Play interactive tour

Edit tour

Windows Analysis Report n#U00ba410000512664.exe

Overview

General Information

Sample Name:	n#U00ba410000512664.exe
Analysis ID:	526313
MD5:	7c91db57c98a1f0e38ba65ed651b4779
SHA1:	28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256:	12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

n#U00ba410000512664.exe (PID: 3232 cmdline: "C:\Users\user\Desktop\n#U00ba410000512664.exe" MD5: 7C91DB57C98A1F0E38BA65ED651B4779)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=downlo_"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=downlo_"}

Machine Learning detection for sample

Show sources

Source: n#U00ba410000512664.exe

Joe Sandbox ML: detected

Source: n#U00ba410000512664.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=downlo_

Source: n#U00ba410000512664.exe	String found in binary or memory: http://topqualityfreeware.com
Source: n#U00ba410000512664.exe	String found in binary or memory: http://www.topqualityfreeware.com/

Source: n#U00ba410000512664.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: n#U00ba410000512664.exe, 00000000.00000000.252485383.0000000000426000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe
Source: n#U00ba410000512664.exe	Binary or memory string: OriginalFilenameObumbration1.exe vs n#U00ba410000512664.exe

Source: n#U00ba410000512664.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: n#U00ba410000512664.exe	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004090A6	0_2_004090A6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02206B59	0_2_02206B59
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FE22D	0_2_021FE22D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9E78	0_2_021F9E78
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9AAB	0_2_021F9AAB
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F92A8	0_2_021F92A8
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAADB	0_2_021FAADB
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAED8	0_2_021FAED8
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02204AF5	0_2_02204AF5
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9314	0_2_021F9314
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F0B33	0_2_021F0B33
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA320	0_2_021FA320
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA75D	0_2_021FA75D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA364	0_2_021FA364
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9FAC	0_2_021F9FAC
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9BD3	0_2_021F9BD3
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9836	0_2_021F9836
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAC2E	0_2_021FAC2E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9858	0_2_021F9858
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FB044	0_2_021FB044
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA878	0_2_021FA878
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FD4B3	0_2_021FD4B3
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA4CC	0_2_021FA4CC
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA0EF	0_2_021FA0EF
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_02202D07	0_2_02202D07
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9950	0_2_021F9950
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F9D50	0_2_021F9D50
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FAD6F	0_2_021FAD6F
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FB186	0_2_021FB186
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FA9B7	0_2_021FA9B7

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

File created: C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMP

Jump to behavior

Source: n#U00ba410000512664.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404401 pushfd ; retf	0_2_0040441E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00403826 push es; ret	0_2_00403828
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004044E5 pushfd ; retf	0_2_004044E6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404584 pushfd ; retf	0_2_00404596
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404599 pushfd ; retf	0_2_004045AA
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004051BE push dword ptr [esi]; iretd	0_2_004051C5
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040665D pushfd ; retf	0_2_0040665E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404279 pushfd ; retf	0_2_0040427A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004062C1 pushfd ; retf	0_2_004062C2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004072E1 pushfd ; retf	0_2_0040730E
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004096FC push eax; iretd	0_2_004096FF
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404349 pushfd ; retf	0_2_0040434A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_00404335 pushfd ; retf	0_2_00404346
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040633D pushfd ; retf	0_2_0040634A
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_004067DE pushfd ; retf	0_2_004067E6
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0040A784 push 18165C0Eh; iretd	0_2_0040A789
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F423B push 81528D88h; ret	0_2_021F4240
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F2644 push ss; retf	0_2_021F2645
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F6E73 push E8000002h; retf	0_2_021F6E78
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5ECB push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F0EF4 push eax; retf	0_2_021F0F07
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5C22 push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F1447 push ds; ret	0_2_021F1449
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F48A7 pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F491D pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F191A push ebx; retf	0_2_021F1920
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F4924 pushfd ; ret	0_2_021F4A0D
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5DDC push edi; ret	0_2_021F5EC2
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F5DC1 push edi; ret	0_2_021F5EC2

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_021FCAA8 rdtsc

0_2_021FCAA8

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021FC664 mov eax, dword ptr fs:[00000030h]	0_2_021FC664
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_022032C9 mov eax, dword ptr fs:[00000030h]	0_2_022032C9
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_021F8730 mov eax, dword ptr fs:[00000030h]	0_2_021F8730
Source: C:\Users\user\Desktop\n#U00ba410000512664.exe	Code function: 0_2_0220286B mov eax, dword ptr fs:[00000030h]	0_2_0220286B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_021FCAA8 rdtsc

0_2_021FCAA8

Source: C:\Users\user\Desktop\n#U00ba410000512664.exe

Code function: 0_2_02206B59 RtlAddVectoredExceptionHandler,

0_2_02206B59

Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: SProgram Managerl
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd,
Source: n#U00ba410000512664.exe, 00000000.00000002.781493325.0000000000C70000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
n#U00ba410000512664.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://topqualityfreeware.com	0%	Virustotal		Browse
http://topqualityfreeware.com	0%	Avira URL Cloud	safe
http://www.topqualityfreeware.com/	0%	Virustotal		Browse
http://www.topqualityfreeware.com/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://topqualityfreeware.com	n#U00ba410000512664.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://www.topqualityfreeware.com/	n#U00ba410000512664.exe	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	526313
Start date:	22.11.2021
Start time:	14:04:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	n#U00ba410000512664.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 54.1% (good quality ratio 41%) Quality average: 47.9% Quality standard deviation: 35%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, HxTsr.exe, RuntimeBroker.exe, WMIADAP.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DFE27628A3FBE5D858.TMP Download File
Process:	C:\Users\user\Desktop\n#U00ba410000512664.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	32768
Entropy (8bit):	4.01191323271951
Encrypted:	false
SSDEEP:	384:wcZ0tADSVlx6JQhynrV7Vr9wrCIM/ZUYVPzBAPN:wcZeADSV/6qhynrV7VxwrrMvqPN
MD5:	6C4C01A4316CD9338DE51EC175EBF11D
SHA1:	8C5D5B07E0ED6AAC72705F516E25BEAEA891EFA0
SHA-256:	95876F7C1242672418DB201C02D70276EE9CC4345394DEAD3500619A39DA28F0
SHA-512:	9F60729E865B0414DB4792F76465EDCE1595D22E884D01C07389A312474D1CE916E4CF73275D5AA0CB411D8EBB0617EF661CD10467AD838FD1B0B388C44823D5
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.926810109816392
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	n#U00ba410000512664.exe
File size:	192512
MD5:	7c91db57c98a1f0e38ba65ed651b4779
SHA1:	28cb0d40a73c1a421a9720808d49da010f9ff4ef
SHA256:	12992fe3f998693d92625c53bf5aa6723e87c8c3fb7057dbba4b334742cab376
SHA512:	2ca3ac7de708b85262bd7e9d42b0cd78cd0af4f92c1da9c7be9d2e473bcc238a5935030eff688049d8c75fd3c3fd8fd80a5703eca4ab112e3a0997e74d6ac58a
SSDEEP:	3072:tdejCYyLGrRDAfor5hlNZI71PAMrc0yvhXeJ:tdeiGrRDAfA5XXMrcbeJ
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L.....&T.................0..........L........@....@........

File Icon


Icon Hash:	0ceefedec6f67c0c

Static PE Info

General
Entrypoint:	0x40134c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x54260EAF [Sat Sep 27 01:11:11 2014 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f27a613fda76c14f4eab7dc0085d799e

Entrypoint Preview

Instruction
push 00407F64h
call 00007F9A7CBA9A93h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi+6Eh], ch
jl 00007F9A7CBA9ACFh
iretd
je 00007F9A7CBA9A80h
inc edi
mov ebp, 13705FC0h
ror byte ptr [eax+00000034h], 00000000h
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
sub byte ptr [ebp-2B77FF20h], bh
jne 00007F9A7CBA9B06h
jo 00007F9A7CBA9B07h
outsb
jnc 00007F9A7CBA9B0Eh
outsb
add cl, bl
add byte ptr [esi], al
mov byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
add eax, 79A2685Bh
out B9h, eax
mov eax, dword ptr [A56F894Ah]
sbb dword ptr [esi+33505045h], ebp
in eax, ABh
movsd
pushfd
push ds
inc edi
inc eax
scasd
push edi
jc 00007F9A7CBA9A3Bh
je 00007F9A7CBA9ABAh
push ebx
jnle 00007F9A7CBA9ADCh
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
je 00007F9A7CBA9B0Bh
add byte ptr [eax], al
call far 0009h : 00000068h
push ebp
outsb
jo 00007F9A7CBA9B17h
jnc 00007F9A7CBA9B0Ah
xor eax, dword ptr fs:[eax]
or eax, 51000901h
jne 00007F9A7CBA9B07h
jc 00007F9A7CBA9B0Ch

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x23554	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x26000	0x90d5	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x100	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x229ac	0x23000	False	0.354959542411	data	5.0849300681	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x24000	0x13f0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x26000	0x90d5	0xa000	False	0.346411132813	data	4.35437576998	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x2e817	0x8be	MS Windows icon resource - 1 icon, 32x32, 8 bits/pixel	English	United States
INSTALL	0x2d39d	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
INSTALL	0x2ce9a	0x503	ISO-8859 text, with CRLF line terminators	English	United States
SETUP	0x2e519	0x2fe	MS Windows icon resource - 1 icon, 32x32, 16 colors	English	United States
SETUP	0x2dc5b	0x8be	MS Windows icon resource - 1 icon, 32x32	English	United States
RT_ICON	0x2bff2	0xea8	data
RT_ICON	0x2b74a	0x8a8	data
RT_ICON	0x2b082	0x6c8	data
RT_ICON	0x2ab1a	0x568	GLS_BINARY_LSB_FIRST
RT_ICON	0x28572	0x25a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x274ca	0x10a8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x26b42	0x988	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x266da	0x468	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x26664	0x76	data
RT_VERSION	0x263a0	0x2c4	data	Turkmen	Turkmenistan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaStrVarMove, __vbaFreeVarList, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFPFix, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaNew2, __vbaVar2Vec, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0442 0x04b0
LegalCopyright	Identiv
InternalName	Obumbration1
FileVersion	1.00
CompanyName	Identiv
LegalTrademarks	Identiv
ProductName	Identiv
ProductVersion	1.00
FileDescription	Identiv
OriginalFilename	Obumbration1.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Turkmen	Turkmenistan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: n#U00ba410000512664.exe PID: 3232 Parent PID: 5476

General

Start time:	14:05:13
Start date:	22/11/2021
Path:	C:\Users\user\Desktop\n#U00ba410000512664.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\n#U00ba410000512664.exe"
Imagebase:	0x400000
File size:	192512 bytes
MD5 hash:	7C91DB57C98A1F0E38BA65ED651B4779
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: n#U00ba410000512664.exe PID: 3232 Parent PID: 5476 n#U00ba410000512664.exeCOMMON

Executed Functions

Function 02206B59, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Download Yara Rule

APIs

RtlAddVectoredExceptionHandler.NTDLL ref: 02207913

Strings

vI^^, xrefs: 022074A6

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID: ExceptionHandlerVectored
String ID: vI^^
API String ID: 3310709589-3098581562
Opcode ID: 39b878f89f5b8c3569eb505e92ba11154311da5e125d226ee74c7d4780dcd4e4
Instruction ID: 7403cf1541442e0bda3e23e7d476ac2e2a2ad9be9bd710ae20514e337f263a0b
Opcode Fuzzy Hash: 39b878f89f5b8c3569eb505e92ba11154311da5e125d226ee74c7d4780dcd4e4
Instruction Fuzzy Hash: 3A61D070624349CFDB34DE64C9D57EA77A2EF49310F10812ACC4A8F69AD330AA41CB91

Uniqueness

Uniqueness Score: -1.00%

Function 004090A6, Relevance: 1.5, APIs: 1, Instructions: 279
memoryCOMMONCrypto

Download Yara Rule

C-Code - Quality: 41%

			E004090A6() {
				void* _t95;

