Play interactive tour

Edit tour

Analysis Report EXErprijFY

Overview

General Information

Sample Name:	EXErprijFY (renamed file extension from none to exe)
Analysis ID:	433989
MD5:	ee83942376ea5717149517fcc832ab9f
SHA1:	ec75b10c6ef046cb63eaa20470ac94529fb4873a
SHA256:	b3498937a71913d7101fafb04eb48a791106bec97e21839b2e1be8bb55a3f5fc
Tags:	32exeGuLoadertrojan
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Found malware configuration

Potential malicious icon found

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

EXErprijFY.exe (PID: 6896 cmdline: 'C:\Users\user\Desktop\EXErprijFY.exe' MD5: EE83942376EA5717149517FCC832AB9F)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}

Yara Overview

Initial Sample

Source	Rule	Description	Author	Strings
EXErprijFY.exe	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1164652170.0000000002230000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.EXErprijFY.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security
0.2.EXErprijFY.exe.400000.0.unpack	JoeSecurity_GuLoader_1	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: EXErprijFY.exe

Avira: detected

Antivirus detection for URL or domain

Show sources

Source: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin

Avira URL Cloud: Label: malware

Found malware configuration

Show sources

Source: EXErprijFY.exe

Malware Configuration Extractor: GuLoader {"Payload URL": "https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin"}

Source: EXErprijFY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin

Source: EXErprijFY.exe, 00000000.00000002.1164512673.00000000006FA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\EXErprijFY.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_004018A4		0_2_004018A4
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_00405732		0_2_00405732

Source: EXErprijFY.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: EXErprijFY.exe, 00000000.00000000.641912573.0000000000424000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2X2 vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2X vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2XpJ4 vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2X_I vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2X>N~ vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164581076.00000000020E0000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenamepetered.exeFE2XxO< vs EXErprijFY.exe
Source: EXErprijFY.exe, 00000000.00000002.1164564990.00000000020A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs EXErprijFY.exe
Source: EXErprijFY.exe	Binary or memory string: OriginalFilenamepetered.exe vs EXErprijFY.exe

Source: EXErprijFY.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@1/0@0/0

Source: EXErprijFY.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\EXErprijFY.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\EXErprijFY.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1164652170.0000000002230000.00000040.00000001.sdmp, type: MEMORY

Yara detected GuLoader

Show sources

Source: Yara match	File source: EXErprijFY.exe, type: SAMPLE
Source: Yara match	File source: 0.0.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.EXErprijFY.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_004059CC pushfd ; iretd	0_2_004059D5
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_00406199 push ss; ret	0_2_004062BA
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_00407E0A push ecx; iretd	0_2_00407E0C
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_004062BD push ss; ret	0_2_004062BA
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_00402F0B push dword ptr [ebp-1Ch]; ret	0_2_0041B724
Source: C:\Users\user\Desktop\EXErprijFY.exe	Code function: 0_2_00409B16 push ecx; retf	0_2_00409B23

Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\EXErprijFY.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\EXErprijFY.exe	RDTSC instruction interceptor: First address: 0000000002237154 second address: 0000000002237154 instructions:
Source: C:\Users\user\Desktop\EXErprijFY.exe	RDTSC instruction interceptor: First address: 000000000223A078 second address: 000000000223A078 instructions:

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\EXErprijFY.exe	RDTSC instruction interceptor: First address: 0000000002237154 second address: 0000000002237154 instructions:
Source: C:\Users\user\Desktop\EXErprijFY.exe	RDTSC instruction interceptor: First address: 000000000223A021 second address: 000000000223A078 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 53673179h 0x00000007 sub eax, 2CF91FC3h 0x0000000c xor eax, 4DAF12BEh 0x00000011 sub eax, 6BC10307h 0x00000016 cpuid 0x00000018 jmp 00007F311485C18Eh 0x0000001a pushad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\EXErprijFY.exe	RDTSC instruction interceptor: First address: 000000000223A078 second address: 000000000223A078 instructions:

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\EXErprijFY.exe

Process Stats: CPU usage > 90% for more than 60s

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: EXErprijFY.exe, 00000000.00000002.1164536037.0000000000C80000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery3	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery21	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
EXErprijFY.exe	9%	ReversingLabs	Win32.Malware.Generic
EXErprijFY.exe	100%	Avira	HEUR/AGEN.1134908

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.2.EXErprijFY.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134908		Download File
0.0.EXErprijFY.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1134908		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://bara-seck.com/bin_NpuMLUuCfC62.bin, http://farmersschool.ge/bin_NpuMLUuCfC62.bin	true	Avira URL Cloud: malware	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	32.0.0 Black Diamond
Analysis ID:	433989
Start date:	14.06.2021
Start time:	09:17:28
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	EXErprijFY (renamed file extension from none to exe)
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 44.8% (good quality ratio 14.8%) Quality average: 16.1% Quality standard deviation: 26.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/433989/sample/EXErprijFY.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.822963661672907
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	EXErprijFY.exe
File size:	147456
MD5:	ee83942376ea5717149517fcc832ab9f
SHA1:	ec75b10c6ef046cb63eaa20470ac94529fb4873a
SHA256:	b3498937a71913d7101fafb04eb48a791106bec97e21839b2e1be8bb55a3f5fc
SHA512:	431cdd7e43fd6a4c4df862297eebc42e9cb68909647b57288a63bfe036d9d0560cc0e97d759bda096e1389e3cd18d243e627cce692660e2a384be430623b2551
SSDEEP:	1536:zK7pvMMhAYlnYgtuELhUQwe6KjEw5bMNccnuMG5reMFbCJQ:zCBqg197dvjEw5yccw5r7d
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L...@.`R.....................0............... ....@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4018a4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5260BB40 [Fri Oct 18 04:38:24 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	2c08d8f9644132654eb702b279083d5c

Entrypoint Preview

Instruction
push 00401C44h
call 00007F31147D6CF5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esp+ebp-2Eh], cl
adc esi, dword ptr [ebx-49h]
inc edx
test cl, ah
outsd
add esi, dword ptr [ebx+00978FBDh]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [ebx], al
add ecx, dword ptr [ecx]
add byte ptr [eax], al
add byte ptr [ebx+6Fh], al
arpl word ptr [ebx+65h], bp
jc 00007F31147D6D67h
add byte ptr fs:[eax], cl
inc ecx
add al, dh
pop es
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x217c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x24000	0x930	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1dc	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x20e9c	0x21000	False	0.381784150095	data	6.07881532282	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x22000	0x1278	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x24000	0x930	0x1000	False	0.16943359375	data	2.02923021572	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x24800	0x130	data
RT_ICON	0x24518	0x2e8	data
RT_ICON	0x243f0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x243c0	0x30	data
RT_VERSION	0x24150	0x270	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaBoolStr, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaErase, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaVarTstEq, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, _CIlog, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaVarDup, __vbaStrToAnsi, __vbaFpI4, __vbaVarCopy, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	petered
FileVersion	1.00
CompanyName	Workday
Comments	Workday
ProductName	Workday
ProductVersion	1.00
FileDescription	Workday
OriginalFilename	petered.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: EXErprijFY.exe PID: 6896 Parent PID: 5956

General

Start time:	09:18:13
Start date:	14/06/2021
Path:	C:\Users\user\Desktop\EXErprijFY.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\EXErprijFY.exe'
Imagebase:	0x400000
File size:	147456 bytes
MD5 hash:	EE83942376EA5717149517FCC832AB9F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1164652170.0000000002230000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: EXErprijFY.exe PID: 6896 Parent PID: 5956 EXErprijFY.exeCOMMON

Executed Functions

Function 004018A4, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMONCrypto

Download Yara Rule

C-Code - Quality: 68%

			_entry_(signed int __eax, signed int __ebx, intOrPtr* __ecx, void* __edx, intOrPtr* __edi, void* __esi, void* __fp0, char _a1, void* _a36, void* _a64, void* _a83, void* _a781254720, intOrPtr _a1191182338, intOrPtr _a1207959553, intOrPtr _a1959342778) {
				void* _v1;
				void* _v28;
				void* _v32;
				void* _v36;
				void* _v41;
				char _v46;
				void* _v53;
				void* _v57;
				void* _v73;
				void* _v77;
				void* _v81;
				void* _v97;
				void* _v113;
				void* _v129;
				void* _v136;
				void* _v145;
				void* _v161;
				void* _v169;
				void* _v177;
				void* _v181;
				signed int _t369;
				signed int _t370;
				signed int _t371;
				signed char _t373;
				signed char _t375;
				signed char _t376;
				signed int _t377;
				signed char _t379;
				intOrPtr* _t380;
				signed int _t381;
				signed char _t382;
				signed int _t383;
				intOrPtr* _t385;
				signed int _t386;
				intOrPtr* _t387;
				intOrPtr* _t388;
				intOrPtr* _t390;
				intOrPtr _t391;
				intOrPtr* _t630;
				intOrPtr* _t631;
				signed int _t634;
				signed int _t636;
				signed char _t638;
				signed int _t639;
				signed int _t640;
				signed int _t641;
				signed int _t642;
				intOrPtr* _t645;
				signed char _t649;
				signed int _t651;
				void* _t652;
				signed char _t654;
				void* _t655;
				signed int _t657;
				signed int _t658;
				signed int _t660;
				signed char _t662;
				signed int _t664;
				intOrPtr* _t666;
				intOrPtr* _t667;
				void* _t686;
				signed int* _t688;
				intOrPtr* _t689;
				void* _t690;
				void* _t692;
				intOrPtr* _t710;
				signed char _t715;
				void* _t716;
				intOrPtr* _t736;
				intOrPtr _t737;
				void* _t741;
				signed int _t745;
				intOrPtr* _t746;
				void* _t757;
				signed int _t760;
				signed int _t762;
				void* _t776;
				signed int _t777;
				void* _t778;
				void* _t791;
				intOrPtr* _t795;
				signed int _t799;
				void* _t801;
				signed char _t803;
				signed int _t806;
				intOrPtr _t813;
				signed int _t825;
				intOrPtr _t830;

