Play interactive tour

Edit tour

Analysis Report New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Overview

General Information

Sample Name:	New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Analysis ID:	432028
MD5:	e766a80e73cd62b0aadf800f0e8bfe2c
SHA1:	25de6008b7f77121d432811376b4703e727e902f
SHA256:	664bf09b6f40a8f36643766189b1ec1cbf9578ff7d207b9f23803ac7676a119e
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	96
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Detected potential crypto function

Found large amount of non-executed APIs

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe (PID: 4608 cmdline: 'C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe' MD5: E766A80E73CD62B0AADF800F0E8BFE2C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmp	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Virustotal: Detection: 71%	Perma Link
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Metadefender: Detection: 28%	Perma Link
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	ReversingLabs: Detection: 72%

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD88D0 NtProtectVirtualMemory,	0_2_02BD88D0
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7037 NtAllocateVirtualMemory,	0_2_02BD7037
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7280 NtAllocateVirtualMemory,	0_2_02BD7280
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD722F NtAllocateVirtualMemory,	0_2_02BD722F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7094 NtAllocateVirtualMemory,	0_2_02BD7094
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD70C8 NtAllocateVirtualMemory,	0_2_02BD70C8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7001 NtAllocateVirtualMemory,	0_2_02BD7001
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD71BE NtAllocateVirtualMemory,	0_2_02BD71BE
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD890F NtProtectVirtualMemory,	0_2_02BD890F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD717E NtAllocateVirtualMemory,	0_2_02BD717E
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7159 NtAllocateVirtualMemory,	0_2_02BD7159

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_00401664	0_2_00401664
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_00403EC9	0_2_00403EC9
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7EA4	0_2_02BD7EA4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7EF9	0_2_02BD7EF9
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD32E8	0_2_02BD32E8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD3270	0_2_02BD3270
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2A5F	0_2_02BD2A5F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7E48	0_2_02BD7E48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD33AC	0_2_02BD33AC
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7FEC	0_2_02BD7FEC
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7FE5	0_2_02BD7FE5
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7BC3	0_2_02BD7BC3
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7F38	0_2_02BD7F38
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7B33	0_2_02BD7B33
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7B77	0_2_02BD7B77
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7F6F	0_2_02BD7F6F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD3364	0_2_02BD3364
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD8088	0_2_02BD8088
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7CE8	0_2_02BD7CE8
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD5825	0_2_02BD5825
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD341E	0_2_02BD341E
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7C04	0_2_02BD7C04
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7C48	0_2_02BD7C48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD8042	0_2_02BD8042
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7DBA	0_2_02BD7DBA
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD31B4	0_2_02BD31B4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD319D	0_2_02BD319D
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD8198	0_2_02BD8198
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD31FD	0_2_02BD31FD
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7DFD	0_2_02BD7DFD
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2134	0_2_02BD2134
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7D36	0_2_02BD7D36
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD810C	0_2_02BD810C
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD8154	0_2_02BD8154

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000000.204331251.0000000000419000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730698816.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Binary or memory string: OriginalFilenameMuslingernes.exe vs New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal96.rans.troj.evad.winEXE@1/0@0/0

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Virustotal: Detection: 71%
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Metadefender: Detection: 28%
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	ReversingLabs: Detection: 72%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmp, type: MEMORY
Source: Yara match	File source: 0.0.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_004068DF push ecx; ret	0_2_004068E1
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_00402D66 push dword ptr [ebp-44h]; ret	0_2_00413024
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_00408972 push esi; iretd	0_2_00408976
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD837B push eax; ret	0_2_02BD83B2
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD3F7A push ss; retf	0_2_02BD3F84
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD3F53 push ss; retf	0_2_02BD3F5D

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

RDTSC instruction interceptor: First address: 0000000002BD849A second address: 0000000002BD849A instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	RDTSC instruction interceptor: First address: 0000000002BD849A second address: 0000000002BD849A instructions:
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	RDTSC instruction interceptor: First address: 0000000002BD1B35 second address: 0000000002BD1B35 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 0008B41Ah 0x00000007 sub eax, FFF0F724h 0x0000000c add eax, FFF6636Fh 0x00000011 sub eax, 000E2064h 0x00000016 cpuid 0x00000018 jmp 00007FF648847D52h 0x0000001a test eax, edx 0x0000001c popad 0x0000001d call 00007FF648847D1Bh 0x00000022 lfence 0x00000025 mov edx, 7FFD13E2h 0x0000002a sub edx, 000005CFh 0x00000030 sub edx, FFFF6315h 0x00000036 sub edx, FFFFAAEAh 0x0000003c mov edx, dword ptr [edx] 0x0000003e lfence 0x00000041 ret 0x00000042 sub edx, esi 0x00000044 ret 0x00000045 pop ecx 0x00000046 add edi, edx 0x00000048 dec ecx 0x00000049 jmp 00007FF648847D46h 0x0000004b test cl, FFFFFF80h 0x0000004e cmp ecx, 00000000h 0x00000051 jne 00007FF648847CCAh 0x00000053 push ecx 0x00000054 call 00007FF648847D64h 0x00000059 call 00007FF648847D80h 0x0000005e lfence 0x00000061 mov edx, 7FFD13E2h 0x00000066 sub edx, 000005CFh 0x0000006c sub edx, FFFF6315h 0x00000072 sub edx, FFFFAAEAh 0x00000078 mov edx, dword ptr [edx] 0x0000007a lfence 0x0000007d ret 0x0000007e mov esi, edx 0x00000080 pushad 0x00000081 rdtsc

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Code function: 0_2_02BD32E8 rdtsc

0_2_02BD32E8

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

API coverage: 6.5 %

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Code function: 0_2_02BD32E8 rdtsc

0_2_02BD32E8

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD6AAF mov eax, dword ptr fs:[00000030h]	0_2_02BD6AAF
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD3EF4 mov eax, dword ptr fs:[00000030h]	0_2_02BD3EF4
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2A65 mov eax, dword ptr fs:[00000030h]	0_2_02BD2A65
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2A5F mov eax, dword ptr fs:[00000030h]	0_2_02BD2A5F
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7BC3 mov eax, dword ptr fs:[00000030h]	0_2_02BD7BC3
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7B33 mov eax, dword ptr fs:[00000030h]	0_2_02BD7B33
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2B00 mov eax, dword ptr fs:[00000030h]	0_2_02BD2B00
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7B77 mov eax, dword ptr fs:[00000030h]	0_2_02BD7B77
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7C04 mov eax, dword ptr fs:[00000030h]	0_2_02BD7C04
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD7C48 mov eax, dword ptr fs:[00000030h]	0_2_02BD7C48
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD2134 mov eax, dword ptr fs:[00000030h]	0_2_02BD2134
Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	Code function: 0_2_02BD611B mov eax, dword ptr fs:[00000030h]	0_2_02BD611B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe, 00000000.00000002.730562695.0000000000DC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Code function: 0_2_02BD58FF cpuid

0_2_02BD58FF

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery31	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	71%	Virustotal		Browse
New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	29%	Metadefender		Browse
New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe	72%	ReversingLabs	Win32.Trojan.Vebzenpak

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://tebogodigital.co.za/frim/build_mmHXva107.bin, https://tebogodigital.co.za/frib/build_mmHXva107.bin	false		high

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	432028
Start date:	09.06.2021
Start time:	17:07:24
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 51s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	32
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Successful, ratio: 100%
HDC Information:	Successful, ratio: 4.4% (good quality ratio 0.3%) Quality average: 6% Quality standard deviation: 18.9%
HCA Information:	Successful, ratio: 53% Number of executed functions: 15 Number of non-executed functions: 61
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, UsoClient.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.348240538768836
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
File size:	102400
MD5:	e766a80e73cd62b0aadf800f0e8bfe2c
SHA1:	25de6008b7f77121d432811376b4703e727e902f
SHA256:	664bf09b6f40a8f36643766189b1ec1cbf9578ff7d207b9f23803ac7676a119e
SHA512:	d6a7cf44697203050428d250206fcc442790a897da51658572a909110e03d226f22c71bd9e459a2df7ba574ea5d82fb84e8155e18d6327c1b52a5a98f1ca4a69
SSDEEP:	3072:/J9gS1jzW9LZrlHaxNNdgGI3lTEudD14hJRub:/L1nW9dlHaxDuGcTl514hJRu
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....)N.................`...0......d........p....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401664
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4E29F905 [Fri Jul 22 22:26:13 2011 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	329714ba87b5b72d54f447a30ad0c5e2

Entrypoint Preview

Instruction
push 00401AB8h
call 00007FF648900CE5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], ch
xchg eax, esp
jecxz 00007FF648900C83h
cmp al, BFh
inc esp
sbb dword ptr [eax-75h], FFFFFFC6h
enter 30F4h, 16h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
nop
imul ebx, dword ptr [eax], 03h
push ebp
jne 00007FF648900D61h
jnc 00007FF648900D66h
imul esp, dword ptr [edi+73h], 00736574h
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
jnp 00007FF6085A4BB5h
cmp al, 20h
dec ecx
mov edx, 2548A01Ch
sbb al, CEh
sbb ebp, dword ptr [esi+615C9713h]
sub dword ptr [edi+46h], edx
stosd
jmp 00007FF5D6B1F58Ch
mov ebx, AD4F3ADAh
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
test eax, 52000002h
add byte ptr [eax], al
add byte ptr [eax], al
adc al, byte ptr [eax]
jo 00007FF648900D65h
jns 00007FF648900D55h
push 6E61706Fh
outsb
jns 00007FF648900D55h
push 69747369h
arpl word ptr [eax], ax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x15bb4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x19000	0x9c4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x15c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1514c	0x16000	False	0.340520685369	data	5.70712688032	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x17000	0x1288	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x19000	0x9c4	0x1000	False	0.18115234375	data	2.12843856561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x19894	0x130	data
RT_ICON	0x195ac	0x2e8	data
RT_ICON	0x19484	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x19454	0x30	data
RT_VERSION	0x19150	0x304	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaI2Str, __vbaFPException, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	Payscale
InternalName	Muslingernes
FileVersion	2.00
CompanyName	Payscale
LegalTrademarks	Payscale
Comments	Payscale
ProductName	Payscale
ProductVersion	2.00
FileDescription	Payscale
OriginalFilename	Muslingernes.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe PID: 4608 Parent PID: 5768

General

Start time:	17:09:04
Start date:	09/06/2021
Path:	C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe'
Imagebase:	0x400000
File size:	102400 bytes
MD5 hash:	E766A80E73CD62B0AADF800F0E8BFE2C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader_1, Description: Yara detected GuLoader, Source: 00000000.00000000.204310575.0000000000401000.00000020.00020000.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe PID: 4608 Parent PID: 5768 New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCOMMON

Execution Graph

Execution Coverage:	0.9%
Dynamic/Decrypted Code Coverage:	15%
Signature Coverage:	12.5%
Total number of Nodes:	80
Total number of Limit Nodes:	12

Executed Functions

Function 00403EC9, Relevance: 11.7, APIs: 1, Strings: 6, Instructions: 1194
memoryCOMMONCrypto

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 99%

			E00403EC9() {
				signed int _t20;
				intOrPtr* _t27;
				void* _t41;
				intOrPtr* _t55;
				signed int _t60;
				void* _t69;
				void* _t71;
				intOrPtr* _t73;
				void* _t74;

				 *((intOrPtr*)(_t71 - 0xd)) =  *((intOrPtr*)(_t71 - 0xd)) + _t55;
				asm("lodsb");
				ds =  *0;
				 *_t55 =  *_t55 + _t55;
				 *0xcad00a7 = 0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				 *0 =  *0;
				do {
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					 *0 =  *0;
					asm("cmpsd");
					_t69 = _t69 -  *_t73;
				} while (_t69 >= 0);
				asm("lahf");
				asm("insd");
				_t60 = (_t55 - 0x000f66d2 + 0xfffe4e88 ^ 0x000681ce) - 0xfff2ef50 ^ 0x0007e54b;
				do {
					_t20 = 0 ^ _t60;
					_t60 = _t60 + 1;
				} while (_t20 != 0x536fd28);
				_t27 =  *((intOrPtr*)(0x40100c));
				do {
					_t27 = _t27 + 0xffffffff;
					asm("pushfd");
					asm("popfd");
				} while ( *_t27 != 0x90126c);
				_t41 = VirtualAlloc(0, 0xe000, 0x1000, 0x40); // executed
				_t74 = _t41;
				goto L8;
				 *0x00009D70 =  *((intOrPtr*)(0x9d70)) + _t41;
				asm("lodsd");
			}