				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *((intOrPtr*)(_t95 - 1))(_t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95, _t95);
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				 *((intOrPtr*)(_t95 - 1))();
				asm("arpl [ebp+0x31], sp");
			}

0x004090a6
0x004090a9
0x004090ac
0x004090af
0x004090b2
0x004090b5
0x004090b8
0x004090ba
0x004090bd
0x004090c0
0x004090c3
0x004090c6
0x004090c9
0x004090cc
0x004090cf
0x004090d2
0x004090d5
0x004090d8
0x004090db
0x004090de
0x004090e1
0x004090e4
0x004090e7
0x004090ea
0x004090ed
0x004090f0
0x004090f3
0x004090f6
0x004090f9
0x004090fc
0x004090ff
0x00409102
0x00409105
0x00409108
0x0040910b
0x0040910e
0x00409111
0x00409114
0x00409117
0x0040911a
0x0040911d
0x00409120
0x00409123
0x00409126
0x00409129
0x0040912c
0x0040912f
0x00409130
0x00409133
0x00409136
0x00409139
0x0040913c
0x0040913f
0x00409142
0x00409145
0x00409148
0x0040914b
0x0040914e
0x00409151
0x00409154
0x00409157
0x0040915a
0x0040915d
0x00409160
0x00409163
0x00409166
0x00409169
0x0040916c
0x0040916f
0x00409172
0x00409175
0x00409178
0x0040917b
0x0040917e
0x00409181
0x00409184
0x00409187
0x0040918a
0x0040918d
0x00409190
0x00409193
0x00409196
0x00409199
0x0040919c
0x0040919f
0x004091a2
0x004091a5
0x004091a8

APIs

VirtualAlloc.KERNELBASE(00000000,-760665F9,-D2FD2477,-457D82B5), ref: 004093A1

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 9af425cb16f488050c1cee96c630ccc42989450789e9ccd9fec85aba6ce82fda
Instruction ID: 83c7e78455ad517ca35449e9a4c06ec8ae45d743bf9e7ff757a8edb1f19fab3b
Opcode Fuzzy Hash: 9af425cb16f488050c1cee96c630ccc42989450789e9ccd9fec85aba6ce82fda
Instruction Fuzzy Hash: 6A9168B2804718AFEBC45F60D58A79E7BF0FF143A9F926409FC8252091D7BC89C58B81

Uniqueness

Uniqueness Score: -1.00%

Function 004224BC, Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 246
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E004224BC(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v16;
				intOrPtr _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				char _v40;
				void* _v44;
				intOrPtr _v48;
				void* _v52;
				signed int _v56;
				char _v60;
				intOrPtr _v68;
				char _v76;
				char _v92;
				char _v96;
				char* _v104;
				char _v112;
				void* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v152;
				signed int _v156;
				intOrPtr* _v160;
				signed int _v164;
				signed int _v168;
				intOrPtr* _v172;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				char* _t126;
				char* _t128;
				signed int _t136;
				signed int _t141;
				char* _t146;
				signed int _t150;
				signed int _t160;
				void* _t192;
				void* _t194;
				intOrPtr _t195;

				_t195 = _t194 - 0x18;
				 *[fs:0x0] = _t195;
				L004011D0();
				_v28 = _t195;
				_v24 = 0x401120;
				_v20 = 0;
				_v16 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, _t192);
				_v8 = 1;
				_v8 = 2;
				_v104 = L"1-1-1";
				_v112 = 8;
				L004012F6();
				_t126 =  &_v76;
				_push(_t126); // executed
				L004012C6(); // executed
				_v116 =  ~(0 | _t126 != 0x0000ffff);
				L00401314();
				if(_v116 != 0) {
					_v8 = 3;
					_push(0);
					L004012C0();
					_v8 = 4;
					_push(1);
					_push(1);
					_push(1);
					_push( &_v76);
					L004012B4();
					_push( &_v76);
					L004012BA();
					L00401302();
					L00401314();
					_v8 = 5;
					_push(0xffffffff);
					L004012C0();
					_v8 = 6;
					if( *0x4245b4 != 0) {
						_v160 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v160 = 0x4245b4;
					}
					_v116 =  *_v160;
					_t136 =  *((intOrPtr*)( *_v116 + 0x14))(_v116,  &_v60);
					asm("fclex");
					_v120 = _t136;
					if(_v120 >= 0) {
						_v164 = _v164 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v116);
						_push(_v120);
						L0040132C();
						_v164 = _t136;
					}
					_v124 = _v60;
					_t141 =  *((intOrPtr*)( *_v124 + 0xe8))(_v124,  &_v56);
					asm("fclex");
					_v128 = _t141;
					if(_v128 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0xe8);
						_push(0x408cac);
						_push(_v124);
						_push(_v128);
						L0040132C();
						_v168 = _t141;
					}
					_v152 = _v56;
					_v56 = _v56 & 0x00000000;
					L00401302();
					L004012EA();
					_v8 = 7;
					_v8 = 8;
					if( *0x424010 != 0) {
						_v172 = 0x424010;
					} else {
						_push(0x424010);
						_push(0x4083f0);
						L00401320();
						_v172 = 0x424010;
					}
					_t146 =  &_v60;
					L00401326();
					_v116 = _t146;
					_t150 =  *((intOrPtr*)( *_v116 + 0x170))(_v116,  &_v56, _t146,  *((intOrPtr*)( *((intOrPtr*)( *_v172)) + 0x30c))( *_v172));
					asm("fclex");
					_v120 = _t150;
					if(_v120 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x170);
						_push(0x408ce0);
						_push(_v116);
						_push(_v120);
						L0040132C();
						_v176 = _t150;
					}
					if( *0x4245b4 != 0) {
						_v180 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v180 = 0x4245b4;
					}
					_v124 =  *_v180;
					_v156 = _v56;
					_v56 = _v56 & 0x00000000;
					_v68 = _v156;
					_v76 = 8;
					_v104 = 0xc4;
					_v112 = 2;
					L004011D0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011D0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t160 =  *((intOrPtr*)( *_v124 + 0x38))(_v124, 0x10, 0x10,  &_v92);
					asm("fclex");
					_v128 = _t160;
					if(_v128 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x408c8c);
						_push(_v124);
						_push(_v128);
						L0040132C();
						_v184 = _t160;
					}
					_push( &_v92);
					_push( &_v96);
					L004012A8();
					_push( &_v96);
					_push( &_v40);
					L004012AE();
					L004012EA();
					_push( &_v92);
					_push( &_v76);
					_push(2);
					L004012CC();
				}
				_v8 = 0xa;
				_v48 = 0x78a6b3;
				_push(0x422881);
				_t128 =  &_v40;
				_push(_t128);
				_push(0);
				L004012A2();
				L004012F0();
				L004012F0();
				return _t128;
			}

0x004224bf
0x004224ce
0x004224da
0x004224e2
0x004224e5
0x004224ec
0x004224f3
0x00422502
0x00422505
0x0042250c
0x00422513
0x0042251a
0x00422527
0x0042252c
0x0042252f
0x00422530
0x00422540
0x00422547
0x00422552
0x00422558
0x0042255f
0x00422561
0x00422566
0x0042256d
0x0042256f
0x00422571
0x00422576
0x00422577
0x0042257f
0x00422580
0x0042258a
0x00422592
0x00422597
0x0042259e
0x004225a0
0x004225a5
0x004225b3
0x004225d0
0x004225b5
0x004225b5
0x004225ba
0x004225bf
0x004225c4
0x004225c4
0x004225e2
0x004225f1
0x004225f4
0x004225f6
0x004225fd
0x00422619
0x004225ff
0x004225ff
0x00422601
0x00422606
0x00422609
0x0042260c
0x00422611
0x00422611
0x00422623
0x00422632
0x00422638
0x0042263a
0x00422641
0x00422660
0x00422643
0x00422643
0x00422648
0x0042264d
0x00422650
0x00422653
0x00422658
0x00422658
0x0042266a
0x00422670
0x0042267d
0x00422685
0x0042268a
0x00422691
0x0042269f
0x004226bc
0x004226a1
0x004226a1
0x004226a6
0x004226ab
0x004226b0
0x004226b0
0x004226e0
0x004226e4
0x004226e9
0x004226f8
0x004226fe
0x00422700
0x00422707
0x00422726
0x00422709
0x00422709
0x0042270e
0x00422713
0x00422716
0x00422719
0x0042271e
0x0042271e
0x00422734
0x00422751
0x00422736
0x00422736
0x0042273b
0x00422740
0x00422745
0x00422745
0x00422763
0x00422769
0x0042276f
0x00422779
0x0042277c
0x00422783
0x0042278a
0x00422798
0x004227a2
0x004227a3
0x004227a4
0x004227a5
0x004227a9
0x004227b3
0x004227b4
0x004227b5
0x004227b6
0x004227bf
0x004227c2
0x004227c4
0x004227cb
0x004227e7
0x004227cd
0x004227cd
0x004227cf
0x004227d4
0x004227d7
0x004227da
0x004227df
0x004227df
0x004227f1
0x004227f5
0x004227f6
0x004227fe
0x00422802
0x00422803
0x0042280b
0x00422813
0x00422817
0x00422818
0x0042281a
0x0042281f
0x00422822
0x00422829
0x00422830
0x00422865
0x00422868
0x00422869
0x0042286b
0x00422873
0x0042287b
0x00422880

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004224DA
__vbaVarDup.MSVBVM60 ref: 00422527
#557.MSVBVM60(?), ref: 00422530
__vbaFreeVar.MSVBVM60(?), ref: 00422547
__vbaOnError.MSVBVM60(00000000,?), ref: 00422561
#539.MSVBVM60(?,00000001,00000001,00000001,00000000,?), ref: 00422577
__vbaStrVarMove.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 00422580
__vbaStrMove.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 0042258A
__vbaFreeVar.MSVBVM60(?,?,00000001,00000001,00000001,00000000,?), ref: 00422592
__vbaOnError.MSVBVM60(000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 004225A0
__vbaNew2.MSVBVM60(00408C9C,004245B4,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 004225BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 0042260C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,000000E8,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422653
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 0042267D
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 00422685
__vbaNew2.MSVBVM60(004083F0,00424010,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 004226AB
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000,?), ref: 004226E4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CE0,00000170,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001), ref: 00422719
__vbaNew2.MSVBVM60(00408C9C,004245B4,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001), ref: 00422740
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000), ref: 00422798
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001,00000001,00000001,00000000), ref: 004227A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000038,?,?,?,?,?,?,?,?,000000FF,?,?,00000001), ref: 004227DA
__vbaVar2Vec.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?,?,00000001), ref: 004227F6
__vbaAryMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?), ref: 00422803
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,000000FF,?), ref: 0042280B
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,?,?,?,?), ref: 0042281A
__vbaAryDestruct.MSVBVM60(00000000,?,00422881,?), ref: 0042286B
__vbaFreeStr.MSVBVM60(00000000,?,00422881,?), ref: 00422873
__vbaFreeStr.MSVBVM60(00000000,?,00422881,?), ref: 0042287B

Strings

1-1-1, xrefs: 00422513

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$ChkstkNew2$Error$#539#557DestructListVar2
String ID: 1-1-1
API String ID: 3049740634-1550238906
Opcode ID: 387cd591570286525ff3356044a243cd23a5dad8bcf11dab72fc859641b9700b
Instruction ID: 266805509d46f1263df445320976800c9ec1b5ea9bc499dbbfa868dfaf758611
Opcode Fuzzy Hash: 387cd591570286525ff3356044a243cd23a5dad8bcf11dab72fc859641b9700b
Instruction Fuzzy Hash: 17B10A70A00218EFDB20EFA1D945BDDBBB4BF08304F50416EE505B72A1D7B95A85CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00421C84, Relevance: 21.2, APIs: 14, Instructions: 220
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00421C84(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				signed int _v32;
				char _v36;
				char _v40;
				char _v56;
				char _v60;
				char _v64;
				signed int _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				intOrPtr* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v104;
				signed int _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _t136;
				signed int _t140;
				signed int _t143;
				signed int _t147;
				signed int _t151;
				char* _t155;
				signed int _t159;
				signed int _t165;
				signed int _t171;
				intOrPtr _t178;
				void* _t182;
				void* _t184;
				intOrPtr _t185;

