Play interactive tour

Edit tour

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Sample Name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
Analysis ID:	527894
MD5:	ff71941571d8930c1125b3931d400d86
SHA1:	0a417bf568a5978777021e433bf4693893facd3e
SHA256:	bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Initial sample is a PE file and has a suspicious name

Executable has a suspicious name (potential lure to open the executable)

C2 URLs / IPs found in malware configuration

Uses an obfuscated file name to hide its real file extension (double extension)

Machine Learning detection for sample

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

PE file contains strange resources

Contains functionality to read the PEB

Uses code obfuscation techniques (call, push, ret)

Detected potential crypto function

PE / OLE file has an invalid certificate

Program does not show much activity (idle)

Classification

Process Tree

System is w10x64

Arrival Notice, CIA Awb Inv Form.pdf.exe (PID: 6260 cmdline: "C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe" MD5: FF71941571D8930C1125B3931D400D86)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=16igyruBe"}

Multi AV Scanner detection for submitted file

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Virustotal: Detection: 37%			Perma Link
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	ReversingLabs: Detection: 31%

Machine Learning detection for sample

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Joe Sandbox ML: detected

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=16igyruBe

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://s.symcd.com06
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0.

System Summary:

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: initial sample	Static PE information: Filename: Arrival Notice, CIA Awb Inv Form.pdf.exe

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static file information: Suspicious name

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000000.250570072.000000000042C000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Binary or memory string: OriginalFilenameBEGRLIGHED.exe vs Arrival Notice, CIA Awb Inv Form.pdf.exe

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_0040430D	1_2_0040430D
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BC15AA	1_2_04BC15AA
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BBFFF2	1_2_04BBFFF2

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: invalid certificate

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	Virustotal: Detection: 37%
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe	ReversingLabs: Detection: 31%

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

File created: C:\Users\user~1\AppData\Local\Temp\~DF09CCCFC54315C8A8.TMP

Jump to behavior

Source: classification engine

Classification label: mal84.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_00403EA8 push es; ret	1_2_00403EB7
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_00406105 pushfd ; ret	1_2_00406106
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_004057C0 push esp; ret	1_2_004057C1
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BB3C50 pushad ; retf	1_2_04BB3C51
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BB593E push di; ret	1_2_04BB5969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BB590E push di; ret	1_2_04BB5969
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BB5372 pushfd ; ret	1_2_04BB5379
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BB255E push edx; retf	1_2_04BB255F

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Arrival Notice, CIA Awb Inv Form.pdf.exe

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BBF8FD mov eax, dword ptr fs:[00000030h]	1_2_04BBF8FD
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BC0232 mov eax, dword ptr fs:[00000030h]	1_2_04BC0232
Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe	Code function: 1_2_04BBC602 mov eax, dword ptr fs:[00000030h]	1_2_04BBC602

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp	Binary or memory string: uProgram Manager
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: Arrival Notice, CIA Awb Inv Form.pdf.exe, 00000001.00000002.523260487.0000000000C90000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Masquerading1	OS Credential Dumping	Process Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	System Information Discovery11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information11	Security Account Manager	Query Registry	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Arrival Notice, CIA Awb Inv Form.pdf.exe	37%	Virustotal		Browse
Arrival Notice, CIA Awb Inv Form.pdf.exe	31%	ReversingLabs	Win32.Trojan.Tnega
Arrival Notice, CIA Awb Inv Form.pdf.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	527894
Start date:	24.11.2021
Start time:	14:57:05
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 13.7% (good quality ratio 2.3%) Quality average: 12.8% Quality standard deviation: 25.3%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 23.211.6.115 Excluded domains from analysis (whitelisted): e12564.dspb.akamaiedge.net, client.wns.windows.com, fs.microsoft.com, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com Not all processes where analyzed, report is missing behavior information

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF09CCCFC54315C8A8.TMP Download File
Process:	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	1.5280837450206026
Encrypted:	false
SSDEEP:	96:GNVdtlevDRZpak7m8llj9myGr0qLjLu3FM:GNVgvckac9my8LjL
MD5:	419FC2EF2A5F8F91499B182A69484E4A
SHA1:	7A4D9A94112A8FEA9067C9B02BF29384141ED15E
SHA-256:	B2ED57A9BB9C772B2F9D21D49EBA91BFD412B3135DAD6EFC05777FAADDA10540
SHA-512:	6A51467436A003C1357B9111D002F87F1A0DB9628C692AD2EA32652F1D12F790271F164B731D81E76665D28A07ED5C31EDEA51A414E4C46B46B074E9962210E4
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	6.490437985451051
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Arrival Notice, CIA Awb Inv Form.pdf.exe
File size:	214328
MD5:	ff71941571d8930c1125b3931d400d86
SHA1:	0a417bf568a5978777021e433bf4693893facd3e
SHA256:	bf952f1cd44de7bf63c63e502670d3a6a97eca1b5f7fd9981ed0d235351e975f
SHA512:	19ba70c75a615446c3c482d3732b373f85a4622ebc0ef652a7e9b368eb30db1a096d6a4e71cc7c118d7192817c18c6aa84429e6a5e2fadb9e8edad8ed4615528
SSDEEP:	1536:uZVG0Dx+5ddSVTrCH+Gbe99P0ezrHSjetlvrrs2gb16A7OsJ4AdDuZxnRVxekC3S:4G12TrQ4zOC5g7OK4AdD4re3RVa
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........`.....................................Rich....................PE..L....}.O..........................................@........

File Icon


Icon Hash:	c4ccccccc4cc9391

Static PE Info

General
Entrypoint:	0x401598
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4FE77DAE [Sun Jun 24 20:50:54 2012 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	0866620dbb47fce5dcf62fd73a28087e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	E=Princeless@Pauperise9.LA, CN=Determinerede, OU=saddles, O=Organozinc1, L=stikordet, S=albueben, C=GN
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	11/22/2021 10:40:02 AM 11/22/2022 10:40:02 AM
Subject Chain	E=Princeless@Pauperise9.LA, CN=Determinerede, OU=saddles, O=Organozinc1, L=stikordet, S=albueben, C=GN
Version:	3
Thumbprint MD5:	7034EF897C224C9C7BDB83E97DFC0132
Thumbprint SHA-1:	EF1AC1E686A6F1DE495F0BFD6280EE73EC06795C
Thumbprint SHA-256:	675A574FC88003464890E2D25C543E3FB3A82739956E09B5D312053E83CDCA9D
Serial:	00

Entrypoint Preview

Instruction
push 0041B55Ch
call 00007F0488F8D8E5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ch, ch
cld
aad 89h
xor ecx, dword ptr [ecx]
stosb
dec ebp
mov ch, 79h
aas
pop ss
xchg eax, edx
mov dword ptr [00003B11h], eax
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
cwde
and dword ptr [edi], ebx
add ecx, dword ptr [ebp+75h]
jnc 00007F0488F8D953h
insb
insd
popad
outsb
imul esi, dword ptr [edi], B1CC0000h
pop ds
add eax, dword ptr [eax]
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
and eax, 2037265Ch
leave
dec eax
push eax
dec ecx
test eax, 234F786Ah
je 00007F0488F8D8A4h
xor byte ptr [ecx+55AEB60Ah], bh
out D9h, eax
dec esi
cmp byte ptr [edx+ebx*8], 0000002Dh
pop ecx
cmp ecx, dword ptr [eax+3Ah]
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
jno 00007F0488F8D88Eh
add dword ptr [eax], eax
and eax, 0000000Bh
push es
add byte ptr [edx+6Fh], ah
jc 00007F0488F8D956h
jnc 00007F0488F8D8F3h
or eax, 41000701h
jc 00007F0488F8D959h
insb
bound eax, dword ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2a274	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x2c000	0x6638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x33000	0x1538
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x194	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x29880	0x2a000	False	0.45206124442	data	6.79025168082	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x2b000	0xe88	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x2c000	0x6638	0x7000	False	0.391427176339	data	4.79823535625	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
LOCK	0x2ce62	0x57d6	MS Windows icon resource - 6 icons, 48x48, 8 bits/pixel, 32x32, 8 bits/pixel	English	United States
RT_ICON	0x2c71a	0x748	data
RT_ICON	0x2c3b2	0x368	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x2c390	0x22	data
RT_VERSION	0x2c170	0x220	data

