Windows Analysis Report sVNHE4jjOw.exe

Overview

General Information

Sample Name:sVNHE4jjOw.exe
Analysis ID:449805
MD5:72fe87cb4fd41cf172a9caecbdc6887f
SHA1:2c8c745378f4a80e96dbabf574d1ac2d6408df69
SHA256:6d26df7a7163053aa756f62ee4504af93020696cee98a1fc891c600ac76acc1c
Tags:exe
Detection

Score:64
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to detect hardware virtualization (CPUID execution measurement)
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to read the PEB
Creates a DirectInput object (often for capturing keystrokes)
Detected potential crypto function
PE / OLE file has an invalid certificate
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Process Tree

  • System is w10x64
  • sVNHE4jjOw.exe (PID: 4072 cmdline: 'C:\Users\user\Desktop\sVNHE4jjOw.exe' MD5: 72FE87CB4FD41CF172A9CAECBDC6887F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

No yara matches

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: sVNHE4jjOw.exe | Virustotal: Detection: 34%
Source: sVNHE4jjOw.exe | ReversingLabs: Detection: 23%
Source: sVNHE4jjOw.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb | source: sVNHE4jjOw.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ | source: sVNHE4jjOw.exe
Source: sVNHE4jjOw.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: sVNHE4jjOw.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: sVNHE4jjOw.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: sVNHE4jjOw.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: sVNHE4jjOw.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: sVNHE4jjOw.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: sVNHE4jjOw.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: sVNHE4jjOw.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: sVNHE4jjOw.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: sVNHE4jjOw.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: sVNHE4jjOw.exe, 00000000.00000002.748037096.000000000081A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_0080561F NtAllocateVirtualMemory, 0_2_0080561F
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805608 NtAllocateVirtualMemory, 0_2_00805608
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805761 NtAllocateVirtualMemory, 0_2_00805761
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00401470 0_2_00401470
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_0080561F 0_2_0080561F
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008080B4 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805985 0_2_00805985
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008022A2 0_2_008022A2
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805AB8 0_2_00805AB8
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805AE6 0_2_00805AE6
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805A62 0_2_00805A62
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805608 0_2_00805608
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00808F74 0_2_00808F74
Source: sVNHE4jjOw.exe | Static PE information: invalid certificate
Source: sVNHE4jjOw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sVNHE4jjOw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sVNHE4jjOw.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: sVNHE4jjOw.exe, 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
Source: sVNHE4jjOw.exe | Binary or memory string: OriginalFilenameDragt1.exe vs sVNHE4jjOw.exe
Source: sVNHE4jjOw.exe | Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine | Classification label: mal64.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | File created: C:\Users\user\AppData\Local\Temp\~DFB3D8909A7274E24A.TMP
Source: sVNHE4jjOw.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: sVNHE4jjOw.exe | Virustotal: Detection: 34%
Source: sVNHE4jjOw.exe | ReversingLabs: Detection: 23%
Source: sVNHE4jjOw.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb | source: sVNHE4jjOw.exe
Source: Binary string: C:\Program Files (x86)\Administrator-Cloud\Projects\Dragt1.pdb@ | source: sVNHE4jjOw.exe
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00404960 push es; ret 0_2_00404965
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00611774 push edx; ret 0_2_006117A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00613063 push edx; ret 0_2_00613091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00611863 push edx; ret 0_2_00611891
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00614863 push edx; ret 0_2_00614891
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00616065 push edx; ret 0_2_00616091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00610068 push edx; ret 0_2_00610091
