Play interactive tour

Edit tour

Analysis Report 964309_Invoice_confirmation.exe

Overview

General Information

Sample Name:	964309_Invoice_confirmation.exe
Analysis ID:	337282
MD5:	84f07fb808c942462f3ab00c17782217
SHA1:	b9044a839436619055ce9350d75293a2b28bb194
SHA256:	02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
Tags:	exeGuLoader
Most interesting Screenshot:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Potential malicious icon found

Yara detected GuLoader

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

964309_Invoice_confirmation.exe (PID: 3484 cmdline: 'C:\Users\user\Desktop\964309_Invoice_confirmation.exe' MD5: 84F07FB808C942462F3AB00C17782217)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for submitted file

Show sources

Source: 964309_Invoice_confirmation.exe

ReversingLabs: Detection: 13%

Source: 964309_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: 964309_Invoice_confirmation.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: 964309_Invoice_confirmation.exe

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Process Stats: CPU usage > 98%

Source: 964309_Invoice_confirmation.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 964309_Invoice_confirmation.exe, 00000001.00000000.673641824.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameBrneko.exe vs 964309_Invoice_confirmation.exe
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843983752.00000000021D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 964309_Invoice_confirmation.exe
Source: 964309_Invoice_confirmation.exe	Binary or memory string: OriginalFilenameBrneko.exe vs 964309_Invoice_confirmation.exe

Source: 964309_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal84.rans.troj.evad.winEXE@1/0@0/0

Source: 964309_Invoice_confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 964309_Invoice_confirmation.exe

ReversingLabs: Detection: 13%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: 964309_Invoice_confirmation.exe PID: 3484, type: MEMORY

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00402420 push esi; iretd	1_2_0040243E
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_004078C7 push cs; retf	1_2_004078DE
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00407544 push edi; retf	1_2_0040756A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00401657 push esi; iretd	1_2_00401663
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00408B03 push ds; retf	1_2_00408B0E
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00404BD9 push esp; retf	1_2_00404BDA
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_004077B8 push ss; iretd	1_2_004077F1
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425892 push 61000010h; ret	1_2_0042589F

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 964309_Invoice_confirmation.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

RDTSC instruction interceptor: First address: 000000000040433B second address: 000000000040433B instructions: 0x00000000 rdtsc 0x00000002 wait 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007F3DA0B9EEE6h 0x0000000c rdtsc

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Code function: 1_2_004041EB rdtsc

1_2_004041EB

Source: 964309_Invoice_confirmation.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Code function: 1_2_004041EB rdtsc

1_2_004041EB

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_0042505B mov eax, dword ptr fs:[00000030h]	1_2_0042505B
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425A51 mov eax, dword ptr fs:[00000030h]	1_2_00425A51
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425A6A mov eax, dword ptr fs:[00000030h]	1_2_00425A6A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00424A0A mov eax, dword ptr fs:[00000030h]	1_2_00424A0A
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425A33 mov eax, dword ptr fs:[00000030h]	1_2_00425A33
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425A39 mov eax, dword ptr fs:[00000030h]	1_2_00425A39
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00425AA5 mov eax, dword ptr fs:[00000030h]	1_2_00425AA5
Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe	Code function: 1_2_00422EEF mov eax, dword ptr fs:[00000030h]	1_2_00422EEF

Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 964309_Invoice_confirmation.exe, 00000001.00000002.1843804110.0000000000DA0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\964309_Invoice_confirmation.exe

Code function: 1_2_0042375C cpuid

1_2_0042375C

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	OS Credential Dumping	Security Software Discovery211	Remote Services	Data from Local System	Exfiltration Over Other Network Medium	Data Obfuscation	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery111	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
964309_Invoice_confirmation.exe	14%	ReversingLabs	Win32.Infostealer.Generic

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337282
Start date:	08.01.2021
Start time:	09:23:03
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 12m 16s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	964309_Invoice_confirmation.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal84.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 30.1% (good quality ratio 17.5%) Quality average: 31.7% Quality standard deviation: 32.7%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, RuntimeBroker.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.636486997453101
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	964309_Invoice_confirmation.exe
File size:	94208
MD5:	84f07fb808c942462f3ab00c17782217
SHA1:	b9044a839436619055ce9350d75293a2b28bb194
SHA256:	02553b25344fd73b18ed90ab5fc8e9c11100734b429e90a0527cbc1aed79e6bd
SHA512:	f9d63f838b58a1c3e82cab5b9cf77bcf7c519061ebdcffab1bb071c3300bbd72ee4ea1d5af4ef4c346e23c3b030425dafb64031d9bb4b6f4f93dfdc18568aaca
SSDEEP:	1536:WEqZdfva2ckw6GR81Zsy+wHVVQ5C6eXwoJXxL7:cTva2o68yn7woJF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L......_.................@...0...............P....@

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401600
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FF7A893 [Fri Jan 8 00:34:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	690ed9eee3aab240a93936dee17050b4

Entrypoint Preview

Instruction
push 00401C68h
call 00007F3DA07E6FD5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
lds esp, fword ptr [eax]
fmul st(0), st(5)
dec ebp
adc ebx, dword ptr [eax+40h]
mov ch, 5Ch
popfd
cld
cmp edi, dword ptr [edx+03h]
je 00007F3DA07E6FE2h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+6Fh], ch
jnbe 00007F3DA07E7055h
outsd
popad
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sbb dword ptr [ebx+29h], edi
jmp 00007F3DA07E6FA2h
xchg bl, cl
dec eax
sahf
ret
xor esi, dword ptr [ebx-1173D434h]
adc al, 37h
fisttp word ptr [esi-02h]
push esi
iretd
inc ebp
xchg eax, edx
arpl word ptr [ecx], bp
cmp byte ptr [esp+edi*8], ah
xchg eax, esi
aad 3Ah
dec edi
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cli
add eax, dword ptr [eax]
add byte ptr [eax+00h], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [edi+56h], cl
inc ebp
push edx
inc esi
dec esp
add byte ptr [75000601h], cl
jbe 00007F3DA07E704Ch
imul ebp, dword ptr [eax+eax+19h], 01h
add byte ptr [edx+00h], al
and al, byte ptr [00000624h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13cd4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x89c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x184	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x132b8	0x14000	False	0.393383789062	data	6.08218198258	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x14b0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x89c	0x1000	False	0.1611328125	data	1.88826980394	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x1776c	0x130	data
RT_ICON	0x17484	0x2e8	data
RT_ICON	0x1735c	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x1732c	0x30	data
RT_VERSION	0x17150	0x1dc	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	Brneko
FileVersion	1.00
OriginalFilename	Brneko.exe
ProductName	Logaritm

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 964309_Invoice_confirmation.exe PID: 3484 Parent PID: 5916

General

Start time:	09:24:04
Start date:	08/01/2021
Path:	C:\Users\user\Desktop\964309_Invoice_confirmation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\964309_Invoice_confirmation.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	84F07FB808C942462F3AB00C17782217
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 964309_Invoice_confirmation.exe PID: 3484 Parent PID: 5916 964309_Invoice_confirmation.exeCOMMON

Executed Functions

Function 004041EB, Relevance: 1.5, APIs: 1, Instructions: 273
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004041EB(signed int __eax, void* __ebx, void* __ecx, intOrPtr __edx, intOrPtr* __edi, void* __esi) {
				signed int _t8;

				asm("int3");
				 *__eax =  *__eax ^ __eax;
				 *__edi = __edx;
				asm("loop 0x77");
				asm("sbb ebx, [ebp-0x42155977]");
				asm("enter 0xab6f, 0xbb");
				asm("movsd");
				asm("a16 cmp eax, 0xad4f3aae");
				_t7 = __eax;
				asm("stosb");
				 *((intOrPtr*)(_t7 - 0x2d)) =  *((intOrPtr*)(__eax - 0x2d)) + __eax;
				_t8 = __ebx + __ebx ^  *(__ecx - 0x48ee309a);
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				 *_t8 =  *_t8 + _t8;
				return _t8;
			}

0x004041ed
0x004041ee
0x004041f9
0x004041fb
0x004041fd
0x00404203
0x00404207
0x0040420e
0x0040421a
0x0040421c
0x0040421d
0x00404220
0x00404221
0x00404223
0x00404225
0x00404227
0x00404229
0x0040422b
0x0040422d
0x0040422f
0x00404231
0x00404233
0x00404235
0x00404237
0x00404239
0x0040423b
0x0040423d
0x0040423f
0x00404241
0x00404243
0x00404245

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9970ff6c6c75b2b68b1417c1ab6f3b13e8cec70c8a51b001e7e70421f04f7331
Instruction ID: 13c851ff5cc886ee246e3b8131ac39a6d2bdf96c6dddab49e939f96b36da7084
Opcode Fuzzy Hash: 9970ff6c6c75b2b68b1417c1ab6f3b13e8cec70c8a51b001e7e70421f04f7331
Instruction Fuzzy Hash: E8618E7245B3829FC7138E34DCD05C8BB70AF07B20B6936E7C481D7692CB285A96C765

Uniqueness

Uniqueness Score: -1.00%

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004114AE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				void* _v40;
				char* _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char* _v112;
				char _v120;
				char _v172;
				short _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				short _v192;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t102;
				signed int _t107;
				char* _t111;
				short _t115;
				signed int _t124;
				short _t130;
				void* _t154;
				void* _t156;
				intOrPtr _t157;
				char* _t167;