				_t185 = _t184 - 0xc;
				 *[fs:0x0] = _t185;
				L004011D0();
				_v16 = _t185;
				_v12 = 0x401100;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x4011d6, _t182);
				_v68 = 0x429ee4;
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x3b28, 0xa572be70, 0x5b03,  &_v68,  &_v60);
				_v28 = _v60;
				_t136 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v68);
				_v76 = _t136;
				if(_v76 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x408b14);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v104 = _t136;
				}
				_v32 = _v68;
				_t140 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4);
				_v76 = _t140;
				if(_v76 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x408b14);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v108 = _t140;
				}
				_t143 =  *((intOrPtr*)( *_a4 + 0x700))(_a4);
				_v76 = _t143;
				if(_v76 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x408b14);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v112 = _t143;
				}
				if( *0x424010 != 0) {
					_v116 = 0x424010;
				} else {
					_push(0x424010);
					_push(0x4083f0);
					L00401320();
					_v116 = 0x424010;
				}
				_t147 =  &_v36;
				L00401326();
				_v76 = _t147;
				_t151 =  *((intOrPtr*)( *_v76 + 0x1f0))(_v76,  &_v60, _t147,  *((intOrPtr*)( *((intOrPtr*)( *_v116)) + 0x300))( *_v116));
				asm("fclex");
				_v80 = _t151;
				if(_v80 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x1f0);
					_push(0x408c60);
					_push(_v76);
					_push(_v80);
					L0040132C();
					_v120 = _t151;
				}
				if( *0x424010 != 0) {
					_v124 = 0x424010;
				} else {
					_push(0x424010);
					_push(0x4083f0);
					L00401320();
					_v124 = 0x424010;
				}
				_t178 =  *((intOrPtr*)( *_v124));
				_t155 =  &_v40;
				L00401326();
				_v84 = _t155;
				_t159 =  *((intOrPtr*)( *_v84 + 0x68))(_v84,  &_v68, _t155,  *((intOrPtr*)(_t178 + 0x2fc))( *_v124));
				asm("fclex");
				_v88 = _t159;
				if(_v88 >= 0) {
					_v128 = _v128 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x408c60);
					_push(_v84);
					_push(_v88);
					L0040132C();
					_v128 = _t159;
				}
				_v72 = 1;
				_v64 = _v60;
				_v128 = _v68;
				_t165 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v64, _t178,  &_v72);
				_v92 = _t165;
				if(_v92 >= 0) {
					_v132 = _v132 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x408b14);
					_push(_a4);
					_push(_v92);
					L0040132C();
					_v132 = _t165;
				}
				L0040131A();
				_t171 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v56, 2,  &_v36,  &_v40);
				_v76 = _t171;
				if(_v76 >= 0) {
					_v136 = _v136 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x408b14);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v136 = _t171;
				}
				L00401314();
				_v8 = 0;
				asm("wait");
				_push(0x421f83);
				return _t171;
			}

0x00421c87
0x00421c96
0x00421ca0
0x00421ca8
0x00421cab
0x00421cb8
0x00421cc1
0x00421ccc
0x00421ccf
0x00421cf5
0x00421cff
0x00421d0f
0x00421d15
0x00421d1c
0x00421d38
0x00421d1e
0x00421d1e
0x00421d23
0x00421d28
0x00421d2b
0x00421d2e
0x00421d33
0x00421d33
0x00421d3f
0x00421d4a
0x00421d50
0x00421d57
0x00421d73
0x00421d59
0x00421d59
0x00421d5e
0x00421d63
0x00421d66
0x00421d69
0x00421d6e
0x00421d6e
0x00421d7f
0x00421d85
0x00421d8c
0x00421da8
0x00421d8e
0x00421d8e
0x00421d93
0x00421d98
0x00421d9b
0x00421d9e
0x00421da3
0x00421da3
0x00421db3
0x00421dcd
0x00421db5
0x00421db5
0x00421dba
0x00421dbf
0x00421dc4
0x00421dc4
0x00421de8
0x00421dec
0x00421df1
0x00421e00
0x00421e06
0x00421e08
0x00421e0f
0x00421e2b
0x00421e11
0x00421e11
0x00421e16
0x00421e1b
0x00421e1e
0x00421e21
0x00421e26
0x00421e26
0x00421e36
0x00421e50
0x00421e38
0x00421e38
0x00421e3d
0x00421e42
0x00421e47
0x00421e47
0x00421e61
0x00421e6b
0x00421e6f
0x00421e74
0x00421e83
0x00421e86
0x00421e88
0x00421e8f
0x00421ea8
0x00421e91
0x00421e91
0x00421e93
0x00421e98
0x00421e9b
0x00421e9e
0x00421ea3
0x00421ea3
0x00421eac
0x00421eb7
0x00421ec3
0x00421ed2
0x00421ed8
0x00421edf
0x00421efb
0x00421ee1
0x00421ee1
0x00421ee6
0x00421eeb
0x00421eee
0x00421ef1
0x00421ef6
0x00421ef6
0x00421f09
0x00421f1d
0x00421f23
0x00421f2a
0x00421f49
0x00421f2c
0x00421f2c
0x00421f31
0x00421f36
0x00421f39
0x00421f3c
0x00421f41
0x00421f41
0x00421f53
0x00421f58
0x00421f5f
0x00421f60
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00421CA0
__vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B14,000006F8), ref: 00421D2E
__vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B14,000006FC), ref: 00421D69
__vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B14,00000700), ref: 00421D9E
__vbaNew2.MSVBVM60(004083F0,00424010), ref: 00421DBF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421DEC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C60,000001F0), ref: 00421E21
__vbaNew2.MSVBVM60(004083F0,00424010), ref: 00421E42
__vbaObjSet.MSVBVM60(?,00000000), ref: 00421E6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C60,00000068), ref: 00421E9E
__vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B14,00000704,?,00000001), ref: 00421EF1
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,00000001), ref: 00421F09
__vbaHresultCheckObj.MSVBVM60(00000000,00401100,00408B14,00000708), ref: 00421F3C
__vbaFreeVar.MSVBVM60(00000000,00401100,00408B14,00000708), ref: 00421F53

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$ChkstkList
String ID:
API String ID: 3534970231-0
Opcode ID: 707647235cb12848e6cd1c5957e942822c3f41b481e16c23d9bccf602e0a0f14
Instruction ID: 06049ec593bd119c9c6b2436696638d336533f58f4fb0c678c9d0fb946c2e4c9
Opcode Fuzzy Hash: 707647235cb12848e6cd1c5957e942822c3f41b481e16c23d9bccf602e0a0f14
Instruction Fuzzy Hash: C9A1F174A00218EFDB10DFA0D849BDDBBB5FF08305F60406AF905AB2A1C779A985DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004231BD, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004231BD(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L004011D0();
				_v12 = _t76;
				_v8 = 0x4011b8;
				L00401266();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4011d6, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x408ae4);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v84 = _t50;
				}
				_v32 = _v72;
				L00401266();
				L00401260();
				_v28 = E0042343E( &_v36);
				L004012EA();
				_v32 = E0042343E(_v28) + 0x2b0;
				E0042337D(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L004011D0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011D0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x408ae4);
					_push(_a4);
					_push(_v76);
					L0040132C();
					_v88 = _t62;
				}
				_push(0x423300);
				L004012EA();
				return _t62;
			}

0x004231bd
0x004231ce
0x004231d8
0x004231e0
0x004231e3
0x004231f1
0x00423202
0x00423205
0x00423207
0x0042320e
0x00423227
0x00423210
0x00423210
0x00423212
0x00423217
0x0042321a
0x0042321d
0x00423222
0x00423222
0x0042322e
0x00423238
0x00423241
0x0042324c
0x00423252
0x00423264
0x0042326d
0x00423272
0x00423279
0x00423280
0x00423287
0x00423291
0x0042329b
0x0042329c
0x0042329d
0x0042329e
0x004232a2
0x004232ac
0x004232ad
0x004232ae
0x004232af
0x004232b8
0x004232be
0x004232c0
0x004232c7
0x004232e3
0x004232c9
0x004232c9
0x004232ce
0x004232d3
0x004232d6
0x004232d9
0x004232de
0x004232de
0x004232e7
0x004232fa
0x004232ff

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004231D8
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,004011D6), ref: 004231F1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408AE4,00000058), ref: 0042321D
__vbaObjSetAddref.MSVBVM60(?,?), ref: 00423238
#644.MSVBVM60(?,?,?), ref: 00423241
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 00423252
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 00423291
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 004232A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408AE4,000002B0), ref: 004232D9
__vbaFreeObj.MSVBVM60(00423300), ref: 004232FA

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: df93c6eebebb03e5c7ec028111eaf47f5a5ad80a155a08bf4a2f570f89c85dfa
Instruction ID: 35e3565e91d48bafe10480dd2871606d4474985bee7c760e1338b44c535c9c52
Opcode Fuzzy Hash: df93c6eebebb03e5c7ec028111eaf47f5a5ad80a155a08bf4a2f570f89c85dfa
Instruction Fuzzy Hash: 30413771900618EFDF01EFA1D846B9EBBB5FF08305F50042AF900BB1A0C7BD9A459B58

Uniqueness

Uniqueness Score: -1.00%

Function 00423087, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E00423087(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				signed int _v108;
				signed int _v120;
				signed int _t42;
				char* _t46;
				void* _t49;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L004011D0();
				_v16 = _t62;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x4011d6, _t59);
				 *_a8 =  *_a8 & 0x00000000;
				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v108 = _t42;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x408ae4);
					_push(_a4);
					_push(_v108);
					L0040132C();
					_v120 = _t42;
				}
				E004234B0();
				_v96 = 2;
				_v104 = 2;
				L004012E4();
				_v96 = 0x812358;
				_v104 = 3;
				L004012E4();
				_t46 =  &_v88;
				L0040126C();
				L00401272();
				_t49 =  *((intOrPtr*)( *_a4 + 0x714))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
				_push(0x423194);
				L00401314();
				L00401314();
				return _t49;
			}

0x0042308a
0x00423099
0x004230a3
0x004230ab
0x004230ae
0x004230b5
0x004230c4
0x004230ca
0x004230d5
0x004230db
0x004230dd
0x004230e4
0x00423100
0x004230e6
0x004230e6
0x004230eb
0x004230f0
0x004230f3
0x004230f6
0x004230fb
0x004230fb
0x00423104
0x00423109
0x00423110
0x0042311d
0x00423122
0x00423129
0x00423136
0x00423143
0x00423147
0x0042314d
0x0042315b
0x00423161
0x00423186
0x0042318e
0x00423193

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004230A3
__vbaHresultCheckObj.MSVBVM60(00000000,004011A8,00408AE4,000002B4), ref: 004230F6
__vbaVarMove.MSVBVM60(00000000,004011A8,00408AE4,000002B4), ref: 0042311D
__vbaVarMove.MSVBVM60(00000000,004011A8,00408AE4,000002B4), ref: 00423136
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 00423147
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0042314D
__vbaFreeVar.MSVBVM60(00423194), ref: 00423186
__vbaFreeVar.MSVBVM60(00423194), ref: 0042318E

