Play interactive tour

Edit tour

Windows Analysis Report justificante de la transfer.exe

Overview

General Information

Sample Name:	justificante de la transfer.exe
Analysis ID:	526293
MD5:	e565201ac69a8a2fa7ee22e0809f7b3c
SHA1:	fed196aeff9aca57c198b0b99a9c9bc6e01d31b9
SHA256:	b6fad861abae70b69d7f0ef4e51756b181149e165ada09aee47e3d2bd5f9a0c6
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Found potential dummy code loops (likely to delay analysis)

Uses 32bit PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

Contains functionality to call native functions

Program does not show much activity (idle)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Classification

Process Tree

System is w10x64

justificante de la transfer.exe (PID: 6224 cmdline: "C:\Users\user\Desktop\justificante de la transfer.exe" MD5: E565201AC69A8A2FA7EE22E0809F7B3C)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?exporto"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?exporto"}

Source: justificante de la transfer.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?exporto

Source: justificante de la transfer.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: justificante de la transfer.exe, 00000000.00000000.345440290.0000000000445000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe
Source: justificante de la transfer.exe	Binary or memory string: OriginalFilenameCappuccino.exe vs justificante de la transfer.exe

Source: justificante de la transfer.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: justificante de la transfer.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228BB0F	0_2_0228BB0F
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228776F	0_2_0228776F
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285A00	0_2_02285A00
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02287814	0_2_02287814
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02280463	0_2_02280463
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285E50	0_2_02285E50
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02286051	0_2_02286051
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285854	0_2_02285854
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228628D	0_2_0228628D
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285CEC	0_2_02285CEC
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022870C5	0_2_022870C5
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022870C7	0_2_022870C7
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285AD9	0_2_02285AD9
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022856D3	0_2_022856D3
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285F26	0_2_02285F26
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228AB72	0_2_0228AB72
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02286149	0_2_02286149
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022863AA	0_2_022863AA
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285989	0_2_02285989
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228059C	0_2_0228059C
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228579C	0_2_0228579C
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228779F	0_2_0228779F
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02285BE5	0_2_02285BE5
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228A9F1	0_2_0228A9F1
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02289BC7	0_2_02289BC7

Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228776F NtAllocateVirtualMemory,	0_2_0228776F
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02287814 NtAllocateVirtualMemory,	0_2_02287814
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022878F8 NtAllocateVirtualMemory,	0_2_022878F8
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228779F NtAllocateVirtualMemory,	0_2_0228779F

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Process Stats: CPU usage > 98%

Source: justificante de la transfer.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\justificante de la transfer.exe

File created: C:\Users\user\AppData\Local\Temp\~DFEB935E0BE46A145A.TMP

Jump to behavior

Source: classification engine

Classification label: mal64.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_00406467 push esi; iretd	0_2_00406468
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_00404E11 push eax; ret	0_2_00404E19
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_00403CFC push cs; retf	0_2_00403D26
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_004045D2 push cs; iretd	0_2_004045ED
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_00404B97 push eax; retf	0_2_00404B99
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_00404DB7 push cs; retf	0_2_00404DBB
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02287E7E push esi; retf	0_2_02287E86
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022806B9 push eax; iretd	0_2_022806D8
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02282CEB push es; ret	0_2_02282CF0
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022820E0 push edi; ret	0_2_02282106
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02280FDB push 83025563h; ret	0_2_02280FF1
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_022835DB push eax; ret	0_2_022835DC

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: C:\Users\user\Desktop\justificante de la transfer.exe	Window / User API: threadDelayed 6236			Jump to behavior
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Window / User API: threadDelayed 3764			Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Code function: 0_2_0228707C rdtsc

0_2_0228707C

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02286EA3 mov eax, dword ptr fs:[00000030h]	0_2_02286EA3
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_02289E9A mov eax, dword ptr fs:[00000030h]	0_2_02289E9A
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228AB72 mov eax, dword ptr fs:[00000030h]	0_2_0228AB72
Source: C:\Users\user\Desktop\justificante de la transfer.exe	Code function: 0_2_0228994C mov eax, dword ptr fs:[00000030h]	0_2_0228994C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Code function: 0_2_0228707C rdtsc

0_2_0228707C

Source: C:\Users\user\Desktop\justificante de la transfer.exe

Code function: 0_2_0228BB0F RtlAddVectoredExceptionHandler,

0_2_0228BB0F

Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: &Program Manager
Source: justificante de la transfer.exe, 00000000.00000002.870177230.0000000000C50000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	System Information Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526293
Start date:	22.11.2021
Start time:	13:42:12
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	justificante de la transfer.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	16
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 29.8% (good quality ratio 16.4%) Quality average: 30.6% Quality standard deviation: 31.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, WMIADAP.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFEB935E0BE46A145A.TMP Download File
Process:	C:\Users\user\Desktop\justificante de la transfer.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.351590352286438
Encrypted:	false
SSDEEP:	48:rSTIhbzrJeuFpbB5KivFyAEcSRRfPD9PPba:7bzrJFFVB5KityAEcSLL9La
MD5:	D3984E0D0AAA56BBDF17314D4CFF0945
SHA1:	C0C7838BB49133CAD3B9DD5DE562DDE05463D379
SHA-256:	2EE69010A71F26BFCFB8DDA0379733605F5A7EE0C91ABB012F766E32C3D94D24
SHA-512:	C81FA9FCCAB4DD2984E1BD27C76D253EB667115A65475FAD5A7D2EBB726376BB048E4795EB2F79FEF386B06547EF976D762899CA1EAB0026656254E3A5062944
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.187050367832804
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	justificante de la transfer.exe
File size:	286720
MD5:	e565201ac69a8a2fa7ee22e0809f7b3c
SHA1:	fed196aeff9aca57c198b0b99a9c9bc6e01d31b9
SHA256:	b6fad861abae70b69d7f0ef4e51756b181149e165ada09aee47e3d2bd5f9a0c6
SHA512:	b40afaa6d2f831ef3ec0f8170cc0fa2d8cb8be978861613f0f1149451ad06c4e75e6cb9341ce7ee2173f0bff87c92d1eab6cc0b0584c03174860cc47825d6e24
SSDEEP:	3072:KUDFBR3qusY6Ric7RnqRNiY61rsS1IHK2looQkoW2nLEHHDSG:H5B1R6Riyci4GUFf2noH
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L.....OS.................0... ...............@....@

File Icon


Icon Hash:	f89ea9acb4b0b092

Static PE Info

General
Entrypoint:	0x4013fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x534FFE1F [Thu Apr 17 16:15:27 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d7d4adb5e5d083da305ede89b87ddf22

Entrypoint Preview

Instruction
push 004152B8h
call 00007F568C7C40D5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov edi, 242E4449h
pop ss
cmp al, 46h
xchg eax, ebx
rol ch, cl
movsb
mov eax, dword ptr [00402E03h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add dl, al
or dword ptr [edi+00h], ecx
add byte ptr [eax+72617073h], al
add byte ptr [ebp+64h], ah
imul eax, dword ptr [eax], FF000000h
int3
xor dword ptr [eax], eax
cmp byte ptr [edi+6C4C0488h], ah
and ah, byte ptr [ebx]
inc esp
mov edx, 7AA65DE5h
jnle 00007F568C7C4085h
mov esi, dword ptr [edi]
cmp dh, byte ptr [ebp+395CD42Bh]
dec ebp
sbb dword ptr [ebx], 5Ch
push 00000049h
outsd
mov eax, AD4F3A62h
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
sar byte ptr [ebx], cl
add dword ptr [eax], eax
inc ebx
or al, byte ptr [eax]
add byte ptr [eax], al
or byte ptr [eax], al
inc edi
dec edi
dec esi
dec edi
inc ebx
pop ecx
push esp
inc ebp
add byte ptr [48000501h], cl
dec ecx
push edx
inc ebp
dec esi
add byte ptr [ecx], bl
add dword ptr [eax], eax
inc edx
add byte ptr [edx], ah
add esp, dword ptr [ebx]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x42ca4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x45000	0xdbe	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x14c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x42204	0x43000	False	0.333820399953	data	6.29830429337	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x44000	0xd78	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x45000	0xdbe	0x1000	False	0.4873046875	data	4.27786524894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x45d92	0x2c	ASCII text, with CRLF line terminators	English	United States
RT_ICON	0x4582a	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x453c2	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x453a0	0x22	data
RT_VERSION	0x45170	0x230	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaAryConstruct2, __vbaI2I4, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, __vbaUI1I2, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaInStrVar, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, __vbaDerefAry1, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Cappuccino
FileVersion	4.00
CompanyName	Fastly
ProductName	medicinalfirmaerne
ProductVersion	4.00
OriginalFilename	Cappuccino.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: justificante de la transfer.exe PID: 6224 Parent PID: 3628

General

Start time:	13:43:11
Start date:	22/11/2021
Path:	C:\Users\user\Desktop\justificante de la transfer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\justificante de la transfer.exe"
Imagebase:	0x400000
File size:	286720 bytes
MD5 hash:	E565201AC69A8A2FA7EE22E0809F7B3C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: justificante de la transfer.exe PID: 6224 Parent PID: 3628 justificante de la transfer.exeCOMMON

Executed Functions

Function 0228BB0F, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 101496dd1d67276d80b754cc2b503798bdbb2f63b92ae31a8743a98b37abc197
Instruction ID: d96451304b5d589fda778db822245f5a1d87415e039b37fdad05e118dac1379d
Opcode Fuzzy Hash: 101496dd1d67276d80b754cc2b503798bdbb2f63b92ae31a8743a98b37abc197
Instruction Fuzzy Hash: E4711571526685CFDF78EEA88D553EA77A2AF85314F51412FCC0ACB298DB31CA85CB01

Uniqueness

Uniqueness Score: -1.00%

Function 0228776F, Relevance: 1.6, APIs: 1, Instructions: 116memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(23093284,00000004), ref: 02287989