0x00403ecb
0x00403ed0
0x00403ed1
0x00403ed7
0x00403ed9
0x00403edf
0x00403ee1
0x00403ee3
0x00403ee5
0x00403ee7
0x00403ee9
0x00403eeb
0x00403eed
0x00403eef
0x00403ef1
0x00403ef3
0x00403ef5
0x00403ef7
0x00403ef9
0x00403efb
0x00403efd
0x00403eff
0x00403f01
0x00403f03
0x00403f05
0x00403f07
0x00403f09
0x00403f0b
0x00403f0d
0x00403f0f
0x00403f11
0x00403f13
0x00403f15
0x00403f17
0x00403f19
0x00403f1b
0x00403f1d
0x00403f1f
0x00403f21
0x00403f23
0x00403f25
0x00403f27
0x00403f29
0x00403f2b
0x00403f2d
0x00403f2f
0x00403f31
0x00403f33
0x00403f35
0x00403f37
0x00403f39
0x00403f3b
0x00403f3d
0x00403f3f
0x00403f41
0x00403f43
0x00403f45
0x00403f47
0x00403f49
0x00403f4b
0x00403f4d
0x00403f4f
0x00403f51
0x00403f53
0x00403f55
0x00403f57
0x00403f59
0x00403f5b
0x00403f5d
0x00403f5f
0x00403f61
0x00403f63
0x00403f65
0x00403f67
0x00403f69
0x00403f6b
0x00403f6d
0x00403f6f
0x00403f71
0x00403f73
0x00403f75
0x00403f77
0x00403f79
0x00403f7b
0x00403f7d
0x00403f7f
0x00403f81
0x00403f83
0x00403f85
0x00403f87
0x00403f89
0x00403f8b
0x00403f8d
0x00403f8f
0x00403f91
0x00403f93
0x00403f95
0x00403f97
0x00403f99
0x00403f9b
0x00403f9d
0x00403f9f
0x00403fa1
0x00403fa3
0x00403fa5
0x00403fa7
0x00403fa9
0x00403fab
0x00403fad
0x00403faf
0x00403fb1
0x00403fb3
0x00403fb5
0x00403fb7
0x00403fb9
0x00403fbb
0x00403fbd
0x00403fbf
0x00403fc1
0x00403fc3
0x00403fc5
0x00403fc7
0x00403fc9
0x00403fcb
0x00403fcd
0x00403fcf
0x00403fd1
0x00403fd3
0x00403fd5
0x00403fd7
0x00403fd9
0x00403fdb
0x00403fdd
0x00403fdf
0x00403fe1
0x00403fe3
0x00403fe5
0x00403fe7
0x00403fe9
0x00403feb
0x00403fed
0x00403fef
0x00403ff1
0x00403ff3
0x00403ff5
0x00403ff7
0x00403ff9
0x00403ffb
0x00403ffd
0x00403fff
0x00404001
0x00404003
0x00404005
0x00404007
0x00404009
0x0040400b
0x0040400d
0x0040400f
0x00404011
0x00404013
0x00404015
0x00404017
0x00404019
0x0040401b
0x0040401d
0x0040401f
0x00404021
0x00404023
0x00404025
0x00404027
0x00404029
0x0040402b
0x0040402d
0x0040402f
0x00404031
0x00404033
0x00404035
0x00404037
0x00404039
0x0040403b
0x0040403d
0x0040403f
0x00404041
0x00404043
0x00404045
0x00404047
0x00404049
0x0040404b
0x0040404d
0x0040404f
0x00404051
0x00404053
0x00404055
0x00404057
0x00404059
0x0040405b
0x0040405d
0x0040405f
0x00404061
0x00404063
0x00404065
0x00404067
0x00404069
0x0040406b
0x0040406d
0x0040406f
0x00404071
0x00404073
0x00404075
0x00404077
0x00404079
0x0040407b
0x0040407d
0x0040407f
0x00404081
0x00404083
0x00404085
0x00404087
0x00404089
0x0040408b
0x0040408d
0x0040408f
0x00404091
0x00404093
0x00404095
0x00404097
0x00404099
0x0040409b
0x0040409d
0x0040409f
0x004040a1
0x004040a3
0x004040a5
0x004040a7
0x004040a9
0x004040ab
0x004040ad
0x004040af
0x004040b1
0x004040b3
0x004040b5
0x004040b7
0x004040b9
0x004040bb
0x004040bd
0x004040bf
0x004040c1
0x004040c3
0x004040c5
0x004040c7
0x004040c9
0x004040cb
0x004040cd
0x004040cf
0x004040d1
0x004040d3
0x004040d5
0x004040d7
0x004040d9
0x004040db
0x004040dd
0x004040df
0x004040e1
0x004040e3
0x004040e5
0x004040e7
0x004040e9
0x004040eb
0x004040ed
0x004040ef
0x004040f1
0x004040f3
0x004040f5
0x004040f7
0x004040f9
0x004040fb
0x004040fd
0x004040ff
0x00404101
0x00404103
0x00404105
0x00404107
0x00404109
0x0040410b
0x0040410d
0x0040410f
0x00404111
0x00404113
0x00404115
0x00404117
0x00404119
0x0040411b
0x0040411d
0x0040411f
0x00404121
0x00404123
0x00404125
0x00404127
0x00404129
0x0040412b
0x0040412d
0x0040412f
0x00404131
0x00404133
0x00404135
0x00404137
0x00404139
0x0040413b
0x0040413d
0x0040413f
0x00404141
0x00404143
0x00404145
0x00404147
0x00404149
0x0040414b
0x0040414d
0x0040414f
0x00404151
0x00404153
0x00404155
0x00404157
0x00404159
0x0040415b
0x0040415d
0x0040415f
0x00404161
0x00404163
0x00404165
0x00404167
0x00404169
0x0040416b
0x0040416d
0x0040416f
0x00404171
0x00404173
0x00404175
0x00404177
0x00404179
0x0040417b
0x0040417d
0x0040417f
0x00404181
0x00404183
0x00404185
0x00404187
0x00404189
0x0040418b
0x0040418d
0x0040418f
0x00404191
0x00404193
0x00404195
0x00404197
0x00404199
0x0040419b
0x0040419d
0x0040419f
0x004041a1
0x004041a3
0x004041a5
0x004041a7
0x004041a9
0x004041ab
0x004041ad
0x004041af
0x004041b1
0x004041b3
0x004041b5
0x004041b7
0x004041b9
0x004041bb
0x004041bd
0x004041bf
0x004041c1
0x004041c3
0x004041c5
0x004041c7
0x004041c9
0x004041cb
0x004041cd
0x004041cf
0x004041d1
0x004041d3
0x004041d5
0x004041d7
0x004041d9
0x004041db
0x004041dd
0x004041df
0x004041e1
0x004041e3
0x004041e5
0x004041e7
0x004041e9
0x004041eb
0x004041ed
0x004041ef
0x004041f1
0x004041f3
0x004041f5
0x004041f7
0x004041f9
0x004041fb
0x004041fd
0x004041ff
0x00404201
0x00404203
0x00404205
0x00404207
0x00404209
0x0040420b
0x0040420d
0x0040420f
0x00404211
0x00404213
0x00404215
0x00404217
0x00404219
0x0040421b
0x0040421d
0x0040421f
0x00404221
0x00404223
0x00404225
0x00404227
0x00404229
0x0040422b
0x0040422d
0x0040422f
0x00404231
0x00404233
0x00404235
0x00404237
0x00404239
0x0040423b
0x0040423d
0x0040423f
0x00404241
0x00404243
0x00404245
0x00404247
0x00404249
0x0040424b
0x0040424d
0x0040424f
0x00404251
0x00404253
0x00404255
0x00404257
0x00404259
0x0040425b
0x0040425d
0x0040425f
0x00404261
0x00404263
0x00404265
0x00404267
0x00404269
0x0040426b
0x0040426d
0x0040426f
0x00404271
0x00404273
0x00404275
0x00404277
0x00404279
0x0040427b
0x0040427d
0x0040427f
0x00404281
0x00404283
0x00404285
0x00404287
0x00404289
0x0040428b
0x0040428d
0x0040428f
0x00404291
0x00404293
0x00404295
0x00404297
0x00404299
0x0040429b
0x0040429d
0x0040429f
0x004042a1
0x004042a3
0x004042a5
0x004042a7
0x004042a9
0x004042ab
0x004042ad
0x004042af
0x004042b1
0x004042b3
0x004042b5
0x004042b7
0x004042b9
0x004042bb
0x004042bd
0x004042bf
0x004042c1
0x004042c3
0x004042c5
0x004042c7
0x004042c9
0x004042cb
0x004042cd
0x004042cf
0x004042d1
0x004042d3
0x004042d5
0x004042d7
0x004042d9
0x004042db
0x004042dd
0x004042df
0x004042e1
0x004042e3
0x004042e5
0x004042e7
0x004042e9
0x004042eb
0x004042ed
0x004042ef
0x004042f1
0x004042f3
0x004042f5
0x004042f7
0x004042f9
0x004042fb
0x004042fd
0x004042ff
0x00404301
0x00404303
0x00404305
0x00404307
0x00404309
0x0040430b
0x0040430d
0x0040430f
0x00404311
0x00404313
0x00404315
0x00404317
0x00404319
0x0040431b
0x0040431d
0x0040431f
0x00404321
0x00404323
0x00404325
0x00404327
0x00404329
0x0040432b
0x0040432d
0x0040432f
0x00404331
0x00404333
0x00404335
0x00404337
0x00404339
0x0040433b
0x0040433d
0x0040433f
0x00404341
0x00404343
0x00404345
0x00404347
0x00404349
0x0040434b
0x0040434d
0x0040434f
0x00404351
0x00404353
0x00404355
0x00404357
0x00404359
0x0040435b
0x0040435d
0x0040435f
0x00404361
0x00404363
0x00404365
0x00404367
0x00404369
0x0040436b
0x0040436d
0x0040436f
0x00404371
0x00404373
0x00404375
0x00404377
0x00404379
0x0040437b
0x0040437d
0x0040437f
0x00404381
0x00404383
0x00404385
0x00404387
0x00404389
0x0040438b
0x0040438d
0x0040438f
0x00404391
0x00404393
0x00404395
0x00404397
0x00404399
0x0040439b
0x0040439d
0x0040439f
0x004043a1
0x004043a3
0x004043a5
0x004043a7
0x004043a9
0x004043ab
0x004043ad
0x004043af
0x004043b1
0x004043b3
0x004043b5
0x004043b7
0x004043b9
0x004043bb
0x004043bd
0x004043bf
0x004043c1
0x004043c3
0x004043c5
0x004043c7
0x004043c9
0x004043cb
0x004043cd
0x004043cf
0x004043d1
0x004043d3
0x004043d5
0x004043d7
0x004043d9
0x004043db
0x004043dd
0x004043df
0x004043e1
0x004043e3
0x004043e5
0x004043e7
0x004043e9
0x004043eb
0x004043ed
0x004043ef
0x004043f1
0x004043f3
0x004043f5
0x004043f7
0x004043f9
0x004043fb
0x004043fd
0x004043ff
0x00404401
0x00404403
0x00404405
0x00404407
0x00404409
0x0040440b
0x0040440d
0x0040440f
0x00404411
0x00404413
0x00404415
0x00404417
0x00404419
0x0040441b
0x0040441d
0x0040441f
0x00404421
0x00404423
0x00404425
0x00404427
0x00404429
0x0040442b
0x0040442d
0x0040442f
0x00404431
0x00404433
0x00404435
0x00404437
0x00404439
0x0040443b
0x0040443d
0x0040443f
0x00404441
0x00404443
0x00404445
0x00404447
0x00404449
0x0040444b
0x0040444d
0x0040444f
0x00404451
0x00404453
0x00404455
0x00404457
0x00404459
0x0040445b
0x0040445d
0x0040445f
0x00404461
0x00404463
0x00404465
0x00404467
0x00404469
0x0040446b
0x0040446d
0x0040446f
0x00404471
0x00404473
0x00404475
0x00404477
0x00404479
0x0040447b
0x0040447d
0x0040447f
0x00404481
0x00404483
0x00404485
0x00404487
0x00404489
0x0040448b
0x0040448d
0x0040448f
0x00404491
0x00404493
0x00404495
0x00404497
0x00404499
0x0040449b
0x0040449d
0x0040449f
0x004044a1
0x004044a3
0x004044a5
0x004044a7
0x004044a9
0x004044ab
0x004044ad
0x004044af
0x004044b1
0x004044b3
0x004044b5
0x004044b7
0x004044b9
0x004044bb
0x004044bd
0x004044bf
0x004044c1
0x004044c3
0x004044c5
0x004044c7
0x004044c9
0x004044cb
0x004044cd
0x004044cf
0x004044d1
0x004044d3
0x004044d5
0x004044d7
0x004044d9
0x004044db
0x004044dd
0x004044df
0x004044e1
0x004044e3
0x004044e5
0x004044e7
0x004044e9
0x004044eb
0x004044ed
0x004044ef
0x004044f1
0x004044f3
0x004044f5
0x004044f7
0x004044f9
0x004044fb
0x004044fd
0x004044ff
0x00404501
0x00404503
0x00404505
0x00404507
0x00404509
0x0040450b
0x0040450d
0x0040450f
0x00404511
0x00404513
0x00404515
0x00404517
0x00404519
0x0040451b
0x0040451d
0x0040451f
0x00404521
0x00404523
0x00404525
0x00404527
0x00404529
0x0040452b
0x0040452d
0x0040452f
0x00404531
0x00404533
0x00404535
0x00404537
0x00404539
0x0040453b
0x0040453d
0x0040453f
0x00404541
0x00404543
0x00404545
0x00404547
0x00404549
0x0040454b
0x0040454d
0x0040454f
0x00404551
0x00404553
0x00404555
0x00404557
0x00404559
0x0040455b
0x0040455d
0x0040455f
0x00404561
0x00404563
0x00404565
0x00404567
0x00404569
0x0040456b
0x0040456d
0x0040456f
0x00404571
0x00404573
0x00404575
0x00404577
0x00404579
0x0040457b
0x0040457d
0x0040457f
0x00404581
0x00404583
0x00404585
0x00404587
0x00404589
0x0040458b
0x0040458d
0x0040458f
0x00404591
0x00404593
0x00404595
0x00404597
0x00404599
0x0040459b
0x0040459d
0x0040459f
0x004045a1
0x004045a3
0x004045a5
0x004045a7
0x004045a9
0x004045ab
0x004045ad
0x004045af
0x004045b1
0x004045b3
0x004045b5
0x004045b7
0x004045b9
0x004045bb
0x004045bd
0x004045bf
0x004045c1
0x004045c3
0x004045c5
0x004045c7
0x004045c9
0x004045cb
0x004045cd
0x004045cf
0x004045d1
0x004045d3
0x004045d5
0x004045d7
0x004045d9
0x004045db
0x004045dd
0x004045df
0x004045e1
0x004045e3
0x004045e5
0x004045e7
0x004045e9
0x004045eb
0x004045ed
0x004045ef
0x004045f1
0x004045f3
0x004045f5
0x004045f7
0x004045f9
0x004045fb
0x004045fd
0x004045ff
0x00404601
0x00404603
0x00404605
0x00404607
0x00404609
0x0040460b
0x0040460d
0x0040460f
0x00404611
0x00404613
0x00404615
0x00404617
0x00404619
0x0040461b
0x0040461d
0x0040461f
0x00404621
0x00404621
0x00404623
0x00404625
0x00404627
0x00404629
0x0040462b
0x0040462d
0x0040462f
0x00404631
0x00404633
0x00404635
0x00404637
0x00404639
0x0040463b
0x0040463d
0x0040463f
0x00404641
0x00404643
0x00404645
0x00404647
0x00404649
0x0040464b
0x0040464d
0x0040464f
0x00404651
0x00404653
0x00404655
0x00404657
0x00404659
0x0040465b
0x0040465d
0x0040465f
0x00404661
0x00404663
0x00404664
0x00404664
0x00404668
0x00404669
0x004046af
0x004046bb
0x00404712
0x0040471a
0x00404722
0x00404792
0x004047f5
0x004047fe
0x0040480f
0x00404810
0x00404810
0x0040493d
0x00404946
0x00404972
0x004049c6
0x004049c9