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00616875 push edx; ret 0_2_006168A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00612074 push edx; ret 0_2_006120A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00613874 push edx; ret 0_2_006138A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00615074 push edx; ret 0_2_006150A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00610878 push edx; ret 0_2_006108A1
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00610843 push edx; ret 0_2_00610871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00612043 push edx; ret 0_2_00612071
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00613843 push edx; ret 0_2_00613871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00615043 push edx; ret 0_2_00615071
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00616844 push edx; ret 0_2_00616871
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00611054 push edx; ret 0_2_00611081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00612854 push edx; ret 0_2_00612881
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00614054 push edx; ret 0_2_00614081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00615854 push edx; ret 0_2_00615881
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00617054 push edx; ret 0_2_00617081
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00611023 push edx; ret 0_2_00611051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00612823 push edx; ret 0_2_00612851
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00614023 push edx; ret 0_2_00614051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00615825 push edx; ret 0_2_00615851
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00617024 push edx; ret 0_2_00617051
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00614833 push edx; ret 0_2_00614861
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00613033 push edx; ret 0_2_00613061
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00611833 push edx; ret 0_2_00611861
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00616034 push edx; ret 0_2_00616061
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008080B4 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00805A62 0_2_00805A62
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | RDTSC instruction interceptor: First address: 0000000000807129 second address: 0000000000807129 instructions:
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | RDTSC instruction interceptor: First address: 0000000000807129 second address: 0000000000807129 instructions:
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | RDTSC instruction interceptor: First address: 00000000008092E8 second address: 00000000008092E8 instructions:
  0x00000000 rdtsc
  0x00000002 lfence
  0x00000005 shl edx, 20h
  0x00000008 or edx, eax
  0x0000000a popad
  0x0000000b cmp edx, dword ptr [ebp+44h]
  0x0000000e jne 00007F282C8B58F9h
  0x00000010 sub edx, 04h
  0x00000013 xor dword ptr [edx], ecx
  0x00000015 pushad
  0x00000016 lfence
  0x00000019 rdtsc
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008080B4 rdtsc 0_2_008080B4
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Process Stats: CPU usage > 90% for more than 60s
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008080B4 rdtsc 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008080B4 mov eax, dword ptr fs:[00000030h] 0_2_008080B4
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_0080527E mov eax, dword ptr fs:[00000030h] 0_2_0080527E
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_008074A3 mov eax, dword ptr fs:[00000030h] 0_2_008074A3
Source: C:\Users\user\Desktop\sVNHE4jjOw.exe | Code function: 0_2_00806F30 mov eax, dword ptr fs:[00000030h] 0_2_00806F30
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
Source: sVNHE4jjOw.exe, 00000000.00000002.748249870.0000000000EA0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation | Path Interception | Process Injection1 | Virtualization/Sandbox Evasion11 | Input Capture1 | Security Software Discovery41 | Remote Services | Input Capture1 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Process Injection1 | LSASS Memory | Virtualization/Sandbox Evasion11 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | Obfuscated Files or Information1 | Security Account Manager | Process Discovery1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | Binary Padding | NTDS | System Information Discovery31 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
sVNHE4jjOw.exe | 35% | Virustotal |
sVNHE4jjOw.exe | 24% | ReversingLabs | Win32.Trojan.AgentTesla

