Play interactive tour

Edit tour

Windows Analysis Report RFQ_TZDQP2110257921.exe

Overview

General Information

Sample Name:	RFQ_TZDQP2110257921.exe
Analysis ID:	528676
MD5:	de5e1ca79f9bc16726e87f9e04529a33
SHA1:	c688c1b2ea205aa37f7fe4a511d18f1bdead62a1
SHA256:	9f1956145a9bdc606ad1463721f38ea1c31c6aeabfb028a0b134c0f3e881db47
Tags:	exe
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	72
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Found potential dummy code loops (likely to delay analysis)

C2 URLs / IPs found in malware configuration

Uses 32bit PE files

Contains functionality to call native functions

Sample file is different than original file name gathered from version info

Contains functionality to read the PEB

Program does not show much activity (idle)

Uses code obfuscation techniques (call, push, ret)

Contains functionality for execution timing, often used to detect debuggers

Abnormal high CPU Usage

Detected potential crypto function

Classification

Process Tree

System is w10x64

RFQ_TZDQP2110257921.exe (PID: 5908 cmdline: "C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe" MD5: DE5E1CA79F9BC16726E87F9E04529A33)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=d_"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=d_"}

Multi AV Scanner detection for submitted file

Show sources

Source: RFQ_TZDQP2110257921.exe

ReversingLabs: Detection: 13%

Source: RFQ_TZDQP2110257921.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=d_

Source: RFQ_TZDQP2110257921.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B5DAC8 NtAllocateVirtualMemory,

0_2_02B5DAC8

Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe
Source: RFQ_TZDQP2110257921.exe	Binary or memory string: OriginalFilenameForlornity.exe vs RFQ_TZDQP2110257921.exe

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040153A	0_2_0040153A
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00401776	0_2_00401776
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00401729	0_2_00401729
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5DAC8	0_2_02B5DAC8
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B66BC4	0_2_02B66BC4
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B2CF	0_2_02B5B2CF
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B236	0_2_02B5B236
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B3F9	0_2_02B5B3F9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B0FE	0_2_02B5B0FE
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6502F	0_2_02B6502F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A1AB	0_2_02B5A1AB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5E1FB	0_2_02B5E1FB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5F1D5	0_2_02B5F1D5
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B6B2	0_2_02B5B6B2
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A6CE	0_2_02B5A6CE
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B608	0_2_02B5B608
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A4C9	0_2_02B5A4C9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A464	0_2_02B5A464
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5A58F	0_2_02B5A58F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5B537	0_2_02B5B537
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B64A9C	0_2_02B64A9C
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AAF9	0_2_02B5AAF9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AAD3	0_2_02B5AAD3
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AB45	0_2_02B5AB45
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B599FD	0_2_02B599FD
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AEF7	0_2_02B5AEF7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B63ECA	0_2_02B63ECA
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AE6A	0_2_02B5AE6A
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AFC2	0_2_02B5AFC2
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56CB7	0_2_02B56CB7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56CCC	0_2_02B56CCC
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B56C30	0_2_02B56C30
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B62C28	0_2_02B62C28
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AD9F	0_2_02B5AD9F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5AD46	0_2_02B5AD46

Source: RFQ_TZDQP2110257921.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

File created: C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP

Jump to behavior

Source: RFQ_TZDQP2110257921.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: classification engine

Classification label: mal72.troj.evad.winEXE@1/1@0/0

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0041080B push CFB82872h; iretd	0_2_00410813
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040D0A1 push 223B155Fh; retf	0_2_0040D096
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040A954 push 00000079h; ret	0_2_0040A956
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407242 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00414248 push ss; iretd	0_2_00414303
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407257 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040AA76 push ecx; retf	0_2_0040AA82
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040721B push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00404A2C push ebx; iretd	0_2_00404A34
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040A2F8 push edx; ret	0_2_0040A2F9
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040F2FE push 0000002Eh; iretd	0_2_0040F3F7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040E2B4 push ss; iretd	0_2_0040E366
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00407357 push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040F32E push 0000002Eh; iretd	0_2_0040F3F7
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004113CA push esi; ret	0_2_004113CB
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004173D8 push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040739E push eax; retf	0_2_00407351
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_004173AE push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040CC41 push 00000043h; retf	0_2_0040CC4D
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FC62 push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040AC38 push FBEE8E6Ah; ret	0_2_0040AC42
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FC3E push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00417498 push ss; iretd	0_2_00417496
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040CCB7 push ebx; retf	0_2_0040CCDF
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FD27 pushfd ; iretd	0_2_0040FD2B
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00416D28 push cs; iretd	0_2_00416D2F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040FD3A push ss; iretd	0_2_0040FD26
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_00414662 push FFFFFFDBh; iretd	0_2_00414666
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040B6FB push edx; iretd	0_2_0040B808
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0041676A push edx; iretd	0_2_0041686B
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_0040B7EA push edx; iretd	0_2_0040B808

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B63BCE rdtsc

0_2_02B63BCE

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6225D mov eax, dword ptr fs:[00000030h]	0_2_02B6225D
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B6502F mov eax, dword ptr fs:[00000030h]	0_2_02B6502F
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B5D1B5 mov eax, dword ptr fs:[00000030h]	0_2_02B5D1B5
Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe	Code function: 0_2_02B62F6B mov eax, dword ptr fs:[00000030h]	0_2_02B62F6B

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B63BCE rdtsc

0_2_02B63BCE

Source: C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe

Code function: 0_2_02B66BC4 RtlAddVectoredExceptionHandler,

0_2_02B66BC4

Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Program Manager
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Shell_TrayWnd
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progman
Source: RFQ_TZDQP2110257921.exe, 00000000.00000002.1180351535.0000000000DA0000.00000002.00020000.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	OS Credential Dumping	Security Software Discovery11	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
RFQ_TZDQP2110257921.exe	14%	ReversingLabs	Win32.Downloader.GuLoader

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	34.0.0 Boulder Opal
Analysis ID:	528676
Start date:	25.11.2021
Start time:	16:22:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	RFQ_TZDQP2110257921.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal72.troj.evad.winEXE@1/1@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 2.2% (good quality ratio 1.2%) Quality average: 29.8% Quality standard deviation: 31.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 92.122.145.220 Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, store-images.s-microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com VT rate limit hit for: /opt/package/joesandbox/database/analysis/528676/sample/RFQ_TZDQP2110257921.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Temp\~DF87EDA8D7970694A0.TMP Download File
Process:	C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe
File Type:	Composite Document File V2 Document, Cannot read section info
Category:	dropped
Size (bytes):	16384
Entropy (8bit):	0.9277305547216628
Encrypted:	false
SSDEEP:	48:rJSq2Upu8metqPrIXHimU7zdvP1vncU7pCr8P:VSKUpACLFcUVCrG
MD5:	19809EDD1FF00A1D7C105BC58A97CD02
SHA1:	26FB6D339CF2A7474DE6F785166163FA9B2ADBB1
SHA-256:	4745D04A4BB99D70866D722394D9E71F3FAE597AA84E229A1E3B40F31521594C
SHA-512:	434722936006B56B042FB5C72CAB98D8B7615A5A0E48EE6746DD6839BE029029E3BCECF7EFA49DDC8A9DB016FA472FB9EE1CE75126C13E06D66EAA12166A38F7
Malicious:	false
Reputation:	low
Preview:	......................>...............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	4.800736460840025
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	RFQ_TZDQP2110257921.exe
File size:	135168
MD5:	de5e1ca79f9bc16726e87f9e04529a33
SHA1:	c688c1b2ea205aa37f7fe4a511d18f1bdead62a1
SHA256:	9f1956145a9bdc606ad1463721f38ea1c31c6aeabfb028a0b134c0f3e881db47
SHA512:	c474e84731b9d0428d9bdac8df5b56f30e8738e709871c7a25e0fdb0eff304a095cbbc8a1602be113ffece0e4239ae69c7cde7442abbc9c437d6312930087b57
SSDEEP:	1536:thDtIiZk5GmFDOQbC91Ugi+yDWkzjHOredD:th25B7CffrEWWjMed
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........i.......................*..............Rich....................PE..L......J.....................0....................@........

File Icon


Icon Hash:	981dca909cee36b0

Static PE Info

General
Entrypoint:	0x4013b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4AC47F1B [Thu Oct 1 10:06:19 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d77040f4614bccfda7b8aa2e04863738

Entrypoint Preview

Instruction
push 00401FD0h
call 00007F4914BE9F55h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ebx], al
pushad
jc 00007F4914BE9F87h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x1df54	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x21000	0xf50	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x230	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x11c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x1d45c	0x1e000	False	0.353116861979	data	4.98754225046	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x1f000	0x141c	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x21000	0xf50	0x1000	False	0.339111328125	data	3.26324381728	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
CUSTOM	0x21e12	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
CUSTOM	0x21cd4	0x13e	MS Windows icon resource - 1 icon, 16x16, 16 colors	English	United States
RT_ICON	0x2142c	0x8a8	data
RT_GROUP_ICON	0x21418	0x14	data
RT_VERSION	0x21170	0x2a8	data	Turkmen	Turkmenistan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, __vbaVarIdiv, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaRecAnsiToUni, __vbaStrCat, __vbaSetSystemError, __vbaRecDestruct, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaOnError, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaRecUniToAnsi, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, _CIlog, __vbaInStr, __vbaNew2, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaStrToAnsi, __vbaVarDup, __vbaRecDestructAnsi, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0442 0x04b0
LegalCopyright	Lips
InternalName	Forlornity
FileVersion	1.00
CompanyName	Lips
LegalTrademarks	Lips
ProductName	Lips
ProductVersion	1.00
FileDescription	Lips
OriginalFilename	Forlornity.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States
Turkmen	Turkmenistan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: RFQ_TZDQP2110257921.exe PID: 5908 Parent PID: 2944

General

Start time:	16:23:00
Start date:	25/11/2021
Path:	C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\RFQ_TZDQP2110257921.exe"
Imagebase:	0x400000
File size:	135168 bytes
MD5 hash:	DE5E1CA79F9BC16726E87F9E04529A33
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: RFQ_TZDQP2110257921.exe PID: 5908 Parent PID: 2944 RFQ_TZDQP2110257921.exeCOMMON

Executed Functions

Function 02B66BC4, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a855128179c133c59a44e851e351228543b46eb40f450657532acdd9ed279ae
Instruction ID: 536dfbf8bdc3c5b1bff29282edc69122574da3c4071a556800cd8b3e6e7e374f
Opcode Fuzzy Hash: 0a855128179c133c59a44e851e351228543b46eb40f450657532acdd9ed279ae
Instruction Fuzzy Hash: 47612130604249CFDB38DF2AC9987FA77A2EF85344F1181AACC4A9B754D738EA40CB41