APIs

VirtualAlloc.KERNELBASE(00000000,0000E000,-00000001FFF879B1,-00179B6E), ref: 0040493D

Strings

?, xrefs: 004046C6
g, xrefs: 0040486C
2, xrefs: 00404759
\, xrefs: 00404778
X, xrefs: 0040470F
a, xrefs: 00404756

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocVirtual
String ID: 2$?$X$\$a$g
API String ID: 4275171209-4045036488
Opcode ID: fa80d6594c80d5ce072c6dd645fb780af8dc5f2615d5206b7a7b970f909dd807
Instruction ID: 14a0eac50d6936c83cf47915cbed64851dabec40c153e470c88a36c43e7558ba
Opcode Fuzzy Hash: fa80d6594c80d5ce072c6dd645fb780af8dc5f2615d5206b7a7b970f909dd807
Instruction Fuzzy Hash: 2861BD41646B4246FF781478CAE032E2642DF96700F349E3BDA93D6ECACA6EC1C14657

Uniqueness

Uniqueness Score: -1.00%

Function 00401664, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 708
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401669

Strings

VB5!6&*, xrefs: 00401664

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: a4c53829b396f8fe1e8330efbc28c138e1229abf664406d876d15b402ee34bb2
Instruction ID: 0ea171562deaeeb63759306fe01eb5d4f4490ec543404ee493a6751173ffe114
Opcode Fuzzy Hash: a4c53829b396f8fe1e8330efbc28c138e1229abf664406d876d15b402ee34bb2
Instruction Fuzzy Hash: 9922436144E7C19FC7138BB48CA56A27FB4AE1321471E46EBC4C1CF0B3E22C695AD766

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7001, Relevance: 1.6, APIs: 1, Instructions: 121
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: f9ef21de19f54d02801d0843c7dab7a800fb32ae2dce3fbe70bdb644fac8997a
Instruction ID: fe0d37a3461bf2f33764d2851ec809b3035ef5842fabf1b9e5805afb1728a5f1
Opcode Fuzzy Hash: f9ef21de19f54d02801d0843c7dab7a800fb32ae2dce3fbe70bdb644fac8997a
Instruction Fuzzy Hash: 5631777100CA81CFCB234E70DC467EA7FD5EFA6311F088749ED9A9A255EB714182AB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7159, Relevance: 1.6, APIs: 1, Instructions: 116
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 231d9688ce59780b42db026a7cf531c15a89a8c7791d88f0c39d8cae3260de2e
Instruction ID: 96279d60f64e77782f0d8592e3e153444671375cb7ae64673b1efb2974d4b637
Opcode Fuzzy Hash: 231d9688ce59780b42db026a7cf531c15a89a8c7791d88f0c39d8cae3260de2e
Instruction Fuzzy Hash: FD41EC71409682EFCB218F70DC867DA7FA4FF96314F08074CE9958A260E7315682DB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD717E, Relevance: 1.6, APIs: 1, Instructions: 102
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 37042a2d96061c30f2702389c049eb9f19a0ee4ae561d2ae70b0590c59482b65
Instruction ID: cdacc24b181e6dfcb326e729e88bec72e7edbfee01d47b57cbaec41f070993ce
Opcode Fuzzy Hash: 37042a2d96061c30f2702389c049eb9f19a0ee4ae561d2ae70b0590c59482b65
Instruction Fuzzy Hash: 9F319971409681DFCB368F70DC467DA7FA4FF56314F080748ED8A9A260EB3156829B93

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7094, Relevance: 1.6, APIs: 1, Instructions: 88
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 99d16d9f502fac2152348e71ece62d19f3d290654d414a296a42d763be7ce8b7
Instruction ID: cc9a7a9bbd46929069d604a1763d00ad11a7d1cd3c69760349647d39f3b7c954
Opcode Fuzzy Hash: 99d16d9f502fac2152348e71ece62d19f3d290654d414a296a42d763be7ce8b7
Instruction Fuzzy Hash: 2231767000C685DFDB365E70DC41BEDBBA0EF55310F084748ED8A991A4EB314682EB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD70C8, Relevance: 1.6, APIs: 1, Instructions: 87
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: e9ad4408118f599bd54799a7a701f1ee2da615da807e379aeada87694b61cd1b
Instruction ID: ffbd010ea138c5add9db2360ec4d5a24897774cec817ac10d23393b37d6bcc2f
Opcode Fuzzy Hash: e9ad4408118f599bd54799a7a701f1ee2da615da807e379aeada87694b61cd1b
Instruction Fuzzy Hash: C7314670008681DFDB365E74DC45BED7BA0EF55310F084758ED9A9A2A4EB314681EB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD71BE, Relevance: 1.6, APIs: 1, Instructions: 87
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 87c41731665f9b27401f1fe7627bebe17a1428400d4ab11a24ae8514f4a00c18
Instruction ID: 37acb4ad5b014c5844101ce3d75a77c5a053a96acf7b2bdb909abf67c7576570
Opcode Fuzzy Hash: 87c41731665f9b27401f1fe7627bebe17a1428400d4ab11a24ae8514f4a00c18
Instruction Fuzzy Hash: EA217971008681CFDB364E74DC817E93FA5EF9A314F084748ED9A9A261EB7145829B43

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7037, Relevance: 1.6, APIs: 1, Instructions: 82
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 43bfe127cdc68883c3dda6f25d4969b0ef9b68a75d3053ae19c00f8a93131a50
Instruction ID: 7cbb59738a14463d09805cddf3c3f2445c036fcddfed1b3b4cdeb580f70b853c
Opcode Fuzzy Hash: 43bfe127cdc68883c3dda6f25d4969b0ef9b68a75d3053ae19c00f8a93131a50
Instruction Fuzzy Hash: 7821FE70108685DFEB755E34CC40BEDBAA1EF45364F080A59ED8A9A1A0FB714A81EB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD722F, Relevance: 1.6, APIs: 1, Instructions: 70
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: ade71986dd0bea2007b2df39a410b1b025bf5c2c0e396619e3ef0cbd63a94a23
Instruction ID: 604ab8605664c683d4d5a080732afe243f3ad6976121eb1bb9557953d3024d25
Opcode Fuzzy Hash: ade71986dd0bea2007b2df39a410b1b025bf5c2c0e396619e3ef0cbd63a94a23
Instruction Fuzzy Hash: 671138B0108681DFDF338E64AC45BDE3F95EB6A325F084744ED1EDE261EA324581AB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7280, Relevance: 1.6, APIs: 1, Instructions: 65
memorynativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtAllocateVirtualMemory.NTDLL(000000FF,?,00000000,?,00003000,00000004), ref: 02BD72D8

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a8852df1582192b8726d47e6a81a7cd8adf1ef7f47742f65bfdf2872e2801c78
Instruction ID: 30094090328761d3f997fe437342f3cbd8e66254c7d42bcfa12579a6e3674436
Opcode Fuzzy Hash: a8852df1582192b8726d47e6a81a7cd8adf1ef7f47742f65bfdf2872e2801c78
Instruction Fuzzy Hash: C2113A71008986DFCB338E64DC857DA3F95EFAA325F084744DC1A9E265D7328582AB53

Uniqueness

Uniqueness Score: -1.00%

Function 02BD88D0, Relevance: 1.5, APIs: 1, Instructions: 35
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02BD7DAF,00000040,02BD0565,00000000,00000000,00000000,00000000,?,00000000,00000000,02BD4C01), ref: 02BD8928

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 53333ad283ad18a509f78070f5effa3c69c5db4a7c3d5d0b5cf017e48a297199
Instruction ID: bfc5979c91d2f2e75634070e99ae88326db1752616c76643b1167c59f6522652
Opcode Fuzzy Hash: 53333ad283ad18a509f78070f5effa3c69c5db4a7c3d5d0b5cf017e48a297199
Instruction Fuzzy Hash: 68E0EDC212A9821CD5038AB89A8F4532F9EC8F641B70CD32898B32A78EC050844311B7