				_t734 = __edi;
				_t665 = __ebx;
				_push("VB5!6&*"); // executed
				L0040189E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t369 = 1 + __eax;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *((intOrPtr*)(_t776 +  &_v46)) =  *((intOrPtr*)(_t776 +  &_v46)) + __ecx;
				asm("adc esi, [ss:ebx-0x49]");
				_t715 = __edx + 1;
				asm("outsd");
				_t745 = __esi +  *((intOrPtr*)(__ebx + 0x978fbd));
				 *_t369 =  *_t369 + _t369;
				 *_t369 =  *_t369 + _t369;
				 *__ecx =  *__ecx + _t369;
				 *_t369 =  *_t369 + _t369;
				 *__ebx =  *__ebx + _t369;
				_t688 = __ecx +  *__ecx;
				 *_t369 =  *_t369 + _t369;
				_t8 = __ebx + 0x6f;
				 *_t8 =  *((intOrPtr*)(__ebx + 0x6f)) + _t369;
				asm("arpl [ebx+0x65], bp");
				if( *_t8 < 0) {
					L5:
					_a1191182338 = _a1191182338 + _t715;
					 *_t369 =  *_t369 + _t369;
					 *_t369 =  *_t369 + _t369;
					_t370 = _t369 | 0x72646100;
					_t777 = _t688[0x1d] * 0x61687265;
					_t799 = _t777;
					goto L6;
				} else {
					 *[fs:eax] = _t688 +  *[fs:eax];
					_t664 = _t369 + _t715;
					_pop(es);
					_t688 =  &(_t688[0]);
					 *_t664 =  *_t664 + _t664;
					 *_t664 =  *_t664 + _t664;
					_t665 = __ebx + __ebx;
					asm("int3");
					 *_t664 =  *_t664 ^ _t664;
					asm("invalid");
					_pop(_t745);
					asm("stc");
					_pop(_t777);
					_t734 = __edi - 1;
					_t795 = _t734;
					asm("movsb");
					_pop(_t657);
					_t715 = _t715 >> 0xc;
					asm("invalid");
					asm("scasb");
					if(_t795 <= 0) {
						if(_t801 >= 0) {
							L23:
							 *_t665 =  *_t665 + 1;
							_t658 = _t657 ^  *_t657;
							 *_t658 =  *_t658 + _t658;
							_t371 = _t658 +  *_t745;
							 *((intOrPtr*)(_t665 + 0x68)) =  *((intOrPtr*)(_t665 + 0x68)) + _t371;
							asm("arpl [gs:ebx+0x32], bp");
							 *0x45001301 =  *0x45001301 + _t371;
							_t665 = _t665 - 1;
							_push(_t665);
							_push(_t371);
							_push(_t715);
							_push(_t777);
							_push(_t715);
							_push(_t715);
							_push(_t777);
							_t688 = _t688 - 1;
							_t745 = 1 + _t745;
							_t734 = _t734 + 1;
							_t760 =  &_a1;
							_push(_t715);
							 *0x5ef02d8 =  *0x5ef02d8 + _t371;
							goto L24;
						} else {
							asm("gs outsb");
							if (_t801 >= 0) goto L13;
							_t660 = _t657 ^ 0x00001538;
							asm("aas");
							_pop(ds);
							 *_t660 =  *_t660 + _t660;
							asm("aad 0x12");
							 *_t660 =  *_t660 + _t660;
							asm("adc eax, 0x440000");
							_t745 = 1 + _t745;
							_t665 = _t665 + _t665;
							 *((intOrPtr*)(_t660 + _t660)) =  *((intOrPtr*)(_t660 + _t660)) + _t760;
							 *_t660 =  *_t660 + _t660;
							 *0x78655400 =  *0x78655400 + _t660;
							if( *0x78655400 == 0) {
								L18:
								_t371 = _t660;
								_t806 = _t371;
								_push(_t715);
								asm("gs insb");
								asm("popad");
								if(_t806 == 0) {
									goto L29;
								} else {
									if(_t806 <= 0) {
										goto L30;
									} else {
										if(_t806 != 0) {
											if(_t806 != 0) {
												 *0x79a02fb =  *0x79a02fb + _t371;
												_t657 = _t371 + 0xa12066f;
												_t665 = _t665 + _t665;
												goto L23;
											}
											L24:
											asm("out dx, eax");
											_t652 = _t371 + 0x491047b;
										}
										goto L29;
									}
								}
							} else {
								 *_t715 =  *_t715 + _t660;
								_t760 = _t760 + _t745 +  *((intOrPtr*)(_t745 + 0xb02f602));
								_t654 = _t660 + 0x00000083 | 0x73694800;
								_t803 = _t654;
								if(_t803 == 0) {
									L28:
									 *_t654 =  *_t654 ^ _t654;
									 *_t654 =  *_t654 + _t654;
									_t655 = _t654 + 6;
									 *((intOrPtr*)(_t665 + 0x6f)) =  *((intOrPtr*)(_t665 + 0x6f)) + _t655;
									asm("insd");
									asm("bound ebp, [edi+0x32]");
									 *_t734 =  *_t734 + _t655;
									_t371 = _t655 + 0x6bc0546;
									_t688 = _t688 +  *((intOrPtr*)(_t688 + _t715));
									_t33 = _t715 + 0x65;
									 *_t33 =  *((intOrPtr*)(_t715 + 0x65)) + _t371;
									_t813 =  *_t33;
									_push(0x6473766f);
									L29:
									if(_t813 < 0) {
										L30:
										_t760 =  *[gs:esi+0x69] * 0x6974;
										asm("outsd");
										asm("outsb");
										 *_t371 =  *_t371 ^ _t371;
										asm("adc ecx, [eax]");
										 *_t371 =  *_t371 + _t371;
										 *0x53480008 =  *0x53480008 + _t371;
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										 *_t371 =  *_t371 ^ _t371;
										 *_t715 =  *_t715 | _t371;
										_t649 = _t371 - 0x3607ef02 + 0x22;
										_pop(es);
										_t686 = _t665 + _t665 +  *_t745 + _t665 + _t665 +  *_t745 +  *_t745;
										 *_t649 =  *_t649 + _t649;
										 *_t745 =  *_t745 + _t649;
										 *_t649 =  *_t649 | _t649;
										_push(_t745);
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										 *_t649 =  *_t649 ^ _t649;
										asm("movsd");
										_t665 = _t686 + _t688;
										_t651 = (_t649 |  *_t715) +  *_t715;
										 *((intOrPtr*)(_t715 + 0x60907)) =  *((intOrPtr*)(_t715 + 0x60907)) + _t715;
										 *_t665 =  *_t665 + 1;
										ds = _t686;
										 *_t651 =  *_t651 + _t651;
										 *_t734 =  *_t734 + _t651;
										 *_t651 =  *_t651 | _t651;
										_push(_t745);
										_push(_t665);
										asm("arpl [edx+0x6f], si");
										asm("insb");
										asm("insb");
										_t715 = _t715 ^  *_t688;
										 *_t715 = _t688 +  *_t715;
										_t371 = _t651 +  *((intOrPtr*)(_t715 + 0x4022001));
									}
								} else {
									if(_t803 < 0) {
										 *_t654 =  *_t654 | _t654;
										_t665 = _t665 + _t665;
										_t745 = _t745 +  *_t688;
										goto L28;
									} else {
										asm("arpl [ecx+0x73], bp");
										_t760 =  *(_t745 + 0x67) * 0xc1200;
										 *_t665 =  *_t665 + 1;
										_t662 = _t654;
										 *_t662 =  *_t662 + _t662;
										 *_t715 =  *_t715 + _t662;
										_push(es);
										 *((intOrPtr*)(_t745 + 0x72)) =  *((intOrPtr*)(_t745 + 0x72)) + _t662;
										asm("popad");
										asm("insd");
										_t660 = (_t662 ^  *[gs:eax]) +  *_t688;
										goto L18;
									}
								}
							}
						}
					} else {
						asm("enter 0x92eb, 0xe4");
						if(_t795 >= 0) {
							asm("stosb");
							 *_t715 = _t688;
							_t734 = _t734 - 1;
							asm("lodsd");
							_t665 = _t665 ^  *(_t688 - 0x48ee309a);
							asm("cdq");
							asm("iretw");
							asm("adc [edi+0xaa000c], esi");
							asm("pushad");
							asm("rcl dword [ebx], cl");
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							 *_t657 =  *_t657 + _t657;
							goto L5;
						}
						L6:
						_push(0x74657661);
					}
				}
				_t373 =  *0xd0903;
				 *_t665 =  *_t665 + 1;
				asm("sbb eax, [eax]");
				 *_t373 =  *_t373 + _t373;
				 *0x73694c00 =  *0x73694c00 | _t373;
				if( *0x73694c00 != 0) {
					 *_t373 =  *_t373 + _t688;
					_t688 = _t688 +  *((intOrPtr*)(_t734 + 0x11040b05));
					_t645 = _t373 + 0x2403ffd9;
					 *_t645 =  *_t645 + _t645;
					 *_t688 = _t688 +  *_t688;
					_push(es);
					 *((intOrPtr*)(_t665 + 0x6f)) =  *((intOrPtr*)(_t665 + 0x6f)) + _t645;
					asm("insd");
					asm("bound ebp, [edi+0x31]");
					 *_t734 =  *_t734 + _t645;
					asm("rol byte [edi], cl");
					_t373 = _t645 + 0x042100d8 | 0x00000004;
					 *((intOrPtr*)(_t760 + _t745 + 0x70 + _t745 * 2)) =  *((intOrPtr*)(_t760 + _t745 + 0x70 + _t745 * 2)) + _t688;
					 *[gs:ebx] =  *[gs:ebx] + _t715;
				}
				 *_t665 =  *_t665 + 1;
				_t375 = _t373 -  *_t373;
				 *_t375 =  *_t375 + _t375;
				_t376 = _t375 |  *_t745;
				 *((intOrPtr*)(_t665 + 0x68)) =  *((intOrPtr*)(_t665 + 0x68)) + _t376;
				asm("arpl [gs:ebx+0x31], bp");
				 *0x54000a01 =  *0x54000a01 + _t376;
				_t746 = _t745 - 1;
				_push(_t665);
				_push(_t777);
				_t736 = _t734;
				_push(_t665);
				_t689 = _t688 - 1;
				 *0x210081f =  *0x210081f + _t376;
				_t377 =  *_t715;
				asm("in eax, 0x0");
				asm("adc al, [ebx]");
				_t666 = _t665 + _t665;
				_t762 =  &_a1 +  *_t689;
				 *_t377 =  *_t377 + _t377;
				 *_t666 =  *_t666 + _t689;
				es = _t665;
				_t50 = _t736 + 0x70;
				 *_t50 =  *((intOrPtr*)(_t736 + 0x70)) + _t689;
				if( *_t50 == 0) {
					L38:
					_push(_t777);
					_t689 = _t689 - 1;
					_t736 = _t736 - 1;
					_t746 = _t746 - 1;
					 *0x2650752 =  *0x2650752 + _t377;
					_t666 = _t666 - 1;
					_t379 =  *_t689 + 0x12;
					 *_t379 =  *_t379 + _t379;
					 *_t666 =  *_t666 + 1;
					_t377 = _t379 ^  *_t379;
					 *_t377 =  *_t377 + _t377;
					_push(cs);
				} else {
					asm("outsd");
					asm("outsb");
					 *_t377 =  *_t377 ^ _t377;
					_push(es);
					 *_t377 =  *_t377 + _t689;
					_t52 = _t715 + 0x72;
					 *_t52 =  *((intOrPtr*)(_t715 + 0x72)) + _t377;
					asm("popad");
					if( *_t52 != 0) {
						asm("popad");
						asm("arpl [eax], bp");
						asm("rol byte [ecx], 1");
						asm("les eax, [edx+edx]");
						_t638 = _t377 + 0x83507fd +  *((intOrPtr*)(_t377 + 0x83507fd));
						 *_t666 =  *_t666 + 1;
						 *_t638 =  *_t638 ^ _t638;
						 *_t638 =  *_t638 + _t638;
						_t639 = _t638 | 0x00000008;
						 *((intOrPtr*)(_t666 + 0x6f)) =  *((intOrPtr*)(_t666 + 0x6f)) + _t639;
						asm("insd");
						asm("insd");
						asm("popad");
						asm("outsb");
						 *[fs:eax] =  *[fs:eax] ^ _t639;
						_t640 = 1 + _t639;
						_push(cs);
						 *((intOrPtr*)(_t715 + 0x49)) =  *((intOrPtr*)(_t715 + 0x49)) + _t640;
						_t791 = 1 + _t777;
						_push(_t791);
						_t777 = _t791 - 1;
						_t762 =  &_a1;
						_t741 = _t736 - 1;
						_t757 = _t746 + 1 - 1;
						_push(_t666);
						 *((intOrPtr*)(_t666 + _t640 * 4)) =  *((intOrPtr*)(_t666 + _t640 * 4)) + _t640;
						_t710 = _t689 + _t666;
						_push(es);
						if(_t710 == 0) {
							_t666 = _t666 - 1;
						}
						_t715 = _t715 +  *_t710;
						 *_t640 =  *_t640 + _t640;
						 *_t666 =  *_t666 + 1;
						_t641 = _t640 -  *_t640;
						 *_t641 =  *_t641 + _t641;
						_t642 = _t641 | 0x72460006;
						asm("popad");
						asm("insd");
						 *[gs:eax] =  *[gs:eax] ^ _t642;
						_t377 = _t642 +  *_t710 |  *(_t642 +  *_t710);
						_t746 = _t757 - 1;
						_push(_t666);
						_push(_t777);
						_t736 = _t741 + 1;
						_t689 = _t710 + 1;
						goto L38;
					}
				}
				_push(es);
				 *((intOrPtr*)(_t689 + 0x62)) =  *((intOrPtr*)(_t689 + 0x62)) + _t689;
				asm("gs insb");
				 *_t377 =  *_t377 ^ _t377;
				 *_t689 =  *_t689 + _t377;
				asm("adc al, [eax]");
				_push(_t762);
				if( *_t689 < 0) {
					L44:
					asm("aaa");
					_t380 = 1 + _t377;
					 *_t736 =  *_t736 + _t380;
					 *_t380 =  *_t380 + _t380;
					 *((intOrPtr*)(_t380 + 0x7004036)) =  *((intOrPtr*)(_t380 + 0x7004036)) + _t715;
					 *_t380 =  *_t380 + _t380;
					 *((intOrPtr*)(_t380 + 0x36)) =  *((intOrPtr*)(_t380 + 0x36)) + _t666;
					_t377 = _t380 + 1;
					 *_t736 =  *_t736 + _t377;
				} else {
					_t762 =  *(_t666 + 0x65) * 0x70;
					_t825 = _t762;
					if(_t825 >= 0) {
						asm("a16 jb 0x64");
						asm("insd");
						asm("insd");
						if(_t825 != 0) {
							 *0x61104b6 =  *0x61104b6 + _t377;
							asm("daa");
							asm("lds eax, [edi]");
							asm("adc cl, [ebx]");
							_t666 = _t666 + _t666;
							_t777 = _t777 +  *_t666;
							 *_t377 =  *_t377 + _t377;
							 *_t736 =  *_t736 + _t689;
							_t634 = _t377 + 0x6e694c00;
							 *[gs:eax] =  *[gs:eax] ^ _t634;
							ss = es;
							_t689 = _t689 +  *_t634;
							_pop(es);
							 *_t634 =  *_t634 + _t634;
							_t636 = _t634 + 0x00000098 | 0x00050000;
							asm("sldt word [eax]");
							_push(es);
							asm("rcl byte [ecx], 1");
							 *_t636 =  *_t636 + _t636;
							 *_t715 = 1 +  *_t715;
							_t377 = _t636;
						}
						 *_t746 =  *_t746 + _t377;
						 *_t377 =  *_t377 + _t377;
						_t377 = _t377 + _t666 + 2;
						 *_t736 =  *_t736 + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t377 + 0x7004037)) =  *((intOrPtr*)(_t377 + 0x7004037)) + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t736 + _t746 + 0x40)) =  *((intOrPtr*)(_t736 + _t746 + 0x40)) + _t666;
						 *_t736 =  *_t736 + _t377;
						 *_t377 =  *_t377 + _t377;
						 *((intOrPtr*)(_t736 + _t746)) =  *((intOrPtr*)(_t736 + _t746)) + _t689;
						goto L44;
					}
				}
				 *_t377 =  *_t377 + _t377;
				 *_t377 =  *_t377 + _t666;
				_t381 = 1 + _t377;
				 *_t736 =  *_t736 + _t381;
				 *_t381 =  *_t381 + _t381;
				 *((intOrPtr*)(_t762 + _t746 + 0x42560040)) =  *((intOrPtr*)(_t762 + _t746 + 0x42560040)) + _t715;
				_t382 = _t381 ^ 0x2a263621;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t746 =  *_t746 + _t666;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				 *_t382 =  *_t382 + _t382;
				_t383 = _t382 |  *_t382;
				 *(_t383 + _t383) =  *(_t383 + _t383) | _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *_t383 =  *_t383 + _t383;
				 *((intOrPtr*)(_t736 + _t666 - 0x801ffc0)) =  *((intOrPtr*)(_t736 + _t666 - 0x801ffc0)) + _t666;
				_t667 = _t666 + _t666;
				asm("invalid");
				 *1 =  *1 | 0x00000001;
				 *1 = 1 +  *1;
				 *1 = 1 +  *1;
				 *1 = 1 +  *1;
				_t385 = 1 +  *1;
				 *_t385 =  *_t385 + _t385;
				goto 0xdc401c91;
				asm("sbb al, 0x40");
				 *((intOrPtr*)(_t762 + _t667 + 0x40)) =  *((intOrPtr*)(_t762 + _t667 + 0x40)) + _t667;
				 *((intOrPtr*)(_t385 + 0x78004018)) =  *((intOrPtr*)(_t385 + 0x78004018)) + _t715;
				 *_t385 =  *_t385 + 1;
				 *((intOrPtr*)(_t385 - 0x74000000)) =  *((intOrPtr*)(_t385 - 0x74000000)) + 1;
				 *_t385 =  *_t385 + 1;
				 *_t762 =  *_t762 + _t689;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				 *_t385 =  *_t385 + 1;
				_t95 = _t385 + 0x65;
				 *_t95 =  *((intOrPtr*)(_t385 + 0x65)) + _t715;
				_t830 =  *_t95;
				if(_t830 == 0) {
					L50:
					asm("sbb [eax], al");
					goto L51;
				} else {
					if(_t830 < 0) {
						L51:
						 *((intOrPtr*)(_t385 + _t385)) =  *((intOrPtr*)(_t385 + _t385)) + _t689;
						 *_t385 =  *_t385 + _t715;
						 *_t385 =  *_t385 + _t385;
						_t386 = _t762;
						asm("lock scasd");
						if( *_t385 < 0) {
							_t385 = _t386 - 0xde + 1;
							_pop(_t667);
							asm("adc edx, ecx");
							goto L53;
						}
					} else {
						 *[fs:ecx+0x53] =  *[fs:ecx+0x53] + 1;
						_push(_t385);
						_t689 = _t689;
						_t715 = _t777;
						_t762 =  &_a1;
						_t777 = 1 + _t777;
						 *_t385 =  *_t385 + 1;
						_t667 = _t667 + 2;
						asm("outsd");
						asm("arpl [ebx+0x65], bp");
						if(_t667 < 0) {
							L53:
							asm("clc");
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t715 =  *_t715 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							asm("cmc");
							asm("in al, dx");
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							 *_t385 =  *_t385 + _t385;
							asm("cld");
							_t777 = 1 + _t777;
							_t386 = _t385 + 1;
							 *((intOrPtr*)(_t386 + _t386 + 0x2200000)) =  *((intOrPtr*)(_t386 + _t386 + 0x2200000)) + _t667;
							 *_t386 =  *_t386 + _t386;
							 *_t386 =  *_t386 + _t386;
							 *_t386 =  *_t386 + _t386;
						} else {
							 *[fs:eax] = 1 +  *[fs:eax];
							 *_t385 =  *_t385 + _t715;
							 *_t385 =  *_t385 + 1;
							asm("stc");
							_pop(_t777);
							_t736 = _t736 - 1;
							asm("movsb");
							_pop(_t630);
							_t715 = _t715 >> 0xc;
							asm("invalid");
							asm("scasb");
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							_pop(es);
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							 *_t630 =  *_t630 + 1;
							_push(cs);
							_t631 = _t630 +  *_t630;
							 *_t631 =  *_t631 + 1;
							 *_t631 =  *_t631 + 1;
							_t385 = _t631 + _t715;
							goto L50;
						}
					}
				}
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				 *_t386 =  *_t386 + _t386;
				_t387 = _t386 + _t715;
				 *_t387 =  *_t387 + _t387;
				_t388 = _t387 + _t667;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t689;
				 *_t388 =  *_t388 + _t388;
				_a1207959553 = _a1207959553 + _t689;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				 *_t388 =  *_t388 + _t388;
				_t690 = _t689 + _t715;
				 *_t388 =  *_t388 + _t388;
				 *_t715 =  *_t715 + _t388;
				 *_t667 =  *_t667 + _t715;
				_t390 = _t388 +  *_t388 +  *((intOrPtr*)(_t388 +  *_t388));
				 *_t390 =  *_t390 + _t390;
				 *_t390 =  *_t390 + _t390;
				_a1959342778 = _a1959342778 + _t390;
				asm("sbb edx, [eax]");
				asm("movsd");
				asm("insb");
				 *((intOrPtr*)(_t715 - 0x2397ca00)) =  *((intOrPtr*)(_t715 - 0x2397ca00)) + _t690;
				_t110 = _t715 + 0x4374c932;
				_t737 =  *_t110;
				 *_t110 = _t736;
				asm("sbb edx, [eax]");
				asm("movsd");
				asm("insb");
				 *((intOrPtr*)(_t715 - 0x2397ca00)) =  *((intOrPtr*)(_t715 - 0x2397ca00)) + _t690;
				_t391 =  *0x774d6cc9;
				asm("fxch7 st7");
				asm("adc [esi-0x365fff8c], ecx");
				asm("invalid");
				asm("clc");
				asm("aaa");
				asm("salc");
				asm("pushad");
				_t778 = 1 + _t777;
				asm("popad");
				asm("fcomip st0, st4");
				_t716 = 1 + _t715;
				asm("das");
				_push(0x533441b0);
				_t692 = 0xcd;
				switch(0xa982957b) {
				}
			}