				_t157 = _t156 - 0xc;
				 *[fs:0x0] = _t157;
				L004013C0();
				_v16 = _t157;
				_v12 = 0x401308;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t154);
				if( *0x4155f8 != 0) {
					_v204 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v204 = 0x4155f8;
				}
				_v176 =  *_v204;
				_t102 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v40);
				asm("fclex");
				_v180 = _t102;
				if(_v180 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v176);
					_push(_v180);
					L00401552();
					_v208 = _t102;
				}
				_v184 = _v40;
				_t107 =  *((intOrPtr*)( *_v184 + 0x100))(_v184,  &_v172);
				asm("fclex");
				_v188 = _t107;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x4028f8);
					_push(_v184);
					_push(_v188);
					L00401552();
					_v212 = _t107;
				}
				_v192 =  ~(0 | _v172 == 0x00400000);
				L0040152E();
				_t111 = _v192;
				if(_t111 != 0) {
					_push(0x40290c);
					_push(0x402914);
					L004015AC();
					_v48 = _t111;
					_v56 = 8;
					_push( &_v56);
					_push( &_v72);
					L0040151C();
					_v112 = 0x402914;
					_v120 = 0x8008;
					_push( &_v72);
					_t115 =  &_v120;
					_push(_t115);
					L004015DC();
					_v176 = _t115;
					_push( &_v72);
					_push( &_v56);
					_push(2);
					L004015BE();
					_t111 = _v176;
					if(_t111 != 0) {
						_push(2);
						_push(0x4026c0);
						_push(0x4026c8);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026d0);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026d0);
						_push(0);
						L00401516();
						asm("sbb eax, eax");
						_v176 =  ~( ~(_t111 - 3) + 1);
						_push( &_v36);
						_push( &_v32);
						_push(2);
						L004015A6();
						_t111 = _v176;
						_t167 = _t111;
						if(_t167 != 0) {
							L00401510();
							L004015A0();
							asm("fcomp qword [0x401250]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t167 == 0) {
								_v112 = 0x80020004;
								_v120 = 0xa;
								_t124 = 0x10;
								L004013C0();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(L"oliemalinger");
								_push(L"stourness");
								_push(L"Sgsmaalsgrunds7"); // executed
								L0040157C(); // executed
								L004015B2();
								_push(_t124);
								_push(0);
								L00401582();
								asm("sbb eax, eax");
								_v176 =  ~( ~_t124 + 1);
								L004015C4();
								_t111 = _v176;
								if(_t111 != 0) {
									_push(0x402abc);
									L00401576();
									if(_t111 == 1) {
										_push( &_v56);
										L00401570();
										_v112 = L"prnumerant";
										_v120 = 0x8008;
										_push( &_v56);
										_t130 =  &_v120;
										_push(_t130);
										L004015DC();
										_v176 = _t130;
										L0040156A();
										_t111 = _v176;
										if(_t111 != 0) {
											_v96 = 0x80020004;
											_v104 = 0xa;
											_v80 = 0x80020004;
											_v88 = 0xa;
											_v64 = 0x80020004;
											_v72 = 0xa;
											_v112 = L"Topforhandlernes";
											_v120 = 8;
											L0040158E();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_push(0);
											_push( &_v56);
											L00401564();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_t111 =  &_v56;
											_push(_t111);
											_push(4);
											L004015BE();
										}
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x41186b);
				return _t111;
			}

0x004114b1
0x004114c0
0x004114cc
0x004114d4
0x004114d7
0x004114de
0x004114ed
0x004114f7
0x00411514
0x004114f9
0x004114f9
0x004114fe
0x00411503
0x00411508
0x00411508
0x00411526
0x0041153e
0x00411541
0x00411543
0x00411550
0x00411572
0x00411552
0x00411552
0x00411554
0x00411559
0x0041155f
0x00411565
0x0041156a
0x0041156a
0x0041157c
0x00411597
0x0041159d
0x0041159f
0x004115ac
0x004115d1
0x004115ae
0x004115ae
0x004115b3
0x004115b8
0x004115be
0x004115c4
0x004115c9
0x004115c9
0x004115e9
0x004115f3
0x004115f8
0x00411601
0x00411607
0x0041160c
0x00411611
0x00411616
0x00411619
0x00411623
0x00411627
0x00411628
0x0041162d
0x00411634
0x0041163e
0x0041163f
0x00411642
0x00411643
0x00411648
0x00411652
0x00411656
0x00411657
0x00411659
0x00411661
0x0041166a
0x00411670
0x00411672
0x00411677
0x0041167c
0x00411686
0x0041168b
0x0041168c
0x00411691
0x0041169b
0x004116a0
0x004116a1
0x004116a6
0x004116a8
0x004116b2
0x004116b7
0x004116c1
0x004116c5
0x004116c6
0x004116c8
0x004116d0
0x004116d7
0x004116d9
0x004116e5
0x004116ea
0x004116ef
0x004116f5
0x004116f7
0x004116f8
0x004116fe
0x00411705
0x0041170e
0x0041170f
0x00411719
0x0041171a
0x0041171b
0x0041171c
0x0041171d
0x00411722
0x00411727
0x0041172c
0x00411736
0x0041173b
0x0041173c
0x0041173e
0x00411745
0x0041174a
0x00411754
0x00411759
0x00411762
0x00411768
0x0041176d
0x00411775
0x0041177e
0x0041177f
0x00411784
0x0041178b
0x00411795
0x00411796
0x00411799
0x0041179a
0x0041179f
0x004117a9
0x004117ae
0x004117b7
0x004117b9
0x004117c0
0x004117c7
0x004117ce
0x004117d5
0x004117dc
0x004117e3
0x004117ea
0x004117f7
0x004117ff
0x00411803
0x00411807
0x00411808
0x0041180d
0x0041180e
0x00411816
0x0041181a
0x0041181e
0x0041181f
0x00411822
0x00411823
0x00411825
0x0041182a
0x004117b7
0x00411775
0x00411762
0x004116f8
0x004116d9
0x0041166a
0x0041182d
0x0041182e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004114CC
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 00411503
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00411565
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000100), ref: 004115C4
__vbaFreeObj.MSVBVM60 ref: 004115F3
__vbaStrCat.MSVBVM60(00402914,0040290C), ref: 00411611
#522.MSVBVM60(?,00000008,00402914,0040290C), ref: 00411628
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000008,00402914,0040290C), ref: 00411643
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,00000008,00402914,0040290C), ref: 00411659
__vbaStrCat.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 0041167C
__vbaStrMove.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00411686
__vbaStrCat.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00411691
__vbaStrMove.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 0041169B
__vbaInStr.MSVBVM60(00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 004116A8
__vbaFreeStrList.MSVBVM60(00000002,00000002,004026C0,00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 004116C8
__vbaFPInt.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 004116E5
__vbaFpR8.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 004116EA
__vbaChkstk.MSVBVM60 ref: 0041170F
#689.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041172C
__vbaStrMove.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411736
__vbaStrCmp.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041173E
__vbaFreeStr.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411754
__vbaLenBstr.MSVBVM60(00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041176D
#670.MSVBVM60(?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041177F
__vbaVarTstEq.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041179A
__vbaFreeVar.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004117A9
__vbaVarDup.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004117F7
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041180E
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402ABC,00000000,00000000), ref: 00411825

Strings

Topforhandlernes, xrefs: 004117E3
Sgsmaalsgrunds7, xrefs: 00411727
stourness, xrefs: 00411722
oliemalinger, xrefs: 0041171D
prnumerant, xrefs: 00411784

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$CheckChkstkHresult$#522#595#670#689BstrNew2
String ID: Sgsmaalsgrunds7$Topforhandlernes$oliemalinger$prnumerant$stourness
API String ID: 1585906448-2475824071
Opcode ID: 033716a82a6bf55004185c2d2bb349601c678524e1617e11a520310895442918
Instruction ID: 3531a373524260d410351acf34ad13b473a3f7669a093c62ce4779f2f805e6f5
Opcode Fuzzy Hash: 033716a82a6bf55004185c2d2bb349601c678524e1617e11a520310895442918
Instruction Fuzzy Hash: 1F912D71900218AADB11EFA1CD45FDEB7B9AF44704F10817BE106BB1E1DB789A84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00410054(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				char* _v116;
				char _v124;
				void* _v160;
				signed int _v164;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr _t84;
				short _t88;
				char* _t91;
				signed int _t98;
				short _t104;
				char* _t108;
				signed int _t112;
				void* _t139;
				void* _t141;
				intOrPtr _t142;
				char* _t147;