Uniqueness

Uniqueness Score: -1.00%

Function 02B5DAC8, Relevance: 1.6, APIs: 1, Instructions: 103memorynativeCOMMON

Download Yara Rule

APIs

NtAllocateVirtualMemory.NTDLL ref: 02B5DE69

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: a9027e07600523de054f0c9e0d9d402c2c097782adfb18adb8faf65d35e9eac1
Instruction ID: 7d9ca738c4a4aaaf8351f079546442a703584224c1f995712375d41dc598b24f
Opcode Fuzzy Hash: a9027e07600523de054f0c9e0d9d402c2c097782adfb18adb8faf65d35e9eac1
Instruction Fuzzy Hash: 7441CD71608389CBDB609F2ACC947DA7BB2AF89344F55452EDCCC9B261D7309685CB02

Uniqueness

Uniqueness Score: -1.00%

Function 0041C774, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041C774(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				short _v40;
				void* _v44;
				void* _v48;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				void* _v68;
				void* _v72;
				short _v76;
				char _v136;
				intOrPtr _v140;
				void* _v144;
				intOrPtr _v148;
				intOrPtr _v152;
				signed int _v156;
				char _v160;
				char _v164;
				char _v168;
				char _v172;
				signed int _v180;
				signed int _v188;
				signed int _v196;
				char _v204;
				signed int _v212;
				char _v220;
				signed int _v228;
				char _v236;
				signed int _v244;
				signed int _v252;
				void* _v304;
				char _v308;
				intOrPtr _v312;
				intOrPtr _v316;
				char _v320;
				intOrPtr _v324;
				char _v328;
				signed int _v332;
				signed int _v336;
				void* _v340;
				signed int _v344;
				char _v404;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				signed int _v488;
				intOrPtr* _v492;
				signed int _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				signed int _v512;
				intOrPtr* _v516;
				signed int _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				signed int _v540;
				void* _t466;
				char* _t469;
				signed int _t471;
				signed int _t475;
				signed int _t486;
				char* _t488;
				signed int _t489;
				signed int _t496;
				signed int* _t500;
				char* _t503;
				char* _t504;
				short _t511;
				char* _t513;
				signed int* _t520;
				char* _t526;
				signed int _t544;
				signed int _t549;
				signed int _t556;
				void* _t558;
				char* _t559;
				signed int _t562;
				signed int _t570;
				signed int _t575;
				signed int _t583;
				signed int _t588;
				signed int _t595;
				signed int _t600;
				signed int _t607;
				signed int _t612;
				signed int _t622;
				signed int _t627;
				signed int _t633;
				signed int _t638;
				void* _t697;
				void* _t699;
				intOrPtr _t700;

				_t700 = _t699 - 0x18;
				 *[fs:0x0] = _t700;
				L00401210();
				_v28 = _t700;
				_v24 = E00401120;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				_t466 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t697);
				_v8 = 1;
				_v8 = 2;
				_push(2);
				_push(0x40307c);
				_push(0x403088);
				L0040138A();
				L00401390();
				_push(_t466);
				_push(0x403088);
				_push(0);
				L00401396();
				_v332 =  ~(0 | _t466 != 0x00000003);
				L00401384();
				if(_v332 != 0) {
					_v8 = 3;
					_push(0xffffffff);
					L0040137E();
					_v8 = 4;
					_push(0xffffffff);
					L0040137E();
					_v8 = 5;
					if( *0x41f5f0 != 0) {
						_v440 = 0x41f5f0;
					} else {
						_push(0x41f5f0);
						_push(0x4030ac);
						L00401378();
						_v440 = 0x41f5f0;
					}
					_v332 =  *_v440;
					_t633 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
					asm("fclex");
					_v336 = _t633;
					if(_v336 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x40309c);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v444 = _t633;
					}
					_v340 = _v168;
					_v244 = _v244 & 0x00000000;
					_v252 = 2;
					L00401210();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t638 =  *((intOrPtr*)( *_v340 + 0x2c))(_v340, 0x10);
					asm("fclex");
					_v344 = _t638;
					if(_v344 >= 0) {
						_v448 = _v448 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x4030bc);
						_push(_v340);
						_push(_v344);
						L00401372();
						_v448 = _t638;
					}
					L0040136C();
				}
				_v8 = 7;
				_v180 = 0x4b;
				_v188 = 2;
				_push( &_v188);
				_t469 =  &_v204;
				_push(_t469);
				L00401360();
				_push(0x4030d0);
				_push(0x4030d8);
				L0040138A();
				_v212 = _t469;
				_v220 = 0x8008;
				_push( &_v204);
				_t471 =  &_v220;
				_push(_t471);
				L00401366();
				_v332 = _t471;
				_push( &_v220);
				_push( &_v204);
				_push( &_v188);
				_push(3);
				L0040135A();
				_t475 = _v332;
				if(_t475 != 0) {
					_v8 = 8;
					L00401354();
					_v8 = 9;
					L0040134E();
					L00401390();
					_v8 = 0xa;
					L00401342();
					_t489 =  &_v168;
					L00401348();
					_v332 = _t489;
					_v228 = 0x80020004;
					_v236 = 0xa;
					_v212 = 0x80020004;
					_v220 = 0xa;
					_v196 = 0x80020004;
					_v204 = 0xa;
					_v180 = 0x80020004;
					_v188 = 0xa;
					_t496 =  *((intOrPtr*)( *_v332 + 0x44))(_v332, 0x291f,  &_v188,  &_v204,  &_v220,  &_v236, _t489, _t475);
					asm("fclex");
					_v336 = _t496;
					if(_v336 >= 0) {
						_v452 = _v452 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x4030dc);
						_push(_v332);
						_push(_v336);
						L00401372();
						_v452 = _t496;
					}
					L0040136C();
					_push( &_v236);
					_push( &_v220);
					_push( &_v204);
					_t500 =  &_v188;
					_push(_t500);
					_push(4);
					L0040135A();
					_v8 = 0xb;
					_v308 = 0x6317b;
					L00401336();
					_push(_t500);
					_push( &_v160);
					L0040133C();
					_push( &_v308);
					_push(0x297142);
					_push(L"ANDREWARTHA");
					_t503 =  &_v164;
					_push(_t503);
					L0040133C();
					_push(_t503);
					_t504 =  &_v160;
					_push(_t504);
					E00402F3C();
					_v312 = _t504;
					L00401330();
					_v332 =  ~(0 | _v312 == 0x001b827e);
					_push( &_v164);
					_push( &_v160);
					_push( &_v156);
					_push(3);
					L0040132A();
					_t511 = _v332;
					if(_t511 != 0) {
						_v8 = 0xc;
						_push(0x403130);
						_push("4:4");
						L0040138A();
						L00401390();
						_push(_t511);
						_push( &_v188);
						L0040131E();
						_push( &_v188);
						L00401324();
						L00401390();
						L00401384();
						L00401318();
						_v8 = 0xd;
						_v180 = 1;
						_v188 = 2;
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xfffffffe);
						_push(0xffffffff);
						_push( &_v188);
						L00401312();
						L00401390();
						L00401318();
						_v8 = 0xe;
						_v8 = 0xf;
						if( *0x41f5f0 != 0) {
							_v456 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v456 = 0x41f5f0;
						}
						_v332 =  *_v456;
						_t622 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t622;
						if(_v336 >= 0) {
							_v460 = _v460 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v460 = _t622;
						}
						_v340 = _v168;
						_t627 =  *((intOrPtr*)( *_v340 + 0x64))(_v340, 1,  &_v304);
						asm("fclex");
						_v344 = _t627;
						if(_v344 >= 0) {
							_v464 = _v464 & 0x00000000;
						} else {
							_push(0x64);
							_push(0x403144);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v464 = _t627;
						}
						_t511 = _v304;
						_v56 = _t511;
						L0040136C();
					}
					_v8 = 0x11;
					L00401336();
					_push(_t511);
					_push( &_v160);
					L0040133C();
					_t513 =  &_v160;
					_push(_t513);
					_push(0x83bcf2);
					_push(0x2ea394);
					_push(0x59ae9b);
					_push(0x4f0673);
					E00402F90();
					_v308 = _t513;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x0066f1e8);
					_push( &_v160);
					_push( &_v156);
					_push(2);
					L0040132A();
					if(_v332 != 0) {
						_v8 = 0x12;
						if( *0x41f5f0 != 0) {
							_v468 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v468 = 0x41f5f0;
						}
						_v332 =  *_v468;
						_t595 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t595;
						if(_v336 >= 0) {
							_v472 = _v472 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v472 = _t595;
						}
						_v340 = _v168;
						_t600 =  *((intOrPtr*)( *_v340 + 0x60))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t600;
						if(_v344 >= 0) {
							_v476 = _v476 & 0x00000000;
						} else {
							_push(0x60);
							_push(0x40316c);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v476 = _t600;
						}
						_v428 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x13;
						if( *0x41f5f0 != 0) {
							_v480 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v480 = 0x41f5f0;
						}
						_v332 =  *_v480;
						_t607 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t607;
						if(_v336 >= 0) {
							_v484 = _v484 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v484 = _t607;
						}
						_v340 = _v168;
						_t612 =  *((intOrPtr*)( *_v340 + 0x140))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t612;
						if(_v344 >= 0) {
							_v488 = _v488 & 0x00000000;
						} else {
							_push(0x140);
							_push(0x40316c);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v488 = _t612;
						}
						_v76 = _v304;
						L0040136C();
						_v8 = 0x14;
						L0040130C();
					}
					_v8 = 0x16;
					_push(L"Contangoes3");
					_t520 =  &_v156;
					_push(_t520);
					L0040133C();
					_push(_t520);
					E00402FEC();
					_v308 = _t520;
					L00401330();
					_v332 =  ~(0 | _v308 == 0x003c82f5);
					L00401384();
					if(_v332 != 0) {
						_v8 = 0x17;
						if( *0x41f5f0 != 0) {
							_v492 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v492 = 0x41f5f0;
						}
						_v332 =  *_v492;
						_t570 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t570;
						if(_v336 >= 0) {
							_v496 = _v496 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v496 = _t570;
						}
						_v340 = _v168;
						_t575 =  *((intOrPtr*)( *_v340 + 0x130))(_v340,  &_v156);
						asm("fclex");
						_v344 = _t575;
						if(_v344 >= 0) {
							_v500 = _v500 & 0x00000000;
						} else {
							_push(0x130);
							_push(0x40316c);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v500 = _t575;
						}
						_v432 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
						_v8 = 0x18;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						L00401306();
						L00401390();
						L00401318();
						_v8 = 0x19;
						_v8 = 0x1a;
						if( *0x41f5f0 != 0) {
							_v504 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v504 = 0x41f5f0;
						}
						_v332 =  *_v504;
						_t583 =  *((intOrPtr*)( *_v332 + 0x4c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t583;
						if(_v336 >= 0) {
							_v508 = _v508 & 0x00000000;
						} else {
							_push(0x4c);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v508 = _t583;
						}
						_v340 = _v168;
						_t588 =  *((intOrPtr*)( *_v340 + 0x24))(_v340, L"iliau", L"Lstes8",  &_v156);
						asm("fclex");
						_v344 = _t588;
						if(_v344 >= 0) {
							_v512 = _v512 & 0x00000000;
						} else {
							_push(0x24);
							_push(0x4030bc);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v512 = _t588;
						}
						_v436 = _v156;
						_v156 = _v156 & 0x00000000;
						L00401390();
						L0040136C();
					}
					_v8 = 0x1c;
					_push( &_v136);
					_t526 =  &_v404;
					_push(_t526);
					_push(0x402e8c);
					L00401300();
					_push(_t526);
					E00403048();
					_v308 = _t526;
					L00401330();
					_push( &_v404);
					_push( &_v136);
					_push(0x402e8c);
					L004012FA();
					_v332 =  ~(0 | _v308 == 0x0028d15d);
					_push( &_v404);
					_push(0x402e8c);
					L004012F4();
					if(_v332 != 0) {
						_v8 = 0x1d;
						_v180 = 2;
						_v188 = 2;
						_push( &_v188);
						_push( &_v204);
						L004012EE();
						_push( &_v204);
						L00401324();
						L00401390();
						_push( &_v204);
						_push( &_v188);
						_push(2);
						L0040135A();
						_v8 = 0x1e;
						if( *0x41f5f0 != 0) {
							_v516 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v516 = 0x41f5f0;
						}
						_v332 =  *_v516;
						_t544 =  *((intOrPtr*)( *_v332 + 0x14))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t544;
						if(_v336 >= 0) {
							_v520 = _v520 & 0x00000000;
						} else {
							_push(0x14);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v520 = _t544;
						}
						_v340 = _v168;
						_t549 =  *((intOrPtr*)( *_v340 + 0x78))(_v340,  &_v304);
						asm("fclex");
						_v344 = _t549;
						if(_v344 >= 0) {
							_v524 = _v524 & 0x00000000;
						} else {
							_push(0x78);
							_push(0x40316c);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v524 = _t549;
						}
						_v40 = _v304;
						L0040136C();
						_v8 = 0x1f;
						_v8 = 0x20;
						if( *0x41f5f0 != 0) {
							_v528 = 0x41f5f0;
						} else {
							_push(0x41f5f0);
							_push(0x4030ac);
							L00401378();
							_v528 = 0x41f5f0;
						}
						_v332 =  *_v528;
						_t556 =  *((intOrPtr*)( *_v332 + 0x1c))(_v332,  &_v168);
						asm("fclex");
						_v336 = _t556;
						if(_v336 >= 0) {
							_v532 = _v532 & 0x00000000;
						} else {
							_push(0x1c);
							_push(0x40309c);
							_push(_v332);
							_push(_v336);
							L00401372();
							_v532 = _t556;
						}
						_v340 = _v168;
						_v244 = 1;
						_v252 = 2;
						_t558 = 0x10;
						L00401210();
						asm("movsd");
						asm("movsd");
						asm("movsd");
						asm("movsd");
						L004012E8();
						_t559 =  &_v172;
						L00401348();
						_t562 =  *((intOrPtr*)( *_v340 + 0x58))(_v340, _t559, _t559, _t558, _v140, 0x4031bc);
						asm("fclex");
						_v344 = _t562;
						if(_v344 >= 0) {
							_v536 = _v536 & 0x00000000;
						} else {
							_push(0x58);
							_push(0x403144);
							_push(_v340);
							_push(_v344);
							L00401372();
							_v536 = _t562;
						}
						_push( &_v168);
						_push( &_v172);
						_push(2);
						L004012E2();
					}
				}
				_v8 = 0x23;
				_v320 = 0x1ee95e40;
				_v316 = 0x5b03;
				 *((intOrPtr*)( *_a4 + 0x700))(_a4, L"stretchier",  &_v320, 0x2277,  &_v328);
				_v152 = _v328;
				_v148 = _v324;
				_v8 = 0x24;
				_t486 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v188);
				_v332 = _t486;
				if(_v332 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x402db4);
					_push(_a4);
					_push(_v332);
					L00401372();
					_v540 = _t486;
				}
				L00401318();
				_v20 = 0;
				_push(0x41d7e0);
				_push( &_v404);
				_push(0x402e8c);
				L004012F4();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				_t488 =  &_v136;
				_push(_t488);
				_push(0x402e8c);
				L004012DC();
				L0040136C();
				L00401384();
				return _t488;
			}