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckChkstkHresultIdiv
String ID:
API String ID: 3577542843-0
Opcode ID: b2889f3ed02d0fc0c7166160f61c0f8569b10a4a35a12072140a15e3ea59228b
Instruction ID: 47a2f8ca0f5dd4149621c678aa3206a8ebfb250f515c7ac63d6253f28e915492
Opcode Fuzzy Hash: b2889f3ed02d0fc0c7166160f61c0f8569b10a4a35a12072140a15e3ea59228b
Instruction Fuzzy Hash: C831C971900208AFDB00EFA5C98ABDDBBB4FF04705F50406AF509BB1A1D779AA55CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040134C, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 182COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401351

Strings

VB5!6&*, xrefs: 0040134C

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 947d84dd350a229915c56cfc55d153a84666ebd25babe5bdad98e3a3005d6114
Instruction ID: 111a99d32bcfc37a4f4cdf578b0a46f67812d941b1e43c4b2dc6784c35cfbcd7
Opcode Fuzzy Hash: 947d84dd350a229915c56cfc55d153a84666ebd25babe5bdad98e3a3005d6114
Instruction Fuzzy Hash: B15165A249E7C15FD3435BB498255923FB0AE5326471B44EBC4C1DF4B3E2684D0AC736

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 021FE22D, Relevance: 8.5, Strings: 6, Instructions: 973COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
?[d), xrefs: 021FE4A3
lYf., xrefs: 021FE378
QXj4, xrefs: 021FB240
m,, xrefs: 02202994
*0X5, xrefs: 021FEB2C

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: *0X5$?[d)$L$QXj4$lYf.$m,
API String ID: 0-1186540388
Opcode ID: 6e8ff2c4e00e26d5a852359f3af432e4b7046cecce3c1a1a5d3428f1ffff04aa
Instruction ID: 8b60bedfbc136661115da65ddae25577ef0702e61674bafc643a34e498a7f11b
Opcode Fuzzy Hash: 6e8ff2c4e00e26d5a852359f3af432e4b7046cecce3c1a1a5d3428f1ffff04aa
Instruction Fuzzy Hash: A39211B1644389DFDB749F28CD45BEA7BB2FF48300F51812ADD999B254D3309A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 021F9836, Relevance: 4.5, Strings: 3, Instructions: 797COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240
m,, xrefs: 02202994

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4$m,
API String ID: 0-2799479184
Opcode ID: b7e5ce26afefa02bcfb089cbf1b3f3559fe1d47208fb253ff1b3dc5542b250df
Instruction ID: fb7f254ce2c4572c8e61428fec16b472cb6d77f87629a508ee055257da934d94
Opcode Fuzzy Hash: b7e5ce26afefa02bcfb089cbf1b3f3559fe1d47208fb253ff1b3dc5542b250df
Instruction Fuzzy Hash: CA720FB2644349DFDB749F29CD857DA7BB2FF98300F46812ADD999B214D3309A81CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9858, Relevance: 3.2, Strings: 2, Instructions: 738COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 8ab2d652c02f913347cf21fa33989ffd17a8fef73622957fb064d6d27db994b3
Instruction ID: d57e0579797fdbe0b9c02addafa0c1711dfe06a60de198cc92e75ec5b323c7ae
Opcode Fuzzy Hash: 8ab2d652c02f913347cf21fa33989ffd17a8fef73622957fb064d6d27db994b3
Instruction Fuzzy Hash: D86221B1A44349CFDBB49F68C9857DA7BB2FF48300F42452DDDA99B214D3319A94CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9950, Relevance: 3.2, Strings: 2, Instructions: 729COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 3ec236bfad5f39cc219da13bf627d433e05cc4938c3d2ad5c8536a5683148219
Instruction ID: 5ee7363a69a33b283cd18602b00b68fc1d690552cb5e0be2a0a21dbb9285b0b3
Opcode Fuzzy Hash: 3ec236bfad5f39cc219da13bf627d433e05cc4938c3d2ad5c8536a5683148219
Instruction Fuzzy Hash: 226221B1A44349CFDBB49F28C9897DA7BB2FF88300F42452DDD999B214D3315A95CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9AAB, Relevance: 3.2, Strings: 2, Instructions: 698COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 93ffbbaaf83685123de453fba580a58abe0d6d3757a4f21331d172d5b6b998c8
Instruction ID: 39b96ee82901b7aa52c9ee7cad6bff5bbe05bc24016b16c7ee8d184585afbb8d
Opcode Fuzzy Hash: 93ffbbaaf83685123de453fba580a58abe0d6d3757a4f21331d172d5b6b998c8
Instruction Fuzzy Hash: 175220B1A40349CFDBB49F28C9897DA7BB2FF88300F41452DDDA99B214D3719A94CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9BD3, Relevance: 3.2, Strings: 2, Instructions: 684COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 2d5d57e16b2ddf8295d743236ac1a44f6bb1d074828c85a9472e7f4cac8d4357
Instruction ID: 19cf918bdcfa3c0ac40386cd7cfb2022bd6268e5cc987578f118e67b8c53a76d
Opcode Fuzzy Hash: 2d5d57e16b2ddf8295d743236ac1a44f6bb1d074828c85a9472e7f4cac8d4357
Instruction Fuzzy Hash: C65221B1A40349CFDB749F68C9897DA7BB2FF88300F41452DDDA99B214D3319A95CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9D50, Relevance: 3.1, Strings: 2, Instructions: 646COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 2c3c0e0da26673123c7eeb87a21a0f1ffd42afe4abaa7c71fffad86e6cf6aaa3
Instruction ID: 184ae6823f64d90946e43de0c437d3acdeb980cf7ecae248451f4cb882b4afc5
Opcode Fuzzy Hash: 2c3c0e0da26673123c7eeb87a21a0f1ffd42afe4abaa7c71fffad86e6cf6aaa3
Instruction Fuzzy Hash: A54211B2A40389CFDBB49F28CD857DA7BB2FF88300F414529DDA99B214D3315A95CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9E78, Relevance: 3.1, Strings: 2, Instructions: 626COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: 1e2d93d1e6e816346497ea2f943e28d6d9178c1f8463271a083d1478e81c487a
Instruction ID: c9ab3e710163207ce07c9a5147e942f380377681e9ac96d893d756468a7c4495
Opcode Fuzzy Hash: 1e2d93d1e6e816346497ea2f943e28d6d9178c1f8463271a083d1478e81c487a
Instruction Fuzzy Hash: D34222B1A40389CFDFB49F68C9897DA7BB2FF48300F414529DDA89B214D3315A94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021F9FAC, Relevance: 3.1, Strings: 2, Instructions: 602COMMON

Download Yara Rule

Strings

L, xrefs: 021FA0A2
QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: L$QXj4
API String ID: 0-1386316327
Opcode ID: f5893a7f1fad31939a8789963b6451a40a2e212028956141b2e7a7263d062b7b
Instruction ID: 4463e7cbc2cede2a47623aab54c69c15aaa6a3392df6b6c31f4c639fe9d5aa2c
Opcode Fuzzy Hash: f5893a7f1fad31939a8789963b6451a40a2e212028956141b2e7a7263d062b7b
Instruction Fuzzy Hash: 2C4231B1A44389CFDFB49F68C9897DA7BB2FF48300F414529DDA89B214D3315A94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021FA0EF, Relevance: 1.8, Strings: 1, Instructions: 563COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 995695b6bf936a7a9d429bf72d89eca50dcbe4fc4e9da078a7ef9964303829ac
Instruction ID: ae28c5b4926391bb990ca49fbb49032be3a05df460bed47b959564313514fdd5
Opcode Fuzzy Hash: 995695b6bf936a7a9d429bf72d89eca50dcbe4fc4e9da078a7ef9964303829ac
Instruction Fuzzy Hash: 5F321FB1944389CFCBB49F68CD897DA7BB2FF48300F424529DDA98B214D3315A94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021FA364, Relevance: 1.8, Strings: 1, Instructions: 513COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: f5cac3b6c39496a227cfd2c2515bfec6a4b6a54a97bc6bedc3f9fe0e855d3fac
Instruction ID: 5e911bd63379657ce11e79e65fdd05c4b90fb0ebf159d10b1e83d5ad7bb71a0c
Opcode Fuzzy Hash: f5cac3b6c39496a227cfd2c2515bfec6a4b6a54a97bc6bedc3f9fe0e855d3fac
Instruction Fuzzy Hash: 4C2220B1944389CFCFB49F68C9897EA3BB2FF48300F414529DDA99B214D3715A94CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021FA4CC, Relevance: 1.7, Strings: 1, Instructions: 477COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 6e15722088ed7bcc81bcb1c5b4c55731bb4bdd9890e40a1739ff61411e98d17c
Instruction ID: d917adb4df2ca7adf82f8ce965d0f57af2fecc3850735ecbaf4bb1bacff7373e
Opcode Fuzzy Hash: 6e15722088ed7bcc81bcb1c5b4c55731bb4bdd9890e40a1739ff61411e98d17c
Instruction Fuzzy Hash: 301220B1944388CFCFB49F68C9897EA37B2FF88300F424529DDA99B254D3315A94CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021FA320, Relevance: 1.7, Strings: 1, Instructions: 460COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 91323befbb0d5eed078c5e5011ed1ef730662584b0931211546e56c04f73159b
Instruction ID: a45ee6ca8b4192706e1cf2343eaf06861f90f7b70550a3769f357144fb459408
Opcode Fuzzy Hash: 91323befbb0d5eed078c5e5011ed1ef730662584b0931211546e56c04f73159b
Instruction Fuzzy Hash: C51212B2A44349DFCBB49F28CD457DA7BB2FF58300F468529DD999B214D3309A81CB82

Uniqueness

Uniqueness Score: -1.00%

Function 021FA75D, Relevance: 1.7, Strings: 1, Instructions: 420COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 5865564c2128b329233bcbf0eef2fad4e7e8a1aaedc39faef5f5062159280180
Instruction ID: a545673aa85cffb135f9bbc2e0b57bd7e14db4a49b0e6d33733c9e6d29b097fc
Opcode Fuzzy Hash: 5865564c2128b329233bcbf0eef2fad4e7e8a1aaedc39faef5f5062159280180
Instruction Fuzzy Hash: D60221B1980388CFCFB49F68C9857EA37B2FF88300F414529DDA99B214D3725A94CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021FA878, Relevance: 1.6, Strings: 1, Instructions: 398COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: b03ef88d1ebb563ea696be7b206d9e0bbd8bfad133bdbcdcee99ea7cfdd0f428
Instruction ID: 86c46a64e3dfa22cd31beb594107a3118046ff5d88a52fbddad4f7ce6a0999b5
Opcode Fuzzy Hash: b03ef88d1ebb563ea696be7b206d9e0bbd8bfad133bdbcdcee99ea7cfdd0f428
Instruction Fuzzy Hash: E4F121B1980388CFCFB49F68D9897EA37B2FF48300F450429DDA99B214D3725A95CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021FA9B7, Relevance: 1.6, Strings: 1, Instructions: 368COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: d697eaa29d656c7b0a268555a15079a9aec6c09f950ae2a2a8259d7cfcb85403
Instruction ID: 30ad4c42a87650de2bfa91cdcd2fa1250ca09d9f7871d80b18e44e99757924bb
Opcode Fuzzy Hash: d697eaa29d656c7b0a268555a15079a9aec6c09f950ae2a2a8259d7cfcb85403
Instruction Fuzzy Hash: 5DF111B1980388CFCFB49F68C9897EA37B2FF48304F464429DDA99B214D3725A94CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021FAADB, Relevance: 1.6, Strings: 1, Instructions: 349COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: e3ebe9e53c491e3d6c12b53327fffda10ef46144b9a57d457e70a9ef38c41c83
Instruction ID: c9b5ba78c95c32c2228d70bc3c3bf286dddcf1e5aed584899173011b9a2b3246
Opcode Fuzzy Hash: e3ebe9e53c491e3d6c12b53327fffda10ef46144b9a57d457e70a9ef38c41c83
Instruction Fuzzy Hash: 70E10FB1980388CFCFB49F68D9897EA37B2FF48304F450429DDA98B214D3725A94CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021FAC2E, Relevance: 1.6, Strings: 1, Instructions: 321COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 41410bcc504d6b765aa4fe2187602bba448d2fd20d006c26059dfb0775449c9b
Instruction ID: 7734ea7c9f8daa20485f3f3fee6cb1cf793453562149238e889481c859136a72
Opcode Fuzzy Hash: 41410bcc504d6b765aa4fe2187602bba448d2fd20d006c26059dfb0775449c9b
Instruction Fuzzy Hash: 37D1F0B1940748CFCFB49F68D9897EA37B2FF84304F414529DDA98B254C3725A68CB91

