x0040b1ed
0x0040b208
0x0040b20b
0x0040b20d
0x0040b21a
0x0040b23c
0x0040b23c
0x0040b23c
0x0040b21c
0x0040b21c
0x0040b21e
0x0040b223
0x0040b229
0x0040b22f
0x0040b234
0x0040b234
0x0040b249
0x0040b26b
0x0040b278
0x0040b27f
0x0040b283
0x0040b284
0x0040b286
0x0040b28b
0x0040b295
0x0040b2b2
0x0040b297
0x0040b297
0x0040b29c
0x0040b2a1
0x0040b2a6
0x0040b2a6
0x0040b2cc
0x0040b2d6
0x0040b2da
0x0040b2df
0x0040b2fa
0x0040b2fd
0x0040b2ff
0x0040b30c
0x0040b32e
0x0040b32e
0x0040b32e
0x0040b30e
0x0040b30e
0x0040b310
0x0040b315
0x0040b31b
0x0040b321
0x0040b326
0x0040b326
0x0040b33b
0x0040b34f
0x0040b361
0x0040b36d
0x0040b373
0x0040b380
0x0040b386
0x0040b388
0x0040b395
0x0040b3b7
0x0040b3b7
0x0040b3b7
0x0040b397
0x0040b397
0x0040b39c
0x0040b3a1
0x0040b3a4
0x0040b3aa
0x0040b3af
0x0040b3af
0x0040b3be
0x0040b3c8
0x0040b3d2
0x0040b3ea
0x0040b400
0x0040b41d
0x0040b402
0x0040b402
0x0040b407
0x0040b40c
0x0040b411
0x0040b411
0x0040b441
0x0040b445
0x0040b44a
0x0040b462
0x0040b468
0x0040b46a
0x0040b477
0x0040b49c
0x0040b49c
0x0040b49c
0x0040b479
0x0040b479
0x0040b47e
0x0040b483
0x0040b489
0x0040b48f
0x0040b494
0x0040b494
0x0040b4aa
0x0040b4c7
0x0040b4ac
0x0040b4ac
0x0040b4b1
0x0040b4b6
0x0040b4bb
0x0040b4bb
0x0040b4eb
0x0040b4ef
0x0040b4f4
0x0040b50f
0x0040b515
0x0040b517
0x0040b524
0x0040b549
0x0040b549
0x0040b549
0x0040b526
0x0040b526
0x0040b52b
0x0040b530
0x0040b536
0x0040b53c
0x0040b541
0x0040b541
0x0040b557
0x0040b574
0x0040b559
0x0040b559
0x0040b55e
0x0040b563
0x0040b568
0x0040b568
0x0040b58e
0x0040b598
0x0040b59c
0x0040b5a1
0x0040b5bc
0x0040b5c2
0x0040b5c4
0x0040b5d1
0x0040b5f6
0x0040b5f6
0x0040b5f6
0x0040b5d3
0x0040b5d3
0x0040b5d8
0x0040b5dd
0x0040b5e3
0x0040b5e9
0x0040b5ee
0x0040b5ee
0x0040b603
0x0040b609
0x0040b616
0x0040b61c
0x0040b626
0x0040b629
0x0040b630
0x0040b64f
0x0040b655
0x0040b662
0x0040b663
0x0040b664
0x0040b665
0x0040b669
0x0040b66e
0x0040b671
0x0040b673
0x0040b674
0x0040b675
0x0040b676
0x0040b686
0x0040b68c
0x0040b699
0x0040b6bb
0x0040b6bb
0x0040b6bb
0x0040b69b
0x0040b69b
0x0040b6a0
0x0040b6a5
0x0040b6a8
0x0040b6ae
0x0040b6b3
0x0040b6b3
0x0040b6c8
0x0040b6ce
0x0040b6d2
0x0040b6d6
0x0040b6d7
0x0040b6d9
0x0040b6de
0x0040b6e4
0x0040b6f0
0x0040b70d
0x0040b6f2
0x0040b6f2
0x0040b6f7
0x0040b6fc
0x0040b701
0x0040b701
0x0040b727
0x0040b731
0x0040b735
0x0040b73a
0x0040b755
0x0040b758
0x0040b75a
0x0040b767
0x0040b789
0x0040b789
0x0040b789
0x0040b769
0x0040b769
0x0040b76b
0x0040b770
0x0040b776
0x0040b77c
0x0040b781
0x0040b781
0x0040b796
0x0040b79c
0x0040b7a6
0x0040b7c3
0x0040b7d5
0x0040b7db
0x0040b7e8
0x0040b80a
0x0040b80a
0x0040b80a
0x0040b7ea
0x0040b7ea
0x0040b7ef
0x0040b7f4
0x0040b7f7
0x0040b7fd
0x0040b802
0x0040b802
0x0040b811
0x0040b814
0x0040b819
0x0040b823
0x0040b82d
0x0040b837
0x0040b85e
0x0040b864
0x0040b871
0x0040b893
0x0040b893
0x0040b893
0x0040b873
0x0040b873
0x0040b878
0x0040b87d
0x0040b880
0x0040b886
0x0040b88b
0x0040b88b
0x0040b8a0
0x0040b8a9
0x0040b3db
0x0040b3e1
0x0040b943
0x0040b948
0x0040b94b
0x0040b94c
0x0040b94d
0x0040b958
0x0040b959
0x0040b962
0x0040b963
0x0040b968
0x0040b969
0x0040b96a
0x0040b96b
0x0040b96e
0x0040b97b
0x0040b980
0x0040b982
0x0040b987
0x0040b98c
0x0040b992
0x0040b994
0x0040b995
0x0040b99b
0x0040b9a2
0x0040b9bc
0x0040b9a4
0x0040b9a4
0x0040b9a9
0x0040b9ae
0x0040b9b3
0x0040b9b3
0x0040b9c6
0x0040b9c8
0x0040b9d8
0x0040b9de
0x0040b9e2
0x0040b9f0
0x0040b9f3
0x0040b9f5
0x0040b9f8
0x0040b9fc
0x0040ba15
0x0040ba15
0x0040ba15
0x0040b9fe
0x0040b9fe
0x0040ba00
0x0040ba05
0x0040ba08
0x0040ba0b
0x0040ba10
0x0040ba10
0x0040ba1c
0x0040ba1c
0x0040ba21
0x0040ba22
0x0040ba35
0x0040ba3d
0x0040ba42
0x0040b3e7
0x0040b3e7
0x00000000
0x0040b3e7
0x00000000
0x0040b3e1
0x0040b8be
0x0040b8c0
0x0040b910
0x0040b913
0x0040b914
0x0040b916
0x0040b91e
0x0040b923
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040AA32
__vbaVarDup.MSVBVM60 ref: 0040AA7E
#544.MSVBVM60(?,?), ref: 0040AA8E
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040AAB5
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040AACE
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,00401196), ref: 0040AAF8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040AB31
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401CC8,00000108), ref: 0040AB7B
__vbaNew2.MSVBVM60(00401CF8,0040D33C), ref: 0040ABA2
__vbaChkstk.MSVBVM60(?), ref: 0040AC06
__vbaChkstk.MSVBVM60(?), ref: 0040AC17
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401CE8,00000038), ref: 0040AC5D
__vbaVar2Vec.MSVBVM60(?,?), ref: 0040AC7F
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 0040AC8F
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 0040AC97
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 0040ACA9
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,00401196), ref: 0040ACC4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040ACFD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D08,00000158), ref: 0040AD47
__vbaFreeStr.MSVBVM60 ref: 0040ADA9
__vbaFreeObj.MSVBVM60 ref: 0040ADB1
__vbaNew2.MSVBVM60(00401F28,HqE), ref: 0040ADC9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040AE02
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D08,000000F8), ref: 0040AE4C
__vbaNew2.MSVBVM60(00401F28,HqE), ref: 0040AE73
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040AEAC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D18,00000088), ref: 0040AEF9
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040AF6E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00401196), ref: 0040AF79
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?,?,00401196), ref: 0040AF91
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040AFCA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D28,00000170), ref: 0040B014
__vbaVarMove.MSVBVM60 ref: 0040B08C
__vbaFreeObj.MSVBVM60 ref: 0040B094
__vbaFreeVar.MSVBVM60 ref: 0040B09C
__vbaHresultCheckObj.MSVBVM60(00000000,004010F8,00401B4C,000006F8), ref: 0040B0D8
__vbaNew2.MSVBVM60(00401F28,HqE), ref: 0040B108
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040B141
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00401D18,00000050), ref: 0040B188
__vbaNew2.MSVBVM60(00401F28,HqE), ref: 0040B1AF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040B1E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D28,00000078), ref: 0040B22F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040B286
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?,?,?,?,?,00401196), ref: 0040B2A1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040B2DA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D28,00000068), ref: 0040B321
__vbaFreeObj.MSVBVM60(?,?), ref: 0040B373
__vbaHresultCheckObj.MSVBVM60(00000000,004010F8,00401B1C,000002B4,?,?), ref: 0040B3AA
__vbaNew2.MSVBVM60(00401F28,HqE,?,?), ref: 0040B40C
__vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 0040B445
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00401D38,00000218,?,?), ref: 0040B48F
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?), ref: 0040B4B6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 0040B4EF

Strings

19:19:19, xrefs: 0040AA61
HqE, xrefs: 0040AAE5, 0040AAEE, 0040AAFD, 0040AB09, 0040ACB1, 0040ACBA, 0040ACC9, 0040ACD5, 0040ADB6, 0040ADBF, 0040ADCE, 0040ADDA, 0040AE60, 0040AE69, 0040AE78, 0040AE84, 0040AF7E, 0040AF87, 0040AF96, 0040AFA2, 0040B0F5, 0040B0FE, 0040B10D, 0040B119, 0040B19C, 0040B1A5, 0040B1B4, 0040B1C0, 0040B28E, 0040B297, 0040B2A6, 0040B2B2, 0040B3F9, 0040B402, 0040B411, 0040B41D, 0040B4A3, 0040B4AC, 0040B4BB, 0040B4C7, 0040B550, 0040B559, 0040B568, 0040B574, 0040B6E9, 0040B6F2, 0040B701, 0040B70D

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List$Chkstk$Move$#544Var2
String ID: 19:19:19$HqE
API String ID: 2805188520-1965599473
Opcode ID: 3ad9fc7cf103ec1bdd6153f0aed98d91aeb0020ddd3812bb675727011ea81252
Instruction ID: 69d7518fa9d22da46d345442eedb7b3d92c7a96b2a65c529b2d4cfcabdc68ca6
Opcode Fuzzy Hash: 3ad9fc7cf103ec1bdd6153f0aed98d91aeb0020ddd3812bb675727011ea81252
Instruction Fuzzy Hash: E192E474940219DFDB20DF90CC45BD9B7B8BF08304F1085EAE509BB2A1DB795A89DF98

Uniqueness

Uniqueness Score: -1.00%

Function 004012C4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012C9

Strings

VB5!6&*, xrefs: 004012C4

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 362fba7ade43407a365f484ee29d57f6cb431090739d134b1032c44c06235277
Instruction ID: ca3aed77aaa93f27c329ab32743da237f64d0a3277abb3fcc96024aee7dc6372
Opcode Fuzzy Hash: 362fba7ade43407a365f484ee29d57f6cb431090739d134b1032c44c06235277
Instruction Fuzzy Hash: 81D0A44444E3C20EC307127109226822F700C13A5030A02EB8480EA0F3856C1889C726

Uniqueness

Uniqueness Score: -1.00%

Function 00409561, Relevance: 1.8, APIs: 1, Instructions: 510memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?,0000C000,00001000,00000040), ref: 00409A4F

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 7487fae06e6cfe6abf34c8234aa2359ad074d4e0db20b35370201a460d94414a
Instruction ID: 4530634678900d81b1b315c8dbce18aed1bad0a409623cb178a41472a98b24cf
Opcode Fuzzy Hash: 7487fae06e6cfe6abf34c8234aa2359ad074d4e0db20b35370201a460d94414a
Instruction Fuzzy Hash: 43F1E6DFE55A520BF3422938FE593DB1F9AC7617AAF0B42769D0957ECBE02D0B094140

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040673C, Relevance: .5, Instructions: 540
COMMONCrypto

Download Yara Rule

C-Code - Quality: 30%

			E0040673C(void* __eax, void* __ebx, void* __ecx, signed char __edx, void* __edi, signed int __esi, void* __fp0) {
				signed char _t80;
				signed int _t81;
				signed char _t82;
				signed int _t83;
				signed char _t88;
				signed char _t93;
				signed char _t96;
				signed char _t105;
				signed char _t107;
				signed int _t113;
				signed int _t114;
				signed char _t118;
				signed char _t121;
				signed int _t123;
				signed int _t127;
				void* _t135;
				signed char _t138;
				signed int _t160;
				void* _t172;
				signed char _t180;
				void* _t185;
				signed int _t191;
				void* _t194;

				_t194 = __fp0;
				_t127 = __esi;
				_t107 = __edx;
				asm("lds ebx, [ebp+0x1f]");
				_pop(_t138);
				_push(__edi);
				_pop(ds);
				_t121 = __edi + 1;
				_t80 = __ecx + 1;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				_pop(es);
				 *_t80 =  *_t80 + _t80;
				while(1) {
					L1:
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *(_t127 + 0x3fbcc6d5) =  *(_t127 + 0x3fbcc6d5) ^ _t127;
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					 *_t80 =  *_t80 + _t80;
					_pop(es);
					while(1) {
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_t4 = _t80;
						_t80 = _t138;
						_t138 = _t4;
						asm("lodsb");
						asm("xorps xmm3, [edx-0x54]");
						_push(cs);
						_push(_t121);
						_t121 = _t121 - 1;
						asm("lodsb");
						_push(cs);
						_push(_t121);
						_push(_t80);
						asm("lodsb");
						asm("sbb dl, [edi+0x56]");
						asm("lodsb");
						asm("adc [edi+0x5a], dl");
						asm("lodsb");
						asm("popad");
						ds = _t121;
						asm("lodsb");
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_t172 =  *_t80;
						_pop(es);
						if(_t172 >= 0) {
							goto L1;
						}
						_t80 = _t121;
						_t121 = 0xa8a3414e;
						if(_t172 < 0) {
							continue;
						}
						asm("das");
						 *(_t80 + 0xffffffffd94fb4a5) =  *(_t80 + 0xffffffffd94fb4a5) ^  *(_t127 + 0xffffffffda4faaa5) * 0x6cac2957;
						ds = 0xa8a3414e;
						asm("lodsb");
						 *_t80 =  *_t80 + _t80;
						es = 0xa8a3414e;
						 *_t80 =  *_t80 + _t80;
						es = 0xa8a3414e;
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						_pop(es);
						 *_t80 =  *_t80 + _t80;
						while(1) {
							L5:
							_pop(es);
							 *0xFFFFFFFFF396B48E =  *((intOrPtr*)(0xfffffffff396b48e)) + 0x4b;
							 *0x5cdf1f0b = _t80;
							ds = 0x4b;
							asm("fistp word [ebx+0x1f]");
							asm("lahf");
							_pop(ds);
							asm("lock pop esp");
							ds = _t121;
							_t123 = _t121 + 1;
							if (_t123 < 0) goto L6;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							 *_t80 =  *_t80 + _t80;
							_pop(es);
							while(1) {
								 *_t80 =  *_t80 + _t80;
								_pop(es);
								 *_t80 =  *_t80 + _t80;
								while(1) {
									L8:
									 *_t123 =  *_t123 + _t80;
									 *_t80 =  *_t80 + _t80;
									_pop(es);
									asm("outsd");
									asm("lock inc esp");
									asm("std");
									_t93 = 0x570053e0;
									asm("insb");
									asm("lodsb");
									_t81 = _t80 & 0x2bac6c57;
									while(1) {
										L9:
										asm("lodsb");
										asm("lodsb");
										_push(0x5cac4357);
										while(1) {
											_push(_t123);
											_t107 = _t81 *  *(_t81 - 0x251f5749) >> 0x20;
											_t82 = _t81 *  *(_t81 - 0x251f5749);
											asm("arpl [edi], bx");
											asm("sbb byte [edi+0x1f], 0x82");
											while(1) {
												L12:
												asm("a16 pop ds");
												asm("sbb byte [esp+0x1f], 0x9c");
												while(1) {
													L13:
													_pop(ds);
													asm("popfd");
													while(1) {
														L14:
														asm("outsb");
														_pop(ds);
														asm("lock pop esp");
														while(1) {
															L15:
															ds = _t123;
															_t83 = _t93;
															_t93 = _t82;
															_t132 = 0x570053e0;
															_push(_t107);
															asm("lodsb");
															_t80 = _t83 ^ 0x2eac7c57;
															_t180 = _t80;
															_push(_t123);
															if(_t180 < 0) {
																break;
															}
															asm("das");
															_push(_t123);
															if(_t180 < 0) {
																L8:
																 *_t123 =  *_t123 + _t80;
																 *_t80 =  *_t80 + _t80;
																_pop(es);
																asm("outsd");
																asm("lock inc esp");
																asm("std");
																_t93 = 0x570053e0;
																asm("insb");
																asm("lodsb");
																_t81 = _t80 & 0x2bac6c57;
																goto L9;
															}
															asm("lodsb");
															if(_t107 <  *((intOrPtr*)(_t123 + 0x6b))) {
																L26:
																asm("lodsb");
																_push(ds);
																_push(_t123);
																_t80 = _t80 ^ 0x38ac7357;
																 *(0xa359c8bf + _t123 + 0x39ac6757) =  *(0xa359c8bf + _t123 + 0x39ac6757) ^ _t132;
																ds = _t123;
																asm("lodsb");
																 *_t80 =  *_t80 + _t80;
																es = _t123;
																 *_t80 =  *_t80 + _t80;
																es = 0xffffffac;
																 *_t80 =  *_t80 + _t80;
																L27:
																 *_t123 =  *_t123 + _t80;
																 *_t80 =  *_t80 + _t80;
																_pop(es);
																 *_t80 =  *_t80 + _t80;
																_pop(es);
																 *_t80 =  *_t80 + _t80;
																_pop(es);
																 *_t80 =  *_t80 + _t80;
															} else {
																_push(0xa359c8bf);
																asm("lodsb");
																asm("sbb [edi+0x4b], edx");
																asm("lodsb");
																_t26 = _t123 + 0x59;
																 *_t26 =  *((intOrPtr*)(_t123 + 0x59)) + _t107;
																asm("lodsb");
																_push(_t123);
																if( *_t26 <= 0) {
																	goto L9;
																} else {
																	 *(_t123 + 0x7a) =  *(_t123 + 0x7a) ^ _t107;
																	asm("lodsb");
																	_t107 = _t107 -  *((intOrPtr*)(_t123 + 0x70));
																	asm("lodsb");
																	_push(_t123);
																	if(_t107 == 0) {
																		_push(_t123);
																		_t107 = _t81 *  *(_t81 - 0x251f5749) >> 0x20;
																		_t82 = _t81 *  *(_t81 - 0x251f5749);
																		asm("arpl [edi], bx");
																		asm("sbb byte [edi+0x1f], 0x82");
																		goto L12;
																	} else {
																		_t31 = _t123 + 0x1f;
																		 *_t31 =  *((intOrPtr*)(_t123 + 0x1f)) + _t107;
																		_t93 = 0xbd;
																		asm("loopne 0x55");
																		_push(cs);
																		_push(_t123);
																		if( *_t31 != 0) {
																			L12:
																			asm("a16 pop ds");
																			asm("sbb byte [esp+0x1f], 0x9c");
																			goto L13;
																		} else {
																			_t185 = _t107 -  *((intOrPtr*)(_t123 + 0x5e));
																			asm("lodsb");
																			asm("das");
																			_push(_t123);
																			if(_t185 < 0) {
																				L13:
																				_pop(ds);
																				asm("popfd");
																				goto L14;
																			} else {
																				if(_t185 >= 0) {
																					if(_t185 != 0) {
																						L14:
																						asm("outsb");
																						_pop(ds);
																						asm("lock pop esp");
																						continue;
																					} else {
																						_t82 = _t80 & 0x00000057;
																						if(_t82 != 0) {
																							continue;
																						} else {
																							_t80 = _t82 + 0x1f;
																							asm("ficomp dword [esp+esi+0x1f]");
																							asm("fistp word [ecx+edi*2+0x1f]");
																							asm("das");
																							ds = _t123;
																							_pop(_t132);
																							ds = _t123;
																							 *((intOrPtr*)(_t80 + 0x4c571153)) =  *((intOrPtr*)(_t80 + 0x4c571153)) + _t123;
																							goto L26;
																						}
																					}
																				}
																			}
																		}
																	}
																}
															}
															 *_t123 =  *_t123 + _t80;
															 *_t80 =  *_t80 + _t80;
															_pop(es);
															 *_t80 =  *_t80 + _t80;
															_pop(es);
															 *_t80 =  *_t80 + _t80;
															_pop(es);
															 *_t80 =  *_t80 + _t80;
															asm("wait");
															asm("a16 mov ah, 0xf");
															asm("into");
															_push(0x77);
															 *0x2ecd6b04 = _t80;
															_t132 = _t132 &  *(_t107 - 0x24);
															_t191 = _t132;
															if(_t191 < 0) {
																if(__eflags >= 0) {
																	goto L32;
																} else {
																	 *_t80 =  *_t80 + _t80;
																	__eflags =  *_t80;
																	if( *_t80 <= 0) {
																		goto L31;
																	} else {
																		__eflags =  *_t80 - 0x77;
																		asm("fisubr word [esi]");
																		asm("insd");
																		asm("fbstp tword [0xef07138]");
																		_t113 = (_t107 ^  *0xFFFFFFFFA359C897 |  *(_t107 ^  *0xFFFFFFFFA359C897)) &  *0xFFFFFFFFA359C8A2 ^  *(((_t107 ^  *0xFFFFFFFFA359C897 |  *(_t107 ^  *0xFFFFFFFFA359C897)) &  *0xFFFFFFFFA359C8A2) + _t123 * 2);
																		asm("lodsb");
																		 *_t123 =  *_t123 + _t80;
																		 *_t80 =  *_t80 + _t80;
																		es = 0x6a1400df;
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		asm("daa");
																		_t96 = 0x4b;
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *_t80 =  *_t80 + _t80;
																		_pop(es);
																		 *0xFFFFFFFFA359C853 =  *((intOrPtr*)(0xffffffffa359c853)) + 0x4b;
																		_pop(ds);
																		asm("lodsb");
																		asm("hlt");
																		es = 0xa8a37edb;
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		_pop(es);
																		 *0 =  *0;
																		asm("fdivr dword [eax-0x57726609]");
																		do {
																			_pop(ds);
																			asm("lds ebx, [ebx+edi+0x1f]");
																			__eflags =  *0xa8a37edb - _t96;
																			asm("int 0x5c");
																			__eflags = _t96 -  *0xa8a37edb;
																			_pop(_t135);
																			asm("o16 pop ds");
																			asm("sbb byte [edx+esi+0x1f], 0xd4");
																			_t96 = _t96 ^  *0xa8a37edb;
																			asm("lodsb");
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *0 =  *0;
																			_pop(es);
																			 *((intOrPtr*)(_t96 + _t127 * 4 - 0x5c82e141)) =  *((intOrPtr*)(_t96 + _t127 * 4 - 0x5c82e141)) + _t113;
																			__eflags = 0;
																			asm("lodsb");
																			asm("das");
																			_push(0xa8a37edb);
																			_push(0xffffffac);
																			_push(0xa8a37edb);
																		} while (0 >= 0);
																		_t114 = _t113 ^  *0xFFFFFFFFA8A37F4E;
																		asm("lodsb");
																		__eflags =  *0xFFFFFFFFA8A37F55 - _t114;
																		asm("lodsb");
																		asm("cs lodsb");
																		_t160 = 0xa8a37edb;
																		_push(0xa8a37edb);
																		 *(_t114 - 0x52) & 0x4ce6e0a8 = 0;
																		asm("enter 0x59ac, 0x7");
																		_push(_t135);
																		asm("sbb al, 0xde");
																		asm("xlatb");
																		asm("loop 0xffffffbb");
																		[tword [edi-0x61] = _t194;
																		asm("lock in eax, 0x9e");
																		asm("out 0xe5, al");
																		asm("insd");
																		asm("out dx, al");
																		asm("lodsb");
																		asm("int1");
																		asm("sbb [ebx+0x32], bl");
																		_push(ss);
																		_t105 = 0x510404d7 |  *0xa8a37edb;
																		asm("daa");
																		_t118 = 0xf06c1543;
																		cs =  *0xFFFFFFFFFF7F01F8;
																		asm("loop 0x52");
																		asm("adc eax, 0xa2b30c54");
																		_t88 = 0xd6;
																		__eflags = 0xd6;
																		if(0xd6 != 0) {
																			asm("sbb al, 0x1b");
																			asm("bound eax, [ebp-0x17920ab8]");
																			asm("sbb [esi+0x5d], edi");
																			 *0x38479CAA =  *0x38479CAA >> 0xb2;
																			L39:
																			asm("adc ecx, edx");
																			asm("adc al, 0x35");
																			asm("fdivr st5, st0");
																			asm("scasb");
																			asm("invalid");
																			asm("sbb [ecx+esi*2], bh");
																			asm("enter 0xf4b5, 0x16");
																			_t105 = 0xc4;
																			asm("invalid");
																			_t88 =  *0xb25ca648;
																			 *0xa8a37edb =  *0xa8a37edb ^ 0x000000b8;
																			goto 0x9efd015f;
																			asm("fcmove st0, st5");
																			asm("int 0x2b");
																			asm("hlt");
																			asm("lock dec ebx");
																			__eflags =  *((intOrPtr*)(_t135 - 0x21)) - _t118;
																			asm("outsd");
																			asm("sbb byte [eax-0x594071e8], 0xff");
																		}
																		asm("invalid");
																		_pop(ss);
																		_t105 = _t105 - 1;
																		_t160 = _t160 |  *(_t96 + 0x30);
																		asm("scasb");
																		asm("rcr byte [edx+0x1a], 0xa2");
																		_t118 = _t118 | _t88;
																		__eflags = _t118;
																		if(_t118 >= 0) {
																			goto L39;
																		}
																		asm("aam 0x16");
																		asm("lds esp, [ebp+0x3faa7846]");
																		asm("cmc");
																		asm("int 0xe4");
																		asm("cld");
																		asm("cli");
																		_push(0xffffffff);
																		return _t88;
																	}
																}
															} else {
																if(_t191 != 0) {
																	goto L27;
																} else {
																	L31:
																	asm("aas");
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	L32:
																	 *_t123 =  *_t123 + _t80;
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + _t80;
																	_pop(es);
																	 *_t80 =  *_t80 + 0xa359c8bf;
																	return _t80;
																}
															}
														}
														 *_t80 =  *_t80 + _t80;
														_pop(es);
														 *_t80 =  *_t80 + _t80;
														goto L8;
													}
												}
											}
										}
									}
									goto L5;
								}
							}
						}
					}
				}
			}

0x0040673c
0x0040673c
0x0040673c
0x0040673f
0x00406744
0x00406745
0x00406746
0x00406747
0x00406748
0x00406749
0x0040674a
0x0040674c
0x0040674d
0x0040674f
0x00406750
0x00406752
0x00406753
0x00406755
0x00406756
0x00406758
0x00406759
0x0040675b
0x0040675c
0x0040675e
0x0040675f
0x00406761
0x00406761
0x00406761
0x00406762
0x00406764
0x00406765
0x0040676b
0x0040676d
0x0040676e
0x00406770
0x00406771
0x00406773
0x00406774
0x00406776
0x00406777
0x00406779
0x0040677a
0x0040677c
0x0040677d
0x0040677f
0x00406780
0x00406780
0x00406782
0x00406783
0x00406785
0x00406786
0x00406788
0x00406789
0x0040678b
0x0040678b
0x0040678b
0x00406793
0x00406794
0x00406798
0x00406799
0x0040679a
0x0040679b
0x0040679c
0x0040679d
0x0040679e
0x0040679f
0x004067a0
0x004067a3
0x004067a4
0x004067a7
0x004067a8
0x004067aa
0x004067ab
0x004067ae
0x004067af
0x004067b1
0x004067b2
0x004067b4
0x004067b5
0x004067b7
0x004067b8
0x004067ba
0x004067bb
0x004067bd
0x004067be
0x004067c0
0x004067c1
0x004067c3
0x004067c4
0x004067c6
0x004067c7
0x004067c7
0x004067c9
0x004067ca
0x00000000
0x00000000
0x004067cc
0x004067cd
0x004067d2
0x00000000
0x00000000
0x004067d4
0x004067e2
0x004067ea
0x004067eb
0x004067ee
0x004067f0
0x004067f1
0x004067f3
0x004067f4
0x004067f6
0x004067f7
0x004067f9
0x004067fa
0x004067fc
0x004067fd
0x004067ff
0x00406800
0x00406802
0x00406803
0x00406805
0x00406806
0x00406808
0x00406808
0x00406808
0x00406809
0x00406810
0x00406815
0x00406817
0x0040681f
0x00406821
0x00406823
0x00406826
0x00406827
0x00406828
0x0040682a
0x0040682b
0x0040682d
0x0040682e
0x00406830
0x00406831
0x00406833
0x00406834
0x00406836
0x00406837
0x00406839
0x0040683a
0x0040683c
0x0040683d
0x0040683f
0x00406840
0x00406840
0x00406842
0x00406843
0x00406844
0x00406844
0x00406844
0x00406846
0x00406848
0x00406849
0x0040684a
0x0040684c
0x0040684d
0x00406852
0x00406853
0x00406854
0x00406858
0x00406858
0x0040685b
0x0040685f
0x00406860
0x00406864
0x00406865
0x00406866
0x00406866
0x0040686d
0x0040686f
0x00406870
0x00406870
0x00406871
0x00406873
0x00406878
0x00406878
0x00406879
0x0040687b
0x0040687c
0x0040687c
0x0040687d
0x0040687e
0x0040687f
0x00406880
0x00406880
0x00406882
0x00406884
0x00406884
0x00406885
0x0040688a
0x0040688b
0x0040688c
0x0040688c
0x00406891
0x00406892
0x00000000
0x00000000
0x00406894
0x00406895
0x00406896
0x00406844
0x00406844
0x00406846
0x00406848
0x00406849
0x0040684a
0x0040684c
0x0040684d
0x00406852
0x00406853
0x00406854
0x00000000
0x00406854
0x0040689b
0x0040689c
0x004068f5
0x004068fb
0x004068fc
0x004068fd
0x00406900
0x00406906
0x0040690e
0x0040690f
0x00406912
0x00406914
0x00406915
0x00406917
0x00406918
0x00406919
0x00406919
0x0040691b
0x0040691d
0x0040691e
0x00406920
0x00406921
0x00406923
0x00406924
0x0040689e
0x0040689e
0x0040689f
0x004068a0
0x004068a3
0x004068a4
0x004068a4
0x004068a7
0x004068a8
0x004068aa
0x00000000
0x004068ac
0x004068ac
0x004068af
0x004068b0
0x004068b3
0x004068b4
0x004068b6
0x00406865
0x00406866
0x00406866
0x0040686d
0x0040686f
0x00000000
0x004068b8
0x004068b8
0x004068b8
0x004068bc
0x004068be
0x004068c0
0x004068c1
0x004068c2
0x00406870
0x00406871
0x00406873
0x00000000
0x004068c4
0x004068c4
0x004068c7
0x004068c8
0x004068c9
0x004068ca
0x00406878
0x00406879
0x0040687b
0x00000000
0x004068cc
0x004068cc
0x004068ce
0x0040687c
0x0040687d
0x0040687e
0x0040687f
0x00000000
0x004068d0
0x004068d0
0x004068d2
0x00000000
0x004068d4
0x004068e1
0x004068e3
0x004068e7
0x004068ed
0x004068ee
0x004068ef
0x004068f2
0x004068f4
0x00000000
0x004068f4
0x004068d2
0x004068ce
0x004068cc
0x004068ca
0x004068c2
0x004068b6
0x004068aa
0x00406925
0x00406927
0x00406929
0x0040692a
0x0040692c
0x0040692d
0x0040692f
0x00406930
0x00406932
0x00406933
0x00406936
0x00406937
0x00406938
0x0040693d
0x0040693d
0x00406940
0x0040697e
0x00000000
0x00406980
0x00406980
0x00406980
0x00406982
0x00000000
0x00406984
0x00406984
0x0040698b
0x00406992
0x00406993
0x0040699c
0x0040699f
0x004069a2
0x004069a4
0x004069a6
0x004069a7
0x004069a9
0x004069aa
0x004069ac
0x004069ad
0x004069af
0x004069b0
0x004069b2
0x004069b3
0x004069b5
0x004069b6
0x004069b8
0x004069b9
0x004069bb
0x004069bc
0x004069be
0x004069bf
0x004069c1
0x004069c2
0x004069c4
0x004069c6
0x004069c8
0x004069c9
0x004069cb
0x004069cc
0x004069ce
0x004069cf
0x004069d1
0x004069d2
0x004069d4
0x004069d5
0x004069d7
0x004069d8
0x004069da
0x004069db
0x004069dd
0x004069de
0x004069e0
0x004069e1
0x004069ea
0x004069eb
0x004069ee
0x004069f1
0x004069f2
0x004069f4
0x004069f5
0x004069f7
0x004069f8
0x004069fa
0x004069fb
0x004069fd
0x004069fe
0x00406a00
0x00406a01
0x00406a03
0x00406a04
0x00406a06
0x00406a07
0x00406a09
0x00406a0a
0x00406a0c
0x00406a10
0x00406a16
0x00406a17
0x00406a1d
0x00406a1f
0x00406a21
0x00406a23
0x00406a25
0x00406a27
0x00406a2d
0x00406a2f
0x00406a36
0x00406a37
0x00406a39
0x00406a3a
0x00406a3c
0x00406a3d
0x00406a3f
0x00406a40
0x00406a42
0x00406a43
0x00406a45
0x00406a46
0x00406a48
0x00406a49
0x00406a4b
0x00406a4c
0x00406a4e
0x00406a4f
0x00406a51
0x00406a52
0x00406a59
0x00406a5b
0x00406a5c
0x00406a5d
0x00406a5e
0x00406a60
0x00406a60
0x00406a64
0x00406a67
0x00406a68
0x00406a6b
0x00406a6e
0x00406a70
0x00406a71
0x00406a79
0x00406a7f
0x00406a83
0x00406a84
0x00406a86
0x00406a8a
0x00406a8c
0x00406a91
0x00406a94
0x00406a96
0x00406a98
0x00406aab
0x00406aac
0x00406aad
0x00406ab0
0x00406ab1
0x00406ab3
0x00406ab4
0x00406ab9
0x00406abf
0x00406ac1
0x00406ac6
0x00406ac6
0x00406aca
0x00406acc
0x00406ace
0x00406ad4
0x00406ad7
0x00406ade
0x00406ade
0x00406ae0
0x00406ae4
0x00406ae6
0x00406ae7
0x00406ae9
0x00406aec
0x00406af0
0x00406af2
0x00406af8
0x00406afd
0x00406b00
0x00406b05
0x00406b06
0x00406b08
0x00406b09
0x00406b0b
0x00406b0e
0x00406b0f
0x00406b0f
0x00406b12
0x00406b18
0x00406b19
0x00406b1a
0x00406b1d
0x00406b1e
0x00406b22
0x00406b22
0x00406b24
0x00000000
0x00000000
0x00406b26
0x00406b28
0x00406b2e
0x00406b30
0x00406b32
0x00406b41
0x00406b42
0x00406b44
0x00406b44
0x00406982
0x00406942
0x00406942
0x00000000
0x00406944
0x00406946
0x00406946
0x00406947
0x00406948
0x0040694a
0x0040694b
0x0040694d
0x0040694e
0x00406950
0x00406951
0x00406953
0x00406954
0x00406956
0x00406957
0x00406958
0x00406958
0x0040695a
0x0040695c
0x0040695d
0x0040695f
0x00406960
0x00406962
0x00406963
0x00406965
0x00406966
0x0040696f
0x0040696f
0x00406942
0x00406940
0x00406840
0x00406842
0x00406843
0x00000000
0x00406843
0x0040687c
0x00406878
0x00406870
0x00406864
0x00000000
0x00406858
0x00406844
0x00406840
0x00406808
0x00406780

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 508d007da5d314206e4f78103fd4db99df8b807b40f4f5e81e201ce94b4e7427
Instruction ID: 6df2c9051debc74a02cc9cd21c6aa3c0e966590db734b1af996f169e470300ad
Opcode Fuzzy Hash: 508d007da5d314206e4f78103fd4db99df8b807b40f4f5e81e201ce94b4e7427
Instruction Fuzzy Hash: E0E1341219E7F25FC70347B4A8625E27F759D4353535A03DBE0818B8E3D2294BA9C3E6

Uniqueness

Uniqueness Score: -1.00%

Function 020E176F, Relevance: .5, Instructions: 462COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5351653ffb21cac467f465ef9fdc6fa2ba9dc614e404cdc3c81868b9d71420a
Instruction ID: 49c4afeb540bc78ae7b085ed0e62f203c7e72365073b01bbe30df434392e3147
Opcode Fuzzy Hash: d5351653ffb21cac467f465ef9fdc6fa2ba9dc614e404cdc3c81868b9d71420a
Instruction Fuzzy Hash: ECE10771700702AFEB159E68CDD0BE9B7A5FF09350F544229EC9E93280D774A8C5DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020E179A, Relevance: .3, Instructions: 297COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7e695c3a658d73a342539c810571795baa2a112c09a4109ab2dd976b94dffb82
Instruction ID: 506994105e3a142569b86eb6e4b9f819780a3a8cfba778f2fb77e5165b97b674
Opcode Fuzzy Hash: 7e695c3a658d73a342539c810571795baa2a112c09a4109ab2dd976b94dffb82
Instruction Fuzzy Hash: 67A13670700B02AFEB148E28CDD0BDAB3A5BF09354F548229ED9E93280D734A8D5DB90

Uniqueness

Uniqueness Score: -1.00%

Function 020E17F6, Relevance: .3, Instructions: 293COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01fa6b8db9b1fa0166dbd5522d6cca36af41f03e0ca3611d399535d01fd36b28
Instruction ID: c9f3826f07811e77c5c74cf078e9f3f95150300065f24e4b3c0e12adfb0816b1
Opcode Fuzzy Hash: 01fa6b8db9b1fa0166dbd5522d6cca36af41f03e0ca3611d399535d01fd36b28
Instruction Fuzzy Hash: 12913670704B02AFEB158E68CDD0BDAF7A5FF09354F54822DE99A83280D735A8D4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020E600B, Relevance: .3, Instructions: 290COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4655d0d203c0da29a99ed59e306c36c6390a6f8cc503e7bb2be700e0be1eeb10
Instruction ID: e7e8783cb2a4e5bbdb9658ddfe9abdf12dcb8e9d6012a810071f57559322809a
Opcode Fuzzy Hash: 4655d0d203c0da29a99ed59e306c36c6390a6f8cc503e7bb2be700e0be1eeb10
Instruction Fuzzy Hash: 98A12A70A04342CFDF25CE3898D4759BAD59F62364F988299CDE78B2DAD33280C2D712

Uniqueness

Uniqueness Score: -1.00%

Function 020E17C9, Relevance: .3, Instructions: 285COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d70cbd5b6ebc447ff7b550f563b2d9927af5ddab069d79356b913a9b29841f0
Instruction ID: f7f507d8c9a3523225d63c2729c7265cd19ffcb01109b1fdd06637c97ecb4a73
Opcode Fuzzy Hash: 5d70cbd5b6ebc447ff7b550f563b2d9927af5ddab069d79356b913a9b29841f0
Instruction Fuzzy Hash: 50912371700B02AFEB158E28CDD1BEAF3A1FF05354F54822DE99A83280D735A895DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020E184D, Relevance: .3, Instructions: 272COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe1d2ed45e58935d324f2adaf8a49796627046f431a07651f77f45b5f24ca302
Instruction ID: 8389af150f404a8140538ec0f8b58e208b81a6025a1edef38f211825271da527
Opcode Fuzzy Hash: fe1d2ed45e58935d324f2adaf8a49796627046f431a07651f77f45b5f24ca302
Instruction Fuzzy Hash: 96910470700B02AFEB158E28CDD1BEAF7A5FF09354F54822DD99A83280D735A8D4DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020E18B2, Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a396c0dbf9a24834342bb6708c337596a96f63a6e35e397feca08d4d54b79b94
Instruction ID: 557f77b34667d7112ddfbe1de370eaf0dd2eeb67b9c31cf0b81afe767647bd27
Opcode Fuzzy Hash: a396c0dbf9a24834342bb6708c337596a96f63a6e35e397feca08d4d54b79b94
Instruction Fuzzy Hash: 10813671700B02AFEB158E28CDD17EAF7A5FF45350F54822DE99A83280D735A8D8DB91

Uniqueness

Uniqueness Score: -1.00%

Function 020E1925, Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345d2652d31c88bdfac08119c76e745aa4e59ab4641998b314b4c751432298ab
Instruction ID: e8d9b9b2a4cc016d8a916b518ffca278d75dea111804783808db9ac277774dc3
Opcode Fuzzy Hash: 345d2652d31c88bdfac08119c76e745aa4e59ab4641998b314b4c751432298ab
Instruction Fuzzy Hash: 96616871300702AFFF158A68CDD1BEAF7A5BF45350F18822DED9A92180D7759CC89AA1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1958, Relevance: .2, Instructions: 232COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd8e7796929f8bea9b760f303ba683c3270026b6a937d381f60b35f302a39540
Instruction ID: e581ab9bf02ba152359eea1a115046164651ade6b9c595bc05bc212458d61f52
Opcode Fuzzy Hash: bd8e7796929f8bea9b760f303ba683c3270026b6a937d381f60b35f302a39540
Instruction Fuzzy Hash: EB715771300702AFEB158A28CDD1BEAB3A2FF05350F54822DE99A83180D7359CD59A91

Uniqueness

Uniqueness Score: -1.00%

Function 020E1993, Relevance: .2, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70359d69acc80dea897ae85fce31ba3d3880fa37bc5841a4174c9bd418e923e8
Instruction ID: d36efa8945561d7893c80efa34af06d08b850d68a0d0519071dcdaf41867b046
Opcode Fuzzy Hash: 70359d69acc80dea897ae85fce31ba3d3880fa37bc5841a4174c9bd418e923e8
Instruction Fuzzy Hash: 2B515771300702AFEF158A68CDC17EAF3A5BF45350F28822DE99A82180D7759CC89BE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E19D9, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fafd992c28caad7971617497c598c8b1d1b3a3fc23461e439268f3d1d43d4b4
Instruction ID: ec31e0e63ad600d218a7dae6ce95528e0bef5541e373d4ed84e065a43ac51463
Opcode Fuzzy Hash: 0fafd992c28caad7971617497c598c8b1d1b3a3fc23461e439268f3d1d43d4b4
Instruction Fuzzy Hash: C1513631300702AFEB158A68CDD1BEAF6E5BF05350F64423DE99A93180D7759CD89BE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E600D, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0278489f9aa1e9ffc6cbc3a617d4748819b56e0f6caea025e0b37175716591ae
Instruction ID: f2255fef7f181fa5a469a939ae664b8f1c7f701fcb87ad5c942834ba22490e2f
Opcode Fuzzy Hash: 0278489f9aa1e9ffc6cbc3a617d4748819b56e0f6caea025e0b37175716591ae
Instruction Fuzzy Hash: 63512B64A08382CEDF118E2898D4795BBD5AF63370F5882AEDDD74B2D6D33284C6D712

Uniqueness

Uniqueness Score: -1.00%

Function 020E1A30, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7595f4066f032a24414f51c24c5ddac9ab0de94aa3b9db41a61f77e651c5e4ec
Instruction ID: aeb29ec472d71f5a58a7d66a92d44a0b2ec10e6a3d60154b2c1edcc3a90dde56
Opcode Fuzzy Hash: 7595f4066f032a24414f51c24c5ddac9ab0de94aa3b9db41a61f77e651c5e4ec
Instruction Fuzzy Hash: F6511630300B02AFEB158A68CDC0BEAF791BF05310F64462DE99A83180D775A8D8DBD1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1AA6, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e827c93bb80c520fa0264d1162b86f27f99df7ddd48369f3838bce05c2920e11
Instruction ID: 09160365b654cc9146828199158c61a6bf970115fe86852f1666bad165ed94c7
Opcode Fuzzy Hash: e827c93bb80c520fa0264d1162b86f27f99df7ddd48369f3838bce05c2920e11
Instruction Fuzzy Hash: 7C41C271300B029FEB298E68CDC17EAF6D5BF05310F548239E9AA83280D775A895DAD5

Uniqueness

Uniqueness Score: -1.00%

Function 020E1FCA, Relevance: .1, Instructions: 144COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e5b4098705bcba3c992a64c1f7e09be33d3d998ae52d784db0462adfe87b41c
Instruction ID: 39729a57f94bc41377cdb90b7442620e3e8c25370c70ce506893e31c90c2810b
Opcode Fuzzy Hash: 8e5b4098705bcba3c992a64c1f7e09be33d3d998ae52d784db0462adfe87b41c
Instruction Fuzzy Hash: 9A4168707403059FFF216B24CDA8BEAB7AAAF15390F554269ED574B1D1D37188C0EA42

Uniqueness

Uniqueness Score: -1.00%

Function 020E1D52, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656e960711b20b60986805727ac084a988c5b6480da42c235219c11f9681046b
Instruction ID: 2931ed3f3dce5e5e5e0dc9ae52ebb9692762632028a4908a4e644ff016127ce0
Opcode Fuzzy Hash: 656e960711b20b60986805727ac084a988c5b6480da42c235219c11f9681046b
Instruction Fuzzy Hash: 544127757003129FEB659A68CC90BE9B2A9BF05360F544238EC5AD3281D764DCC59B91

Uniqueness

Uniqueness Score: -1.00%

Function 020E1AE3, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7148bb200c77c4d40c51b848ae225adef35ce576cac94e6edcd2a1ffb9fc5962
Instruction ID: 15859ed26fb4255ca0a0e9b6c091b9fff18953feacbc13205cfec85a1e19f121
Opcode Fuzzy Hash: 7148bb200c77c4d40c51b848ae225adef35ce576cac94e6edcd2a1ffb9fc5962
Instruction Fuzzy Hash: 3441F371304702AFEB168FA8CDC17E9FB91BF06310F24422DE59A87191D3756898DAE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1D81, Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddf085cec5e78930bcab92a6a6e00eab63781fb72f0fb615e599d49dd976b50d
Instruction ID: e821f2a920986ea62d3a92d378ee799b6e2390b43a49c868a0548e2ebf3b19c6
Opcode Fuzzy Hash: ddf085cec5e78930bcab92a6a6e00eab63781fb72f0fb615e599d49dd976b50d
Instruction Fuzzy Hash: CB416834700302AFEB159A64CC95BEAB3A5BF41360F544239FC9A93281D721DCC99BD1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1B49, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ce72fcd3b7056cd354e31f92fff66b62e8e6feb7a6f60d0f3f2c53f4eec0826
Instruction ID: fd81997a1af1af21e30ad337e192cb1bd87c865fb277923013680201b6e5ae24
Opcode Fuzzy Hash: 3ce72fcd3b7056cd354e31f92fff66b62e8e6feb7a6f60d0f3f2c53f4eec0826
Instruction Fuzzy Hash: 7531E471304702AFEB158E68DDC07D9F7D4BF0A310F244239E55A87291D3756C98EAE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1D2D, Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b90cd02f212c87d08a0476e719ca53559ee1549b25e971bde3964ee307f044e
Instruction ID: 867248d50d022cb2195f2ac71d65dc27423745b1c81896e2c1b6bef3c2b4f434
Opcode Fuzzy Hash: 5b90cd02f212c87d08a0476e719ca53559ee1549b25e971bde3964ee307f044e
Instruction Fuzzy Hash: 9A31E231304702AFEB158AA8DDC1BD9F7D4BF06320F244239E56A87290D3756898EAE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1FE0, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e07433f57c5b829468e83b967e6f631d855d163c3a8ad8543a64e02449120b
Instruction ID: e4a788fab4ec2a4b017589a1e96a5526dcd3c574e81589204a1f7892fd8ed21e
Opcode Fuzzy Hash: 06e07433f57c5b829468e83b967e6f631d855d163c3a8ad8543a64e02449120b
Instruction Fuzzy Hash: DF218834244305AEFF216B14DD65FFA7AB9DF52BA0F04422AEE870B0E1936188C4D953

Uniqueness

Uniqueness Score: -1.00%

Function 020E1D2B, Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9eb850da8ea702608096f8297288ea1c496cc73575bea8b2cb6d590af115e9
Instruction ID: f332ecefb6c3c2112851c0c8603201e94e60c05c93f0fe593ef8058684ebf6b0
Opcode Fuzzy Hash: ab9eb850da8ea702608096f8297288ea1c496cc73575bea8b2cb6d590af115e9
Instruction Fuzzy Hash: E721A071304B029FFB698AA8CDC07E9F6D4BF0A310F544239956AC7280D3746895EAD5

Uniqueness

Uniqueness Score: -1.00%

Function 020E1C63, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfbbdd0839c204f06d563c705afcf3679db21cf38051702e0b2db083d73ef6ac
Instruction ID: 2dd2796b52df2c5950e0dd21be47f2ef81ab68f45ffefbd21a6b3a1b3705b171
Opcode Fuzzy Hash: cfbbdd0839c204f06d563c705afcf3679db21cf38051702e0b2db083d73ef6ac
Instruction Fuzzy Hash: 6B21F271304701AFEB21CE68EDC0BE9FBA4FF06274F24022AD56987651D37128989BE1

Uniqueness

Uniqueness Score: -1.00%

Function 020E1616, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: feaa274e83d28f455f5f1c1cf6bd0cb6443dca952fb1e3c2bd9b240a01a248d0
Instruction ID: 354f829eb518d70c4466972269e889c7d743807409e91b7a5a3aa7513e3ad66f
Opcode Fuzzy Hash: feaa274e83d28f455f5f1c1cf6bd0cb6443dca952fb1e3c2bd9b240a01a248d0
Instruction Fuzzy Hash: 211136B02403017EFE3049248C46BDB269BDF51BA0F148609BDAA770C0C7B19CC2E951

Uniqueness

Uniqueness Score: -1.00%

Function 020E56CF, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17beb8a86747f519d491edabeb17f8a50748e064afffdb0139aa9337b7567751
Instruction ID: dec3fc13c60293b4b8246329247208e6b0afcc8bd6a2e6e607e7ff30c6d85630
Opcode Fuzzy Hash: 17beb8a86747f519d491edabeb17f8a50748e064afffdb0139aa9337b7567751
Instruction Fuzzy Hash: AB014E1A209185AEEF320554BC527EE7F85DF83670FB05A2DE8C30A4A3A2564ED85023

Uniqueness

Uniqueness Score: -1.00%

Function 020E57D8, Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4904dcf1f870c19caa58a8cdd23c087151a28dcd65611959145d46166ae79623
Instruction ID: c5c4053f361e9d90e78eabdf2272b3ed91d87e1acb266ccd4e9b49ebec661ec5
Opcode Fuzzy Hash: 4904dcf1f870c19caa58a8cdd23c087151a28dcd65611959145d46166ae79623
Instruction Fuzzy Hash: 15015E753013119FCB19DA28CB80B9A77E2AB96754FA18865E857AB621C730D8C4EB21

Uniqueness

Uniqueness Score: -1.00%

Function 020E56D2, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a427803b956e06e2e3152728f0072b40bde68cea0cc962fd63cd8de16846b23
Instruction ID: 069032fccef184a7499678113725e125278ea959c2848137aa0e46616dd64e4d
Opcode Fuzzy Hash: 3a427803b956e06e2e3152728f0072b40bde68cea0cc962fd63cd8de16846b23
Instruction Fuzzy Hash: 3DF02766705255CEEF760504B5A27ED2A829F03264FF0502DECC30B043B2A98AE4A403

Uniqueness

Uniqueness Score: -1.00%

Function 020E56A5, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bba48511433527846b48a99e3f6445e9545fb6dd76135f7d51725f98a7dc53e7
Instruction ID: 8c099f8eba7c612b2ab4e7bdef0a5d0c18bc0f46ff15cb9cb86b576d03e3621f
Opcode Fuzzy Hash: bba48511433527846b48a99e3f6445e9545fb6dd76135f7d51725f98a7dc53e7
Instruction Fuzzy Hash: EBC04C7550105EBFCF525F54DA0CBCE3F66BF09361F008410F91A99051D676C9A49B15

Uniqueness

Uniqueness Score: -1.00%

Function 020E2E36, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9a6adde7c4056567394ddd5b6e687ef04dfffdbeb048ff30f50c01c5a66ded14
Instruction ID: 5e18597a216c85d99621159478446e6dc058b6e6d135ef8847fd36dc9917a488
Opcode Fuzzy Hash: 9a6adde7c4056567394ddd5b6e687ef04dfffdbeb048ff30f50c01c5a66ded14
Instruction Fuzzy Hash: 85B092B6202580CFEF12CA08C4A2B4073A4F719684B4905D0E802CFB11D224ED01CB00

Uniqueness

Uniqueness Score: -1.00%

Function 020E530A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.725972254.00000000020E0000.00000040.00000001.sdmp, Offset: 020E0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf4f37c84c4e4331dfeb8a1a2462da7add6499f5ec2150a1550c45ce60efda5
Instruction ID: 1cb61ef897cf4aacc833d6fc7063f8c64a39d2e5b85d98a48788a66aaa1a4cea
Opcode Fuzzy Hash: 6cf4f37c84c4e4331dfeb8a1a2462da7add6499f5ec2150a1550c45ce60efda5
Instruction Fuzzy Hash: 64C04C30611544CFCE55CE29C1A4B917364AB15640BC24580E8518B611D354D840C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040B3D8, Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 343COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00401F28,HqE,?,?), ref: 0040B40C
__vbaObjSet.MSVBVM60(?,00000000,?,?), ref: 0040B445
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00401D38,00000218,?,?), ref: 0040B48F
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?), ref: 0040B4B6
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?), ref: 0040B4EF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D28,00000138,?,?,?,?), ref: 0040B53C
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?,?,?), ref: 0040B563
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?), ref: 0040B59C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D08,00000188,?,?,?,?,?,?), ref: 0040B5E9
__vbaAryDestruct.MSVBVM60(00000000,?,0040B924,?,?), ref: 0040B916
__vbaFreeVar.MSVBVM60(00000000,?,0040B924,?,?), ref: 0040B91E
__vbaErrorOverflow.MSVBVM60 ref: 0040B943
__vbaChkstk.MSVBVM60(?,00401196), ref: 0040B963
__vbaStrCopy.MSVBVM60(?,?,?,?,00401196), ref: 0040B97B
_CItan.MSVBVM60(?,?,?,?,00401196), ref: 0040B982
__vbaFpR8.MSVBVM60(?,?,?,?,00401196), ref: 0040B987
__vbaNew2.MSVBVM60(00401CF8,0040D33C,?,?,?,?,00401196), ref: 0040B9AE
__vbaCastObj.MSVBVM60(?,00401D60,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B9D8
__vbaObjSet.MSVBVM60(?,00000000,?,00401D60,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B9E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401CE8,00000040,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040BA0B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040BA1C
__vbaFreeStr.MSVBVM60(0040BA43,?,?,?,?,00401196), ref: 0040BA35
__vbaFreeObj.MSVBVM60(0040BA43,?,?,?,?,00401196), ref: 0040BA3D

Strings

Filmbyer, xrefs: 0040B9CB
HqE, xrefs: 0040B3F9, 0040B402, 0040B411, 0040B4A3, 0040B4AC, 0040B4BB, 0040B550, 0040B559, 0040B568, 0040B6E9, 0040B6F2, 0040B701

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$CastChkstkCopyDestructErrorItanOverflow
String ID: Filmbyer$HqE
API String ID: 2409742240-3099326478
Opcode ID: ccc81ec272d6cb434831a03732301ee2183e78414cac7eb2d3206be724ab5ee7
Instruction ID: 44f7599dd9f6395f5164d209ca55f5de8c58b53400cfb5fd5132f15e0eba8b39
Opcode Fuzzy Hash: ccc81ec272d6cb434831a03732301ee2183e78414cac7eb2d3206be724ab5ee7
Instruction Fuzzy Hash: 9DE1F374941219EFDB20DF90CC45BDDBBB4EB08304F1084FAE509BB2A1DB795A859F98

Uniqueness

Uniqueness Score: -1.00%

Function 0040BB84, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 95
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040BB84(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v136;
				signed int _v140;
				short _t50;
				signed int _t53;
				char* _t57;
				void* _t71;
				void* _t73;
				intOrPtr _t74;

				_t74 = _t73 - 0xc;
				 *[fs:0x0] = _t74;
				L00401190();
				_v16 = _t74;
				_v12 = 0x401138;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x401196, _t71);
				_v92 = 0x401d74;
				_v100 = 8;
				L00401298();
				_push( &_v52);
				_push( &_v68);
				L0040122C();
				_v108 = 0x401d80;
				_v116 = 0x8008;
				_push( &_v68);
				_t50 =  &_v116;
				_push(_t50);
				L004012A4();
				_v120 = _t50;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401292();
				_t53 = _v120;
				if(_t53 != 0) {
					if( *0x40d010 != 0) {
						_v136 = 0x40d010;
					} else {
						_push("HqE");
						_push(0x401f28);
						L00401286();
						_v136 = 0x40d010;
					}
					_t57 =  &_v36;
					L0040128C();
					_v120 = _t57;
					_t53 =  *((intOrPtr*)( *_v120 + 0x48))(_v120,  &_v32, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v136)) + 0x310))( *_v136));
					asm("fclex");
					_v124 = _t53;
					if(_v124 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x401d18);
						_push(_v120);
						_push(_v124);
						L00401280();
						_v140 = _t53;
					}
					_push(_v32);
					L00401226();
					L00401268();
					L0040126E();
				}
				_push(E0040BCFD);
				return _t53;
			}

0x0040bb87
0x0040bb96
0x0040bba0
0x0040bba8
0x0040bbab
0x0040bbb2
0x0040bbc1
0x0040bbc4
0x0040bbcb
0x0040bbd8
0x0040bbe0
0x0040bbe4
0x0040bbe5
0x0040bbea
0x0040bbf1
0x0040bbfb
0x0040bbfc
0x0040bbff
0x0040bc00
0x0040bc05
0x0040bc0c
0x0040bc10
0x0040bc11
0x0040bc13
0x0040bc1b
0x0040bc21
0x0040bc2e
0x0040bc4b
0x0040bc30
0x0040bc30
0x0040bc35
0x0040bc3a
0x0040bc3f
0x0040bc3f
0x0040bc6f
0x0040bc73
0x0040bc78
0x0040bc87
0x0040bc8a
0x0040bc8c
0x0040bc93
0x0040bcaf
0x0040bc95
0x0040bc95
0x0040bc97
0x0040bc9c
0x0040bc9f
0x0040bca2
0x0040bca7
0x0040bca7
0x0040bcb6
0x0040bcb9
0x0040bcc1
0x0040bcc9
0x0040bcc9
0x0040bcce
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040BBA0
__vbaVarDup.MSVBVM60 ref: 0040BBD8
#522.MSVBVM60(?,?), ref: 0040BBE5
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0040BC00
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0040BC13
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,00401196), ref: 0040BC3A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BC73
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D18,00000048), ref: 0040BCA2
#532.MSVBVM60(?), ref: 0040BCB9
__vbaFreeStr.MSVBVM60(?), ref: 0040BCC1
__vbaFreeObj.MSVBVM60(?), ref: 0040BCC9

Strings

HqE, xrefs: 0040BC27, 0040BC30, 0040BC3F, 0040BC4B

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#522#532CheckChkstkHresultListNew2
String ID: HqE
API String ID: 332616431-2975529154
Opcode ID: 0ed1ab30c345625e0d22c848138abfd1185511ca2eeaa65281d925ec6ee7ca79
Instruction ID: 4b5cfa95756290dfb0ec1e02c29a0794bbce996c465309c21f9491360733246e
Opcode Fuzzy Hash: 0ed1ab30c345625e0d22c848138abfd1185511ca2eeaa65281d925ec6ee7ca79
Instruction Fuzzy Hash: AB410871900218ABDB10DFA1C945BADBBB8BF08704F2045BEE105BB1A1DB785949DF98

Uniqueness

Uniqueness Score: -1.00%

Function 0040B948, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E0040B948(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v28;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				signed int _t25;
				intOrPtr* _t27;
				char* _t28;
				intOrPtr _t42;

				_push(0x401196);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_t25 = 0x28;
				L00401190();
				_v12 = _t42;
				_v8 = 0x401110;
				L00401244();
				asm("fldz");
				L00401214();
				L0040123E();
				asm("fcomp qword [0x401108]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x40d33c != 0) {
						_v56 = 0x40d33c;
					} else {
						_push(0x40d33c);
						_push(0x401cf8);
						L00401286();
						_v56 = 0x40d33c;
					}
					_t27 =  *_v56;
					_v44 = _t27;
					L00401238();
					_t28 =  &_v40;
					L0040128C();
					_t25 =  *((intOrPtr*)( *_v44 + 0x40))(_v44, _t28, _t28, _t27, _v28, 0x401d60, L"Filmbyer");
					asm("fclex");
					_v48 = _t25;
					if(_v48 >= 0) {
						_t19 =  &_v60;
						 *_t19 = _v60 & 0x00000000;
						__eflags =  *_t19;
					} else {
						_push(0x40);
						_push(0x401ce8);
						_push(_v44);
						_push(_v48);
						L00401280();
						_v60 = _t25;
					}
					L0040126E();
				}
				asm("wait");
				_push(E0040BA43);
				L00401268();
				L0040126E();
				return _t25;
			}

0x0040b94d
0x0040b958
0x0040b959
0x0040b962
0x0040b963
0x0040b96b
0x0040b96e
0x0040b97b
0x0040b980
0x0040b982
0x0040b987
0x0040b98c
0x0040b992
0x0040b994
0x0040b995
0x0040b9a2
0x0040b9bc
0x0040b9a4
0x0040b9a4
0x0040b9a9
0x0040b9ae
0x0040b9b3
0x0040b9b3
0x0040b9c6
0x0040b9c8
0x0040b9d8
0x0040b9de
0x0040b9e2
0x0040b9f0
0x0040b9f3
0x0040b9f5
0x0040b9fc
0x0040ba15
0x0040ba15
0x0040ba15
0x0040b9fe
0x0040b9fe
0x0040ba00
0x0040ba05
0x0040ba08
0x0040ba0b
0x0040ba10
0x0040ba10
0x0040ba1c
0x0040ba1c
0x0040ba21
0x0040ba22
0x0040ba35
0x0040ba3d
0x0040ba42

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040B963
__vbaStrCopy.MSVBVM60(?,?,?,?,00401196), ref: 0040B97B
_CItan.MSVBVM60(?,?,?,?,00401196), ref: 0040B982
__vbaFpR8.MSVBVM60(?,?,?,?,00401196), ref: 0040B987
__vbaNew2.MSVBVM60(00401CF8,0040D33C,?,?,?,?,00401196), ref: 0040B9AE
__vbaCastObj.MSVBVM60(?,00401D60,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B9D8
__vbaObjSet.MSVBVM60(?,00000000,?,00401D60,Filmbyer,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040B9E2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401CE8,00000040,?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040BA0B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401196), ref: 0040BA1C
__vbaFreeStr.MSVBVM60(0040BA43,?,?,?,?,00401196), ref: 0040BA35
__vbaFreeObj.MSVBVM60(0040BA43,?,?,?,?,00401196), ref: 0040BA3D

Strings

Filmbyer, xrefs: 0040B9CB

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CastCheckChkstkCopyHresultItanNew2
String ID: Filmbyer
API String ID: 2758753910-3873735245
Opcode ID: 525dcb1ff121b0c4b11c9b8db5a86f7f60246f0cb1b30d929cbb2c5f78cdb6dc
Instruction ID: e1f6e29cd638ddd691156d75777f6a0f5e7921f6af8de38f2cfff956c6406c00
Opcode Fuzzy Hash: 525dcb1ff121b0c4b11c9b8db5a86f7f60246f0cb1b30d929cbb2c5f78cdb6dc
Instruction Fuzzy Hash: 6D21E970E41208ABCB00EBA5D946BEEBBB4EF18714F20447FF501B61E1D77859458BAD

Uniqueness

Uniqueness Score: -1.00%

Function 0040BD78, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E0040BD78(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v32;
				char _v36;
				char _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				char* _t50;
				char* _t54;
				signed int _t58;
				signed int _t62;
				char* _t64;
				intOrPtr _t80;

				_push(0x401196);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t80;
				_push(0x48);
				L00401190();
				_v12 = _t80;
				_v8 = 0x401148;
				if( *0x40d010 != 0) {
					_v80 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v80 = 0x40d010;
				}
				_push( *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x310))( *_v80));
				_t50 =  &_v40;
				_push(_t50);
				L0040128C();
				_v68 = _t50;
				_v48 = 0x80020004;
				_v56 = 0xa;
				if( *0x40d010 != 0) {
					_v84 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v84 = 0x40d010;
				}
				_t54 =  &_v36;
				L0040128C();
				_v60 = _t54;
				_t58 =  *((intOrPtr*)( *_v60 + 0x108))(_v60,  &_v32, _t54,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x2fc))( *_v84));
				asm("fclex");
				_v64 = _t58;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x108);
					_push(0x401d08);
					_push(_v60);
					_push(_v64);
					L00401280();
					_v88 = _t58;
				}
				L00401190();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_v68 + 0x1ec))(_v68, _v32, 0x10);
				asm("fclex");
				_v72 = _t62;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1ec);
					_push(0x401d18);
					_push(_v68);
					_push(_v72);
					L00401280();
					_v92 = _t62;
				}
				L00401268();
				_push( &_v40);
				_t64 =  &_v36;
				_push(_t64);
				_push(2);
				L00401262();
				asm("wait");
				_push(E0040BF07);
				return _t64;
			}

0x0040bd7d
0x0040bd88
0x0040bd89
0x0040bd90
0x0040bd93
0x0040bd9b
0x0040bd9e
0x0040bdac
0x0040bdc6
0x0040bdae
0x0040bdae
0x0040bdb3
0x0040bdb8
0x0040bdbd
0x0040bdbd
0x0040bde0
0x0040bde1
0x0040bde4
0x0040bde5
0x0040bdea
0x0040bded
0x0040bdf4
0x0040be02
0x0040be1c
0x0040be04
0x0040be04
0x0040be09
0x0040be0e
0x0040be13
0x0040be13
0x0040be37
0x0040be3b
0x0040be40
0x0040be4f
0x0040be55
0x0040be57
0x0040be5e
0x0040be7a
0x0040be60
0x0040be60
0x0040be65
0x0040be6a
0x0040be6d
0x0040be70
0x0040be75
0x0040be75
0x0040be81
0x0040be8b
0x0040be8c
0x0040be8d
0x0040be8e
0x0040be9a
0x0040bea0
0x0040bea2
0x0040bea9
0x0040bec5
0x0040beab
0x0040beab
0x0040beb0
0x0040beb5
0x0040beb8
0x0040bebb
0x0040bec0
0x0040bec0
0x0040becc
0x0040bed4
0x0040bed5
0x0040bed8
0x0040bed9
0x0040bedb
0x0040bee3
0x0040bee4
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040BD93
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?,00401196), ref: 0040BDB8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BDE5
__vbaNew2.MSVBVM60(00401F28,HqE,?,00000000), ref: 0040BE0E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040BE3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D08,00000108), ref: 0040BE70
__vbaChkstk.MSVBVM60 ref: 0040BE81
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D18,000001EC), ref: 0040BEBB
__vbaFreeStr.MSVBVM60 ref: 0040BECC
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040BEDB

Strings

HqE, xrefs: 0040BDA5, 0040BDAE, 0040BDBD, 0040BDC6, 0040BDFB, 0040BE04, 0040BE13, 0040BE1C

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2$List
String ID: HqE
API String ID: 2926503497-2975529154
Opcode ID: 286ced47d3c39722c1572a92a2fb83fbc2568e98346b3d258d6a326e49c03b41
Instruction ID: 13a34dbd62dc2414dc8a5856a6beec1f37735f97336c1312b307b4d43192663f
Opcode Fuzzy Hash: 286ced47d3c39722c1572a92a2fb83fbc2568e98346b3d258d6a326e49c03b41
Instruction Fuzzy Hash: E841E375D41208EFCB01DFD0C845BDEBBB9EF08704F20446AF501BB2A1C7B969469B98

Uniqueness

Uniqueness Score: -1.00%

Function 0040C0DB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040C0DB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				signed int _v52;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				char* _t46;
				signed int _t50;
				signed int _t53;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401190();
				_v16 = _t65;
				_v12 = 0x401180;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x30,  *[fs:0x0], 0x401196, _t62);
				if( *0x40d010 != 0) {
					_v64 = 0x40d010;
				} else {
					_push("HqE");
					_push(0x401f28);
					L00401286();
					_v64 = 0x40d010;
				}
				_t46 =  &_v40;
				L0040128C();
				_v44 = _t46;
				_t50 =  *((intOrPtr*)( *_v44 + 0x218))(_v44,  &_v36, _t46,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x310))( *_v64));
				asm("fclex");
				_v48 = _t50;
				if(_v48 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x401d18);
					_push(_v44);
					_push(_v48);
					L00401280();
					_v68 = _t50;
				}
				_t53 =  *((intOrPtr*)( *_a4 + 0x16c))(_a4, _v36);
				asm("fclex");
				_v52 = _t53;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x16c);
					_push(0x401b1c);
					_push(_a4);
					_push(_v52);
					L00401280();
					_v72 = _t53;
				}
				L00401268();
				L0040126E();
				_push(E0040C201);
				return _t53;
			}

0x0040c0de
0x0040c0ed
0x0040c0f7
0x0040c0ff
0x0040c102
0x0040c109
0x0040c118
0x0040c122
0x0040c13c
0x0040c124
0x0040c124
0x0040c129
0x0040c12e
0x0040c133
0x0040c133
0x0040c157
0x0040c15b
0x0040c160
0x0040c16f
0x0040c175
0x0040c177
0x0040c17e
0x0040c19a
0x0040c180
0x0040c180
0x0040c185
0x0040c18a
0x0040c18d
0x0040c190
0x0040c195
0x0040c195
0x0040c1a9
0x0040c1af
0x0040c1b1
0x0040c1b8
0x0040c1d4
0x0040c1ba
0x0040c1ba
0x0040c1bf
0x0040c1c4
0x0040c1c7
0x0040c1ca
0x0040c1cf
0x0040c1cf
0x0040c1db
0x0040c1e3
0x0040c1e8
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040C0F7
__vbaNew2.MSVBVM60(00401F28,HqE,?,?,?,?,00401196), ref: 0040C12E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C15B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00401D18,00000218), ref: 0040C190
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00401B1C,0000016C), ref: 0040C1CA
__vbaFreeStr.MSVBVM60 ref: 0040C1DB
__vbaFreeObj.MSVBVM60 ref: 0040C1E3

Strings

HqE, xrefs: 0040C11B, 0040C124, 0040C133, 0040C13C

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID: HqE
API String ID: 304406766-2975529154
Opcode ID: ef87e1847d43fd2f4001f0e3f73f377290697f6992d6f58c664698c93b1d415d
Instruction ID: 6480b5af391547198bf8adc1052956f72c6cfb263355d809668501bbccc08f1e
Opcode Fuzzy Hash: ef87e1847d43fd2f4001f0e3f73f377290697f6992d6f58c664698c93b1d415d
Instruction Fuzzy Hash: EB31DF74D40208EFCB00EFA5C889BDDBBB5BF08708F10416AF405BA2A2C7795945DFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0040BF22, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040BF22(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				signed int _v64;
				signed int _v76;
				signed int _t30;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L00401190();
				_v16 = _t43;
				_v12 = 0x401158;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401196, _t40);
				L00401298();
				L00401298();
				_t30 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0);
				asm("fclex");
				_v64 = _t30;
				if(_v64 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x15c);
					_push(0x401b1c);
					_push(_a4);
					_push(_v64);
					L00401280();
					_v76 = _t30;
				}
				asm("wait");
				_push(E0040BFC8);
				L0040125C();
				L0040125C();
				return _t30;
			}

0x0040bf25
0x0040bf34
0x0040bf3e
0x0040bf46
0x0040bf49
0x0040bf50
0x0040bf5f
0x0040bf68
0x0040bf73
0x0040bf82
0x0040bf88
0x0040bf8a
0x0040bf91
0x0040bfad
0x0040bf93
0x0040bf93
0x0040bf98
0x0040bf9d
0x0040bfa0
0x0040bfa3
0x0040bfa8
0x0040bfa8
0x0040bfb1
0x0040bfb2
0x0040bfba
0x0040bfc2
0x0040bfc7

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040BF3E
__vbaVarDup.MSVBVM60(?,?,?,?,00401196), ref: 0040BF68
__vbaVarDup.MSVBVM60(?,?,?,?,00401196), ref: 0040BF73
__vbaHresultCheckObj.MSVBVM60(00000000,00401158,00401B1C,0000015C), ref: 0040BFA3
__vbaFreeVar.MSVBVM60(0040BFC8), ref: 0040BFBA
__vbaFreeVar.MSVBVM60(0040BFC8), ref: 0040BFC2

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult
String ID:
API String ID: 3894782938-0
Opcode ID: e6f625621c3692c6d17994f36a9f425e17aab6bd78540c283efdfba171df97e1
Instruction ID: f23bab028250d5015c0d7e37575b0ad89815ac23ee72110de67794145352345a
Opcode Fuzzy Hash: e6f625621c3692c6d17994f36a9f425e17aab6bd78540c283efdfba171df97e1
Instruction Fuzzy Hash: 2411E334900209AFCB04EF95D986BDDBBB4EF45744F10846AF505BB1A1D7785A45CF88

Uniqueness

Uniqueness Score: -1.00%

Function 0040BAB1, Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Download Yara Rule

C-Code - Quality: 45%

			E0040BAB1(void* __ebx, void* __edi, void* __esi, signed int* _a24) {
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v48;
				char _v56;
				char _v72;
				intOrPtr _v112;
				char _v120;
				short _v124;
				short _t21;
				char* _t23;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				_push(0x401196);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t30;
				_push(0x6c);
				L00401190();
				_v16 = _t30;
				_v12 = 0x401128;
				 *_a24 =  *_a24 & 0x00000000;
				_v48 =  *0x401120;
				_v56 = 5;
				_push(0);
				_push( &_v56);
				_push( &_v72);
				L00401232();
				_v112 = 1;
				_v120 = 0x8002;
				_push( &_v72);
				_t21 =  &_v120;
				_push(_t21);
				L004012A4();
				_v124 = _t21;
				_push( &_v72);
				_t23 =  &_v56;
				_push(_t23);
				_push(2);
				L00401292();
				asm("wait");
				_push(E0040BB67);
				return _t23;
			}

0x0040bab4
0x0040bab7
0x0040bac2
0x0040bac3
0x0040baca
0x0040bacd
0x0040bad5
0x0040bad8
0x0040bae2
0x0040baeb
0x0040baee
0x0040baf5
0x0040bafa
0x0040bafe
0x0040baff
0x0040bb04
0x0040bb0b
0x0040bb15
0x0040bb16
0x0040bb19
0x0040bb1a
0x0040bb1f
0x0040bb26
0x0040bb27
0x0040bb2a
0x0040bb2b
0x0040bb2d
0x0040bb35
0x0040bb36
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401196), ref: 0040BACD
#714.MSVBVM60(?,00000005,00000000), ref: 0040BAFF
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040BB1A
__vbaFreeVarList.MSVBVM60(00000002,00000005,?,00008002,?), ref: 0040BB2D

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#714ChkstkFreeList
String ID:
API String ID: 1770595079-0
Opcode ID: d53d1ec2f6f9481d6e3cee3a812abd8f29560f2f15dba2814944d964734102f7
Instruction ID: 63de42c37e1bf9202df8cc586e75b376d99fdc1417d6a131d669ce9a7c9070ab
Opcode Fuzzy Hash: d53d1ec2f6f9481d6e3cee3a812abd8f29560f2f15dba2814944d964734102f7
Instruction Fuzzy Hash: 7D012D71C00208ABDB01DFD1D946BDEB7BCEB08704F20402BF500BB191D7786A148B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040B8C7, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON

Download Yara Rule

C-Code - Quality: 21%

			E0040B8C7() {
				void* _t15;
				void* _t17;

				L00401268();
				_push(_t17 - 0x64);
				_push(_t17 - 0x60);
				_push(_t17 - 0x5c);
				_push(3);
				L00401262();
				_push(_t17 - 0x94);
				_push(_t17 - 0x84);
				_push(_t17 - 0x74);
				_push(3);
				L00401292();
				_t15 = _t17 - 0x98;
				_push(_t15);
				_push(0);
				L00401250();
				return _t15;
			}

0x0040b8ca
0x0040b8d2
0x0040b8d6
0x0040b8da
0x0040b8db
0x0040b8dd
0x0040b8eb
0x0040b8f2
0x0040b8f6
0x0040b8f7
0x0040b8f9
0x0040b901
0x0040b907
0x0040b908
0x0040b90a
0x0040b90f

APIs

__vbaFreeStr.MSVBVM60 ref: 0040B8CA
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040B8DD
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0040B8F9
__vbaAryDestruct.MSVBVM60(00000000,?), ref: 0040B90A

Memory Dump Source

Source File: 00000001.00000002.724834238.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.724807709.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.724905766.000000000040D000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.724928330.000000000040F000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$Destruct
String ID:
API String ID: 3099906924-0
Opcode ID: 4a17a95bcd0c174900bfbd8311b5ac95bfb2ea0f77ab9c1ced18ded18028d5d1
Instruction ID: 964588bb2faed70f4d7e614628e25e8f72b33493092df665ad207290d4404638
Opcode Fuzzy Hash: 4a17a95bcd0c174900bfbd8311b5ac95bfb2ea0f77ab9c1ced18ded18028d5d1
Instruction Fuzzy Hash: 35E0757284411CAAEB11EAD1CD41FEE737CAF14304F4041ABB609F6096EA345B458B65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report FAKTURA I UWAGI.bat

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: FAKTURA I UWAGI.exe PID: 6492 Parent PID: 5660

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: FAKTURA I UWAGI.exe PID: 6492 Parent PID: 5660 FAKTURA I UWAGI.exeCOMMON

Executed Functions

Function 0040AA14, Relevance: 126.9, APIs: 70, Strings: 2, Instructions: 878COMMON

Function 004012C4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 13COMMON

Function 00409561, Relevance: 1.8, APIs: 1, Instructions: 510memoryCOMMON

Non-executed Functions

Function 0040AA14, Relevance: 126.9, APIs: 70, Strings: 2, Instructions: 878
COMMON

Function 0040673C, Relevance: .5, Instructions: 540
COMMONCrypto

Function 0040BB84, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 95
COMMON

Function 0040B948, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 72
COMMON

Function 0040BD78, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 115
COMMON

Function 0040C0DB, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Function 0040BF22, Relevance: 9.0, APIs: 6, Instructions: 50
COMMON

Function 0040BAB1, Relevance: 6.0, APIs: 4, Instructions: 45
COMMON

Function 0040B8C7, Relevance: 6.0, APIs: 4, Instructions: 25
COMMON