Imports

DLL

Import

MSVBVM60.DLL

__vbaStrI2, _CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaCyI2, __vbaAryConstruct2, DllFunctionCall, __vbaVarLateMemSt, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaFpCmpCy, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaVarCopy, __vbaFpI4, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaStrCy, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0400 0x04b0
InternalName	BEGRLIGHED
FileVersion	1.00
CompanyName	Verkada
ProductName	Musalmani7
ProductVersion	1.00
OriginalFilename	BEGRLIGHED.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

System Behavior

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 6260 Parent PID: 6132

General

Start time:	14:58:04
Start date:	24/11/2021
Path:	C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Arrival Notice, CIA Awb Inv Form.pdf.exe"
Imagebase:	0x400000
File size:	214328 bytes
MD5 hash:	FF71941571D8930C1125B3931D400D86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 6260 Parent PID: 6132 Arrival Notice, CIA Awb Inv Form.pdf.exeCOMMON

Executed Functions

Function 0041EA90, Relevance: 149.5, APIs: 75, Strings: 10, Instructions: 716COMMON

Download Yara Rule

APIs

#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041EB46
__vbaStrMove.MSVBVM60 ref: 0041EB51
__vbaFreeVar.MSVBVM60 ref: 0041EB5A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EB73
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EB8C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,0000021C), ref: 0041EBAF
__vbaFreeObj.MSVBVM60 ref: 0041EBB8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EBD1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EBEA
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,00000060), ref: 0041EC14
__vbaFreeObj.MSVBVM60 ref: 0041EC70
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,000006FC), ref: 0041ECD5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000700), ref: 0041ECF0
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000704), ref: 0041ED12
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041ED27
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ED40
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C348,00000138), ref: 0041ED6A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041ED83
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041ED9C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C358,00000088), ref: 0041EDCC
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000708), ref: 0041EE15
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041EE21
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,0000070C), ref: 0041EEA5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000710), ref: 0041EEF3
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EF08
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EF21
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3A0,00000098), ref: 0041EF4B
__vbaStrCopy.MSVBVM60 ref: 0041EF63
__vbaFreeStr.MSVBVM60 ref: 0041EF87
__vbaFreeObj.MSVBVM60 ref: 0041EF90
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041EFA9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041EFC2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,00000090), ref: 0041EFE9
__vbaStrMove.MSVBVM60 ref: 0041EFF8
__vbaFreeStr.MSVBVM60 ref: 0041F01A
__vbaFreeObj.MSVBVM60 ref: 0041F023
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F03C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F055
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,00000130), ref: 0041F07C
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041F08C
__vbaStrVarMove.MSVBVM60(00000002,?), ref: 0041F0AC
__vbaStrMove.MSVBVM60 ref: 0041F0B7
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000714), ref: 0041F0D5
__vbaFreeStr.MSVBVM60 ref: 0041F0E4
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F0F0
__vbaFreeVar.MSVBVM60 ref: 0041F0FC
__vbaStrCopy.MSVBVM60 ref: 0041F10A
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000718), ref: 0041F157
__vbaFreeStr.MSVBVM60 ref: 0041F160
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F194
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F1AD
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C484,00000128), ref: 0041F1D7
__vbaStrCopy.MSVBVM60 ref: 0041F1EB
__vbaStrCopy.MSVBVM60 ref: 0041F1F5
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,0000071C), ref: 0041F21F
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041F22F
__vbaFreeObj.MSVBVM60 ref: 0041F23B
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F254
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F26D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001A0), ref: 0041F297
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F2B0
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F2C9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,000001B8), ref: 0041F2F0
__vbaLateIdCallLd.MSVBVM60(00000002,?,00000000,00000000), ref: 0041F300
__vbaStrVarMove.MSVBVM60(00000002,EBD00000), ref: 0041F322
__vbaStrMove.MSVBVM60 ref: 0041F32D
__vbaHresultCheckObj.MSVBVM60(00000000,004011B8,0041BBA0,00000720), ref: 0041F35C
__vbaFreeStr.MSVBVM60 ref: 0041F365
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041F379
__vbaFreeVar.MSVBVM60 ref: 0041F385
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F3AE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F3C7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000070), ref: 0041F3EB
__vbaFreeObj.MSVBVM60 ref: 0041F41F
__vbaFreeStr.MSVBVM60(0041F46B), ref: 0041F464

Strings

&|ZK, xrefs: 0041EC5D
Civilhortonomens7, xrefs: 0041F127
Frikirkernes7, xrefs: 0041EF51
tankskib, xrefs: 0041F1ED
}%, xrefs: 0041EC53
Utilnrmeligheden2, xrefs: 0041F102
Variantfunktioner, xrefs: 0041F1E3
SALVAGEPROOF, xrefs: 0041EE57
tilmeldelsesfristen, xrefs: 0041F00B
Flytels5, xrefs: 0041EE4B

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$Move$CopyList$CallLate$#702
String ID: &|ZK$Civilhortonomens7$Flytels5$Frikirkernes7$SALVAGEPROOF$Utilnrmeligheden2$Variantfunktioner$tankskib$tilmeldelsesfristen$}%
API String ID: 692815630-3634593783
Opcode ID: c640d98424ebcb969f2669bafaea4e5a35d4f00c050958a4c247ce8956670af6
Instruction ID: 53d50e6dc9e1393511022345b10057311028959a61ce4b12e926c542496a49f1
Opcode Fuzzy Hash: c640d98424ebcb969f2669bafaea4e5a35d4f00c050958a4c247ce8956670af6
Instruction Fuzzy Hash: AC525CB4A40218AFCB149FA0CD88FEAB778FF48300F504569F549E72A5DB746985CF68

Uniqueness

Uniqueness Score: -1.00%

Function 00401598, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373
COMMON

Download Yara Rule

C-Code - Quality: 82%

			_entry_() {
				signed char _t34;
				signed int _t35;
				signed int _t36;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				signed char _t42;
				intOrPtr* _t44;
				signed int _t54;
				signed int _t57;
				signed char _t61;
				signed int _t63;
				signed int* _t64;
				signed int _t69;
				void* _t73;
				intOrPtr _t82;
				void* _t89;