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 06116b3363920a658ac62c4cd75ecf2c7a9047345135d7031faba9fc037b5cf3
Instruction ID: 745b1c070f4ea055d0f4a31d901529356127810cae91a9e74e86f450d9bc473d
Opcode Fuzzy Hash: 06116b3363920a658ac62c4cd75ecf2c7a9047345135d7031faba9fc037b5cf3
Instruction Fuzzy Hash: C641E175515388DFCB78AF74DC957EA7BA2AF0A340F40412DDD8E5B2A1D7708A84CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0228779F, Relevance: 1.6, APIs: 1, Instructions: 106memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(23093284,00000004), ref: 02287989

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 586148c2ef55418524c3cbf2566ecd9d1df9dd9d41a4d90232c413e0f6dc815c
Instruction ID: 7db146156b518c3657dbda9714abc60428cfdfab658f02e969e82c07bf878c6e
Opcode Fuzzy Hash: 586148c2ef55418524c3cbf2566ecd9d1df9dd9d41a4d90232c413e0f6dc815c
Instruction Fuzzy Hash: EF41CE74605388DFDB78AF74DC917EA77A2AF09300F80411DDD8E5B291C7714A84CB02

Uniqueness

Uniqueness Score: -1.00%

Function 02287814, Relevance: 1.6, APIs: 1, Instructions: 96memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(23093284,00000004), ref: 02287989

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9ba94e64a9e66fdd0254ca6c51a5b931f30f5270feb42168c16cf540bf9848e0
Instruction ID: 8f8b50a8f17b9122e47b7e18d5ef2fbfa71afd19639b359fdd68c227930212e7
Opcode Fuzzy Hash: 9ba94e64a9e66fdd0254ca6c51a5b931f30f5270feb42168c16cf540bf9848e0
Instruction Fuzzy Hash: E931A174615389DFDB78AF74DC917EA7BA2AF09340F40411DDD8D5B295CB318A84CB06

Uniqueness

Uniqueness Score: -1.00%

Function 022878F8, Relevance: 1.6, APIs: 1, Instructions: 87memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL(23093284,00000004), ref: 02287989

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 9aeee88db52804428ce2678951d0ccb55485e962f1eee02c4a970dc343a0b161
Instruction ID: e09789ced9940db0d10de757708d6982a0887361e6960687a8b913e45932998d
Opcode Fuzzy Hash: 9aeee88db52804428ce2678951d0ccb55485e962f1eee02c4a970dc343a0b161
Instruction Fuzzy Hash: D421043112A2C55BEB22CA205C656F77FC1EF4E320F440259EC898F583EA31125ADBC8

Uniqueness

Uniqueness Score: -1.00%

Function 004013FC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189
COMMON

Download Yara Rule

C-Code - Quality: 80%

			_entry_() {
				signed int _t32;
				signed int* _t34;
				signed char _t35;
				signed char _t36;
				signed char _t39;
				signed char _t40;
				intOrPtr* _t41;
				signed int _t43;
				signed char _t49;
				void* _t50;
				intOrPtr* _t51;
				signed int _t63;
				void* _t64;
				void* _t67;
				void* _t68;
				void* _t69;

				L004013F6(); // executed
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 ^ _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				 *_t32 =  *_t32 + _t32;
				ss = 0x4152b8;
				_t43 = _t32;
				asm("rol ch, cl");
				asm("movsb");
				_t34 =  *0x402e03; // 0xc84e00c8
				 *_t34 = _t34 +  *_t34;
				 *_t34 = _t34 +  *_t34;
				 *_t49 =  *_t49 + _t34;
				 *_t34 = _t34 +  *_t34;
				 *0x242e4449 =  *0x242e4449 | _t49;
				_t34[0x1c985c1c] = _t34 + _t34[0x1c985c1c];
				 *((intOrPtr*)(_t64 + 0x64)) =  *((intOrPtr*)(_t64 + 0x64)) + _t34;
				_t35 =  *_t34 * 0xff000000;
				asm("int3");
				 *_t35 =  *_t35 ^ _t35;
				_t36 = _t35 &  *_t43;
				_t69 = _t68 + 1;
				if(_t36 <= 0) {
					asm("sbb dword [ebx], 0x5c");
					asm("outsd");
					asm("stosb");
					 *0xFFFFFFFFAD4F3A35 =  *((intOrPtr*)(0xffffffffad4f3a35)) + 0xad4f3a62;
					_t39 = _t43 ^  *(_t49 - 0x48ee309a);
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *_t39 =  *_t39 + _t39;
					 *0xad4f3a62 =  *0xad4f3a62 >> _t49;
					 *_t39 =  *_t39 + _t39;
					_t40 = _t39 |  *_t39;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 | _t40;
					_t50 = 0x49;
					_push(_t69);
					 *0x48000501 =  *0x48000501 + _t50;
					_t51 = _t50 - 1;
					_push(0x7aa65de5);
					_t67 = _t64 - 1 + 2;
					_t63 =  *0x242e4449;
					 *_t51 =  *_t51 + 0xffffffffad4f3a64;
					 *_t40 =  *_t40 + _t40;
					 *0x7aa65de5 =  *0x7aa65de5 + _t40;
					 *_t51 =  *_t51 - 1;
					 *_t40 =  *_t40 + _t40;
					asm("insb");
					if ( *_t40 == 0) goto L3;
					 *_t40 =  *_t40 | _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t51 =  *_t51 + _t40;
					 *0x7aa65de5 =  *0x7aa65de5 + _t40;
					 *_t40 =  *_t40 + 0xf54cbbcc;
					asm("adc [eax], al");
					 *_t51 =  *_t51 + _t40;
					 *_t40 =  *_t40 + _t51;
					 *((intOrPtr*)(_t40 + 5)) =  *((intOrPtr*)(_t40 + 5)) + _t51;
					 *_t40 =  *_t40 + _t40;
					 *[es:eax] =  *[es:eax] + _t40;
					 *_t40 =  *_t40 + 0xf54cbbcc;
					asm("adc [eax], al");
					 *_t51 =  *_t51 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *((intOrPtr*)(_t40 + 4)) =  *((intOrPtr*)(_t40 + 4)) + _t51;
					 *_t40 =  *_t40 + _t40;
					es =  *0x280000;
					 *_t40 =  *_t40 + _t40;
					asm("adc [eax], al");
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 & _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 | _t40;
					 *_t40 =  *_t40 + _t40;
					 *_t40 =  *_t40 + _t40;
					_t41 = _t40 + 1;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *_t41 =  *_t41 + _t41;
					 *((intOrPtr*)(_t67 + 0x648d003b)) =  *((intOrPtr*)(_t67 + 0x648d003b)) + _t51;
					asm("lodsb");
					 *(_t63 - 0x1d00ff73) =  *(_t63 - 0x1d00ff73) >> 0x8d;
					 *((intOrPtr*)(_t67 - 0xffca9c)) =  *((intOrPtr*)(_t67 - 0xffca9c)) + 0xf54cbbcc;
					asm("out 0x9d, al");
					 *((intOrPtr*)(_t63 + 0xf046bbdb)) =  *((intOrPtr*)(_t63 + 0xf046bbdb)) + _t41;
					asm("cli");
					asm("out dx, al");
					asm("stosd");
					 *0x5EA69648 =  *0xD94CF42F + _t51;
					asm("in al, 0xdb");
					asm("int 0x0");
					goto __edi;
				}
				 *((intOrPtr*)(_t36 - 0x48)) =  *((intOrPtr*)(_t36 - 0x48)) + _t49;
			}

0x00401401
0x00401406
0x00401408
0x0040140a
0x0040140c
0x0040140e
0x00401412
0x00401414
0x00401416
0x0040141d
0x00401420
0x00401421
0x00401423
0x00401424
0x00401429
0x0040142b
0x0040142d
0x0040142f
0x00401433
0x00401436
0x0040143c
0x0040143f
0x00401445
0x00401446
0x0040144e
0x00401450
0x00401456
0x00401461
0x00401466
0x00401474
0x00401475
0x00401478
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x00401497
0x00401499
0x0040149b
0x0040149d
0x0040149f
0x004014a2
0x004014a4
0x004014a6
0x004014ad
0x004014ae
0x004014b0
0x004014b6
0x004014b7
0x004014b8
0x004014b9
0x004014ba
0x004014bc
0x004014bf
0x004014c3
0x004014c5
0x004014c7
0x004014c8
0x004014cc
0x004014ce
0x004014d0
0x004014d2
0x004014d4
0x004014d6
0x004014d8
0x004014da
0x004014dc
0x004014df
0x004014e1
0x004014e4
0x004014e6
0x004014e8
0x004014ea
0x004014ec
0x004014ef
0x004014f1
0x004014f7
0x004014f9
0x004014fb
0x004014fd
0x004014ff
0x00401501
0x00401503
0x00401505
0x00401507
0x00401509
0x0040150a
0x0040150c
0x0040150e
0x00401510
0x00401512
0x00401514
0x00401516
0x00401518
0x0040151a
0x0040151c
0x0040151e
0x00401520
0x00401522
0x00401524
0x00401525
0x0040152d
0x00401534
0x0040153a
0x0040153c
0x00401543
0x00401546
0x00401547
0x00401548
0x0040154d
0x0040154f
0x00401551
0x00401551
0x004013fb

APIs

#100.MSVBVM60(004152B8), ref: 00401401

Strings

ID.$, xrefs: 00401418

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: ID.$
API String ID: 1341478452-2278490186
Opcode ID: 62704888449ad2e6ccae4c2d1de487ecbbd86283e778afc8b47cbece0b921617
Instruction ID: 53a369cfb81c2b1f01367d1b48c4f2c2bdd7e96e06fab5a3e660ccb736a351fe
Opcode Fuzzy Hash: 62704888449ad2e6ccae4c2d1de487ecbbd86283e778afc8b47cbece0b921617
Instruction Fuzzy Hash: 3E51FB6254E7C16FE3039B348C6A2913FB19E6322871E45EBC4C1CF0B3E1191C0AD766