				_t142 = _t141 - 0xc;
				 *[fs:0x0] = _t142;
				L004013C0();
				_v16 = _t142;
				_v12 = 0x401260;
				_v8 = 0;
				_t84 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t139);
				_push(0x40290c);
				_push(0x402914);
				L004015AC();
				_v52 = _t84;
				_v60 = 8;
				_push( &_v60);
				_push( &_v76);
				L0040151C();
				_v116 = 0x402914;
				_v124 = 0x8008;
				_push( &_v76);
				_t88 =  &_v124;
				_push(_t88);
				L004015DC();
				_v160 = _t88;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L004015BE();
				_t91 = _v160;
				if(_t91 != 0) {
					_push(2);
					_push(0x4026c0);
					_push(0x4026c8);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026d0);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026d0);
					_push(0);
					L00401516();
					asm("sbb eax, eax");
					_v160 =  ~( ~(_t91 - 3) + 1);
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L004015A6();
					_t91 = _v160;
					_t147 = _t91;
					if(_t147 != 0) {
						L00401510();
						L004015A0();
						asm("fcomp qword [0x401250]");
						asm("fnstsw ax");
						asm("sahf");
						if(_t147 == 0) {
							_v116 = 0x80020004;
							_v124 = 0xa;
							_t98 = 0x10;
							L004013C0();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(L"HABITABLE");
							_push(L"Stengun2");
							_push(L"misbrugere"); // executed
							L0040157C(); // executed
							L004015B2();
							_push(_t98);
							_push(0);
							L00401582();
							asm("sbb eax, eax");
							_v160 =  ~( ~_t98 + 1);
							L004015C4();
							_t91 = _v160;
							if(_t91 != 0) {
								_push(0x402968);
								L00401576();
								if(_t91 == 1) {
									_push( &_v60);
									L00401570();
									_v116 = L"Dizaine";
									_v124 = 0x8008;
									_push( &_v60);
									_t104 =  &_v124;
									_push(_t104);
									L004015DC();
									_v160 = _t104;
									L0040156A();
									_t91 = _v160;
									if(_t91 != 0) {
										_v100 = 0x80020004;
										_v108 = 0xa;
										_v84 = 0x80020004;
										_v92 = 0xa;
										_v68 = 0x80020004;
										_v76 = 0xa;
										if( *0x415010 != 0) {
											_v180 = 0x415010;
										} else {
											_push(0x415010);
											_push(0x4030fc);
											L00401558();
											_v180 = 0x415010;
										}
										_t108 =  &_v44;
										L0040155E();
										_v160 = _t108;
										_t112 =  *((intOrPtr*)( *_v160 + 0x48))(_v160,  &_v36, _t108,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x35c))( *_v180));
										asm("fclex");
										_v164 = _t112;
										if(_v164 >= 0) {
											_v184 = _v184 & 0x00000000;
										} else {
											_push(0x48);
											_push(0x402760);
											_push(_v160);
											_push(_v164);
											L00401552();
											_v184 = _t112;
										}
										_v176 = _v36;
										_v36 = _v36 & 0x00000000;
										_v52 = _v176;
										_v60 = 8;
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_push(0);
										_push( &_v60);
										L00401564();
										L0040152E();
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_t91 =  &_v60;
										_push(_t91);
										_push(4);
										L004015BE();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x4103ae);
				return _t91;
			}

0x00410057
0x00410066
0x00410072
0x0041007a
0x0041007d
0x00410084
0x00410093
0x00410096
0x0041009b
0x004100a0
0x004100a5
0x004100a8
0x004100b2
0x004100b6
0x004100b7
0x004100bc
0x004100c3
0x004100cd
0x004100ce
0x004100d1
0x004100d2
0x004100d7
0x004100e1
0x004100e5
0x004100e6
0x004100e8
0x004100f0
0x004100f9
0x004100ff
0x00410101
0x00410106
0x0041010b
0x00410115
0x0041011a
0x0041011b
0x00410120
0x0041012a
0x0041012f
0x00410130
0x00410135
0x00410137
0x00410141
0x00410146
0x00410150
0x00410154
0x00410155
0x00410157
0x0041015f
0x00410166
0x00410168
0x00410174
0x00410179
0x0041017e
0x00410184
0x00410186
0x00410187
0x0041018d
0x00410194
0x0041019d
0x0041019e
0x004101a8
0x004101a9
0x004101aa
0x004101ab
0x004101ac
0x004101b1
0x004101b6
0x004101bb
0x004101c5
0x004101ca
0x004101cb
0x004101cd
0x004101d4
0x004101d9
0x004101e3
0x004101e8
0x004101f1
0x004101f7
0x004101fc
0x00410204
0x0041020d
0x0041020e
0x00410213
0x0041021a
0x00410224
0x00410225
0x00410228
0x00410229
0x0041022e
0x00410238
0x0041023d
0x00410246
0x0041024c
0x00410253
0x0041025a
0x00410261
0x00410268
0x0041026f
0x0041027d
0x0041029a
0x0041027f
0x0041027f
0x00410284
0x00410289
0x0041028e
0x0041028e
0x004102be
0x004102c2
0x004102c7
0x004102df
0x004102e2
0x004102e4
0x004102f1
0x00410313
0x004102f3
0x004102f3
0x004102f5
0x004102fa
0x00410300
0x00410306
0x0041030b
0x0041030b
0x0041031d
0x00410323
0x0041032d
0x00410330
0x0041033a
0x0041033e
0x00410342
0x00410343
0x00410348
0x00410349
0x00410351
0x00410359
0x0041035d
0x00410361
0x00410362
0x00410365
0x00410366
0x00410368
0x0041036d
0x00410246
0x00410204
0x004101f1
0x00410187
0x00410168
0x00410370
0x00410371
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00410072
__vbaStrCat.MSVBVM60(00402914,0040290C,?,?,?,?,004013C6), ref: 004100A0
#522.MSVBVM60(?,00000008), ref: 004100B7
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004100D2
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?), ref: 004100E8
__vbaStrCat.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 0041010B
__vbaStrMove.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410115
__vbaStrCat.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410120
__vbaStrMove.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 0041012A
__vbaInStr.MSVBVM60(00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410137
__vbaFreeStrList.MSVBVM60(00000002,004026C0,004026C8,00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410157
__vbaFPInt.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410174
__vbaFpR8.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410179
__vbaChkstk.MSVBVM60 ref: 0041019E
#689.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 004101BB
__vbaStrMove.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 004101C5
__vbaStrCmp.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101CD
__vbaFreeStr.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101E3
__vbaLenBstr.MSVBVM60(00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101FC
#670.MSVBVM60(?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0041020E
__vbaVarTstEq.MSVBVM60(00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410229
__vbaFreeVar.MSVBVM60(00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410238
__vbaNew2.MSVBVM60(004030FC,00415010,00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410289
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004102C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,00000048,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000,misbrugere), ref: 00410306
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000), ref: 00410349
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000), ref: 00410351
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008), ref: 00410368

Strings

HABITABLE, xrefs: 004101AC
Stengun2, xrefs: 004101B1
misbrugere, xrefs: 004101B6
Dizaine, xrefs: 00410213

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$Chkstk$#522#595#670#689BstrCheckHresultNew2
String ID: Dizaine$HABITABLE$Stengun2$misbrugere
API String ID: 3850225901-803909472
Opcode ID: bb98ce092d9f71e99c4b89a6499770605a593f750aef5e49c79fbdbd9a8f1344
Instruction ID: c94ba173236eca13bcaa98f06b99431acf174e6394fedd475f9c054147d6633e
Opcode Fuzzy Hash: bb98ce092d9f71e99c4b89a6499770605a593f750aef5e49c79fbdbd9a8f1344
Instruction Fuzzy Hash: 3A812B7195021CEBDB10EFA1CC45BDEB7B8BF44704F10416AF506BB191DBB899848F69

Uniqueness

Uniqueness Score: -1.00%

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004104B1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				char _v68;
				intOrPtr _v76;
				char _v84;
				short _v104;
				intOrPtr _t29;
				char* _t31;
				short _t33;
				short _t37;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L004013C0();
				_v16 = _t50;
				_v12 = 0x401280;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4013c6, _t47);
				L0040154C();
				_push(0x40290c);
				_push(0x402984);
				L004015AC();
				L004015B2();
				_push(_t29);
				_push(0x402984);
				L004015AC();
				_v44 = _t29;
				_v52 = 8;
				_push( &_v52);
				_t31 =  &_v68;
				_push(_t31);
				L00401504();
				_push(0x402984);
				_push(0x402984);
				L004015AC();
				_v76 = _t31;
				_v84 = 0x8008;
				_push( &_v68);
				_t33 =  &_v84;
				_push(_t33);
				L004015DC();
				_v104 = _t33;
				L004015C4();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L004015BE();
				_t37 = _v104;
				if(_t37 != 0) {
					_push(L"prenominate");
					_push(L"Karseklippet");
					_push(L"Oculus");
					_push(L"unwall"); // executed
					L004014FE(); // executed
				}
				_push(0x4105d3);
				L004015C4();
				return _t37;
			}

0x004104b4
0x004104c3
0x004104cd
0x004104d5
0x004104d8
0x004104df
0x004104ee
0x004104f7
0x004104fc
0x00410501
0x00410506
0x00410510
0x00410515
0x00410516
0x0041051b
0x00410520
0x00410523
0x0041052d
0x0041052e
0x00410531
0x00410532
0x00410537
0x0041053c
0x00410541
0x00410546
0x00410549
0x00410553
0x00410554
0x00410557
0x00410558
0x0041055d
0x00410564
0x0041056c
0x00410570
0x00410574
0x00410575
0x00410577
0x0041057f
0x00410585
0x00410587
0x0041058c
0x00410591
0x00410596
0x0041059b
0x0041059b
0x004105a0
0x004105cd
0x004105d2

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004104CD
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 004104F7
__vbaStrCat.MSVBVM60(00402984,0040290C,?,?,?,?,004013C6), ref: 00410506
__vbaStrMove.MSVBVM60(00402984,0040290C,?,?,?,?,004013C6), ref: 00410510
__vbaStrCat.MSVBVM60(00402984,00000000,00402984,0040290C,?,?,?,?,004013C6), ref: 0041051B
#520.MSVBVM60(?,00000008), ref: 00410532
__vbaStrCat.MSVBVM60(00402984,00402984,?,00000008), ref: 00410541
__vbaVarTstEq.MSVBVM60(00008008,00402984), ref: 00410558
__vbaFreeStr.MSVBVM60(00008008,00402984), ref: 00410564
__vbaFreeVarList.MSVBVM60(00000003,00000008,00402984,00008008,00008008,00402984), ref: 00410577
#690.MSVBVM60(unwall,Oculus,Karseklippet,prenominate,?,?,?,004013C6), ref: 0041059B
__vbaFreeStr.MSVBVM60(004105D3,?,?,?,004013C6), ref: 004105CD

Strings

Oculus, xrefs: 00410591
Karseklippet, xrefs: 0041058C
prenominate, xrefs: 00410587
unwall, xrefs: 00410596