Uniqueness

Uniqueness Score: -1.00%

Function 02BD890F, Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,02BD7DAF,00000040,02BD0565,00000000,00000000,00000000,00000000,?,00000000,00000000,02BD4C01), ref: 02BD8928

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 0040EC30, Relevance: 350.4, APIs: 190, Strings: 9, Instructions: 2127COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401466), ref: 0040EC4E
__vbaI2Str.MSVBVM60(004035A0,?,?,?,?,00401466), ref: 0040EC98
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,00401466), ref: 0040ECC9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040ED06
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035A4,000001E0), ref: 0040ED57
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040ED82
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EDBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035B4,00000068), ref: 0040EE0A
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040EE35
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EE72
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035C4,00000100), ref: 0040EEC3
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 0040EEEE
__vbaChkstk.MSVBVM60(?), ref: 0040EFBA
__vbaChkstk.MSVBVM60(?), ref: 0040EFE9
__vbaChkstk.MSVBVM60(?), ref: 0040F018
__vbaChkstk.MSVBVM60(?), ref: 0040F047
__vbaChkstk.MSVBVM60(?), ref: 0040F076
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035E4,00000044), ref: 0040F0D8
__vbaChkstk.MSVBVM60 ref: 0040F121
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0040F154
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040F171
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,00401466), ref: 0040F191
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,00401466), ref: 0040F1B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F1F1
__vbaChkstk.MSVBVM60 ref: 0040F216
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035A4,000001C8), ref: 0040F27E
__vbaFreeObj.MSVBVM60 ref: 0040F29C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F88,000006F8), ref: 0040F2E3
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040F37B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F3B8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403628,000000E0), ref: 0040F409
__vbaStrCopy.MSVBVM60 ref: 0040F42C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F88,000006FC), ref: 0040F47F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F4B3
__vbaFreeObj.MSVBVM60(?,?,00401466), ref: 0040F4C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F88,00000700), ref: 0040F523
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F58,000002B4), ref: 0040F58F
__vbaVarAdd.MSVBVM60(?,00000003,?), ref: 0040F5D7
__vbaVarMove.MSVBVM60 ref: 0040F5E5
__vbaVarTstLt.MSVBVM60(00008003,?), ref: 0040F614
__vbaOnError.MSVBVM60(000000FF), ref: 0040F62C
#595.MSVBVM60(00000003,00000000,0000000A,0000000A,0000000A), ref: 0040F6BF
__vbaFreeVarList.MSVBVM60(00000004,00000003,0000000A,0000000A,0000000A), ref: 0040F6E3
__vbaSetSystemError.MSVBVM60(005A46D8,?,?,?,?,?,?,?,00401466), ref: 0040F704
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,00401466), ref: 0040F73E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F77B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403638,000000F0), ref: 0040F7CC
#666.MSVBVM60(?,00000008), ref: 0040F81E
__vbaVarMove.MSVBVM60 ref: 0040F82D
__vbaFreeObj.MSVBVM60 ref: 0040F839
__vbaFreeVar.MSVBVM60 ref: 0040F845
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,00401466), ref: 0040F865
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F8A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403638,00000050), ref: 0040F8ED
__vbaStrToAnsi.MSVBVM60(?,?,zK), ref: 0040F924
__vbaSetSystemError.MSVBVM60(00000000), ref: 0040F937
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F968
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 0040F977
__vbaNew2.MSVBVM60(004035F4,004173C0,?,?,?,?,?,?,?,?,?,?,00401466), ref: 0040F9AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035E4,0000001C), ref: 0040FA16
__vbaChkstk.MSVBVM60(?), ref: 0040FA5A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403648,00000054), ref: 0040FABC
__vbaChkstk.MSVBVM60 ref: 0040FB05
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0040FB38
__vbaFreeObj.MSVBVM60 ref: 0040FB44
__vbaFreeVar.MSVBVM60 ref: 0040FB50
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,?,?,?,00401466), ref: 0040FB70
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FBAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035A4,00000068), ref: 0040FBF8
__vbaUI1I2.MSVBVM60 ref: 0040FC15
__vbaSetSystemError.MSVBVM60(?,00219FF2,?), ref: 0040FC3F
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040FC58
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FC95
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035C4,00000160), ref: 0040FCE6
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040FD10
__vbaI4Var.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401466), ref: 0040FD1A
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040FD4B
__vbaFreeVar.MSVBVM60 ref: 0040FD5A
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 0040FD90
__vbaLateMemCallLd.MSVBVM60(?,?,pUsAX2WKZEfBpPKnuw1DHc50,00000000), ref: 0040FDCF
__vbaObjVar.MSVBVM60(00000000), ref: 0040FDD9
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0040FDE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035E4,0000000C), ref: 0040FE26
__vbaFreeObj.MSVBVM60 ref: 0040FE44
__vbaFreeVar.MSVBVM60 ref: 0040FE50
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040FE70
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FEAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040368C,00000158), ref: 0040FEFE
__vbaStrToAnsi.MSVBVM60(?,?,005179C0), ref: 0040FF29
__vbaSetSystemError.MSVBVM60(00000000), ref: 0040FF3B
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040FF69
__vbaFreeObj.MSVBVM60 ref: 0040FF78
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0040FFAE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040FFEB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403628,000000F0), ref: 0041003C
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410067
__vbaObjSet.MSVBVM60(?,00000000), ref: 004100A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403628,00000048), ref: 004100EF
__vbaInStr.MSVBVM60(00000000,?,Pantries,?), ref: 0041011E
__vbaFreeStr.MSVBVM60 ref: 00410130
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410146
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410169
__vbaObjSet.MSVBVM60(?,00000000), ref: 004101A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035A4,00000148), ref: 004101F7
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410221
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0041023D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041027A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040368C,00000060), ref: 004102C5
__vbaStrVarMove.MSVBVM60(?,?), ref: 004102EB
__vbaStrMove.MSVBVM60 ref: 004102F9
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 00410307
__vbaSetSystemError.MSVBVM60(006574C1,00000000), ref: 0041031E
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041034C
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041036C
__vbaFreeVar.MSVBVM60 ref: 0041037B
__vbaChkstk.MSVBVM60 ref: 004103CB
__vbaChkstk.MSVBVM60 ref: 004103FA
__vbaLateMemCall.MSVBVM60(?,rt9Ldo0Et6CO83,00000002), ref: 0041042F
__vbaSetSystemError.MSVBVM60 ref: 0041044A
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410463
__vbaObjSet.MSVBVM60(?,00000000), ref: 004104A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004036E8,00000100), ref: 004104F1
__vbaFreeObj.MSVBVM60 ref: 00410529
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410558
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410595
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035B4,00000188), ref: 004105E6
#580.MSVBVM60(?,00000001), ref: 00410607
__vbaFreeStr.MSVBVM60 ref: 00410613
__vbaFreeObj.MSVBVM60 ref: 0041061F
__vbaSetSystemError.MSVBVM60 ref: 00410637
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410650
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041068D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403638,00000120), ref: 004106DE
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00410708
__vbaI4Var.MSVBVM60(00000000), ref: 00410712
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041073C
__vbaFreeVar.MSVBVM60 ref: 0041074B
#570.MSVBVM60(00000031), ref: 0041076C
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410792
__vbaObjSet.MSVBVM60(?,00000000), ref: 004107CF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403734,00000158), ref: 00410820
__vbaNew2.MSVBVM60(00402314,00417010), ref: 0041084B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410888
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403734,00000060), ref: 004108D3
__vbaNew2.MSVBVM60(00402314,00417010), ref: 004108FE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041093B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040368C,00000188), ref: 0041098C
__vbaNew2.MSVBVM60(00402314,00417010), ref: 004109B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004109F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035B4,00000178), ref: 00410A45
__vbaObjSet.MSVBVM60(?,?), ref: 00410A81
__vbaStrToAnsi.MSVBVM60(?,Stobbed,?,?), ref: 00410AA1
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00000000), ref: 00410AD3
__vbaStrToAnsi.MSVBVM60(?,Basisordenes,00000000), ref: 00410AE6
__vbaSetSystemError.MSVBVM60(00000000), ref: 00410AF8
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410B11
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410B4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403758,00000128), ref: 00410B9F
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?), ref: 00410BEF
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 00410C24
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410C5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410C9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035A4,00000110), ref: 00410CEB
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00410D16
__vbaChkstk.MSVBVM60(?,?), ref: 00410D68
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035E4,00000034), ref: 00410DCA
__vbaObjSet.MSVBVM60(?,?), ref: 00410E06
__vbaFreeObj.MSVBVM60 ref: 00410E12
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410E32
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410E6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035C4,00000138), ref: 00410EC0
__vbaSetSystemError.MSVBVM60(?), ref: 00410EEA
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00410F03
__vbaObjSet.MSVBVM60(?,00000000), ref: 00410F40
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403638,00000178), ref: 00410F91
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410FD3
#570.MSVBVM60(0000003A), ref: 00410FF7
__vbaSetSystemError.MSVBVM60(006F032E), ref: 00411017
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00411030
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041106D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004035C4,00000138), ref: 004110BE
__vbaFreeObj.MSVBVM60 ref: 004110F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F58,00000084), ref: 00411169
__vbaFreeObj.MSVBVM60(0041126D), ref: 00411221
__vbaFreeVar.MSVBVM60 ref: 0041122A
__vbaFreeObj.MSVBVM60 ref: 00411236
__vbaFreeVar.MSVBVM60 ref: 00411242
__vbaFreeObj.MSVBVM60 ref: 0041124E
__vbaFreeObj.MSVBVM60 ref: 0041125A
__vbaFreeObj.MSVBVM60 ref: 00411266

Strings

Basisordenes, xrefs: 00410ADA
8, xrefs: 00411107
Pantries, xrefs: 00410110
FILASSE, xrefs: 0041039E
zK, xrefs: 0040F90F, 0040F915
Stobbed, xrefs: 00410A95
pUsAX2WKZEfBpPKnuw1DHc50, xrefs: 0040FDBC
Fremkaldervsken, xrefs: 0040F421
rt9Ldo0Et6CO83, xrefs: 00410426

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$List$Chkstk$Error$System$Late$Ansi$Call$Move$#570$#580#595#666AddrefCopy
String ID: 8$Basisordenes$FILASSE$Fremkaldervsken$Pantries$Stobbed$pUsAX2WKZEfBpPKnuw1DHc50$rt9Ldo0Et6CO83$zK
API String ID: 1504869957-1101650819
Opcode ID: c9c5ee10fa4c14085cbefc33d6472fa3f5a609b22884ff94a0f884da9d02e1ba
Instruction ID: 3550d25823806b25cdfd3247a335549e5af39f9d9587c39891ad8cb987904096
Opcode Fuzzy Hash: c9c5ee10fa4c14085cbefc33d6472fa3f5a609b22884ff94a0f884da9d02e1ba
Instruction Fuzzy Hash: 39330974901229DFDB24DF50CD88BDABBB4BB48305F1085EAE50AB72A0DB749AC5CF54

Uniqueness

Uniqueness Score: -1.00%

Function 004112A0, Relevance: 24.1, APIs: 16, Instructions: 119
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#609.MSVBVM60 ref: 004112E6
#557.MSVBVM60(?), ref: 004112FA
__vbaFreeVar.MSVBVM60 ref: 00411311
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 0041132E
__vbaObjVar.MSVBVM60(?), ref: 00411340
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041134B
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000010), ref: 00411365
__vbaFreeObj.MSVBVM60 ref: 0041136E
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00411387
__vbaObjSet.MSVBVM60(?,00000000), ref: 004113A0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035A4,00000178), ref: 004113C7
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000), ref: 004113D7
__vbaI4Var.MSVBVM60(00000000), ref: 004113E1
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004113F4
__vbaFreeVar.MSVBVM60 ref: 00411400
__vbaFreeVar.MSVBVM60(00411434), ref: 0041142D