				_push("VB5!0&*"); // executed
				L00401592(); // executed
				 *_t34 =  *_t34 + _t34;
				 *_t34 =  *_t34 + _t34;
				 *_t34 =  *_t34 + _t34;
				 *_t34 =  *_t34 ^ _t34;
				 *_t34 =  *_t34 + _t34;
				_t35 = _t34 + 1;
				 *_t35 =  *_t35 + _t35;
				while(1) {
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 + _t35;
					 *_t35 =  *_t35 + _t35;
					asm("in eax, dx");
					asm("cld");
					asm("aad 0x89");
					asm("stosb");
					asm("aas");
					_pop(ss);
					_t36 = _t63;
					_t63 = _t35;
					 *0x3b11 = _t36;
					 *_t36 =  *_t36 + _t36;
					 *_t36 =  *_t36 + _t36;
					 *_t36 =  *_t36 + _t36;
					 *_t36 =  *_t36 + _t36;
					 *_t36 =  *_t36 + _t36;
					_t37 = _t36;
					 *_t64 =  *_t64 & _t54;
					_t61 = 0x79 +  *0xFFFFFFFFDDAB625E;
					if(_t61 >= 0) {
						goto L5;
					}
					asm("insb");
					asm("insd");
					asm("popad");
					asm("outsb");
					_t69 =  *_t64 * 0xb1cc0000;
					L3:
					_t39 = _t37 + _t61 +  *((intOrPtr*)(_t37 + _t61));
					 *_t39 =  *_t39 + _t39;
					_t54 = _t54 + _t54;
					asm("int3");
					 *_t39 =  *_t39 ^ _t39;
					_t73 = 0xffffffffddab61e9;
					_pop(0xddab61ea);
					_t35 = (_t39 & 0x2037265c) - 1;
					_push(_t35);
					if((_t35 & 0x234f786a) == 0) {
						continue;
					}
					 *0x55AEB628 =  *0x55AEB628 ^ _t54;
					asm("out 0xd9, eax");
					_t69 = _t69 - 1;
					_pop(_t61);
					_t64 = _t64 - 1;
					asm("lodsd");
					_t41 = _t35;
					asm("stosb");
					 *((intOrPtr*)(_t41 - 0x2d)) =  *((intOrPtr*)(_t41 - 0x2d)) + _t41;
					_t37 = _t54 ^  *(_t61 - 0x48ee309a);
					_t54 = _t41;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					L5:
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					 *_t37 =  *_t37 + _t37;
					if( *_t37 >= 0) {
						goto L3;
					}
					 *_t37 =  *_t37 + _t37;
					_t42 = _t37 & 0x0000000b;
					_push(es);
					_t14 = _t63 + 0x6f;
					 *_t14 =  *((intOrPtr*)(_t63 + 0x6f)) + _t42;
					_t82 =  *_t14;
					if(_t82 < 0) {
						L10:
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						L11:
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						 *_t42 =  *_t42 + _t42;
						while(1) {
							 *_t42 =  *_t42 + _t42;
							 *_t42 =  *_t42 + _t42;
							asm("in eax, 0x6c");
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							 *0xdf =  *0xdf + 0xdf;
							asm("bound ebp, [edx-0x2e6dc724]");
							_t61 = _t61 ^  *0xFFFFFFFFB447AAB8;
							while(1) {
								asm("invalid");
								_t44 = 0xdf - 1;
								asm("pushfd");
								asm("salc");
								asm("in eax, 0x0");
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								 *_t44 =  *_t44 + _t44;
								asm("in eax, 0x6c");
								_t42 = 0xdf;
								 *0xdf =  *0xdf + 0xdf;
								 *0xdf =  *0xdf + 0xdf;
								while(1) {
									 *_t42 =  *_t42 + _t42;
									 *_t42 =  *_t42 + _t42;
									 *_t42 =  *_t42 + _t42;
									_t89 =  *_t42;
									if (_t89 != 0) goto L12;
									_t61 = 0xdf;
								}
							}
						}
					}
					if (_t82 >= 0) goto L8;
					_t42 = _t42 | 0x41000701;
					if(_t42 < 0) {
						goto L11;
					}
					asm("gs insb");
					asm("bound eax, [gs:eax]");
					asm("sbb [ecx], eax");
					 *_t63 =  *_t63 + _t42;
					_t57 = _t54 & _t69;
					 *((intOrPtr*)(_t73 + _t69 * 2)) =  *((intOrPtr*)(_t73 + _t69 * 2)) + _t61;
					_t63 = _t63 + _t63;
					_t42 = _t42 &  *_t54 |  *(_t42 &  *_t54) |  *(_t42 &  *_t54 |  *(_t42 &  *_t54));
					 *_t42 =  *_t42 + _t42;
					 *_t61 =  *_t61 + _t42;
					 *_t63 =  *_t63 + _t42;
					 *_t42 =  *_t42 + _t57;
					asm("sbb [eax], al");
					 *_t61 =  *_t61 + _t42;
					 *_t42 =  *_t42 + _t57;
					 *((intOrPtr*)(_t42 + 7)) =  *((intOrPtr*)(_t42 + 7)) + _t61;
					 *_t42 =  *_t42 + _t42;
					 *[es:eax] =  *[es:eax] + _t42;
					 *_t42 =  *_t42 + _t63;
					asm("adc [eax], al");
					 *_t61 =  *_t61 + _t42;
					 *_t42 =  *_t42 + _t57;
					 *((intOrPtr*)(_t42 + 3)) =  *((intOrPtr*)(_t42 + 3)) + _t61;
					 *_t42 =  *_t42 + _t42;
					asm("outsb");
					_pop(es);
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 - _t42;
					 *_t42 =  *_t42 + _t42;
					asm("sbb [eax], al");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 ^ _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					asm("sbb [eax], al");
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t64 =  *_t64 & _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					 *_t42 =  *_t42 + _t42;
					goto L10;
				}
			}

0x00401598
0x0040159d
0x004015a2
0x004015a4
0x004015a6
0x004015a8
0x004015aa
0x004015ac
0x004015ad
0x004015ae
0x004015ae
0x004015b0
0x004015b2
0x004015b4
0x004015b5
0x004015b6
0x004015ba
0x004015be
0x004015bf
0x004015c0
0x004015c0
0x004015c1
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015ce
0x004015d0
0x004015d1
0x004015d3
0x004015d6
0x00000000
0x00000000
0x004015d8
0x004015d9
0x004015da
0x004015db
0x004015dc
0x004015df
0x004015e3
0x004015e5
0x004015e7
0x004015e9
0x004015ea
0x004015f1
0x004015f1
0x004015f2
0x004015f3
0x004015fa
0x00000000
0x00000000
0x004015fc
0x00401602
0x00401604
0x00401609
0x0040160e
0x0040160f
0x00401616
0x00401618
0x00401619
0x0040161c
0x0040161c
0x0040161d
0x0040161f
0x00401621
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x00401639
0x0040163b
0x0040163d
0x0040163f
0x00401641
0x00000000
0x00000000
0x00401643
0x00401645
0x0040164a
0x0040164b
0x0040164b
0x0040164b
0x0040164e
0x004016b4
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bc
0x004016be
0x004016c0
0x004016c1
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016cb
0x004016cd
0x004016cf
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016db
0x004016dd
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f1
0x004016f3
0x004016f5
0x004016f7
0x004016f9
0x004016fb
0x004016fd
0x004016ff
0x00401701
0x00401703
0x00401705
0x00401707
0x00401709
0x0040170b
0x0040170d
0x0040170f
0x00401711
0x00401713
0x00401715
0x00401717
0x00401719
0x0040171b
0x0040171d
0x0040171f
0x00401721
0x00401723
0x00401725
0x00401727
0x00401729
0x0040172b
0x0040172d
0x0040172f
0x00401731
0x00401733
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173f
0x00401741
0x00401743
0x00401745
0x00401747
0x00401749
0x0040174b
0x0040174d
0x0040174f
0x00401750
0x00401750
0x00401752
0x00401756
0x0040175a
0x0040175c
0x0040175e
0x00401760
0x00401762
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176c
0x00401772
0x00401773
0x00401773
0x00401775
0x00401776
0x00401777
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401784
0x00401786
0x00401788
0x0040178c
0x0040178e
0x00401790
0x00401792
0x00401793
0x00401793
0x00401795
0x00401797
0x00401797
0x00401799
0x0040179a
0x0040179a
0x00401793
0x00401773
0x00401750
0x00401650
0x00401653
0x00401658
0x00000000
0x00000000
0x0040165a
0x0040165c
0x0040165f
0x00401661
0x00401666
0x0040166a
0x0040166e
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x0040167c
0x0040167e
0x00401680
0x00401683
0x00401685
0x00401688
0x0040168a
0x0040168c
0x0040168e
0x00401690
0x00401693
0x00401695
0x00401696
0x00401697
0x00401699
0x0040169b
0x0040169d
0x0040169f
0x004016a1
0x004016a3
0x004016a5
0x004016a7
0x004016a9
0x004016ab
0x004016ad
0x004016af
0x004016b1
0x004016b3
0x00000000
0x004016b3