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#520#690ChkstkCopyListMove
String ID: Karseklippet$Oculus$prenominate$unwall
API String ID: 1353531886-1380899336
Opcode ID: 4b39f2c9f3acb4b57a7e46f922a700e135264b73418eca75286e06ac7b180b60
Instruction ID: da3f51fdc5b86d29f14f6bcc288f438ab6f9656767895bff36086466552422a1
Opcode Fuzzy Hash: 4b39f2c9f3acb4b57a7e46f922a700e135264b73418eca75286e06ac7b180b60
Instruction Fuzzy Hash: F02119B1A50209BFCB00EBD1CD46FEEB7B8AF44704F54403BB405BA1E1DAB895458B59

Uniqueness

Uniqueness Score: -1.00%

Function 00401600, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 539
COMMON

Download Yara Rule

C-Code - Quality: 83%

			_entry_(signed int __eax, void* __ebx, void* __edx, void* __edi, void* __esi, signed long long __fp0) {
				signed int _t236;
				void* _t239;
				void* _t240;
				void* _t242;
				void* _t243;
				signed long long _t248;

				_t248 = __fp0;
				_t240 = __edi;
				_t239 = __edx;
				_t236 = __eax;
				_push("VB5!6&*"); // executed
				L004015FA(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				while(1) {
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					asm("lds esp, [eax]");
					_t248 = _t248 * st5;
					_t242 = _t242 - 1;
					asm("adc ebx, [eax+0x40]");
					asm("popfd");
					asm("cld");
					if (_t240 ==  *((intOrPtr*)(_t239 + 3))) goto L2;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *0x5c =  *0x5c + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *((intOrPtr*)(_t236 + 0x6f)) =  *((intOrPtr*)(_t236 + 0x6f)) + 0x5c;
					_push(0x6f73776f);
					asm("outsd");
					asm("popad");
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					 *_t236 =  *_t236 + _t236;
					_t243 = _t243 - 1;
					 *_t236 =  *_t236 ^ _t236;
					asm("sbb [ebx+0x29], edi");
				}
				__eax = __eax | 0x75000601;
				__eflags = __eax;
				if(__eax <= 0) {
					L12:
					__eflags = __al & 0x0000001b;
					if((__al & 0x0000001b) >= 0) {
						__edi = 0x1201ef04;
						asm("adc eax, [eax]");
						 *__ebx =  *__ebx + 1;
						 *[es:eax] =  *[es:eax] + __al;
						 *__ebx =  *__ebx + __al;
						__eflags =  *__ebx;
						goto L14;
					}
					goto L15;
				} else {
					__ebp =  *(__eax + __eax + 0x19);
					 *__edx =  *__edx + __al;
					__al = __al &  *0x75000624;
					__eflags = __al;
					if(__al <= 0) {
						L14:
						__eax = __eax +  *__esi;
						__eflags = __eax;
						L15:
						_t14 = __ebp + 0x6f;
						 *_t14 =  *(__ebp + 0x6f) + __cl;
						__eflags =  *_t14;
						asm("outsb");
						asm("popad");
						if( *_t14 == 0) {
							goto L20;
						} else {
							 *__esi =  *__esi + __al;
							 *__esi =  *__esi + __eax;
							_t16 = __edi + 0x61;
							 *_t16 =  *(__edi + 0x61) + __al;
							__eflags =  *_t16;
							if( *_t16 == 0) {
								goto L26;
							} else {
								asm("aaa");
								 *0xf781ba8 =  *0xf781ba8 + __al;
								__edi = 0x1201ef04;
								asm("adc al, [eax]");
								 *__ebx =  *__ebx + 1;
								__eax = __eax & 0x04000000;
								__eflags = __eax;
								goto L18;
							}
						}
					} else {
						__ebp =  *(__eax + __eax + 0x35) * 0xffffffaf;
						asm("sbb eax, 0x1a7e0000");
						 *__eax =  *__eax + __al;
						__eflags =  *__eax;
						if( *__eax < 0) {
							 *__eax =  *__eax + __al;
							asm("in al, 0x16");
							 *__eax =  *__eax + __al;
							__esp = __esp + 1;
							 *((intOrPtr*)(__esi + 1)) =  *((intOrPtr*)(__esi + 1)) + __al;
							 *__ecx =  *__ecx + 1;
							__al = __al & 0x00000000;
							 *__eax =  *__eax + __al;
							 *0x41544500 =  *0x41544500 + __eax;
							__eflags = __edi;
						}
						__ebp = __ebp + 1;
						 *__esi =  *__esi + __al;
						 *0x72745300 =  *0x72745300 + __eax;
						asm("popad");
						asm("outsb");
						 *0xf781ba8 =  *0xf781ba8 + __al;
						__edi = 0x1201ef04;
						asm("adc al, 0x0");
						 *__ebx =  *__ebx + 1;
						__eax = __eax & 0x02000000;
						__eax = __eax + 0x49524b00;
						__esp = __esp - 1;
						__esp = __esp - 1;
						 *__esi =  *__esi + __al;
						 *__esi =  *__esi + __eax;
						_t10 =  &(__ecx[0x1b]);
						 *_t10 = __ecx[0x1b] + __cl;
						__eflags =  *_t10;
						if(__eflags < 0) {
							L21:
							if(__eflags < 0) {
								goto L30;
							} else {
								if(__eflags >= 0) {
									goto L31;
								} else {
									if (__eflags == 0) goto L24;
									_push(es);
									 *0x61707300 =  *0x61707300 + __eax;
									__eflags =  *0x61707300;
									asm("outsb");
									if ( *0x61707300 >= 0) goto L25;
									__eax = 0xf781ba8 + __eax;
									__edi = 0x1201ef04;
									asm("adc [eax], al");
									 *__ebx =  *__ebx + 1;
									 *[es:eax] =  *[es:eax] + __al;
									 *__esi =  *__esi + __al;
									_push(es);
									 *((intOrPtr*)(__ebx + 0x74)) =  *((intOrPtr*)(__ebx + 0x74)) + __dl;
									__ebp =  *(__ebp + 0x75) * 0x106006c;
									_push(es);
									 *0x1201EF53 =  *((intOrPtr*)(0x1201ef53)) + __al;
									__ecx =  &(__ecx[0]);
									_push(__esp);
									_push(__ebx);
									_push(__edx);
									 *0xf781ba8 =  *0xf781ba8 + __al;
									__eflags =  *0xf781ba8;
									L26:
									__eflags = __al & 0x0000001b;
									if((__al & 0x0000001b) >= 0) {
										__edi = 0x1201ef04;
										asm("invalid");
										__esp = __esp +  *(__eax + __eax);
										 *__eax =  *__eax + __al;
										_pop(es);
										__eax = __eax + 0x45525500;
										__eflags = __eax;
									}
									goto L28;
								}
							}
						} else {
							if(__eflags < 0) {
								L18:
								 *__eax =  *__eax + __al;
								__al = __al + 5;
								_t18 = __edi + 0x76;
								 *_t18 =  *(__edi + 0x76) + __ch;
								__eflags =  *_t18;
								if( *_t18 < 0) {
									L28:
									 *((intOrPtr*)(__ebp + 0x52)) =  *((intOrPtr*)(__ebp + 0x52)) + __dl;
									__ebp = __ebp + 1;
									__ecx =  &(__ecx[0]);
									__ebp = __ebp - 1;
									 *__esi =  *__esi + __al;
									 *0x74657200 =  *0x74657200 + __eax;
									__eflags =  *0x74657200;
									if( *0x74657200 < 0) {
										 *0xf781ba8 =  *0xf781ba8 + __al;
										__edi = 0x1201ef04;
										_push(cs);
										__bh = __bh + __bh;
										__esp = __esp +  *__esi;
										__eflags = __esp;
										L30:
										 *__eax =  *__eax + __al;
										 *__eax =  *__eax + __cl;
										_pop(es);
										_t32 = __ebx + 0x49;
										 *_t32 =  *(__ebx + 0x49) + __al;
										__eflags =  *_t32;
										asm("gs outsb");
										if ( *_t32 == 0) goto L33;
										L31:
										__al = __al ^ 0x00000000;
										__eflags = __al;
									}
								} else {
									 *__esi =  *__esi + __al;
									 *__esi =  *__esi + __eax;
									 *((intOrPtr*)(__eax + 0x55)) =  *((intOrPtr*)(__eax + 0x55)) + __cl;
									__esi = __esi - 1;
									__edi = __edi + 1;
									__ebp = __ebp + 1;
									_push(__edx);
									 *0xf781ba8 =  *0xf781ba8 + __al;
									__eflags =  *0xf781ba8;
									__edi = 0x1201ef04;
									L20:
									asm("out dx, eax");
									 *__edx =  *__edx + __edx;
									asm("adc [eax], eax");
									 *__ebx =  *__ebx + 1;
									__al = __al & 0x00000000;
									 *__eax =  *__eax + __al;
									__eax = __eax + 0x69720005;
									__eflags = __eax;
									goto L21;
								}
							} else {
								 *0xf781ba8 =  *0xf781ba8 + __al;
								__eflags =  *0xf781ba8;
								goto L12;
							}
						}
					}
				}