Uniqueness

Uniqueness Score: -1.00%

Function 021FAD6F, Relevance: 1.5, Strings: 1, Instructions: 295COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 17ec5ddc4ad7cece7ab56687f38eb559aedf7be19eae994ca6d26c09c167b56e
Instruction ID: 39bb6c64b3c1082b8678deb8c8cd3a24ef28cac60a46c2a696a3d0e1084fc451
Opcode Fuzzy Hash: 17ec5ddc4ad7cece7ab56687f38eb559aedf7be19eae994ca6d26c09c167b56e
Instruction Fuzzy Hash: E0C104B1940248CFCFB49F68D9887EE37B2FF88304F414519DD694B245C7725A68CB81

Uniqueness

Uniqueness Score: -1.00%

Function 021FAED8, Relevance: 1.5, Strings: 1, Instructions: 269COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: 509f950b1097f8de7b8824f5af1265ab751ea36561fe8786b3031e59612a54c7
Instruction ID: cfabfc84b8b0c707ef8b9c1445344fa1237bd7e0cec779557ab02d770386a91e
Opcode Fuzzy Hash: 509f950b1097f8de7b8824f5af1265ab751ea36561fe8786b3031e59612a54c7
Instruction Fuzzy Hash: 84B1D0B1980244CFDFB49F68D8897EE37B2FF88304F814528DDA94B249D3725A68CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021FB044, Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

QXj4, xrefs: 021FB240

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: QXj4
API String ID: 0-2398928715
Opcode ID: b255ce4e08f0c6e64fafd6c0ece853f5aa121baf53764dea965ec26ffd1cec5e
Instruction ID: d5c415c30cf3af07ab7640b7c656cd23924a27135e41d19df9493acdeb9a9a50
Opcode Fuzzy Hash: b255ce4e08f0c6e64fafd6c0ece853f5aa121baf53764dea965ec26ffd1cec5e
Instruction Fuzzy Hash: 28A1CFB1994244CBDF78AF68D9C87EE37B2FF88304F804528DD694B259C3721668CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F8730, Relevance: 1.4, Strings: 1, Instructions: 156COMMON

Download Yara Rule

Strings

5}v, xrefs: 021F8868

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: 5}v
API String ID: 0-3834742670
Opcode ID: 8b0a111b3208f9a602bcfeb0f318beab8f0a39287bcfe57b5a7d87ae6cf90c11
Instruction ID: 8c2c14c7efcc63928befcb05dde7f7fe1ee07b7bf9bfbc719c1a345e7c2a7727
Opcode Fuzzy Hash: 8b0a111b3208f9a602bcfeb0f318beab8f0a39287bcfe57b5a7d87ae6cf90c11
Instruction Fuzzy Hash: AB51E4B0CA0681CFCF799F6CA1D86A93B62BB81344B550A9DDD720B28BD7B31139C751

Uniqueness

Uniqueness Score: -1.00%

Function 02204AF5, Relevance: 1.3, Strings: 1, Instructions: 98COMMON

Download Yara Rule

Strings

_2, xrefs: 02204BF2

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: _2
API String ID: 0-3022848740
Opcode ID: eb3a249bbf13bbb25c1980c7aeb8a29e5af1fb5546f66fe61a9390f69dae562e
Instruction ID: 7e6155eae0155de2855ec5cd1d53aa7505b1a547f5a3272f5fd8d8394541142a
Opcode Fuzzy Hash: eb3a249bbf13bbb25c1980c7aeb8a29e5af1fb5546f66fe61a9390f69dae562e
Instruction Fuzzy Hash: 67316779218345CBCB34EF68C9C47EB7362BF96310F95812EDD4A8B20AE7B04506C701

Uniqueness

Uniqueness Score: -1.00%

Function 02202D07, Relevance: 1.3, Strings: 1, Instructions: 94COMMON

Download Yara Rule

Strings

_,Hm, xrefs: 02202D25

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: _,Hm
API String ID: 0-2296293252
Opcode ID: ebe6a589a58e716a4717753ea7431e3d8f147f0e766e9083d3a1c32dcd434904
Instruction ID: db9847e36a26e0f5d6109df4bb89adc99a93294f5b50b7678e57812ee43957de
Opcode Fuzzy Hash: ebe6a589a58e716a4717753ea7431e3d8f147f0e766e9083d3a1c32dcd434904
Instruction Fuzzy Hash: 7F315972650345DBD7B18E7889C83CBB6A26FA8300F94CA2F9E89D730AD730CA41C744

Uniqueness

Uniqueness Score: -1.00%

Function 022032C9, Relevance: 1.3, Strings: 1, Instructions: 89COMMON

Download Yara Rule

Strings

m,, xrefs: 02202994

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: m,
API String ID: 0-3298887948
Opcode ID: 6f8a5a56c160b4f27c1107a30f5d13374875f7530665e7636d12a4a71b5f537b
Instruction ID: 495a58f5dd97f5e570ca6a242d01c9f615a52a87fcb89951c880ea7e40fc6b2e
Opcode Fuzzy Hash: 6f8a5a56c160b4f27c1107a30f5d13374875f7530665e7636d12a4a71b5f537b
Instruction Fuzzy Hash: EB317A74624789DFDB70DF69C9C8BDA37E1AF88720F518466E809CB29AD770DA40CB11

Uniqueness

Uniqueness Score: -1.00%

Function 021FB186, Relevance: .2, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 759ac4f92187867b4596e7b45ca871aac3ff6130d2abf66560d4a9c8b5e92a7b
Instruction ID: 8ec4785c9ecc76232f71a181c8972b0ce18b99e7cce4f0170b1978c7075bf200
Opcode Fuzzy Hash: 759ac4f92187867b4596e7b45ca871aac3ff6130d2abf66560d4a9c8b5e92a7b
Instruction Fuzzy Hash: A091AFB0994684CFDFB4AF68E9C97EE37A2FF48304F404518DD694B255C3725A68CB41

Uniqueness

Uniqueness Score: -1.00%

Function 021F0B33, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c605604eb2c843ac7930e31ec2c31cd029b043e9fd1a27e8774b4231e0c5f24
Instruction ID: 9e0d4a212d13070c498e4df1fbcf7a80f15a7d9f95e898d0a2a300936854e802
Opcode Fuzzy Hash: 4c605604eb2c843ac7930e31ec2c31cd029b043e9fd1a27e8774b4231e0c5f24
Instruction Fuzzy Hash: 5251E6718A4781CFCBB4AF78A1D96A93BA6FF49340B50095DDDB10B65FD3A30129CB42

Uniqueness

Uniqueness Score: -1.00%

Function 021F9314, Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2974f383a1f8782345de5fd74c64d863e3c2d1e810f743bfd29dcfde5ce1f3f4
Instruction ID: 0de12cb3a9b168a57bd47c77dd799b58c1a0680a6ad9bbe6b40a82bd0a0f38c5
Opcode Fuzzy Hash: 2974f383a1f8782345de5fd74c64d863e3c2d1e810f743bfd29dcfde5ce1f3f4
Instruction Fuzzy Hash: CB518371990744CBDFB8AF69A1D57EF37A2BB88304F80052DCD7A0B289C7726529CB51

Uniqueness

Uniqueness Score: -1.00%

Function 021F92A8, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc8f1c137f07904484c88c1217c00db2c40521dc7f3fc8b5c7c22cc5243a19de
Instruction ID: 4cba0bde626e059bff458ea9f906d61549098f2637750b8029e08af3bc8e1e40
Opcode Fuzzy Hash: dc8f1c137f07904484c88c1217c00db2c40521dc7f3fc8b5c7c22cc5243a19de
Instruction Fuzzy Hash: F151F472645388CFDBB89E6585E07DB73F2AF58200F55012FCA6E5B750C734AA41CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021FD4B3, Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58a526ef954f41ad5734385cc7ac758fa4b1f605979f415ddb884e5c3e2f0060
Instruction ID: 64c36c19ffb31525b68a2353b1940a35ceed9eaeb5f6cf976869ec8039ece91e
Opcode Fuzzy Hash: 58a526ef954f41ad5734385cc7ac758fa4b1f605979f415ddb884e5c3e2f0060
Instruction Fuzzy Hash: E611E1792083458FEB24AE75C955AAFB7F2AF80340F82891DD9DA87510C3709984CB03

Uniqueness

Uniqueness Score: -1.00%

Function 021FCAA8, Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4881f776ef4f6a70351bc4c905b6b64301b5952d694321bdc965d66733012720
Instruction ID: 347fef50bd15a79e6c31f4453caec9009dd873e783d85af25cb221d137dd7e5c
Opcode Fuzzy Hash: 4881f776ef4f6a70351bc4c905b6b64301b5952d694321bdc965d66733012720
Instruction Fuzzy Hash: 43C08C029E63390F05D69A34A32422F29038A81AAC30286851D2CFA58DEF04CF5A24EA

Uniqueness

Uniqueness Score: -1.00%

Function 021FC664, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 0220286B, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.781957449.00000000021F0000.00000040.00000001.sdmp, Offset: 021F0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Function 00421FA2, Relevance: 68.6, APIs: 37, Strings: 2, Instructions: 307
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00421FA2(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				void* _v32;
				void* _v48;
				long long _v56;
				signed int _v60;
				short _v64;
				signed int _v68;
				char _v72;
				char _v88;
				char _v104;
				char* _v112;
				intOrPtr _v120;
				void* _v124;
				void* _v128;
				signed int _v132;
				signed int _v136;
				void* _v140;
				signed int _v144;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				signed int _v184;
				intOrPtr* _v188;
				signed int _v192;
				signed int _v196;
				intOrPtr* _v200;
				signed int _v204;
				signed int _t169;
				signed int _t170;
				signed int _t178;
				signed int _t182;
				short _t183;
				signed int _t189;
				signed int _t194;
				signed int _t201;
				signed int _t206;
				signed int _t213;
				signed int _t218;
				void* _t254;
				intOrPtr _t256;
				long long _t271;