0x0041c777
0x0041c786
0x0041c792
0x0041c79a
0x0041c79d
0x0041c7aa
0x0041c7b3
0x0041c7b6
0x0041c7c5
0x0041c7c8
0x0041c7cf
0x0041c7d6
0x0041c7d8
0x0041c7dd
0x0041c7e2
0x0041c7ef
0x0041c7f4
0x0041c7f5
0x0041c7fa
0x0041c7fc
0x0041c80b
0x0041c818
0x0041c826
0x0041c82c
0x0041c833
0x0041c835
0x0041c83a
0x0041c841
0x0041c843
0x0041c848
0x0041c856
0x0041c873
0x0041c858
0x0041c858
0x0041c85d
0x0041c862
0x0041c867
0x0041c867
0x0041c885
0x0041c8a0
0x0041c8a3
0x0041c8a5
0x0041c8b2
0x0041c8d4
0x0041c8b4
0x0041c8b4
0x0041c8b6
0x0041c8bb
0x0041c8c1
0x0041c8c7
0x0041c8cc
0x0041c8cc
0x0041c8e1
0x0041c8e7
0x0041c8ee
0x0041c8fb
0x0041c908
0x0041c909
0x0041c90a
0x0041c90b
0x0041c91a
0x0041c91d
0x0041c91f
0x0041c92c
0x0041c94e
0x0041c92e
0x0041c92e
0x0041c930
0x0041c935
0x0041c93b
0x0041c941
0x0041c946
0x0041c946
0x0041c95b
0x0041c95b
0x0041c960
0x0041c967
0x0041c971
0x0041c981
0x0041c982
0x0041c988
0x0041c989
0x0041c98e
0x0041c993
0x0041c998
0x0041c99d
0x0041c9a3
0x0041c9b3
0x0041c9b4
0x0041c9ba
0x0041c9bb
0x0041c9c0
0x0041c9cd
0x0041c9d4
0x0041c9db
0x0041c9dc
0x0041c9de
0x0041c9e6
0x0041c9ef
0x0041c9f5
0x0041c9fc
0x0041ca01
0x0041ca08
0x0041ca12
0x0041ca17
0x0041ca1e
0x0041ca24
0x0041ca2b
0x0041ca30
0x0041ca36
0x0041ca40
0x0041ca4a
0x0041ca54
0x0041ca5e
0x0041ca68
0x0041ca72
0x0041ca7c
0x0041cab5
0x0041cab8
0x0041caba
0x0041cac7
0x0041cae9
0x0041cac9
0x0041cac9
0x0041cacb
0x0041cad0
0x0041cad6
0x0041cadc
0x0041cae1
0x0041cae1
0x0041caf6
0x0041cb01
0x0041cb08
0x0041cb0f
0x0041cb10
0x0041cb16
0x0041cb17
0x0041cb19
0x0041cb21
0x0041cb28
0x0041cb3d
0x0041cb42
0x0041cb49
0x0041cb4a
0x0041cb55
0x0041cb56
0x0041cb5b
0x0041cb60
0x0041cb66
0x0041cb67
0x0041cb6c
0x0041cb6d
0x0041cb73
0x0041cb74
0x0041cb79
0x0041cb7f
0x0041cb95
0x0041cba2
0x0041cba9
0x0041cbb0
0x0041cbb1
0x0041cbb3
0x0041cbbb
0x0041cbc4
0x0041cbca
0x0041cbd1
0x0041cbd6
0x0041cbdb
0x0041cbe8
0x0041cbed
0x0041cbf4
0x0041cbf5
0x0041cc00
0x0041cc01
0x0041cc0e
0x0041cc19
0x0041cc24
0x0041cc29
0x0041cc30
0x0041cc3a
0x0041cc44
0x0041cc46
0x0041cc48
0x0041cc4a
0x0041cc52
0x0041cc53
0x0041cc5d
0x0041cc68
0x0041cc6d
0x0041cc74
0x0041cc82
0x0041cc9f
0x0041cc84
0x0041cc84
0x0041cc89
0x0041cc8e
0x0041cc93
0x0041cc93
0x0041ccb1
0x0041cccc
0x0041cccf
0x0041ccd1
0x0041ccde
0x0041cd00
0x0041cce0
0x0041cce0
0x0041cce2
0x0041cce7
0x0041cced
0x0041ccf3
0x0041ccf8
0x0041ccf8
0x0041cd0d
0x0041cd2a
0x0041cd2d
0x0041cd2f
0x0041cd3c
0x0041cd5e
0x0041cd3e
0x0041cd3e
0x0041cd40
0x0041cd45
0x0041cd4b
0x0041cd51
0x0041cd56
0x0041cd56
0x0041cd65
0x0041cd6c
0x0041cd76
0x0041cd76
0x0041cd7b
0x0041cd8d
0x0041cd92
0x0041cd99
0x0041cd9a
0x0041cd9f
0x0041cda5
0x0041cda6
0x0041cdab
0x0041cdb0
0x0041cdb5
0x0041cdba
0x0041cdbf
0x0041cdc5
0x0041cddb
0x0041cde8
0x0041cdef
0x0041cdf0
0x0041cdf2
0x0041ce03
0x0041ce09
0x0041ce17
0x0041ce34
0x0041ce19
0x0041ce19
0x0041ce1e
0x0041ce23
0x0041ce28
0x0041ce28
0x0041ce46
0x0041ce61
0x0041ce64
0x0041ce66
0x0041ce73
0x0041ce95
0x0041ce75
0x0041ce75
0x0041ce77
0x0041ce7c
0x0041ce82
0x0041ce88
0x0041ce8d
0x0041ce8d
0x0041cea2
0x0041cebd
0x0041cec0
0x0041cec2
0x0041cecf
0x0041cef1
0x0041ced1
0x0041ced1
0x0041ced3
0x0041ced8
0x0041cede
0x0041cee4
0x0041cee9
0x0041cee9
0x0041cefe
0x0041cf04
0x0041cf14
0x0041cf1f
0x0041cf24
0x0041cf32
0x0041cf4f
0x0041cf34
0x0041cf34
0x0041cf39
0x0041cf3e
0x0041cf43
0x0041cf43
0x0041cf61
0x0041cf7c
0x0041cf7f
0x0041cf81
0x0041cf8e
0x0041cfb0
0x0041cf90
0x0041cf90
0x0041cf92
0x0041cf97
0x0041cf9d
0x0041cfa3
0x0041cfa8
0x0041cfa8
0x0041cfbd
0x0041cfd8
0x0041cfde
0x0041cfe0
0x0041cfed
0x0041d012
0x0041cfef
0x0041cfef
0x0041cff4
0x0041cff9
0x0041cfff
0x0041d005
0x0041d00a
0x0041d00a
0x0041d020
0x0041d02a
0x0041d02f
0x0041d036
0x0041d036
0x0041d03b
0x0041d042
0x0041d047
0x0041d04d
0x0041d04e
0x0041d053
0x0041d054
0x0041d059
0x0041d05f
0x0041d075
0x0041d082
0x0041d090
0x0041d096
0x0041d0a4
0x0041d0c1
0x0041d0a6
0x0041d0a6
0x0041d0ab
0x0041d0b0
0x0041d0b5
0x0041d0b5
0x0041d0d3
0x0041d0ee
0x0041d0f1
0x0041d0f3
0x0041d100
0x0041d122
0x0041d102
0x0041d102
0x0041d104
0x0041d109
0x0041d10f
0x0041d115
0x0041d11a
0x0041d11a
0x0041d12f
0x0041d14a
0x0041d150
0x0041d152
0x0041d15f
0x0041d184
0x0041d161
0x0041d161
0x0041d166
0x0041d16b
0x0041d171
0x0041d177
0x0041d17c
0x0041d17c
0x0041d191
0x0041d197
0x0041d1a7
0x0041d1b2
0x0041d1b7
0x0041d1be
0x0041d1c8
0x0041d1d8
0x0041d1d9
0x0041d1e3
0x0041d1ee
0x0041d1f3
0x0041d1fa
0x0041d208
0x0041d225
0x0041d20a
0x0041d20a
0x0041d20f
0x0041d214
0x0041d219
0x0041d219
0x0041d237
0x0041d252
0x0041d255
0x0041d257
0x0041d264
0x0041d286
0x0041d266
0x0041d266
0x0041d268
0x0041d26d
0x0041d273
0x0041d279
0x0041d27e
0x0041d27e
0x0041d293
0x0041d2b8
0x0041d2bb
0x0041d2bd
0x0041d2ca
0x0041d2ec
0x0041d2cc
0x0041d2cc
0x0041d2ce
0x0041d2d3
0x0041d2d9
0x0041d2df
0x0041d2e4
0x0041d2e4
0x0041d2f9
0x0041d2ff
0x0041d30f
0x0041d31a
0x0041d31a
0x0041d31f
0x0041d32c
0x0041d32d
0x0041d333
0x0041d334
0x0041d339
0x0041d33e
0x0041d33f
0x0041d344
0x0041d34a
0x0041d355
0x0041d35c
0x0041d35d
0x0041d362
0x0041d378
0x0041d385
0x0041d386
0x0041d38b
0x0041d399
0x0041d39f
0x0041d3a6
0x0041d3b0
0x0041d3c0
0x0041d3c7
0x0041d3c8
0x0041d3d3
0x0041d3d4
0x0041d3de
0x0041d3e9
0x0041d3f0
0x0041d3f1
0x0041d3f3
0x0041d3fb
0x0041d409
0x0041d426
0x0041d40b
0x0041d40b
0x0041d410
0x0041d415
0x0041d41a
0x0041d41a
0x0041d438
0x0041d453
0x0041d456
0x0041d458
0x0041d465
0x0041d487
0x0041d467
0x0041d467
0x0041d469
0x0041d46e
0x0041d474
0x0041d47a
0x0041d47f
0x0041d47f
0x0041d494
0x0041d4af
0x0041d4b2
0x0041d4b4
0x0041d4c1
0x0041d4e3
0x0041d4c3
0x0041d4c3
0x0041d4c5
0x0041d4ca
0x0041d4d0
0x0041d4d6
0x0041d4db
0x0041d4db
0x0041d4f1
0x0041d4fb
0x0041d500
0x0041d507
0x0041d515
0x0041d532
0x0041d517
0x0041d517
0x0041d51c
0x0041d521
0x0041d526
0x0041d526
0x0041d544
0x0041d55f
0x0041d562
0x0041d564
0x0041d571
0x0041d593
0x0041d573
0x0041d573
0x0041d575
0x0041d57a
0x0041d580
0x0041d586
0x0041d58b
0x0041d58b
0x0041d5a0
0x0041d5a6
0x0041d5b0
0x0041d5bc
0x0041d5bd
0x0041d5ca
0x0041d5cb
0x0041d5cc
0x0041d5cd
0x0041d5d9
0x0041d5df
0x0041d5e6
0x0041d5fa
0x0041d5fd
0x0041d5ff
0x0041d60c
0x0041d62e
0x0041d60e
0x0041d60e
0x0041d610
0x0041d615
0x0041d61b
0x0041d621
0x0041d626
0x0041d626
0x0041d63b
0x0041d642
0x0041d643
0x0041d645
0x0041d64a
0x0041d399
0x0041d64d
0x0041d654
0x0041d65e
0x0041d688
0x0041d694
0x0041d6a0
0x0041d6a6
0x0041d6bc
0x0041d6c2
0x0041d6cf
0x0041d6f1
0x0041d6d1
0x0041d6d1
0x0041d6d6
0x0041d6db
0x0041d6de
0x0041d6e4
0x0041d6e9
0x0041d6e9
0x0041d6fe
0x0041d703
0x0041d70a
0x0041d775
0x0041d776
0x0041d77b
0x0041d783
0x0041d78b
0x0041d793
0x0041d79b
0x0041d7a3
0x0041d7ab
0x0041d7b3
0x0041d7b8
0x0041d7be
0x0041d7bf
0x0041d7c4
0x0041d7cf
0x0041d7da
0x0041d7df