				__ebp = __ebp + 1;
				__esp = __esp - 1;
				__ebp = __ebp + 1;
				__ebx = __ebx + 1;
				__ebp = __ebp + 1;
				 *0x4b00a50 =  *0x4b00a50 + __al;
				__fp0 = __fp0 +  *__ecx;
				asm("out dx, eax");
				 *__edx =  *__edx + __edx;
				asm("adc eax, 0x2603ff00");
				 *__eax =  *__eax + __al;
				 *__ebx =  *__ebx + __cl;
				es = __esi;
				 *((intOrPtr*)(__esi + 0x43)) =  *((intOrPtr*)(__esi + 0x43)) + __al;
				__edi = __edi - 1;
				__esp = __esp - 1;
				__ebx = __ebx - 1;
				__ebp = __ebp + 1;
				__esp = __esp + 1;
				 *__esi =  *__esi + __al;
				 *0x6c656d00 =  *0x6c656d00 + __eax;
				asm("insb");
				 *[gs:0x4380d98] =  *[gs:0x4380d98] + __al;
				asm("sbb eax, 0x1201ef04");
				_push(ss);
				__bh = __bh + __bh;
				__esp = __esp +  *__esi;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__esi + __eax)) =  *((intOrPtr*)(__esi + __eax)) + __cl;
				 *((intOrPtr*)(__ebx + 0x41)) =  *((intOrPtr*)(__ebx + 0x41)) + __dl;
				_push(__ebp);
				__ebx = __ebx - 1;
				__ebx = __ebx - 1;
				__ebp = __ebp + 1;
				 *__esi =  *__esi + __al;
				 *__esi =  *__esi + __eax;
				_t52 = __ebx + 0x75;
				 *_t52 =  *(__ebx + 0x75) + __al;
				__eflags =  *_t52;
				if(__eflags < 0) {
					L39:
					__ebx = __ebx - 1;
					__eflags = __ebx;
					if(__eflags != 0) {
						goto L54;
					} else {
						asm("popad");
						if(__eflags >= 0) {
							goto L53;
						} else {
							if(__eflags <= 0) {
								goto L50;
							} else {
								 *__edx =  *__edx + __al;
								__al = __al + 0xb0;
								asm("adc edx, [eax]");
								__edi = 0xb01ef04;
								es = cs;
								_t62 = __ebp + 0x6f;
								 *_t62 =  *(__ebp + 0x6f) + __cl;
								__eflags =  *_t62;
								if (__eflags < 0) goto L55;
								goto L44;
							}
						}
					}
				} else {
					asm("outsd");
					if (__eflags != 0) goto L36;
					__eax = 0xf781ba8 + __eax;
					__edi = 0x1201ef04;
					__eax = __eax |  *__eax;
					 *__ebx =  *__ebx + 1;
					 *__eax =  *__eax - __al;
					 *__eax =  *__eax + __al;
					__eax = __eax | 0x6c460007;
					__eflags = __eax;
					asm("popad");
					if(__eflags != 0) {
						L44:
						if(__eflags >= 0) {
							goto L55;
						} else {
							if(__eflags >= 0) {
								goto L56;
							} else {
								__eax = __eax ^  *__eax;
								asm("adc cl, [eax]");
								__bh = __bh + __bh;
								__esp = __esp +  *0x10000000;
								__eax = __eax + 0x736e4300;
								__eflags = __eax;
								goto L47;
							}
						}
					} else {
						 *[ss:bp+si] =  *[ss:bp+si] + __al;
						__al = __al + 0xf0;
						asm("psubusb mm1, [ecx]");
						__edi = 0xb01ef04;
						_pop(es);
						_t54 = __eax + 0x6f;
						 *_t54 =  *(__eax + 0x6f) + __dl;
						__eflags =  *_t54;
						asm("insb");
						if(__eflags >= 0) {
							L47:
							if(__eflags >= 0) {
								L58:
								__bh = __bh + __bh;
								__esp = __esp +  *(__eax + __eax);
								 *__eax =  *__eax + __al;
								__eflags =  *__eax;
								asm("adc eax, [0x65645500]");
								if( *__eax >= 0) {
									 *__edx =  *__edx + __al;
									__al = __al + 0xb0;
									asm("adc edx, [eax]");
									_push(cs);
									__edi = 0xb01ef04;
									__eax = __eax + 0x54464100;
									__ebp = __ebp + 1;
									_push(__edx);
									 *__edx =  *__edx + __dl;
									__al = __al;
									 *__ebx =  *__ebx + 1;
									__al = __al & 0x00000000;
									 *__eax =  *__eax + __al;
									asm("adc al, 0x5");
									 *((intOrPtr*)(__ebp + 0x58)) =  *((intOrPtr*)(__ebp + 0x58)) + __al;
									_push(__eax);
									__ecx = __ecx - 1;
									_push(__edx);
									 *__edx =  *__edx + __al;
									__al = __al + 0xb0;
									asm("adc edx, [eax]");
									_push(cs);
									__edi = 0xb01ef04;
									__eax = __eax + 0x4c494400;
									__eflags = __eax;
									goto L60;
								}
							} else {
								if (__eflags < 0) goto L49;
								__al = __al +  *((intOrPtr*)(__eax + __esi * 4));
								__eflags = __al;
								asm("adc edx, [eax]");
								_push(cs);
								__edi = 0xb01ef04;
								L50:
								 *__ebx = __ecx +  *__ebx;
								 *((intOrPtr*)(__ebp + 0x6e + __esi * 2)) =  *((intOrPtr*)(__ebp + 0x6e + __esi * 2)) + __dl;
								asm("a16 jnz 0x37");
								 *__edx =  *__edx + __dl;
								es = es;
								__bh = __bh + __bh;
								__esp = __esp +  *__esi;
								 *__eax =  *__eax + __al;
								 *__ecx =  *__ecx + __dl;
								__eax = __eax + 0x646e4d00;
								asm("outsd");
								__eax = __eax ^ 0xb0040200;
								asm("adc edx, [eax]");
								__edi = 0xb01ef04;
								es = cs;
								 *0x0B01EF70 =  *0x0B01EF70 + __cl;
								__eflags =  *0x0B01EF70;
								if(__eflags < 0) {
									L60:
									__ecx = __ecx - 1;
									__esp = __esp - 1;
									__ecx =  &(__ecx[0]);
									_push(__esp);
									 *__edx =  *__edx + __dl;
									__eax = __eax +  *__eax;
									 *__ebx =  *__ebx + 1;
									__al = __al & 0x00000000;
									 *__eax =  *__eax + __al;
									asm("adc eax, 0x61420004");
									asm("outsb");
									 *[fs:edx] =  *[fs:edx] + __al;
									__al = __al + 0xb0;
									asm("adc edx, [eax]");
									_push(cs);
									__edi = 0xb01ef04;
									_push(es);
									 *((intOrPtr*)(__eax + 0x4f)) =  *((intOrPtr*)(__eax + 0x4f)) + __cl;
									_push(__esi);
									__ebp = __ebp + 1;
									__esp = __esp + 1;
									_push(__esp);
									 *__edx =  *__edx + __dl;
									__al = __al +  *__eax;
									__eflags = __al;
									goto L61;
								} else {
									asm("aaa");
									 *__edx =  *__edx + __dl;
									_push(es);
									__bh = __bh + __bh;
									__eflags = __bh;
									L53:
									__esp = __esp +  *0x12000000;
									__eflags = __esp;
									L54:
									__eax = __eax + 0x746e6100;
									asm("insb");
									__eax =  *__eax * 0x13b00402;
									__eflags = __eax;
									L55:
									__al = __al + 0xb0;
									asm("adc edx, [eax]");
									L56:
									asm("adc [esi], cl");
									__edi = 0xb01ef04;
									_push(es);
									_t74 = __edx + 0x72;
									 *_t74 =  *(__edx + 0x72) + __ah;
									__eflags =  *_t74;
									asm("outsd");
									if( *_t74 >= 0) {
										L61:
										 *__ebx =  *__ebx + 1;
										__eflags =  *__ebx;
									} else {
										 *[gs:edx] =  *[gs:edx] + __dl;
										__eax = __eax + 0x2403ff00;
										__eflags = __eax;
										goto L58;
									}
								}
							}
						} else {
							asm("popad");
							__eflags =  *__eax - __al;
							asm("adc cl, [edx]");
							__bh = __bh + __bh;
							__esp = __esp +  *0xb01ef04;
							 *__eax =  *__eax + __al;
							 *__esi =  *__esi + __cl;
							_pop(es);
							 *(__edx + 0x72) =  *(__edx + 0x72) + __dl;
							asm("popad");
							asm("o16 jb 0x6c");
							__eax = __eax ^ 0xb0040200;
							asm("adc edx, [eax]");
							_push(cs);
							__edi = 0xb01ef04;
							_push(es);
							 *0x0B01EF76 =  *((intOrPtr*)(0xb01ef76)) + __cl;
							asm("arpl [ebp+0x69], sp");
							asm("outsb");
							 *__edx =  *__edx + __dl;
							 *__eax =  *__eax | __eax;
							 *__ebx =  *__ebx + 1;
							 *__eax =  *__eax - __eax;
							 *__eax =  *__eax + __al;
							asm("invd");
							_t60 = __ebx + 0x75;
							 *_t60 =  *(__ebx + 0x75) + __cl;
							__eflags =  *_t60;
							goto L39;
						}
					}
				}
				__esp = __esp +  *0x16000000;
				__eax = __eax + 0x73615300;
				__esi =  *__ecx * 0xb0040200;