				 *[fs:0x0] = _t256;
				L004011D0();
				_v12 = _t256;
				_v8 = 0x401110;
				_t169 =  *((intOrPtr*)( *_a4 + 0xe8))(_a4,  &_v128, __edi, __esi, __ebx,  *[fs:0x0], 0x4011d6, __ecx, __ecx, _t254);
				asm("fclex");
				_v132 = _t169;
				if(_v132 >= 0) {
					_v160 = _v160 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x408ae4);
					_push(_a4);
					_push(_v132);
					L0040132C();
					_v160 = _t169;
				}
				_t271 = _v128;
				L0040130E();
				_v60 = _t169;
				_v112 = 0x408c74;
				_v120 = 8;
				L004012F6();
				_t170 =  &_v88;
				_push(_t170);
				L004012FC();
				L00401302();
				_push(_t170);
				_push(0);
				L00401308();
				asm("sbb eax, eax");
				_v132 =  ~( ~_t170 + 1);
				L004012F0();
				L00401314();
				if(_v132 != 0) {
					if( *0x4245b4 != 0) {
						_v164 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v164 = 0x4245b4;
					}
					_v132 =  *_v164;
					_t189 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
					asm("fclex");
					_v136 = _t189;
					if(_v136 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v132);
						_push(_v136);
						L0040132C();
						_v168 = _t189;
					}
					_v140 = _v72;
					_t194 =  *((intOrPtr*)( *_v140 + 0x68))(_v140,  &_v124);
					asm("fclex");
					_v144 = _t194;
					if(_v144 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x408cac);
						_push(_v140);
						_push(_v144);
						L0040132C();
						_v172 = _t194;
					}
					_v64 = _v124;
					L004012EA();
					if( *0x4245b4 != 0) {
						_v176 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v176 = 0x4245b4;
					}
					_v132 =  *_v176;
					_t201 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
					asm("fclex");
					_v136 = _t201;
					if(_v136 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v132);
						_push(_v136);
						L0040132C();
						_v180 = _t201;
					}
					_v140 = _v72;
					_t206 =  *((intOrPtr*)( *_v140 + 0xd0))(_v140,  &_v68);
					asm("fclex");
					_v144 = _t206;
					if(_v144 >= 0) {
						_v184 = _v184 & 0x00000000;
					} else {
						_push(0xd0);
						_push(0x408cac);
						_push(_v140);
						_push(_v144);
						L0040132C();
						_v184 = _t206;
					}
					_v152 = _v68;
					_v68 = _v68 & 0x00000000;
					L00401302();
					L004012EA();
					if( *0x4245b4 != 0) {
						_v188 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v188 = 0x4245b4;
					}
					_v132 =  *_v188;
					_t213 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v72);
					asm("fclex");
					_v136 = _t213;
					if(_v136 >= 0) {
						_v192 = _v192 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v132);
						_push(_v136);
						L0040132C();
						_v192 = _t213;
					}
					_v140 = _v72;
					_t218 =  *((intOrPtr*)( *_v140 + 0x110))(_v140,  &_v68);
					asm("fclex");
					_v144 = _t218;
					if(_v144 >= 0) {
						_v196 = _v196 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x408cac);
						_push(_v140);
						_push(_v144);
						L0040132C();
						_v196 = _t218;
					}
					_v156 = _v68;
					_v68 = _v68 & 0x00000000;
					L00401302();
					L004012EA();
					_push( &_v88);
					L004012D8();
					_push(1);
					_push( &_v88);
					_push( &_v104);
					L004012DE();
					L004012E4();
					L00401314();
					_v112 = L"UNCHIC";
					_v120 = 8;
					L004012F6();
					_push(2);
					_push( &_v88);
					L004012D2();
					_v56 = _t271;
					L00401314();
				}
				if( *0x424010 != 0) {
					_v200 = 0x424010;
				} else {
					_push(0x424010);
					_push(0x4083f0);
					L00401320();
					_v200 = 0x424010;
				}
				_t178 =  &_v72;
				L00401326();
				_v132 = _t178;
				_t182 =  *((intOrPtr*)( *_v132 + 0xf8))(_v132,  &_v124, _t178,  *((intOrPtr*)( *((intOrPtr*)( *_v200)) + 0x2fc))( *_v200));
				asm("fclex");
				_v136 = _t182;
				if(_v136 >= 0) {
					_v204 = _v204 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x408c60);
					_push(_v132);
					_push(_v136);
					L0040132C();
					_v204 = _t182;
				}
				_t183 = _v124;
				_v28 = _t183;
				L004012EA();
				asm("wait");
				_push(0x42249f);
				L004012F0();
				L004012F0();
				L00401314();
				return _t183;
			}

0x00421fb3
0x00421fbf
0x00421fc7
0x00421fca
0x00421fdd
0x00421fe3
0x00421fe5
0x00421fec
0x0042200b
0x00421fee
0x00421fee
0x00421ff3
0x00421ff8
0x00421ffb
0x00421ffe
0x00422003
0x00422003
0x00422012
0x00422015
0x0042201a
0x0042201d
0x00422024
0x00422031
0x00422036
0x00422039
0x0042203a
0x00422044
0x00422049
0x0042204a
0x0042204c
0x00422053
0x00422058
0x0042205f
0x00422067
0x00422072
0x0042207f
0x0042209c
0x00422081
0x00422081
0x00422086
0x0042208b
0x00422090
0x00422090
0x004220ae
0x004220bd
0x004220c0
0x004220c2
0x004220cf
0x004220ee
0x004220d1
0x004220d1
0x004220d3
0x004220d8
0x004220db
0x004220e1
0x004220e6
0x004220e6
0x004220f8
0x00422110
0x00422113
0x00422115
0x00422122
0x00422144
0x00422124
0x00422124
0x00422126
0x0042212b
0x00422131
0x00422137
0x0042213c
0x0042213c
0x0042214f
0x00422156
0x00422162
0x0042217f
0x00422164
0x00422164
0x00422169
0x0042216e
0x00422173
0x00422173
0x00422191
0x004221a0
0x004221a3
0x004221a5
0x004221b2
0x004221d1
0x004221b4
0x004221b4
0x004221b6
0x004221bb
0x004221be
0x004221c4
0x004221c9
0x004221c9
0x004221db
0x004221f3
0x004221f9
0x004221fb
0x00422208
0x0042222d
0x0042220a
0x0042220a
0x0042220f
0x00422214
0x0042221a
0x00422220
0x00422225
0x00422225
0x00422237
0x0042223d
0x0042224a
0x00422252
0x0042225e
0x0042227b
0x00422260
0x00422260
0x00422265
0x0042226a
0x0042226f
0x0042226f
0x0042228d
0x0042229c
0x0042229f
0x004222a1
0x004222ae
0x004222cd
0x004222b0
0x004222b0
0x004222b2
0x004222b7
0x004222ba
0x004222c0
0x004222c5
0x004222c5
0x004222d7
0x004222ef
0x004222f5
0x004222f7
0x00422304
0x00422329
0x00422306
0x00422306
0x0042230b
0x00422310
0x00422316
0x0042231c
0x00422321
0x00422321
0x00422333
0x00422339
0x00422346
0x0042234e
0x00422356
0x00422357
0x0042235c
0x00422361
0x00422365
0x00422366
0x00422371
0x00422379
0x0042237e
0x00422385
0x00422392
0x00422397
0x0042239c
0x0042239d
0x004223a2
0x004223a8
0x004223a8
0x004223b4
0x004223d1
0x004223b6
0x004223b6
0x004223bb
0x004223c0
0x004223c5
0x004223c5
0x004223f5
0x004223f9
0x004223fe
0x0042240d
0x00422413
0x00422415
0x00422422
0x00422444
0x00422424
0x00422424
0x00422429
0x0042242e
0x00422431
0x00422437
0x0042243c
0x0042243c
0x0042244b
0x0042244f
0x00422456
0x0042245b
0x0042245c
0x00422489
0x00422491
0x00422499
0x0042249e

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00421FBF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408AE4,000000E8), ref: 00421FFE
__vbaFpI4.MSVBVM60(00000000,?,00408AE4,000000E8), ref: 00422015
__vbaVarDup.MSVBVM60(00000000,?,00408AE4,000000E8), ref: 00422031
#667.MSVBVM60(?), ref: 0042203A
__vbaStrMove.MSVBVM60(?), ref: 00422044
__vbaStrCmp.MSVBVM60(00000000,00000000,?), ref: 0042204C
__vbaFreeStr.MSVBVM60(00000000,00000000,?), ref: 0042205F
__vbaFreeVar.MSVBVM60(00000000,00000000,?), ref: 00422067
__vbaNew2.MSVBVM60(00408C9C,004245B4,00000000,00000000,?), ref: 0042208B
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C8C,00000014), ref: 004220E1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000068), ref: 00422137
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,00000068), ref: 00422156
__vbaNew2.MSVBVM60(00408C9C,004245B4), ref: 0042216E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C8C,00000014), ref: 004221C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,000000D0), ref: 00422220
__vbaStrMove.MSVBVM60(00000000,?,00408CAC,000000D0), ref: 0042224A
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,000000D0), ref: 00422252
__vbaNew2.MSVBVM60(00408C9C,004245B4), ref: 0042226A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C8C,00000014), ref: 004222C0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000110), ref: 0042231C
__vbaStrMove.MSVBVM60(00000000,?,00408CAC,00000110), ref: 00422346
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,00000110), ref: 0042234E
#610.MSVBVM60(?), ref: 00422357
#552.MSVBVM60(?,?,00000001,?), ref: 00422366
__vbaVarMove.MSVBVM60(?,?,00000001,?), ref: 00422371
__vbaFreeVar.MSVBVM60(?,?,00000001,?), ref: 00422379
__vbaVarDup.MSVBVM60(?,?,00000001,?), ref: 00422392
#600.MSVBVM60(?,00000002,?,?,00000001,?), ref: 0042239D
__vbaFreeVar.MSVBVM60(?,00000002,?,?,00000001,?), ref: 004223A8
__vbaNew2.MSVBVM60(004083F0,00424010,00000000,00000000,?), ref: 004223C0
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,00000000,00000000,?), ref: 004223F9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00408C60,000000F8,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422437
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422456
__vbaFreeStr.MSVBVM60(0042249F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422489
__vbaFreeStr.MSVBVM60(0042249F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422491
__vbaFreeVar.MSVBVM60(0042249F,?,?,?,?,?,?,?,00000000,00000000,?), ref: 00422499

Strings

UNCHIC, xrefs: 0042237E
tmp, xrefs: 0042201D

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#552#600#610#667Chkstk
String ID: UNCHIC$tmp
API String ID: 1871007200-2985027313
Opcode ID: 9ad8e065df39061f8e28265bc0f5dffd092d2080742a64c6a69feea9bdc9b07a
Instruction ID: 6fb35b097a5337e82dc70571f4ad1c4ccb1c2ccd9c26a615760a73bc172cc5ac
Opcode Fuzzy Hash: 9ad8e065df39061f8e28265bc0f5dffd092d2080742a64c6a69feea9bdc9b07a
Instruction Fuzzy Hash: 50E1F970A00228EFDB20EFA5DD45BDDB7B4BF04308F5080AAE549B71A1DB785A85DF19

Uniqueness

Uniqueness Score: -1.00%

Function 00422D43, Relevance: 54.5, APIs: 26, Strings: 5, Instructions: 220
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00422D43(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				void* _v36;
				signed int _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				void* _v80;
				void* _v84;
				signed int _v88;
				void* _v92;
				signed int _v96;
				signed int _v108;
				signed int _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				signed int _t117;
				char* _t121;
				signed int _t127;
				signed int _t132;
				signed int _t139;
				signed int _t144;
				char* _t149;
				signed int _t153;
				void* _t176;
				void* _t178;
				intOrPtr _t179;