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041C792
__vbaStrCat.MSVBVM60(00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C7E2
__vbaStrMove.MSVBVM60(00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C7EF
__vbaInStr.MSVBVM60(00000000,00403088,00000000,00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C7FC
__vbaFreeStr.MSVBVM60(00000000,00403088,00000000,00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C818
__vbaOnError.MSVBVM60(000000FF,00000000,00403088,00000000,00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C835
__vbaOnError.MSVBVM60(000000FF,000000FF,00000000,00403088,00000000,00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C843
__vbaNew2.MSVBVM60(004030AC,0041F5F0,000000FF,000000FF,00000000,00403088,00000000,00403088,0040307C,00000002,?,?,?,?,00401216), ref: 0041C862
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,0000004C), ref: 0041C8C7
__vbaChkstk.MSVBVM60(00000000,?,0040309C,0000004C), ref: 0041C8FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030BC,0000002C), ref: 0041C941
__vbaFreeObj.MSVBVM60(00000000,?,004030BC,0000002C), ref: 0041C95B
#573.MSVBVM60(?,00000002), ref: 0041C989
__vbaStrCat.MSVBVM60(004030D8,004030D0,?,00000002), ref: 0041C998
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,004030D8,004030D0,?,00000002), ref: 0041C9BB
__vbaFreeVarList.MSVBVM60(00000003,00000002,?,00008008,00008008,?,?,?,?,?,004030D8,004030D0,?,00000002), ref: 0041C9DE
#598.MSVBVM60(?,?,?,00401216), ref: 0041C9FC
#611.MSVBVM60(?,?,?,00401216), ref: 0041CA08
__vbaStrMove.MSVBVM60(?,?,?,00401216), ref: 0041CA12
#685.MSVBVM60(?,?,?,00401216), ref: 0041CA1E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00401216), ref: 0041CA2B
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030DC,00000044), ref: 0041CADC
__vbaFreeObj.MSVBVM60(00000000,?,004030DC,00000044), ref: 0041CAF6
__vbaFreeVarList.MSVBVM60(00000004,0000000A,0000000A,0000000A,0000000A), ref: 0041CB19
__vbaStrCopy.MSVBVM60 ref: 0041CB3D
__vbaStrToAnsi.MSVBVM60(?,00000000), ref: 0041CB4A
__vbaStrToAnsi.MSVBVM60(?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CB67
__vbaSetSystemError.MSVBVM60(?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CB7F
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,?,00000000,?,ANDREWARTHA,00297142,0006317B,?,00000000), ref: 0041CBB3
__vbaStrCat.MSVBVM60(4:4,00403130,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CBDB
__vbaStrMove.MSVBVM60(4:4,00403130,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CBE8
#541.MSVBVM60(?,00000000,4:4,00403130,?,?,?,?,?,?,?,?,00000000), ref: 0041CBF5
__vbaStrVarMove.MSVBVM60(?,?,00000000,4:4,00403130,?,?,?,?,?,?,?,?,00000000), ref: 0041CC01
__vbaStrMove.MSVBVM60(?,?,00000000,4:4,00403130,?,?,?,?,?,?,?,?,00000000), ref: 0041CC0E
__vbaFreeStr.MSVBVM60(?,?,00000000,4:4,00403130,?,?,?,?,?,?,?,?,00000000), ref: 0041CC19
__vbaFreeVar.MSVBVM60(?,?,00000000,4:4,00403130,?,?,?,?,?,?,?,?,00000000), ref: 0041CC24
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CC53
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CC5D
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CC68
__vbaNew2.MSVBVM60(004030AC,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041CC8E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,0000001C), ref: 0041CCF3
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403144,00000064), ref: 0041CD51
__vbaFreeObj.MSVBVM60(00000000,?,00403144,00000064), ref: 0041CD76
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CD8D
__vbaStrToAnsi.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,00000000,?,?,?,00401216), ref: 0041CD9A
__vbaSetSystemError.MSVBVM60(004F0673,0059AE9B,002EA394,0083BCF2,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CDC5
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041CDF2
__vbaNew2.MSVBVM60(004030AC,0041F5F0,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041CE23
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,00000014), ref: 0041CE88
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040316C,00000060), ref: 0041CEE4
__vbaStrMove.MSVBVM60(00000000,?,0040316C,00000060), ref: 0041CF14
__vbaFreeObj.MSVBVM60(00000000,?,0040316C,00000060), ref: 0041CF1F
__vbaNew2.MSVBVM60(004030AC,0041F5F0), ref: 0041CF3E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,00000014), ref: 0041CFA3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040316C,00000140), ref: 0041D005
__vbaFreeObj.MSVBVM60(00000000,?,0040316C,00000140), ref: 0041D02A
__vbaEnd.MSVBVM60(00000000,?,0040316C,00000140), ref: 0041D036
__vbaStrToAnsi.MSVBVM60(?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041D04E
__vbaSetSystemError.MSVBVM60(00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?,00000000), ref: 0041D05F
__vbaFreeStr.MSVBVM60(00000000,00000000,Contangoes3), ref: 0041D082
__vbaNew2.MSVBVM60(004030AC,0041F5F0), ref: 0041D0B0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,00000014), ref: 0041D115
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040316C,00000130), ref: 0041D177
__vbaStrMove.MSVBVM60(00000000,?,0040316C,00000130), ref: 0041D1A7
__vbaFreeObj.MSVBVM60(00000000,?,0040316C,00000130), ref: 0041D1B2
#536.MSVBVM60(00000002), ref: 0041D1D9
__vbaStrMove.MSVBVM60(00000002), ref: 0041D1E3
__vbaFreeVar.MSVBVM60(00000002), ref: 0041D1EE
__vbaNew2.MSVBVM60(004030AC,0041F5F0,00000002), ref: 0041D214
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,0000004C), ref: 0041D279
__vbaHresultCheckObj.MSVBVM60(00000000,?,004030BC,00000024), ref: 0041D2DF
__vbaStrMove.MSVBVM60(00000000,?,004030BC,00000024), ref: 0041D30F
__vbaFreeObj.MSVBVM60(00000000,?,004030BC,00000024), ref: 0041D31A
__vbaRecUniToAnsi.MSVBVM60(00402E8C,?,?), ref: 0041D339
__vbaSetSystemError.MSVBVM60(00000000,00402E8C,?,?), ref: 0041D34A
__vbaRecAnsiToUni.MSVBVM60(00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D362
__vbaRecDestructAnsi.MSVBVM60(00402E8C,?,00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D38B
#613.MSVBVM60(?,00000002,00402E8C,?,00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D3C8
__vbaStrVarMove.MSVBVM60(?,?,00000002,00402E8C,?,00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D3D4
__vbaStrMove.MSVBVM60(?,?,00000002,00402E8C,?,00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D3DE
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,?,?,00000002,00402E8C,?,00402E8C,?,?,00000000,00402E8C,?,?), ref: 0041D3F3
__vbaNew2.MSVBVM60(004030AC,0041F5F0,00000000,?,Contangoes3,?,?,00000000,?,?,?,?,?,?,?,?), ref: 0041D415
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,00000014), ref: 0041D47A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040316C,00000078), ref: 0041D4D6
__vbaFreeObj.MSVBVM60(00000000,?,0040316C,00000078), ref: 0041D4FB
__vbaNew2.MSVBVM60(004030AC,0041F5F0), ref: 0041D521
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,0000001C), ref: 0041D586
__vbaChkstk.MSVBVM60(00000000,?,0040309C,0000001C), ref: 0041D5BD
__vbaCastObj.MSVBVM60(?,004031BC), ref: 0041D5D9
__vbaObjSet.MSVBVM60(?,00000000,?,004031BC), ref: 0041D5E6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403144,00000058), ref: 0041D621
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0041D645
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402DB4,000006F8), ref: 0041D6E4
__vbaFreeVar.MSVBVM60(00000000,?,00402DB4,000006F8), ref: 0041D6FE
__vbaRecDestructAnsi.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D77B
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D783
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D78B
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D793
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D79B
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D7A3
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D7AB
__vbaFreeStr.MSVBVM60(00402E8C,?,0041D7E0), ref: 0041D7B3
__vbaRecDestruct.MSVBVM60(00402E8C,?,00402E8C,?,0041D7E0), ref: 0041D7C4
__vbaFreeObj.MSVBVM60(00402E8C,?,00402E8C,?,0041D7E0), ref: 0041D7CF
__vbaFreeStr.MSVBVM60(00402E8C,?,00402E8C,?,0041D7E0), ref: 0041D7DA

Strings

iliau, xrefs: 0041D2A5
Lstes8, xrefs: 0041D2A0
Contangoes3, xrefs: 0041D042
thyroidization, xrefs: 0041CB32
Dorosoma5, xrefs: 0041CD82
$, xrefs: 0041D6A6
4:4, xrefs: 0041CBD6
K, xrefs: 0041C967
ANDREWARTHA, xrefs: 0041CB5B
stretchier, xrefs: 0041D67B

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Move$AnsiNew2$ErrorList$System$ChkstkDestruct$Copy$#536#541#573#598#611#613#685#703Cast
String ID: $$4:4$ANDREWARTHA$Contangoes3$Dorosoma5$K$Lstes8$iliau$stretchier$thyroidization
API String ID: 1936441329-1455819464
Opcode ID: 8303dcbf3068a64086f27985ec661dfd85d7c78f7820d35e8b6262bc0d76ceb0
Instruction ID: 480ba9f75e8c4a7de5d8469dc9febcd118e392babae11baa4888ff658fbec710
Opcode Fuzzy Hash: 8303dcbf3068a64086f27985ec661dfd85d7c78f7820d35e8b6262bc0d76ceb0
Instruction Fuzzy Hash: 8892E570940228EFDB61EF50CC45BDDB7B5AF09305F1040EAE50DBA2A1DB785AC88F59

Uniqueness

Uniqueness Score: -1.00%

Function 0041D7FF, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 165
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0041D7FF(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v28;
				void* _v32;
				void* _v36;
				void* _v40;
				intOrPtr _v44;
				void* _v48;
				signed int _v52;
				char _v56;
				char _v60;
				void* _v64;
				intOrPtr _v72;
				char _v80;
				char* _v88;
				intOrPtr _v96;
				void* _v100;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				intOrPtr _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _t74;
				signed int _t81;
				signed int _t88;
				signed int _t93;
				intOrPtr _t124;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				_push(0x70);
				L00401210();
				_v12 = _t124;
				_v8 = 0x4011d8;
				L00401336();
				_v72 = 1;
				_v80 = 2;
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xfffffffe);
				_push(0xffffffff);
				_push( &_v80); // executed
				L00401312(); // executed
				L00401390();
				L00401318();
				_v88 = L"PRESSIE";
				_v96 = 8;
				L004012CA();
				_t74 =  &_v80;
				_push(_t74);
				L004012D0();
				L00401390();
				_push(_t74);
				_push("Str");
				_push(0x40320c);
				L0040138A();
				L00401390();
				_push(_t74);
				_push(0x403218);
				L0040138A();
				L00401390();
				_push(_t74);
				L004012D6();
				asm("sbb eax, eax");
				_v100 =  ~( ~( ~_t74));
				_push( &_v60);
				_push( &_v56);
				_push( &_v52);
				_push(3);
				L0040132A();
				L00401318();
				_t81 = _v100;
				if(_t81 != 0) {
					_v72 = 1;
					_v80 = 2;
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xfffffffe);
					_push(0xffffffff);
					_push( &_v80);
					L00401312();
					L00401390();
					L00401318();
					if( *0x41f5f0 != 0) {
						_v124 = 0x41f5f0;
					} else {
						_push(0x41f5f0);
						_push(0x4030ac);
						L00401378();
						_v124 = 0x41f5f0;
					}
					_v100 =  *_v124;
					_t88 =  *((intOrPtr*)( *_v100 + 0x14))(_v100,  &_v64);
					asm("fclex");
					_v104 = _t88;
					if(_v104 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x40309c);
						_push(_v100);
						_push(_v104);
						L00401372();
						_v128 = _t88;
					}
					_v108 = _v64;
					_t93 =  *((intOrPtr*)( *_v108 + 0x60))(_v108,  &_v52);
					asm("fclex");
					_v112 = _t93;
					if(_v112 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40316c);
						_push(_v108);
						_push(_v112);
						L00401372();
						_v132 = _t93;
					}
					_t81 = _v52;
					_v120 = _t81;
					_v52 = _v52 & 0x00000000;
					L00401390();
					L0040136C();
					_push(0xe5);
					L004012C4();
					_v44 = _t81;
				}
				_v28 = 0x26222e40;
				_v24 = 0x5afd;
				_push(0x41da57);
				L00401384();
				L00401384();
				L00401384();
				L00401384();
				return _t81;
			}

0x0041d804
0x0041d80f
0x0041d810
0x0041d817
0x0041d81a
0x0041d822
0x0041d825
0x0041d832
0x0041d837
0x0041d83e
0x0041d845
0x0041d847
0x0041d849
0x0041d84b
0x0041d850
0x0041d851
0x0041d85b
0x0041d863
0x0041d868
0x0041d86f
0x0041d87c
0x0041d881
0x0041d884
0x0041d885
0x0041d88f
0x0041d894
0x0041d895
0x0041d89a
0x0041d89f
0x0041d8a9
0x0041d8ae
0x0041d8af
0x0041d8b4
0x0041d8be
0x0041d8c3
0x0041d8c4
0x0041d8cb
0x0041d8d1
0x0041d8d8
0x0041d8dc
0x0041d8e0
0x0041d8e1
0x0041d8e3
0x0041d8ee
0x0041d8f3
0x0041d8f9
0x0041d8ff
0x0041d906
0x0041d90d
0x0041d90f
0x0041d911
0x0041d913
0x0041d918
0x0041d919
0x0041d923
0x0041d92b
0x0041d937
0x0041d951
0x0041d939
0x0041d939
0x0041d93e
0x0041d943
0x0041d948
0x0041d948
0x0041d95d
0x0041d96c
0x0041d96f
0x0041d971
0x0041d978
0x0041d991
0x0041d97a
0x0041d97a
0x0041d97c
0x0041d981
0x0041d984
0x0041d987
0x0041d98c
0x0041d98c
0x0041d998
0x0041d9a7
0x0041d9aa
0x0041d9ac
0x0041d9b3
0x0041d9cc
0x0041d9b5
0x0041d9b5
0x0041d9b7
0x0041d9bc
0x0041d9bf
0x0041d9c2
0x0041d9c7
0x0041d9c7
0x0041d9d0
0x0041d9d3
0x0041d9d6
0x0041d9e0
0x0041d9e8
0x0041d9ed
0x0041d9f2
0x0041d9f7
0x0041d9f7
0x0041d9fa
0x0041da01
0x0041da08
0x0041da39
0x0041da41
0x0041da49
0x0041da51
0x0041da56

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041D81A
__vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041D832
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D851
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D85B
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D863
__vbaVarDup.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D87C
#591.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D885
__vbaStrMove.MSVBVM60(00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D88F
__vbaStrCat.MSVBVM60(0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D89F
__vbaStrMove.MSVBVM60(0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8A9
__vbaStrCat.MSVBVM60(00403218,00000000,0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8B4
__vbaStrMove.MSVBVM60(00403218,00000000,0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8BE
__vbaStrCmp.MSVBVM60(00000000,00403218,00000000,0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8C4
__vbaFreeStrList.MSVBVM60(00000003,?,?,?,00000000,00403218,00000000,0040320C,Str,00000000,00000002,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D8E3
__vbaFreeVar.MSVBVM60 ref: 0041D8EE
#703.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D919
__vbaStrMove.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D923
__vbaFreeVar.MSVBVM60(00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D92B
__vbaNew2.MSVBVM60(004030AC,0041F5F0,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D943
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040309C,00000014,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D987
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040316C,00000060,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D9C2
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D9E0
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D9E8
#570.MSVBVM60(000000E5,?,?,?,?,?,?,?,?,00000002,000000FF,000000FE,000000FE,000000FE), ref: 0041D9F2
__vbaFreeStr.MSVBVM60(0041DA57,?,?,?,00401216), ref: 0041DA39
__vbaFreeStr.MSVBVM60(0041DA57,?,?,?,00401216), ref: 0041DA41
__vbaFreeStr.MSVBVM60(0041DA57,?,?,?,00401216), ref: 0041DA49
__vbaFreeStr.MSVBVM60(0041DA57,?,?,?,00401216), ref: 0041DA51

Strings

PRESSIE, xrefs: 0041D868
Str, xrefs: 0041D895
@."&, xrefs: 0041D9FA

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#703CheckHresult$#570#591ChkstkCopyListNew2
String ID: @."&$PRESSIE$Str
API String ID: 4270550733-397218167
Opcode ID: 2426ff4b5ba65facaf1b596ec46b1663a594a929492f47a3a7c0507f8de42951
Instruction ID: 79929ffc0ff6df21e2338b49c2f32c4efd5f9a176787addb17ec8afa0f6bc264
Opcode Fuzzy Hash: 2426ff4b5ba65facaf1b596ec46b1663a594a929492f47a3a7c0507f8de42951
Instruction Fuzzy Hash: C06109B1D0020DABDF04EFA5C845ADEBBB9BF05318F20422AF425BB5E1DB785945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0041DBAE, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E0041DBAE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v84;
				signed int _v88;
				signed int _t50;
				signed int _t62;
				void* _t67;
				void* _t74;
				intOrPtr _t76;

				_t67 = __edx;
				 *[fs:0x0] = _t76;
				L00401210();
				_v12 = _t76;
				_v8 = 0x4011f8;
				L004012AC();
				_t50 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v72,  &_v24, _a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, __ecx, __ecx, _t74);
				asm("fclex");
				_v76 = _t50;
				if(_v76 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x402d84);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v84 = _t50;
				}
				_v32 = _v72;
				L004012AC();
				L004012A6();
				_v28 = E0041DE40( &_v36);
				L0040136C();
				_v32 = E0041DE40(_v28) + 0x2b0;
				E0041DD46(_t67, _v32, _a8);
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t62 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10,  &_v36,  &_v36, _a4);
				asm("fclex");
				_v76 = _t62;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x2b0);
					_push(0x402d84);
					_push(_a4);
					_push(_v76);
					L00401372();
					_v88 = _t62;
				}
				_push(0x41dcf1);
				L0040136C();
				return _t62;
			}

0x0041dbae
0x0041dbbf
0x0041dbc9
0x0041dbd1
0x0041dbd4
0x0041dbe2
0x0041dbf3
0x0041dbf6
0x0041dbf8
0x0041dbff
0x0041dc18
0x0041dc01
0x0041dc01
0x0041dc03
0x0041dc08
0x0041dc0b
0x0041dc0e
0x0041dc13
0x0041dc13
0x0041dc1f
0x0041dc29
0x0041dc32
0x0041dc3d
0x0041dc43
0x0041dc55
0x0041dc5e
0x0041dc63
0x0041dc6a
0x0041dc71
0x0041dc78
0x0041dc82
0x0041dc8c
0x0041dc8d
0x0041dc8e
0x0041dc8f
0x0041dc93
0x0041dc9d
0x0041dc9e
0x0041dc9f
0x0041dca0
0x0041dca9
0x0041dcaf
0x0041dcb1
0x0041dcb8
0x0041dcd4
0x0041dcba
0x0041dcba
0x0041dcbf
0x0041dcc4
0x0041dcc7
0x0041dcca
0x0041dccf
0x0041dccf
0x0041dcd8
0x0041dceb
0x0041dcf0

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041DBC9
__vbaObjSetAddref.MSVBVM60(?,?,?,?,?,?,00401216), ref: 0041DBE2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D84,00000058), ref: 0041DC0E
__vbaObjSetAddref.MSVBVM60(?,?), ref: 0041DC29
#644.MSVBVM60(?,?,?), ref: 0041DC32
__vbaFreeObj.MSVBVM60(00000000,?,?,?), ref: 0041DC43
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041DC82
__vbaChkstk.MSVBVM60(?,?,?,00000000,?,?,?), ref: 0041DC93
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D84,000002B0), ref: 0041DCCA
__vbaFreeObj.MSVBVM60(0041DCF1), ref: 0041DCEB

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$AddrefCheckFreeHresult$#644
String ID:
API String ID: 1032928638-0
Opcode ID: f950c88b0e52d47d23d90b30a35eb9227dfe1f69c7e2901593b1ce5871bb3e09
Instruction ID: 4423e91e846013694a7fa308440101f1f44b865a68cf6144be9dc17532c0cac2
Opcode Fuzzy Hash: f950c88b0e52d47d23d90b30a35eb9227dfe1f69c7e2901593b1ce5871bb3e09
Instruction Fuzzy Hash: C24106B1C00608EFDF01EF91C846BDEBBB5BF09344F10442AF901BA1A1D7B999859B98

Uniqueness

Uniqueness Score: -1.00%

Function 0041DA78, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Download Yara Rule

C-Code - Quality: 77%

			E0041DA78(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v40;
				char _v72;
				char _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				signed int _v108;
				signed int _v120;
				signed int _t42;
				char* _t46;
				void* _t49;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x4011e8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x60,  *[fs:0x0], 0x401216, _t59);
				 *_a8 =  *_a8 & 0x00000000;
				_t42 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v108 = _t42;
				if(_v108 >= 0) {
					_v120 = _v120 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x402d84);
					_push(_a4);
					_push(_v108);
					L00401372();
					_v120 = _t42;
				}
				E0041DDF0();
				_v96 = 2;
				_v104 = 2;
				L004012BE();
				_v96 = 0x806df4;
				_v104 = 3;
				L004012BE();
				_t46 =  &_v88;
				L004012B2();
				L004012B8();
				_t49 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, _t46, _t46, _t46,  &_v40,  &_v72);
				_push(0x41db85);
				L00401318();
				L00401318();
				return _t49;
			}

0x0041da7b
0x0041da8a
0x0041da94
0x0041da9c
0x0041da9f
0x0041daa6
0x0041dab5
0x0041dabb
0x0041dac6
0x0041dacc
0x0041dace
0x0041dad5
0x0041daf1
0x0041dad7
0x0041dad7
0x0041dadc
0x0041dae1
0x0041dae4
0x0041dae7
0x0041daec
0x0041daec
0x0041daf5
0x0041dafa
0x0041db01
0x0041db0e
0x0041db13
0x0041db1a
0x0041db27
0x0041db34
0x0041db38
0x0041db3e
0x0041db4c
0x0041db52
0x0041db77
0x0041db7f
0x0041db84

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041DA94
__vbaHresultCheckObj.MSVBVM60(00000000,004011E8,00402D84,000002B4), ref: 0041DAE7
__vbaVarMove.MSVBVM60(00000000,004011E8,00402D84,000002B4), ref: 0041DB0E
__vbaVarMove.MSVBVM60(00000000,004011E8,00402D84,000002B4), ref: 0041DB27
__vbaVarIdiv.MSVBVM60(?,?,?), ref: 0041DB38
__vbaI4Var.MSVBVM60(00000000,?,?,?), ref: 0041DB3E
__vbaFreeVar.MSVBVM60(0041DB85), ref: 0041DB77
__vbaFreeVar.MSVBVM60(0041DB85), ref: 0041DB7F

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$FreeMove$CheckChkstkHresultIdiv
String ID:
API String ID: 3577542843-0
Opcode ID: 1ea14190c009e0b5a3c1959199856eb7664174ce32240dad8122208e3158444d
Instruction ID: 3b4e0b8d9296d7fe868a75f7bd6ace1b498a92cd956d52f7f37feaf59205c538
Opcode Fuzzy Hash: 1ea14190c009e0b5a3c1959199856eb7664174ce32240dad8122208e3158444d
Instruction Fuzzy Hash: 6731C6B1900208AFDB00EFD5C989FDDBBB4AF04744F1041AAF509BB1A1D779AA45CF94

Uniqueness

Uniqueness Score: -1.00%

Function 004013B4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 24COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 004013B9

Strings

VB5!6&*, xrefs: 004013B4

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 95432d58d005f2c5396badb1592a11e2ed82dc8a0ab59ef0255a311ce4b81604
Instruction ID: 798304d3a41f7c6819a251e6eb3e851134358129d65f8b3dd6e8c57f45fce043
Opcode Fuzzy Hash: 95432d58d005f2c5396badb1592a11e2ed82dc8a0ab59ef0255a311ce4b81604
Instruction Fuzzy Hash: 6FE0761054E3C10FD30303B24C252913FB18E13260B1A01EBE892DE4B3C0AD084A832A

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02B6502F, Relevance: 1.8, Strings: 1, Instructions: 554COMMON

Download Yara Rule

Strings

~_?, xrefs: 02B6503A

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: ~_?
API String ID: 0-4269090954
Opcode ID: 3c38ea2a7db4dbee6fd1fee3a0728cdf6c29b7ab0fd73c0822ddfa05a58837d0
Instruction ID: bd9de8be0402651d6a451b8584eb1355f0cd5876d8487e36990985bc8a537476
Opcode Fuzzy Hash: 3c38ea2a7db4dbee6fd1fee3a0728cdf6c29b7ab0fd73c0822ddfa05a58837d0
Instruction Fuzzy Hash: 7332F8715083C58FDB35DF38C8987EA7BA1AF16360F4982DACC998F296D3788645CB11