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0228AB72, Relevance: 7.5, Strings: 5, Instructions: 1221COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: f7175c1d65a986d92402e5f3dce72ae5986427de07857a705668d2704822c1b9
Instruction ID: 8f59814ac47478b2b5d14c6553ab66b592b94340d4d19b16c35dc161838041a8
Opcode Fuzzy Hash: f7175c1d65a986d92402e5f3dce72ae5986427de07857a705668d2704822c1b9
Instruction Fuzzy Hash: 51B224716183898FCB35DF78CC987EABBA2BF55310F45816EDC899B299D3308641CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02285854, Relevance: 6.9, Strings: 5, Instructions: 624COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: 8d276f4f91e318d5829dd915f4638856cc0a5f4daa64bd3782eff0e09afac6c8
Instruction ID: ef3d2948960c8b6ffe3011c636e189051fe93f7cf7ff3757c15453138af8026d
Opcode Fuzzy Hash: 8d276f4f91e318d5829dd915f4638856cc0a5f4daa64bd3782eff0e09afac6c8
Instruction Fuzzy Hash: 3F42EAB16183899FCB749F65DC847EABBB2FF59300F45422EDC499B254D7309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 022856D3, Relevance: 6.9, Strings: 5, Instructions: 624COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: 8e945c17bdbf5cd8aceb2e23394af95a7f3fa8de9a2662bce9c93bfa42bf9d9a
Instruction ID: 222e06e552cdf991b40beabb0f5fb08f571908b5579f29a768ebc63dc3db1b0d
Opcode Fuzzy Hash: 8e945c17bdbf5cd8aceb2e23394af95a7f3fa8de9a2662bce9c93bfa42bf9d9a
Instruction Fuzzy Hash: 5152DAB16143899FCB789F65CD847EABBB2FF59300F41812EDD899B254D7309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 0228579C, Relevance: 6.9, Strings: 5, Instructions: 615COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: ab0c6065ad007da3b9f83a55843bda34b81a1fb6867218734d99e46eca3089cb
Instruction ID: 71606a0439a972d34a1782154db75d80a31e8cedd06075de6b0a4ec6cd6be6cf
Opcode Fuzzy Hash: ab0c6065ad007da3b9f83a55843bda34b81a1fb6867218734d99e46eca3089cb
Instruction Fuzzy Hash: CE52D9B16143899FCB789F65CD847EABBB2FF59300F41822EDD899B254D7309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02285989, Relevance: 6.8, Strings: 5, Instructions: 570COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: 027c0e78f679772ed98b671f223d3528413be958ed950cc642118ffa30db115f
Instruction ID: 29a7844d3d82115855c7b648953a361f103c8ff3f8535154e7b78461c908a59e
Opcode Fuzzy Hash: 027c0e78f679772ed98b671f223d3528413be958ed950cc642118ffa30db115f
Instruction Fuzzy Hash: 7132EAB26143899FCB78DF65DD857EABBB2FF59300F40812ADC499B254D7309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02285A00, Relevance: 6.8, Strings: 5, Instructions: 537COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: bad0b4f570be23f6b9aa05b02592a65986a414f5f9c6391134fc05800af3767b
Instruction ID: eb9e674579da61cc5af2c9c761e2204a077f108daea43024ab7c3e6445a60d9c
Opcode Fuzzy Hash: bad0b4f570be23f6b9aa05b02592a65986a414f5f9c6391134fc05800af3767b
Instruction Fuzzy Hash: 0A32E9B26143899FCB789F69DD847EABBB2FF58340F41812EDC499B254D7309A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02285AD9, Relevance: 6.8, Strings: 5, Instructions: 513COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: 954cb1822e34ac0b4f437e96db50e718c9e4d56a188b50d6fcb734de8efcf068
Instruction ID: bfb54a8f2a1cf78466ed6035f5b3540e943b0d67c7b5a8e402742ac9775efef3
Opcode Fuzzy Hash: 954cb1822e34ac0b4f437e96db50e718c9e4d56a188b50d6fcb734de8efcf068
Instruction Fuzzy Hash: 9B22FBB16143899FCB78DF65DD857EABBB2FF59300F40822ADC499B254D7309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02285BE5, Relevance: 6.7, Strings: 5, Instructions: 466COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
dB, xrefs: 02285C6E
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$dB$|{0$R9g
API String ID: 0-1983312253
Opcode ID: 4d3274d44072d3fb752b15d217885efb7f411af2ca987cd480d79aaf31bf2c97
Instruction ID: 23bc8235a0d73744962cd4c6d41d8b555bb0448d9ddef7e2666779ccaf5b0d67
Opcode Fuzzy Hash: 4d3274d44072d3fb752b15d217885efb7f411af2ca987cd480d79aaf31bf2c97
Instruction Fuzzy Hash: 6A12FAB26143899FCB78DF65DD857EA7BB2FF59300F40422AEC499B254D7309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02285CEC, Relevance: 5.4, Strings: 4, Instructions: 437COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$|{0$R9g
API String ID: 0-4131303168
Opcode ID: 856d63e1ef85bab09dca81ae53c247955f4bb8e1ac37eaada1e0d074a481f56a
Instruction ID: 1979aec1d7224c924d43a94ee3a6b6dbe384211067e501284faf843b2fb6a9ac
Opcode Fuzzy Hash: 856d63e1ef85bab09dca81ae53c247955f4bb8e1ac37eaada1e0d074a481f56a
Instruction Fuzzy Hash: D5020B726143899FCF79DE64DC957EA7BA2FF59340F40412EEC899B254D7308A81CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02285E50, Relevance: 5.4, Strings: 4, Instructions: 356COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$|{0$R9g
API String ID: 0-4131303168
Opcode ID: a20b1e9745021da5d8db2ef9273e3ac36edba00492aa8cdd7ceb70be50e744cc
Instruction ID: 1fb292c462d28e472c1507462f23e0f72354679615b8789450b064d7b0240747
Opcode Fuzzy Hash: a20b1e9745021da5d8db2ef9273e3ac36edba00492aa8cdd7ceb70be50e744cc
Instruction Fuzzy Hash: C6F1EBB26143899FCF789E64CD847EA3BB2FF59340F40402EED899B264D7309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02285F26, Relevance: 5.3, Strings: 4, Instructions: 348COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$|{0$R9g
API String ID: 0-4131303168
Opcode ID: 252f69c6dc253d850c7078ee8f3c8e94ff5faa4ed3c2502a6d6363f6fa2d3004
Instruction ID: 02ee264594877e2859e27bf55452a6cf0b3c006a5c6091371a0e86a7969b43ab
Opcode Fuzzy Hash: 252f69c6dc253d850c7078ee8f3c8e94ff5faa4ed3c2502a6d6363f6fa2d3004
Instruction Fuzzy Hash: ACE10C722143899FDF79DE64DC957EA7BA2FF59340F40402EEC898B254E7309A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02286051, Relevance: 5.3, Strings: 4, Instructions: 300COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$|{0$R9g
API String ID: 0-4131303168
Opcode ID: 24e3c5e1587c0d3119fa7a5e9f7cc07febba14bf04fd7317987198ef94d9fa42
Instruction ID: 511e762a685e7a802c1484a948da1a38ebb12f32297ec155984c420c767c54d2
Opcode Fuzzy Hash: 24e3c5e1587c0d3119fa7a5e9f7cc07febba14bf04fd7317987198ef94d9fa42
Instruction Fuzzy Hash: 78D10B726242898FDF79DE64DC957EA3BA2FF59340F40402AED498B254E7309A85CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02286149, Relevance: 5.3, Strings: 4, Instructions: 260COMMON

Download Yara Rule

Strings

X\e,, xrefs: 02286664
R9g, xrefs: 02286472
3(\;, xrefs: 022861FF
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 3(\;$X\e,$|{0$R9g
API String ID: 0-4131303168
Opcode ID: a7f7aea970910fce6ef22cb0c6455c493d29621acf71d1d9c1b20c64bba8ed8f
Instruction ID: 5a92caf871d152d1d191f29b40ab7c4ef68a945fa2666a81c8f9356f7e7205d4
Opcode Fuzzy Hash: a7f7aea970910fce6ef22cb0c6455c493d29621acf71d1d9c1b20c64bba8ed8f
Instruction Fuzzy Hash: 0BB11B726242898FDF79DF64DC957EA7BA2FF18340F40002EED499B254E7309A81CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0228628D, Relevance: 4.0, Strings: 3, Instructions: 212COMMON

Download Yara Rule

Strings

R9g, xrefs: 02286472
X\e,, xrefs: 02286664
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: X\e,$|{0$R9g
API String ID: 0-679545427
Opcode ID: a83d0f11cd2fd5a4223911fefb6cc4c07de440bcdd8db69a5ccb8b78ebd55bc6
Instruction ID: d7e136bf3e38dec01fd30a7b3aefbf541808f10c281f65663d682735c07538a1
Opcode Fuzzy Hash: a83d0f11cd2fd5a4223911fefb6cc4c07de440bcdd8db69a5ccb8b78ebd55bc6
Instruction Fuzzy Hash: 8791FB712243888FDF39DE60DD857EA7BA2FF59340F80012DED888B255D7305A86CB84

Uniqueness

Uniqueness Score: -1.00%

Function 022863AA, Relevance: 3.9, Strings: 3, Instructions: 163COMMON

Download Yara Rule

Strings

R9g, xrefs: 02286472
X\e,, xrefs: 02286664
|{0, xrefs: 0228640D

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: X\e,$|{0$R9g
API String ID: 0-679545427
Opcode ID: 106e52b069da48d815c5e10e65b6d99e05a1cdd23e3d64dc98fa2c05b91356ea
Instruction ID: 4f28283cf8c6c9bcc7781ca8a80e0842fbee59f7ca482f1bc7861ddfa64b33c0
Opcode Fuzzy Hash: 106e52b069da48d815c5e10e65b6d99e05a1cdd23e3d64dc98fa2c05b91356ea
Instruction Fuzzy Hash: 1761ECB12152889FDF3ADF60DD847EA3BA2FF59340F800129ED4C9B255D7319A96CB84