				_t179 = _t178 - 0xc;
				 *[fs:0x0] = _t179;
				L004011D0();
				_v16 = _t179;
				_v12 = 0x401198;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4011d6, _t176);
				_v52 = 0x4b;
				_v60 = 2;
				_t117 =  &_v60;
				_push(_t117);
				L00401284();
				L00401302();
				_push(_t117);
				_push(0x408cfc);
				L00401308();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t117));
				L004012F0();
				L00401314();
				_t121 = _v84;
				if(_t121 != 0) {
					_push(L"COINVENTORS");
					_push(L"Teknologiseringers2");
					_push(L"ACHOO");
					_push(L"garantien");
					L0040127E();
					L00401278();
					if( *0x4245b4 != 0) {
						_v116 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v116 = 0x4245b4;
					}
					_v84 =  *_v116;
					_t127 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
					asm("fclex");
					_v88 = _t127;
					if(_v88 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v84);
						_push(_v88);
						L0040132C();
						_v120 = _t127;
					}
					_v92 = _v44;
					_t132 =  *((intOrPtr*)( *_v92 + 0x78))(_v92,  &_v80);
					asm("fclex");
					_v96 = _t132;
					if(_v96 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x78);
						_push(0x408cac);
						_push(_v92);
						_push(_v96);
						L0040132C();
						_v124 = _t132;
					}
					_v32 = _v80;
					L004012EA();
					if( *0x4245b4 != 0) {
						_v128 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v128 = 0x4245b4;
					}
					_v84 =  *_v128;
					_t139 =  *((intOrPtr*)( *_v84 + 0x14))(_v84,  &_v44);
					asm("fclex");
					_v88 = _t139;
					if(_v88 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v84);
						_push(_v88);
						L0040132C();
						_v132 = _t139;
					}
					_v92 = _v44;
					_t144 =  *((intOrPtr*)( *_v92 + 0x110))(_v92,  &_v40);
					asm("fclex");
					_v96 = _t144;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x408cac);
						_push(_v92);
						_push(_v96);
						L0040132C();
						_v136 = _t144;
					}
					_v108 = _v40;
					_v40 = _v40 & 0x00000000;
					L00401302();
					L004012EA();
					if( *0x424010 != 0) {
						_v140 = 0x424010;
					} else {
						_push(0x424010);
						_push(0x4083f0);
						L00401320();
						_v140 = 0x424010;
					}
					_t149 =  &_v44;
					L00401326();
					_v84 = _t149;
					_t153 =  *((intOrPtr*)( *_v84 + 0x50))(_v84,  &_v40, _t149,  *((intOrPtr*)( *((intOrPtr*)( *_v140)) + 0x304))( *_v140));
					asm("fclex");
					_v88 = _t153;
					if(_v88 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x408ce0);
						_push(_v84);
						_push(_v88);
						L0040132C();
						_v144 = _t153;
					}
					_v112 = _v40;
					_v40 = _v40 & 0x00000000;
					_v52 = _v112;
					_v60 = 8;
					_t121 =  &_v60;
					_push(_t121);
					L004012FC();
					L00401302();
					L004012EA();
					L00401314();
				}
				_push(0x423068);
				L004012F0();
				L004012F0();
				return _t121;
			}

0x00422d46
0x00422d55
0x00422d5f
0x00422d67
0x00422d6a
0x00422d71
0x00422d80
0x00422d83
0x00422d8a
0x00422d91
0x00422d94
0x00422d95
0x00422d9f
0x00422da4
0x00422da5
0x00422daa
0x00422db1
0x00422db7
0x00422dbe
0x00422dc6
0x00422dcb
0x00422dd1
0x00422dd7
0x00422ddc
0x00422de1
0x00422de6
0x00422deb
0x00422df0
0x00422dfc
0x00422e16
0x00422dfe
0x00422dfe
0x00422e03
0x00422e08
0x00422e0d
0x00422e0d
0x00422e22
0x00422e31
0x00422e34
0x00422e36
0x00422e3d
0x00422e56
0x00422e3f
0x00422e3f
0x00422e41
0x00422e46
0x00422e49
0x00422e4c
0x00422e51
0x00422e51
0x00422e5d
0x00422e6c
0x00422e6f
0x00422e71
0x00422e78
0x00422e91
0x00422e7a
0x00422e7a
0x00422e7c
0x00422e81
0x00422e84
0x00422e87
0x00422e8c
0x00422e8c
0x00422e99
0x00422ea0
0x00422eac
0x00422ec6
0x00422eae
0x00422eae
0x00422eb3
0x00422eb8
0x00422ebd
0x00422ebd
0x00422ed2
0x00422ee1
0x00422ee4
0x00422ee6
0x00422eed
0x00422f06
0x00422eef
0x00422eef
0x00422ef1
0x00422ef6
0x00422ef9
0x00422efc
0x00422f01
0x00422f01
0x00422f0d
0x00422f1c
0x00422f22
0x00422f24
0x00422f2b
0x00422f4a
0x00422f2d
0x00422f2d
0x00422f32
0x00422f37
0x00422f3a
0x00422f3d
0x00422f42
0x00422f42
0x00422f54
0x00422f57
0x00422f61
0x00422f69
0x00422f75
0x00422f92
0x00422f77
0x00422f77
0x00422f7c
0x00422f81
0x00422f86
0x00422f86
0x00422fb6
0x00422fba
0x00422fbf
0x00422fce
0x00422fd1
0x00422fd3
0x00422fda
0x00422ff6
0x00422fdc
0x00422fdc
0x00422fde
0x00422fe3
0x00422fe6
0x00422fe9
0x00422fee
0x00422fee
0x00423000
0x00423003
0x0042300a
0x0042300d
0x00423014
0x00423017
0x00423018
0x00423022
0x0042302a
0x00423032
0x00423032
0x00423037
0x0042305a
0x00423062
0x00423067

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 00422D5F
#572.MSVBVM60(00000002), ref: 00422D95
__vbaStrMove.MSVBVM60(00000002), ref: 00422D9F
__vbaStrCmp.MSVBVM60(00408CFC,00000000,00000002), ref: 00422DAA
__vbaFreeStr.MSVBVM60(00408CFC,00000000,00000002), ref: 00422DBE
__vbaFreeVar.MSVBVM60(00408CFC,00000000,00000002), ref: 00422DC6
#690.MSVBVM60(garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC,00000000,00000002), ref: 00422DEB
#598.MSVBVM60(garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC,00000000,00000002), ref: 00422DF0
__vbaNew2.MSVBVM60(00408C9C,004245B4,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC,00000000,00000002), ref: 00422E08
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC), ref: 00422E4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000078,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC), ref: 00422E87
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC,00000000,00000002), ref: 00422EA0
__vbaNew2.MSVBVM60(00408C9C,004245B4,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC), ref: 00422EB8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2), ref: 00422EFC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000110,?,?,?,?,?,?,?,?,?,?,?,garantien), ref: 00422F3D
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC), ref: 00422F61
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2,COINVENTORS,00408CFC), ref: 00422F69
__vbaNew2.MSVBVM60(004083F0,00424010,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO,Teknologiseringers2), ref: 00422F81
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien), ref: 00422FBA
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CE0,00000050), ref: 00422FE9
#667.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 00423018
__vbaStrMove.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 00423022
__vbaFreeObj.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 0042302A
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,?,?,?,?,?,?,?,?,garantien,ACHOO), ref: 00423032
__vbaFreeStr.MSVBVM60(00423068,00408CFC,00000000,00000002), ref: 0042305A
__vbaFreeStr.MSVBVM60(00423068,00408CFC,00000000,00000002), ref: 00423062

Strings

garantien, xrefs: 00422DE6
Teknologiseringers2, xrefs: 00422DDC
K, xrefs: 00422D83
COINVENTORS, xrefs: 00422DD7
ACHOO, xrefs: 00422DE1

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$MoveNew2$#572#598#667#690Chkstk
String ID: ACHOO$COINVENTORS$K$Teknologiseringers2$garantien
API String ID: 2768728735-653337235
Opcode ID: dc78c297acb85df2a6cfbe451764bcc9da44060729d2e0a31415743d495dfbe6
Instruction ID: be4dc866ebf3a2cd984e5d5d6b58c9c9169174c6ed46c65b5a6d7adf680101a2
Opcode Fuzzy Hash: dc78c297acb85df2a6cfbe451764bcc9da44060729d2e0a31415743d495dfbe6
Instruction Fuzzy Hash: 3EA1D370A00218EFDB10EFE5D945BDDBBB4BF18304F50406AE501BB2A5DBB85989DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004229BA, Relevance: 33.2, APIs: 22, Instructions: 250
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E004229BA(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				short _v32;
				short _v36;
				short _v40;
				signed int _v44;
				char _v48;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				void* _v68;
				signed int _v72;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				signed int _v108;
				intOrPtr* _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				short _t140;
				signed int _t146;
				signed int _t151;
				signed int _t158;
				signed int _t163;
				signed int _t170;
				signed int _t175;
				signed int _t182;
				signed int _t187;
				void* _t198;
				void* _t200;
				intOrPtr _t201;

				_t201 = _t200 - 0xc;
				 *[fs:0x0] = _t201;
				L004011D0();
				_v16 = _t201;
				_v12 = 0x401188;
				_v8 = 0;
				_t140 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x6c,  *[fs:0x0], 0x4011d6, _t198);
				_push(0x408cf4);
				L0040128A();
				L00401290();
				L00401296();
				asm("fcomp qword [0x401180]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x4245b4 != 0) {
						_v88 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v88 = 0x4245b4;
					}
					_v60 =  *_v88;
					_t146 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
					asm("fclex");
					_v64 = _t146;
					if(_v64 >= 0) {
						_t20 =  &_v92;
						 *_t20 = _v92 & 0x00000000;
						__eflags =  *_t20;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v60);
						_push(_v64);
						L0040132C();
						_v92 = _t146;
					}
					_v68 = _v48;
					_t151 =  *((intOrPtr*)( *_v68 + 0x140))(_v68,  &_v52);
					asm("fclex");
					_v72 = _t151;
					if(_v72 >= 0) {
						_t33 =  &_v96;
						 *_t33 = _v96 & 0x00000000;
						__eflags =  *_t33;
					} else {
						_push(0x140);
						_push(0x408cac);
						_push(_v68);
						_push(_v72);
						L0040132C();
						_v96 = _t151;
					}
					_v36 = _v52;
					L004012EA();
					if( *0x4245b4 != 0) {
						_v100 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v100 = 0x4245b4;
					}
					_v60 =  *_v100;
					_t158 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
					asm("fclex");
					_v64 = _t158;
					if(_v64 >= 0) {
						_t51 =  &_v104;
						 *_t51 = _v104 & 0x00000000;
						__eflags =  *_t51;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v60);
						_push(_v64);
						L0040132C();
						_v104 = _t158;
					}
					_v68 = _v48;
					_t163 =  *((intOrPtr*)( *_v68 + 0x108))(_v68,  &_v52);
					asm("fclex");
					_v72 = _t163;
					if(_v72 >= 0) {
						_t64 =  &_v108;
						 *_t64 = _v108 & 0x00000000;
						__eflags =  *_t64;
					} else {
						_push(0x108);
						_push(0x408cac);
						_push(_v68);
						_push(_v72);
						L0040132C();
						_v108 = _t163;
					}
					_v32 = _v52;
					L004012EA();
					if( *0x4245b4 != 0) {
						_v112 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v112 = 0x4245b4;
					}
					_v60 =  *_v112;
					_t170 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
					asm("fclex");
					_v64 = _t170;
					if(_v64 >= 0) {
						_t82 =  &_v116;
						 *_t82 = _v116 & 0x00000000;
						__eflags =  *_t82;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v60);
						_push(_v64);
						L0040132C();
						_v116 = _t170;
					}
					_v68 = _v48;
					_t175 =  *((intOrPtr*)( *_v68 + 0xf0))(_v68,  &_v44);
					asm("fclex");
					_v72 = _t175;
					if(_v72 >= 0) {
						_t95 =  &_v120;
						 *_t95 = _v120 & 0x00000000;
						__eflags =  *_t95;
					} else {
						_push(0xf0);
						_push(0x408cac);
						_push(_v68);
						_push(_v72);
						L0040132C();
						_v120 = _t175;
					}
					_v84 = _v44;
					_v44 = _v44 & 0x00000000;
					L00401302();
					L004012EA();
					if( *0x4245b4 != 0) {
						_v124 = 0x4245b4;
					} else {
						_push(0x4245b4);
						_push(0x408c9c);
						L00401320();
						_v124 = 0x4245b4;
					}
					_v60 =  *_v124;
					_t182 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v48);
					asm("fclex");
					_v64 = _t182;
					if(_v64 >= 0) {
						_t117 =  &_v128;
						 *_t117 = _v128 & 0x00000000;
						__eflags =  *_t117;
					} else {
						_push(0x14);
						_push(0x408c8c);
						_push(_v60);
						_push(_v64);
						L0040132C();
						_v128 = _t182;
					}
					_v68 = _v48;
					_t187 =  *((intOrPtr*)( *_v68 + 0x118))(_v68,  &_v56);
					asm("fclex");
					_v72 = _t187;
					if(_v72 >= 0) {
						_t130 =  &_v132;
						 *_t130 = _v132 & 0x00000000;
						__eflags =  *_t130;
					} else {
						_push(0x118);
						_push(0x408cac);
						_push(_v68);
						_push(_v72);
						L0040132C();
						_v132 = _t187;
					}
					_t140 = _v56;
					_v40 = _t140;
					L004012EA();
				}
				asm("wait");
				_push(0x422d24);
				L004012F0();
				return _t140;
			}