APIs

#100.MSVBVM60(VB5!0&*), ref: 0040159D

Strings

VB5!0&*, xrefs: 00401598

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!0&*
API String ID: 1341478452-3535337563
Opcode ID: e71dba32bc670d7ca926d0c3dd929c1e19be919c7229144698211527947aa45e
Instruction ID: 6f8cb7d0e9a5cfb220fa47692fe608e7d342d794ba964a3ff551185cfd3acb06
Opcode Fuzzy Hash: e71dba32bc670d7ca926d0c3dd929c1e19be919c7229144698211527947aa45e
Instruction Fuzzy Hash: 6951212604E3C29FD7038B758868691BFB0AE1321471E55EBC4C1CF1B3D62C9D4ADB66

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 04BBFFF2, Relevance: 2.7, Strings: 2, Instructions: 154COMMON

Download Yara Rule

Strings

t;, xrefs: 04BC0088
p!, xrefs: 04BBFA36

Memory Dump Source

Source File: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: p!$t;
API String ID: 0-3242210463
Opcode ID: 16eb961d65c8fd500560e87c0d3e15884e3bca94a6c7a069e40c459d66173b02
Instruction ID: c256dd89493ea8563ce23ded357889612e229ce587ed00c8fcbc76a8cb0a652c
Opcode Fuzzy Hash: 16eb961d65c8fd500560e87c0d3e15884e3bca94a6c7a069e40c459d66173b02
Instruction Fuzzy Hash: 9B51F07170034BDBDF34AEA98DE47EA27A6EF56340F95816DDC9ACB201E7309981C742

Uniqueness

Uniqueness Score: -1.00%

Function 04BC0232, Relevance: 1.3, Strings: 1, Instructions: 46COMMON

Download Yara Rule

Strings

u(nt, xrefs: 04BC02A3

Memory Dump Source

Source File: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Yara matches

Similarity

API ID:
String ID: u(nt
API String ID: 0-3891096550
Opcode ID: 407be6b48f0f69150b005457f8c79d5e032f0a4b257e34e23af008821b6d1216
Instruction ID: c6263e1957a00839e39e63e268fd8b0b25cd47c4a96e8ec3b9d0563866c7a6ab
Opcode Fuzzy Hash: 407be6b48f0f69150b005457f8c79d5e032f0a4b257e34e23af008821b6d1216
Instruction Fuzzy Hash: 7F115574605A44DFDB34DF68C9D8BDA33A0FB48700F1080ADD8098F224D370AA41CB50

Uniqueness

Uniqueness Score: -1.00%

Function 0040430D, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 340c4f2df067ddc752539978ff7b2671b4e8b97287845807bb71162ef46cbe7c
Instruction ID: d0f2fbe90b277a102ce7c6ac6250ff22b22def6822ae4febdf8d6c0cd1017e20
Opcode Fuzzy Hash: 340c4f2df067ddc752539978ff7b2671b4e8b97287845807bb71162ef46cbe7c
Instruction Fuzzy Hash: DE31288125C3C1AED71B1B7140653F67FA09D8336472CA2EEC9D24B5A3C5368447A3CA

Uniqueness

Uniqueness Score: -1.00%

Function 04BC15AA, Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e37e7a2b2360a1598ac3ef856fa8b648d23af02dd711a61f77324d9e26cb8a
Instruction ID: 2f32c83852d410bc1b2c9431c53ec431065a2dbec34f0141c7aeeb4336e3c0b7
Opcode Fuzzy Hash: 90e37e7a2b2360a1598ac3ef856fa8b648d23af02dd711a61f77324d9e26cb8a
Instruction Fuzzy Hash: 0F3187757083498BDB388D288DB43FA23A3EFD2390FC5816FDC879B244CB3019449A02

Uniqueness

Uniqueness Score: -1.00%

Function 04BBF8FD, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0105730e4e1897a8e47e93a2ddb67f4ffb42cf94f2ae241c1535781571442ad2
Instruction ID: bd762d7b62c678fa5fba100de3e3dd72c2c60299660c2034dc7cd99963b1ac6f
Opcode Fuzzy Hash: 0105730e4e1897a8e47e93a2ddb67f4ffb42cf94f2ae241c1535781571442ad2
Instruction Fuzzy Hash: A6C04C30711540CFDA95CA29C150BA173B1BB64A04B814494A485CB611D264E800CB00

Uniqueness

Uniqueness Score: -1.00%

Function 04BBC602, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.589123852.0000000004BB0000.00000040.00000001.sdmp, Offset: 04BB0000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 833e60185906836c724e700a743ddec3d2f94a23220a40fb7a05f18ca21770d5
Instruction ID: c35b81834fe16a26633c95567891ede761b5471621ba8976de7cf073b750e71a
Opcode Fuzzy Hash: 833e60185906836c724e700a743ddec3d2f94a23220a40fb7a05f18ca21770d5
Instruction Fuzzy Hash: 7FB092B62016808FEF06CE08C482B4073B0FB05A84B0904D0E402CB712C228E904CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00429B40, Relevance: 93.1, APIs: 51, Strings: 2, Instructions: 373COMMON

Download Yara Rule

APIs

#534.MSVBVM60 ref: 00429BA4
__vbaVarDup.MSVBVM60 ref: 00429BBE
#520.MSVBVM60(?,?), ref: 00429BCC
__vbaVarTstNe.MSVBVM60(?,?), ref: 00429BF1
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00429C04
#594.MSVBVM60(?), ref: 00429C28
__vbaFreeVar.MSVBVM60 ref: 00429C31
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429C49
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429C74
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000E0), ref: 00429CA2
__vbaStrMove.MSVBVM60 ref: 00429CB3
__vbaFreeObj.MSVBVM60 ref: 00429CB8
#539.MSVBVM60(0000000A,00000001,00000001,00000001), ref: 00429CC8
__vbaStrVarMove.MSVBVM60(0000000A), ref: 00429CD8
__vbaStrMove.MSVBVM60 ref: 00429CDF
__vbaFreeVar.MSVBVM60 ref: 00429CE4
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429CFD
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429D22
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C8), ref: 00429D4B
__vbaFreeObj.MSVBVM60 ref: 00429D50
#593.MSVBVM60(0000000A), ref: 00429D68
__vbaFreeVar.MSVBVM60 ref: 00429D73
#613.MSVBVM60(?,0000000A), ref: 00429D8C
__vbaStrVarMove.MSVBVM60(?), ref: 00429D96
__vbaStrMove.MSVBVM60 ref: 00429D9D
__vbaFreeVarList.MSVBVM60(00000002,0000000A,?), ref: 00429DAC
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429DCE
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429DF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000D8), ref: 00429E1D
__vbaStrMove.MSVBVM60 ref: 00429E2C
__vbaFreeObj.MSVBVM60 ref: 00429E35
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429E4E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429E63
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C730,00000098), ref: 00429E8A
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429E9F
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,0000004C), ref: 00429EC0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C590,00000024), ref: 00429EE9
__vbaStrMove.MSVBVM60 ref: 00429EF8
__vbaFreeStr.MSVBVM60 ref: 00429F01
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00429F11
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429F36
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429F5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000058), ref: 00429F7B
__vbaStrMove.MSVBVM60 ref: 00429F86
__vbaFreeObj.MSVBVM60 ref: 00429F8F
__vbaFreeStr.MSVBVM60(00429FFA), ref: 00429FDE
__vbaFreeStr.MSVBVM60 ref: 00429FE3
__vbaFreeStr.MSVBVM60 ref: 00429FE8
__vbaFreeStr.MSVBVM60 ref: 00429FED
__vbaFreeStr.MSVBVM60 ref: 00429FF2
__vbaFreeStr.MSVBVM60 ref: 00429FF7