Uniqueness

Uniqueness Score: -1.00%

Function 022870C7, Relevance: 2.6, Strings: 2, Instructions: 97COMMON

Download Yara Rule

Strings

`, xrefs: 02287224
@ , xrefs: 022871FC

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `$@
API String ID: 0-2424134981
Opcode ID: f0d2aba43e2767a6c2bac36a02ec63a47e971eba88eec6db31a7e916ac936775
Instruction ID: 5263c10d2a0ee51638e933fa20eb03c315c268d1c0d9d8b15faa3697d7a8eae9
Opcode Fuzzy Hash: f0d2aba43e2767a6c2bac36a02ec63a47e971eba88eec6db31a7e916ac936775
Instruction Fuzzy Hash: 28317A311292C54FFB76CA645C1A3F7BBD3EF85210F64011ADC058F996EA30119A8B89

Uniqueness

Uniqueness Score: -1.00%

Function 022870C5, Relevance: 2.6, Strings: 2, Instructions: 63COMMON

Download Yara Rule

Strings

`, xrefs: 02287224
@ , xrefs: 022871FC

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID: `$@
API String ID: 0-2424134981
Opcode ID: 94629683bc1e61202f417aefd851105846abccabf8f9fbc5309e8523cc3973b2
Instruction ID: f28c023e8dae846af46f70de5650ffdd2dca38205fd04961d51741cddab79bc4
Opcode Fuzzy Hash: 94629683bc1e61202f417aefd851105846abccabf8f9fbc5309e8523cc3973b2
Instruction Fuzzy Hash: 81213A352143858BEF78DE699C197F972A3AF54304F34011FDC0A8BAECCB7086858B45

Uniqueness

Uniqueness Score: -1.00%

Function 02280463, Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cec2ad8da920bb305dd659ffb84d0ae86794c419f88b047c2427e7485a8ce217
Instruction ID: 565e88d0c9be3beb746e1a5521259782831cdcb9033d2be2766fe1105fe7e2d6
Opcode Fuzzy Hash: cec2ad8da920bb305dd659ffb84d0ae86794c419f88b047c2427e7485a8ce217
Instruction Fuzzy Hash: DB41F13261A3855FD716DE34A8952EB7FE2AF95200FA4040DED868B543E730170ECF8A

Uniqueness

Uniqueness Score: -1.00%

Function 0228A9F1, Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5bf90a029d1a941cfa8cdc6afd887178deab62b75df3362b7e2104a90f6ae6d
Instruction ID: 79f3c384ccfa5b3cfbc49507cc558b7b3f85049a6da78628aec4daeccf862da1
Opcode Fuzzy Hash: e5bf90a029d1a941cfa8cdc6afd887178deab62b75df3362b7e2104a90f6ae6d
Instruction Fuzzy Hash: 462129382153474BCB24AFBCC5917E663A2BF4A310F85812EEC968B789EF74D482C745

Uniqueness

Uniqueness Score: -1.00%

Function 02289BC7, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c93567854cde5a17073beb1b507390c36478051f0ae9f7a25d5df03ab80bc65
Instruction ID: f7706e47a77bfaba2b6cb51d425d285827b488f907c4dbba76883ff53542cb20
Opcode Fuzzy Hash: 0c93567854cde5a17073beb1b507390c36478051f0ae9f7a25d5df03ab80bc65
Instruction Fuzzy Hash: 2F216BB3A1A3859FDF388EB489E03E67F556B26200F98842FCD8687745D7304784C745

Uniqueness

Uniqueness Score: -1.00%

Function 0228059C, Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad2c674eb7ac34a0ce459e2ac96a64e92f6d7793cbbae02c9248562ed39d572d
Instruction ID: 2b9ea252b89ba9e9f26fdbe357b50dfa81f3fbb9d635248a77943e1ca339818c
Opcode Fuzzy Hash: ad2c674eb7ac34a0ce459e2ac96a64e92f6d7793cbbae02c9248562ed39d572d
Instruction Fuzzy Hash: E3115935A092048BC34CAF35E45586A7BB2AF65205F52480DE2E39B56AD7304F908E17

Uniqueness

Uniqueness Score: -1.00%

Function 02289E9A, Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79a293e1c5a32ea86977c4088ed4dbf221c8ed8be3088d92beaa5877f1d83ed0
Instruction ID: 12cd8a2057121eb39c26832abb0f3567a63e6cd6e5830ecd92e7f8fe54aa7a46
Opcode Fuzzy Hash: 79a293e1c5a32ea86977c4088ed4dbf221c8ed8be3088d92beaa5877f1d83ed0
Instruction Fuzzy Hash: 05115E72521645DFCB35EE44C9D4BE9B3A2BFA8310F15002AE91C8B355C770EA81DB54

Uniqueness

Uniqueness Score: -1.00%

Function 0228707C, Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7351403722acc696caa20e536fd81ceca0fe3cebc28c50e3a59b08707e4d7d37
Instruction ID: fe0eb557d415aa3b3ef455fb2096185662f2141070e8310aecf5225b77f5dd3f
Opcode Fuzzy Hash: 7351403722acc696caa20e536fd81ceca0fe3cebc28c50e3a59b08707e4d7d37
Instruction Fuzzy Hash: 75C08C8B9351261D5AA13DB862052A6D8032390310721CA00584881A4EFC49CD281A53

Uniqueness

Uniqueness Score: -1.00%

Function 02286EA3, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 739d69066fa43589e4dacea944d090c3f31d23e0b63fe6bfa8137955f9feb62b
Instruction ID: ec353ebd8c1f86348e5da9ccf83ecebdb1806159a62d2c677bcedde3098a8dc6
Opcode Fuzzy Hash: 739d69066fa43589e4dacea944d090c3f31d23e0b63fe6bfa8137955f9feb62b
Instruction Fuzzy Hash: 42B092B62015808FEF06CE08C481B4073B6F705644B4804D0E002CB752C228ED04CA00