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:33.0.0 White Diamond
Analysis ID:449805
Start date:16.07.2021
Start time:11:40:22
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 7m 28s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:sVNHE4jjOw.exe
Cookbook file name:default.jbs
Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:30
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis Mode:default
Analysis stop reason:Timeout
Detection:MAL
Classification:mal64.evad.winEXE@1/0@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 53%
  • Number of executed functions: 6
  • Number of non-executed functions: 24
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
  • Override analysis time to 240s for sample files taking high CPU consumption
Warnings:
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Not all processes were analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General

File type:PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):4.800085383449222
TrID:
  • Win32 Executable (generic) a (10002005/4) 99.15%
  • Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81%
  • Generic Win/DOS Executable (2004/3) 0.02%
  • DOS Executable Generic (2002/1) 0.02%
  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:sVNHE4jjOw.exe
File size:267408
MD5:72fe87cb4fd41cf172a9caecbdc6887f
SHA1:2c8c745378f4a80e96dbabf574d1ac2d6408df69
SHA256:6d26df7a7163053aa756f62ee4504af93020696cee98a1fc891c600ac76acc1c
SHA512:6fa975b8ba69692b6eb278f4145d13fea8d3c64c33d7f9267172f1718f4a4a1f0852cc65f4b16691d152afe9035f038c4c203deecf85e56ecf451448f8a6f60a
SSDEEP:1536:35/ikBkzm219ZmFtg5sfrWrNjosvNmmCUibm84t3TxY/n:35/pkdPAw0iNVvNnbVZxY/
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........y.....................................Rich............PE..L..... L.................`..........p........p....@................