Strings

rr, xrefs: 00429BB0
YOVEN, xrefs: 00429ECF

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$New2$List$#520#534#539#593#594#613
String ID: rr$YOVEN
API String ID: 153930923-4016629446
Opcode ID: 888e98c9204eac545b8df020c085c2c4944a1119fd0f3ba57c977cd9d0b45f8e
Instruction ID: d1ea98bccbdd50894b3ebb1123db0d0e43fb6c87e4d0b1ae19cfc5870940c6cd
Opcode Fuzzy Hash: 888e98c9204eac545b8df020c085c2c4944a1119fd0f3ba57c977cd9d0b45f8e
Instruction Fuzzy Hash: B3E17D70E40219AFCB14DFA4ED88ADEBBB9FF54701F10412AE105F72A0DBB45945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004293B0, Relevance: 82.6, APIs: 43, Strings: 4, Instructions: 395COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00429432
#583.MSVBVM60(00000000,00000000), ref: 0042943A
__vbaFpR8.MSVBVM60 ref: 00429440
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429469
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,0000004C), ref: 00429494
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C590,00000028), ref: 004294B8
__vbaFreeObj.MSVBVM60 ref: 004294C3
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 004294D8
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 004294FD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000068), ref: 00429520
__vbaFreeObj.MSVBVM60 ref: 00429525
#690.MSVBVM60(pladsbestillingen,mesothelae,Disnaturalise,preoutfitted), ref: 0042953B
#705.MSVBVM60(?,00000000), ref: 00429555
__vbaStrMove.MSVBVM60 ref: 00429566
__vbaFreeVar.MSVBVM60 ref: 0042956B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429584
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 004295A9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000108), ref: 004295D2
__vbaFreeObj.MSVBVM60 ref: 004295D7
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 004295F0
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429615
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 00429635
__vbaStrMove.MSVBVM60 ref: 00429644
__vbaFreeObj.MSVBVM60 ref: 0042964F
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 00429664
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 00429689
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C0), ref: 004296B2
__vbaFreeObj.MSVBVM60 ref: 004296B7
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042970F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429728
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000178), ref: 0042974F
#596.MSVBVM60(00000002,?,?,?,?,?,?), ref: 00429791
__vbaStrMove.MSVBVM60 ref: 0042979C
__vbaFreeObj.MSVBVM60 ref: 004297A5
__vbaFreeVarList.MSVBVM60(00000007,00000009,?,?,?,?,?,?), ref: 004297D5
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004297FF
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429818
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000220), ref: 0042985B
__vbaFreeObj.MSVBVM60 ref: 00429864
__vbaFreeStr.MSVBVM60(004298E8), ref: 004298D6
__vbaFreeStr.MSVBVM60 ref: 004298DB
__vbaFreeStr.MSVBVM60 ref: 004298E0
__vbaFreeStr.MSVBVM60 ref: 004298E5

Strings

preoutfitted, xrefs: 00429527
Disnaturalise, xrefs: 0042952C
pladsbestillingen, xrefs: 00429536
mesothelae, xrefs: 00429531

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$New2$Move$#583#596#690#705CopyList
String ID: Disnaturalise$mesothelae$pladsbestillingen$preoutfitted
API String ID: 1306337204-3129089085
Opcode ID: e77d65441bbb11f156c978375846083aa7de462f37469e8b576dad2175880851
Instruction ID: 73ca830af1a87315c4bc212fbb2592d8f6d2f672a3729e2c52f8f47c7d0d7950
Opcode Fuzzy Hash: e77d65441bbb11f156c978375846083aa7de462f37469e8b576dad2175880851
Instruction Fuzzy Hash: 49E17CB1A40229AFCB10DFA4DD84BDEBBB8FF58700F10816AE505E72A0D7B45945CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E3B0, Relevance: 82.6, APIs: 44, Strings: 3, Instructions: 357COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E424
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041E449
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041E46D
__vbaStrCat.MSVBVM60(?,About ), ref: 0041E487
__vbaStrMove.MSVBVM60 ref: 0041E494
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041BB70,00000054), ref: 0041E4AF
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041E4BF
__vbaFreeObj.MSVBVM60 ref: 0041E4CB
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E4E4
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041E509
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000B8), ref: 0041E533
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E54C
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041E571
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C0), ref: 0041E59B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E5B4
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041E5D9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000C8), ref: 0041E606
__vbaStrI2.MSVBVM60(?,Version ), ref: 0041E61B
__vbaStrMove.MSVBVM60 ref: 0041E622
__vbaStrCat.MSVBVM60(00000000), ref: 0041E625
__vbaStrMove.MSVBVM60 ref: 0041E62C
__vbaStrCat.MSVBVM60(0041C314,00000000), ref: 0041E634
__vbaStrMove.MSVBVM60 ref: 0041E63B
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041E642
__vbaStrMove.MSVBVM60 ref: 0041E649
__vbaStrCat.MSVBVM60(00000000), ref: 0041E64C
__vbaStrMove.MSVBVM60 ref: 0041E653
__vbaStrCat.MSVBVM60(0041C314,00000000), ref: 0041E65B
__vbaStrMove.MSVBVM60 ref: 0041E662
__vbaStrI2.MSVBVM60(?,00000000), ref: 0041E66C
__vbaStrMove.MSVBVM60 ref: 0041E673
__vbaStrCat.MSVBVM60(00000000), ref: 0041E676
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 0041E6A8
__vbaFreeStrList.MSVBVM60(00000007,?,?,?,?,?,?,?), ref: 0041E6C8
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0041E6DC
__vbaFreeVar.MSVBVM60 ref: 0041E6EE
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041E703
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041E728
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041E74C
__vbaVarLateMemSt.MSVBVM60(?,Caption), ref: 0041E786
__vbaFreeObj.MSVBVM60 ref: 0041E78B
__vbaFreeVar.MSVBVM60 ref: 0041E794
__vbaFreeVar.MSVBVM60(0041E7F3), ref: 0041E7EB
__vbaFreeVar.MSVBVM60 ref: 0041E7F0

Strings

Version , xrefs: 0041E615
Caption, xrefs: 0041E693, 0041E76A
About , xrefs: 0041E47F

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$Move$New2$List$Late
String ID: About $Caption$Version
API String ID: 2652319797-2818086185
Opcode ID: 4b483d554745248ad95a73765f8c5a8eb2ab3fde1f70b308d32b0ab875829bea
Instruction ID: 9e4d474a8e294db2507eb257a92b6946c5d0aa0ec29416ed85690fdd17d78f2c
Opcode Fuzzy Hash: 4b483d554745248ad95a73765f8c5a8eb2ab3fde1f70b308d32b0ab875829bea
Instruction Fuzzy Hash: 96D16EB4A40209AFDB00DFA5DD88EDEBBB9FF58700B10412AF505E72A0DB749945CB98

Uniqueness

Uniqueness Score: -1.00%

Function 0041F850, Relevance: 79.2, APIs: 40, Strings: 5, Instructions: 414COMMON

Download Yara Rule

APIs

#672.MSVBVM60(00000000,40080000,00000000,3FF00000,00000000,3FF00000,00000000,3FF00000), ref: 0041F8E7
__vbaFpR8.MSVBVM60 ref: 0041F8ED
#680.MSVBVM60(00000000,3FF00000,00000000,3FF00000,00000000,40490000,?,?,?), ref: 0041F93E
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 0041F954
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F970
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041F99B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000060), ref: 0041F9C3
__vbaStrMove.MSVBVM60 ref: 0041F9CE
__vbaFreeObj.MSVBVM60 ref: 0041F9D7
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F9EF
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041FA14
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000078), ref: 0041FA37
__vbaFreeObj.MSVBVM60 ref: 0041FA3C
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FA54
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041FA79
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000130), ref: 0041FA9F
__vbaStrMove.MSVBVM60 ref: 0041FAAA
__vbaFreeObj.MSVBVM60 ref: 0041FAB3
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FACB
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041FAF0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000110), ref: 0041FB16
__vbaStrMove.MSVBVM60 ref: 0041FB21
__vbaFreeObj.MSVBVM60 ref: 0041FB2A
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FB42
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041FB67
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,000000B8), ref: 0041FB90
__vbaFreeObj.MSVBVM60 ref: 0041FB95
#690.MSVBVM60(Analyserne,Faggoty1,WHAN,RETSFORFLGELSENS), ref: 0041FBAF
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FBC8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FBE1
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000198), ref: 0041FC0B
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041FC1F
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000044), ref: 0041FD04
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0041FD3B
__vbaFreeObj.MSVBVM60 ref: 0041FD44
__vbaFreeVar.MSVBVM60 ref: 0041FD4D
__vbaFreeObj.MSVBVM60(0041FDAB), ref: 0041FD8F
__vbaFreeStr.MSVBVM60 ref: 0041FD9E
__vbaFreeStr.MSVBVM60 ref: 0041FDA3
__vbaFreeStr.MSVBVM60 ref: 0041FDA8

Strings

RETSFORFLGELSENS, xrefs: 0041FB9B
Faggoty1, xrefs: 0041FBA5
Analyserne, xrefs: 0041FBAA
SKAGS, xrefs: 0041FCE1
WHAN, xrefs: 0041FBA0

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$New2$Move$#672#680#690LateList
String ID: Analyserne$Faggoty1$RETSFORFLGELSENS$SKAGS$WHAN
API String ID: 1830049070-1073787339
Opcode ID: 10bb4586c31a7163b8df31bb5b6b9fc27eed6e4bd201ce9d2930cb43a5c787fd
Instruction ID: 37370e4a99ccd965547789cd16b9886d87194e6f0d0d531b9d896c4da0f24ab0
Opcode Fuzzy Hash: 10bb4586c31a7163b8df31bb5b6b9fc27eed6e4bd201ce9d2930cb43a5c787fd
Instruction Fuzzy Hash: 8CF13CB0E40219AFCB14DFA4DC84ADDBBB5FF58305F20816AE509E72A1D7745886CF98

Uniqueness

Uniqueness Score: -1.00%

Function 0041E810, Relevance: 36.2, APIs: 24, Instructions: 173COMMON

Download Yara Rule

APIs

#632.MSVBVM60(?,?,00000000,?), ref: 0041E8A9
__vbaStrVarVal.MSVBVM60(?,?), ref: 0041E8B7
#516.MSVBVM60(00000000), ref: 0041E8BE
__vbaFreeStr.MSVBVM60 ref: 0041E8D2
__vbaFreeVarList.MSVBVM60(00000002,00000002,?), ref: 0041E8E2
#617.MSVBVM60(00000002,?,?), ref: 0041E90C
#617.MSVBVM60(00000002,?,?), ref: 0041E933
__vbaStrVarMove.MSVBVM60(00000002), ref: 0041E93D
__vbaStrMove.MSVBVM60 ref: 0041E948
__vbaFreeVar.MSVBVM60 ref: 0041E951
__vbaI4Var.MSVBVM60(?), ref: 0041E961
__vbaStrToAnsi.MSVBVM60(?,?,?), ref: 0041E97B
__vbaStrToAnsi.MSVBVM60(?,?,00000000,?,00000000), ref: 0041E990
__vbaI4Var.MSVBVM60(?,00000000,?,00000000,?,00000000), ref: 0041E997
__vbaSetSystemError.MSVBVM60(00000000,?,00000000,?,00000000), ref: 0041E9A1
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041E9B2
__vbaVarCopy.MSVBVM60(?,00000000,?,00000000), ref: 0041E9D1
__vbaStrToUnicode.MSVBVM60(?,?,?,00000000,?,00000000), ref: 0041E9DF
__vbaVarMove.MSVBVM60(?,00000000,?,00000000), ref: 0041E9F6
__vbaFreeStrList.MSVBVM60(00000002,?,?,?,00000000,?,00000000), ref: 0041EA06
__vbaFreeVar.MSVBVM60(0041EA59,?,?,00000000), ref: 0041EA43
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041EA48
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0041EA4D
__vbaFreeStr.MSVBVM60(?,?,00000000), ref: 0041EA52

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#617AnsiListUnicode$#516#632CopyErrorSystem
String ID:
API String ID: 2884289542-0
Opcode ID: 710ac1cc7b42445dc8530192f94292157d36740529efb235e756e21f9608266e
Instruction ID: 3b63e64c9d87e29209db17615ca97dcdad15d0288a5fceed70330e37cd8203b5
Opcode Fuzzy Hash: 710ac1cc7b42445dc8530192f94292157d36740529efb235e756e21f9608266e
Instruction Fuzzy Hash: C371F6B5C002199FDB14DFA5DD84ADDFBB8FF88304F10815AE50AA7224DB746A89CF54

Uniqueness

Uniqueness Score: -1.00%

Function 00420230, Relevance: 28.7, APIs: 19, Instructions: 238COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420289
__vbaObjSet.MSVBVM60(?,00000000), ref: 004202A8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004202BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004202D8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000170), ref: 00420301
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0042034A
__vbaFreeStr.MSVBVM60 ref: 0042034F
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0042035F
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042037B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00420394
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000000E0), ref: 004203B7
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004203CC
__vbaObjSet.MSVBVM60(?,00000000), ref: 004203E5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 00420474
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420484
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004204A0
__vbaObjSet.MSVBVM60(?,00000000), ref: 004204B9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C56C,00000110), ref: 004204E0
__vbaFreeObj.MSVBVM60 ref: 004204EF

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresultNew2$Free$List
String ID:
API String ID: 191279167-0
Opcode ID: b2e7c93401f1a76cf467abdbcfa4bea6573d9b274fbd592eddd6a4b12cb9c9d0
Instruction ID: 1c8ffb9f8754a05481df741ef04a031bd358440136ff0387472566c784596098
Opcode Fuzzy Hash: b2e7c93401f1a76cf467abdbcfa4bea6573d9b274fbd592eddd6a4b12cb9c9d0
Instruction Fuzzy Hash: 7C914E70A00218AFCB15DFA8DD89FAABBF8FF48700F108469E505E7361D7749941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041FDD0, Relevance: 28.7, APIs: 19, Instructions: 219COMMON

Download Yara Rule

APIs

#702.MSVBVM60(?,000000FF,000000FE,000000FE,000000FE), ref: 0041FE33
__vbaStrMove.MSVBVM60 ref: 0041FE3E
__vbaFreeVar.MSVBVM60 ref: 0041FE47
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FE60
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FE7F
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,00000158), ref: 0041FEA2
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FEBB
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FED4
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 0041FF6D
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041FF7D
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FF99
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFB8
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041FFD4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041FFED
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000198), ref: 00420010
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 00420050
__vbaFreeStr.MSVBVM60 ref: 00420059
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00420069
__vbaFreeStr.MSVBVM60(004200AA), ref: 004200A3