0x004229bd
0x004229cc
0x004229d6
0x004229de
0x004229e1
0x004229e8
0x004229f7
0x004229fa
0x004229ff
0x00422a04
0x00422a09
0x00422a0e
0x00422a14
0x00422a16
0x00422a17
0x00422a24
0x00422a3e
0x00422a26
0x00422a26
0x00422a2b
0x00422a30
0x00422a35
0x00422a35
0x00422a4a
0x00422a59
0x00422a5c
0x00422a5e
0x00422a65
0x00422a7e
0x00422a7e
0x00422a7e
0x00422a67
0x00422a67
0x00422a69
0x00422a6e
0x00422a71
0x00422a74
0x00422a79
0x00422a79
0x00422a85
0x00422a94
0x00422a9a
0x00422a9c
0x00422aa3
0x00422abf
0x00422abf
0x00422abf
0x00422aa5
0x00422aa5
0x00422aaa
0x00422aaf
0x00422ab2
0x00422ab5
0x00422aba
0x00422aba
0x00422ac7
0x00422ace
0x00422ada
0x00422af4
0x00422adc
0x00422adc
0x00422ae1
0x00422ae6
0x00422aeb
0x00422aeb
0x00422b00
0x00422b0f
0x00422b12
0x00422b14
0x00422b1b
0x00422b34
0x00422b34
0x00422b34
0x00422b1d
0x00422b1d
0x00422b1f
0x00422b24
0x00422b27
0x00422b2a
0x00422b2f
0x00422b2f
0x00422b3b
0x00422b4a
0x00422b50
0x00422b52
0x00422b59
0x00422b75
0x00422b75
0x00422b75
0x00422b5b
0x00422b5b
0x00422b60
0x00422b65
0x00422b68
0x00422b6b
0x00422b70
0x00422b70
0x00422b7d
0x00422b84
0x00422b90
0x00422baa
0x00422b92
0x00422b92
0x00422b97
0x00422b9c
0x00422ba1
0x00422ba1
0x00422bb6
0x00422bc5
0x00422bc8
0x00422bca
0x00422bd1
0x00422bea
0x00422bea
0x00422bea
0x00422bd3
0x00422bd3
0x00422bd5
0x00422bda
0x00422bdd
0x00422be0
0x00422be5
0x00422be5
0x00422bf1
0x00422c00
0x00422c06
0x00422c08
0x00422c0f
0x00422c2b
0x00422c2b
0x00422c2b
0x00422c11
0x00422c11
0x00422c16
0x00422c1b
0x00422c1e
0x00422c21
0x00422c26
0x00422c26
0x00422c32
0x00422c35
0x00422c3f
0x00422c47
0x00422c53
0x00422c6d
0x00422c55
0x00422c55
0x00422c5a
0x00422c5f
0x00422c64
0x00422c64
0x00422c79
0x00422c88
0x00422c8b
0x00422c8d
0x00422c94
0x00422cad
0x00422cad
0x00422cad
0x00422c96
0x00422c96
0x00422c98
0x00422c9d
0x00422ca0
0x00422ca3
0x00422ca8
0x00422ca8
0x00422cb4
0x00422cc3
0x00422cc9
0x00422ccb
0x00422cd2
0x00422cee
0x00422cee
0x00422cee
0x00422cd4
0x00422cd4
0x00422cd9
0x00422cde
0x00422ce1
0x00422ce4
0x00422ce9
0x00422ce9
0x00422cf2
0x00422cf6
0x00422cfd
0x00422cfd
0x00422d02
0x00422d03
0x00422d1e
0x00422d23

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004229D6
__vbaR8Str.MSVBVM60(00408CF4,?,?,?,?,004011D6), ref: 004229FF
__vbaFPFix.MSVBVM60(00408CF4,?,?,?,?,004011D6), ref: 00422A04
__vbaFpR8.MSVBVM60(00408CF4,?,?,?,?,004011D6), ref: 00422A09
__vbaNew2.MSVBVM60(00408C9C,004245B4,00408CF4,?,?,?,?,004011D6), ref: 00422A30
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014), ref: 00422A74
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000140), ref: 00422AB5
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,00000140), ref: 00422ACE
__vbaNew2.MSVBVM60(00408C9C,004245B4), ref: 00422AE6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014), ref: 00422B2A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000108), ref: 00422B6B
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,00000108), ref: 00422B84
__vbaNew2.MSVBVM60(00408C9C,004245B4), ref: 00422B9C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014), ref: 00422BE0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,000000F0), ref: 00422C21
__vbaStrMove.MSVBVM60(00000000,?,00408CAC,000000F0), ref: 00422C3F
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,000000F0), ref: 00422C47
__vbaNew2.MSVBVM60(00408C9C,004245B4), ref: 00422C5F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C8C,00000014), ref: 00422CA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408CAC,00000118), ref: 00422CE4
__vbaFreeObj.MSVBVM60(00000000,?,00408CAC,00000118), ref: 00422CFD
__vbaFreeStr.MSVBVM60(00422D24,00408CF4,?,?,?,?,004011D6), ref: 00422D1E

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$ChkstkMove
String ID:
API String ID: 1793851610-0
Opcode ID: 7e0df380d090418d9509ed22c99bf63253f20394923bb3f368a29979e36a73d1
Instruction ID: 3d28d080b8bd81d36fe6634af16f100ee60e42bcac585c1635f36a8f1b8202d9
Opcode Fuzzy Hash: 7e0df380d090418d9509ed22c99bf63253f20394923bb3f368a29979e36a73d1
Instruction Fuzzy Hash: 8BB1AF74E01218EFDB10EFA5EA45BDDBBB0BF18304F50402AE541BB2A1DBB85946DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004228A8, Relevance: 12.1, APIs: 8, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E004228A8(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v52;
				signed int _v56;
				char* _t35;
				signed int _t38;
				void* _t49;
				void* _t51;
				intOrPtr _t52;

				_t52 = _t51 - 0xc;
				 *[fs:0x0] = _t52;
				L004011D0();
				_v16 = _t52;
				_v12 = 0x401170;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x20,  *[fs:0x0], 0x4011d6, _t49);
				_push(0);
				_push(1);
				L0040129C();
				L00401302();
				if( *0x424010 != 0) {
					_v52 = 0x424010;
				} else {
					_push(0x424010);
					_push(0x4083f0);
					L00401320();
					_v52 = 0x424010;
				}
				_t35 =  &_v32;
				L00401326();
				_v36 = _t35;
				_t38 =  *((intOrPtr*)( *_v36 + 0x218))(_v36, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v52)) + 0x2fc))( *_v52));
				asm("fclex");
				_v40 = _t38;
				if(_v40 >= 0) {
					_v56 = _v56 & 0x00000000;
				} else {
					_push(0x218);
					_push(0x408c60);
					_push(_v36);
					_push(_v40);
					L0040132C();
					_v56 = _t38;
				}
				L004012EA();
				_push(0x42299b);
				L004012F0();
				return _t38;
			}

0x004228ab
0x004228ba
0x004228c4
0x004228cc
0x004228cf
0x004228d6
0x004228e5
0x004228e8
0x004228ea
0x004228ec
0x004228f6
0x00422902
0x0042291c
0x00422904
0x00422904
0x00422909
0x0042290e
0x00422913
0x00422913
0x00422937
0x0042293b
0x00422940
0x0042294b
0x00422951
0x00422953
0x0042295a
0x00422976
0x0042295c
0x0042295c
0x00422961
0x00422966
0x00422969
0x0042296c
0x00422971
0x00422971
0x0042297d
0x00422982
0x00422995
0x0042299a

APIs

__vbaChkstk.MSVBVM60(?,004011D6), ref: 004228C4
#707.MSVBVM60(00000001,00000000,?,?,?,?,004011D6), ref: 004228EC
__vbaStrMove.MSVBVM60(00000001,00000000,?,?,?,?,004011D6), ref: 004228F6
__vbaNew2.MSVBVM60(004083F0,00424010,00000001,00000000,?,?,?,?,004011D6), ref: 0042290E
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042293B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00408C60,00000218), ref: 0042296C
__vbaFreeObj.MSVBVM60(00000000,?,00408C60,00000218), ref: 0042297D
__vbaFreeStr.MSVBVM60(0042299B), ref: 00422995

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#707CheckChkstkHresultMoveNew2
String ID:
API String ID: 842392621-0
Opcode ID: d16ed440eaadd8c40da4fea09658e6e088f821eb80ba90642ce52d236c498301
Instruction ID: 74f8a0f32ca4d6b006657015dbe817ef52888bec368b78b4cea8220e144c7134
Opcode Fuzzy Hash: d16ed440eaadd8c40da4fea09658e6e088f821eb80ba90642ce52d236c498301
Instruction Fuzzy Hash: 2C213B70A40218EFCB00EFA5E94AF9DBBB4FF08704F50406AF501BB2A1CBB95945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 004234B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E004234B0() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L004011D0();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x424034; // 0x5f6458
				_t17 =  *0x424034; // 0x5f6458
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x424034);
				L00401260();
				 *0x424040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x424044 = _v8;
				return _v8;
			}

0x004234b3
0x004234b6
0x004234be
0x004234c4
0x004234c8
0x004234ce
0x004234d4
0x004234d7
0x004234da
0x004234e0
0x004234e5
0x004234ea
0x004234f3
0x004234ff

APIs

__vbaChkstk.MSVBVM60(?,00423109), ref: 004234B6
#644.MSVBVM60(?,?,00423109), ref: 004234E0

Strings

Xd_, xrefs: 004234C8, 004234CE

Memory Dump Source

Source File: 00000000.00000002.781061159.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.781045482.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.781139093.0000000000424000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.781159229.0000000000426000.00000002.00020000.sdmp Download File

Similarity

API ID: #644Chkstk__vba
String ID: Xd_
API String ID: 3537395942-1739277532
Opcode ID: 5e534303c87f344431fd076bf005434d60a319ac16ef09960a374bead4e6ad88
Instruction ID: cf79175a96eb60699fbfbb66c342409cad1f239b11266a6b8f30f54d0a3a87e0
Opcode Fuzzy Hash: 5e534303c87f344431fd076bf005434d60a319ac16ef09960a374bead4e6ad88
Instruction Fuzzy Hash: FFF0E539202341A9C7346B64AD12695BF78EF89750F50006AFB01EF2F1D3705982E75C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report n#U00ba410000512664.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: n#U00ba410000512664.exe PID: 3232 Parent PID: 5476

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: n#U00ba410000512664.exe PID: 3232 Parent PID: 5476 n#U00ba410000512664.exeCOMMON

Executed Functions

Function 02206B59, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 166COMMON

Function 004090A6, Relevance: 1.5, APIs: 1, Instructions: 279memoryCOMMONCrypto

Function 004090A6, Relevance: 1.5, APIs: 1, Instructions: 279
memoryCOMMONCrypto

Function 004224BC, Relevance: 52.7, APIs: 29, Strings: 1, Instructions: 246
COMMON

Function 00421C84, Relevance: 21.2, APIs: 14, Instructions: 220
COMMON

Function 004231BD, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 00423087, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Function 00421FA2, Relevance: 68.6, APIs: 37, Strings: 2, Instructions: 307
COMMON

Function 00422D43, Relevance: 54.5, APIs: 26, Strings: 5, Instructions: 220
COMMON

Function 004229BA, Relevance: 33.2, APIs: 22, Instructions: 250
COMMON

Function 004228A8, Relevance: 12.1, APIs: 8, Instructions: 69
COMMON

Function 004234B0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON