Play interactive tour

Edit tour

Analysis Report NP__000009116_11-05-2021_08_40_37.exe

Overview

General Information

Sample Name:	NP__000009116_11-05-2021_08_40_37.exe
Analysis ID:	410830
MD5:	3f695fa46992bd20300728e9245c87f8
SHA1:	83d7a6cb77eff285ed7b1950438fa3573d5b31fd
SHA256:	e0f53d67eb5d4a5bab2f6d0bbaff502896e12572b97bf0350c88cfac3fcc5b8f
Tags:	GuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

NP__000009116_11-05-2021_08_40_37.exe (PID: 480 cmdline: 'C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe' MD5: 3F695FA46992BD20300728E9245C87F8)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: NP__000009116_11-05-2021_08_40_37.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO"}

Multi AV Scanner detection for submitted file

Show sources

Source: NP__000009116_11-05-2021_08_40_37.exe

Virustotal: Detection: 25%

Perma Link

Source: NP__000009116_11-05-2021_08_40_37.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1RnNEBf_Y19f_pduK4zvHqPJHGwMdQKtO

Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.762821302.00000000006FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F1B8C NtAllocateVirtualMemory,	1_2_029F1B8C
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F33B5 NtProtectVirtualMemory,	1_2_029F33B5
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F375D NtProtectVirtualMemory,	1_2_029F375D

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_0040157B	1_2_0040157B
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_0040176A	1_2_0040176A
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_004017B7	1_2_004017B7

Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000000.237164633.0000000000414000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763380076.0000000002110000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.767126185.0000000002A10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamerammier.exeFE2X vs NP__000009116_11-05-2021_08_40_37.exe
Source: NP__000009116_11-05-2021_08_40_37.exe	Binary or memory string: OriginalFilenamerammier.exe vs NP__000009116_11-05-2021_08_40_37.exe

Source: NP__000009116_11-05-2021_08_40_37.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

File created: C:\Users\user\AppData\Local\Temp\~DFAFF35D8849DF2CC2.TMP

Jump to behavior

Source: NP__000009116_11-05-2021_08_40_37.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: NP__000009116_11-05-2021_08_40_37.exe

Virustotal: Detection: 25%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_00405570 push ecx; ret		1_2_00405580
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_004067EB push esi; iretd		1_2_004067ED

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F1EC9	1_2_029F1EC9
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F1E0F	1_2_029F1E0F
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F2DBA	1_2_029F2DBA

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F18AB second address: 00000000029F18AB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, 00001000h 0x0000000f test edx, ebx 0x00000011 div ecx 0x00000013 cmp edx, 00000000h 0x00000016 jne 00007F37C500D3A2h 0x00000018 dec ebx 0x00000019 xor edx, edx 0x0000001b cmp bl, al 0x0000001d mov eax, ebx 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2C6B second address: 00000000029F2C6B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl eax, 05h 0x0000000d add eax, ebx 0x0000000f movzx ecx, byte ptr [esi] 0x00000012 cmp edx, eax 0x00000014 add eax, ecx 0x00000016 xor eax, A06C3E3Fh 0x0000001b cmp edx, F2FD7140h 0x00000021 inc esi 0x00000022 cmp byte ptr [esi], 00000000h 0x00000025 jne 00007F37C443C430h 0x00000027 cmp byte ptr [esi], FFFFFFA4h 0x0000002a jnc 00007F37C443C49Fh 0x0000002c test bx, ax 0x0000002f mov ebx, eax 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2BAA second address: 00000000029F2BAA instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2AB4 second address: 00000000029F2AB4 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F1D14 second address: 00000000029F1D14 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2DBE second address: 00000000029F2DBE instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2E84 second address: 00000000029F2E84 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F18AB second address: 00000000029F18AB instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a mov ecx, 00001000h 0x0000000f test edx, ebx 0x00000011 div ecx 0x00000013 cmp edx, 00000000h 0x00000016 jne 00007F37C500D3A2h 0x00000018 dec ebx 0x00000019 xor edx, edx 0x0000001b cmp bl, al 0x0000001d mov eax, ebx 0x0000001f pushad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2C6B second address: 00000000029F2C6B instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a shl eax, 05h 0x0000000d add eax, ebx 0x0000000f movzx ecx, byte ptr [esi] 0x00000012 cmp edx, eax 0x00000014 add eax, ecx 0x00000016 xor eax, A06C3E3Fh 0x0000001b cmp edx, F2FD7140h 0x00000021 inc esi 0x00000022 cmp byte ptr [esi], 00000000h 0x00000025 jne 00007F37C443C430h 0x00000027 cmp byte ptr [esi], FFFFFFA4h 0x0000002a jnc 00007F37C443C49Fh 0x0000002c test bx, ax 0x0000002f mov ebx, eax 0x00000031 pushad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2BAA second address: 00000000029F2BAA instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2AB4 second address: 00000000029F2AB4 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F1D14 second address: 00000000029F1D14 instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2DBE second address: 00000000029F2DBE instructions:
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	RDTSC instruction interceptor: First address: 00000000029F2E84 second address: 00000000029F2E84 instructions:

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Code function: 1_2_029F2C97 rdtsc

1_2_029F2C97

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Code function: 1_2_029F2C97 rdtsc

1_2_029F2C97

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F1885 mov eax, dword ptr fs:[00000030h]	1_2_029F1885
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F2AD8 mov eax, dword ptr fs:[00000030h]	1_2_029F2AD8
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F0CE5 mov eax, dword ptr fs:[00000030h]	1_2_029F0CE5
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F3118 mov eax, dword ptr fs:[00000030h]	1_2_029F3118
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F1127 mov eax, dword ptr fs:[00000030h]	1_2_029F1127
Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe	Code function: 1_2_029F2D21 mov eax, dword ptr fs:[00000030h]	1_2_029F2D21

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: NP__000009116_11-05-2021_08_40_37.exe, 00000001.00000002.763076829.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe

Code function: 1_2_029F2C97 cpuid

1_2_029F2C97

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery41	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NP__000009116_11-05-2021_08_40_37.exe	26%	Virustotal		Browse
NP__000009116_11-05-2021_08_40_37.exe	9%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	410830
Start date:	11.05.2021
Start time:	11:15:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NP__000009116_11-05-2021_08_40_37.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	36
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 18% (good quality ratio 4.8%) Quality average: 14.4% Quality standard deviation: 24.7%
HCA Information:	Successful, ratio: 53% Number of executed functions: 23 Number of non-executed functions: 19
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.68647587130183
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	NP__000009116_11-05-2021_08_40_37.exe
File size:	81920
MD5:	3f695fa46992bd20300728e9245c87f8
SHA1:	83d7a6cb77eff285ed7b1950438fa3573d5b31fd
SHA256:	e0f53d67eb5d4a5bab2f6d0bbaff502896e12572b97bf0350c88cfac3fcc5b8f
SHA512:	04e7fdd44934be48435ae8ccb143b8d0d95a1ea002a549da5ed7b7a39e9bdcb1be1d942200ce39b3119d4bf29d0eacc9fdefed3dc38e1d25b689e747f9348aef
SSDEEP:	1536:1HDgHBRiC/5r4b01V/M7FWf0Nq7Iz/a2GeD:JY4+542/YFWfea2Ge
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L......`.....................0............... ....@................

File Icon


Icon Hash:	b09298b8cc8a19c6

Static PE Info

General
Entrypoint:	0x4013f0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6099E2D3 [Tue May 11 01:50:11 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	ec8e962978786706cf0189109090c85e

Entrypoint Preview

Instruction
push 00401FC8h
call 00007F37C4DD6B53h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], bl
xchg eax, edi
push edi
out dx, eax
inc edx
push edi
imul ecx, dword ptr [ecx-47h], 23h
mov ebp, 6200D058h
cmp al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11074	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0xc04	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x158	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x10674	0x11000	False	0.414435891544	data	6.16645068295	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x12000	0x11f4	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0xc04	0x1000	False	0.287353515625	data	3.00270676998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1435c	0x8a8	data
RT_GROUP_ICON	0x14348	0x14	data
RT_VERSION	0x140f0	0x258	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenVar, _adj_fdiv_m32, __vbaAryDestruct, __vbaVarForInit, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaVarCopy, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, __vbaVarForNext, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	rammier
FileVersion	1.00
CompanyName	Asso Filler
ProductName	Asso Filler
ProductVersion	1.00
FileDescription	Asso Filler
OriginalFilename	rammier.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: NP__000009116_11-05-2021_08_40_37.exe PID: 480 Parent PID: 5648

General

Start time:	11:16:09
Start date:	11/05/2021
Path:	C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\NP__000009116_11-05-2021_08_40_37.exe'
Imagebase:	0x400000
File size:	81920 bytes
MD5 hash:	3F695FA46992BD20300728E9245C87F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: NP__000009116_11-05-2021_08_40_37.exe PID: 480 Parent PID: 5648 NP__000009116_11-05-2021_08_40_37.exeCOMMON

Executed Functions

Function 029F1B8C, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 365memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000), ref: 029F1C6A

Strings

8, xrefs: 029F1D57

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: 8
API String ID: 2167126740-4194326291
Opcode ID: ef0f6b9bdeeaf2e9d9460e1447c45dab9408f0a66569ba85c33b2b49aed70577
Instruction ID: 84e9f94f002c3ffb9067962a2403292cde8eb955f8f2d4e9860cb3787d1e3ccf
Opcode Fuzzy Hash: ef0f6b9bdeeaf2e9d9460e1447c45dab9408f0a66569ba85c33b2b49aed70577
Instruction Fuzzy Hash: 5FC127B0680306AFFBB11E64CC55BE93B6AEF45754F640228FF889B2D0D7B994849B44

Uniqueness

Uniqueness Score: -1.00%

Function 029F33B5, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,029F3182,00000040,029F12F0,00000000,00000000,00000000,00000000,?,00000000,00000000,029F01B8), ref: 029F33CE

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 004082E4, Relevance: 197.1, APIs: 104, Strings: 8, Instructions: 1073
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E004082E4(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v48;
				short _v72;
				void* _v76;
				intOrPtr _v84;
				intOrPtr _v88;
				char _v92;
				long long _v116;
				signed int _v120;
				intOrPtr _v124;
				long long _v136;
				char _v140;
				short _v144;
				char _v164;
				short _v168;
				short _v180;
				void* _v184;
				void* _v192;
				long long _v800;
				long long _v808;
				void* _v812;
				intOrPtr _v820;
				char _v828;
				void* _v832;
				signed int _v836;
				char _v840;
				char _v848;
				signed int _v852;
				intOrPtr _v864;
				char _v872;
				char _v888;
				intOrPtr _v916;
				char _v924;
				char _v944;
				signed int _v948;
				char _v952;
				intOrPtr _v956;
				long long _v960;
				intOrPtr _v964;
				char _v968;
				signed int _v972;
				signed int _v976;
				signed int _v980;
				signed int _v984;
				signed int _v1320;
				signed int _v1324;
				signed int _v1328;
				signed int _v1332;
				signed int _v1336;
				signed int _v1364;
				intOrPtr* _v1368;
				signed int _v1372;
				signed int _v1376;
				intOrPtr* _v1380;
				signed int _v1384;
				signed int _v1388;
				intOrPtr* _v1392;
				signed int _v1396;
				signed int _v1400;
				intOrPtr* _v1404;
				signed int _v1408;
				signed int _v1412;
				intOrPtr* _v1416;
				signed int _v1420;
				intOrPtr* _v1424;
				signed int _v1428;
				signed int _v1432;
				intOrPtr* _v1436;
				signed int _v1440;
				signed int _v1444;
				intOrPtr* _v1448;
				signed int _v1452;
				signed int _v1456;
				signed int _v1460;
				signed int _v1464;
				signed int _v1468;
				signed int _v1472;
				intOrPtr* _v1476;
				signed int _v1480;
				signed int _v1484;
				intOrPtr* _v1488;
				signed int _v1492;
				signed int _v1496;
				signed int _v1500;
				intOrPtr* _v1504;
				signed int _v1508;
				signed int _v1512;
				intOrPtr* _v1516;
				signed int _v1520;
				signed int _v1524;
				char* _t588;
				signed int _t592;
				signed int _t597;
				signed int _t611;
				signed int _t617;
				signed int _t622;
				signed int _t627;
				signed int _t631;
				signed int _t635;
				char* _t640;
				signed int _t644;
				signed int _t651;
				signed int _t655;
				signed int _t657;
				signed int _t664;
				signed int _t670;
				signed int _t674;
				signed int _t678;
				signed int _t684;
				signed int _t688;
				signed int _t692;
				signed int _t698;
				char* _t703;
				signed int _t710;
				signed int _t715;
				signed int _t722;
				signed int _t727;
				signed int _t734;
				signed int _t739;
				signed int _t745;
				signed int _t750;
				char* _t754;
				signed int _t762;
				signed int _t767;
				signed int _t774;
				signed int _t779;
				signed int _t786;
				signed int _t792;
				char* _t796;
				signed int _t799;
				void* _t800;
				void* _t857;
				void* _t861;
				intOrPtr _t866;
				long long _t919;

				 *[fs:0x0] = _t866;
				L004011F0();
				_v16 = _t866;
				_v12 = 0x401180;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t857, _t861, _t800,  *[fs:0x0], 0x4011f6);
				_push(3);
				_push(0x403208);
				_t588 =  &_v48;
				_push(_t588);
				L004013D0();
				_push(0x402fe0);
				_push(0x402fe0);
				L004013BE();
				_v864 = _t588;
				_v872 = 8;
				_push(1);
				_push( &_v872);
				_push( &_v888);
				L004013C4();
				_v916 = 0x402fe0;
				_v924 = 0x8008;
				_push( &_v888);
				_t592 =  &_v924;
				_push(_t592);
				L004013CA();
				_v972 = _t592;
				_push( &_v888);
				_push( &_v872);
				_push(2);
				L004013B8();
				if(_v972 != 0) {
					_v864 = 2;
					_v872 = 2;
					L004013AC();
					L004013B2();
					L004013A6();
					_v864 = 1;
					_v872 = 2;
					_t796 =  &_v872;
					L004013A0();
					L004013B2();
					L004013A6();
					_t919 =  *0x401178;
					L0040139A();
					_t799 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t796, _t796, 0xffffffff, 0xfffffffe, 0xfffffffe, 0xfffffffe,  &_v872);
					asm("fclex");
					_v972 = _t799;
					if(_v972 >= 0) {
						_v1364 = _v1364 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x402adc);
						_push(_a4);
						_push(_v972);
						L00401394();
						_v1364 = _t799;
					}
				}
				_v864 = 2;
				_v872 = 2;
				_push( &_v872);
				L004013AC();
				L004013B2();
				L004013A6();
				_t597 =  &_v828;
				_push(_t597);
				E00402D94();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x58) {
					if( *0x4123c0 != 0) {
						_v1368 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1368 = 0x4123c0;
					}
					_v972 =  *_v1368;
					_t762 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t762;
					if(_v976 >= 0) {
						_v1372 = _v1372 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1372 = _t762;
					}
					_v980 = _v848;
					_t767 =  *((intOrPtr*)( *_v980 + 0xc0))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t767;
					if(_v984 >= 0) {
						_v1376 = _v1376 & 0x00000000;
					} else {
						_push(0xc0);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1376 = _t767;
					}
					_v168 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1380 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1380 = 0x4123c0;
					}
					_v972 =  *_v1380;
					_t774 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t774;
					if(_v976 >= 0) {
						_v1384 = _v1384 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1384 = _t774;
					}
					_v980 = _v848;
					_t779 =  *((intOrPtr*)( *_v980 + 0xf8))(_v980,  &_v836);
					asm("fclex");
					_v984 = _t779;
					if(_v984 >= 0) {
						_v1388 = _v1388 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1388 = _t779;
					}
					_v1320 = _v836;
					_v836 = _v836 & 0x00000000;
					L004013B2();
					L00401382();
					if( *0x4123c0 != 0) {
						_v1392 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1392 = 0x4123c0;
					}
					_v972 =  *_v1392;
					_t786 =  *((intOrPtr*)( *_v972 + 0x1c))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t786;
					if(_v976 >= 0) {
						_v1396 = _v1396 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1396 = _t786;
					}
					_v980 = _v848;
					_v916 = 0x80020004;
					_v924 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t792 =  *((intOrPtr*)( *_v980 + 0x54))(_v980, 0x10,  &_v852);
					asm("fclex");
					_v984 = _t792;
					if(_v984 >= 0) {
						_v1400 = _v1400 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x403024);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1400 = _t792;
					}
					_v1324 = _v852;
					_v852 = _v852 & 0x00000000;
					_v864 = _v1324;
					_v872 = 9;
					_t597 = 0x10;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v820);
					L0040137C();
					L00401382();
					L004013A6();
				}
				_push(0x8966da);
				E00402EBC();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x1e61) {
					if( *0x4123c0 != 0) {
						_v1404 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1404 = 0x4123c0;
					}
					_v972 =  *_v1404;
					_t745 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t745;
					if(_v976 >= 0) {
						_v1408 = _v1408 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1408 = _t745;
					}
					_v980 = _v848;
					_t750 =  *((intOrPtr*)( *_v980 + 0x110))(_v980,  &_v836);
					asm("fclex");
					_v984 = _t750;
					if(_v984 >= 0) {
						_v1412 = _v1412 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1412 = _t750;
					}
					_v1328 = _v836;
					_v836 = _v836 & 0x00000000;
					L004013B2();
					L00401382();
					L00401376();
					_v124 = _t919;
					if( *0x4123c0 != 0) {
						_v1416 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1416 = 0x4123c0;
					}
					_v972 =  *_v1416;
					_t754 =  &_v848;
					L00401370();
					_t597 =  *((intOrPtr*)( *_v972 + 0x10))(_v972, _t754, _t754, _a4);
					asm("fclex");
					_v976 = _t597;
					if(_v976 >= 0) {
						_v1420 = _v1420 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1420 = _t597;
					}
					L00401382();
				}
				_push(0x4c5969);
				E00402EFC();
				_v948 = _t597;
				L0040138E();
				if(_v948 == 0x1e60) {
					if( *0x4123c0 != 0) {
						_v1424 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1424 = 0x4123c0;
					}
					_v972 =  *_v1424;
					_t710 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t710;
					if(_v976 >= 0) {
						_v1428 = _v1428 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1428 = _t710;
					}
					_v980 = _v848;
					_t715 =  *((intOrPtr*)( *_v980 + 0x108))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t715;
					if(_v984 >= 0) {
						_v1432 = _v1432 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1432 = _t715;
					}
					_v72 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1436 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1436 = 0x4123c0;
					}
					_v972 =  *_v1436;
					_t722 =  *((intOrPtr*)( *_v972 + 0x14))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t722;
					if(_v976 >= 0) {
						_v1440 = _v1440 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1440 = _t722;
					}
					_v980 = _v848;
					_t727 =  *((intOrPtr*)( *_v980 + 0xc8))(_v980,  &_v944);
					asm("fclex");
					_v984 = _t727;
					if(_v984 >= 0) {
						_v1444 = _v1444 & 0x00000000;
					} else {
						_push(0xc8);
						_push(0x403014);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1444 = _t727;
					}
					_v144 = _v944;
					L00401382();
					if( *0x4123c0 != 0) {
						_v1448 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v1448 = 0x4123c0;
					}
					_v972 =  *_v1448;
					_t734 =  *((intOrPtr*)( *_v972 + 0x1c))(_v972,  &_v848);
					asm("fclex");
					_v976 = _t734;
					if(_v976 >= 0) {
						_v1452 = _v1452 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402ff4);
						_push(_v972);
						_push(_v976);
						L00401394();
						_v1452 = _t734;
					}
					_v980 = _v848;
					_v916 = 0x80020004;
					_v924 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t739 =  *((intOrPtr*)( *_v980 + 0x60))(_v980, L"Receptionsassistenter4", 0x10);
					asm("fclex");
					_v984 = _t739;
					if(_v984 >= 0) {
						_v1456 = _v1456 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x403024);
						_push(_v980);
						_push(_v984);
						L00401394();
						_v1456 = _t739;
					}
					L00401382();
				}
				_v968 = 0x8b685910;
				_v964 = 0x5afc;
				_v960 = 0xe92196e0;
				_v956 = 0x5af5;
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4, L"Enervous", 0x69ca,  &_v960,  &_v968,  &_v944);
				_v180 = _v944;
				_v968 = 0x4e4866f0;
				_v964 = 0x5b02;
				_v960 =  *0x401170;
				_v948 = 0x1d68ea;
				_t611 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, L"Holmberry5",  &_v960,  &_v968,  &_v952);
				_v972 = _t611;
				if(_v972 >= 0) {
					_v1460 = _v1460 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b0c);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1460 = _t611;
				}
				_v140 = _v952;
				_v944 = 0x5fc6;
				_t617 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, L"disuniter",  &_v944,  &_v948);
				_v972 = _t617;
				if(_v972 >= 0) {
					_v1464 = _v1464 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402b0c);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1464 = _t617;
				}
				_v120 = _v948;
				L0040136A();
				_t622 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v836, 0xe1,  &_v960);
				_v972 = _t622;
				if(_v972 >= 0) {
					_v1468 = _v1468 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b0c);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1468 = _t622;
				}
				_v136 = _v960;
				L00401364();
				L0040136A();
				_t627 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v836, 0x5188,  &_v960);
				_v972 = _t627;
				if(_v972 >= 0) {
					_v1472 = _v1472 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b0c);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1472 = _t627;
				}
				_v808 = _v960;
				L00401364();
				if( *0x412010 != 0) {
					_v1476 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402464);
					L00401388();
					_v1476 = 0x412010;
				}
				_t631 =  &_v848;
				L00401358();
				_v972 = _t631;
				_t635 =  *((intOrPtr*)( *_v972 + 0x1b8))(_v972,  &_v852, _t631,  *((intOrPtr*)( *((intOrPtr*)( *_v1476)) + 0x304))( *_v1476));
				asm("fclex");
				_v976 = _t635;
				if(_v976 >= 0) {
					_v1480 = _v1480 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x4030f0);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1480 = _t635;
				}
				L0040135E(); // executed
				_v968 = 0x5f6bf5a0;
				_v964 = 0x5af8;
				_v960 =  *0x401168;
				_v948 = 0x841700;
				_t640 =  &_v872;
				L00401352();
				L004013B2();
				_t644 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, _t640, _t640,  &_v960,  &_v968,  &_v952,  &_v872, _v852, 0, 0);
				_v980 = _t644;
				if(_v980 >= 0) {
					_v1484 = _v1484 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b0c);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1484 = _t644;
				}
				_v92 = _v952;
				L00401364();
				_push( &_v852);
				_push( &_v848);
				_push(2);
				L0040134C();
				L004013A6();
				if( *0x412010 != 0) {
					_v1488 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402464);
					L00401388();
					_v1488 = 0x412010;
				}
				_t651 =  &_v848;
				L00401358();
				_v972 = _t651;
				_t655 =  *((intOrPtr*)( *_v972 + 0x100))(_v972,  &_v852, _t651,  *((intOrPtr*)( *((intOrPtr*)( *_v1488)) + 0x300))( *_v1488));
				asm("fclex");
				_v976 = _t655;
				if(_v976 >= 0) {
					_v1492 = _v1492 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x403100);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1492 = _t655;
				}
				L0040135E();
				_v968 = 0xef1aa800;
				_v964 = 0x5afc;
				_v960 =  *0x401160;
				_t657 =  &_v872;
				L00401346();
				_v948 = _t657;
				_t664 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v948, L"SLAVESJLENE",  &_v960,  &_v968,  &_v952, _t657,  &_v872, _v852, 0, 0);
				_v980 = _t664;
				if(_v980 >= 0) {
					_v1496 = _v1496 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x402b0c);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1496 = _t664;
				}
				_v88 = _v952;
				L0040134C();
				L004013A6();
				_t670 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 2,  &_v848,  &_v852);
				asm("fclex");
				_v972 = _t670;
				if(_v972 >= 0) {
					_v1500 = _v1500 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402adc);
					_push(_a4);
					_push(_v972);
					L00401394();
					_v1500 = _t670;
				}
				L112:
				L112:
				if( *0x412010 != 0) {
					_v1504 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402464);
					L00401388();
					_v1504 = 0x412010;
				}
				_t674 =  &_v848;
				L00401358();
				_v972 = _t674;
				_t678 =  *((intOrPtr*)( *_v972 + 0x150))(_v972,  &_v836, _t674,  *((intOrPtr*)( *((intOrPtr*)( *_v1504)) + 0x308))( *_v1504));
				asm("fclex");
				_v976 = _t678;
				if(_v976 >= 0) {
					_v1508 = _v1508 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x4030f0);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1508 = _t678;
				}
				_v1332 = _v836;
				_v836 = _v836 & 0x00000000;
				L004013B2();
				_t684 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v840, 0x55c3,  &_v960);
				_v980 = _t684;
				if(_v980 >= 0) {
					_v1512 = _v1512 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b0c);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1512 = _t684;
				}
				_v800 = _v960;
				L00401364();
				L00401382();
				if( *0x412010 != 0) {
					_v1516 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402464);
					L00401388();
					_v1516 = 0x412010;
				}
				_t688 =  &_v848;
				L00401358();
				_v972 = _t688;
				_t692 =  *((intOrPtr*)( *_v972 + 0x150))(_v972,  &_v836, _t688,  *((intOrPtr*)( *((intOrPtr*)( *_v1516)) + 0x304))( *_v1516));
				asm("fclex");
				_v976 = _t692;
				if(_v976 >= 0) {
					_v1520 = _v1520 & 0x00000000;
				} else {
					_push(0x150);
					_push(0x4030f0);
					_push(_v972);
					_push(_v976);
					L00401394();
					_v1520 = _t692;
				}
				_v1336 = _v836;
				_v836 = _v836 & 0x00000000;
				L004013B2();
				_t698 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v840, 0x5e86,  &_v960);
				_v980 = _t698;
				if(_v980 >= 0) {
					_v1524 = _v1524 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x402b0c);
					_push(_a4);
					_push(_v980);
					L00401394();
					_v1524 = _t698;
				}
				_v116 = _v960;
				L00401364();
				L00401382();
				_v916 = 1;
				_v924 = 2;
				_push( &_v164);
				_push( &_v924);
				_push( &_v872);
				L0040133A();
				L00401340();
				_v916 = 0x1ffff;
				_v924 = 0x8003;
				_push( &_v164);
				_t703 =  &_v924;
				_push(_t703);
				L00401334();
				if(_t703 == 0) {
					goto L132;
				}
				goto L112;
				L132:
				_v84 = 0;
				_push(0x407164);
				goto ( *__edx);
			}