				asm("adc edx, [eax]");
				_push(cs);
				__edi = 0xb01ef04;
				_push(es);
				_t81 = __ebx + 0x72;
				 *_t81 =  *(__ebx + 0x72) + __cl;
				__eflags =  *_t81;
				if( *_t81 >= 0) {
					L65:
					__ecx[0x18] = __ecx[0x18] + __al;
					asm("arpl [ecx], sp");
					__eax = __eax +  *__ecx;
					_push(es);
					_t92 = __edx + 0x65;
					 *_t92 =  *(__edx + 0x65) + __dl;
					__eflags =  *_t92;
					if(__eflags < 0) {
						goto L71;
					} else {
						if(__eflags >= 0) {
							 *0x8e802d0 =  *0x8e802d0 + __al;
							 *__edi =  *__edi & __eax;
							ss = __edi;
							asm("adc dl, [edi]");
							__bh = __bh + __bh;
							__ebx = __ebx +  *__ecx;
							 *__eax =  *__eax + __al;
							 *__ecx =  *__ecx + __bl;
							_push(es);
							__ecx[0x1b] = __ecx[0x1b] + __cl;
							asm("popad");
							 *[gs:bx+si] =  *[gs:bx+si] ^ __eax;
							asm("sbb [ebx], al");
							__al = __al | 0x00000006;
							 *(__edx + __edx) =  *(__edx + __edx) & __al;
							__bl = __bl +  *__ecx;
							 *__edx =  *__edx + 1;
							__al = __al;
							es = es;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__eax + __esi + 0x70040)) =  *((intOrPtr*)(__eax + __esi + 0x70040)) + __bh;
							 *__eax =  *__eax + __al;
							__eflags =  *__eax;
							if( *__eax != 0) {
								__eax = __eax + 1;
								 *__edi =  *__edi + __al;
								__eflags =  *__edi;
								goto L69;
							}
							goto L70;
						}
					}
				} else {
					 *__edx =  *__edx + __dl;
					 *__eax =  *__eax + __eax;
					 *__ebx =  *__ebx + 1;
					__al = __al & 0x00000000;
					 *__eax =  *__eax + __al;
					_pop(ss);
					__al = __al;
					__eflags = __al;
					asm("insb");
					asm("popad");
					if(__al >= 0) {
						L69:
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __ah;
						 *__eax =  *__eax ^ __al;
						_pop(es);
						 *__eax =  *__eax + __al;
						__al = __al + __cl;
						asm("das");
						__eax = __eax + 1;
						 *__edi =  *__edi + __al;
						 *__eax =  *__eax + __al;
						 *((intOrPtr*)(__eax + 0x2f)) =  *((intOrPtr*)(__eax + 0x2f)) + __bh;
						__eax = __eax + 1;
						 *__esi =  *__esi + __al;
						 *__eax =  *__eax + __al;
						 *((intOrPtr*)(__ebp + __ebp + 0x10040)) =  *((intOrPtr*)(__ebp + __ebp + 0x10040)) + __dl;
						_push(es);
						__ecx[0x10] = __ecx[0x10] + __al;
						 *__eax =  *__eax + __al;
						asm("invalid");
						L70:
						asm("invalid");
						asm("invalid");
						L71:
						asm("invalid");
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __al;
						asm("clc");
					} else {
						 *__ebx =  *__ebx + __al;
						 *__esi =  *__esi + __eax;
						 *((intOrPtr*)(__ecx + 0x42 + __eax * 2)) =  *((intOrPtr*)(__ecx + 0x42 + __eax * 2)) + __cl;
						__edi = 0xb01ef03;
						_push(__ebp);
						_push(__edx);
						 *0xf00f78 =  *0xf00f78 + __al;
						 *0xb01ef04 =  *0xb01ef04 & __eax;
						ss = 0xb01ef04;
						asm("adc al, [eax]");
						__bh = __bh + __bh;
						__esp = __esp +  *(__eax + __eax);
						 *__eax =  *__eax + __al;
						asm("sbb [eax+eax], al");
						goto L65;
					}
				}
				__al = __al &  *__eax;
				__eflags = __al;
				if(__al >= 0) {
					__ecx =  &(__ecx[0]);
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					_t110 = __eax + 0x22;
					 *_t110 =  *(__eax + 0x22) + __bl;
					__eflags =  *_t110;
					if ( *_t110 == 0) goto L74;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					__al = __al + 0x1b;
					__eax = __eax + 1;
					 *__ecx =  *__ecx + __al;
					 *__ebx =  *__ebx + __al;
					__ecx[0x10] = __ecx[0x10] + __al;
					 *__eax =  *__eax + __al;
					asm("invalid");
					asm("invalid");
					asm("invalid");
					asm("invalid");
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					_push(0x40004022);
					_push(__eax);
					__ecx =  &(__ecx[0]);
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __bl;
					__dh = __dh &  *(__eax + __eax);
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					 *__eax =  *__eax + __al;
					_t115 = __ebx + __ebx;
					 *_t115 =  *(__ebx + __ebx) + __bh;
					__eflags =  *_t115;
				}
				__eax = __eax + 1;
				 *__ecx =  *__ecx + __al;
				 *(__eax + __eax) =  *(__eax + __eax) + __al;
				__eflags =  *__ecx & __ah;
				__eax = __eax + 1;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__bh = __bh + __bh;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *__eax =  *__eax + 1;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__eax + 0x50004022)) =  *((intOrPtr*)(__eax + 0x50004022)) + __bl;
				_push(__eax);
				__ecx =  &(__ecx[0]);
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__eax + 0x7422)) =  *((intOrPtr*)(__eax + 0x7422)) + __bl;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__ebx + __ebx + 0x40)) =  *((intOrPtr*)(__ebx + __ebx + 0x40)) + __dh;
				 *__ecx =  *__ecx + __al;
				 *0x40218400 =  *0x40218400 + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__bh = __bh + __bh;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *__eax =  *__eax + 1;
				 *__eax =  *__eax + __al;
				__al = __al + __cl;
				__al = __al &  *__eax;
				asm("pushad");
				__ecx =  &(__ecx[0]);
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__al = __al + __bh;
				 *(__eax + __eax) =  *(__eax + __eax) & __esi;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__ebx + __ebx + 0x10040)) =  *((intOrPtr*)(__ebx + __ebx + 0x10040)) + __ch;
				es = __eax;
				__ecx[0x10] = __ecx[0x10] + __al;
				 *__eax =  *__eax + __al;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__ebx =  *__ebx - __ah;
				__eax = __eax + 1;
				 *((intOrPtr*)(__eax + 0x4150)) =  *((intOrPtr*)(__eax + 0x4150)) + __al;
				 *__eax =  *__eax + __al;
				__al = __al + __bh;
				__dh = __dh &  *(__eax + __eax);
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__ah = __ah + __ah;
				asm("sbb eax, [eax]");
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax | __al;
				__eflags =  *__ecx & __ah;
				__eax = __eax + 1;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__bh = __bh + __bh;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *__eax =  *__eax + 1;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__eax + 0x23)) =  *((intOrPtr*)(__eax + 0x23)) + __bl;
				__eax = __eax + 1;
				 *((intOrPtr*)(__eax + 0x4150)) =  *((intOrPtr*)(__eax + 0x4150)) + __dl;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__eax + 0x7421)) =  *((intOrPtr*)(__eax + 0x7421)) + __bl;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__esp + __ebx)) =  *((intOrPtr*)(__esp + __ebx)) + __bl;
				__eax = __eax + 1;
				 *__ecx =  *__ecx + __al;
				 *__edx =  *__edx + __al;
				__ecx[0x10] = __ecx[0x10] + __al;
				 *__eax =  *__eax + __al;
				asm("invalid");
				asm("invalid");
				asm("invalid");
				asm("invalid");
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__eflags =  *__edx - __ah;
				__eax = __eax + 1;
				 *__eax =  *__eax + __dh;
				_push(__eax);
				__ecx =  &(__ecx[0]);
				 *0x54000000 =  *0x54000000 + __al;
				asm("sbb al, 0x40");
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *((intOrPtr*)(__esp + __ebx + 0x40)) =  *((intOrPtr*)(__esp + __ebx + 0x40)) + __dl;
				 *(__eax + __eax) =  *(__eax + __eax) + __al;
				 *(__eax + __eax) =  *(__eax + __eax) + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __al;
				__edx = __edx + 1;
				__eax = __eax ^ 0x2a263621;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__esi =  *__esi + __bh;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__al = __al |  *__eax;