File Icon

Icon Hash:e8ccce8e8ececce8

Static PE Info

General

Entrypoint:0x401470
Entrypoint Section:.text
Digitally signed:true
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:0x4C20BCC1 [Tue Jun 22 13:38:09 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:a6a8fddf213e725d12277ffa52409c50

Authenticode Signature

Signature Valid:false
Signature Issuer:E=Unstaunch1@Strygeork.GUN, CN=ryper, OU=Nonpropa4, O=Twisti8, L=Efterspil4, S=FORDUMM, C=AD
Signature Validation Error:A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:-2146762487
Not Before, Not After
  • 7/15/2021 2:48:16 PM 7/15/2022 2:48:16 PM
Subject Chain
  • E=Unstaunch1@Strygeork.GUN, CN=ryper, OU=Nonpropa4, O=Twisti8, L=Efterspil4, S=FORDUMM, C=AD
Version:3
Thumbprint MD5:74A7224C73056759B33CA9EB4F1649A0
Thumbprint SHA-1:C9DACC639E15797636E4B8185A4E5522E877B0B9
Thumbprint SHA-256:CEEC9E9D00E6C96EE6ECF708C8F2812C2BC31DADAF84E625E66CEA556F34ABA7
Serial:00

Entrypoint Preview


Data Directories

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x36684 | 0x28 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x38000 | 0x7a8a | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x40050 | 0x1440 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x1120 | 0x1c | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x228 | 0x20 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x1000 | 0x118 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Sections

Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x35bb0 | 0x36000 | False | 0.257260923032 | data | 4.74248188384 | IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data | 0x37000 | 0xbd4 | 0x1000 | False | 0.00634765625 | data | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc | 0x38000 | 0x7a8a | 0x8000 | False | 0.294769287109 | data | 4.40772584771 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name | RVA | Size | Type | Language | Country
RT_ICON | 0x3f422 | 0x668 | data | |
RT_ICON | 0x3f13a | 0x2e8 | dBase IV DBT of @.DBF, block length 512, next free block index 40, next free block 998965248, next used block 48059 | |
RT_ICON | 0x3ef52 | 0x1e8 | data | |
RT_ICON | 0x3ee2a | 0x128 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x3df82 | 0xea8 | data | |
RT_ICON | 0x3d6da | 0x8a8 | dBase IV DBT of @.DBF, block length 1024, next free block index 40, next free block 0, next used block 0 | |
RT_ICON | 0x3d012 | 0x6c8 | data | |
RT_ICON | 0x3caaa | 0x568 | GLS_BINARY_LSB_FIRST | |
RT_ICON | 0x3a502 | 0x25a8 | data | |
RT_ICON | 0x3945a | 0x10a8 | data | |
RT_ICON | 0x38ad2 | 0x988 | data | |
RT_ICON | 0x3866a | 0x468 | GLS_BINARY_LSB_FIRST | |
RT_GROUP_ICON | 0x385bc | 0xae | data | |
RT_VERSION | 0x38300 | 0x2bc | data | Swahili | Kenya
RT_VERSION | 0x38300 | 0x2bc | data | Swahili | Mozambiq

Imports

DLL | Import
MSVBVM60.DLL | _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryVar, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaAryCopy, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description | Data
Translation | 0x0441 0x04b0
LegalCopyright | ON24
InternalName | Dragt1
FileVersion | 7.00
CompanyName | ON24
LegalTrademarks | ON24
Comments | ON24
ProductName | ON24
ProductVersion | 7.00
FileDescription | ON24
OriginalFilename | Dragt1.exe

Possible Origin

Language of compilation system | Country where language is spoken
Swahili | Kenya
Swahili | Mozambiq