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$List$#702Move
String ID:
API String ID: 2162597328-0
Opcode ID: 040a041879a0f4218a25492db1e59c014cc9171130d84dfee934099175ffcfb4
Instruction ID: 61df15d877eb089602405cff6ea7be37bdd6f2846dc5f89c8a896a5a32d02b7b
Opcode Fuzzy Hash: 040a041879a0f4218a25492db1e59c014cc9171130d84dfee934099175ffcfb4
Instruction Fuzzy Hash: E4815E70A00208AFCB14DFA8DD89F9ABBB8FF49700F108169F519E73A1D7759946CB94

Uniqueness

Uniqueness Score: -1.00%

Function 0042A010, Relevance: 28.7, APIs: 19, Instructions: 157COMMON

Download Yara Rule

APIs

__vbaCyI2.MSVBVM60(00000001), ref: 0042A066
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042A087
__vbaStrCy.MSVBVM60(00000000,?,0041C82C), ref: 0042A09E
__vbaStrMove.MSVBVM60 ref: 0042A0A9
__vbaStrCat.MSVBVM60(00000000), ref: 0042A0B0
__vbaStrMove.MSVBVM60 ref: 0042A0BB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000054), ref: 0042A0D8
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042A0E8
__vbaFreeObj.MSVBVM60 ref: 0042A0F4
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042A108
__vbaStrCy.MSVBVM60(?,?,0041C58C), ref: 0042A13F
__vbaStrMove.MSVBVM60 ref: 0042A14A
__vbaStrCat.MSVBVM60(00000000), ref: 0042A151
__vbaStrMove.MSVBVM60 ref: 0042A15C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0042A17C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0042A18C
__vbaFreeObj.MSVBVM60 ref: 0042A198
__vbaHresultCheckObj.MSVBVM60(00000000,00401330,0041BB70,000002B4), ref: 0042A1B9
__vbaFpCmpCy.MSVBVM60(?,?), ref: 0042A1CD

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckHresult$List
String ID:
API String ID: 890835711-0
Opcode ID: 7de2ef56a9b5b6d445aa1d470c02758474a54fc0dd7b9111599cae72e25a62ac
Instruction ID: 5d8f41b033f547a22ecdef87c2bd39d127c61e47bf48685fdd108d8bb6fd0526
Opcode Fuzzy Hash: 7de2ef56a9b5b6d445aa1d470c02758474a54fc0dd7b9111599cae72e25a62ac
Instruction Fuzzy Hash: A6512E71A00209AFC7049FA4DE89AEEBBB8FF0C701F148129F945F7261DB349945CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00428CF0, Relevance: 25.7, APIs: 17, Instructions: 207COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00428D3C
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428D55
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428D74
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000158), ref: 00428D97
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428DB0
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428DC9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C348,000001E4), ref: 00428E56
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00428E66
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428E82
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428EA1
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00428EBD
__vbaObjSet.MSVBVM60(?,00000000), ref: 00428ED6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000048), ref: 00428EF3
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 00428F33
__vbaFreeStr.MSVBVM60 ref: 00428F3C
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00428F4C
__vbaFreeStr.MSVBVM60(00428F84), ref: 00428F7D

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2$List$Copy
String ID:
API String ID: 1781121178-0
Opcode ID: 58db5851f6a9e2aa14a7bca8ac55826374952ed6c4a2acb16a8ae43fe9a21d17
Instruction ID: a2a00705b3d9f27f17ab9f16957318283173ed53f6e2ba379a0676fc4d006940
Opcode Fuzzy Hash: 58db5851f6a9e2aa14a7bca8ac55826374952ed6c4a2acb16a8ae43fe9a21d17
Instruction Fuzzy Hash: A9814CB0A00218AFCB04DFA8D989F9EBBB8FF48700F10856DE505E7351D7359946CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 00429920, Relevance: 25.6, APIs: 17, Instructions: 148COMMON

Download Yara Rule

APIs

#594.MSVBVM60(?), ref: 0042996C
__vbaFreeVar.MSVBVM60 ref: 00429975
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042998E
__vbaObjSet.MSVBVM60(?,00000000), ref: 004299AD
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004299D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004299EB
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C720,00000048), ref: 00429A08
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 00429A49
__vbaFreeStr.MSVBVM60 ref: 00429A52
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00429A62
#707.MSVBVM60(00000001,00000000), ref: 00429A6F
__vbaStrMove.MSVBVM60 ref: 00429A7A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429A93
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429AAC
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,00000068), ref: 00429AC9
__vbaFreeObj.MSVBVM60 ref: 00429AD8
__vbaFreeStr.MSVBVM60(00429B16), ref: 00429B0F

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#594#707ListMove
String ID:
API String ID: 2949391266-0
Opcode ID: b77c8bc1060e72ddf29c665f75b8fb88064a58b0e119ef9ce970ee6f2af9bcf6
Instruction ID: c0caab5d5f17cbb3b86649ad4d3803f059e342f5091dad5fd32a2bc607f30864
Opcode Fuzzy Hash: b77c8bc1060e72ddf29c665f75b8fb88064a58b0e119ef9ce970ee6f2af9bcf6
Instruction Fuzzy Hash: 3B5139B0A40318AFCB14DFA4DD89FAE7BB8FB48701F108029F441A72A1D7745941CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F610, Relevance: 24.2, APIs: 16, Instructions: 169COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F65A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F679
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F690
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F6A9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,00000048), ref: 0041F6C6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 0041F70B
__vbaFreeStr.MSVBVM60 ref: 0041F714
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041F724
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F740
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041F759
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001E8), ref: 0041F77E
__vbaFreeObj.MSVBVM60 ref: 0041F791
__vbaNew2.MSVBVM60(0041C2D8,0042B6DC), ref: 0041F7A6
__vbaHresultCheckObj.MSVBVM60(00000000,020DE8C4,0041C2C8,00000014), ref: 0041F7CB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0041C2E8,00000108), ref: 0041F7F1
__vbaFreeObj.MSVBVM60 ref: 0041F7F6

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$List
String ID:
API String ID: 3473554973-0
Opcode ID: 5a675a062ed2f80e2e615862e574737e2b0d43b6ee46d4b074cffea09795dbfd
Instruction ID: 718c260e5d98e997187a8167dd0469fe2dddccca854fed8684b633d4cb4b9e97
Opcode Fuzzy Hash: 5a675a062ed2f80e2e615862e574737e2b0d43b6ee46d4b074cffea09795dbfd
Instruction Fuzzy Hash: 13517170A40218AFCB10DFA8DD89FEE77B8FB48700F104469F545F72A1D774A9468BA8

Uniqueness

Uniqueness Score: -1.00%

Function 004224E0, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 114COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422523
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00422542
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,000001A8), ref: 00422561
__vbaFreeObj.MSVBVM60 ref: 0042256A
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422583
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042259C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 004225E0
__vbaFreeObj.MSVBVM60 ref: 004225EF
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00422604
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042261D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001D4), ref: 0042263C
__vbaFreeObj.MSVBVM60 ref: 00422645

Strings

Domspraksisernes5, xrefs: 004225AF

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Domspraksisernes5
API String ID: 1645334062-1971972423
Opcode ID: 84b337afc1a1581deb58eb12290dec22e3f1ea31101c4050fcc73e9b954f29fe
Instruction ID: 7ae1173f5d2f8a870f1c1551a7c1fe4c4310adeda4e7feb34c68db144c5c299e
Opcode Fuzzy Hash: 84b337afc1a1581deb58eb12290dec22e3f1ea31101c4050fcc73e9b954f29fe
Instruction Fuzzy Hash: 4F419D70740319ABD710EF64DE89FAA7BA8EF18701F504429F841F72A1D7B899418BA9