0x004018a4
0x004018a4
0x004018a4
0x004018a9
0x004018ae
0x004018b0
0x004018b2
0x004018b4
0x004018b6
0x004018b8
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c3
0x004018c7
0x004018ca
0x004018cb
0x004018d1
0x004018d3
0x004018d5
0x004018d7
0x004018d9
0x004018db
0x004018dd
0x004018df
0x004018df
0x004018e2
0x004018e5
0x0040194c
0x0040194c
0x00401952
0x00401954
0x00401956
0x0040195b
0x0040195b
0x00000000
0x004018e7
0x004018e7
0x004018eb
0x004018ed
0x004018ee
0x004018ef
0x004018f1
0x004018f3
0x004018f5
0x004018f6
0x004018f8
0x004018fa
0x004018fc
0x004018ff
0x00401900
0x00401900
0x00401901
0x00401902
0x00401903
0x00401906
0x00401908
0x00401909
0x0040197c
0x004019f1
0x004019f1
0x004019f3
0x004019f5
0x004019f7
0x004019f9
0x004019fc
0x00401a00
0x00401a06
0x00401a07
0x00401a08
0x00401a0a
0x00401a0b
0x00401a0e
0x00401a0f
0x00401a11
0x00401a13
0x00401a14
0x00401a15
0x00401a16
0x00401a17
0x00401a18
0x00000000
0x0040197e
0x0040197e
0x00401980
0x00401982
0x00401987
0x00401988
0x00401989
0x0040198b
0x0040198d
0x0040198f
0x00401995
0x00401996
0x00401998
0x0040199b
0x0040199d
0x004019a3
0x004019d6
0x004019d6
0x004019d6
0x004019d8
0x004019d9
0x004019db
0x004019dc
0x00000000
0x004019de
0x004019de
0x00000000
0x004019e0
0x004019e0
0x004019e2
0x004019e4
0x004019ea
0x004019f0
0x00000000
0x004019f0
0x00401a1c
0x00401a1c
0x00401a1d
0x00401a1d
0x00000000
0x004019e0
0x004019de
0x004019a5
0x004019a5
0x004019ab
0x004019b1
0x004019b1
0x004019b6
0x00401a27
0x00401a27
0x00401a29
0x00401a2b
0x00401a2d
0x00401a30
0x00401a31
0x00401a34
0x00401a3b
0x00401a3e
0x00401a41
0x00401a41
0x00401a41
0x00401a44
0x00401a47
0x00401a47
0x00401a49
0x00401a49
0x00401a50
0x00401a51
0x00401a52
0x00401a54
0x00401a5a
0x00401a5c
0x00401a62
0x00401a65
0x00401a66
0x00401a67
0x00401a69
0x00401a72
0x00401a74
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a84
0x00401a85
0x00401a86
0x00401a8a
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a95
0x00401a97
0x00401a98
0x00401a9a
0x00401a9c
0x00401a9e
0x00401a9f
0x00401aa0
0x00401aa3
0x00401aa4
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aa9
0x004019b8
0x004019b8
0x00401a23
0x00401a24
0x00401a26
0x00000000
0x004019ba
0x004019ba
0x004019bd
0x004019c4
0x004019c6
0x004019c8
0x004019c9
0x004019cb
0x004019cc
0x004019cf
0x004019d0
0x004019d4
0x00000000
0x004019d4
0x004019b8
0x004019b6
0x004019a3
0x0040190b
0x0040190b
0x0040190f
0x00401911
0x00401912
0x0040191a
0x0040191b
0x0040191c
0x0040191d
0x0040191e
0x00401920
0x00401926
0x00401927
0x0040192d
0x0040192f
0x00401931
0x00401933
0x00401935
0x00401937
0x00401939
0x0040193b
0x0040193d
0x0040193f
0x00401941
0x00401943
0x00401945
0x00401947
0x00401949
0x0040194b
0x00000000
0x0040194b
0x00401960
0x00401960
0x00401960
0x00401909
0x00401ab0
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401ac1
0x00401ac3
0x00401ac9
0x00401acf
0x00401ad4
0x00401ad6
0x00401ad8
0x00401ad9
0x00401adc
0x00401add
0x00401ae0
0x00401ae7
0x00401aeb
0x00401aed
0x00401af1
0x00401af1
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b01
0x00401b05
0x00401b0c
0x00401b0e
0x00401b0f
0x00401b10
0x00401b11
0x00401b12
0x00401b14
0x00401b1a
0x00401b1c
0x00401b1e
0x00401b20
0x00401b22
0x00401b24
0x00401b26
0x00401b28
0x00401b29
0x00401b29
0x00401b2c
0x00401b97
0x00401b97
0x00401b98
0x00401b99
0x00401b9a
0x00401b9b
0x00401ba3
0x00401ba4
0x00401ba6
0x00401ba8
0x00401baa
0x00401bac
0x00401bae
0x00401b2e
0x00401b2e
0x00401b2f
0x00401b30
0x00401b32
0x00401b33
0x00401b35
0x00401b35
0x00401b38
0x00401b39
0x00401b3b
0x00401b3c
0x00401b44
0x00401b46
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b56
0x00401b57
0x00401b58
0x00401b59
0x00401b5a
0x00401b5d
0x00401b5f
0x00401b60
0x00401b66
0x00401b67
0x00401b69
0x00401b6a
0x00401b6c
0x00401b6d
0x00401b6e
0x00401b6f
0x00401b72
0x00401b74
0x00401b75
0x00401b77
0x00401b77
0x00401b78
0x00401b7a
0x00401b7c
0x00401b7e
0x00401b80
0x00401b82
0x00401b87
0x00401b88
0x00401b89
0x00401b8e
0x00401b91
0x00401b92
0x00401b93
0x00401b95
0x00401b96
0x00000000
0x00401b96
0x00401b39
0x00401baf
0x00401bb0
0x00401bb4
0x00401bb6
0x00401bb8
0x00401bba
0x00401bbc
0x00401bbd
0x00401c21
0x00401c21
0x00401c22
0x00401c23
0x00401c25
0x00401c27
0x00401c2d
0x00401c2f
0x00401c32
0x00401c33
0x00401bc0
0x00401bc0
0x00401bc0
0x00401bc4
0x00401bc6
0x00401bc9
0x00401bca
0x00401bcb
0x00401bce
0x00401bd4
0x00401bd6
0x00401bd8
0x00401bda
0x00401bdc
0x00401bde
0x00401be0
0x00401be2
0x00401be7
0x00401bea
0x00401beb
0x00401bed
0x00401bee
0x00401bf2
0x00401bf7
0x00401bfa
0x00401bfb
0x00401bfd
0x00401bff
0x00401c01
0x00401c01
0x00401c03
0x00401c05
0x00401c0a
0x00401c0b
0x00401c0d
0x00401c0f
0x00401c15
0x00401c17
0x00401c1b
0x00401c1d
0x00401c1f
0x00000000
0x00401c1f
0x00401bc4
0x00401c35
0x00401c37
0x00401c39
0x00401c3b
0x00401c3d
0x00401c3f
0x00401c46
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c51
0x00401c53
0x00401c55
0x00401c57
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6b
0x00401c6d
0x00401c6f
0x00401c71
0x00401c73
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c91
0x00401c93
0x00401c97
0x00401c9d
0x00401c9f
0x00401ca5
0x00401ca7
0x00401cad
0x00401caf
0x00401cb1
0x00401cb3
0x00401cb5
0x00401cb7
0x00401cb9
0x00401cbb
0x00401cbb
0x00401cbb
0x00401cbe
0x00401d25
0x00401d25
0x00000000
0x00401cc0
0x00401cc0
0x00401d27
0x00401d27
0x00401d2b
0x00401d2e
0x00401d30
0x00401d31
0x00401d33
0x00401d37
0x00401d3a
0x00401d3b
0x00000000
0x00401d3b
0x00401cc2
0x00401cc2
0x00401cc7
0x00401ccb
0x00401ccc
0x00401ccd
0x00401cce
0x00401ccf
0x00401cd1
0x00401cd2
0x00401cd3
0x00401cd6
0x00401d3d
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d60
0x00401d62
0x00401d64
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6d
0x00401d6e
0x00401d70
0x00401d72
0x00401d74
0x00401d75
0x00401d76
0x00401d77
0x00401d7e
0x00401d82
0x00401d84
0x00401cd8
0x00401cd8
0x00401cdb
0x00401cde
0x00401ce3
0x00401ce6
0x00401ce7
0x00401ce8
0x00401ce9
0x00401cea
0x00401ced
0x00401cef
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d00
0x00401d02
0x00401d05
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1d
0x00401d1f
0x00401d21
0x00401d23
0x00000000
0x00401d23
0x00401cd6
0x00401cc0
0x00401d85
0x00401d87
0x00401d89
0x00401d8b
0x00401d8d
0x00401d8f
0x00401d91
0x00401d93
0x00401d95
0x00401d97
0x00401d9d
0x00401d9f
0x00401da1
0x00401da3
0x00401da5
0x00401da7
0x00401dab
0x00401dad
0x00401daf
0x00401db1
0x00401db3
0x00401dba
0x00401dbc
0x00401dbd
0x00401dbe
0x00401dc4
0x00401dc4
0x00401dc4
0x00401dca
0x00401dcc
0x00401dcd
0x00401dce
0x00401dd4
0x00401dd9
0x00401ddb
0x00401de1
0x00401de3
0x00401de4
0x00401de5
0x00401de6
0x00401de7
0x00401de8
0x00401de9
0x00401deb
0x00401df1
0x00401df4
0x00401df5
0x00401df8
0x00000000