Network Behavior

No network behavior found

Code Manipulations

System Behavior

General

Start time:11:41:12
Start date:16/07/2021
Path:C:\Users\user\Desktop\sVNHE4jjOw.exe
Wow64 process (32bit):true
Commandline:'C:\Users\user\Desktop\sVNHE4jjOw.exe'
Imagebase:0x400000
File size:267408 bytes
MD5 hash:72FE87CB4FD41CF172A9CAECBDC6887F
Has elevated privileges:true
Has administrator privileges:true
Programmed in:Visual Basic
Reputation:low

Disassembly

Code Analysis


    Executed Functions

    APIs
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: #100
    • String ID: VB5!6%*
    • API String ID: 1341478452-4246263594
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtAllocateVirtualMemory.NTDLL(44FC89A7), ref: 008057C2
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtAllocateVirtualMemory.NTDLL(44FC89A7), ref: 008057C2
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • NtAllocateVirtualMemory.NTDLL(44FC89A7), ref: 008057C2
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID:
    • API String ID: 2167126740-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004339B0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004339CB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F68,00000138), ref: 004339ED
    • __vbaFreeObj.MSVBVM60(00000000,00000000,00432F68,00000138), ref: 004339F8
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433A10
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433A2B
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00432F78,000001C8), ref: 00433A79
    • __vbaFreeObj.MSVBVM60(00000000,?,00432F78,000001C8), ref: 00433A84
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433A9C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433AB7
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F88,00000098), ref: 00433AE1
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433B00
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433B1B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F88,00000130), ref: 00433B40
    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00433B56
    • __vbaStrVarMove.MSVBVM60(00000000), ref: 00433B5F
    • __vbaStrMove.MSVBVM60(00000000), ref: 00433B6C
    • __vbaFreeStr.MSVBVM60 ref: 00433B9F
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00433BBB
    • __vbaFreeVar.MSVBVM60 ref: 00433BC9
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433BE1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433BFC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F88,00000130), ref: 00433C21
    • __vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00433C37
    • __vbaStrVarMove.MSVBVM60(?), ref: 00433C46
    • __vbaStrMove.MSVBVM60(?), ref: 00433C53
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 00433C8B
    • __vbaFreeStr.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 00433C9D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00433CB2
    • __vbaFreeVar.MSVBVM60(00401198,00432A0C,00000710), ref: 00433CC0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000708), ref: 00433CE1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000714), ref: 00433D29
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000718), ref: 00433D43
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433D5B
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433D76
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F68,000000A8), ref: 00433D9F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 00433DF7
    • __vbaFreeObj.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 00433E02
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,0000070C), ref: 00433E23
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,000006FC), ref: 00433E44
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 00433E9A
    • __vbaStrCopy.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 00433EAA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 00433EDD
    • __vbaFreeStr.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 00433EE8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,0000071C), ref: 00433F1F
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433F37
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433F52
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FE0,00000058), ref: 00433F75
    • __vbaFreeObj.MSVBVM60 ref: 00433FA7
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00433FBF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00433FDA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001D0), ref: 00434003
    • __vbaFreeObj.MSVBVM60 ref: 0043402E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000708), ref: 0043404F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000700), ref: 00434069
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,000006F8), ref: 00434098
    • __vbaStrCopy.MSVBVM60(00000000,00401198,00432A0C,000006F8), ref: 004340A8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 004340DB
    • __vbaFreeStr.MSVBVM60(00000000,00401198,00432A0C,00000710), ref: 004340E6
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004340FE
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434119
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F68,000000F0), ref: 00434142
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 0043415A
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434175
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001D0), ref: 0043419E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000714), ref: 004341E9
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004341FE
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00434268
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434283
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000110), ref: 004342AC
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,0000071C), ref: 004342E4
    • __vbaFreeObj.MSVBVM60(00000000,00401198,00432A0C,0000071C), ref: 004342EF
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00434307
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434322
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000130), ref: 0043434B
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00434363
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043437E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000130), ref: 004343A7
    • __vbaStrMove.MSVBVM60(00000000,00000000,00432F78,00000130), ref: 004343BF
    • __vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 004343FB
    • __vbaFreeObjList.MSVBVM60(00000002,?,?,00000002,?,?), ref: 00434410
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000708), ref: 00434434
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 0043444C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434467
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,00000198), ref: 00434490
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004344A8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004344C3
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000190), ref: 004344EC
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00434504
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043451F
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000198), ref: 00434548
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000714), ref: 00434595
    • __vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004345B1
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000700), ref: 004345CE
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004345E6
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434601
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000190), ref: 0043462A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 00434682
    • __vbaFreeObj.MSVBVM60(00000000,00401198,00432A0C,00000704), ref: 0043468D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000700), ref: 004346A7
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004346BF
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004346DA
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,00000218), ref: 00434703
    • __vbaStrMove.MSVBVM60(00000000,00000000,00432FF0,00000218), ref: 0043471B
    • __vbaFreeStr.MSVBVM60 ref: 0043474C
    • __vbaFreeObj.MSVBVM60 ref: 00434757
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,0000071C), ref: 0043478E
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,00000718), ref: 004347A8
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004347C0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004347DB
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F88,00000180), ref: 00434804
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 0043481C
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00434837
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000000E0), ref: 00434860
    • __vbaHresultCheckObj.MSVBVM60(00000000,00401198,00432A0C,0000071C), ref: 00434899
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 004348AE
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckHresult$Free$New2$List$Move$CallCopyLate
    • String ID: Fejlstatistik8$HETEROINTOXICATION$enteromesenteric$pKbU$untransplanted$D
    • API String ID: 4096466292-1851894414
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.747675576.0000000000610000.00000020.00000001.sdmp, Offset: 00610000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Non-executed Functions