				__al = __al + 4;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__eax = __eax - 1;
				ds = __esi;
				__eax = __eax + 1;
				 *((intOrPtr*)(__eax + 0x30 + __esi * 8)) =  *((intOrPtr*)(__eax + 0x30 + __esi * 8)) + __cl;
				 *__eax =  *__eax + __eax;
				asm("invalid");
				 *__eax =  *__eax - 1;
				 *__eax =  *__eax + __al;
				 *__ecx =  *__ecx + __al;
				 *__eax =  *__eax + __al;
				 *__edx =  *__edx + __al;
				__eflags =  *__edx;
				__al = __al +  *__eax;
				 *__eax =  *__eax + __al;
				goto 0xf8401cb5;
				asm("sbb al, 0x40");
				 *((intOrPtr*)(__edx + __ebx + 0x160c0040)) =  *((intOrPtr*)(__edx + __ebx + 0x160c0040)) + __bl;
				__eax = __eax + 1;
				 *__eax =  *__eax + __bh;
				 *__eax =  *__eax + __al;
				__eflags =  *__eax;
				if ( *__eax > 0) goto L77;
				 *__eax =  *__eax + __al;
				_t170 = __al;
				__al =  *__eax;
				 *__eax = _t170;
				 *__eax =  *__eax + __al;
				_t171 = __eax;
				__eax =  *__eax;
				 *__eax = _t171;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				 *__eax =  *__eax + __al;
				__edx = __edx + 1;
				__eflags = __edx;
				if(__edx < 0) {
					asm("fbld tword [ecx+0x4d]");
					asm("popad");
					__ebp = __ebp - 1;
					_t173 = __dl;
					__dl =  *__edi;
					 *__edi = _t173;
					asm("loop 0x77");
					goto L84;
				} else {
					__ebp =  *[gs:edi] * 0x6c;
					__eflags = __ebp;
					if(__ebp != 0) {
						L84:
						asm("sbb ebx, [ebp+0xa689]");
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __al;
						__eflags =  *__eax;
						goto L85;
					} else {
						asm("arpl [eax+0x65], bp");
						 *__eax =  *__eax + __al;
						_push(0x6f73776f);
						asm("popad");
						 *__eax =  *__eax + __al;
						 *__eax =  *__eax + __dl;
						 *__eax =  *__eax + __al;
						__eflags =  *__eax;
						if( *__eax < 0) {
							L85:
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__ecx =  *__ecx + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__edx + __edi * 2)) =  *((intOrPtr*)(__edx + __edi * 2)) + __bl;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							asm("in al, dx");
							__ecx =  &(__ecx[0]);
							__eax = __eax + 1;
							 *((intOrPtr*)(__eax + __eax + 0x10000)) =  *((intOrPtr*)(__eax + __eax + 0x10000)) + __bl;
							 *__eax =  *__eax + __eax;
							__eflags =  *__ecx & __ah;
							__eax = __eax + 1;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__eax - 0x41)) =  *((intOrPtr*)(__eax - 0x41)) + __bh;
							__eax = __eax + 1;
							__bh = __bh + __bh;
							asm("invalid");
							 *__eax =  *__eax + 1;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __cl;
							__al = __al &  *__eax;
							asm("sbb al, 0x50");
							__ecx =  &(__ecx[0]);
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__eax + 0x7421)) =  *((intOrPtr*)(__eax + 0x7421)) + __ch;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __dl;
							_push(ds);
							__eax = __eax + 1;
							 *__ecx =  *__ecx + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__edi + __ebp)) =  *((intOrPtr*)(__edi + __ebp)) + __ch;
							__eax = __eax + 1;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __dl;
							_push(ds);
							__eax = __eax + 1;
							 *__ecx =  *__ecx + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __bl;
							_push(ds);
							__eax = __eax + 1;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__esi + __ebx)) =  *((intOrPtr*)(__esi + __ebx)) + __dl;
							__eax = __eax + 1;
							 *__edx =  *__edx + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __bl;
							__eax = __eax + 1;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__edi + 0x6c006801)) =  *((intOrPtr*)(__edi + 0x6c006801)) + __dh;
							 *((intOrPtr*)(__eax + 0x1e)) =  *((intOrPtr*)(__eax + 0x1e)) + __ch;
							__eax = __eax + 1;
							 *((intOrPtr*)(__esi + 0x41 + __edx * 2)) =  *((intOrPtr*)(__esi + 0x41 + __edx * 2)) + __cl;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__eax + 0x3c00765d)) =  *((intOrPtr*)(__eax + 0x3c00765d)) + __al;
							asm("das");
							__eax = __eax + 1;
							 *((intOrPtr*)(__edi + __ebp + 0x40)) =  *((intOrPtr*)(__edi + __ebp + 0x40)) + __cl;
							 *__eax =  *__eax + __al;
							__eax = __eax | 0x00003400;
							__al = __al + __ah;
							__eax = __eax & 0x00010040;
							__eax = __eax +  *__eax;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							__eflags =  *__eax;
							__ecx = 0xf000401e;
							if ( *__eax < 0) goto L86;
							asm("lock and eax, 0x10040");
							__eax = __eax +  *__eax;
							__eax = __eax + 1;
							 *__edi =  *__edi + __bl;
							 *__eax =  *__eax + __bh;
							 *__eax =  *__eax + __al;
							__al = __al + __bh;
							__eax = __eax & 0xffff0040;
							asm("invalid");
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							__ah = 0x1e;
							__eax = __eax + 1;
							 *__eax =  *__eax + __al;
							__eflags =  *__eax;
							__edx = ds;
							if ( *__eax < 0) goto L87;
							 *__esi =  *__esi | 0x0000001e;
							__eax = __eax + 1;
							__bh = __bh + __bh;
							asm("invalid");
							 *__eax =  *__eax + 1;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __bl;
							_push(ds);
							__eax = __eax + 1;
							 *((intOrPtr*)(__eax - 0x17ffbfe3)) =  *((intOrPtr*)(__eax - 0x17ffbfe3)) + __bl;
							asm("adc eax, 0x15ee0040");
							__eax = __eax + 1;
							__ah = 0x1e + __dh;
							asm("adc eax, 0x40");
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							__eax = __eax + 1;
							_push(ds);
							__eax = __eax + 1;
							 *((intOrPtr*)(__eax - 0x17ffbfe3)) =  *((intOrPtr*)(__eax - 0x17ffbfe3)) + __bl;
							asm("adc eax, 0x15ee0040");
							__eax = __eax + 1;
							__ah = 0x1e + __dh + __dh;
							asm("adc eax, 0x40");
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							asm("hlt");
							 *__eax =  *__eax + __eax;
							__ecx[0x10] = __ecx[0x10] + __al;
							 *__eax =  *__eax + __al;
							asm("pushad");
							asm("les eax, [eax]");
							 *(__ecx + __eax * 2) =  *(__ecx + __eax * 2) >> 1;
							 *((intOrPtr*)(__eax + 0x8000014)) =  *((intOrPtr*)(__eax + 0x8000014)) + __ch;
							__ecx =  &(__ecx[0]);
							__dh = __dh + __al;
							asm("adc eax, [eax]");
							 *((intOrPtr*)(__eax + 0x41)) =  *((intOrPtr*)(__eax + 0x41)) + __dl;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *((intOrPtr*)(__edx + __ebx + 0x60040)) =  *((intOrPtr*)(__edx + __ebx + 0x60040)) + __bl;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							 *__eax =  *__eax + __al;
							__al = 0x50;
							__ecx =  &(__ecx[0]);
							 *((intOrPtr*)(__eax + 0x40 + __eax * 8)) =  *((intOrPtr*)(__eax + 0x40 + __eax * 8)) + __dl;
							__bh = __bh + __bh;
							asm("invalid");
							 *__eax =  *__eax + 1;
							 *__eax =  *__eax + 0x50;
							_t232 = __eax - 0x50ffbeb0;
							 *_t232 =  *(__eax - 0x50ffbeb0) + __ah;
							__eflags =  *_t232;
							__al =  *0xaf004150;
							_t234 = __edi - 0x34;
							_t235 = __dl;
							__dl =  *_t234;
							 *_t234 = _t235;
							__ecx = __eax;
							_push(ds);
							asm("adc ecx, [edi-0x65]");
							return __eax;
						} else {
							__ebx = __ebx - __ebp;
							asm("rol byte [esi-0x3c61b735], 0x33");
							_t172 = __cl;
							__cl = __bl;
							__bl = _t172;
							__eax = __eax - 1;
							__eflags = __eax;
							asm("sahf");
							return __eax;
						}
					}
				}
			}