APIs

#100.MSVBVM60(VB5!6&*), ref: 004018A9

Strings

VB5!6&*, xrefs: 004018A4, 00401A07

Memory Dump Source

Source File: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: caa4062a53d87e7c6a5da01327214e39470ec7781a7ae026b9700bf00363b776
Instruction ID: 9fd2e5d62127e0354352e12a12072ef1d464c6871ef3d51b8bf72fcd551c9c89
Opcode Fuzzy Hash: caa4062a53d87e7c6a5da01327214e39470ec7781a7ae026b9700bf00363b776
Instruction Fuzzy Hash: F1E1767144E7C18FD3039B749CA56A27FB4EE1331431E05EBC8C1CA4A3E22CA95AD766

Uniqueness

Uniqueness Score: -1.00%

Function 0041AC70, Relevance: 45.7, APIs: 23, Strings: 3, Instructions: 237COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041ACD4
#679.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 0041AD0A
__vbaFpR8.MSVBVM60 ref: 0041AD10
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AD43
__vbaVarDup.MSVBVM60 ref: 0041ADA0
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041ADC5
__vbaStrMove.MSVBVM60 ref: 0041ADD0
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041ADF7
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041AE0F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041AE28
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403A44,000001E8), ref: 0041AE55
__vbaFreeObj.MSVBVM60 ref: 0041AE5E
__vbaVarDup.MSVBVM60 ref: 0041AE81
#553.MSVBVM60(?,?), ref: 0041AE8F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041AEB4
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041AECA
__vbaVarDup.MSVBVM60 ref: 0041AF24
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041AF49
__vbaStrMove.MSVBVM60 ref: 0041AF54
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041AF7B
__vbaFreeStr.MSVBVM60(0041AFD2), ref: 0041AFC5
__vbaFreeStr.MSVBVM60 ref: 0041AFCA
__vbaFreeStr.MSVBVM60 ref: 0041AFCF

Strings

Maumeenondesignateunlimited, xrefs: 0041AD8C
Skrivelrer1, xrefs: 0041AF10
01/01/01, xrefs: 0041AE6D

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$List$#596Move$#553#679CheckCopyHresultNew2
String ID: 01/01/01$Maumeenondesignateunlimited$Skrivelrer1
API String ID: 207475868-2032125864
Opcode ID: 4e10663e69e309cf603048c8a64a471e794caeb7a5d263f0c05d6596f74d239b
Instruction ID: 018f394ebee93f089f8a44db1c9addc907839332b93b3c4fae77a834dbb09327
Opcode Fuzzy Hash: 4e10663e69e309cf603048c8a64a471e794caeb7a5d263f0c05d6596f74d239b
Instruction Fuzzy Hash: F7A1C2B1C0022DAFCB14CF94DD84AEEBBB8FB58704F14416EE509A7250DBB41A89CF94

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00405732, Relevance: 1.4, Strings: 1, Instructions: 173COMMON

Download Yara Rule

Strings

b, xrefs: 004057F7

Memory Dump Source

Source File: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: b
API String ID: 0-1908338681
Opcode ID: 92d9907c276d14e365a2c5d8e6f9b3c194eddd72ca00c21e4bc4e74d4d7a2355
Instruction ID: e1d358a33af9db13b131593085ce10dff2893e2deee6b8da4c4f0d93a73660f0
Opcode Fuzzy Hash: 92d9907c276d14e365a2c5d8e6f9b3c194eddd72ca00c21e4bc4e74d4d7a2355
Instruction Fuzzy Hash: B441E1A16663028AFF780464C5F073E2196EF5A340FB09D3BC983EAEC6DA1EC4C04523

Uniqueness

Uniqueness Score: -1.00%

Function 00420FF0, Relevance: 54.5, APIs: 30, Strings: 1, Instructions: 214COMMON

Download Yara Rule

APIs

#517.MSVBVM60(00403A08), ref: 0042104A
__vbaStrMove.MSVBVM60 ref: 00421055
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 00421061
__vbaFreeStr.MSVBVM60 ref: 00421074
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00421091
__vbaLateMemCallLd.MSVBVM60(?,?,uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233,00000000), ref: 004210AD
__vbaObjVar.MSVBVM60(00000000), ref: 004210B7
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 004210C2
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000000C), ref: 004210DC
__vbaFreeObj.MSVBVM60 ref: 004210E5
__vbaFreeVar.MSVBVM60 ref: 004210EE
__vbaVarDup.MSVBVM60 ref: 00421110
#562.MSVBVM60(?), ref: 0042111A
__vbaFreeVar.MSVBVM60 ref: 00421131
_adj_fdiv_m64.MSVBVM60 ref: 00421163
__vbaFpI4.MSVBVM60(42820000,?,434A0000), ref: 00421194
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C0,?,434A0000), ref: 004211C8
#610.MSVBVM60(?), ref: 004211D8
#610.MSVBVM60(?), ref: 004211DE
__vbaVarAdd.MSVBVM60(?,00000009,?,00000001,00000001), ref: 00421206
#662.MSVBVM60(?,004038C4,?,00000000), ref: 0042121A
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042123B
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00421256
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00421276
__vbaObjVar.MSVBVM60(?), ref: 00421288
__vbaObjSetAddref.MSVBVM60(?,00000000), ref: 00421293
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000010), ref: 004212AD
__vbaFreeObj.MSVBVM60 ref: 004212B6
__vbaFreeObj.MSVBVM60(00421309), ref: 004212F9
__vbaFreeVar.MSVBVM60 ref: 00421302

Strings

uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233, xrefs: 004210A1

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#610AddrefNew2$#517#562#662CallLateListMove_adj_fdiv_m64
String ID: uQzYfoIri7ddvc3x8FN7bmsdWeJ3OQrppbhD233
API String ID: 3516706468-3714022841
Opcode ID: 0265971742b9b812ae83d87e345d26a61c91764e62c24ca1e1e5206881aa517c
Instruction ID: b1e4a98c6b326f0893f82495cd61aed876ab9f0f79a4e4bef3241ef4588b672b
Opcode Fuzzy Hash: 0265971742b9b812ae83d87e345d26a61c91764e62c24ca1e1e5206881aa517c
Instruction Fuzzy Hash: 3F815F71D00219EBDB149FA4EE48EEEBB78FB18701F50816AF646B21A0CB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041BB10, Relevance: 49.2, APIs: 27, Strings: 1, Instructions: 177COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041BB5C
#670.MSVBVM60(?), ref: 0041BB66
__vbaVarTstEq.MSVBVM60(?,?), ref: 0041BB82
__vbaFreeVar.MSVBVM60 ref: 0041BB8E
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041BBB0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BBC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000001B8), ref: 0041BBF0
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000,00000000), ref: 0041BC01
__vbaStrVarMove.MSVBVM60(00000000), ref: 0041BC0B
__vbaStrMove.MSVBVM60 ref: 0041BC16
#716.MSVBVM60(?,00000000), ref: 0041BC21
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041BC48
__vbaFreeStr.MSVBVM60 ref: 0041BC51
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041BC61
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BC71
__vbaI4Str.MSVBVM60(00403988), ref: 0041BC7F
#697.MSVBVM60(00000000), ref: 0041BC86
__vbaStrMove.MSVBVM60 ref: 0041BC91
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 0041BC9D
__vbaFreeStr.MSVBVM60 ref: 0041BCB0
#570.MSVBVM60(000000B9), ref: 0041BCC0
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041BCD9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BCF2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D34,00000068), ref: 0041BD13
__vbaFreeObj.MSVBVM60 ref: 0041BD22
__vbaFreeStr.MSVBVM60(0041BD70), ref: 0041BD60
__vbaFreeObj.MSVBVM60 ref: 0041BD69

Strings

Spheniscomorphae1, xrefs: 0041BB74

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresultLateListNew2$#570#670#697#716CallCopy
String ID: Spheniscomorphae1
API String ID: 1019445086-1645407306
Opcode ID: 2ac47d34c8a531131c98dee220dd5a130f1987571e14a5ec68b55a1ae2803ae0
Instruction ID: 9b5e8f7010bd0a3ba230ffb29a4b8f83bf912ee26e65a1d0f2f7898da77b82e6
Opcode Fuzzy Hash: 2ac47d34c8a531131c98dee220dd5a130f1987571e14a5ec68b55a1ae2803ae0
Instruction Fuzzy Hash: 77612D74900209AFCB14DFA4DE49DEEBBB9FF58701B10852AF502B72A0DB745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041AFF0, Relevance: 47.5, APIs: 25, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041B06A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B083
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,0000020C), ref: 0041B0A6
__vbaFreeObj.MSVBVM60 ref: 0041B0AF
__vbaVarDup.MSVBVM60 ref: 0041B0D8
#553.MSVBVM60(?,?), ref: 0041B0E2
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B107
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B120
__vbaVarDup.MSVBVM60 ref: 0041B182
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041B1A6
__vbaStrMove.MSVBVM60 ref: 0041B1B1
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041B1DB
__vbaLenBstr.MSVBVM60(00403EE8), ref: 0041B1E5
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041B207
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000001C), ref: 0041B22C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000054,?,?,?,?), ref: 0041B282
__vbaLateIdSt.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?), ref: 0041B2B9
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B2C2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?), ref: 0041B2CB
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041B2E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B2FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000060), ref: 0041B321
__vbaFreeObj.MSVBVM60 ref: 0041B333
__vbaFreeObj.MSVBVM60(0041B391), ref: 0041B381
__vbaFreeStr.MSVBVM60 ref: 0041B38A

Strings

01/01/01, xrefs: 0041B0C4
Catecholamines, xrefs: 0041B16E

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$List$#553#596BstrLateMove
String ID: 01/01/01$Catecholamines
API String ID: 2020296758-1285120401
Opcode ID: fa60c4f50bd573b26e1a014c0050b4ac6b2ccb2dbc5e4d611e059d9d0dce5710
Instruction ID: 40aac326d15b72be1bb5cedaa3f80bd3ac1e84a7b8a3ea019cd04138fb00a925
Opcode Fuzzy Hash: fa60c4f50bd573b26e1a014c0050b4ac6b2ccb2dbc5e4d611e059d9d0dce5710
Instruction Fuzzy Hash: D8B15AB1900208AFCB14CFA5DE48BDEBBB8FF48700F10816AE549B72A0D7745A45CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420B10, Relevance: 45.8, APIs: 24, Strings: 2, Instructions: 250COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 00420B7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420B9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001FC), ref: 00420BD9
__vbaFreeObj.MSVBVM60 ref: 00420BE8
#674.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00420C24
__vbaFpR8.MSVBVM60 ref: 00420C2A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00420C50
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00420C77
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000004C), ref: 00420C9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,0000001C,?,?,?,?), ref: 00420CE0
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 00420CFB
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420D06
#519.MSVBVM60( rr), ref: 00420D0D
__vbaStrMove.MSVBVM60 ref: 00420D18
__vbaStrCmp.MSVBVM60(0040403C,00000000), ref: 00420D24
__vbaFreeStr.MSVBVM60 ref: 00420D37
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00420D59
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420D72
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001C0), ref: 00420D95
__vbaLateMemCall.MSVBVM60(?,O6LxHL51aTnkYsQDbH68,00000002), ref: 00420DF1
__vbaFreeObj.MSVBVM60 ref: 00420DFD
__vbaFreeVar.MSVBVM60 ref: 00420E02
__vbaFreeObj.MSVBVM60(00420E5C), ref: 00420E54
__vbaFreeObj.MSVBVM60 ref: 00420E59

Strings

rr, xrefs: 00420D08
O6LxHL51aTnkYsQDbH68, xrefs: 00420DCD

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#519#674CallLateListMove
String ID: rr$O6LxHL51aTnkYsQDbH68
API String ID: 13828861-3451368691
Opcode ID: 1b38ae19d75472d13e5f3342027d411ed6ccaacb946e193ce315aef659dcf5ee
Instruction ID: 257f7a41940d3495f599f54ffa96cb27963003f62e4059f44de18fdc2da59bb5
Opcode Fuzzy Hash: 1b38ae19d75472d13e5f3342027d411ed6ccaacb946e193ce315aef659dcf5ee
Instruction Fuzzy Hash: 9DA12FB1A00214ABDB14DFA8DD85B9EBBF8FF49700F10816AF905B73A5D7749805CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041BD90, Relevance: 40.5, APIs: 22, Strings: 1, Instructions: 201COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A2C,00000008), ref: 0041BDED
__vbaVarDup.MSVBVM60 ref: 0041BE07
#544.MSVBVM60(?,?), ref: 0041BE15
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BE3A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041BE4D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002B0), ref: 0041BECA
__vbaStrCopy.MSVBVM60 ref: 0041BEDE
__vbaStrCopy.MSVBVM60 ref: 0041BEEB
__vbaVarDup.MSVBVM60 ref: 0041BF06
#710.MSVBVM60(00000008,?), ref: 0041BF2D
__vbaStrMove.MSVBVM60 ref: 0041BF38
__vbaStrCmp.MSVBVM60(00403A10,00000000), ref: 0041BF44
__vbaFreeStr.MSVBVM60 ref: 0041BF57
__vbaFreeVar.MSVBVM60 ref: 0041BF60
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041BF81
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000001C), ref: 0041BFA6
__vbaCastObj.MSVBVM60(?,00403964), ref: 0041BFDB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BFE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000058), ref: 0041C000
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041C010

Strings

20:20:20, xrefs: 0041BDF9

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyList$#544#710CastConstruct2MoveNew2
String ID: 20:20:20
API String ID: 1246080522-1725373740
Opcode ID: 767995dfe7fc8b9f225c04cc86634aabf66ac4d87b9d961deb8ab57626f23349
Instruction ID: cd5d7455f274fd969b305e4ea03c0a6a338486a7e267371eae6951bd723cdc28
Opcode Fuzzy Hash: 767995dfe7fc8b9f225c04cc86634aabf66ac4d87b9d961deb8ab57626f23349
Instruction Fuzzy Hash: 5E8156B0D00209EFDB14DFA8C989ADEBBB8FF48700F10816AE549B72A1D7745945CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 00420010, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 191COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420089
__vbaStrCopy.MSVBVM60 ref: 00420091
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004200A5
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000014), ref: 004200D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000F0), ref: 004200FE
__vbaStrMove.MSVBVM60 ref: 00420109
__vbaFreeObj.MSVBVM60 ref: 00420112
#693.MSVBVM60(00403994), ref: 0042011D
#532.MSVBVM60(DEDD), ref: 0042012C
#660.MSVBVM60(?,?,?,00000001,00000001), ref: 0042015F
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420180
__vbaFreeVarList.MSVBVM60(00000003,00000002,0000000A,?), ref: 00420197
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004201BB
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000004C), ref: 004201E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,0000001C,?,?,?,?), ref: 0042022D
__vbaObjSet.MSVBVM60(?,?,?,?,?,?), ref: 0042023E
__vbaFreeObj.MSVBVM60(?,?,?,?), ref: 00420247
__vbaFreeStr.MSVBVM60(004202B7), ref: 004202A1
__vbaFreeObj.MSVBVM60 ref: 004202A6
__vbaFreeStr.MSVBVM60 ref: 004202AF
__vbaFreeStr.MSVBVM60 ref: 004202B4

Strings

DEDD, xrefs: 00420127

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#532#660#693ListMove
String ID: DEDD
API String ID: 303901731-2798080213
Opcode ID: f64a82e656d701049c55be138da368291e98e56cb130f6e964b121acc5dda068
Instruction ID: 6139f0d168f3508e347f1088a4fb11033b61709c2d1bed7e2d022a60db6cf542
Opcode Fuzzy Hash: f64a82e656d701049c55be138da368291e98e56cb130f6e964b121acc5dda068
Instruction Fuzzy Hash: 69712B71A00219EFDB10DF94D985ADEBBB9FF48B00F20816AF505B72A1C7745945CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C6A0, Relevance: 36.9, APIs: 20, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

#616.MSVBVM60(00403A10,00000001), ref: 0041C6E7
__vbaStrMove.MSVBVM60 ref: 0041C6F8
__vbaStrCmp.MSVBVM60(00403A08,00000000), ref: 0041C700
__vbaFreeStr.MSVBVM60 ref: 0041C713
#571.MSVBVM60(0000002B), ref: 0041C720
__vbaI4Str.MSVBVM60(00403988), ref: 0041C72B
#697.MSVBVM60(00000000), ref: 0041C732
__vbaStrMove.MSVBVM60 ref: 0041C73D
__vbaStrCmp.MSVBVM60(00403994,00000000), ref: 0041C745
__vbaFreeStr.MSVBVM60 ref: 0041C758
#570.MSVBVM60(000000AD), ref: 0041C768
__vbaStrCopy.MSVBVM60 ref: 0041C776
#524.MSVBVM60(?,?), ref: 0041C791
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C7AD
__vbaFreeVar.MSVBVM60 ref: 0041C7B9
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C7DA
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000001C), ref: 0041C7FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000060), ref: 0041C84E
__vbaFreeObj.MSVBVM60 ref: 0041C857
__vbaFreeStr.MSVBVM60(0041C894), ref: 0041C88D

Strings

Parisiskes8, xrefs: 0041C827

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#524#570#571#616#697CopyNew2
String ID: Parisiskes8
API String ID: 4051536704-4275025436
Opcode ID: a0d8201f83035a1e13171de6400a8e410e8d2ff0fe1a993d6b806bd1b6fa954e
Instruction ID: 5a894491484c489be6a88484649d1b485b1ec9239a522c53758eb936433725ec
Opcode Fuzzy Hash: a0d8201f83035a1e13171de6400a8e410e8d2ff0fe1a993d6b806bd1b6fa954e
Instruction Fuzzy Hash: CE515071A40219EFCB14DFA4DE89ADEBBB8FB48701F20412AE506B72A0D7785D45CF58

Uniqueness

Uniqueness Score: -1.00%

Function 004147D0, Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 168COMMON

Download Yara Rule

APIs

__vbaAryConstruct2.MSVBVM60(?,00403A2C,00000008), ref: 00414821
__vbaStrCopy.MSVBVM60 ref: 00414835
__vbaStrCopy.MSVBVM60 ref: 00414842
__vbaVarDup.MSVBVM60 ref: 00414854
#710.MSVBVM60(?,?), ref: 00414875
__vbaStrMove.MSVBVM60 ref: 00414880
__vbaStrCmp.MSVBVM60(00403A10,00000000), ref: 0041488C
__vbaFreeStr.MSVBVM60 ref: 0041489F
__vbaFreeVar.MSVBVM60 ref: 004148A8
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004148CA
__vbaObjSet.MSVBVM60(?,00000000), ref: 004148E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,00000170), ref: 0041490C
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414925
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041493E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000120), ref: 00414961
__vbaFpI4.MSVBVM60 ref: 00414972
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C8), ref: 004149BE
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004149CE
__vbaAryDestruct.MSVBVM60(00000000,?,00414A1F), ref: 00414A18

Strings

R(, xrefs: 004149D7

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$CopyNew2$#710Construct2DestructListMove
String ID: R(
API String ID: 799147137-4242638291
Opcode ID: 144d532d19584cfb64e306300f81ce66c0511d07998030c263a89a64a014fd0e
Instruction ID: f89f4764041a3cff66dd0ebf4ef591700158c50258332b355639901c2299eb44
Opcode Fuzzy Hash: 144d532d19584cfb64e306300f81ce66c0511d07998030c263a89a64a014fd0e
Instruction Fuzzy Hash: E5514F70900218ABDB10DFA4DD89EDEBBB9FF88701F10412AF546B72A0DB745945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041B8B0, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B90E
__vbaStrCopy.MSVBVM60 ref: 0041B916
__vbaRedim.MSVBVM60(00000880,00000010,?,00000000,00000001,00000003,00000000), ref: 0041B929
__vbaVarMove.MSVBVM60 ref: 0041B959
__vbaVarCopy.MSVBVM60 ref: 0041B985
__vbaVarMove.MSVBVM60 ref: 0041B9A9
__vbaVarCopy.MSVBVM60 ref: 0041B9D1
#668.MSVBVM60(?,?), ref: 0041B9DB
__vbaErase.MSVBVM60(00000000,?), ref: 0041B9E6
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041BA0B
__vbaFreeVar.MSVBVM60 ref: 0041BA17
__vbaEnd.MSVBVM60 ref: 0041BA22
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041BA3B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041BA54
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041BAA2
__vbaFreeObj.MSVBVM60 ref: 0041BAAB
__vbaFreeStr.MSVBVM60(0041BAF2), ref: 0041BAEA
__vbaFreeStr.MSVBVM60 ref: 0041BAEF

Strings

plums, xrefs: 0041BA7B

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$Move$#668CheckEraseHresultNew2Redim
String ID: plums
API String ID: 975322020-90554558
Opcode ID: 76d98b712feaad2dbd820f7e66720d4991474fd29080f208e09ef9f974a800b9
Instruction ID: d611292d753ef31067a6ff7dd4d4a543c0b910300aa605a3d0eace2b4d9eb5f6
Opcode Fuzzy Hash: 76d98b712feaad2dbd820f7e66720d4991474fd29080f208e09ef9f974a800b9
Instruction Fuzzy Hash: 73613E70D00259DFDB14DFA8DD88AADBBB9FF48700F10812AE505BB2A0D7B46945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041FCA0, Relevance: 31.7, APIs: 21, Instructions: 206COMMON

Download Yara Rule

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000000A8), ref: 0041FD08
__vbaStrCmp.MSVBVM60(00000000,?), ref: 0041FD13
__vbaFreeStr.MSVBVM60 ref: 0041FD25
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041FD4D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FD70
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,00000198), ref: 0041FD93
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041FDAC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FDC1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000048), ref: 0041FDDE
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041FDF7
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000004C), ref: 0041FE18
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403F8C,00000024), ref: 0041FE44
__vbaStrMove.MSVBVM60 ref: 0041FE57
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041FE67
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041FE7B
__vbaOnError.MSVBVM60(00000000), ref: 0041FE94
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041FEAD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FEC2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,000001A8), ref: 0041FEE1
__vbaFreeObj.MSVBVM60 ref: 0041FEEA
__vbaFreeStr.MSVBVM60(0041FF2D), ref: 0041FF26

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$List$ErrorMove
String ID:
API String ID: 2931715464-0
Opcode ID: 2c08c767f456c8a4a4c79318e4eb178d1547ed1a3774c7c0e36532c7ca2f4aa9
Instruction ID: ec151b8cb17f23dde6b9af846ab5b2a9cc21f680057af3cc83a836b88ffd1411
Opcode Fuzzy Hash: 2c08c767f456c8a4a4c79318e4eb178d1547ed1a3774c7c0e36532c7ca2f4aa9
Instruction Fuzzy Hash: D2718F71A00214ABDB10DFA5DD48EEAB7BCFF49700F10442AF946F72A0D7B49905CB68

Uniqueness

Uniqueness Score: -1.00%

Function 0041C090, Relevance: 31.7, APIs: 21, Instructions: 176COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C0F1
__vbaVarDup.MSVBVM60 ref: 0041C10B
#564.MSVBVM60(?,?), ref: 0041C119
__vbaHresultCheck.MSVBVM60(00000000), ref: 0041C124
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041C140
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041C153
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C173
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000048), ref: 0041C19A
__vbaStrMove.MSVBVM60 ref: 0041C1A9
#554.MSVBVM60 ref: 0041C1AF
__vbaR4Str.MSVBVM60(004039D4), ref: 0041C1BA
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041C1E4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C1FD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000130), ref: 0041C224
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0041C236
__vbaI4Var.MSVBVM60(00000000), ref: 0041C240
__vbaHresultCheckObj.MSVBVM60(00000000,00401460,004033B0,00000084), ref: 0041C297
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041C2A7
__vbaFreeVar.MSVBVM60 ref: 0041C2B3
__vbaFreeStr.MSVBVM60(0041C30A), ref: 0041C302
__vbaFreeStr.MSVBVM60 ref: 0041C307

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ListNew2$#554#564CallCopyLateMove
String ID:
API String ID: 668867254-0
Opcode ID: b7c20a943137120603e760c580a764477b74dcae45569850fdea19e19bf2b030
Instruction ID: d52f8851183cd2bae6c7b947f343bfc54a0fadf65c82303792a140c611cbde7f
Opcode Fuzzy Hash: b7c20a943137120603e760c580a764477b74dcae45569850fdea19e19bf2b030
Instruction Fuzzy Hash: 5F615970D40209AFCB109FA5DD89AEEBBB8FF58701F10815AF946B72A0CB741945CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00421400, Relevance: 31.6, APIs: 21, Instructions: 150COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00421464
__vbaStrCopy.MSVBVM60 ref: 0042146C
__vbaStrCopy.MSVBVM60 ref: 00421474
__vbaStrCopy.MSVBVM60 ref: 0042147C
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 004214AE
__vbaFpR8.MSVBVM60 ref: 004214B4
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 004214E0
__vbaEnd.MSVBVM60 ref: 004214EC
__vbaVarDup.MSVBVM60 ref: 00421506
#564.MSVBVM60(?,?), ref: 00421514
__vbaHresultCheck.MSVBVM60(00000000), ref: 0042151F
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042153B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0042154E
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042156A
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000048), ref: 00421594
__vbaStrMove.MSVBVM60 ref: 004215A3
__vbaFreeStr.MSVBVM60(004215F2), ref: 004215DB
__vbaFreeStr.MSVBVM60 ref: 004215E0
__vbaFreeStr.MSVBVM60 ref: 004215E5
__vbaFreeStr.MSVBVM60 ref: 004215EA
__vbaFreeStr.MSVBVM60 ref: 004215EF

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresultList$#564#676MoveNew2
String ID:
API String ID: 2576684927-0
Opcode ID: bc0beaf49f89aa413556bcaa03bbda2352d22150f10b3f53335f4308c260a5ff
Instruction ID: 5eb6b5d7211f242b73befd1024cc9620ac07e58f62734c70e4e3d714348f3788
Opcode Fuzzy Hash: bc0beaf49f89aa413556bcaa03bbda2352d22150f10b3f53335f4308c260a5ff
Instruction Fuzzy Hash: 6E5137B1D00219ABCB04DFA4DD45AEEBBB8FF58700F10811AF415B7260DB746946CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414A40, Relevance: 28.7, APIs: 19, Instructions: 165COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414A9F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414ABE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000000D0), ref: 00414AE1
#592.MSVBVM60(?), ref: 00414AFA
__vbaFreeObj.MSVBVM60 ref: 00414B0F
__vbaFreeVar.MSVBVM60 ref: 00414B1E
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414B3C
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414B55
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000050), ref: 00414B72
#716.MSVBVM60(00000002,?,00000000), ref: 00414B82
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 00414BAA
__vbaFreeStr.MSVBVM60 ref: 00414BB3
__vbaFreeObj.MSVBVM60 ref: 00414BBC
__vbaFreeVar.MSVBVM60 ref: 00414BC5
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414BDA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414BF3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000068), ref: 00414C10
__vbaFreeObj.MSVBVM60 ref: 00414C1F
__vbaFreeObj.MSVBVM60(00414C53), ref: 00414C4C

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#592#716Late
String ID:
API String ID: 3616571326-0
Opcode ID: d9a600d61b36685952013ccfbab2f8fc250623819a1ae1a1f0a599b24772849f
Instruction ID: db6b14e7f2650b22175c0259d718396d71688c208649d96eb37420172cc49baa
Opcode Fuzzy Hash: d9a600d61b36685952013ccfbab2f8fc250623819a1ae1a1f0a599b24772849f
Instruction Fuzzy Hash: 74512B74A00205ABCB14DFA5DA88EDEBBB8BF48701F10852AF545F72A0D7749945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041CC30, Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 139COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041CC6A
__vbaBoolStr.MSVBVM60(True), ref: 0041CC75
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041CC98
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CCB1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403B60,00000178), ref: 0041CCD8
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041CD01
__vbaFpI4.MSVBVM60(436A0000,?,42900000), ref: 0041CD2F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002C0,?,42900000), ref: 0041CD68
__vbaFreeObj.MSVBVM60(?,42900000), ref: 0041CD71
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041CD8A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CDA3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041CDEB
__vbaFreeObj.MSVBVM60 ref: 0041CDF4
__vbaFreeStr.MSVBVM60(0041CE16), ref: 0041CE0F

Strings

True, xrefs: 0041CC70
Pleurococcaceae, xrefs: 0041CDBA

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$BoolCopy_adj_fdiv_m64
String ID: Pleurococcaceae$True
API String ID: 3244786466-1036221138
Opcode ID: 91b75709e2577e54168c62a88a46019da263f9ceaab43c9d3c7df24dc0516644
Instruction ID: d0a2330d2c190f402f8198728395e3e325d5a234f2ac42231bce47de3b5382fb
Opcode Fuzzy Hash: 91b75709e2577e54168c62a88a46019da263f9ceaab43c9d3c7df24dc0516644
Instruction Fuzzy Hash: 32519074A40205EBCB109F94DE8DFAE7BB9FB49701F104425F946B72B0C7749942CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00420E90, Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420ECD
#706.MSVBVM60(00000001,00000000,00000000), ref: 00420ED7
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EE8
__vbaI4Str.MSVBVM60(00403988,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EEF
#537.MSVBVM60(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420EF6
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F01
__vbaStrCmp.MSVBVM60(00403994,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F09
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F1C
__vbaEnd.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F27
__vbaNew2.MSVBVM60(00402538,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F40
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420F59
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00420FA1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FAA
__vbaFreeStr.MSVBVM60(00420FDB,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FD3
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00420FD8

Strings

tippernes, xrefs: 00420F70

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#537#706CheckCopyHresultNew2
String ID: tippernes
API String ID: 999016634-1619208553
Opcode ID: 5562e214cd76c2bb6dc2f7f6357bd7833f9ba4969c5ac546db435edf87e17029
Instruction ID: ae8388f7ed8b08bb89c54329fd7b5d6b07dab32cd7ce3476efe28ca13dffb140
Opcode Fuzzy Hash: 5562e214cd76c2bb6dc2f7f6357bd7833f9ba4969c5ac546db435edf87e17029
Instruction Fuzzy Hash: 78315275A40214AFCB14DFA4DE49AAEBBB8FB48701F504126F906F72A0DB745901CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 004206C0, Relevance: 27.1, APIs: 18, Instructions: 149COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420715
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042072D
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000014), ref: 00420758
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000C0), ref: 00420786
__vbaFreeObj.MSVBVM60 ref: 00420791
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004207A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004207BF
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000180), ref: 004207E2
__vbaFreeObj.MSVBVM60 ref: 004207E7
__vbaI4Str.MSVBVM60(00403988), ref: 004207EE
#608.MSVBVM60(?,00000000), ref: 004207F9
__vbaVarTstNe.MSVBVM60(?,?), ref: 00420815
__vbaFreeVar.MSVBVM60 ref: 00420821
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0042083F
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000048), ref: 00420866
__vbaStrMove.MSVBVM60 ref: 00420875
__vbaFreeStr.MSVBVM60(004208B9), ref: 004208B1
__vbaFreeStr.MSVBVM60 ref: 004208B6