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID: #Tj1$)TN*$NJ$3$\*aO$cxX%$mSNg
    • API String ID: 0-2614204796
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID: #Tj1$NJ$3$O]9{$\*aO$cxX%$mSNg
    • API String ID: 2167126740-4196490922
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID: #Tj1$NJ$3$\*aO$cxX%$mSNg
    • API String ID: 2167126740-1921171324
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID: ZR
    • API String ID: 0-3287778290
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID: O]9{
    • API String ID: 0-1325666202
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID: O]9{
    • API String ID: 0-1325666202
    Uniqueness

    Uniqueness Score: -1.00%

    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID: AllocateMemoryVirtual
    • String ID: Uox
    • API String ID: 2167126740-744209107
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    Memory Dump Source
    • Source File: 00000000.00000002.747969290.0000000000800000.00000040.00000001.sdmp, Offset: 00800000, based on PE: false
    Similarity
    • API ID:
    • String ID:
    • API String ID:
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCat.MSVBVM60(00433194,0043318C,?,000000FF,00000000), ref: 004356EB
    • __vbaStrMove.MSVBVM60(00433194,0043318C,?,000000FF,00000000), ref: 004356F5
    • #711.MSVBVM60(?,00000000,00433194,0043318C,?,000000FF,00000000), ref: 004356FF
    • __vbaAryVar.MSVBVM60(00002008,?,?,00000000,00433194,0043318C,?,000000FF,00000000), ref: 0043570D
    • __vbaAryCopy.MSVBVM60(?,?,00002008,?,?,00000000,00433194,0043318C,?,000000FF,00000000), ref: 0043571D
    • __vbaFreeStr.MSVBVM60(?,?,00002008,?,?,00000000,00433194,0043318C,?,000000FF,00000000), ref: 00435725
    • __vbaFreeVarList.MSVBVM60(00000002,0000000A,?,?,?,00002008,?,?,00000000,00433194,0043318C,?,000000FF,00000000), ref: 00435734
    • __vbaStrCmp.MSVBVM60(0043318C,?), ref: 0043574D
    • __vbaNew2.MSVBVM60(00431C24,00437010,0043318C,?), ref: 00435769
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435781
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,00000048), ref: 004357A1
    • #531.MSVBVM60(?), ref: 004357A9
    • __vbaFreeStr.MSVBVM60(?), ref: 004357B1
    • __vbaFreeObj.MSVBVM60(?), ref: 004357B9
    • __vbaNew2.MSVBVM60(00431C24,00437010,0043318C,?), ref: 004357D1
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004357E9
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001A0), ref: 0043580F
    • __vbaFreeObj.MSVBVM60(00000000,00000000,00432FF0,000001A0), ref: 0043581D
    • __vbaAryDestruct.MSVBVM60(00000000,?,00435858), ref: 00435852
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$Free$CheckHresultNew2$#531#711CopyDestructListMove
    • String ID:
    • API String ID: 1202614378-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCat.MSVBVM60(00433238,00433230,00000001,?), ref: 004363E6
    • __vbaStrMove.MSVBVM60(00433238,00433230,00000001,?), ref: 004363F0
    • __vbaStrCat.MSVBVM60(00433244,00000000,00433238,00433230,00000001,?), ref: 004363FB
    • __vbaStrMove.MSVBVM60(00433244,00000000,00433238,00433230,00000001,?), ref: 00436405
    • #628.MSVBVM60(00000000,00433244,00000000,00433238,00433230,00000001,?), ref: 0043640B
    • __vbaStrMove.MSVBVM60(00000000,00433244,00000000,00433238,00433230,00000001,?), ref: 00436415
    • __vbaStrCmp.MSVBVM60(00433230,00000000,00000000,00433244,00000000,00433238,00433230,00000001,?), ref: 0043641C
    • __vbaFreeStrList.MSVBVM60(00000003,?,?,?,00433230,00000000,00000000,00433244,00000000,00433238,00433230,00000001,?), ref: 00436439
    • __vbaFreeVar.MSVBVM60(?), ref: 00436444
    • __vbaNew2.MSVBVM60(00431C24,00437010,?), ref: 00436465
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 0043647D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F68,00000100), ref: 004364A3
    • __vbaFpI4.MSVBVM60(?,?,?,00000000,00000000,00432F68,00000100), ref: 004364D4
    • __vbaHresultCheckObj.MSVBVM60(00000000,004012B0,004329DC,000002C0,?,?,?,00000000), ref: 00436513
    • __vbaFreeObj.MSVBVM60(?,?,?,00000000), ref: 0043651B
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$FreeMove$CheckHresult$#628ListNew2
    • String ID:
    • API String ID: 2062027099-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • #589.MSVBVM60(00000001,?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 004362AA
    • __vbaNew2.MSVBVM60(004330CC,0043746C,00000001), ref: 004362C8
    • __vbaHresultCheckObj.MSVBVM60(00000000,0079E8B4,004330BC,0000004C), ref: 004362EC
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,004330DC,00000024), ref: 00436319
    • __vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 00436327
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004012D6), ref: 0043632F
    • __vbaFreeStr.MSVBVM60(0043635C,00000001), ref: 00436356
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresult$#589MoveNew2
    • String ID: 3+$Gennemlyste$Trespassory7
    • API String ID: 1767156754-2597507220
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(004330CC,0043746C), ref: 00435B3B
    • __vbaHresultCheckObj.MSVBVM60(00000000,0079E8B4,004330BC,00000014), ref: 00435B5F
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00433198,00000058), ref: 00435B82
    • __vbaStrMove.MSVBVM60 ref: 00435B90
    • __vbaFreeObj.MSVBVM60 ref: 00435B98
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00435BB0
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435BC8
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0043307C,00000058), ref: 00435BE8