Uniqueness

Uniqueness Score: -1.00%

Function 0228994C, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.870508386.0000000002280000.00000040.00000001.sdmp, Offset: 02280000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 0044230F, Relevance: 89.7, APIs: 45, Strings: 6, Instructions: 464
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0044230F(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				void* _v32;
				short _v36;
				short _v40;
				void* _v44;
				char _v48;
				signed int _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				intOrPtr _v104;
				char _v112;
				signed int _v120;
				intOrPtr _v128;
				void* _v164;
				void* _v168;
				signed int _v172;
				void* _v176;
				signed int _v180;
				char _v184;
				signed int _v188;
				signed int _v196;
				void* _v200;
				signed int _v204;
				char _v208;
				signed int _v212;
				signed int _v216;
				char _v220;
				signed int _v224;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				char _v240;
				signed int _v244;
				signed int _v248;
				char _v252;
				signed int _v256;
				signed int _v260;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _t238;
				short _t239;
				signed int _t246;
				signed int _t251;
				signed int _t258;
				signed int _t263;
				char* _t268;
				signed int _t272;
				signed int _t279;
				char* _t281;
				signed int _t284;
				signed int _t299;
				signed int _t304;
				signed int _t311;
				char* _t332;
				intOrPtr _t346;
				void* _t347;
				void* _t348;
				char _t370;
				long long _t371;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t346;
				L00401210();
				_v12 = _t346;
				_v8 = 0x4011f0;
				_v88 = 0x80020004;
				_v96 = 0xa;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_push( &_v96);
				_push( &_v80);
				_t370 =  *0x4011e8;
				_v48 = _t370;
				asm("fld1");
				_v56 = _t370;
				asm("fld1");
				_v64 = _t370;
				L004012B2();
				L004012B8();
				asm("fcomp qword [0x4011e0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t10 =  &_v204;
					 *_t10 = _v204 & 0x00000000;
					__eflags =  *_t10;
				} else {
					_v204 = 1;
				}
				_v168 =  ~_v204;
				_push( &_v96);
				_push( &_v80);
				_push(2);
				L00401318();
				_t347 = _t346 + 0xc;
				_t238 = _v168;
				if(_t238 != 0) {
					_v72 = 0x80020004;
					_v80 = 0xa;
					_t239 =  &_v80;
					_push(_t239);
					L0040138A();
					_v40 = _t239;
					L004013AE();
					_v72 = 1;
					_v80 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L004012CA();
					L004013A8();
					L004013AE();
					if( *0x44463c != 0) {
						_v208 = 0x44463c;
					} else {
						_push(0x44463c);
						_push(0x417dc4);
						L004013A2();
						_v208 = 0x44463c;
					}
					_t29 =  &_v208; // 0x44463c
					_v168 =  *((intOrPtr*)( *_t29));
					_t246 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v56);
					asm("fclex");
					_v172 = _t246;
					if(_v172 >= 0) {
						_t40 =  &_v212;
						 *_t40 = _v212 & 0x00000000;
						__eflags =  *_t40;
					} else {
						_push(0x14);
						_push(0x417db4);
						_push(_v168);
						_push(_v172);
						L0040139C();
						_v212 = _t246;
					}
					_v176 = _v56;
					_t251 =  *((intOrPtr*)( *_v176 + 0x68))(_v176,  &_v164);
					asm("fclex");
					_v180 = _t251;
					if(_v180 >= 0) {
						_t53 =  &_v216;
						 *_t53 = _v216 & 0x00000000;
						__eflags =  *_t53;
					} else {
						_push(0x68);
						_push(0x417dd4);
						_push(_v176);
						_push(_v180);
						L0040139C();
						_v216 = _t251;
					}
					_v36 = _v164;
					L00401396();
					if( *0x44463c != 0) {
						_v220 = 0x44463c;
					} else {
						_push(0x44463c);
						_push(0x417dc4);
						L004013A2();
						_v220 = 0x44463c;
					}
					_t60 =  &_v220; // 0x44463c
					_v168 =  *((intOrPtr*)( *_t60));
					_t258 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v56);
					asm("fclex");
					_v172 = _t258;
					if(_v172 >= 0) {
						_t71 =  &_v224;
						 *_t71 = _v224 & 0x00000000;
						__eflags =  *_t71;
					} else {
						_push(0x14);
						_push(0x417db4);
						_push(_v168);
						_push(_v172);
						L0040139C();
						_v224 = _t258;
					}
					_v176 = _v56;
					_t263 =  *((intOrPtr*)( *_v176 + 0xe0))(_v176,  &_v52);
					asm("fclex");
					_v180 = _t263;
					if(_v180 >= 0) {
						_t84 =  &_v228;
						 *_t84 = _v228 & 0x00000000;
						__eflags =  *_t84;
					} else {
						_push(0xe0);
						_push(0x417dd4);
						_push(_v176);
						_push(_v180);
						L0040139C();
						_v228 = _t263;
					}
					_v196 = _v52;
					_v52 = _v52 & 0x00000000;
					L004013A8();
					L00401396();
					if( *0x444010 != 0) {
						_v232 = 0x444010;
					} else {
						_push("X�E");
						_push(0x415590);
						L004013A2();
						_v232 = 0x444010;
					}
					_t268 =  &_v56;
					L00401378();
					_v168 = _t268;
					_t272 =  *((intOrPtr*)( *_v168 + 0x130))(_v168,  &_v60, _t268,  *((intOrPtr*)( *((intOrPtr*)( *_v232)) + 0x370))( *_v232));
					asm("fclex");
					_v172 = _t272;
					if(_v172 >= 0) {
						_t109 =  &_v236;
						 *_t109 = _v236 & 0x00000000;
						__eflags =  *_t109;
					} else {
						_push(0x130);
						_push(0x417de4);
						_push(_v168);
						_push(_v172);
						L0040139C();
						_v236 = _t272;
					}
					_push(0);
					_push(0);
					_push(_v60);
					_push( &_v80);
					L00401348();
					_t348 = _t347 + 0x10;
					if( *0x44463c != 0) {
						_v240 = 0x44463c;
					} else {
						_push(0x44463c);
						_push(0x417dc4);
						L004013A2();
						_v240 = 0x44463c;
					}
					_t115 =  &_v240; // 0x44463c
					_v176 =  *((intOrPtr*)( *_t115));
					_t279 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v64);
					asm("fclex");
					_v180 = _t279;
					if(_v180 >= 0) {
						_t126 =  &_v244;
						 *_t126 = _v244 & 0x00000000;
						__eflags =  *_t126;
					} else {
						_push(0x14);
						_push(0x417db4);
						_push(_v176);
						_push(_v180);
						L0040139C();
						_v244 = _t279;
					}
					_v184 = _v64;
					_t281 =  &_v80;
					L0040134E();
					L004013A8();
					_t284 =  *((intOrPtr*)( *_v184 + 0x138))(_v184, _t281, _t281, 1);
					asm("fclex");
					_v188 = _t284;
					if(_v188 >= 0) {
						_t140 =  &_v248;
						 *_t140 = _v248 & 0x00000000;
						__eflags =  *_t140;
					} else {
						_push(0x138);
						_push(0x417dd4);
						_push(_v184);
						_push(_v188);
						L0040139C();
						_v248 = _t284;
					}
					L004013C6();
					_push( &_v64);
					_push( &_v60);
					_push( &_v56);
					_push(3);
					L00401372();
					_t332 =  &_v80;
					L004013AE();
					_v104 = 0x80020004;
					_v112 = 0xa;
					_v88 = 0x80020004;
					_v96 = 0xa;
					_v72 = 0x80020004;
					_v80 = 0xa;
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_t371 =  *0x4011d8;
					_push(_t332);
					_push(_t332);
					_v184 = _t371;
					asm("fld1");
					_push(_t332);
					_push(_t332);
					 *((long long*)(_t348 + 0x10)) = _t371;
					asm("fld1");
					_push(_t332);
					_push(_t332);
					_v200 = _t371;
					L004012AC();
					_v28 = _t371;
					_push( &_v112);
					_push( &_v96);
					_push( &_v80);
					_push(3);
					L00401318();
					if( *0x44463c != 0) {
						_v252 = 0x44463c;
					} else {
						_push(0x44463c);
						_push(0x417dc4);
						L004013A2();
						_v252 = 0x44463c;
					}
					_t162 =  &_v252; // 0x44463c
					_v168 =  *((intOrPtr*)( *_t162));
					_t299 =  *((intOrPtr*)( *_v168 + 0x14))(_v168,  &_v56);
					asm("fclex");
					_v172 = _t299;
					if(_v172 >= 0) {
						_t173 =  &_v256;
						 *_t173 = _v256 & 0x00000000;
						__eflags =  *_t173;
					} else {
						_push(0x14);
						_push(0x417db4);
						_push(_v168);
						_push(_v172);
						L0040139C();
						_v256 = _t299;
					}
					_v176 = _v56;
					_t304 =  *((intOrPtr*)( *_v176 + 0xd8))(_v176,  &_v52);
					asm("fclex");
					_v180 = _t304;
					if(_v180 >= 0) {
						_t186 =  &_v260;
						 *_t186 = _v260 & 0x00000000;
						__eflags =  *_t186;
					} else {
						_push(0xd8);
						_push(0x417dd4);
						_push(_v176);
						_push(_v180);
						L0040139C();
						_v260 = _t304;
					}
					_v200 = _v52;
					_v52 = _v52 & 0x00000000;
					L004013A8();
					L00401396();
					if( *0x44463c != 0) {
						_v264 = 0x44463c;
					} else {
						_push(0x44463c);
						_push(0x417dc4);
						L004013A2();
						_v264 = 0x44463c;
					}
					_t197 =  &_v264; // 0x44463c
					_v168 =  *((intOrPtr*)( *_t197));
					_t311 =  *((intOrPtr*)( *_v168 + 0x4c))(_v168,  &_v56);
					asm("fclex");
					_v172 = _t311;
					if(_v172 >= 0) {
						_t208 =  &_v268;
						 *_t208 = _v268 & 0x00000000;
						__eflags =  *_t208;
					} else {
						_push(0x4c);
						_push(0x417db4);
						_push(_v168);
						_push(_v172);
						L0040139C();
						_v268 = _t311;
					}
					_v176 = _v56;
					_v120 = _v120 & 0x00000000;
					_v128 = 2;
					L00401210();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t238 =  *((intOrPtr*)( *_v176 + 0x2c))(_v176, 0x10);
					asm("fclex");
					_v180 = _t238;
					if(_v180 >= 0) {
						_t224 =  &_v272;
						 *_t224 = _v272 & 0x00000000;
						__eflags =  *_t224;
					} else {
						_push(0x2c);
						_push(0x418d04);
						_push(_v176);
						_push(_v180);
						L0040139C();
						_v272 = _t238;
					}
					L00401396();
				}
				asm("wait");
				_push(0x442ac8);
				L004013C6();
				L004013C6();
				L004013C6();
				return _t238;
			}

0x00442314
0x0044231f
0x00442320
0x0044232c
0x00442334
0x00442337
0x0044233e
0x00442345
0x0044234c
0x00442353
0x0044235d
0x00442361
0x00442362
0x0044236a
0x0044236d
0x00442371
0x00442374
0x00442378
0x0044237b
0x00442380
0x00442385
0x0044238b
0x0044238d
0x0044238e
0x0044239c
0x0044239c
0x0044239c
0x00442390
0x00442390
0x00442390
0x004423ab
0x004423b5
0x004423b9
0x004423ba
0x004423bc
0x004423c1
0x004423c4
0x004423cd
0x004423d3
0x004423da
0x004423e1
0x004423e4
0x004423e5
0x004423ea
0x004423f1
0x004423f6
0x004423fd
0x00442404
0x00442406
0x00442408
0x0044240a
0x0044240f
0x00442410
0x0044241a
0x00442422
0x0044242e
0x0044244b
0x00442430
0x00442430
0x00442435
0x0044243a
0x0044243f
0x0044243f
0x00442455
0x0044245d
0x00442475
0x00442478
0x0044247a
0x00442487
0x004424a9
0x004424a9
0x004424a9
0x00442489
0x00442489
0x0044248b
0x00442490
0x00442496
0x0044249c
0x004424a1
0x004424a1
0x004424b3
0x004424ce
0x004424d1
0x004424d3
0x004424e0
0x00442502
0x00442502
0x00442502
0x004424e2
0x004424e2
0x004424e4
0x004424e9
0x004424ef
0x004424f5
0x004424fa
0x004424fa
0x00442510
0x00442517
0x00442523
0x00442540
0x00442525
0x00442525
0x0044252a
0x0044252f
0x00442534
0x00442534
0x0044254a
0x00442552
0x0044256a
0x0044256d
0x0044256f
0x0044257c
0x0044259e
0x0044259e
0x0044259e
0x0044257e
0x0044257e
0x00442580
0x00442585
0x0044258b
0x00442591
0x00442596
0x00442596
0x004425a8
0x004425c0
0x004425c6
0x004425c8
0x004425d5
0x004425fa
0x004425fa
0x004425fa
0x004425d7
0x004425d7
0x004425dc
0x004425e1
0x004425e7
0x004425ed
0x004425f2
0x004425f2
0x00442604
0x0044260a
0x00442617
0x0044261f
0x0044262b
0x00442648
0x0044262d
0x0044262d
0x00442632
0x00442637
0x0044263c
0x0044263c
0x0044266c
0x00442670
0x00442675
0x0044268d
0x00442693
0x00442695
0x004426a2
0x004426c7
0x004426c7
0x004426c7
0x004426a4
0x004426a4
0x004426a9
0x004426ae
0x004426b4
0x004426ba
0x004426bf
0x004426bf
0x004426ce
0x004426d0
0x004426d2
0x004426d8
0x004426d9
0x004426de
0x004426e8
0x00442705
0x004426ea
0x004426ea
0x004426ef
0x004426f4
0x004426f9
0x004426f9
0x0044270f
0x00442717
0x0044272f
0x00442732
0x00442734
0x00442741
0x00442763
0x00442763
0x00442763
0x00442743
0x00442743
0x00442745
0x0044274a
0x00442750
0x00442756
0x0044275b
0x0044275b
0x0044276d
0x00442775
0x00442779
0x00442783
0x00442797
0x0044279d
0x0044279f
0x004427ac
0x004427d1
0x004427d1
0x004427d1
0x004427ae
0x004427ae
0x004427b3
0x004427b8
0x004427be
0x004427c4
0x004427c9
0x004427c9
0x004427db
0x004427e3
0x004427e7
0x004427eb
0x004427ec
0x004427ee
0x004427f6
0x004427f9
0x004427fe
0x00442805
0x0044280c
0x00442813
0x0044281a
0x00442821
0x0044282b
0x0044282f
0x00442833
0x00442834
0x0044283a
0x0044283b
0x0044283c
0x0044283f
0x00442841
0x00442842
0x00442843
0x00442846
0x00442848
0x00442849
0x0044284a
0x0044284d
0x00442852
0x00442858
0x0044285c
0x00442860
0x00442861
0x00442863
0x00442872
0x0044288f
0x00442874
0x00442874
0x00442879
0x0044287e
0x00442883
0x00442883
0x00442899
0x004428a1
0x004428b9
0x004428bc
0x004428be
0x004428cb
0x004428ed
0x004428ed
0x004428ed
0x004428cd
0x004428cd
0x004428cf
0x004428d4
0x004428da
0x004428e0
0x004428e5
0x004428e5
0x004428f7
0x0044290f
0x00442915
0x00442917
0x00442924
0x00442949
0x00442949
0x00442949
0x00442926
0x00442926
0x0044292b
0x00442930
0x00442936
0x0044293c
0x00442941
0x00442941
0x00442953
0x00442959
0x00442966
0x0044296e
0x0044297a
0x00442997
0x0044297c
0x0044297c
0x00442981
0x00442986
0x0044298b
0x0044298b
0x004429a1
0x004429a9
0x004429c1
0x004429c4
0x004429c6
0x004429d3
0x004429f5
0x004429f5
0x004429f5
0x004429d5
0x004429d5
0x004429d7
0x004429dc
0x004429e2
0x004429e8
0x004429ed
0x004429ed
0x004429ff
0x00442a05
0x00442a09
0x00442a13
0x00442a1d
0x00442a1e
0x00442a1f
0x00442a20
0x00442a2f
0x00442a32
0x00442a34
0x00442a41
0x00442a63
0x00442a63
0x00442a63
0x00442a43
0x00442a43
0x00442a45
0x00442a4a
0x00442a50
0x00442a56
0x00442a5b
0x00442a5b
0x00442a6d
0x00442a6d
0x00442a72
0x00442a73
0x00442ab2
0x00442aba
0x00442ac2
0x00442ac7