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#608CopyMove
String ID:
API String ID: 4240346833-0
Opcode ID: 9f80f2afa9eac97bb3696f72e309538a9c81d9ff20948a5571441350db8673fe
Instruction ID: dedfcc62f1964e43ae3d11785218289cbd5ff21e23dea3d8a30fa316b4a95b1e
Opcode Fuzzy Hash: 9f80f2afa9eac97bb3696f72e309538a9c81d9ff20948a5571441350db8673fe
Instruction Fuzzy Hash: 0A514D71A00219AFCB10DFA5DD88E9EBBF8FF98705F504026F505B72A0D7B46905CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00414400, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 136COMMON

Download Yara Rule

APIs

__vbaI4Str.MSVBVM60(00403988), ref: 00414451
#608.MSVBVM60(?,00000000), ref: 0041445C
__vbaVarTstNe.MSVBVM60(?,?), ref: 00414478
__vbaFreeVar.MSVBVM60 ref: 00414484
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004144A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 004144C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000120), ref: 004144E8
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414501
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041451A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,00000148), ref: 0041453D
__vbaInStrVar.MSVBVM60(?,00000000,00008008,?,?), ref: 00414574
__vbaI4Var.MSVBVM60(00000000), ref: 0041457B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041458B
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 0041459B

Strings

passulate, xrefs: 00414566

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultListNew2$#608
String ID: passulate
API String ID: 821347214-629239217
Opcode ID: 043552ca83b47cd60f0dee6fe8753cce1958c57d247fbcf17945a6dd88337b53
Instruction ID: a720e0adc94b0af0eddaba7418f4cb1a1fba3a3998fb902d047809e2c34e987c
Opcode Fuzzy Hash: 043552ca83b47cd60f0dee6fe8753cce1958c57d247fbcf17945a6dd88337b53
Instruction Fuzzy Hash: 00512FB5901208AFCB10DF94DA88EEEBBB9FB48701F60452AF545F72A0D7745A09CF64

Uniqueness

Uniqueness Score: -1.00%

Function 0041C8B0, Relevance: 25.7, APIs: 17, Instructions: 199COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041C8FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C916
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001E0), ref: 0041C93D
#592.MSVBVM60(?), ref: 0041C956
__vbaFreeObj.MSVBVM60 ref: 0041C96B
__vbaFreeVar.MSVBVM60 ref: 0041C974
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C995
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000001C), ref: 0041C9BA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000054), ref: 0041CA00
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041CA32
__vbaFreeObj.MSVBVM60 ref: 0041CA3B
__vbaFreeVar.MSVBVM60 ref: 0041CA44
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041CA5D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041CA76
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001CC), ref: 0041CAFD
__vbaFreeObj.MSVBVM60 ref: 0041CB06
__vbaFreeObj.MSVBVM60(0041CB49), ref: 0041CB42

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$#592Late
String ID:
API String ID: 134990064-0
Opcode ID: 81e948f94d92f329acfc6fa031ecceb3211a7196cb4107929989e4d8db2dc9bd
Instruction ID: b509c2604339dbf0085ab4d999977600bf5699fff768f83eaad053ed6d65819e
Opcode Fuzzy Hash: 81e948f94d92f329acfc6fa031ecceb3211a7196cb4107929989e4d8db2dc9bd
Instruction Fuzzy Hash: BF813C74A40204AFCB04DFA8D989A9EBBF9FF49701F10816AE509F73A0D7749941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041B3B0, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B3F6
#594.MSVBVM60(?), ref: 0041B40F
__vbaFreeVar.MSVBVM60 ref: 0041B418
__vbaVarDup.MSVBVM60 ref: 0041B432
#544.MSVBVM60(?,?), ref: 0041B440
__vbaVarTstNe.MSVBVM60(?,?), ref: 0041B45C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041B46F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004033B0,000002B0), ref: 0041B4E1
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041B4FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B513
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001E8), ref: 0041B536
__vbaFreeObj.MSVBVM60 ref: 0041B53F
__vbaFreeStr.MSVBVM60(0041B577), ref: 0041B570

Strings

20:20:20, xrefs: 0041B424

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#544#594CopyListNew2
String ID: 20:20:20
API String ID: 225108240-1725373740
Opcode ID: 757014df9ee4521e68bb7cc143de70918ada4509e6dde8cc2b0843e9f0338677
Instruction ID: ee1e54eec1dcaa09972d400c28673cca990cab8acd99310e0dced0f90cde25ae
Opcode Fuzzy Hash: 757014df9ee4521e68bb7cc143de70918ada4509e6dde8cc2b0843e9f0338677
Instruction Fuzzy Hash: F8511BB4900249EFCB04DF98D989ADEBFB9FF48704F10812AE909BB260D7745945CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414C80, Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 108COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414CD3
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414CF2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414D36
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414D45
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414D5A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414D73
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001C0), ref: 00414D92
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414D9B
#587.MSVBVM60(00000000,3FF00000), ref: 00414DA4
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414DAA
#580.MSVBVM60(Styringscomputeren,00000001), ref: 00414DC4

Strings

KANTSTENENS, xrefs: 00414D05
Styringscomputeren, xrefs: 00414DBF

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$#580#587
String ID: KANTSTENENS$Styringscomputeren
API String ID: 1664163399-2963900404
Opcode ID: 9335fc03d02f5c424b1e54372d79ae5e4314ce2a69b3d0e7fd475ee54491acaf
Instruction ID: c8ebd09f39fcf37296da11699790869e3dee045319de64c2d087418750487dcf
Opcode Fuzzy Hash: 9335fc03d02f5c424b1e54372d79ae5e4314ce2a69b3d0e7fd475ee54491acaf
Instruction Fuzzy Hash: 1B416574A00214AFCB109FA4DE49F9A7BB8FF49B01F10456AF945F72A1C6789941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004202F0, Relevance: 22.7, APIs: 15, Instructions: 205COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 0042034C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042036B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403998,00000098), ref: 0042038E
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004203A7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203C0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403D34,00000130), ref: 0042044D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042045D
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00420479
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420498
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004204B4
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204CD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000000A8), ref: 004204F0
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,000001EC), ref: 00420530
__vbaFreeStr.MSVBVM60 ref: 00420539
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420549

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID:
API String ID: 191279167-0
Opcode ID: 40199db7d708fb033e86378b15d701dadd134fa3ebd38a31c48cda00700d4295
Instruction ID: 74279410bca1b3e7ca9d61c40f0efe7bf6e55f79ab09a01a866bb73c3b431b47
Opcode Fuzzy Hash: 40199db7d708fb033e86378b15d701dadd134fa3ebd38a31c48cda00700d4295
Instruction Fuzzy Hash: 58816070A00204AFCB10DFA8D988B9ABBF9FB49704F60806AE905F7291D7759906CF94

Uniqueness

Uniqueness Score: -1.00%

Function 0041C450, Relevance: 22.7, APIs: 15, Instructions: 166COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C49F
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 0041C4B7
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000014), ref: 0041C4DC
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000C0), ref: 0041C506
__vbaFreeObj.MSVBVM60 ref: 0041C50F
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041C528
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C541
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000178), ref: 0041C5C8
__vbaFreeObj.MSVBVM60 ref: 0041C5D7
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041C5EC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041C605
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000000F8), ref: 0041C62C
__vbaFreeObj.MSVBVM60 ref: 0041C63B
__vbaFreeStr.MSVBVM60(0041C66C), ref: 0041C65C
__vbaFreeObj.MSVBVM60 ref: 0041C665

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Copy
String ID:
API String ID: 1628389849-0
Opcode ID: b16d6ce05760164fdbe2a8987959a748e3703a42c54345e31a52fedaf433c698
Instruction ID: e50764de76a802701bd03165d6391219022da2dda5244231135dae49099bfa7b
Opcode Fuzzy Hash: b16d6ce05760164fdbe2a8987959a748e3703a42c54345e31a52fedaf433c698
Instruction Fuzzy Hash: 92615D74A40205AFCB04DF69DD88A9EBBB9FF49700F14806AF805B72A0C7749841CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 004208E0, Relevance: 22.6, APIs: 15, Instructions: 147COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00420941
__vbaStrCopy.MSVBVM60 ref: 0042094B
#524.MSVBVM60(?,?), ref: 00420962
__vbaVarTstNe.MSVBVM60(?,?), ref: 0042097E
__vbaFreeVar.MSVBVM60 ref: 0042098A
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 004209AB
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,0000001C), ref: 004209D0
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004209FA
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420A13
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000000A8), ref: 00420A3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403E48,00000060), ref: 00420A75
__vbaFreeStr.MSVBVM60 ref: 00420A7E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420A8E
__vbaFreeStr.MSVBVM60(00420AE3), ref: 00420ADB
__vbaFreeStr.MSVBVM60 ref: 00420AE0

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$CopyNew2$#524List
String ID:
API String ID: 592294731-0
Opcode ID: 89048570029fffa1f91386bcbfdd8a3cb8ea5f3de96dec376b2b756c6e2c6859
Instruction ID: b184b76a7f354287624ead317bd2e79e775bdd7692784707268617388805fbdd
Opcode Fuzzy Hash: 89048570029fffa1f91386bcbfdd8a3cb8ea5f3de96dec376b2b756c6e2c6859
Instruction Fuzzy Hash: 25515EB4E00219EFCB04DF95D989ADEBBB8FF98701F50802AE505B72A1C7B45905CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00413D90, Relevance: 21.1, APIs: 14, Instructions: 132COMMON

Download Yara Rule

APIs

#610.MSVBVM60(?), ref: 00413DE9
#661.MSVBVM60(?,004038C4,00000000,3FF00000,?), ref: 00413DFE
#610.MSVBVM60(?), ref: 00413E08
__vbaVarAdd.MSVBVM60(?,?,?,?), ref: 00413E28
__vbaVarTstNe.MSVBVM60(00000000), ref: 00413E2F
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 00413E4A
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00413E6A
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000048), ref: 00413E94
__vbaStrMove.MSVBVM60 ref: 00413EA3
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00413EBB
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000014), ref: 00413EE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000B8), ref: 00413F0D
__vbaFreeObj.MSVBVM60 ref: 00413F16
__vbaFreeStr.MSVBVM60(00413F60), ref: 00413F59

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#610New2$#661ListMove
String ID:
API String ID: 4150538313-0
Opcode ID: b907206e50fd801bdd7e5a96b71378b5c4d7d00ffc30da550df5c7dad7ad6f28
Instruction ID: 7c13e0e12ee1b0e69ea596fb58e85e17f580676734c9801b62a85d0cd6cd226f
Opcode Fuzzy Hash: b907206e50fd801bdd7e5a96b71378b5c4d7d00ffc30da550df5c7dad7ad6f28
Instruction Fuzzy Hash: 09413A71D00219ABCB10DF94DD89EEEBBB8FF58702F10412AF505B71A0D7B85A45CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004140B0, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 004140F0
#676.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,3FF00000,?,?), ref: 00414126
__vbaFpR8.MSVBVM60 ref: 0041412C
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00414157
__vbaNew2.MSVBVM60(004038E8,00422390), ref: 00414177
__vbaCastObj.MSVBVM60(?,00403964,ekspeditricerne), ref: 00414193
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041419E
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000040), ref: 004141B8
__vbaFreeObj.MSVBVM60 ref: 004141C1
__vbaFreeObj.MSVBVM60(0041420D), ref: 004141FD
__vbaFreeStr.MSVBVM60 ref: 00414206

Strings

ekspeditricerne, xrefs: 00414186

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#676CastCheckCopyHresultListNew2
String ID: ekspeditricerne
API String ID: 2764453826-1880822252
Opcode ID: ec92d1c641b4a8588fa01a44b40a8784de6df7df5981043949c6abdfad48be37
Instruction ID: 55a529942a2abef0ef53804cd337b9b1c43d544943ff176434d9c9e8e7f1001f
Opcode Fuzzy Hash: ec92d1c641b4a8588fa01a44b40a8784de6df7df5981043949c6abdfad48be37
Instruction Fuzzy Hash: FE314174900209ABCB14DFA5DE49BEEBBB8FB58701F20412AF905B72A0D7781941CF5C