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#557#609AddrefCallLateList
String ID:
API String ID: 345172682-0
Opcode ID: d998e27909ea6e90f1d2e9debcb36d1710b5623998ffd3988cb0005c9ab79c2c
Instruction ID: e8143ab98e40f595c0038f772cc1e1275e4ffb66381a72a8c1276cf0a71ea187
Opcode Fuzzy Hash: d998e27909ea6e90f1d2e9debcb36d1710b5623998ffd3988cb0005c9ab79c2c
Instruction Fuzzy Hash: 424128B4900248EFDB009FA5DD49AEEBBB8FB48701F10852AF942B35B0D7745985CB68

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02BD2A5F, Relevance: 1.7, Strings: 1, Instructions: 418COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: 2434ae6bdf38ac516b8b1005dd7a1914d2e24b30e59055dba2c5bc921fdba23e
Instruction ID: be99b056a183fe211792c54d8faf1b4836201b5ee955b81e30336881563837de
Opcode Fuzzy Hash: 2434ae6bdf38ac516b8b1005dd7a1914d2e24b30e59055dba2c5bc921fdba23e
Instruction Fuzzy Hash: 86F12571600746EFEB255F30CC48BE97BA2FF01318F148299E9855B1E1E7B8A885CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2134, Relevance: 1.6, Strings: 1, Instructions: 384COMMON

Download Yara Rule

Strings

+u<|, xrefs: 02BD0AB6

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: +u<|
API String ID: 0-772610416
Opcode ID: 3dfc82fa4ff4bd8c9928d40acf42c1497d3298daab06371ebfb1551670215b11
Instruction ID: 6306a7c2085c703622875c6a36cdbe1e06a75b044b5ad8436472e531f811603e
Opcode Fuzzy Hash: 3dfc82fa4ff4bd8c9928d40acf42c1497d3298daab06371ebfb1551670215b11
Instruction Fuzzy Hash: 29E1F471600346EFDB64DF28CC80BE5B7A5FF08314F0542A9ECA997682EB74A855CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 02BD5825, Relevance: 1.6, Strings: 1, Instructions: 356COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: 8ffcc5aa95c802f4c2b1977fc7648ca79c0b53cd5ae54cd2bfe9f38c50e2ec20
Instruction ID: 4872438030c1cab6782abd0b4c5281205da8f2ad9768a531525bd9900f3c87c4
Opcode Fuzzy Hash: 8ffcc5aa95c802f4c2b1977fc7648ca79c0b53cd5ae54cd2bfe9f38c50e2ec20
Instruction Fuzzy Hash: 90D177B1200746AFEB314F30CD49BE57BA2FF51318F148298EA859B1D1E3B9A495CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD319D, Relevance: 1.6, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: e5cd87db007237b3062fcdb40fd28c26ebc031aa05c516d3554ab8dae2841023
Instruction ID: 10b08a65da1047784750e263d8c26cb0c3ad814a8b014361d9b5448e15c94258
Opcode Fuzzy Hash: e5cd87db007237b3062fcdb40fd28c26ebc031aa05c516d3554ab8dae2841023
Instruction Fuzzy Hash: D8D155B1600746EFEB315F30CD49BE97BA2FF01318F148298EA855A1E0E7B96495CF46

Uniqueness

Uniqueness Score: -1.00%

Function 02BD31B4, Relevance: 1.6, Strings: 1, Instructions: 314COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: a48dc47bf615eee74b836948bc8b7863f4079efdb9eb22749cb60a5aa6dbe1a3
Instruction ID: cdcfbb51fbf43ff2fa2e164d881b32e9326966f937b2a7b1cbb96d06a925ad88
Opcode Fuzzy Hash: a48dc47bf615eee74b836948bc8b7863f4079efdb9eb22749cb60a5aa6dbe1a3
Instruction Fuzzy Hash: EDC176B1600746EFEB215F30CD49BE97BB2FF51318F148298EA855B1A1E3B89495CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD31FD, Relevance: 1.6, Strings: 1, Instructions: 310COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: c082c3110e08dcf73a844a3cdafb3f5009243e568da2f22ed15c290d1507cc37
Instruction ID: d83f02c5e003becc0a4d0853db206b1d0f20bb0bc320a5565b5a5f1623199073
Opcode Fuzzy Hash: c082c3110e08dcf73a844a3cdafb3f5009243e568da2f22ed15c290d1507cc37
Instruction Fuzzy Hash: 4DC177B1200746EFEB215F30CD49BE97BA2FF51308F148298ED855B1A1E7B89495CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3270, Relevance: 1.6, Strings: 1, Instructions: 302COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: b30128d559784702fd52aff0ba85ff5c393ac89f2b8dc6ebc7db5c3e9cac92fe
Instruction ID: d6d1e0b0ca4fd4bdccf19b15186a3f7c51dce9f52c77ae76335a385cf4b68fa2
Opcode Fuzzy Hash: b30128d559784702fd52aff0ba85ff5c393ac89f2b8dc6ebc7db5c3e9cac92fe
Instruction Fuzzy Hash: C0B178B1200706EFEB315F30CD49BE97BA2FF51314F148298E9855B1A1E7B99495CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD32E8, Relevance: 1.5, Strings: 1, Instructions: 282COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: a68063d1b62df4e86201771952a3d7be2c9e5a52185e79f42edeffdb2375bd60
Instruction ID: ba1251a4d88e290a2ddbb17b83bc0d8facbb24fb75993081d66a344298f007e7
Opcode Fuzzy Hash: a68063d1b62df4e86201771952a3d7be2c9e5a52185e79f42edeffdb2375bd60
Instruction Fuzzy Hash: 89B166B1200746EFEB215F30CD897E97BA2FF15314F048298E9859B1A1E7B994D5CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3364, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: 76eccd4679a68b68d3e4d8c1e462cced5a4458194eee92cc948c5d64b8f8a98d
Instruction ID: 25bacbd270f4d73a502094adfe43bd15d803518e7ba849d1380469aac828f653
Opcode Fuzzy Hash: 76eccd4679a68b68d3e4d8c1e462cced5a4458194eee92cc948c5d64b8f8a98d
Instruction Fuzzy Hash: 25A156B1200706EFEB355F30CD497E97BA2FF11308F148298E9859A1A1E7B895D5CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02BD33AC, Relevance: 1.5, Strings: 1, Instructions: 254COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: 9ca40b49d0bf3d8b4f6fda4ac80dbccdb1334f8852bdea0855448c4b1d750183
Instruction ID: 9de34996ecdb23e5b239f2f62afcd6f412ef05ee33efe3d93678d7db49d80e1d
Opcode Fuzzy Hash: 9ca40b49d0bf3d8b4f6fda4ac80dbccdb1334f8852bdea0855448c4b1d750183
Instruction Fuzzy Hash: 6CA155B1200746AFEB215F30CD457E97BA2FF15308F048299E9859B1A1E7B895D5CF82

Uniqueness

Uniqueness Score: -1.00%

Function 02BD341E, Relevance: 1.5, Strings: 1, Instructions: 243COMMON

Download Yara Rule

Strings

#[, xrefs: 02BD3570

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID: #[
API String ID: 0-3856211344
Opcode ID: 689b627dbb6651d9f8311534c7bb6fd497beb603f8fcc8745483ab486f8bb476
Instruction ID: 4b7bf0571142e679109cbdaf4e1236600b050bc26030f76d565334abd97ac6aa
Opcode Fuzzy Hash: 689b627dbb6651d9f8311534c7bb6fd497beb603f8fcc8745483ab486f8bb476
Instruction Fuzzy Hash: 649158B1200B46AFEB315F30DC497E53BA2FF15304F148299E9859A1A1E3B995C5CF83

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7B33, Relevance: .3, Instructions: 347COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: ac9ef09910acffbe52b973827189c180ef1919a7c16c1ddff8d13168ea7c0ee2
Instruction ID: 62e9dbab0bdbb84e07175df20c8595662a1812d9800d395bb3cafa4c82246ea1
Opcode Fuzzy Hash: ac9ef09910acffbe52b973827189c180ef1919a7c16c1ddff8d13168ea7c0ee2
Instruction Fuzzy Hash: 44D17F6190C7818FDB218B38C89CBA5BF919F12325F09C3DAC8A64F1E7E7748546C726

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7C48, Relevance: .3, Instructions: 256COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: f02857f20af2a95a58ffc039f3f1cafe0739caebfc71b33241a73800006d944a
Instruction ID: b213ff55745a09c33cccfe735c75f4361a6f0ef4a96633431506b9b6b3becd2e
Opcode Fuzzy Hash: f02857f20af2a95a58ffc039f3f1cafe0739caebfc71b33241a73800006d944a
Instruction Fuzzy Hash: 99A1726150C7818FDB228B388899B91BFD19F67225F0DC3DAC8A64F2E7E3658446C717