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0044232C
#677.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 0044237B
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A), ref: 00442380
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 004423BC
#648.MSVBVM60(0000000A), ref: 004423E5
__vbaFreeVar.MSVBVM60(0000000A), ref: 004423F1
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,0000000A), ref: 00442410
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,0000000A), ref: 0044241A
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE,0000000A), ref: 00442422
__vbaNew2.MSVBVM60(00417DC4,0044463C,00000002,000000FF,000000FE,000000FE,000000FE,0000000A), ref: 0044243A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DB4,00000014), ref: 0044249C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DD4,00000068), ref: 004424F5
__vbaFreeObj.MSVBVM60(00000000,?,00417DD4,00000068), ref: 00442517
__vbaNew2.MSVBVM60(00417DC4,0044463C), ref: 0044252F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DB4,00000014), ref: 00442591
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DD4,000000E0), ref: 004425ED
__vbaStrMove.MSVBVM60(00000000,?,00417DD4,000000E0), ref: 00442617
__vbaFreeObj.MSVBVM60(00000000,?,00417DD4,000000E0), ref: 0044261F
__vbaNew2.MSVBVM60(00415590,XE), ref: 00442637
__vbaObjSet.MSVBVM60(?,00000000), ref: 00442670
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,00000130), ref: 004426BA
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 004426D9
__vbaNew2.MSVBVM60(00417DC4,0044463C), ref: 004426F4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DB4,00000014), ref: 00442756
__vbaStrVarMove.MSVBVM60(?,00000001), ref: 00442779
__vbaStrMove.MSVBVM60(?,00000001), ref: 00442783
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DD4,00000138), ref: 004427C4
__vbaFreeStr.MSVBVM60(00000000,?,00417DD4,00000138), ref: 004427DB
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 004427EE
__vbaFreeVar.MSVBVM60 ref: 004427F9
#680.MSVBVM60(?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 0044284D
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,?,?,?,?,?,0000000A,0000000A,0000000A), ref: 00442863
__vbaNew2.MSVBVM60(00417DC4,0044463C), ref: 0044287E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DB4,00000014), ref: 004428E0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DD4,000000D8), ref: 0044293C
__vbaStrMove.MSVBVM60(00000000,?,00417DD4,000000D8), ref: 00442966
__vbaFreeObj.MSVBVM60(00000000,?,00417DD4,000000D8), ref: 0044296E
__vbaNew2.MSVBVM60(00417DC4,0044463C), ref: 00442986
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DB4,0000004C), ref: 004429E8
__vbaChkstk.MSVBVM60(00000000,?,00417DB4,0000004C), ref: 00442A13
__vbaHresultCheckObj.MSVBVM60(00000000,?,00418D04,0000002C), ref: 00442A56
__vbaFreeObj.MSVBVM60(00000000,?,00418D04,0000002C), ref: 00442A6D
__vbaFreeStr.MSVBVM60(00442AC8), ref: 00442AB2
__vbaFreeStr.MSVBVM60(00442AC8), ref: 00442ABA
__vbaFreeStr.MSVBVM60(00442AC8), ref: 00442AC2

Strings

<FD, xrefs: 00442899
XE, xrefs: 00442624, 0044262D, 0044263C, 00442648
<FD, xrefs: 00442455
<FD, xrefs: 004429A1
<FD, xrefs: 0044254A
<FD, xrefs: 0044270F

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$List$Chkstk$#648#677#680#703CallLate
String ID: <FD$<FD$<FD$<FD$<FD$XE
API String ID: 1455495044-178649953
Opcode ID: 2552c94ac0372d298668202701a339bfaace4d3862327fbdd55024a42727f6e4
Instruction ID: bf3f7d8dec92b1b6913e9188d507462cdc457200ca4cc4c5216268ffaf51d86c
Opcode Fuzzy Hash: 2552c94ac0372d298668202701a339bfaace4d3862327fbdd55024a42727f6e4
Instruction Fuzzy Hash: E12206B1900228EFEB20DF91CD45BDDB7B5BF05304F1081EAF549B62A1DBB85A858F19

Uniqueness

Uniqueness Score: -1.00%

Function 0044212D, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 126
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0044212D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				short _v32;
				char _v36;
				char _v44;
				char _v52;
				char _v68;
				void* _v88;
				intOrPtr* _v92;
				signed int _v96;
				intOrPtr* _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				char* _t59;
				signed int _t62;
				char* _t71;
				signed int _t75;
				short _t76;
				intOrPtr _t97;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t97;
				_push(0x60);
				L00401210();
				_v12 = _t97;
				_v8 = 0x4011c8;
				L0040135A();
				if( *0x444010 != 0) {
					_v104 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v104 = 0x444010;
				}
				_t59 =  &_v36;
				L00401378();
				_v92 = _t59;
				_t62 =  *((intOrPtr*)( *_v92 + 0x1ac))(_v92, _t59,  *((intOrPtr*)( *((intOrPtr*)( *_v104)) + 0x34c))( *_v104));
				asm("fclex");
				_v96 = _t62;
				if(_v96 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x417de4);
					_push(_v92);
					_push(_v96);
					L0040139C();
					_v108 = _t62;
				}
				L00401396();
				_v44 = 2;
				_v52 = 2;
				_push( &_v52);
				_push( &_v68);
				L00401312();
				_push( &_v68);
				L0040134E();
				L004013A8();
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401318();
				if( *0x444010 != 0) {
					_v112 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v112 = 0x444010;
				}
				_t71 =  &_v36;
				L00401378();
				_v92 = _t71;
				_t75 =  *((intOrPtr*)( *_v92 + 0xd0))(_v92,  &_v88, _t71,  *((intOrPtr*)( *((intOrPtr*)( *_v112)) + 0x324))( *_v112));
				asm("fclex");
				_v96 = _t75;
				if(_v96 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x417de4);
					_push(_v92);
					_push(_v96);
					L0040139C();
					_v116 = _t75;
				}
				_t76 = _v88;
				_v32 = _t76;
				L00401396();
				_push(0x4422f2);
				L004013C6();
				L004013C6();
				return _t76;
			}

0x00442132
0x0044213d
0x0044213e
0x00442145
0x00442148
0x00442150
0x00442153
0x00442160
0x0044216c
0x00442186
0x0044216e
0x0044216e
0x00442173
0x00442178
0x0044217d
0x0044217d
0x004421a1
0x004421a5
0x004421aa
0x004421b5
0x004421bb
0x004421bd
0x004421c4
0x004421e0
0x004421c6
0x004421c6
0x004421cb
0x004421d0
0x004421d3
0x004421d6
0x004421db
0x004421db
0x004421e7
0x004421ec
0x004421f3
0x004421fd
0x00442201
0x00442202
0x0044220a
0x0044220b
0x00442215
0x0044221d
0x00442221
0x00442222
0x00442224
0x00442233
0x0044224d
0x00442235
0x00442235
0x0044223a
0x0044223f
0x00442244
0x00442244
0x00442268
0x0044226c
0x00442271
0x00442280
0x00442286
0x00442288
0x0044228f
0x004422ab
0x00442291
0x00442291
0x00442296
0x0044229b
0x0044229e
0x004422a1
0x004422a6
0x004422a6
0x004422af
0x004422b3
0x004422ba
0x004422bf
0x004422e4
0x004422ec
0x004422f1

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00442148
__vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 00442160
__vbaNew2.MSVBVM60(00415590,XE,?,?,?,?,00401216), ref: 00442178
__vbaObjSet.MSVBVM60(?,00000000), ref: 004421A5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000001AC), ref: 004421D6
__vbaFreeObj.MSVBVM60(00000000,?,00417DE4,000001AC), ref: 004421E7
#613.MSVBVM60(?,00000002), ref: 00442202
__vbaStrVarMove.MSVBVM60(?,?,00000002), ref: 0044220B
__vbaStrMove.MSVBVM60(?,?,00000002), ref: 00442215
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002), ref: 00442224
__vbaNew2.MSVBVM60(00415590,XE), ref: 0044223F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044226C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000000D0), ref: 004422A1
__vbaFreeObj.MSVBVM60(00000000,?,00417DE4,000000D0), ref: 004422BA
__vbaFreeStr.MSVBVM60(004422F2), ref: 004422E4
__vbaFreeStr.MSVBVM60(004422F2), ref: 004422EC