    • __vbaFreeObj.MSVBVM60 ref: 00435BF6
    • __vbaFreeStr.MSVBVM60(00435C1D), ref: 00435C17
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresult$New2$Move
    • String ID:
    • API String ID: 2227187868-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(004330CC,0043746C), ref: 004365BC
    • __vbaHresultCheckObj.MSVBVM60(00000000,0079E8B4,004330BC,00000014), ref: 004365E0
    • __vbaHresultCheckObj.MSVBVM60(00000000,?,00433198,00000050), ref: 00436603
    • __vbaStrCmp.MSVBVM60(00000000,?), ref: 0043660C
    • __vbaFreeStr.MSVBVM60(00000000,?), ref: 0043661D
    • __vbaFreeObj.MSVBVM60(00000000,?), ref: 00436625
    • __vbaFileOpen.MSVBVM60(00000020,000000FF,000000CC,gladeligt,00000000,?), ref: 0043663D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresult$FileNew2Open
    • String ID: gladeligt
    • API String ID: 1550884760-4246425414
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 004358C8
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 004358E0
    • __vbaNew2.MSVBVM60(00431C24,00437010,?,00000000), ref: 00435908
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435920
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000000A8), ref: 00435946
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001EC), ref: 00435975
    • __vbaFreeStr.MSVBVM60 ref: 0043597D
    • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0043598C
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2$List
    • String ID:
    • API String ID: 2509323985-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaR8Str.MSVBVM60(004331C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E0B
    • __vbaFPFix.MSVBVM60(004331C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E10
    • __vbaNew2.MSVBVM60(00431C24,00437010,004331C0,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E33
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E4B
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F88,00000120,?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E71
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00435E7F
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaStrCopy.MSVBVM60 ref: 0043602A
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00436042
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 0043605A
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FE0,0000022C), ref: 0043607C
    • __vbaFreeObj.MSVBVM60 ref: 00436084
    • __vbaFreeStr.MSVBVM60(004360A2), ref: 0043609C
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$Free$CheckCopyHresultNew2
    • String ID:
    • API String ID: 4138333463-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00435D3C
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435D54
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001EC), ref: 00435D95
    • __vbaFreeObj.MSVBVM60 ref: 00435D9D
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID: BNHRER
    • API String ID: 1645334062-761458040
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00435EFA
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435F12
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432FF0,000001EC), ref: 00435F53
    • __vbaFreeObj.MSVBVM60 ref: 00435F5B
    Strings
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID: Polyodontidae9
    • API String ID: 1645334062-980055670
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaLenBstrB.MSVBVM60(004331EC,?,?,?,?,?,?,?,?,?,004012D6), ref: 004361CD
    • __vbaNew2.MSVBVM60(004330CC,0043746C,004331EC,?,?,?,?,?,?,?,?,?,004012D6), ref: 004361E9
    • __vbaObjSetAddref.MSVBVM60(?,00401260,004331EC,?,?,?,?,?,?,?,?,?,004012D6), ref: 004361FE
    • __vbaHresultCheckObj.MSVBVM60(00000000,0079E8B4,004330BC,00000010,?,?,?,?,?,?,?,?,?,004012D6), ref: 0043621A
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,004012D6), ref: 00436222
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$AddrefBstrCheckFreeHresultNew2
    • String ID:
    • API String ID: 2151688750-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00435A24
    • __vbaObjSet.MSVBVM60(?,00000000), ref: 00435A3C
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,000001CC), ref: 00435AA6
    • __vbaFreeObj.MSVBVM60 ref: 00435AAE
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010,?,?,?,?,?,?,?,?,004012D6), ref: 00436105
    • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,004012D6), ref: 0043611D
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,000001C0,?,?,?,?,?,?,?,?,004012D6), ref: 0043613F
    • __vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,004012D6), ref: 00436147
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    Uniqueness

    Uniqueness Score: -1.00%

    APIs
    • __vbaNew2.MSVBVM60(00431C24,00437010), ref: 00435C88
    • __vbaObjSet.MSVBVM60(00000000,00000000), ref: 00435CA0
    • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,00432F78,000001D4), ref: 00435CC2
    • __vbaFreeObj.MSVBVM60 ref: 00435CCA
    Memory Dump Source
    • Source File: 00000000.00000002.747240520.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
    • Associated: 00000000.00000002.747221292.0000000000400000.00000002.00020000.sdmp
    • Associated: 00000000.00000002.747296164.0000000000437000.00000004.00020000.sdmp
    • Associated: 00000000.00000002.747307091.0000000000438000.00000002.00020000.sdmp
    Similarity
    • API ID: __vba$CheckFreeHresultNew2
    • String ID:
    • API String ID: 1645334062-0
    Uniqueness

    Uniqueness Score: -1.00%