Uniqueness

Uniqueness Score: -1.00%

Function 00414230, Relevance: 18.1, APIs: 12, Instructions: 130COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041427A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414299
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004142B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004142C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,00000218), ref: 004142EC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414331
__vbaFreeStr.MSVBVM60 ref: 0041433A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041434A
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414366
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041437F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,00000088), ref: 004143A2
__vbaFreeObj.MSVBVM60 ref: 004143B1

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List
String ID:
API String ID: 2509323985-0
Opcode ID: 89b09fe7a8c0bad75112c16c5a4f821adb67216c5b0d2b90f0d5626c721011e8
Instruction ID: bd4f3bcfdd3a49b310a1186cc953aee4e5bb32ad326e297d90bc9e54f9a459bf
Opcode Fuzzy Hash: 89b09fe7a8c0bad75112c16c5a4f821adb67216c5b0d2b90f0d5626c721011e8
Instruction Fuzzy Hash: 6741A574A40205AFC710DFA8CD89FAE7BB8FB48701F508529F945F72A0D7749942CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00413F80, Relevance: 17.6, APIs: 8, Strings: 2, Instructions: 79COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413FCF
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00413FD7
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00413FEC
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414005
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 0041404D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00414056
__vbaFreeStr.MSVBVM60(00414086), ref: 0041407E
__vbaFreeStr.MSVBVM60 ref: 00414083

Strings

GENFREMSTILLINGEN, xrefs: 0041401C
IO"K, xrefs: 0041405C

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$CheckHresultNew2
String ID: GENFREMSTILLINGEN$IO"K
API String ID: 1874231197-1947186289
Opcode ID: 6cd19fc0849da6ca61c3d8a1900d49aad4d84394a17de8e708caac429ded8e77
Instruction ID: 3bcccc7e19efbcd55cc66d024347dc0deea4c05fa5420e31236ea7d2334462a8
Opcode Fuzzy Hash: 6cd19fc0849da6ca61c3d8a1900d49aad4d84394a17de8e708caac429ded8e77
Instruction Fuzzy Hash: B3313C71A00219AFCB04DFA9D985ADEBFB9FF58700F10816AE905F72A0C7749941CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00414600, Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 105COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041466D
__vbaR4Str.MSVBVM60(004039D4), ref: 00414678
__vbaVarDup.MSVBVM60 ref: 004146E3
#596.MSVBVM60(?,?,?,?,?,?,?), ref: 0041470B
__vbaStrMove.MSVBVM60 ref: 00414716
__vbaFreeVarList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 00414740
__vbaFreeStr.MSVBVM60(0041479E), ref: 00414796
__vbaFreeStr.MSVBVM60 ref: 0041479B

Strings

Bibeskftigelsernes, xrefs: 004146CF

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#596CopyListMove
String ID: Bibeskftigelsernes
API String ID: 2863382718-3164189337
Opcode ID: 4ce8b09bf23f6c0191436d399202ad902e09a7404220aca9b66ff6dbeca060c6
Instruction ID: de3136ded7a5595d174bebf7e2866268750d11e733ede43361adfcdc4523819f
Opcode Fuzzy Hash: 4ce8b09bf23f6c0191436d399202ad902e09a7404220aca9b66ff6dbeca060c6
Instruction Fuzzy Hash: A741C5B1D01219DFCB14CF99DA44ADEBBB8FB48700F20816BE20AB7250DB741A49CF94

Uniqueness

Uniqueness Score: -1.00%

Function 00414E20, Relevance: 15.8, APIs: 6, Strings: 3, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaVarTstNe.MSVBVM60(?,?), ref: 00414E75
#531.MSVBVM60(Luksusvrelsernes), ref: 00414E85
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00414E9E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414EB7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403930,000001EC), ref: 00414F05
__vbaFreeObj.MSVBVM60 ref: 00414F0E

Strings

Balancegangs8, xrefs: 00414EDE
0:|J, xrefs: 00414F14
Luksusvrelsernes, xrefs: 00414E80

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#531CheckFreeHresultNew2
String ID: 0:|J$Balancegangs8$Luksusvrelsernes
API String ID: 1326136531-2358188216
Opcode ID: a330ef5ed6b7e1984ea38177a7e7ec729ea7b025d703b2c5aa28ee44440ee5c4
Instruction ID: 9f25caa90e27e1664336a2ba5c0307f928233f21a46b5a30845424e885f1fdc7
Opcode Fuzzy Hash: a330ef5ed6b7e1984ea38177a7e7ec729ea7b025d703b2c5aa28ee44440ee5c4
Instruction Fuzzy Hash: 30314CB4E00209AFCB14DF99D989B9EBBB8FB48701F50802AF545B7390C7B85905CF99

Uniqueness

Uniqueness Score: -1.00%

Function 0041B590, Relevance: 15.1, APIs: 10, Instructions: 95COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041B5D9
__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041B5F2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041B60B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403974,0000016C), ref: 0041B62E
__vbaFreeObj.MSVBVM60 ref: 0041B637
#516.MSVBVM60(00403994), ref: 0041B642
__vbaVarDup.MSVBVM60 ref: 0041B67E
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041B695
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041B6AD
__vbaFreeStr.MSVBVM60(0041B6EC), ref: 0041B6E5

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#595CheckCopyHresultListNew2
String ID:
API String ID: 1659224419-0
Opcode ID: b2aeb65142573d5fe901c87d83c742be09dee556bc16f3c26c4b1b00d0ebedeb
Instruction ID: 53ed29f74fde7952dee4cd02d1fbb33472ec7d7b610a23b2bce9233dcf64fd20
Opcode Fuzzy Hash: b2aeb65142573d5fe901c87d83c742be09dee556bc16f3c26c4b1b00d0ebedeb
Instruction Fuzzy Hash: C0414AB0900209AFCB14DF94D988EEEBFB9FF58705F10412AF506B72A0D7745985CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041C340, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 0041C386
#516.MSVBVM60(00403994), ref: 0041C391
__vbaVarDup.MSVBVM60 ref: 0041C3CD
#595.MSVBVM60(?,00000000,?,?,?), ref: 0041C3E4
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?), ref: 0041C3FC
__vbaFreeStr.MSVBVM60(0041C432), ref: 0041C42B

Strings

Udmarvnings8, xrefs: 0041C3BF

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#516#595CopyList
String ID: Udmarvnings8
API String ID: 515552688-761385786
Opcode ID: 408322e763dd10158d6e3776d23a99670f517de8c50d4ddd17832d1dd6156e3f
Instruction ID: 49d2027c464da82284c17f3e9689f89c85e0de5fc845965763aa3ed5e69a16e5
Opcode Fuzzy Hash: 408322e763dd10158d6e3776d23a99670f517de8c50d4ddd17832d1dd6156e3f
Instruction Fuzzy Hash: 3921EAB1C41249AFCB04DFD8DA45ADEBBB8EB08705F20812AF506B7254D7746E09CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 004205C0, Relevance: 12.1, APIs: 8, Instructions: 60COMMON

Download Yara Rule

APIs

#705.MSVBVM60(?,00000000), ref: 00420604
__vbaStrMove.MSVBVM60 ref: 0042060F
__vbaFreeVar.MSVBVM60 ref: 00420618
__vbaNew2.MSVBVM60(00402538,00422010), ref: 00420631
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042064A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A44,00000208), ref: 0042066D
__vbaFreeObj.MSVBVM60 ref: 00420676
__vbaFreeStr.MSVBVM60(004206A0), ref: 00420699

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#705CheckHresultMoveNew2
String ID:
API String ID: 1968677507-0
Opcode ID: fab06b37da449edf582610412f231e52382c7487734dfef446431d987ebf08e5
Instruction ID: 23c9b0eb187dba5e8bc8e66f1088f350938ecd144d8c5ebf8ff0a6bc68b44767
Opcode Fuzzy Hash: fab06b37da449edf582610412f231e52382c7487734dfef446431d987ebf08e5
Instruction Fuzzy Hash: B4214D74A00205ABCB10DF94DE4DEAEBBB8FB98705F500026F542F71B1D7745945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FF50, Relevance: 12.0, APIs: 8, Instructions: 46COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FF93
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FF9B
#536.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFAC
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFB7
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFC0
__vbaFreeStr.MSVBVM60(0041FFED,?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFE0
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFE5
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 0041FFEA

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#536Move
String ID:
API String ID: 754517999-0
Opcode ID: 21e99b8c78357edbfd649c1c832de24053ce3619fc89fbf2dca17c843f49990a
Instruction ID: 12b37190ffe7c97bb950fafe5263ae1af75b7324872d312aeb5bda6267af02bc
Opcode Fuzzy Hash: 21e99b8c78357edbfd649c1c832de24053ce3619fc89fbf2dca17c843f49990a
Instruction Fuzzy Hash: 5D11EC71D0020D9FCB04DFA8D945AEEBBB4FB58700F108126E506F72A4EB746A06CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00421620, Relevance: 10.6, APIs: 7, Instructions: 121COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 00421667
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421686
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A18,000000F8), ref: 004216A9
__vbaNew2.MSVBVM60(00402538,00422010), ref: 004216C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004216DB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00403A54,00000130), ref: 0042176A
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042177A

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$FreeList
String ID:
API String ID: 1549294082-0
Opcode ID: b144720532af0f174dfe7049aa8cbfc755f69c2e3176ddb03c5aa06d11b26231
Instruction ID: e24e6cc5932cab99e0d4c568653f0320fc3929ff0aa7a0eb869659f49d6de306
Opcode Fuzzy Hash: b144720532af0f174dfe7049aa8cbfc755f69c2e3176ddb03c5aa06d11b26231
Instruction Fuzzy Hash: 58413174A00204AFCB14DF98D989A9EBBF9FF48700F50846AE905F73A1D7749905CFA9

Uniqueness

Uniqueness Score: -1.00%

Function 00421330, Relevance: 6.1, APIs: 4, Instructions: 56COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(004038E8,00422390,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00421374
__vbaHresultCheckObj.MSVBVM60(00000000,0222EF84,004038D8,00000014,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 00421399
__vbaHresultCheckObj.MSVBVM60(00000000,?,004038F8,000000B8,?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004213C3
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004015E6), ref: 004213CC

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2
String ID:
API String ID: 4261391273-0
Opcode ID: b515260320fe76fb677e92dd8e01a5912bc5a618f5e908fc7f1979c0ea3bcda1
Instruction ID: aee08d0c6e21a8c7150545432cd667b8fa7e227a0db0c120837919a44c6660a4
Opcode Fuzzy Hash: b515260320fe76fb677e92dd8e01a5912bc5a618f5e908fc7f1979c0ea3bcda1
Instruction Fuzzy Hash: 6A11BF34A40215BBDB10DFA4DD8AEABBBBDEB29701F504026F905F35B0C6785801CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041CB70, Relevance: 6.0, APIs: 4, Instructions: 45COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(00402538,00422010), ref: 0041CBB3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041CBCC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004039A8,000001C4), ref: 0041CBEF
__vbaFreeObj.MSVBVM60 ref: 0041CBF8

Memory Dump Source

Source File: 00000000.00000002.1164419190.0000000000413000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1164405026.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1164409912.0000000000401000.00000020.00020000.sdmp Download File
Associated: 00000000.00000002.1164426532.0000000000422000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1164430930.0000000000424000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: c4edb178d12cbf06ecc128d12321ad9ca0e2ce49e406342767f62a5529b52c87
Instruction ID: 02b16019189cf2fa7e54c6553fd848a62561e2699fc34765bfc5cab9c1e798bd
Opcode Fuzzy Hash: c4edb178d12cbf06ecc128d12321ad9ca0e2ce49e406342767f62a5529b52c87
Instruction Fuzzy Hash: A2018C74680205BBD7109F64DE89FAA7BBCFB04B01F500466F941F72A0E6B89904CAA9

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report EXErprijFY

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: EXErprijFY.exe PID: 6896 Parent PID: 5956

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: EXErprijFY.exe PID: 6896 Parent PID: 5956 EXErprijFY.exeCOMMON

Function 004018A4, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 416
COMMONCrypto