Strings

XE, xrefs: 00442165, 0044216E, 0044217D, 00442186, 0044222C, 00442235, 00442244, 0044224D

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMoveNew2$#613ChkstkCopyList
String ID: XE
API String ID: 1093097441-3649240766
Opcode ID: 29ecd422d2d99734bc5c9f64671b63ed07c34aa743e78397b641413feb4cc4b6
Instruction ID: 13d90ab24ceda039fbf87f31e8e09e163588efdb3fa6cd17e6695b9accc01b97
Opcode Fuzzy Hash: 29ecd422d2d99734bc5c9f64671b63ed07c34aa743e78397b641413feb4cc4b6
Instruction Fuzzy Hash: 46510770D00218AFEB00DFD1C946BEDB7B8BF49304F50446AF501BB6A1DBB95945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00441ED0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00441ED0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				char _v32;
				void* _v36;
				signed int _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _t82;
				signed int _t85;
				signed int _t88;
				signed int _t92;
				signed int _t95;
				signed int _t99;
				signed int _t103;
				short _t104;
				void* _t120;
				void* _t122;
				intOrPtr _t123;

				_t123 = _t122 - 0xc;
				 *[fs:0x0] = _t123;
				L00401210();
				_v16 = _t123;
				_v12 = 0x4011b8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401216, _t120);
				if( *0x444010 != 0) {
					_v56 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v56 = 0x444010;
				}
				_t82 =  &_v32;
				L00401378();
				_v40 = _t82;
				_t85 =  *((intOrPtr*)( *_v40 + 0x1bc))(_v40, _t82,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x338))( *_v56));
				asm("fclex");
				_v44 = _t85;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x417de4);
					_push(_v40);
					_push(_v44);
					L0040139C();
					_v60 = _t85;
				}
				L00401396();
				_v60 =  *0x4011b0;
				_t88 =  *((intOrPtr*)( *_a4 + 0x8c))(_a4,  &_v32);
				asm("fclex");
				_v40 = _t88;
				if(_v40 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x8c);
					_push(0x4177b8);
					_push(_a4);
					_push(_v40);
					L0040139C();
					_v64 = _t88;
				}
				if( *0x444010 != 0) {
					_v68 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v68 = 0x444010;
				}
				_t92 =  &_v32;
				L00401378();
				_v40 = _t92;
				_t95 =  *((intOrPtr*)( *_v40 + 0x1a8))(_v40, _t92,  *((intOrPtr*)( *((intOrPtr*)( *_v68)) + 0x3b0))( *_v68));
				asm("fclex");
				_v44 = _t95;
				if(_v44 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x417de4);
					_push(_v40);
					_push(_v44);
					L0040139C();
					_v72 = _t95;
				}
				L00401396();
				if( *0x444010 != 0) {
					_v76 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v76 = 0x444010;
				}
				_t99 =  &_v32;
				L00401378();
				_v40 = _t99;
				_t103 =  *((intOrPtr*)( *_v40 + 0x178))(_v40,  &_v36, _t99,  *((intOrPtr*)( *((intOrPtr*)( *_v76)) + 0x338))( *_v76));
				asm("fclex");
				_v44 = _t103;
				if(_v44 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x417de4);
					_push(_v40);
					_push(_v44);
					L0040139C();
					_v80 = _t103;
				}
				_t104 = _v36;
				_v28 = _t104;
				L00401396();
				asm("wait");
				_push(0x442104);
				return _t104;
			}

0x00441ed3
0x00441ee2
0x00441eec
0x00441ef4
0x00441ef7
0x00441efe
0x00441f0d
0x00441f17
0x00441f31
0x00441f19
0x00441f19
0x00441f1e
0x00441f23
0x00441f28
0x00441f28
0x00441f4c
0x00441f50
0x00441f55
0x00441f60
0x00441f66
0x00441f68
0x00441f6f
0x00441f8b
0x00441f71
0x00441f71
0x00441f76
0x00441f7b
0x00441f7e
0x00441f81
0x00441f86
0x00441f86
0x00441f92
0x00441f9e
0x00441fa9
0x00441faf
0x00441fb1
0x00441fb8
0x00441fd4
0x00441fba
0x00441fba
0x00441fbf
0x00441fc4
0x00441fc7
0x00441fca
0x00441fcf
0x00441fcf
0x00441fdf
0x00441ff9
0x00441fe1
0x00441fe1
0x00441fe6
0x00441feb
0x00441ff0
0x00441ff0
0x00442014
0x00442018
0x0044201d
0x00442028
0x0044202e
0x00442030
0x00442037
0x00442053
0x00442039
0x00442039
0x0044203e
0x00442043
0x00442046
0x00442049
0x0044204e
0x0044204e
0x0044205a
0x00442066
0x00442080
0x00442068
0x00442068
0x0044206d
0x00442072
0x00442077
0x00442077
0x0044209b
0x0044209f
0x004420a4
0x004420b3
0x004420b9
0x004420bb
0x004420c2
0x004420de
0x004420c4
0x004420c4
0x004420c9
0x004420ce
0x004420d1
0x004420d4
0x004420d9
0x004420d9
0x004420e2
0x004420e6
0x004420ed
0x004420f2
0x004420f3
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00441EEC
__vbaNew2.MSVBVM60(00415590,XE,?,?,?,?,00401216), ref: 00441F23
__vbaObjSet.MSVBVM60(?,00000000), ref: 00441F50
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000001BC), ref: 00441F81
__vbaFreeObj.MSVBVM60 ref: 00441F92
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,004177B8,0000008C), ref: 00441FCA
__vbaNew2.MSVBVM60(00415590,XE), ref: 00441FEB
__vbaObjSet.MSVBVM60(?,00000000), ref: 00442018
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00417DE4,000001A8), ref: 00442049
__vbaFreeObj.MSVBVM60 ref: 0044205A
__vbaNew2.MSVBVM60(00415590,XE), ref: 00442072
__vbaObjSet.MSVBVM60(?,00000000), ref: 0044209F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00417DE4,00000178), ref: 004420D4
__vbaFreeObj.MSVBVM60 ref: 004420ED

Strings

XE, xrefs: 00441F10, 00441F19, 00441F28, 00441F31, 00441FD8, 00441FE1, 00441FF0, 00441FF9, 0044205F, 00442068, 00442077, 00442080

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$Chkstk
String ID: XE
API String ID: 2989710064-3649240766
Opcode ID: 18cda3402241648f80d23a7b8f50025620869ee47adb25fd2d44b62247acb786
Instruction ID: 619df3b2086bd2d1600e7eb3b375d79f2e2dab6e628e16cf111393784c92491c
Opcode Fuzzy Hash: 18cda3402241648f80d23a7b8f50025620869ee47adb25fd2d44b62247acb786
Instruction Fuzzy Hash: EF610974900208EFEB10DF90D949BEDBBF5BF48305F20446AF501BB6A0CB7A5995DB68

Uniqueness

Uniqueness Score: -1.00%

Function 00441CEA, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00441CEA(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr* _v28;
				signed int _v32;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				char* _t62;
				signed int _t65;
				char* _t69;
				signed int _t72;
				char* _t76;
				signed int _t79;
				intOrPtr _t98;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t98;
				_push(0x28);
				L00401210();
				_v12 = _t98;
				_v8 = 0x4011a0;
				if( *0x444010 != 0) {
					_v40 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v40 = 0x444010;
				}
				_t62 =  &_v24;
				L00401378();
				_v28 = _t62;
				_t65 =  *((intOrPtr*)( *_v28 + 0x1bc))(_v28, _t62,  *((intOrPtr*)( *((intOrPtr*)( *_v40)) + 0x3c8))( *_v40));
				asm("fclex");
				_v32 = _t65;
				if(_v32 >= 0) {
					_v44 = _v44 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x417de4);
					_push(_v28);
					_push(_v32);
					L0040139C();
					_v44 = _t65;
				}
				L00401396();
				if( *0x444010 != 0) {
					_v48 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v48 = 0x444010;
				}
				_t69 =  &_v24;
				L00401378();
				_v28 = _t69;
				_t72 =  *((intOrPtr*)( *_v28 + 0x1a8))(_v28, _t69,  *((intOrPtr*)( *((intOrPtr*)( *_v48)) + 0x33c))( *_v48));
				asm("fclex");
				_v32 = _t72;
				if(_v32 >= 0) {
					_v52 = _v52 & 0x00000000;
				} else {
					_push(0x1a8);
					_push(0x417de4);
					_push(_v28);
					_push(_v32);
					L0040139C();
					_v52 = _t72;
				}
				L00401396();
				if( *0x444010 != 0) {
					_v56 = 0x444010;
				} else {
					_push("X�E");
					_push(0x415590);
					L004013A2();
					_v56 = 0x444010;
				}
				_t76 =  &_v24;
				L00401378();
				_v28 = _t76;
				_t79 =  *((intOrPtr*)( *_v28 + 0x1ac))(_v28, _t76,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x3a8))( *_v56));
				asm("fclex");
				_v32 = _t79;
				if(_v32 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x417de4);
					_push(_v28);
					_push(_v32);
					L0040139C();
					_v60 = _t79;
				}
				L00401396();
				_push(0x441ebd);
				return _t79;
			}