Uniqueness

Uniqueness Score: -1.00%

Function 02B5A464, Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

zu&S, xrefs: 02B5A46C

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID: zu&S
API String ID: 0-1178646069
Opcode ID: 73f1fc46ceb5ec0283a4c6205f12abe91c8a5dbfb7ad670a2d2e534effd106db
Instruction ID: b88f5cf166d633b1b842c34e7dc50534be9fc0c26d140f8a6f391ad3e672cf88
Opcode Fuzzy Hash: 73f1fc46ceb5ec0283a4c6205f12abe91c8a5dbfb7ad670a2d2e534effd106db
Instruction Fuzzy Hash: 6051E232509398CFDB78CE1689E17EA73E2AB88300F44426E9E4F5F780C7356A40CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02B5F1D5, Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID: AllocateMemoryVirtual
String ID:
API String ID: 2167126740-0
Opcode ID: 468ead44132a2b3ff5d24fe6ec2a9a76d2a25bde850a2f6a8ba289005d7fa8a3
Instruction ID: a90fb9f857e1ceff68986b369b8af4a691a877310b365e04043775a36f460f70
Opcode Fuzzy Hash: 468ead44132a2b3ff5d24fe6ec2a9a76d2a25bde850a2f6a8ba289005d7fa8a3
Instruction Fuzzy Hash: B0620FB2604349DFDB649F38CD547EABBB2FF59340F45821ADD999B260D3308A81CB52

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AAF9, Relevance: .7, Instructions: 702COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca581430bb7cfcfd6439b8706c6eb221ce9750daa604f9724372ec4a087d01a9
Instruction ID: 45e9d07841d11df9293633e17a5cdcb4b4e59dab752d9f4b6b41d637007d45bf
Opcode Fuzzy Hash: ca581430bb7cfcfd6439b8706c6eb221ce9750daa604f9724372ec4a087d01a9
Instruction Fuzzy Hash: 1262EDB2604389DFDB649F34CD957EABBB2FF95300F45821AED899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AAD3, Relevance: .7, Instructions: 669COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ad9f876139ae542a7a0b0970415afaf73ce1847efa716b66cc99f88de5237d3
Instruction ID: 743033a78b8eef94a7ded68e18ecc88bd5734c02b7bd51becce3f3ca38ff8419
Opcode Fuzzy Hash: 3ad9f876139ae542a7a0b0970415afaf73ce1847efa716b66cc99f88de5237d3
Instruction Fuzzy Hash: 1A52FDB2604389DFDB649F38CD957EABBB2FF95340F45821ADC899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AB45, Relevance: .7, Instructions: 656COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2a4e0478ac86ec91e2709beb46899fb384238e27667128fd4d8f83d1411fec8
Instruction ID: 8f713173eaf54978a0cfd01b9187c1b054ad50676e8a96ec37d43dfcda21ba51
Opcode Fuzzy Hash: d2a4e0478ac86ec91e2709beb46899fb384238e27667128fd4d8f83d1411fec8
Instruction Fuzzy Hash: 43520EB2604389DFDB649F38CD957EABBB2FF55340F45821ADC899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AD46, Relevance: .6, Instructions: 623COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ff7c9d845e820e64ce7642918005ca7e25a6c7ec00069a2af53ed36631c514
Instruction ID: ff2ea6f0038449bb8ffd38f005accb489894aec400a2e4d44e3a9e156f7406ef
Opcode Fuzzy Hash: 07ff7c9d845e820e64ce7642918005ca7e25a6c7ec00069a2af53ed36631c514
Instruction Fuzzy Hash: 8C42FDB260438ADFDB649F38CD957EABBB2FF55340F45812ADC899B250D3308A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AD9F, Relevance: .6, Instructions: 613COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45fe4331cef72f9abb2e5f80253b25246fb814a91f6cbae502afb7a61efd2658
Instruction ID: 1ffbc942706dec1ebd581f878894105b9b4e9d3eb11f09e450def366c48b0503
Opcode Fuzzy Hash: 45fe4331cef72f9abb2e5f80253b25246fb814a91f6cbae502afb7a61efd2658
Instruction Fuzzy Hash: 2242FEB2604349DFDB749F28CD957EABBB2FF94340F45822ADC999B214D3308A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AE6A, Relevance: .6, Instructions: 603COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f46d7c79bf074341576d59c8a3556bbd18df0e313b5bbff61b1a1932d821fa13
Instruction ID: df23f34f1d9218d02b0e58cebdcd477cd21795523cc2e5fa448224b5815b9b17
Opcode Fuzzy Hash: f46d7c79bf074341576d59c8a3556bbd18df0e313b5bbff61b1a1932d821fa13
Instruction Fuzzy Hash: D242FEB2604349DFDB749F28CD957EABBB2FF94340F45812ADD899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AEF7, Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0b7a66aeb4987dd7bd30b4e35d730ede7ed663d75f2cd61514c24410a1a35f2
Instruction ID: 69ec12a6761c9f49ebe57c0f2bec2e054cfa3b7bb97bc8c8ebdf4920eb714c8c
Opcode Fuzzy Hash: a0b7a66aeb4987dd7bd30b4e35d730ede7ed663d75f2cd61514c24410a1a35f2
Instruction Fuzzy Hash: 15420FB2604389DFDB749F24CD957EABBB2FF94340F45812AEC899B254D3308A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5AFC2, Relevance: .6, Instructions: 576COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fe7bd3f0e9839cfeced05558c33d15e6fc252f999c01eabaf3580ac80f3f969
Instruction ID: feff5a7cf4ab9dfa5568bc26460b278f41c66939567670717dc9f9dab6f2b99d
Opcode Fuzzy Hash: 3fe7bd3f0e9839cfeced05558c33d15e6fc252f999c01eabaf3580ac80f3f969
Instruction Fuzzy Hash: 3E42FDB2604389DFDB749F24CD957EABBB2FF94340F45812AEC899B254D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B0FE, Relevance: .6, Instructions: 551COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: caf4f0a995037fe5e90416c95563e63b57500f93f5faf367b2ecf00392bdcd84
Instruction ID: 6f52fd71568e90c44178eca60e7829ecc13737866c0e5ef5388c6b2b1f1c6af7
Opcode Fuzzy Hash: caf4f0a995037fe5e90416c95563e63b57500f93f5faf367b2ecf00392bdcd84
Instruction Fuzzy Hash: F832DDB2604389DFDB749F24CD957EABBB2FF94340F45812AEC899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B236, Relevance: .5, Instructions: 521COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 93f74a8f96db2ad588ca61caa7ebd3313c0f290c1da354de2590dc00c6dd5cb9
Instruction ID: 7c1f8d6227eee4ddf387bfbf375272fe80f21330959b4284440d27568e6101e2
Opcode Fuzzy Hash: 93f74a8f96db2ad588ca61caa7ebd3313c0f290c1da354de2590dc00c6dd5cb9
Instruction Fuzzy Hash: 5A32EDB2604389DFDB749F24CD957EABBB2FF94340F55812AEC899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B2CF, Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53725e03ac9b34542e4b9db3f31b7378396388d9a201ce1349920132a5b34bf4
Instruction ID: 9de2fe2472f69a89c94364b11591e1efde7ee9026feae8d939838dc91da1c1c1
Opcode Fuzzy Hash: 53725e03ac9b34542e4b9db3f31b7378396388d9a201ce1349920132a5b34bf4
Instruction Fuzzy Hash: B022FDB2604389DFDB749F28CD957EABBB2FF94300F55812ADC999B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B3F9, Relevance: .5, Instructions: 485COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2432a2743edb4e639f60e565a3d75ca5bed05aead813640fc3de9fede46ef8c
Instruction ID: 8a0c7c27b7eb04623efe27574d746b7231b4be27c5a1c056c0055218cea19187
Opcode Fuzzy Hash: a2432a2743edb4e639f60e565a3d75ca5bed05aead813640fc3de9fede46ef8c
Instruction Fuzzy Hash: DB22EDB2604389DFDB749F28CD857EABBB2FF94300F55812ADC999B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B537, Relevance: .5, Instructions: 451COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7ec6e0619a5c9ea527b33702ccda478d1b42eb50c7524d012f6b3efba0b6af1
Instruction ID: f35e94d7e54421364bab9257165b629ecb7e478f6f708b1748b5d9a074a6b590
Opcode Fuzzy Hash: e7ec6e0619a5c9ea527b33702ccda478d1b42eb50c7524d012f6b3efba0b6af1
Instruction Fuzzy Hash: FB12DDB2604389DFDB749F25CD957EABBB2FF94300F55812AEC899B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B608, Relevance: .4, Instructions: 440COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5708682f410bf2e45f1f15f93a03b1f8e12e77b97b6433d94aca18b4f1a4227d
Instruction ID: 15bb71bf00e7505d18e0829749762dcb00aa1c36c6cf60625b79f0cd36e9d147
Opcode Fuzzy Hash: 5708682f410bf2e45f1f15f93a03b1f8e12e77b97b6433d94aca18b4f1a4227d
Instruction Fuzzy Hash: 0012CCB2604389DFDB749F25CD857EA7BB2FF94340F55812AEC8A9B214D3309A81CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02B5B6B2, Relevance: .4, Instructions: 420COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f4ec5b553edfc474f68c9286a85e1ef3f7bec4ea26b34d65d4ddef9f78e1033
Instruction ID: 81ea3d37cc397c52f8b46051a8712b11dba1eeb3c7cc636f921dc85433bd8541
Opcode Fuzzy Hash: 7f4ec5b553edfc474f68c9286a85e1ef3f7bec4ea26b34d65d4ddef9f78e1033
Instruction Fuzzy Hash: 6C02DDB2604389DFDB749F28CD997EA7BB2FF95300F45412AEC899B214D3309A81CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02B5E1FB, Relevance: .3, Instructions: 288COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e0e2ec7088fed157672b4bdb9baf0a8272dfa54630c6ba7d69e3a9afe2505ec
Instruction ID: dcf2b52c3258c514cf02cae735c311dd76482607704cc3278fbc5115a9df380c
Opcode Fuzzy Hash: 0e0e2ec7088fed157672b4bdb9baf0a8272dfa54630c6ba7d69e3a9afe2505ec
Instruction Fuzzy Hash: ACC1AA75604289DFDF749F25CC94BEE37B6BF98340F44806AAC4EAB254E7348A41CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B63ECA, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6a052be4656c11ccaa7fa618d4addef3f44a1602cfd5cac29c503e754db6dc8
Instruction ID: 94516dd5d53c4b139539b85aec55a6e715438f56357f4567ee5fcc82cca6980a
Opcode Fuzzy Hash: d6a052be4656c11ccaa7fa618d4addef3f44a1602cfd5cac29c503e754db6dc8
Instruction Fuzzy Hash: D7A1FF71A08799DFDB70CF68C9987EA37B5EF08750F55416AEC4D9B240D3385A80CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0040153A, Relevance: .2, Instructions: 153COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction ID: d394a65342a6a254380257ba0734a19f866dc21ad068f5b1ddaac111a7468d93
Opcode Fuzzy Hash: 58187ee0e133b0b48bb3efed7ac890b15464e5e05c24970065dea5c804966976
Instruction Fuzzy Hash: F641279025E2D4EFC71B47B64CBA2813FE1AE07108B1A88EFD6D54B8A3E555241FC727

Uniqueness

Uniqueness Score: -1.00%

Function 02B56C30, Relevance: .1, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c07fca1a0186a72142a040983448c491af3d1a3e36163ccc0d81303c052f58c1
Instruction ID: 2f2903d6a79de2101c40c4acfc9a1f32403a458c705dc3966378570dddce24d5
Opcode Fuzzy Hash: c07fca1a0186a72142a040983448c491af3d1a3e36163ccc0d81303c052f58c1
Instruction Fuzzy Hash: 01418976609384CFC7699F39C9652EA7FF0EF1A310F66488DD8C59B612C2319902CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B599FD, Relevance: .1, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf41761c039c49709145a42246a80c330242b37f27a4db91c5e07015f9571115
Instruction ID: 6ede8328f379311dfdbe126ef435d0013f61b02ea5ce992230fe1105bbdbbd6f
Opcode Fuzzy Hash: bf41761c039c49709145a42246a80c330242b37f27a4db91c5e07015f9571115
Instruction Fuzzy Hash: 02418C7550CA80DBCB194F34C8A6775BBB0FF25310F250A8FD9E24A5A2DB318555CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02B5A4C9, Relevance: .1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e9790a4e338a590241b3851076675fb9e26f3c1112c5d6f578c6fe3789e64c2
Instruction ID: fa3fd28a6432b61801d1847e8b7a9f87df1dacf2eb8b0761c0eaffd3ddc97f4f
Opcode Fuzzy Hash: 2e9790a4e338a590241b3851076675fb9e26f3c1112c5d6f578c6fe3789e64c2
Instruction Fuzzy Hash: 4641C132209398CFDB74CE2689A57EA73F2BB88300F41426ECA4E5F780C7346941CB55

Uniqueness

Uniqueness Score: -1.00%

Function 02B5A58F, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ff942cced0b247f0400f1175869d6d260458655cafa032ea55391a268d5354b
Instruction ID: fb3817986d620e97c55a2408e9ab7ec603dee2ab58fd5d234704491622284964
Opcode Fuzzy Hash: 6ff942cced0b247f0400f1175869d6d260458655cafa032ea55391a268d5354b
Instruction Fuzzy Hash: 4241AC325093A88FDB74CE2589E57EA37E2AB88704F44426ECE4E5F680C7356A41CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02B56CCC, Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54cc668b1b31a97938382c1559d0a2827efae3df59f138b622116b57b2a6e084
Instruction ID: a5fd56df78d85c23b074cdd59809b8e6bcd6e4b9407ca0ca7d548ca3fd05b64e
Opcode Fuzzy Hash: 54cc668b1b31a97938382c1559d0a2827efae3df59f138b622116b57b2a6e084
Instruction Fuzzy Hash: AB31987660D340CFDB596E3689252EABBF0EF26310F72498DC4D68BA12D231D942CF42

Uniqueness

Uniqueness Score: -1.00%

Function 02B56CB7, Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea7e9ed2702768db117fb3d843ea78baf0897744aea269062f39a0c2614bf3c6
Instruction ID: d6079ce7b1417a2ab7f7ae8c270a894fa144962f85d0d4d9745f63a41f12d72e
Opcode Fuzzy Hash: ea7e9ed2702768db117fb3d843ea78baf0897744aea269062f39a0c2614bf3c6
Instruction Fuzzy Hash: D631667650D384CFDB696F35CA251EABBA0AF66210F32588DD4D69BA12D2319941CF02

Uniqueness

Uniqueness Score: -1.00%

Function 02B5A1AB, Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09a6e2673bdfc5490c968dd8a70c19eb7216c7ebe174541200db1ea403b7b285
Instruction ID: ea02a1bea936eb936ec28da8a3b0cf3074a5887b8964d6f654451a3a87f9b4bb
Opcode Fuzzy Hash: 09a6e2673bdfc5490c968dd8a70c19eb7216c7ebe174541200db1ea403b7b285
Instruction Fuzzy Hash: A231E4312087918BDF75CEB8C8D5BCABB91AB51314F08C2EDCC9A8B19BE735414AC752

Uniqueness

Uniqueness Score: -1.00%

Function 02B62C28, Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f6e57bc3f5a71407d8a7c9f66a4eb01fb87595148a9c8becc38a403391a078
Instruction ID: e8ea5a43e280df22889e5399f13b303528caebb963e323588639e8f3bfff57a8
Opcode Fuzzy Hash: 26f6e57bc3f5a71407d8a7c9f66a4eb01fb87595148a9c8becc38a403391a078
Instruction Fuzzy Hash: C021813560834BCBDB30EEA8C4D47EA77B2FF59700F48416ACD49CB202E6748946C641

Uniqueness

Uniqueness Score: -1.00%

Function 02B5A6CE, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51babc05b9f68004bf5b7e2edb8784800c126ce9b431a8e82f0c88a315d62308
Instruction ID: aad434365dcbdca2f298d78f31c18ace509818e9542f11d6858e2fc3815dae0a
Opcode Fuzzy Hash: 51babc05b9f68004bf5b7e2edb8784800c126ce9b431a8e82f0c88a315d62308
Instruction Fuzzy Hash: 80218D316093588BDB78CE1585E57EA72E2AB48704F41462EDE4F5F740C7356A40CB25

Uniqueness

Uniqueness Score: -1.00%

Function 02B64A9C, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8df911efa910345d644f7920921c2f0cb0ac21ef06a22fb62b8ad46808cdd406
Instruction ID: 9ff407f26f0bb6abfdb77964c07029a470b237bcf1a291a184b91745de6f5709
Opcode Fuzzy Hash: 8df911efa910345d644f7920921c2f0cb0ac21ef06a22fb62b8ad46808cdd406
Instruction Fuzzy Hash: 71210535289641DFEBB8EE68D99ABFF3BB0EF42310F50405ECC4A9A508D73545808B42

Uniqueness

Uniqueness Score: -1.00%

Function 00401776, Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction ID: 0ef76ab4ed2bcdf07a831812e9108315abc5032b0251afc9fc56c28be75d868b
Opcode Fuzzy Hash: 9e24cef5b52d058c6559a4647f5f96652dbae51e6763f7f5d8b23a4fe3d590a8
Instruction Fuzzy Hash: 5E11DAB150E3E59FCB174B748CB52527FB0AF1B20070A44EBD4819F8A7E268281ED727

Uniqueness

Uniqueness Score: -1.00%

Function 02B62F6B, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469dd9ab9851f4008aee0eb4fa32e4ad8a6a51d796645811206d0dfc796da583
Instruction ID: 09b043a385569cc811bcfa078b5307fd98d0337441c0a24be78fae8a59df81a4
Opcode Fuzzy Hash: 469dd9ab9851f4008aee0eb4fa32e4ad8a6a51d796645811206d0dfc796da583
Instruction Fuzzy Hash: C8010874604648DFCB34CF28E998FEA73F0FF09714F0180A9E9098B221C335AA44CB14

Uniqueness

Uniqueness Score: -1.00%

Function 00401729, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 02B6225D, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326411afb0b0724705b95755415cb1f632a92fa1d8274982df1e38dea8eb2218
Instruction ID: 0c52e846838515003e2040ee3bba8b0478342c4948c3aa88fcfa9eef88005163
Opcode Fuzzy Hash: 326411afb0b0724705b95755415cb1f632a92fa1d8274982df1e38dea8eb2218
Instruction Fuzzy Hash: F6B092302505408FCA42CE08C190F8073B5BF04A00FC20480E4018BB11C224E802CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02B5D1B5, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 02B63BCE, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1180599647.0000000002B50000.00000040.00000001.sdmp, Offset: 02B50000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 0041DDF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON

Download Yara Rule

C-Code - Quality: 82%

			E0041DDF0() {
				signed int _v8;
				signed int _t8;
				char _t10;
				signed int _t13;
				intOrPtr _t15;
				intOrPtr _t17;

				_push(4);
				L00401210();
				_t8 = 1;
				_t13 = 1;
				_t15 =  *0x41f034; // 0x625e38
				_t17 =  *0x41f034; // 0x625e38
				_t10 =  *((intOrPtr*)(_t17 + _t8 * 0xffffffff));
				 *((char*)(_t15 + _t13 * 0xffffffff)) = _t10;
				_push( *0x41f034);
				L004012A6();
				 *0x41f040 = _t10;
				_v8 = _v8 | 0x0000ffff;
				 *0x41f044 = _v8;
				return _v8;
			}

0x0041ddf3
0x0041ddf6
0x0041ddfe
0x0041de04
0x0041de08
0x0041de0e
0x0041de14
0x0041de17
0x0041de1a
0x0041de20
0x0041de25
0x0041de2a
0x0041de33
0x0041de3f

APIs

__vbaChkstk.MSVBVM60(?,0041DAFA), ref: 0041DDF6
#644.MSVBVM60(?,?,0041DAFA), ref: 0041DE20

Strings

8^b, xrefs: 0041DE08, 0041DE0E

Memory Dump Source

Source File: 00000000.00000002.1179905268.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1179891037.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1179958048.000000000041F000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1179974594.0000000000421000.00000002.00020000.sdmp Download File

Similarity

API ID: #644Chkstk__vba
String ID: 8^b
API String ID: 3537395942-1388125588
Opcode ID: 76fff59c77a3fdaafe6cdfa5bfe850f1df2f7db69d135ce0fdef5c5b65eab8a0
Instruction ID: a4d76139e0849925d4540305290d299c3be9090f96f16b4af28684474d20ff8c
Opcode Fuzzy Hash: 76fff59c77a3fdaafe6cdfa5bfe850f1df2f7db69d135ce0fdef5c5b65eab8a0
Instruction Fuzzy Hash: 40F0A03D542241AAC720AB64AE126D47F78AB4D750F1040BAFA01EF2B3D3745943D75C

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report RFQ_TZDQP2110257921.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Jbx Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: RFQ_TZDQP2110257921.exe PID: 5908 Parent PID: 2944

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: RFQ_TZDQP2110257921.exe PID: 5908 Parent PID: 2944 RFQ_TZDQP2110257921.exeCOMMON

Executed Functions

Function 02B66BC4, Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Function 02B5DAC8, Relevance: 1.6, APIs: 1, Instructions: 103memorynativeCOMMON

Function 0041C774, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878COMMON

Function 0041C774, Relevance: 202.1, APIs: 105, Strings: 10, Instructions: 878
COMMON

Function 0041D7FF, Relevance: 54.4, APIs: 28, Strings: 3, Instructions: 165
COMMON

Function 0041DBAE, Relevance: 15.1, APIs: 10, Instructions: 102
COMMON

Function 0041DA78, Relevance: 12.1, APIs: 8, Instructions: 70
COMMON

Function 0041DDF0, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26
COMMON