Uniqueness

Uniqueness Score: -1.00%

Function 00420F00, Relevance: 18.1, APIs: 12, Instructions: 91COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420F40
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420F48
__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F5D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F7C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001E8,?,?,?,?,?,?,?,?,?,00401346), ref: 00420F9B
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00420FAA
__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FBF
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FD8
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,000000C4,?,?,?,?,?,?,?,?,?,00401346), ref: 00420FF7
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,00401346), ref: 00421000
__vbaFreeStr.MSVBVM60(0042102B), ref: 00421023
__vbaFreeStr.MSVBVM60 ref: 00421028

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyHresultNew2
String ID:
API String ID: 4138333463-0
Opcode ID: 5da2c23f720effbd1f60fa15ca1664a4ab6a6fcc47e780782644021d24723638
Instruction ID: e9ff65c06c2645ecdf35d1341f5c5707c7186867e91e91aabe9eb39c557ac1ef
Opcode Fuzzy Hash: 5da2c23f720effbd1f60fa15ca1664a4ab6a6fcc47e780782644021d24723638
Instruction Fuzzy Hash: F6318070A40219ABCB10DF64DD85FEE7BB8FF18700F50442AE941F72A1D7786945CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 0041F490, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F4D3
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F4F2
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001C8), ref: 0041F537
__vbaFreeObj.MSVBVM60 ref: 0041F540
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0041F559
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0041F572
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001EC), ref: 0041F5B3
__vbaFreeObj.MSVBVM60 ref: 0041F5BC

Strings

Badass3, xrefs: 0041F585

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: Badass3
API String ID: 1645334062-2400041744
Opcode ID: 3ab6717af0607a03af4cf727ca8abef43e240294a5fee80cefb9ba222cc2f61a
Instruction ID: 70b1e41bce938b90e2f261df8772c834ee2046e30f5ded5721f854294bb3f344
Opcode Fuzzy Hash: 3ab6717af0607a03af4cf727ca8abef43e240294a5fee80cefb9ba222cc2f61a
Instruction Fuzzy Hash: D1319FB0A40309ABC714DF69DD89F9ABBB8FF18700F108529E515E7391E7789842CF98

Uniqueness

Uniqueness Score: -1.00%

Function 00429200, Relevance: 12.1, APIs: 8, Instructions: 124COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042924D
__vbaObjSet.MSVBVM60(?,00000000), ref: 0042926C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C3FC,000000C8), ref: 004292AB
__vbaFreeObj.MSVBVM60 ref: 004292B4
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004292CD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004292E6
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,00000204), ref: 00429369
__vbaFreeObj.MSVBVM60 ref: 00429372

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 1ae6717b4359f693bf7288795a4bcaa8e9981e46e0b2e6f232fd28e0f0236f3f
Instruction ID: 5baa1043d334e56103f527f32974d8bbe12837cd9480d26d1b068978ffa16f0d
Opcode Fuzzy Hash: 1ae6717b4359f693bf7288795a4bcaa8e9981e46e0b2e6f232fd28e0f0236f3f
Instruction Fuzzy Hash: 5F411AB4A40214ABCB14DF68D989B9ABBF4EB49700F14C569E909EB391D7349841CF98

Uniqueness

Uniqueness Score: -1.00%

Function 004200D0, Relevance: 12.1, APIs: 8, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420123
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420142
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000001FC), ref: 00420181
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 00420190
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 004201A5
__vbaObjSet.MSVBVM60(?,00000000), ref: 004201BE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4E0,000000E0), ref: 004201E1
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401346), ref: 004201F0

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: d2ee1ddf179d6b8ee3ef74aa69284257205790941af2274de96c8eacdc4c28ef
Instruction ID: 614b6244230a34d6ec55f8388e52f56b13fabc30f73c9528b18b65488e25d052
Opcode Fuzzy Hash: d2ee1ddf179d6b8ee3ef74aa69284257205790941af2274de96c8eacdc4c28ef
Instruction Fuzzy Hash: F6316F74A40318ABCB15DFA8DD89FAABBF8FF08700F10856AF541E7351D77898418B98

Uniqueness

Uniqueness Score: -1.00%

Function 00420DF0, Relevance: 12.1, APIs: 8, Instructions: 75COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420E33
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00420E52
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C328,00000218), ref: 00420E71
__vbaFreeObj.MSVBVM60 ref: 00420E80
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00420E95
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 00420EAE
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C4BC,000001C0), ref: 00420ECD
__vbaFreeObj.MSVBVM60 ref: 00420ED6

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID:
API String ID: 1645334062-0
Opcode ID: 3bde3afa0ddcb207336f163c69716cf72c419de81583c8e4301706cf5d15b15b
Instruction ID: b377f76b0c7ee03cd9d0f007185ff0e177010ad872b081f33ca0d0925bd46087
Opcode Fuzzy Hash: 3bde3afa0ddcb207336f163c69716cf72c419de81583c8e4301706cf5d15b15b
Instruction Fuzzy Hash: 57219070780218AFD711EF64DD89FAB77E8EF18701F500865F841F72A1D778A9418AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00428FB0, Relevance: 10.6, APIs: 7, Instructions: 97COMMON

Download Yara Rule

APIs

__vbaStrCopy.MSVBVM60 ref: 00428FFF
__vbaOnError.MSVBVM60(00000000), ref: 00429006
__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 0042901F
__vbaObjSet.MSVBVM60(?,00000000), ref: 00429038
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C40C,000001B4), ref: 004290BF
__vbaFreeObj.MSVBVM60 ref: 004290C8
__vbaFreeStr.MSVBVM60(004290EA), ref: 004290E3

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckCopyErrorHresultNew2
String ID:
API String ID: 3491321472-0
Opcode ID: 96477fc00a958c7d78dd9a998b428fe8a43b08d23a1112b460b8e775fb5ebabd
Instruction ID: ca2b48f9e0d9b1b6ea7d5ee35ecfdd2dbb7030999c882f28ead3c5a2e823b51c
Opcode Fuzzy Hash: 96477fc00a958c7d78dd9a998b428fe8a43b08d23a1112b460b8e775fb5ebabd
Instruction Fuzzy Hash: 3541D9B4E10218AFCB04DFA8D989A9EBBF4FF49700F14C16AE815A7351D7749902CF95

Uniqueness

Uniqueness Score: -1.00%

Function 00429110, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57COMMON

Download Yara Rule

APIs

__vbaNew2.MSVBVM60(0041CAC0,0042B010), ref: 00429153
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0042916C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0041C338,000001EC), ref: 004291B4
__vbaFreeObj.MSVBVM60 ref: 004291BD

Strings

perimeters, xrefs: 00429183

Memory Dump Source

Source File: 00000001.00000002.523124693.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.523119695.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.523143639.000000000042B000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.523148959.000000000042C000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresultNew2
String ID: perimeters
API String ID: 1645334062-1754290069
Opcode ID: 11f83ca443122cb2636b5c52aa2ab0496517a6bd211949e7d2cd7dec634daf37
Instruction ID: a56c3f86c6a81bf6b9c5abc5d9ef58ab4d19b2f4e01c022668475e9f8af8efac
Opcode Fuzzy Hash: 11f83ca443122cb2636b5c52aa2ab0496517a6bd211949e7d2cd7dec634daf37
Instruction Fuzzy Hash: 3C1181B0A4030AABD700DF69DD89BABBBB8FB18700F108429F905E3390D77859418BD8

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report Arrival Notice, CIA Awb Inv Form.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

System Behavior

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 6260 Parent PID: 6132

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Arrival Notice, CIA Awb Inv Form.pdf.exe PID: 6260 Parent PID: 6132 Arrival Notice, CIA Awb Inv Form.pdf.exeCOMMON

Function 00401598, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 373
COMMON