0x00441cef
0x00441cfa
0x00441cfb
0x00441d02
0x00441d05
0x00441d0d
0x00441d10
0x00441d1e
0x00441d38
0x00441d20
0x00441d20
0x00441d25
0x00441d2a
0x00441d2f
0x00441d2f
0x00441d53
0x00441d57
0x00441d5c
0x00441d67
0x00441d6d
0x00441d6f
0x00441d76
0x00441d92
0x00441d78
0x00441d78
0x00441d7d
0x00441d82
0x00441d85
0x00441d88
0x00441d8d
0x00441d8d
0x00441d99
0x00441da5
0x00441dbf
0x00441da7
0x00441da7
0x00441dac
0x00441db1
0x00441db6
0x00441db6
0x00441dda
0x00441dde
0x00441de3
0x00441dee
0x00441df4
0x00441df6
0x00441dfd
0x00441e19
0x00441dff
0x00441dff
0x00441e04
0x00441e09
0x00441e0c
0x00441e0f
0x00441e14
0x00441e14
0x00441e20
0x00441e2c
0x00441e46
0x00441e2e
0x00441e2e
0x00441e33
0x00441e38
0x00441e3d
0x00441e3d
0x00441e61
0x00441e65
0x00441e6a
0x00441e75
0x00441e7b
0x00441e7d
0x00441e84
0x00441ea0
0x00441e86
0x00441e86
0x00441e8b
0x00441e90
0x00441e93
0x00441e96
0x00441e9b
0x00441e9b
0x00441ea7
0x00441eac
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00441D05
__vbaNew2.MSVBVM60(00415590,XE,?,?,?,?,00401216), ref: 00441D2A
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,00401216), ref: 00441D57
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000001BC,?,?,?,?,?,?,00401216), ref: 00441D88
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,00401216), ref: 00441D99
__vbaNew2.MSVBVM60(00415590,XE,?,?,?,?,?,?,00401216), ref: 00441DB1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00401216), ref: 00441DDE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000001A8,?,?,?,?,?,?,?,?,00401216), ref: 00441E0F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00401216), ref: 00441E20
__vbaNew2.MSVBVM60(00415590,XE,?,?,?,?,?,?,?,?,00401216), ref: 00441E38
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00441E65
__vbaHresultCheckObj.MSVBVM60(00000000,?,00417DE4,000001AC,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00441E96
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401216), ref: 00441EA7

Strings

XE, xrefs: 00441D17, 00441D20, 00441D2F, 00441D38, 00441D9E, 00441DA7, 00441DB6, 00441DBF, 00441E25, 00441E2E, 00441E3D, 00441E46

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$Chkstk
String ID: XE
API String ID: 3581712425-3649240766
Opcode ID: 19a9fbb3e161f4b0099d781cf1729611180983a91655fb80310a3b122b1d5377
Instruction ID: a6aa98b4f13efd412f1798e44767c1c0abc34628462bc6605bb6be43f40289ec
Opcode Fuzzy Hash: 19a9fbb3e161f4b0099d781cf1729611180983a91655fb80310a3b122b1d5377
Instruction Fuzzy Hash: 845109B4D00209EFEB00DF91D84ABEEBBB5BF49305F20446AE501B76A0C7791991DF69

Uniqueness

Uniqueness Score: -1.00%

Function 00442ADB, Relevance: 19.6, APIs: 13, Instructions: 100
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00442ADB(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v36;
				intOrPtr _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				char _v84;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr* _t58;
				char* _t66;
				void* _t91;
				intOrPtr _t93;

				 *[fs:0x0] = _t93;
				L00401210();
				_v12 = _t93;
				_v8 = 0x401200;
				_v92 = 0x10ca9;
				asm("clc");
				asm("adc dword [esp], 0x84ae8");
				_t58 = _v36(__esi, 2, 0x38a795, __edi, __esi, __ebx, 0x74,  *[fs:0x0], 0x401216, __ecx, __ecx, _t91);
				 *((intOrPtr*)(_t58 +  *_t58)) =  *((intOrPtr*)(_t58 +  *_t58)) + _t58 +  *_t58;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v92 = 0x32ab32ab;
				_v100 = 3;
				L00401324();
				_v76 = 0x80020004;
				_v84 = 0xa;
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(0);
				_push( &_v36);
				L004012A6();
				_push( &_v84);
				_push( &_v68);
				_t66 =  &_v52;
				_push(_t66);
				_push(3);
				L00401318();
				_push(0x442c80);
				L004013AE();
				return _t66;
			}

0x00442aec
0x00442af6
0x00442afe
0x00442b01
0x00442b08
0x00442b0f
0x00442b15
0x00442b1f
0x00442b2d
0x00442b35
0x00442b3a
0x00442b41
0x00442b4e
0x00442b53
0x00442b5a
0x00442b67
0x00442b6c
0x00442b73
0x00442b80
0x00442b85
0x00442b8c
0x00442b99
0x00442b9e
0x00442ba5
0x00442bb2
0x00442bb7
0x00442bbe
0x00442bcb
0x00442bd0
0x00442bd7
0x00442be4
0x00442be9
0x00442bf0
0x00442bfd
0x00442c02
0x00442c09
0x00442c10
0x00442c17
0x00442c1e
0x00442c25
0x00442c2f
0x00442c33
0x00442c37
0x00442c38
0x00442c3d
0x00442c3e
0x00442c46
0x00442c4a
0x00442c4b
0x00442c4e
0x00442c4f
0x00442c51
0x00442c59
0x00442c7a
0x00442c7f

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00442AF6
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442B35
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442B4E
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442B67
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442B80
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442B99
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442BB2
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442BCB
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442BE4
__vbaVarMove.MSVBVM60(?,00000002,0038A795), ref: 00442BFD
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,?,00000002,0038A795), ref: 00442C3E
__vbaFreeVarList.MSVBVM60(00000003,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,?,00000002,0038A795), ref: 00442C51
__vbaFreeVar.MSVBVM60(00442C80), ref: 00442C7A

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$#595ChkstkList
String ID:
API String ID: 3203110844-0
Opcode ID: 93b193c118a40f73cfd5d750192bc47cace3b102f1343e35c35ab4a605442f37
Instruction ID: c4549f8e4bb98d00638d6471c3f782834e69a9dca5c98400b2279266a9d2df6a
Opcode Fuzzy Hash: 93b193c118a40f73cfd5d750192bc47cace3b102f1343e35c35ab4a605442f37
Instruction Fuzzy Hash: 1741A0B18102AE9BEF01EFC0C999BDDBBB9FF54304F50015AE4057B1A5D7B82A09CB95

Uniqueness

Uniqueness Score: -1.00%

Function 0041A0B4, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 42%

			E0041A0B4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a16) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v36;
				char _v40;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				intOrPtr _v68;
				char* _t30;
				char* _t33;
				char* _t37;
				void* _t42;
				void* _t44;
				intOrPtr _t45;

				_t45 = _t44 - 0xc;
				 *[fs:0x0] = _t45;
				L00401210();
				_v16 = _t45;
				_v12 = 0x401150;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401216, _t42);
				_push( &_v56);
				_push(_v52);
				_t30 =  &_v64;
				_push(_t30);
				L004013DE();
				_push(_t30);
				_push( &_v40);
				_push(0);
				_push( *_a16);
				_t33 =  &_v60;
				_push(_t33);
				L004013DE();
				_push(_t33);
				_push(_v28);
				E00417D60();
				_v68 = _t33;
				L004013D8();
				_push(_v60);
				_push(_a16);
				L004013D2();
				_push(_v64);
				_push( &_v52);
				L004013D2();
				_v36 = _v68;
				_push( &_v64);
				_t37 =  &_v60;
				_push(_t37);
				_push(2);
				L004013CC();
				_push(0x41a17c);
				L004013C6();
				return _t37;
			}

0x0041a0b7
0x0041a0c6
0x0041a0d0
0x0041a0d8
0x0041a0db
0x0041a0e2
0x0041a0f1
0x0041a0f7
0x0041a0f8
0x0041a0fb
0x0041a0fe
0x0041a0ff
0x0041a104
0x0041a108
0x0041a109
0x0041a10e
0x0041a110
0x0041a113
0x0041a114
0x0041a119
0x0041a11a
0x0041a11d
0x0041a122
0x0041a125
0x0041a12a
0x0041a12d
0x0041a130
0x0041a135
0x0041a13b
0x0041a13c
0x0041a144
0x0041a14a
0x0041a14b
0x0041a14e
0x0041a14f
0x0041a151
0x0041a159
0x0041a176
0x0041a17b

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041A0D0
__vbaStrToAnsi.MSVBVM60(?,?,?,?,?,?,?,00401216), ref: 0041A0FF
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401216), ref: 0041A114
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,?,?,?,?,?,?,00401216), ref: 0041A125
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0041A130
__vbaStrToUnicode.MSVBVM60(00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?,?), ref: 0041A13C
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,00000000,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,?), ref: 0041A151
__vbaFreeStr.MSVBVM60(0041A17C,?,?,00401216), ref: 0041A176

Memory Dump Source

Source File: 00000000.00000002.869969881.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.869963238.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.870029590.0000000000444000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.870039501.0000000000445000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiFreeUnicode$ChkstkErrorListSystem
String ID:
API String ID: 3908248399-0
Opcode ID: 6c5a68d394d96a16c61150f34c05bc0737732bdf6cf8bc8ad76b9b6043de427b
Instruction ID: 4dd943446bf7c0f985604d7b1edf6a77db17a805cc37133a011fe8edcc2d2e0d
Opcode Fuzzy Hash: 6c5a68d394d96a16c61150f34c05bc0737732bdf6cf8bc8ad76b9b6043de427b
Instruction Fuzzy Hash: 7211A47190020DBBDF01EFD1E946EDEBBB9AF08704F00406AF900B65A1D779A9548B99

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report justificante de la transfer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: justificante de la transfer.exe PID: 6224 Parent PID: 3628

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: justificante de la transfer.exe PID: 6224 Parent PID: 3628 justificante de la transfer.exeCOMMON

Executed Functions

Function 0228BB0F, Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Function 0228776F, Relevance: 1.6, APIs: 1, Instructions: 116memorynativeCOMMON

Function 0228779F, Relevance: 1.6, APIs: 1, Instructions: 106memorynativeCOMMON

Function 004013FC, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 189
COMMON

Function 0044230F, Relevance: 89.7, APIs: 45, Strings: 6, Instructions: 464
COMMON

Function 0044212D, Relevance: 29.9, APIs: 16, Strings: 1, Instructions: 126
COMMON

Function 00441ED0, Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 161
COMMON

Function 00441CEA, Relevance: 24.6, APIs: 13, Strings: 1, Instructions: 133
COMMON

Function 00442ADB, Relevance: 19.6, APIs: 13, Instructions: 100
COMMON

Function 0041A0B4, Relevance: 12.1, APIs: 8, Instructions: 61
COMMON