0x004082f6
0x00408302
0x0040830a
0x0040830d
0x0040831a
0x00408323
0x0040832e
0x00408331
0x00408333
0x00408338
0x0040833b
0x0040833c
0x00408341
0x00408346
0x0040834b
0x00408350
0x00408356
0x00408360
0x00408368
0x0040836f
0x00408370
0x00408375
0x0040837f
0x0040838f
0x00408390
0x00408396
0x00408397
0x0040839c
0x004083a9
0x004083b0
0x004083b1
0x004083b3
0x004083c4
0x004083ca
0x004083d4
0x004083e5
0x004083f2
0x004083fd
0x00408402
0x0040840c
0x0040841e
0x00408425
0x0040842f
0x0040843a
0x0040843f
0x00408445
0x00408453
0x00408456
0x00408458
0x00408465
0x00408484
0x00408467
0x00408467
0x00408469
0x0040846e
0x00408471
0x00408477
0x0040847c
0x0040847c
0x00408465
0x0040848b
0x00408495
0x004084a5
0x004084a6
0x004084b3
0x004084be
0x004084c3
0x004084c9
0x004084ca
0x004084cf
0x004084d5
0x004084e1
0x004084ee
0x0040850b
0x004084f0
0x004084f0
0x004084f5
0x004084fa
0x004084ff
0x004084ff
0x0040851d
0x00408538
0x0040853b
0x0040853d
0x0040854a
0x0040856c
0x0040854c
0x0040854c
0x0040854e
0x00408553
0x00408559
0x0040855f
0x00408564
0x00408564
0x00408579
0x00408594
0x0040859a
0x0040859c
0x004085a9
0x004085ce
0x004085ab
0x004085ab
0x004085b0
0x004085b5
0x004085bb
0x004085c1
0x004085c6
0x004085c6
0x004085dc
0x004085e9
0x004085f5
0x00408612
0x004085f7
0x004085f7
0x004085fc
0x00408601
0x00408606
0x00408606
0x00408624
0x0040863f
0x00408642
0x00408644
0x00408651
0x00408673
0x00408653
0x00408653
0x00408655
0x0040865a
0x00408660
0x00408666
0x0040866b
0x0040866b
0x00408680
0x0040869b
0x004086a1
0x004086a3
0x004086b0
0x004086d5
0x004086b2
0x004086b2
0x004086b7
0x004086bc
0x004086c2
0x004086c8
0x004086cd
0x004086cd
0x004086e2
0x004086e8
0x004086fb
0x00408706
0x00408712
0x0040872f
0x00408714
0x00408714
0x00408719
0x0040871e
0x00408723
0x00408723
0x00408741
0x0040875c
0x0040875f
0x00408761
0x0040876e
0x00408790
0x00408770
0x00408770
0x00408772
0x00408777
0x0040877d
0x00408783
0x00408788
0x00408788
0x0040879d
0x004087a3
0x004087ad
0x004087c1
0x004087ce
0x004087cf
0x004087d0
0x004087d1
0x004087e0
0x004087e3
0x004087e5
0x004087f2
0x00408814
0x004087f4
0x004087f4
0x004087f6
0x004087fb
0x00408801
0x00408807
0x0040880c
0x0040880c
0x00408821
0x00408827
0x00408834
0x0040883a
0x00408846
0x00408847
0x00408854
0x00408855
0x00408856
0x00408857
0x00408858
0x0040885a
0x00408860
0x0040886b
0x00408876
0x00408876
0x0040887b
0x00408880
0x00408885
0x0040888b
0x0040889a
0x004088a7
0x004088c4
0x004088a9
0x004088a9
0x004088ae
0x004088b3
0x004088b8
0x004088b8
0x004088d6
0x004088f1
0x004088f4
0x004088f6
0x00408903
0x00408925
0x00408905
0x00408905
0x00408907
0x0040890c
0x00408912
0x00408918
0x0040891d
0x0040891d
0x00408932
0x0040894d
0x00408953
0x00408955
0x00408962
0x00408987
0x00408964
0x00408964
0x00408969
0x0040896e
0x00408974
0x0040897a
0x0040897f
0x0040897f
0x00408994
0x0040899a
0x004089ad
0x004089b8
0x004089bd
0x004089c2
0x004089cc
0x004089e9
0x004089ce
0x004089ce
0x004089d3
0x004089d8
0x004089dd
0x004089dd
0x004089fb
0x00408a04
0x00408a0b
0x00408a1f
0x00408a22
0x00408a24
0x00408a31
0x00408a53
0x00408a33
0x00408a33
0x00408a35
0x00408a3a
0x00408a40
0x00408a46
0x00408a4b
0x00408a4b
0x00408a60
0x00408a60
0x00408a65
0x00408a6a
0x00408a6f
0x00408a75
0x00408a84
0x00408a91
0x00408aae
0x00408a93
0x00408a93
0x00408a98
0x00408a9d
0x00408aa2
0x00408aa2
0x00408ac0
0x00408adb
0x00408ade
0x00408ae0
0x00408aed
0x00408b0f
0x00408aef
0x00408aef
0x00408af1
0x00408af6
0x00408afc
0x00408b02
0x00408b07
0x00408b07
0x00408b1c
0x00408b37
0x00408b3d
0x00408b3f
0x00408b4c
0x00408b71
0x00408b4e
0x00408b4e
0x00408b53
0x00408b58
0x00408b5e
0x00408b64
0x00408b69
0x00408b69
0x00408b7f
0x00408b89
0x00408b95
0x00408bb2
0x00408b97
0x00408b97
0x00408b9c
0x00408ba1
0x00408ba6
0x00408ba6
0x00408bc4
0x00408bdf
0x00408be2
0x00408be4
0x00408bf1
0x00408c13
0x00408bf3
0x00408bf3
0x00408bf5
0x00408bfa
0x00408c00
0x00408c06
0x00408c0b
0x00408c0b
0x00408c20
0x00408c3b
0x00408c41
0x00408c43
0x00408c50
0x00408c75
0x00408c52
0x00408c52
0x00408c57
0x00408c5c
0x00408c62
0x00408c68
0x00408c6d
0x00408c6d
0x00408c83
0x00408c90
0x00408c9c
0x00408cb9
0x00408c9e
0x00408c9e
0x00408ca3
0x00408ca8
0x00408cad
0x00408cad
0x00408ccb
0x00408ce6
0x00408ce9
0x00408ceb
0x00408cf8
0x00408d1a
0x00408cfa
0x00408cfa
0x00408cfc
0x00408d01
0x00408d07
0x00408d0d
0x00408d12
0x00408d12
0x00408d27
0x00408d2d
0x00408d37
0x00408d44
0x00408d51
0x00408d52
0x00408d53
0x00408d54
0x00408d68
0x00408d6b
0x00408d6d
0x00408d7a
0x00408d9c
0x00408d7c
0x00408d7c
0x00408d7e
0x00408d83
0x00408d89
0x00408d8f
0x00408d94
0x00408d94
0x00408da9
0x00408da9
0x00408dae
0x00408db8
0x00408dc2
0x00408dcc
0x00408dfd
0x00408e0a
0x00408e11
0x00408e1b
0x00408e2b
0x00408e31
0x00408e64
0x00408e6a
0x00408e77
0x00408e99
0x00408e79
0x00408e79
0x00408e7e
0x00408e83
0x00408e86
0x00408e8c
0x00408e91
0x00408e91
0x00408ea6
0x00408eac
0x00408ed0
0x00408ed6
0x00408ee3
0x00408f05
0x00408ee5
0x00408ee5
0x00408eea
0x00408eef
0x00408ef2
0x00408ef8
0x00408efd
0x00408efd
0x00408f12
0x00408f20
0x00408f40
0x00408f46
0x00408f53
0x00408f75
0x00408f55
0x00408f55
0x00408f5a
0x00408f5f
0x00408f62
0x00408f68
0x00408f6d
0x00408f6d
0x00408f82
0x00408f8e
0x00408f9e
0x00408fbe
0x00408fc4
0x00408fd1
0x00408ff3
0x00408fd3
0x00408fd3
0x00408fd8
0x00408fdd
0x00408fe0
0x00408fe6
0x00408feb
0x00408feb
0x00409000
0x0040900c
0x00409018
0x00409035
0x0040901a
0x0040901a
0x0040901f
0x00409024
0x00409029
0x00409029
0x00409059
0x00409060
0x00409065
0x00409080
0x00409086
0x00409088
0x00409095
0x004090ba
0x00409097
0x00409097
0x0040909c
0x004090a1
0x004090a7
0x004090ad
0x004090b2
0x004090b2
0x004090d2
0x004090da
0x004090e4
0x004090f4
0x004090fa
0x00409119
0x00409120
0x0040912d
0x00409142
0x00409148
0x00409155
0x00409177
0x00409157
0x00409157
0x0040915c
0x00409161
0x00409164
0x0040916a
0x0040916f
0x0040916f
0x00409184
0x0040918d
0x00409198
0x0040919f
0x004091a0
0x004091a2
0x004091b0
0x004091bc
0x004091d9
0x004091be
0x004091be
0x004091c3
0x004091c8
0x004091cd
0x004091cd
0x004091fd
0x00409204
0x00409209
0x00409224
0x0040922a
0x0040922c
0x00409239
0x0040925e
0x0040923b
0x0040923b
0x00409240
0x00409245
0x0040924b
0x00409251
0x00409256
0x00409256
0x00409276
0x0040927e
0x00409288
0x00409298
0x0040929e
0x004092a5
0x004092aa
0x004092d9
0x004092df
0x004092ec
0x0040930e
0x004092ee
0x004092ee
0x004092f3
0x004092f8
0x004092fb
0x00409301
0x00409306
0x00409306
0x0040931b
0x0040932e
0x0040933c
0x00409349
0x0040934f
0x00409351
0x0040935e
0x00409380
0x00409360
0x00409360
0x00409365
0x0040936a
0x0040936d
0x00409373
0x00409378
0x00409378
0x00000000
0x00409387
0x0040938e
0x004093ab
0x00409390
0x00409390
0x00409395
0x0040939a
0x0040939f
0x0040939f
0x004093cf
0x004093d6
0x004093db
0x004093f6
0x004093fc
0x004093fe
0x0040940b
0x00409430
0x0040940d
0x0040940d
0x00409412
0x00409417
0x0040941d
0x00409423
0x00409428
0x00409428
0x0040943d
0x00409443
0x00409456
0x00409476
0x0040947c
0x00409489
0x004094ab
0x0040948b
0x0040948b
0x00409490
0x00409495
0x00409498
0x0040949e
0x004094a3
0x004094a3
0x004094b8
0x004094c4
0x004094cf
0x004094db
0x004094f8
0x004094dd
0x004094dd
0x004094e2
0x004094e7
0x004094ec
0x004094ec
0x0040951c
0x00409523
0x00409528
0x00409543
0x00409549
0x0040954b
0x00409558
0x0040957d
0x0040955a
0x0040955a
0x0040955f
0x00409564
0x0040956a
0x00409570
0x00409575
0x00409575
0x0040958a
0x00409590
0x004095a3
0x004095c3
0x004095c9
0x004095d6
0x004095f8
0x004095d8
0x004095d8
0x004095dd
0x004095e2
0x004095e5
0x004095eb
0x004095f0
0x004095f0
0x00409605
0x0040960e
0x00409619
0x0040961e
0x00409628
0x00409638
0x0040963f
0x00409646
0x00409647
0x00409654
0x00409659
0x00409663
0x00409673
0x00409674
0x0040967a
0x0040967b
0x00409685
0x00000000
0x00000000
0x00000000
0x0040968c
0x0040968c
0x00409698
0x0040969b

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00408302
__vbaAryConstruct2.MSVBVM60(?,00403208,00000003,?,?,?,?,004011F6), ref: 0040833C
__vbaStrCat.MSVBVM60(00402FE0,00402FE0,?,00403208,00000003,?,?,?,?,004011F6), ref: 0040834B
#617.MSVBVM60(?,00000008,00000001), ref: 00408370
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,00000008,00000001), ref: 00408397
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004083B3
#536.MSVBVM60(00000002), ref: 004083E5
__vbaStrMove.MSVBVM60(00000002), ref: 004083F2
__vbaFreeVar.MSVBVM60(00000002), ref: 004083FD
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 00408425
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 0040842F
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 0040843A
__vbaFpI4.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,00000002), ref: 00408445
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402ADC,00000064), ref: 00408477
#536.MSVBVM60(00000002), ref: 004084A6
__vbaStrMove.MSVBVM60(00000002), ref: 004084B3
__vbaFreeVar.MSVBVM60(00000002), ref: 004084BE
__vbaSetSystemError.MSVBVM60(?,00000002), ref: 004084D5
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 004084FA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 0040855F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000C0), ref: 004085C1
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000C0), ref: 004085E9
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408601
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408666
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000F8), ref: 004086C8
__vbaStrMove.MSVBVM60(00000000,?,00403014,000000F8), ref: 004086FB
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000F8), ref: 00408706
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 0040871E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 00408783
__vbaChkstk.MSVBVM60(?), ref: 004087C1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403024,00000054), ref: 00408807
__vbaChkstk.MSVBVM60(00000000,?,00403024,00000054), ref: 00408847
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00408860
__vbaFreeObj.MSVBVM60(?,00000000), ref: 0040886B
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00408876
__vbaSetSystemError.MSVBVM60(008966DA), ref: 0040888B
__vbaNew2.MSVBVM60(00403004,004123C0,008966DA), ref: 004088B3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408918
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000110), ref: 0040897A
__vbaStrMove.MSVBVM60(00000000,?,00403014,00000110), ref: 004089AD
__vbaFreeObj.MSVBVM60(00000000,?,00403014,00000110), ref: 004089B8
#535.MSVBVM60(00000000,?,00403014,00000110), ref: 004089BD
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 004089D8
__vbaObjSetAddref.MSVBVM60(?,00401180), ref: 00408A0B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000010), ref: 00408A46
__vbaFreeObj.MSVBVM60(00000000,?,00402FF4,00000010), ref: 00408A60
__vbaSetSystemError.MSVBVM60(004C5969,008966DA), ref: 00408A75
__vbaNew2.MSVBVM60(00403004,004123C0,004C5969,008966DA), ref: 00408A9D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408B02
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000108), ref: 00408B64
__vbaFreeObj.MSVBVM60(00000000,?,00403014,00000108), ref: 00408B89
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408BA1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00408C06
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000C8), ref: 00408C68
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000C8), ref: 00408C90
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 00408CA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 00408D0D
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,0000001C), ref: 00408D44
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403024,00000060), ref: 00408D8F
__vbaFreeObj.MSVBVM60(00000000,?,00403024,00000060), ref: 00408DA9
__vbaHresultCheckObj.MSVBVM60(?,00401180,00402B0C,000006FC,?,?,?,004C5969,008966DA), ref: 00408E8C
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,000006F8), ref: 00408EF8
__vbaStrCopy.MSVBVM60(00000000,00401180,00402B0C,000006F8), ref: 00408F20
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 00408F68
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 00408F8E
__vbaStrCopy.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 00408F9E
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 00408FE6
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 0040900C
__vbaNew2.MSVBVM60(00402464,00412010), ref: 00409024
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409060
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030F0,000001B8), ref: 004090AD
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 004090D2
__vbaStrVarMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 00409120
__vbaStrMove.MSVBVM60(?,?,5F6BF5A0,?), ref: 0040912D
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,000006FC), ref: 0040916A
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B0C,000006FC), ref: 0040918D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004091A2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,004011F6), ref: 004091B0
__vbaNew2.MSVBVM60(00402464,00412010,?,?,?,?,?,?,?,?,?,004011F6), ref: 004091C8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409204
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403100,00000100), ref: 00409251
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00409276
__vbaI4Var.MSVBVM60(?), ref: 004092A5
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,000006FC), ref: 00409301
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040932E
__vbaFreeVar.MSVBVM60(?,?,?,?,?,00402464,00412010), ref: 0040933C
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402ADC,000002B4), ref: 00409373
__vbaNew2.MSVBVM60(00402464,00412010,00008003,?,?,00000002,?), ref: 0040939A
__vbaObjSet.MSVBVM60(?,00000000), ref: 004093D6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030F0,00000150), ref: 00409423
__vbaStrMove.MSVBVM60(00000000,00000000,004030F0,00000150), ref: 00409456
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 0040949E
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 004094C4
__vbaFreeObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 004094CF
__vbaNew2.MSVBVM60(00402464,00412010,00000000,00401180,00402B0C,00000700), ref: 004094E7
__vbaObjSet.MSVBVM60(?,00000000), ref: 00409523
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004030F0,00000150), ref: 00409570
__vbaStrMove.MSVBVM60(00000000,00000000,004030F0,00000150), ref: 004095A3
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 004095EB
__vbaFreeStr.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 0040960E
__vbaFreeObj.MSVBVM60(00000000,00401180,00402B0C,00000700), ref: 00409619
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00409647
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00409654
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 0040967B

Strings

disuniter, xrefs: 00408EC3
SLAVESJLENE, xrefs: 004092C5
JUVENILT, xrefs: 00408F15
X, xrefs: 004084DA
Holmberry5, xrefs: 00408E50
Enervous, xrefs: 00408DF0
Receptionsassistenter4, xrefs: 00408D55
LYDIA, xrefs: 00408F93

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$Chkstk$ErrorLateListSystem$#536CallCopy$#535#617#703AddrefConstruct2
String ID: Enervous$Holmberry5$JUVENILT$LYDIA$Receptionsassistenter4$SLAVESJLENE$X$disuniter
API String ID: 2543599168-4206013832
Opcode ID: 937c61e4d50819c363d7b335d62d27f7015389d6ff7126195d57dc3bda393ebb
Instruction ID: 95baf80ed235850a6639481e8bde27742c5c137e2d47df5cd5deec38ebc2888b
Opcode Fuzzy Hash: 937c61e4d50819c363d7b335d62d27f7015389d6ff7126195d57dc3bda393ebb
Instruction Fuzzy Hash: B1B206709016289FEB22DF50CD45BDEBBB8BF08705F0050EAE509B62A1DBB85B94DF54

Uniqueness

Uniqueness Score: -1.00%

Function 0041040A, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 34
COMMON

Download Yara Rule

C-Code - Quality: 75%

			E0041040A() {
				void* _t22;
				void* _t32;
				intOrPtr _t33;

				 *((intOrPtr*)(_t32 - 0xc)) = _t33;
				 *((intOrPtr*)(_t32 - 8)) = 0x401198;
				 *((intOrPtr*)(_t32 - 4)) = 0;
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t32 + 8)))) + 4))( *((intOrPtr*)(_t32 + 8)));
				L0040136A();
				 *(_t32 - 0x38) = L"TINCHILL";
				 *((intOrPtr*)(_t32 - 0x40)) = 8;
				L004012CE();
				_push(0);
				_t22 = _t32 - 0x30;
				_push(_t22); // executed
				L004012D4(); // executed
				L004013B2();
				L004013A6();
				 *((intOrPtr*)(_t32 - 0x1c)) =  *0x401190;
				asm("wait");
				_push(0x410492);
				L00401364();
				L00401364();
				return _t22;
			}

0x0041040a
0x0041040d
0x00410414
0x00410423
0x0041042c
0x00410431
0x00410438
0x00410445
0x0041044a
0x0041044c
0x0041044f
0x00410450
0x0041045a
0x00410462
0x0041046d
0x00410470
0x00410471
0x00410484
0x0041048c
0x00410491

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0041042C
__vbaVarDup.MSVBVM60 ref: 00410445
#645.MSVBVM60(?,00000000), ref: 00410450
__vbaStrMove.MSVBVM60(?,00000000), ref: 0041045A
__vbaFreeVar.MSVBVM60(?,00000000), ref: 00410462
__vbaFreeStr.MSVBVM60(00410492,?,00000000), ref: 00410484
__vbaFreeStr.MSVBVM60(00410492,?,00000000), ref: 0041048C

Strings

TINCHILL, xrefs: 00410431

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#645CopyMove
String ID: TINCHILL
API String ID: 666893520-1301385301
Opcode ID: 54c1680a2323871a77d8d4ead5c3575d9ad94ceb9a51ebdeb053cb1259deb2be
Instruction ID: 893c17902c1746db04020758e323e56b4c477a6b5dcf75cbda1f95b8f980adce
Opcode Fuzzy Hash: 54c1680a2323871a77d8d4ead5c3575d9ad94ceb9a51ebdeb053cb1259deb2be
Instruction Fuzzy Hash: 4A01E870910119EBDF04EF91D895AEDBBB4FF04308F40846AF5017B1E1DB785A4ACB48

Uniqueness

Uniqueness Score: -1.00%

Function 004013F0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 26COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013F5

Strings

VB5!6&*, xrefs: 004013F0

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: ad298eca3dc021056ec95c647d4db76b5177e0467e0ca0bc37667d6eb7a70499
Instruction ID: d5e9038491a4d6a6f3cd4b5930523e2f2901524b5875f2305791e6b0bde2073f
Opcode Fuzzy Hash: ad298eca3dc021056ec95c647d4db76b5177e0467e0ca0bc37667d6eb7a70499
Instruction Fuzzy Hash: B7F00B2088E3C20EE317237508649167FB48D8368431A00EBC4C1CF0E3D458184AC322

Uniqueness

Uniqueness Score: -1.00%

Function 00407119, Relevance: 1.5, APIs: 1, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad149e60f6250ed524b01aaf87397c7813cd3437657da310d894555d1ed8fb5
Instruction ID: e91b5ce836ed0338ac32df5cc422907ada3483eeca9e56ba8c2e26f1c401d59e
Opcode Fuzzy Hash: 7ad149e60f6250ed524b01aaf87397c7813cd3437657da310d894555d1ed8fb5
Instruction Fuzzy Hash: D0811163F19B418AFF351028C9D05AD6513DB82344F32863BCE5A33DD5973E29C25A9B

Uniqueness

Uniqueness Score: -1.00%

Function 004070F8, Relevance: 1.5, APIs: 1, Instructions: 250COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17093016d563f7bc5b79c9c4b6be442084adf5170842444b26bc114816cac2f2
Instruction ID: fdc30cc76a9647678457613442921cc584b351ffccb085ebdb3f0a96a64051ae
Opcode Fuzzy Hash: 17093016d563f7bc5b79c9c4b6be442084adf5170842444b26bc114816cac2f2
Instruction Fuzzy Hash: 74811153F09A458AFF351028C9D06AD6513CB82344F32873BCE6A33DD59B3E29C25697

Uniqueness

Uniqueness Score: -1.00%

Function 00407195, Relevance: 1.5, APIs: 1, Instructions: 237COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1c2d5e76eb1e30530acb1f555879e52d11898574f4f1fa71a206d374fa7198
Instruction ID: 810d46b490e666580ff014431396269a8c326084990665447a11e15e8a8ef833
Opcode Fuzzy Hash: 0a1c2d5e76eb1e30530acb1f555879e52d11898574f4f1fa71a206d374fa7198
Instruction Fuzzy Hash: 7F812213F09B4189FF351028C9D05AE6523CB92340F33867BDE5A33DD6963E2AC6569B

Uniqueness

Uniqueness Score: -1.00%

Function 00407154, Relevance: 1.5, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 806a6ece8a15e8549a761d572e84a188a5ed86b0af64b2cbe4443ba7337b254b
Instruction ID: 60016c2e892111523b4cfcc95e3e685cd1ec5420bad776a9d80cdeab0850ae52
Opcode Fuzzy Hash: 806a6ece8a15e8549a761d572e84a188a5ed86b0af64b2cbe4443ba7337b254b
Instruction Fuzzy Hash: 12711F53F09B0586FF351028C9D06AD6113DB82344F32863BDE5A33DC59B3E29D26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 0040728B, Relevance: 1.5, APIs: 1, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 92daf33d74a687983c732dfa95f4dd9c5d6c119e48787363eb19e068e7d32213
Instruction ID: 92946750461c0fc718288b9130cf97732f002473f4c05204558ab30e4e4f56e7
Opcode Fuzzy Hash: 92daf33d74a687983c732dfa95f4dd9c5d6c119e48787363eb19e068e7d32213
Instruction Fuzzy Hash: 9B51FE63F19A0589FF351028C9D05AD6113DB86344F32863BCE5A33DC55B3E2AD26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 004071E9, Relevance: 1.5, APIs: 1, Instructions: 212memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: e7efc53ca056ec5273160caf00b3a6a867169168aaa6cf50f38b87c192db79d5
Instruction ID: 8f573615eedb6b2d5325c5ebecfde74722d7a78b0c4af8c263ca0b69db504ca5
Opcode Fuzzy Hash: e7efc53ca056ec5273160caf00b3a6a867169168aaa6cf50f38b87c192db79d5
Instruction Fuzzy Hash: B3611F63F19B4185FF351028C9D02AD6513DB82344F32863BDE5A33DC19B3E29C26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 00407237, Relevance: 1.5, APIs: 1, Instructions: 206memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 331e4dba63b8de823e47a6cd10d359c0db2c5bab2ea5ad807ed8a169aed67e47
Instruction ID: c4be0389a953337afa7b8c52ccd8e3de00da85403eaa71919291c08f555077de
Opcode Fuzzy Hash: 331e4dba63b8de823e47a6cd10d359c0db2c5bab2ea5ad807ed8a169aed67e47
Instruction Fuzzy Hash: 77611023F19B0585FF351028C9D02AC6513DB82344F32863BDE5A33DD55A3E2AC26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 004072D0, Relevance: 1.5, APIs: 1, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 98ff530934c67565681c6a346ed1e445563a533199846063cf44bfb659e87def
Instruction ID: a49a340715644d672bdc93dbf467395c4475760bb967a6a7460f2841b504a07c
Opcode Fuzzy Hash: 98ff530934c67565681c6a346ed1e445563a533199846063cf44bfb659e87def
Instruction Fuzzy Hash: D9610363F09B4589FF351028C9D01AD6522DF82344F32867BDE5A73CC2963E19D26A9B

Uniqueness

Uniqueness Score: -1.00%

Function 00407319, Relevance: 1.4, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9631e31922de6b503a652badf17f98082904c01cedfbaeb4b99b4958c72d2eb4
Instruction ID: 07918ff626cab690be132ad6084d88c5c96afb62d5391f7787d6355fe475dcb2
Opcode Fuzzy Hash: 9631e31922de6b503a652badf17f98082904c01cedfbaeb4b99b4958c72d2eb4
Instruction Fuzzy Hash: CC51ED63F19B4189FF351028C9D05AD6513DB82344F32863BCE5A33DC55A3E29D2669B

Uniqueness

Uniqueness Score: -1.00%

Function 00407370, Relevance: 1.4, APIs: 1, Instructions: 182memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a49fcd815b2cecc546c64b6051962bac1110422f195c4e4aea59bf4bff68db69
Instruction ID: ce675d4be1494c9c83a8fb09738780b760f9df7262f22ded3ebd59b16fd911dc
Opcode Fuzzy Hash: a49fcd815b2cecc546c64b6051962bac1110422f195c4e4aea59bf4bff68db69
Instruction Fuzzy Hash: AB51FF63F19B4489FF351028CDD05AD6113DB86344F32863BCE5A33DC55A3E29D2669B

Uniqueness

Uniqueness Score: -1.00%

Function 004073C5, Relevance: 1.4, APIs: 1, Instructions: 152memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c3f4913e212053ab5be4e17ab73d042bb12a4be752b721d32502bf1c7c39a737
Instruction ID: 63236a72af91c09cccda930d989b9cd9aefd7c5e661806a059430b380d98d6ea
Opcode Fuzzy Hash: c3f4913e212053ab5be4e17ab73d042bb12a4be752b721d32502bf1c7c39a737
Instruction Fuzzy Hash: 31411363F1D74489FF351028CCD05AD6512CB86380F32863BDA1A23DC19A3E29D26697

Uniqueness

Uniqueness Score: -1.00%

Function 00407415, Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 0cbdf1878244567d183fef9693271b988efafa62acfb6816eca50ab309964204
Instruction ID: a22a75332da91f8c11c323ab63295ef373929c7d7dd8987cd2724847ea72c7a1
Opcode Fuzzy Hash: 0cbdf1878244567d183fef9693271b988efafa62acfb6816eca50ab309964204
Instruction Fuzzy Hash: 17411153F19B4489FF391068CCD42AD2113CBC6344F32863BDA1E23DC25A3E29D2655B

Uniqueness

Uniqueness Score: -1.00%

Function 0040746D, Relevance: 1.4, APIs: 1, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 97b12fe8cb041854978d3350909e5dc70ad9bd0c53aab2034010e40e6d2b3d1b
Instruction ID: f6a7812ff9ea392014fd1def1c02585247e72d3b07623ed3bfb4c42f9876da1c
Opcode Fuzzy Hash: 97b12fe8cb041854978d3350909e5dc70ad9bd0c53aab2034010e40e6d2b3d1b
Instruction Fuzzy Hash: 56412152F1D7418AFF351074C8D45AD2622CF82384F36867FCA5A238C2963E19D2965B

Uniqueness

Uniqueness Score: -1.00%

Function 004074BD, Relevance: 1.4, APIs: 1, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b2e32fef440a155b922c8bb9e58a10520e6a690a199c8cf298689e4a6b16e5fc
Instruction ID: d6727e0a7d35fbf60fbce49b7a985283933483f6f05c1c750dac3be368f8fbff
Opcode Fuzzy Hash: b2e32fef440a155b922c8bb9e58a10520e6a690a199c8cf298689e4a6b16e5fc
Instruction Fuzzy Hash: 0B31D053F19B0585FF392028C8D46AD6113CB92384F32863BDA1A339C16A7E29D2655B

Uniqueness

Uniqueness Score: -1.00%

Function 00407512, Relevance: 1.4, APIs: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3f16f39588e452dd28b762a3660736e9e6638e465a4f8be3ec097ac77783c5f1
Instruction ID: 7c30525a435f35ab117cc5d96dded1551a1d4ec405681ae9be0348bc83067a11
Opcode Fuzzy Hash: 3f16f39588e452dd28b762a3660736e9e6638e465a4f8be3ec097ac77783c5f1
Instruction Fuzzy Hash: 6A312652F1D34189FF255174C8D41AD2622CF82344F36867FCA0A278C29A3F25D7965B

Uniqueness

Uniqueness Score: -1.00%

Function 004075B3, Relevance: 1.4, APIs: 1, Instructions: 105memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: ffd78d702fe96e30d0167e1f11df9367fad91abc20c3dfaffb6c7ce2f84644f4
Instruction ID: 6c33bb29348302123314468c8c1552d683acfe5ad04b3cc2e042436367efe08d
Opcode Fuzzy Hash: ffd78d702fe96e30d0167e1f11df9367fad91abc20c3dfaffb6c7ce2f84644f4
Instruction Fuzzy Hash: A4216F52F2970445FF392068C9E42AD6112DF96384F32867BDE1B338C16B3E2AD29657

Uniqueness

Uniqueness Score: -1.00%

Function 00407561, Relevance: 1.4, APIs: 1, Instructions: 103memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 935392498d60973d2847a4c0f9a4b05b7ee59c792266e49a627a24c7e43b44ff
Instruction ID: 796df9e334b070cf276edf25705a7b42f046bdbb80be2809575e07df44dad992
Opcode Fuzzy Hash: 935392498d60973d2847a4c0f9a4b05b7ee59c792266e49a627a24c7e43b44ff
Instruction Fuzzy Hash: CA31E162F1970549FF391068C8E42AD7112DF82384F32867FDA0B238D26B3E29D29657

Uniqueness

Uniqueness Score: -1.00%

Function 0040760D, Relevance: 1.3, APIs: 1, Instructions: 81memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(-000BD099,00008000,-003C64F4,-001D33DF), ref: 00407645

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: cc757328d89774066b39999a105ba82cc2ba5eee3249530ce0e37a5d480cf4d5
Instruction ID: e25547ebe67bc9b2b83ec77105a6d253efceb80d46137183aafccc1b5a784e1e
Opcode Fuzzy Hash: cc757328d89774066b39999a105ba82cc2ba5eee3249530ce0e37a5d480cf4d5
Instruction Fuzzy Hash: 1F11B652E2974449FF392168C8E81BD3511DF86394F32857FDA0B338C25A7E29C29657

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 029F0CE5, Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6edae4fa982463c7eddd62ed7cc425c3860027cee0856a88d19a03fb36889431
Instruction ID: 85dd74d36912f06f6a8ee99229b77f977fd6bf7567aa36600cf3aace74166f38
Opcode Fuzzy Hash: 6edae4fa982463c7eddd62ed7cc425c3860027cee0856a88d19a03fb36889431
Instruction Fuzzy Hash: DB1227B1740306AFEBA49F28CC90FD977A6FF45750F544228EE98972C0C778A8958B94

Uniqueness

Uniqueness Score: -1.00%

Function 029F3118, Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 630b4044eb84ab0a9d8def2546d133dbdf10fb965a49ed6ff277c73da66dacb3
Instruction ID: d0f42699249ed7d01e96d16fc207630df898386e422fbf3137929a36a899b2f9
Opcode Fuzzy Hash: 630b4044eb84ab0a9d8def2546d133dbdf10fb965a49ed6ff277c73da66dacb3
Instruction Fuzzy Hash: 7D81B524A043C28FDFA1DF28C4D4755BB95AF52360F88C2D9DAE58F2E6D7788442C726

Uniqueness

Uniqueness Score: -1.00%

Function 0040157B, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 029F2DBA, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 409e9b63c17c0b0d7ac679238359892bca25db827f479b84420dd71322952e24
Instruction ID: 51dac3a39a52c15c2f6eb33a11eae6cc712d918b283d68c31079e541ab3de770
Opcode Fuzzy Hash: 409e9b63c17c0b0d7ac679238359892bca25db827f479b84420dd71322952e24
Instruction Fuzzy Hash: 1F3179319002015FE7F55B6889843E6768EEF8B364F700239EEA5931C4E3A898C2C796

Uniqueness

Uniqueness Score: -1.00%

Function 029F1EC9, Relevance: .1, Instructions: 126COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 31f8cb25ace3a6dbc8720f2cafb37df4762917b233d1df96f87b377d5cc7003e
Instruction ID: 222a5eb0fd19f0dfb81ac89e4b3174192f8cb469126ce08d37d326be39ff6935
Opcode Fuzzy Hash: 31f8cb25ace3a6dbc8720f2cafb37df4762917b233d1df96f87b377d5cc7003e
Instruction Fuzzy Hash: 76419171280387AEEBF14E64CD84BED3A56EF04350F508425EE4E9A584E7B689C4DB11

Uniqueness

Uniqueness Score: -1.00%

Function 029F1E0F, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: db8791a89a076c2d5640eec10d5893883e1c5b0ce8547efd781b0733036896bc
Instruction ID: 2eb7b6a960335ffb40ea01ab378e563b5fde018fea4872939c86c72b91987146
Opcode Fuzzy Hash: db8791a89a076c2d5640eec10d5893883e1c5b0ce8547efd781b0733036896bc
Instruction Fuzzy Hash: F4213034A047898BCBB0AFB4D9A43CC3753BF8A350F94422ECD8A9B294D7718581CB52

Uniqueness

Uniqueness Score: -1.00%

Function 004017B7, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 029F1127, Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32cd4315fe74780fe3068de6a945bc07f1bac8cdba06ee3ed9473d21d739b95b
Instruction ID: c527718807078e313e12a493d204bddd4f234f9f7e5666ddbbc1adfe3d3a6c9d
Opcode Fuzzy Hash: 32cd4315fe74780fe3068de6a945bc07f1bac8cdba06ee3ed9473d21d739b95b
Instruction Fuzzy Hash: 9B11A170380381FEEBA4AF20CC95FD4B7A2BF55B50F548469EE899B1C0C379A884CB45

Uniqueness

Uniqueness Score: -1.00%

Function 0040176A, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 029F2D21, Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 37888fbd1b3afb63eb863ce2255adfde02446dc6e2df130f1cf316f8559b4fb2
Instruction ID: 05ff2d75ae3b9ee4f7e8d665eccdf01aca075a368f95399c7cd6da320461b142
Opcode Fuzzy Hash: 37888fbd1b3afb63eb863ce2255adfde02446dc6e2df130f1cf316f8559b4fb2
Instruction Fuzzy Hash: CCE012727112018FC799DB14C5C4F667369EF99710F568866EA05CB225C734EC50CB14

Uniqueness

Uniqueness Score: -1.00%

Function 029F2C97, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c38f98cf8afde6c21ebed619ec6c5cc869697061ac5cbc84b6c531d1ca33431
Instruction ID: 4ea59e5f3cfa933d9a450b1331f45d8526cddf1701bafce551d7a27d0bc467ea
Opcode Fuzzy Hash: 7c38f98cf8afde6c21ebed619ec6c5cc869697061ac5cbc84b6c531d1ca33431
Instruction Fuzzy Hash: A9A002AA21615649D3A2416456087C6A44557663A1F20C5312909D5189F5DECD94A069

Uniqueness

Uniqueness Score: -1.00%

Function 029F1885, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1e61eebe7347633efebe0dfc35614e25f53531dac65f50693b35a44a9e7663f
Instruction ID: e6cf5c31ac034bd7fdf526c8c83856a14079859202b6f4c1ff735f2df4b4c3b1
Opcode Fuzzy Hash: b1e61eebe7347633efebe0dfc35614e25f53531dac65f50693b35a44a9e7663f
Instruction Fuzzy Hash: 9FB092B62415818FEF06CA08C491B4473E0FB04644B0804E0E003CBB51D228ED40CA00

Uniqueness

Uniqueness Score: -1.00%

Function 029F2AD8, Relevance: .0, Instructions: 5COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456c44615becbbf92c14a0b6d0f506b960fb2701593c6136c14eaeba68d6327
Instruction ID: bd705d07828b39f580eb5c0475f40883a7ebfd01c59f2cad520cafd0806f7d92
Opcode Fuzzy Hash: 3456c44615becbbf92c14a0b6d0f506b960fb2701593c6136c14eaeba68d6327
Instruction Fuzzy Hash: 60B002752516448FC655CA19C1A0E4577A5BB45690F915490E4518BA11C264E9548911

Uniqueness

Uniqueness Score: -1.00%

Function 029F375D, Relevance: .0, Instructions: 3COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.767064760.00000000029F0000.00000040.00000001.sdmp, Offset: 029F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0c8f37602407b42b35ef7aacf05cc312efe666885c06882f1515a6558f2bd5d
Instruction ID: 4573e360562278d28744abafb709674ac9cabb185852673af0797beae4900924
Opcode Fuzzy Hash: e0c8f37602407b42b35ef7aacf05cc312efe666885c06882f1515a6558f2bd5d
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 004104B9, Relevance: 57.4, APIs: 38, Instructions: 368
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004104B9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v40;
				signed int _v44;
				char _v48;
				char _v52;
				signed int _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				intOrPtr _v128;
				intOrPtr _v136;
				intOrPtr _v144;
				intOrPtr _v152;
				void* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				intOrPtr* _v216;
				signed int _v220;
				signed int _v224;
				intOrPtr* _v228;
				signed int _v232;
				intOrPtr* _v236;
				signed int _v240;
				signed int _v244;
				intOrPtr* _v248;
				signed int _v252;
				intOrPtr* _v256;
				signed int _v260;
				signed int _t172;
				char* _t178;
				signed int _t184;
				signed int _t189;
				char* _t194;
				signed int _t198;
				signed int _t204;
				signed int _t208;
				char* _t214;
				signed int _t218;
				signed int _t231;
				void* _t271;
				void* _t273;
				intOrPtr _t274;

				_t274 = _t273 - 0xc;
				 *[fs:0x0] = _t274;
				L004011F0();
				_v16 = _t274;
				_v12 = 0x4011a8;
				_v8 = 0;
				_t172 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t271);
				L0040136A();
				_push(1);
				_push(0x402fe0);
				_push(0x402fe0);
				L004013BE();
				L004013B2();
				_push(_t172);
				L004012C2();
				L004013B2();
				_push(_t172);
				_push(0x402fe0);
				L004012C8();
				asm("sbb eax, eax");
				_v172 =  ~( ~( ~_t172));
				_push( &_v48);
				_push( &_v44);
				_push(2);
				L0040131C();
				_t178 = _v172;
				if(_t178 != 0) {
					if( *0x4123c0 != 0) {
						_v216 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v216 = 0x4123c0;
					}
					_v172 =  *_v216;
					_t184 =  *((intOrPtr*)( *_v172 + 0x14))(_v172,  &_v52);
					asm("fclex");
					_v176 = _t184;
					if(_v176 >= 0) {
						_v220 = _v220 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v172);
						_push(_v176);
						L00401394();
						_v220 = _t184;
					}
					_v180 = _v52;
					_t189 =  *((intOrPtr*)( *_v180 + 0xe0))(_v180,  &_v44);
					asm("fclex");
					_v184 = _t189;
					if(_v184 >= 0) {
						_v224 = _v224 & 0x00000000;
					} else {
						_push(0xe0);
						_push(0x403014);
						_push(_v180);
						_push(_v184);
						L00401394();
						_v224 = _t189;
					}
					_v204 = _v44;
					_v44 = _v44 & 0x00000000;
					L004013B2();
					L00401382();
					if( *0x412010 != 0) {
						_v228 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402464);
						L00401388();
						_v228 = 0x412010;
					}
					_t194 =  &_v52;
					L00401358();
					_v172 = _t194;
					_t198 =  *((intOrPtr*)( *_v172 + 0x48))(_v172,  &_v44, _t194,  *((intOrPtr*)( *((intOrPtr*)( *_v228)) + 0x30c))( *_v228));
					asm("fclex");
					_v176 = _t198;
					if(_v176 >= 0) {
						_v232 = _v232 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40317c);
						_push(_v172);
						_push(_v176);
						L00401394();
						_v232 = _t198;
					}
					if( *0x4123c0 != 0) {
						_v236 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v236 = 0x4123c0;
					}
					_v180 =  *_v236;
					_t204 =  *((intOrPtr*)( *_v180 + 0x14))(_v180,  &_v56);
					asm("fclex");
					_v184 = _t204;
					if(_v184 >= 0) {
						_v240 = _v240 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x402ff4);
						_push(_v180);
						_push(_v184);
						L00401394();
						_v240 = _t204;
					}
					_v188 = _v56;
					_t208 =  *((intOrPtr*)( *_v188 + 0x138))(_v188, _v44, 1);
					asm("fclex");
					_v192 = _t208;
					if(_v192 >= 0) {
						_v244 = _v244 & 0x00000000;
					} else {
						_push(0x138);
						_push(0x403014);
						_push(_v188);
						_push(_v192);
						L00401394();
						_v244 = _t208;
					}
					L00401364();
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L0040134C();
					if( *0x412010 != 0) {
						_v248 = 0x412010;
					} else {
						_push(0x412010);
						_push(0x402464);
						L00401388();
						_v248 = 0x412010;
					}
					_t214 =  &_v52;
					L00401358();
					_v172 = _t214;
					_t218 =  *((intOrPtr*)( *_v172 + 0x50))(_v172,  &_v44, _t214,  *((intOrPtr*)( *((intOrPtr*)( *_v248)) + 0x310))( *_v248));
					asm("fclex");
					_v176 = _t218;
					if(_v176 >= 0) {
						_v252 = _v252 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40317c);
						_push(_v172);
						_push(_v176);
						L00401394();
						_v252 = _t218;
					}
					if( *0x4123c0 != 0) {
						_v256 = 0x4123c0;
					} else {
						_push(0x4123c0);
						_push(0x403004);
						L00401388();
						_v256 = 0x4123c0;
					}
					_v180 =  *_v256;
					_v144 = 0x5a0eba;
					_v152 = 3;
					_v128 = 0x67f6f8;
					_v136 = 3;
					_v112 = 0x18;
					_v120 = 2;
					_v96 = 0x53c0ac;
					_v104 = 3;
					_v208 = _v44;
					_v44 = _v44 & 0x00000000;
					_v64 = _v208;
					_v72 = 8;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t231 =  *((intOrPtr*)( *_v180 + 0x44))(_v180, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v56);
					asm("fclex");
					_v184 = _t231;
					if(_v184 >= 0) {
						_v260 = _v260 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x402ff4);
						_push(_v180);
						_push(_v184);
						L00401394();
						_v260 = _t231;
					}
					_v212 = _v56;
					_v56 = _v56 & 0x00000000;
					_v80 = _v212;
					_v88 = 9;
					_push(0x10);
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L0040137C();
					L00401382();
					_push( &_v88);
					_t178 =  &_v72;
					_push(_t178);
					_push(2);
					L004013B8();
				}
				_v32 = 0x485fa3;
				_push(0x410aae);
				L00401364();
				L00401364();
				L00401382();
				return _t178;
			}

0x004104bc
0x004104cb
0x004104d7
0x004104df
0x004104e2
0x004104e9
0x004104f8
0x00410501
0x00410506
0x00410508
0x0041050d
0x00410512
0x0041051c
0x00410521
0x00410522
0x0041052c
0x00410531
0x00410532
0x00410537
0x0041053e
0x00410544
0x0041054e
0x00410552
0x00410553
0x00410555
0x0041055d
0x00410566
0x00410573
0x00410590
0x00410575
0x00410575
0x0041057a
0x0041057f
0x00410584
0x00410584
0x004105a2
0x004105ba
0x004105bd
0x004105bf
0x004105cc
0x004105ee
0x004105ce
0x004105ce
0x004105d0
0x004105d5
0x004105db
0x004105e1
0x004105e6
0x004105e6
0x004105f8
0x00410610
0x00410616
0x00410618
0x00410625
0x0041064a
0x00410627
0x00410627
0x0041062c
0x00410631
0x00410637
0x0041063d
0x00410642
0x00410642
0x00410654
0x0041065a
0x00410667
0x0041066f
0x0041067b
0x00410698
0x0041067d
0x0041067d
0x00410682
0x00410687
0x0041068c
0x0041068c
0x004106bc
0x004106c0
0x004106c5
0x004106dd
0x004106e0
0x004106e2
0x004106ef
0x00410711
0x004106f1
0x004106f1
0x004106f3
0x004106f8
0x004106fe
0x00410704
0x00410709
0x00410709
0x0041071f
0x0041073c
0x00410721
0x00410721
0x00410726
0x0041072b
0x00410730
0x00410730
0x0041074e
0x00410766
0x00410769
0x0041076b
0x00410778
0x0041079a
0x0041077a
0x0041077a
0x0041077c
0x00410781
0x00410787
0x0041078d
0x00410792
0x00410792
0x004107a4
0x004107bd
0x004107c3
0x004107c5
0x004107d2
0x004107f7
0x004107d4
0x004107d4
0x004107d9
0x004107de
0x004107e4
0x004107ea
0x004107ef
0x004107ef
0x00410801
0x00410809
0x0041080d
0x0041080e
0x00410810
0x0041081f
0x0041083c
0x00410821
0x00410821
0x00410826
0x0041082b
0x00410830
0x00410830
0x00410860
0x00410864
0x00410869
0x00410881
0x00410884
0x00410886
0x00410893
0x004108b5
0x00410895
0x00410895
0x00410897
0x0041089c
0x004108a2
0x004108a8
0x004108ad
0x004108ad
0x004108c3
0x004108e0
0x004108c5
0x004108c5
0x004108ca
0x004108cf
0x004108d4
0x004108d4
0x004108f2
0x004108f8
0x00410902
0x0041090c
0x00410913
0x0041091d
0x00410924
0x0041092b
0x00410932
0x0041093c
0x00410942
0x0041094c
0x0041094f
0x0041095d
0x0041096a
0x0041096b
0x0041096c
0x0041096d
0x00410971
0x0041097e
0x0041097f
0x00410980
0x00410981
0x00410985
0x0041098f
0x00410990
0x00410991
0x00410992
0x00410996
0x004109a0
0x004109a1
0x004109a2
0x004109a3
0x004109a7
0x004109b1
0x004109b2
0x004109b3
0x004109b4
0x004109c3
0x004109c6
0x004109c8
0x004109d5
0x004109f7
0x004109d7
0x004109d7
0x004109d9
0x004109de
0x004109e4
0x004109ea
0x004109ef
0x004109ef
0x00410a01
0x00410a07
0x00410a11
0x00410a14
0x00410a1b
0x00410a1e
0x00410a28
0x00410a29
0x00410a2a
0x00410a2b
0x00410a2c
0x00410a2e
0x00410a31
0x00410a39
0x00410a41
0x00410a42
0x00410a45
0x00410a46
0x00410a48
0x00410a4d
0x00410a50
0x00410a57
0x00410a98
0x00410aa0
0x00410aa8
0x00410aad

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 004104D7
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410501
__vbaStrCat.MSVBVM60(00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410512
__vbaStrMove.MSVBVM60(00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 0041051C
#616.MSVBVM60(00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410522
__vbaStrMove.MSVBVM60(00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 0041052C
__vbaStrCmp.MSVBVM60(00402FE0,00000000,00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410537
__vbaFreeStrList.MSVBVM60(00000002,00402FE0,00402FE0,00402FE0,00000000,00000000,00402FE0,00402FE0,00000001,?,?,?,?,004011F6), ref: 00410555
__vbaNew2.MSVBVM60(00403004,004123C0,?,?,004011F6), ref: 0041057F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 004105E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000E0), ref: 0041063D
__vbaStrMove.MSVBVM60(00000000,?,00403014,000000E0), ref: 00410667
__vbaFreeObj.MSVBVM60(00000000,?,00403014,000000E0), ref: 0041066F
__vbaNew2.MSVBVM60(00402464,00412010), ref: 00410687
__vbaObjSet.MSVBVM60(?,00000000), ref: 004106C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040317C,00000048), ref: 00410704
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 0041072B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 0041078D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,00000138), ref: 004107EA
__vbaFreeStr.MSVBVM60(00000000,?,00403014,00000138), ref: 00410801
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410810
__vbaNew2.MSVBVM60(00402464,00412010,?,?,?,?,?,004011F6), ref: 0041082B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410864
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040317C,00000050), ref: 004108A8
__vbaNew2.MSVBVM60(00403004,004123C0), ref: 004108CF
__vbaChkstk.MSVBVM60(?), ref: 0041095D
__vbaChkstk.MSVBVM60(?), ref: 00410971
__vbaChkstk.MSVBVM60(?), ref: 00410985
__vbaChkstk.MSVBVM60(?), ref: 00410996
__vbaChkstk.MSVBVM60(?), ref: 004109A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000044), ref: 004109EA
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410A1E
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00410A31
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00410A39
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 00410A48
__vbaFreeStr.MSVBVM60(00410AAE), ref: 00410A98
__vbaFreeStr.MSVBVM60(00410AAE), ref: 00410AA0
__vbaFreeObj.MSVBVM60(00410AAE), ref: 00410AA8

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$New2$ListMove$#616CopyLate
String ID:
API String ID: 709077215-0
Opcode ID: 50c0877a618d521e69fd2889432b80bf9725d6a0abb2604fd799ddc16d24afe2
Instruction ID: 21abc154211bbd367b968c1fb7b84091b1262ce023f2c8c133c69e52ded64e13
Opcode Fuzzy Hash: 50c0877a618d521e69fd2889432b80bf9725d6a0abb2604fd799ddc16d24afe2
Instruction Fuzzy Hash: C9F12670900218EFDB20DF61C945BDDBBB5BF09304F1040AAEA09BB2A1D7B85AD59F59

Uniqueness

Uniqueness Score: -1.00%

Function 00410D5C, Relevance: 42.2, APIs: 28, Instructions: 178
COMMON

Download Yara Rule

C-Code - Quality: 46%

			E00410D5C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v56;
				char _v72;
				char _v88;
				void* _v104;
				char _v120;
				char _v124;
				intOrPtr _v132;
				char _v140;
				intOrPtr _v148;
				char _v156;
				short _v164;
				char _v172;
				char _v188;
				char _v204;
				signed int _v212;
				char _v220;
				intOrPtr _v228;
				char _v236;
				char _v252;
				char _v268;
				char _v284;
				intOrPtr _v296;
				char* _t83;
				char* _t86;
				char* _t90;
				char* _t94;
				char* _t97;
				char* _t99;
				short _t103;
				char* _t115;
				char* _t119;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L004011F0();
				_v16 = _t143;
				_v12 = 0x4011e0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t140);
				L004012BC();
				_push( &_v252);
				_t83 =  &_v72;
				_push(_t83);
				L004012B6();
				if(_t83 == 0) {
					_push( &_v252);
					_t86 =  &_v88;
					_push(_t86);
					L004012B6();
					if(_t86 != 0) {
						_v212 = _v212 | 0xffffffff;
						_v220 = 2;
						_v228 = 1;
						_v236 = 2;
						_push( &_v220);
						_push( &_v236);
						_push( &_v120);
						_t94 =  &_v140;
						_push(_t94);
						L004012AA();
						_push(_t94);
						_push( &_v284);
						_push( &_v268);
						_t97 =  &_v40;
						_push(_t97);
						L004012B0();
						_v296 = _t97;
						while(_v296 != 0) {
							_v132 = 1;
							_v140 = 2;
							_push( &_v140);
							_t99 =  &_v40;
							_push(_t99);
							L00401346();
							_push(_t99);
							_push( &_v120);
							_push( &_v156);
							L00401292();
							_push( &_v156);
							_t103 =  &_v124;
							_push(_t103);
							L00401298();
							_push(_t103);
							L0040129E();
							_v164 = _t103;
							_v172 = 2;
							_push( &_v172);
							_push( &_v188);
							L004012A4();
							_push( &_v56);
							_push( &_v188);
							_push( &_v204);
							L0040133A();
							L00401340();
							L00401364();
							_push( &_v188);
							_push( &_v172);
							_push( &_v156);
							_push( &_v140);
							_push(4);
							L004013B8();
							_t143 = _t143 + 0x14;
							_push( &_v284);
							_push( &_v268);
							_t115 =  &_v40;
							_push(_t115);
							L0040128C();
							_v296 = _t115;
						}
						_v148 = 0x80020004;
						_v156 = 0xa;
						_v212 = 0x40323c;
						_v220 = 8;
						_push(1);
						_push(1);
						_push( &_v156);
						_push( &_v220);
						_push( &_v56);
						_t119 =  &_v140;
						_push(_t119);
						L0040133A();
						_push(_t119);
						L00401286();
						_v164 = _t119;
						_v172 = 8;
						L00401340();
						_push( &_v156);
						_push( &_v140);
						_push(2);
						L004013B8();
						_t143 = _t143 + 0xc;
					}
				} else {
					L004012BC();
				}
				_push(0x41104c);
				_push( &_v284);
				_push( &_v268);
				_t90 =  &_v252;
				_push(_t90);
				_push(3);
				L004013B8();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				L004013A6();
				return _t90;
			}

0x00410d5f
0x00410d6e
0x00410d7a
0x00410d82
0x00410d85
0x00410d8c
0x00410d9b
0x00410da7
0x00410db2
0x00410db3
0x00410db6
0x00410db7
0x00410dc1
0x00410dd9
0x00410dda
0x00410ddd
0x00410dde
0x00410de8
0x00410dee
0x00410df5
0x00410dff
0x00410e09
0x00410e19
0x00410e20
0x00410e24
0x00410e25
0x00410e2b
0x00410e2c
0x00410e31
0x00410e38
0x00410e3f
0x00410e40
0x00410e43
0x00410e44
0x00410e49
0x00410f2c
0x00410e54
0x00410e5b
0x00410e6b
0x00410e6c
0x00410e6f
0x00410e70
0x00410e75
0x00410e79
0x00410e80
0x00410e81
0x00410e8c
0x00410e8d
0x00410e90
0x00410e91
0x00410e96
0x00410e97
0x00410e9c
0x00410ea3
0x00410eb3
0x00410eba
0x00410ebb
0x00410ec3
0x00410eca
0x00410ed1
0x00410ed2
0x00410edc
0x00410ee4
0x00410eef
0x00410ef6
0x00410efd
0x00410f04
0x00410f05
0x00410f07
0x00410f0c
0x00410f15
0x00410f1c
0x00410f1d
0x00410f20
0x00410f21
0x00410f26
0x00410f26
0x00410f39
0x00410f43
0x00410f4d
0x00410f57
0x00410f61
0x00410f63
0x00410f6b
0x00410f72
0x00410f76
0x00410f77
0x00410f7d
0x00410f7e
0x00410f83
0x00410f84
0x00410f89
0x00410f8f
0x00410fa2
0x00410fad
0x00410fb4
0x00410fb5
0x00410fb7
0x00410fbc
0x00410fbc
0x00410dc3
0x00410dc9
0x00410dc9
0x00410fbf
0x00411002
0x00411009
0x0041100a
0x00411010
0x00411011
0x00411013
0x0041101e
0x00411026
0x0041102e
0x00411036
0x0041103e
0x00411046
0x0041104b

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410D7A
__vbaVarCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410DA7
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410DB7
__vbaVarCopy.MSVBVM60(?,?,?,?,?,?,004011F6), ref: 00410DC9
__vbaVarTstEq.MSVBVM60(?,?,?,?,?,?,?,?,004011F6), ref: 00410DDE
__vbaLenVar.MSVBVM60(?,?,00000002,00000002), ref: 00410E2C
__vbaVarForInit.MSVBVM60(?,?,?,00000000,?,?,00000002,00000002), ref: 00410E44
__vbaVarAdd.MSVBVM60(?,?,00000008,0000000A,00000001,00000001), ref: 00410F7E
#650.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410F84
__vbaVarMove.MSVBVM60(00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410FA2
__vbaFreeVarList.MSVBVM60(00000002,?,0000000A,00000000,?,?,00000008,0000000A,00000001,00000001), ref: 00410FB7
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,0041104C,?,?,?,?,?,?,?,?,004011F6), ref: 00411013
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041101E
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411026
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041102E
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411036
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 0041103E
__vbaFreeVar.MSVBVM60(?,?,?,004011F6), ref: 00411046

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CopyList$#650ChkstkInitMove
String ID:
API String ID: 4075068740-0
Opcode ID: 29914212bc63a11e773de09b3860eca94a806af7a9a241dfb1cb2ea8ca46d89f
Instruction ID: 9ab08e3f08da333d3873bc0845e5d97effea3911108fae3c671cef8fd1f41e64
Opcode Fuzzy Hash: 29914212bc63a11e773de09b3860eca94a806af7a9a241dfb1cb2ea8ca46d89f
Instruction Fuzzy Hash: 0D71CFB180021C9ADB51DB91CD86FDEB7BCAF04304F5081EBA509F6191EF78AB898F55

Uniqueness

Uniqueness Score: -1.00%

Function 00410AD5, Relevance: 19.6, APIs: 13, Instructions: 125
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00410AD5(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				void* _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _t70;
				signed int _t75;
				char* _t80;
				signed int _t84;
				short _t85;
				intOrPtr _t103;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t103;
				_push(0x44);
				L004011F0();
				_v12 = _t103;
				_v8 = 0x4011b8;
				L0040136A();
				if( *0x4123c0 != 0) {
					_v72 = 0x4123c0;
				} else {
					_push(0x4123c0);
					_push(0x403004);
					L00401388();
					_v72 = 0x4123c0;
				}
				_v48 =  *_v72;
				_t70 =  *((intOrPtr*)( *_v48 + 0x14))(_v48,  &_v40);
				asm("fclex");
				_v52 = _t70;
				if(_v52 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402ff4);
					_push(_v48);
					_push(_v52);
					L00401394();
					_v76 = _t70;
				}
				_v56 = _v40;
				_t75 =  *((intOrPtr*)( *_v56 + 0xe8))(_v56,  &_v36);
				asm("fclex");
				_v60 = _t75;
				if(_v60 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x403014);
					_push(_v56);
					_push(_v60);
					L00401394();
					_v80 = _t75;
				}
				_v68 = _v36;
				_v36 = _v36 & 0x00000000;
				L004013B2();
				L00401382();
				if( *0x412010 != 0) {
					_v84 = 0x412010;
				} else {
					_push(0x412010);
					_push(0x402464);
					L00401388();
					_v84 = 0x412010;
				}
				_t80 =  &_v40;
				L00401358();
				_v48 = _t80;
				_t84 =  *((intOrPtr*)( *_v48 + 0xf8))(_v48,  &_v44, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x300))( *_v84));
				asm("fclex");
				_v52 = _t84;
				if(_v52 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403100);
					_push(_v48);
					_push(_v52);
					L00401394();
					_v88 = _t84;
				}
				_t85 = _v44;
				_v24 = _t85;
				L00401382();
				_push(0x410c8c);
				L00401364();
				L00401364();
				return _t85;
			}

0x00410ada
0x00410ae5
0x00410ae6
0x00410aed
0x00410af0
0x00410af8
0x00410afb
0x00410b08
0x00410b14
0x00410b2e
0x00410b16
0x00410b16
0x00410b1b
0x00410b20
0x00410b25
0x00410b25
0x00410b3a
0x00410b49
0x00410b4c
0x00410b4e
0x00410b55
0x00410b6e
0x00410b57
0x00410b57
0x00410b59
0x00410b5e
0x00410b61
0x00410b64
0x00410b69
0x00410b69
0x00410b75
0x00410b84
0x00410b8a
0x00410b8c
0x00410b93
0x00410baf
0x00410b95
0x00410b95
0x00410b9a
0x00410b9f
0x00410ba2
0x00410ba5
0x00410baa
0x00410baa
0x00410bb6
0x00410bb9
0x00410bc3
0x00410bcb
0x00410bd7
0x00410bf1
0x00410bd9
0x00410bd9
0x00410bde
0x00410be3
0x00410be8
0x00410be8
0x00410c0c
0x00410c10
0x00410c15
0x00410c24
0x00410c2a
0x00410c2c
0x00410c33
0x00410c4f
0x00410c35
0x00410c35
0x00410c3a
0x00410c3f
0x00410c42
0x00410c45
0x00410c4a
0x00410c4a
0x00410c53
0x00410c57
0x00410c5e
0x00410c63
0x00410c7e
0x00410c86
0x00410c8b

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410AF0
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 00410B08
__vbaNew2.MSVBVM60(00403004,004123C0,?,?,?,?,004011F6), ref: 00410B20
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000014), ref: 00410B64
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000E8), ref: 00410BA5
__vbaStrMove.MSVBVM60 ref: 00410BC3
__vbaFreeObj.MSVBVM60 ref: 00410BCB
__vbaNew2.MSVBVM60(00402464,00412010), ref: 00410BE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410C10
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403100,000000F8), ref: 00410C45
__vbaFreeObj.MSVBVM60 ref: 00410C5E
__vbaFreeStr.MSVBVM60(00410C8C), ref: 00410C7E
__vbaFreeStr.MSVBVM60(00410C8C), ref: 00410C86

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$ChkstkCopyMove
String ID:
API String ID: 4110455518-0
Opcode ID: 455f466b2f09b6be174b2fed120ae2c6de98646bfc17f39d4f8117017e11020d
Instruction ID: 16e3a6cfb89f2eda43c2fb955475d184cb225f178cb80604778d0b483c8c7b67
Opcode Fuzzy Hash: 455f466b2f09b6be174b2fed120ae2c6de98646bfc17f39d4f8117017e11020d
Instruction Fuzzy Hash: 3C51F370D00208AFDB04DFE5C985BDDBBB4BF08709F20852AF501B72A0D7B86995DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00401B60, Relevance: 18.1, APIs: 12, Instructions: 104COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?), ref: 00410971
__vbaChkstk.MSVBVM60(?), ref: 00410985
__vbaChkstk.MSVBVM60(?), ref: 00410996
__vbaChkstk.MSVBVM60(?), ref: 004109A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402FF4,00000044), ref: 004109EA
__vbaChkstk.MSVBVM60(00000000,?,00402FF4,00000044), ref: 00410A1E
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00410A31
__vbaFreeObj.MSVBVM60(?,00000000), ref: 00410A39
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009,?,00000000), ref: 00410A48
__vbaFreeStr.MSVBVM60(00410AAE), ref: 00410A98
__vbaFreeStr.MSVBVM60(00410AAE), ref: 00410AA0
__vbaFreeObj.MSVBVM60(00410AAE), ref: 00410AA8

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresultLateList
String ID:
API String ID: 2752720002-0
Opcode ID: bf71db307800a7d1f6d00aeb370325482533090ab7fa64810cb49e8b43837a6e
Instruction ID: 46ed5267665a5ce0931d968784214bd66346cd94e8025f3039cb82d6b5972478
Opcode Fuzzy Hash: bf71db307800a7d1f6d00aeb370325482533090ab7fa64810cb49e8b43837a6e
Instruction Fuzzy Hash: EF316F318107189BDB12EFA5C802BDE77B26F09314F1005AABA00BF1E2C7F95A859B55

Uniqueness

Uniqueness Score: -1.00%

Function 00410CA9, Relevance: 7.5, APIs: 5, Instructions: 38
COMMON

Download Yara Rule

C-Code - Quality: 80%

			E00410CA9(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				void* _v36;
				char _v44;
				char _v52;
				char* _t19;
				void* _t27;
				void* _t29;
				intOrPtr _t30;

				_t30 = _t29 - 0xc;
				 *[fs:0x0] = _t30;
				L004011F0();
				_v16 = _t30;
				_v12 = 0x4011d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x4011f6, _t27);
				_v44 = 2;
				_v52 = 2;
				_t19 =  &_v52;
				_push(_t19);
				L004013AC();
				L004013B2();
				L004013A6();
				_v32 =  *0x4011c8;
				asm("wait");
				_push(0x410d35);
				L00401364();
				return _t19;
			}

0x00410cac
0x00410cbb
0x00410cc5
0x00410ccd
0x00410cd0
0x00410cd7
0x00410ce6
0x00410ce9
0x00410cf0
0x00410cf7
0x00410cfa
0x00410cfb
0x00410d05
0x00410d0d
0x00410d18
0x00410d1b
0x00410d1c
0x00410d2f
0x00410d34

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 00410CC5
#536.MSVBVM60(00000002), ref: 00410CFB
__vbaStrMove.MSVBVM60(00000002), ref: 00410D05
__vbaFreeVar.MSVBVM60(00000002), ref: 00410D0D
__vbaFreeStr.MSVBVM60(00410D35,00000002), ref: 00410D2F

Memory Dump Source

Source File: 00000001.00000002.761865369.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.761821637.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.762027259.0000000000412000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.762074895.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#536ChkstkMove
String ID:
API String ID: 2104488870-0
Opcode ID: 632ae273f27fa686ee252422aa86f0a73c4132722e5699eb3d0cfe8180a281e6
Instruction ID: 630cd64aa8ff487f9fbb6df132e944be8b69921dc5f8c15f70ce45abdc089d46
Opcode Fuzzy Hash: 632ae273f27fa686ee252422aa86f0a73c4132722e5699eb3d0cfe8180a281e6
Instruction Fuzzy Hash: EE014F71810208ABDB04EF95DD86FDEBBB4BF08704F40842AF501BB1A1DBBC6544CB59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report NP__000009116_11-05-2021_08_40_37.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: NP__000009116_11-05-2021_08_40_37.exe PID: 480 Parent PID: 5648

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: NP__000009116_11-05-2021_08_40_37.exe PID: 480 Parent PID: 5648 NP__000009116_11-05-2021_08_40_37.exeCOMMON

Function 004082E4, Relevance: 197.1, APIs: 104, Strings: 8, Instructions: 1073
COMMON

Function 0041040A, Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 34
COMMON

Function 004104B9, Relevance: 57.4, APIs: 38, Instructions: 368
COMMON

Function 00410D5C, Relevance: 42.2, APIs: 28, Instructions: 178
COMMON

Function 00410AD5, Relevance: 19.6, APIs: 13, Instructions: 125
COMMON

Function 00410CA9, Relevance: 7.5, APIs: 5, Instructions: 38
COMMON