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7B77, Relevance: .3, Instructions: 255COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 45b0956b881b40e518ce076bca3a7881dfd0cb943cc0d62b82a1f3a293efcb9e
Instruction ID: 5f587c144c7015d272dfddd775f45da37537a305792f6c791fa29cb85f37d9d7
Opcode Fuzzy Hash: 45b0956b881b40e518ce076bca3a7881dfd0cb943cc0d62b82a1f3a293efcb9e
Instruction Fuzzy Hash: E2A14F6150C7818FDB228B388898B96BFD19F17225F0DC3DAC8A64F2E7E3758546C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7BC3, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 0c8865ef924645ef113c8dfb09d22d8acc476ae509dc333e1d53b66acd430969
Instruction ID: 6e5cb7c2dbb1cf0ab6f1fda921a9530ceb2988a1fd4d8f06df2f05ba0e7a64c5
Opcode Fuzzy Hash: 0c8865ef924645ef113c8dfb09d22d8acc476ae509dc333e1d53b66acd430969
Instruction Fuzzy Hash: B2915F6150C7818FDB228B388898B96BFD19F16225F0DC3DAC8EA4F1E7E3658446C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7C04, Relevance: .2, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 93e8dd3ed0b6a135b1fa2727be00bf018c42ace52626eb909785f8bc672c67f8
Instruction ID: 4eb155c21a2a71d7b0b69ec9c4e7bdf452b8a997341abe050f2097f89fef4489
Opcode Fuzzy Hash: 93e8dd3ed0b6a135b1fa2727be00bf018c42ace52626eb909785f8bc672c67f8
Instruction Fuzzy Hash: 1C91516150C7818FDB228B388898B96BFD19F17225F0DC3DAC9E64F2E7E3658446C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7D36, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: c2e995be2e11c77b42d75813fffbd439f0dfad25aeb1208a4a04c3bfea031ab0
Instruction ID: 50f15a4ff4e844b29d45c8dbe181186c899b8793d6d1b49d223857e934d4b2e6
Opcode Fuzzy Hash: c2e995be2e11c77b42d75813fffbd439f0dfad25aeb1208a4a04c3bfea031ab0
Instruction Fuzzy Hash: D581635150C7C28EDB228B34889DB92BED18F63225F0DC3DAC9E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7CE8, Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: 5a0b62320b6db21289bd53129c1dbc4a93e939db59f15c350cd2a4a12ac87ff3
Instruction ID: 07c2bf6cf5744fc1b028f8c3b46a324accc484aab02542261b176b6e0c9872a2
Opcode Fuzzy Hash: 5a0b62320b6db21289bd53129c1dbc4a93e939db59f15c350cd2a4a12ac87ff3
Instruction Fuzzy Hash: 94815E5150C7C28FDB228B38889CB96BED19F13225F4DC3DAC8E64E1E7E3658546C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7DBA, Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5352513c4d93ebf25e017e9a52b07026916658a37764c714fca90cd53cc0efe3
Instruction ID: 58ba281e4cbe75c992fa1dc28786c62844e817f8b2fdf85950931fbc58be1f9e
Opcode Fuzzy Hash: 5352513c4d93ebf25e017e9a52b07026916658a37764c714fca90cd53cc0efe3
Instruction Fuzzy Hash: FF713F5150C7C28EDB228B38889DB92BED19F23225F4DC3DAC9E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7DFD, Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b84c956937850fd1a6857dff71f85e900cdb84d98508dce61ae5c91f20394a8
Instruction ID: 8727c9a3115deefb25b4d40adb7bf8f55880d4b9e8fec4fb29aa9921b1a11c15
Opcode Fuzzy Hash: 9b84c956937850fd1a6857dff71f85e900cdb84d98508dce61ae5c91f20394a8
Instruction Fuzzy Hash: BE71305150C7C28EDB228B38889DB92BED19F23225F4DC3DAC9E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7EA4, Relevance: .2, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f22a1a19b3d69f46ce0ab904169c65900925512c161dce5eb7e9af7252681fb6
Instruction ID: 1d3a2b39d0aae782cc456972eddf31cb8d486941b61a956d2c63a79e0018ff91
Opcode Fuzzy Hash: f22a1a19b3d69f46ce0ab904169c65900925512c161dce5eb7e9af7252681fb6
Instruction Fuzzy Hash: DB71305150C7C28EDB228B38889DB92AED19F63235F4DC3DAC8E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7E48, Relevance: .2, Instructions: 190COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb764a9dfa7d0b7af506af8a39695c2ad155349f8dacc3c98a221f6b48871838
Instruction ID: 20e1837d0799b43bd9feef46906e09bc2399ee8a46b90497d05b0de480adfefd
Opcode Fuzzy Hash: cb764a9dfa7d0b7af506af8a39695c2ad155349f8dacc3c98a221f6b48871838
Instruction Fuzzy Hash: 34713E5150C7C28EDB228B38889CB92BED19F13225F4DC3DAC8EA4E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7EF9, Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d854b4fdefc391a257f90363fc1d20c96375ec8b17b2a377fd4be423ed7738b4
Instruction ID: 6592f51318c5485d99419bba9304598d448ce4be3c7c3c06e01f71052db8075a
Opcode Fuzzy Hash: d854b4fdefc391a257f90363fc1d20c96375ec8b17b2a377fd4be423ed7738b4
Instruction Fuzzy Hash: 7871215150C7C28EDB228B38889DB92AED19F23235F4DC3DAC9E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7F6F, Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3776ef766593399c98a570b3b9a96d0d902c122dbc575153b552f6dfb8219202
Instruction ID: 79514babf07d3ce6c699b3e4e318f71ebd38373abe9e6eb62415398a557a6922
Opcode Fuzzy Hash: 3776ef766593399c98a570b3b9a96d0d902c122dbc575153b552f6dfb8219202
Instruction Fuzzy Hash: 8B61325150C7C28EDB228B34889DB92AED19F23225F4DC3DAC9EA4E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7F38, Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca734f44c03b4f276a386f652e91a96b0a951193cc506b46f6ea9fe253ffe078
Instruction ID: cbabdf1cbeab381656cf4672b96b360993ceeeb19b7665981d82ee15907cd1d3
Opcode Fuzzy Hash: ca734f44c03b4f276a386f652e91a96b0a951193cc506b46f6ea9fe253ffe078
Instruction Fuzzy Hash: AB611B5150C7C28EDB228B38889DB92BE919F13225F4DC3DAC8EA4E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8088, Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23feb00597d7d89e81cb077127af0b8c6ed5ac3b41720dd641ba85a07ec9c387
Instruction ID: 891ef80e764eb3788d6fef699430fcff99a45144c0a6673c4e9437d080bf630d
Opcode Fuzzy Hash: 23feb00597d7d89e81cb077127af0b8c6ed5ac3b41720dd641ba85a07ec9c387
Instruction Fuzzy Hash: 9751885150CBC28EDB228B34889D791BED19F63225F0DC3DAC9E64E1EBE3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7FEC, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fcf45003468b81f6873edc9a2a456df9f4f79943ead11bc742c5401df73f635
Instruction ID: 2b26488e8e6b5678d98823e45061f6d5ce9d791d6ae47858545813d3d7ef99d2
Opcode Fuzzy Hash: 4fcf45003468b81f6873edc9a2a456df9f4f79943ead11bc742c5401df73f635
Instruction Fuzzy Hash: 2961535150C7C28EDB228B34889DB92BED19F13225F0DC3DAC9E64E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8042, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c764dcdc526452c8309e8afe0e267c03c0a5a3282183efb47a3edc6277e80fc
Instruction ID: 1cf9fd8d27df5e849c09ccc76b8eb92d910c8a7f29d8a781f14a013f686dbbda
Opcode Fuzzy Hash: 2c764dcdc526452c8309e8afe0e267c03c0a5a3282183efb47a3edc6277e80fc
Instruction Fuzzy Hash: 6E51305150C7C28EDB268B34889DB92BED19B13235F4DC3DAC8E64E1E7E3648147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD7FE5, Relevance: .2, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75ecf2d6a42783b2f889971be35f99a924eb9b96deef7830ca6df308c3112f84
Instruction ID: b4accae18dd7459c0079acfbf8ce7e8a2746a909fa66111936bed3d3384f9561
Opcode Fuzzy Hash: 75ecf2d6a42783b2f889971be35f99a924eb9b96deef7830ca6df308c3112f84
Instruction Fuzzy Hash: B1512E5150C7C28EDB268B38889CB92BED19B13235F4DC3DAC9EA4E1E7E3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD810C, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92a5effbcfff52725f73d96ce331df7aae67f51bac854f74921f85d49b199f85
Instruction ID: 30074d5dc62646bb57891940e525ccf710eb955852f37f1d400e279b9b96bd82
Opcode Fuzzy Hash: 92a5effbcfff52725f73d96ce331df7aae67f51bac854f74921f85d49b199f85
Instruction Fuzzy Hash: D551525190C7828EDB228B34889CB92BED19F13235F4DC3DAC8E64E1EBE3658147C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8154, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5209946bfbb57e2650ebd201d13b34e2e87b987fffb4cc925a90939b233e691f
Instruction ID: c431db41b5c8e23f2424c971826a4c3cafdf445a7fd1e6d17f37854266a75669
Opcode Fuzzy Hash: 5209946bfbb57e2650ebd201d13b34e2e87b987fffb4cc925a90939b233e691f
Instruction Fuzzy Hash: 1E51535150C7828EDB268B34889DB92BED19F63236F0DC3DAC9E64E1DBE3658047C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD8198, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eb49f57ecad1fd536dd84eef7289129b0cbadf13b7b09b5c50a70a01ea2cac1
Instruction ID: 2be01d6b389ebb81aaa8c4fe25d530740829289927c639742254f100878ae513
Opcode Fuzzy Hash: 4eb49f57ecad1fd536dd84eef7289129b0cbadf13b7b09b5c50a70a01ea2cac1
Instruction Fuzzy Hash: AD51545190C7828EDB268B34889DB92BED19F13235F0DC3EAC9E64E1DBE3658143C617

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2A65, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3809faad4a627fcc4eb8feafe217636b1f3600943df64edfe6b50a4de981b04b
Instruction ID: e45e228fb3a97c766004f669eaa817ddf6b4818700c272f25e4e326674701583
Opcode Fuzzy Hash: 3809faad4a627fcc4eb8feafe217636b1f3600943df64edfe6b50a4de981b04b
Instruction Fuzzy Hash: 3E311471204B818FEB268F74CC89B953BA1EF12721F0983C9D9565F1F6E3A09482CA13

Uniqueness

Uniqueness Score: -1.00%

Function 02BD2B00, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfe735cd83143340c85bc8e4887730ed7c513b64e442dcbfb9ee1a598ed036ae
Instruction ID: 76d3b07c179c80a8f771f6873e8537727a8d56e5f78ad1fbd2ce6c899af4996a
Opcode Fuzzy Hash: cfe735cd83143340c85bc8e4887730ed7c513b64e442dcbfb9ee1a598ed036ae
Instruction Fuzzy Hash: 93216A70640780DFEB249F64CC48F9477A2EF00724F5586D9E6195A1F2E7B09980CF16

Uniqueness

Uniqueness Score: -1.00%

Function 02BD58FF, Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00dc138872549e3fe2c7ff064402dcef142d2326292ad692eb39fc46f97232e6
Instruction ID: e179fe4a9cfaef2d6ffcf9c1d2c87fd9d91ecdcf4afed4fb262d7339c1638d1e
Opcode Fuzzy Hash: 00dc138872549e3fe2c7ff064402dcef142d2326292ad692eb39fc46f97232e6
Instruction Fuzzy Hash: 02E048965083465FCB3A9A54D8D27EA7F849F3A224FC840D1D6828B345F1B89540C356

Uniqueness

Uniqueness Score: -1.00%

Function 02BD6AAF, Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f71d58557ea2a3c06e26352e5ad8b9c14ba587d229cbcd59b0c8b897764090fe
Instruction ID: 51dec8083a8fd5e92e65097d5e118294021c1c9c38474f15148e5dca07d827e0
Opcode Fuzzy Hash: f71d58557ea2a3c06e26352e5ad8b9c14ba587d229cbcd59b0c8b897764090fe
Instruction Fuzzy Hash: 9BE01279301200AFC714CB08E6C5FA6B3A9EB48700F1688E0E9518B621FB38EC80CB20

Uniqueness

Uniqueness Score: -1.00%

Function 02BD3EF4, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02BD611B, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.734424591.0000000002BD0000.00000040.00000001.sdmp, Offset: 02BD0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2bd0000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 004123E0, Relevance: 28.7, APIs: 19, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__vbaStrCopy.MSVBVM60 ref: 00412429
#521.MSVBVM60(004037EC), ref: 00412434
__vbaStrMove.MSVBVM60 ref: 0041243F
__vbaStrCmp.MSVBVM60(004037F8,00000000), ref: 0041244B
__vbaFreeStr.MSVBVM60 ref: 0041245E
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412480
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041249F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403638,000000F8), ref: 004124C8
__vbaNew2.MSVBVM60(00402314,00417010), ref: 004124E5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004124FE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035A4,00000050), ref: 0041251B
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00412530
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,0000004C), ref: 00412555
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037FC,00000024), ref: 0041257D
__vbaStrMove.MSVBVM60 ref: 0041258C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041259C
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004125B0
__vbaFreeStr.MSVBVM60(004125FD), ref: 004125F5
__vbaFreeStr.MSVBVM60 ref: 004125FA

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresult$New2$ListMove$#521Copy
String ID:
API String ID: 3727748095-0
Opcode ID: c24619b8a0fe6d34dd1c289711314e558ddac4af9281414039ea30f42127c8bf
Instruction ID: 9b9315aeb58762c01b9835d24a90cd51daed12535bf53a0375bf87fae952f691
Opcode Fuzzy Hash: c24619b8a0fe6d34dd1c289711314e558ddac4af9281414039ea30f42127c8bf
Instruction Fuzzy Hash: 9D516170A00215AFCB00DFA5DD89EEEBBB8FB18701F10452AF545F72A0D7749945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411CD0, Relevance: 26.5, APIs: 14, Strings: 1, Instructions: 207COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 00411D40
__vbaFpR8.MSVBVM60 ref: 00411D46
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00411D70
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411D8F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,00000110), ref: 00411DB2
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00411DCB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411DE4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035B4,00000068), ref: 00411E04
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00411E1C
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000044), ref: 00411EEF
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00411F26
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00411F36
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 00411F46
__vbaFreeObj.MSVBVM60(00411F8D), ref: 00411F86

Strings

sonedkkernes, xrefs: 00411ECC

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List$#672Late
String ID: sonedkkernes
API String ID: 1051946965-2399110942
Opcode ID: 369a6dcfbdb314799dc34072c9af5a93ca9bef719afc1aa5c5d6c431756b44c0
Instruction ID: fefb535106ca63fa01af59b2d6b503163a8305446fc205846c28158e4ade5867
Opcode Fuzzy Hash: 369a6dcfbdb314799dc34072c9af5a93ca9bef719afc1aa5c5d6c431756b44c0
Instruction Fuzzy Hash: 00812FB0A012089FCB10DFA9C985B9DBBB4FF48704F20856EE509E73A1D7759946CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00412620, Relevance: 19.3, APIs: 10, Strings: 1, Instructions: 87COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00412682
#629.MSVBVM60(?,?,00000001,?), ref: 00412696
__vbaVarTstNe.MSVBVM60(?,?), ref: 004126BB
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 004126D2
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 004126F2
__vbaObjVar.MSVBVM60(?), ref: 00412704
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 0041270F
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000010), ref: 00412729
__vbaFreeObj.MSVBVM60 ref: 00412732
__vbaFreeVar.MSVBVM60(0041276E), ref: 00412767

Strings

FGFG, xrefs: 00412674

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#629AddrefCheckHresultListNew2
String ID: FGFG
API String ID: 451959755-2759163656
Opcode ID: c9dded58df5d52dd9f1d9278128f9f8eb4e2391cee6504b844b25cd1740f3b4b
Instruction ID: 6169b3bb650a2fba6391465ad51c73500e0d563466074471c9ed7cf179a5cb47
Opcode Fuzzy Hash: c9dded58df5d52dd9f1d9278128f9f8eb4e2391cee6504b844b25cd1740f3b4b
Instruction Fuzzy Hash: C6314CB1801249AFDB10DFA5DE49ADEFBB8FB48701F10816AF505B31A0D7B41A49CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00411B50, Relevance: 16.6, APIs: 11, Instructions: 102COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00411BA6
#562.MSVBVM60(?), ref: 00411BB0
__vbaFreeVar.MSVBVM60 ref: 00411BC7
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00411BE4
__vbaObjSetAddref.MSVBVM60(?,004012F8), ref: 00411BFA
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000010), ref: 00411C17
__vbaFreeObj.MSVBVM60 ref: 00411C20
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00411C39
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411C52
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403628,00000100), ref: 00411C79
__vbaFreeObj.MSVBVM60 ref: 00411C88

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckHresultNew2$#562Addref
String ID:
API String ID: 2819199164-0
Opcode ID: 7499b0c507c49997433edc0c582ee60b74cb0dc4bbc18a801a185acac0214c94
Instruction ID: 19217fadc63713ee5a400a659d8b1a21003011853843560a543b32bf5f0cd16b
Opcode Fuzzy Hash: 7499b0c507c49997433edc0c582ee60b74cb0dc4bbc18a801a185acac0214c94
Instruction Fuzzy Hash: 0B412C75900209AFCB10DFA5DD88ADEBBB8FB08701F10853AF556B72A0D7785945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00412DA0, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412DF6
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E15
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412E31
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412E4A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035A4,00000108), ref: 00412E6D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,000001EC), ref: 00412EAD
__vbaFreeStr.MSVBVM60 ref: 00412EB6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00412EC6

Strings

]KH, xrefs: 00412ECF

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID: ]KH
API String ID: 2509323985-4038015901
Opcode ID: b5fa604f20f425bbe5ebb4ccc43228b990f56f2d4bb4010bb403e11c708e76e9
Instruction ID: 71977a5abc3c5e4ba4fa079cd226f2b8a4535f60cccfe7bd21df1a2e8127ec71
Opcode Fuzzy Hash: b5fa604f20f425bbe5ebb4ccc43228b990f56f2d4bb4010bb403e11c708e76e9
Instruction Fuzzy Hash: 1F41FF70A00315AFCB00DFA8C989EDEBBB8FB4CB40F10856AF545E7291D77999458BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412B30, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaVarDup.MSVBVM60 ref: 00412B90
#543.MSVBVM60(?,?), ref: 00412B9E
__vbaVarTstNe.MSVBVM60(?,?), ref: 00412BBA
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00412BCD
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00412BED
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000034,?,?,000031C1,?), ref: 00412C3D
__vbaObjSet.MSVBVM60(?,?,?,?,000031C1,?), ref: 00412C4E
__vbaFreeObj.MSVBVM60(00412C86), ref: 00412C7F

Strings

14:14:14, xrefs: 00412B82

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#543CheckHresultListNew2
String ID: 14:14:14
API String ID: 2422930825-4170531969
Opcode ID: a9559c063da387c18852e0933252ea180664beaea9b6c3277f9291621674f939
Instruction ID: 3256a3d6d5ed22b76d3e67279d16bb562ebd100baa16450c83aace3f1dda9f07
Opcode Fuzzy Hash: a9559c063da387c18852e0933252ea180664beaea9b6c3277f9291621674f939
Instruction Fuzzy Hash: 654118B0D00249AFCB04DF99D949AEEFBB8FF48704F10801AE515AB2A4D7B45A49CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004115F0, Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 61COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00411639
#588.MSVBVM60(00000002,00000001,00000000), ref: 00411644
#716.MSVBVM60(?,Tyggegummi3,00000000), ref: 0041165B
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00411682
__vbaFreeVar.MSVBVM60 ref: 0041168B
__vbaFreeStr.MSVBVM60(004116BC), ref: 004116AC
__vbaFreeObj.MSVBVM60 ref: 004116B5

Strings

j/E, xrefs: 00411691
Tyggegummi3, xrefs: 00411655

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#588#716CopyLate
String ID: Tyggegummi3$j/E
API String ID: 333341757-109497277
Opcode ID: 71d2165dd299494c62cf1422dab5586fdcdb0784bfed68b63dc0ba401d19f7a4
Instruction ID: 705386e34005bf6b3472e1c475aea4d821a4498ec57417a6e29ad9426aeddd0c
Opcode Fuzzy Hash: 71d2165dd299494c62cf1422dab5586fdcdb0784bfed68b63dc0ba401d19f7a4
Instruction Fuzzy Hash: 372116B4D10219AFCB04DF98DA89ADEBBB8FF48701F10812AF505B7260D7785945CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00415910, Relevance: 14.0, APIs: 6, Strings: 2, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401466), ref: 0041594A
__vbaVarDup.MSVBVM60 ref: 00415964
#557.MSVBVM60(?), ref: 0041596E
__vbaFreeVar.MSVBVM60 ref: 00415984
#580.MSVBVM60(Aftrringen4,00000001), ref: 00415996
__vbaFreeStr.MSVBVM60(004159B7), ref: 004159B0

Strings

Aftrringen4, xrefs: 00415991
10-10-10, xrefs: 00415956

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#557#580Copy
String ID: 10-10-10$Aftrringen4
API String ID: 1011610088-3533649026
Opcode ID: 38ad9e1e2426495406351055bf9e94a71f5d49b20d85354a21b2b99c56355e9b
Instruction ID: d6065a630f924e44c537bbc52b22dc02d13de4eab7f33fea6a26df8d4d58548d
Opcode Fuzzy Hash: 38ad9e1e2426495406351055bf9e94a71f5d49b20d85354a21b2b99c56355e9b
Instruction Fuzzy Hash: 35115275801209DBCB04DFA4DB49ADDBBB4EF48701F60412AF102B75A0D7745E49CF69

Uniqueness

Uniqueness Score: -1.00%

Function 004116F0, Relevance: 13.6, APIs: 9, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 00411758
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000014), ref: 00411783
__vbaHresultCheckObj.MSVBVM60(00000000,?,004037A8,00000128), ref: 004117B4
__vbaFreeObj.MSVBVM60 ref: 004117CA
#685.MSVBVM60 ref: 004117D9
__vbaObjSet.MSVBVM60(?,00000000), ref: 004117E4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004037B8,00000044), ref: 00411838
__vbaFreeObj.MSVBVM60 ref: 0041183D
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00411855

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresult$#685ListNew2
String ID:
API String ID: 3031769890-0
Opcode ID: 3d264de6553ac39f974f1bd343ba74626e49524206d6295306398ea99325fee0
Instruction ID: b819fe846f6d29589d9a08f1baab0c1376a2fbe172c29c9b2e5221a48f853277
Opcode Fuzzy Hash: 3d264de6553ac39f974f1bd343ba74626e49524206d6295306398ea99325fee0
Instruction Fuzzy Hash: A84139B1D00219AFCB10DF94CD84AEEBBB9FF58700F14412AE605F72A0D7785945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00411960, Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 0041199D
#707.MSVBVM60(00000001,00000000,?,?,?,?,?,?,?,?,?,?,00401466), ref: 004119A6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 004119B1
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,?,?,?,00401466), ref: 004119CA
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401466), ref: 004119E3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403628,000000A8,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00411A0A
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 00411A19
__vbaFreeStr.MSVBVM60(00411A41,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00411A39
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 00411A3E

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#707CheckCopyHresultMoveNew2
String ID:
API String ID: 429726519-0
Opcode ID: 11c1484a9575c3c0cb50270b081ae0c83c94d7668e659fbb41616ccdbe1fde28
Instruction ID: 41a26aee8a52d98e12b8d03f57b603384a47389c0bb4f92d4cacd1d0cea476ee
Opcode Fuzzy Hash: 11c1484a9575c3c0cb50270b081ae0c83c94d7668e659fbb41616ccdbe1fde28
Instruction Fuzzy Hash: 2E219270A00209AFCB00DF90DD49AEEBBB8FF48740F104426F542B32A0D7746945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412790, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004127C8
#712.MSVBVM60(00000000,00403834,00000000,00000001,000000FF,00000000), ref: 004127DF
__vbaStrMove.MSVBVM60 ref: 004127EA
__vbaStrCmp.MSVBVM60(0040383C,00000000), ref: 004127F9
#569.MSVBVM60(000000DC), ref: 00412808
__vbaFreeStr.MSVBVM60(0041281D), ref: 00412816

Strings

val, xrefs: 004127B9

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$#569#712CopyFreeMove
String ID: val
API String ID: 513144385-2548021861
Opcode ID: aa60d10ba02a2d6872b3d6250c44caae6d3a2fdc44dca464bdf4e2cd4dc84a82
Instruction ID: 4b5a5f8d03bbd867b6edba9f7ecb3d1d116a80b8e2649a1920a4d863ea42fa2c
Opcode Fuzzy Hash: aa60d10ba02a2d6872b3d6250c44caae6d3a2fdc44dca464bdf4e2cd4dc84a82
Instruction Fuzzy Hash: 59014471A40245ABDB00AF94CE4AF9E7FB8EB04B01F204136B641B66E0D7B45585CA99

Uniqueness

Uniqueness Score: -1.00%

Function 004159D0, Relevance: 12.1, APIs: 8, Instructions: 101COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00415A23
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415A42
__vbaNew2.MSVBVM60(00402314,00417010), ref: 00415A5E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415A77
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,00000120), ref: 00415A9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,000001EC), ref: 00415ADA
__vbaFreeStr.MSVBVM60 ref: 00415AE3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00415AF3

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 6f0cbef0939fce925c4c0363a2347c717aeaf4500c994fc3c4a9ac9c3ece9580
Instruction ID: e9681ff8fbf811f67bb583ddb6c9c9130793e3db7be508b0c79c562b77bcaba9
Opcode Fuzzy Hash: 6f0cbef0939fce925c4c0363a2347c717aeaf4500c994fc3c4a9ac9c3ece9580
Instruction Fuzzy Hash: D03130B0A40215AFCB00DFA8C989FDA7BFCFB4CB40F10856AF505E7291D77899418BA4

Uniqueness

Uniqueness Score: -1.00%

Function 00412090, Relevance: 12.1, APIs: 8, Instructions: 87COMMON

Download Yara Rule

APIs

#678.MSVBVM60(00000000,3FF00000,00000000,40000000,00000000,40080000,?,?), ref: 004120F3
__vbaFpR8.MSVBVM60 ref: 004120F9
__vbaFpR8.MSVBVM60 ref: 00412112
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041213A
__vbaNew2.MSVBVM60(004035F4,004173C0), ref: 0041215B
__vbaObjSetAddref.MSVBVM60(00000000,?), ref: 00412171
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000010), ref: 0041218B
__vbaFreeObj.MSVBVM60 ref: 00412194

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#678AddrefCheckHresultListNew2
String ID:
API String ID: 1931364835-0
Opcode ID: b6ecaa3d123f7b3e3e8166a82f8992d9589a43f6d60f9e8388138a6dac90ba52
Instruction ID: 962af6c1827d62c8102530271e9b31edd3da9e2e197148b685c638bd4c3a4add
Opcode Fuzzy Hash: b6ecaa3d123f7b3e3e8166a82f8992d9589a43f6d60f9e8388138a6dac90ba52
Instruction Fuzzy Hash: D231A470900249BBDB00CFA4DE49BEE7B78FB04B00F20402AFA45F21A0D77859958B6D

Uniqueness

Uniqueness Score: -1.00%

Function 00412CB0, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 55COMMON

Download Yara Rule

APIs

#709.MSVBVM60(ABC,00403894,000000FF,00000000,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00412CEE
__vbaNew2.MSVBVM60(004035F4,004173C0,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00412D0B
__vbaHresultCheckObj.MSVBVM60(00000000,0227EF84,004035E4,00000048,?,?,?,?,?,?,?,?,?,?,00401466), ref: 00412D32
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401466), ref: 00412D41
__vbaFreeStr.MSVBVM60(00412D71), ref: 00412D6A

Strings

ABC, xrefs: 00412CE3

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$#709CheckFreeHresultMoveNew2
String ID: ABC
API String ID: 3370719295-2743272264
Opcode ID: cab62efd264c87a1277eae840970613206878f1f1bba15acd8e1acd42955c57e
Instruction ID: 5246cab498b2e2e78ed033e486194b2201820faea3a5dc2aadb883ccfdfaff78
Opcode Fuzzy Hash: cab62efd264c87a1277eae840970613206878f1f1bba15acd8e1acd42955c57e
Instruction Fuzzy Hash: BA119070940248ABCB00DF91DE49AEEBBB8FB04701F20412BF801B32E0C77C1541CB59

Uniqueness

Uniqueness Score: -1.00%

Function 00412310, Relevance: 9.1, APIs: 6, Instructions: 52COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,00401466), ref: 00412347
__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,00401466), ref: 00412360
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00401466), ref: 00412379
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035C4,000001AC,?,?,?,?,?,?,?,00401466), ref: 0041239C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00401466), ref: 004123A5
__vbaFreeStr.MSVBVM60(004123C6,?,?,?,?,?,?,?,00401466), ref: 004123BF

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 2b369cddb6ba09e7ca5bc8d5892ab3789d2104bed8f0aa8138f9502fe9ed84b7
Instruction ID: 5226c7efbb9fc58ec15cc54dcbd184d48f1e88dce938648d723dd9dbd8e4d288
Opcode Fuzzy Hash: 2b369cddb6ba09e7ca5bc8d5892ab3789d2104bed8f0aa8138f9502fe9ed84b7
Instruction Fuzzy Hash: 0E114274500205AFC710DFA4CE49EEE7BB8FB48741F104426F942F71A0D7785945CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411460, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 004114A3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004114BC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,000001EC), ref: 00411504
__vbaFreeObj.MSVBVM60 ref: 0041150D

Strings

umbrian, xrefs: 004114D3

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: umbrian
API String ID: 1645334062-611882586
Opcode ID: cb39ef0691ad285416be275ab1c36866456a4e763141a36705045d0c1cade6a7
Instruction ID: be9065554c9b3793cbd69a6f82d14c4aeaba6fc4b88bedbace866c26b557b669
Opcode Fuzzy Hash: cb39ef0691ad285416be275ab1c36866456a4e763141a36705045d0c1cade6a7
Instruction Fuzzy Hash: 311166B0600305AFC710DFA8CD49F9ABFB8FB48B01F108529F545F72A0D77899458B99

Uniqueness

Uniqueness Score: -1.00%

Function 004128E0, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412923
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041293C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040377C,000001EC), ref: 00412984
__vbaFreeObj.MSVBVM60 ref: 0041298D

Strings

servicegarantier, xrefs: 00412953

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: servicegarantier
API String ID: 1645334062-2390481660
Opcode ID: 41f155c102eca4f303c7a72f5817bcbc0c48b83feea00ce7b08dbc8c05f5d947
Instruction ID: e29f48f68c9240904f0c4e64e13d95c8500058b8d0c58e8b65d70820c4f7831d
Opcode Fuzzy Hash: 41f155c102eca4f303c7a72f5817bcbc0c48b83feea00ce7b08dbc8c05f5d947
Instruction Fuzzy Hash: 721163B0A00305ABD700DF68CE49F9ABFB8FB0DB01F10852AF545F7690D77899458BA9

Uniqueness

Uniqueness Score: -1.00%

Function 004157D0, Relevance: 6.1, APIs: 4, Instructions: 81COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00415813
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041582C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035A4,000001CC), ref: 004158B3
__vbaFreeObj.MSVBVM60 ref: 004158BC

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 1843c9315041a4e3a028fd44b8b7d1c8b2436f6a79f12fa000020479e69c77cb
Instruction ID: 3684839fb7eaf3ebbad43cde9c877d06d05e20c190793c577672c4f4305ca1c8
Opcode Fuzzy Hash: 1843c9315041a4e3a028fd44b8b7d1c8b2436f6a79f12fa000020479e69c77cb
Instruction Fuzzy Hash: 1E312EB4A01304DFDB04DF69D985A99BBF4FF49700F10C46AE905AB391D3399841CF95

Uniqueness

Uniqueness Score: -1.00%

Function 004121E0, Relevance: 6.1, APIs: 4, Instructions: 80COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412223
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041223C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403628,00000130), ref: 004122C3
__vbaFreeObj.MSVBVM60 ref: 004122CC

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 9d4195bceab28b5ed5ade58267cad0ef9f11a50483d8e2b5beda20a8be40f922
Instruction ID: cbf89bb8cdb5058e9ceb6648411e35e5f4a774b719ef1f1f584711bdf1c1939a
Opcode Fuzzy Hash: 9d4195bceab28b5ed5ade58267cad0ef9f11a50483d8e2b5beda20a8be40f922
Instruction Fuzzy Hash: 5B312EB4A003049FCB04DFA8C945A9ABBF5FB4D700F10C46AE905EB351D7759841CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 00412F30, Relevance: 6.1, APIs: 4, Instructions: 55COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402314,00417010), ref: 00412F73
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00412F8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004035A4,000001C8), ref: 00412FCF
__vbaFreeObj.MSVBVM60 ref: 00412FD8

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: c66311c690696da285a31308fe97f133952801f93b539c0bedb48c812a04d8a2
Instruction ID: cae729367a80b0b87e3176177ac3609d66b8f7d2a4f685c9539e235278ced81c
Opcode Fuzzy Hash: c66311c690696da285a31308fe97f133952801f93b539c0bedb48c812a04d8a2
Instruction Fuzzy Hash: 1A1182B0640305AFD700DFA8CA49F9ABBB8FB08704F10852AF505F7690D77899419BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00411FB0, Relevance: 6.1, APIs: 4, Instructions: 53
COMMON

Download Yara Rule

C-Code - Quality: 18%

			E00411FB0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				intOrPtr* _t14;
				intOrPtr* _t16;
				intOrPtr* _t18;
				void* _t19;
				intOrPtr* _t28;
				void* _t29;
				void* _t31;
				intOrPtr _t32;

				_t32 = _t31 - 0xc;
				 *[fs:0x0] = _t32;
				_v16 = _t32 - 0x18;
				_v12 = 0x401320;
				_v8 = 0;
				_t14 = _a4;
				 *((intOrPtr*)( *_t14 + 4))(_t14, __edi, __esi, __ebx,  *[fs:0x0], 0x401466, _t29);
				_t16 =  *0x417010; // 0x636a18
				_v28 = 0;
				_v32 = 0;
				if(_t16 == 0) {
					__imp____vbaNew2(0x402314, 0x417010);
					_t16 =  *0x417010; // 0x636a18
				}
				_t18 =  &_v32;
				__imp____vbaObjSet(_t18,  *((intOrPtr*)( *_t16 + 0x330))(_t16));
				_t28 = _t18;
				_t19 =  *((intOrPtr*)( *_t28 + 0x1d8))(_t28);
				asm("fclex");
				if(_t19 < 0) {
					__imp____vbaHresultCheckObj(_t19, _t28, 0x403638, 0x1d8);
				}
				__imp____vbaFreeObj();
				_v28 = 0x426;
				_push(0x412064);
				return _t19;
			}

0x00411fb3
0x00411fc2
0x00411fcf
0x00411fd2
0x00411fdb
0x00411fde
0x00411fe4
0x00411fe7
0x00411fec
0x00411ff1
0x00411ff4
0x00412000
0x00412006
0x00412006
0x00412015
0x00412019
0x0041201f
0x00412024
0x0041202c
0x0041202e
0x0041203c
0x0041203c
0x00412045
0x0041204b
0x00412052
0x00000000

APIs

__vbaNew2.MSVBVM60(00402314,00417010,?,?,?,?,?,?,?,?,00401466), ref: 00412000
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401466), ref: 00412019
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403638,000001D8,?,?,?,?,?,?,?,?,00401466), ref: 0041203C
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401466), ref: 00412045

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 23036c5b4b44485e74c61ab1c6616b797815740d6aba648b2ea92d88168533df
Instruction ID: 942ef269a392a00ad07f61809a240f25a503f82e0f8307c40fe4368f51b1a1ba
Opcode Fuzzy Hash: 23036c5b4b44485e74c61ab1c6616b797815740d6aba648b2ea92d88168533df
Instruction Fuzzy Hash: 85115E74A40204AFC710DF95CE89ADABFBCFB58741F108526F941F72A0C7B85945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00411540, Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041158A
__vbaStrMove.MSVBVM60 ref: 00411595
__vbaFreeVar.MSVBVM60 ref: 0041159E
__vbaFreeStr.MSVBVM60(004115CD), ref: 004115C6

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#703Move
String ID:
API String ID: 2099753968-0
Opcode ID: 760747807753bfa8c4be4cb321e14cb08b106d93f9276dfb070b7bb5b50d8871
Instruction ID: 89aca186949f78cf63d27577cc11b66fadd65a7a10ce394d831cb5d35d397c6e
Opcode Fuzzy Hash: 760747807753bfa8c4be4cb321e14cb08b106d93f9276dfb070b7bb5b50d8871
Instruction Fuzzy Hash: 5E01F470804249EBCB00DFA8DE49BDEBBB8EB45715F204325E522726E0D7741604CF65

Uniqueness

Uniqueness Score: -1.00%

Function 00412840, Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

#703.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041288A
__vbaStrMove.MSVBVM60 ref: 00412895
__vbaFreeVar.MSVBVM60 ref: 0041289E
__vbaFreeStr.MSVBVM60(004128BF), ref: 004128B8

Memory Dump Source

Source File: 00000000.00000002.730196240.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.730183877.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.730234172.0000000000417000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.730246760.0000000000419000.00000002.00020000.sdmp Download File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.jbxd

Yara matches

Similarity

API ID: __vba$Free$#703Move
String ID:
API String ID: 2099753968-0
Opcode ID: 334abca798f4dcaad8319b9faa0ec80292330b3efd2451f64185b4022e554c34
Instruction ID: d575264129aec6ebe4a1e801b1656dab86ab9010ce29ce6b47f1e128d5cb43cf
Opcode Fuzzy Hash: 334abca798f4dcaad8319b9faa0ec80292330b3efd2451f64185b4022e554c34
Instruction Fuzzy Hash: 20F01970844209EBDB00DF94CF49BDEBBB8AB19725F204369E422B25E4DB781A048B65

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe PID: 4608 Parent PID: 5768

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exe PID: 4608 Parent PID: 5768 New_Contract_ontractNo-S-2104-0036_Business_Sales_confirmation.exeCOMMON

Function 00403EC9, Relevance: 11.7, APIs: 1, Strings: 6, Instructions: 1194
memoryCOMMONCrypto

Function 00401664, Relevance: 4.2, APIs: 1, Strings: 1, Instructions: 708
COMMON

Function 02BD7001, Relevance: 1.6, APIs: 1, Instructions: 121
memorynativeCOMMON

Function 02BD7159, Relevance: 1.6, APIs: 1, Instructions: 116
memorynativeCOMMON

Function 02BD717E, Relevance: 1.6, APIs: 1, Instructions: 102
memorynativeCOMMON

Function 02BD7094, Relevance: 1.6, APIs: 1, Instructions: 88
memorynativeCOMMON

Function 02BD70C8, Relevance: 1.6, APIs: 1, Instructions: 87
memorynativeCOMMON

Function 02BD71BE, Relevance: 1.6, APIs: 1, Instructions: 87
memorynativeCOMMON

Function 02BD7037, Relevance: 1.6, APIs: 1, Instructions: 82
memorynativeCOMMON

Function 02BD722F, Relevance: 1.6, APIs: 1, Instructions: 70
memorynativeCOMMON

Function 02BD7280, Relevance: 1.6, APIs: 1, Instructions: 65
memorynativeCOMMON

Function 02BD88D0, Relevance: 1.5, APIs: 1, Instructions: 35
nativeCOMMON

Function 02BD890F, Relevance: 1.5, APIs: 1, Instructions: 13
nativeCOMMON

Function 004112A0, Relevance: 24.1, APIs: 16, Instructions: 119
COMMON