0x00401600
0x00401600
0x00401600
0x00401600
0x00401600
0x00401605
0x0040160a
0x0040160c
0x0040160e
0x00401610
0x00401612
0x00401612
0x00401616
0x00401618
0x0040161a
0x0040161c
0x0040161e
0x00401620
0x00401621
0x00401626
0x00401627
0x0040162b
0x0040162d
0x0040162f
0x00401631
0x00401633
0x00401635
0x00401637
0x00401639
0x0040163b
0x0040163c
0x00401640
0x00401641
0x00401642
0x00401644
0x00401646
0x00401648
0x0040164a
0x0040164c
0x0040164c
0x004016b3
0x004016b3
0x004016b8
0x00401724
0x00401724
0x00401726
0x00401728
0x0040172d
0x0040172f
0x00401731
0x00401734
0x00401734
0x00000000
0x00401734
0x00000000
0x004016bb
0x004016bb
0x004016c0
0x004016c3
0x004016c3
0x004016c9
0x00401735
0x00401735
0x00401735
0x00401737
0x00401737
0x00401737
0x00401737
0x0040173a
0x0040173b
0x0040173c
0x00000000
0x0040173e
0x0040173e
0x00401740
0x00401742
0x00401742
0x00401742
0x00401745
0x00000000
0x00401748
0x00401748
0x00401749
0x0040174f
0x00401754
0x00401756
0x00401758
0x00401758
0x00000000
0x00401758
0x00401745
0x004016cc
0x004016cc
0x004016d1
0x004016d6
0x004016d6
0x004016d8
0x004016da
0x004016dc
0x004016de
0x004016e0
0x004016e1
0x004016e4
0x004016e6
0x004016e8
0x004016ea
0x004016f0
0x004016f0
0x004016f1
0x004016f2
0x004016f4
0x004016fa
0x004016fb
0x004016fc
0x00401702
0x00401707
0x00401709
0x0040170b
0x00401710
0x00401715
0x00401716
0x00401717
0x00401719
0x0040171b
0x0040171b
0x0040171b
0x0040171e
0x00401785
0x00401785
0x00000000
0x00401787
0x00401787
0x00000000
0x00401789
0x00401789
0x0040178b
0x0040178c
0x0040178c
0x00401792
0x00401793
0x00401795
0x0040179a
0x0040179f
0x004017a1
0x004017a3
0x004017a6
0x004017a8
0x004017a9
0x004017ac
0x004017b3
0x004017b4
0x004017b7
0x004017b8
0x004017b9
0x004017ba
0x004017bb
0x004017bb
0x004017bd
0x004017bd
0x004017bf
0x004017c1
0x004017c6
0x004017c9
0x004017cc
0x004017ce
0x004017cf
0x004017cf
0x004017cf
0x00000000
0x004017bf
0x00401787
0x00401720
0x00401720
0x0040175a
0x0040175a
0x0040175c
0x0040175e
0x0040175e
0x0040175e
0x00401761
0x004017d0
0x004017d0
0x004017d3
0x004017d4
0x004017d5
0x004017d6
0x004017d8
0x004017d8
0x004017de
0x004017e0
0x004017e6
0x004017eb
0x004017ec
0x004017ee
0x004017ee
0x004017f0
0x004017f0
0x004017f2
0x004017f4
0x004017f5
0x004017f5
0x004017f5
0x004017f8
0x004017fb
0x004017fc
0x004017fc
0x004017fc
0x004017fc
0x00401764
0x00401764
0x00401766
0x00401768
0x0040176b
0x0040176c
0x0040176d
0x0040176e
0x0040176f
0x0040176f
0x00401775
0x00401777
0x00401777
0x00401778
0x0040177a
0x0040177c
0x0040177e
0x00401780
0x00401782
0x00401782
0x00000000
0x00401782
0x00401722
0x00401722
0x00401722
0x00000000
0x00401722
0x00401720
0x0040171e
0x004016c9
0x00401850
0x00401851
0x00401852
0x00401854
0x00401855
0x00401856
0x0040185c
0x0040185e
0x0040185f
0x00401861
0x00401866
0x00401868
0x0040186a
0x0040186b
0x0040186e
0x0040186f
0x00401870
0x00401871
0x00401872
0x00401873
0x00401875
0x0040187b
0x0040187c
0x00401883
0x00401888
0x00401889
0x0040188b
0x0040188d
0x0040188f
0x00401892
0x00401895
0x00401896
0x00401897
0x00401898
0x00401899
0x0040189b
0x0040189d
0x0040189d
0x0040189d
0x004018a0
0x0040190b
0x0040190b
0x0040190b
0x0040190c
0x00000000
0x0040190e
0x0040190e
0x0040190f
0x00000000
0x00401911
0x00401911
0x00000000
0x00401913
0x00401913
0x00401915
0x00401917
0x0040191a
0x0040191f
0x00401920
0x00401920
0x00401920
0x00401923
0x00000000
0x00401923
0x00401911
0x0040190f
0x004018a2
0x004018a2
0x004018a3
0x004018a5
0x004018aa
0x004018af
0x004018b1
0x004018b3
0x004018b5
0x004018b7
0x004018b7
0x004018bc
0x004018bd
0x00401924
0x00401924
0x00000000
0x00401925
0x00401925
0x00000000
0x00401927
0x00401927
0x00401929
0x0040192b
0x0040192d
0x00401933
0x00401933
0x00000000
0x00401933
0x00401925
0x004018bf
0x004018bf
0x004018c3
0x004018c5
0x004018c8
0x004018cd
0x004018ce
0x004018ce
0x004018ce
0x004018d1
0x004018d2
0x00401937
0x00401937
0x0040199e
0x0040199e
0x004019a0
0x004019a3
0x004019a3
0x004019a5
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b4
0x004019b9
0x004019be
0x004019bf
0x004019c0
0x004019c2
0x004019c4
0x004019c6
0x004019c8
0x004019ca
0x004019cc
0x004019cf
0x004019d0
0x004019d1
0x004019d2
0x004019d4
0x004019d6
0x004019d8
0x004019d9
0x004019de
0x004019de
0x00000000
0x004019de
0x00401939
0x00401939
0x0040193b
0x0040193b
0x0040193e
0x00401940
0x00401941
0x00401944
0x00401944
0x00401947
0x0040194b
0x0040194e
0x00401950
0x00401951
0x00401953
0x00401955
0x00401957
0x00401959
0x0040195e
0x0040195f
0x00401964
0x00401967
0x0040196c
0x0040196d
0x0040196d
0x00401970
0x004019e1
0x004019e1
0x004019e2
0x004019e3
0x004019e4
0x004019e5
0x004019e7
0x004019e9
0x004019eb
0x004019ed
0x004019ef
0x004019f4
0x004019f5
0x004019f8
0x004019fa
0x004019fc
0x004019fd
0x00401a02
0x00401a03
0x00401a06
0x00401a07
0x00401a08
0x00401a09
0x00401a0a
0x00401a0c
0x00401a0c
0x00000000
0x00401974
0x00401974
0x00401975
0x00401977
0x00401978
0x00401978
0x0040197a
0x0040197a
0x0040197a
0x00401980
0x00401980
0x00401985
0x00401986
0x00401986
0x00401989
0x00401989
0x0040198b
0x0040198c
0x0040198c
0x0040198e
0x00401993
0x00401994
0x00401994
0x00401994
0x00401997
0x00401998
0x00401a0e
0x00401a0e
0x00401a0e
0x0040199a
0x0040199a
0x0040199d
0x0040199d
0x00000000
0x0040199d
0x00401998
0x00401970
0x004018d4
0x004018d4
0x004018d5
0x004018d7
0x004018d9
0x004018db
0x004018dd
0x004018df
0x004018e1
0x004018e2
0x004018e5
0x004018e6
0x004018e9
0x004018ee
0x004018f0
0x004018f1
0x004018f6
0x004018f7
0x004018fa
0x004018fd
0x004018fe
0x00401900
0x00401902
0x00401904
0x00401906
0x00401908
0x0040190a
0x0040190a
0x0040190a
0x00000000
0x0040190a
0x004018d2
0x004018bd
0x00401a0f
0x00401a15
0x00401a1a
0x00401a20
0x00401a22
0x00401a23
0x00401a28
0x00401a29
0x00401a29
0x00401a29
0x00401a2c
0x00401a61
0x00401a61
0x00401a64
0x00401a67
0x00401a69
0x00401a6a
0x00401a6a
0x00401a6a
0x00401a6d
0x00000000
0x00401a6f
0x00401a6f
0x00401a71
0x00401a78
0x00401a7a
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a86
0x00401a89
0x00401a8a
0x00401a8e
0x00401a90
0x00401a92
0x00401a95
0x00401a98
0x00401a9a
0x00401a9c
0x00401a9d
0x00401a9f
0x00401aa6
0x00401aa6
0x00401aa8
0x00401aaa
0x00401aab
0x00401aab
0x00000000
0x00401aab
0x00000000
0x00401aa8
0x00401a6f
0x00401a30
0x00401a30
0x00401a32
0x00401a34
0x00401a36
0x00401a38
0x00401a3a
0x00401a3b
0x00401a3b
0x00401a3d
0x00401a3e
0x00401a3f
0x00401aad
0x00401aad
0x00401aaf
0x00401ab1
0x00401ab4
0x00401ab5
0x00401ab7
0x00401ab9
0x00401aba
0x00401abb
0x00401abd
0x00401abf
0x00401ac2
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ace
0x00401acf
0x00401ad6
0x00401ad8
0x00401ada
0x00401ada
0x00401adc
0x00401ade
0x00401ade
0x00401ae0
0x00401ae2
0x00401ae4
0x00401a41
0x00401a41
0x00401a43
0x00401a45
0x00401a49
0x00401a4a
0x00401a4b
0x00401a4c
0x00401a53
0x00401a55
0x00401a56
0x00401a58
0x00401a5a
0x00401a5d
0x00401a5f
0x00000000
0x00401a5f
0x00401a3f
0x00401ae5
0x00401ae5
0x00401ae8
0x00401aea
0x00401aeb
0x00401aed
0x00401aef
0x00401aef
0x00401aef
0x00401af2
0x00401af4
0x00401af6
0x00401af8
0x00401afa
0x00401afc
0x00401afe
0x00401b00
0x00401b02
0x00401b03
0x00401b05
0x00401b07
0x00401b0e
0x00401b10
0x00401b12
0x00401b14
0x00401b16
0x00401b18
0x00401b1a
0x00401b1c
0x00401b21
0x00401b22
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b37
0x00401b37
0x00401b37
0x00401b3a
0x00401b3b
0x00401b3d
0x00401b40
0x00401b42
0x00401b43
0x00401b45
0x00401b47
0x00401b49
0x00401b4b
0x00401b4d
0x00401b4f
0x00401b51
0x00401b53
0x00401b59
0x00401b5a
0x00401b5b
0x00401b5d
0x00401b5f
0x00401b65
0x00401b67
0x00401b69
0x00401b6b
0x00401b6d
0x00401b6f
0x00401b73
0x00401b75
0x00401b7b
0x00401b7d
0x00401b7f
0x00401b81
0x00401b83
0x00401b85
0x00401b87
0x00401b89
0x00401b8b
0x00401b8d
0x00401b90
0x00401b92
0x00401b93
0x00401b95
0x00401b97
0x00401b99
0x00401b9d
0x00401b9f
0x00401ba1
0x00401ba3
0x00401ba5
0x00401ba7
0x00401bae
0x00401baf
0x00401bb6
0x00401bb8
0x00401bba
0x00401bbc
0x00401bbe
0x00401bc0
0x00401bc2
0x00401bc4
0x00401bc6
0x00401bc7
0x00401bcd
0x00401bcf
0x00401bd1
0x00401bd5
0x00401bd7
0x00401bd9
0x00401bdb
0x00401bdd
0x00401bdf
0x00401be1
0x00401be4
0x00401be6
0x00401be8
0x00401bea
0x00401beb
0x00401bed
0x00401bef
0x00401bf1
0x00401bf3
0x00401bf5
0x00401bf7
0x00401bf9
0x00401bfb
0x00401bfe
0x00401bff
0x00401c05
0x00401c07
0x00401c0d
0x00401c0f
0x00401c11
0x00401c13
0x00401c15
0x00401c17
0x00401c1a
0x00401c1b
0x00401c1d
0x00401c1f
0x00401c26
0x00401c28
0x00401c2a
0x00401c2c
0x00401c2e
0x00401c30
0x00401c32
0x00401c34
0x00401c36
0x00401c37
0x00401c39
0x00401c3a
0x00401c3b
0x00401c41
0x00401c43
0x00401c45
0x00401c47
0x00401c49
0x00401c4b
0x00401c4d
0x00401c4f
0x00401c53
0x00401c57
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c69
0x00401c6a
0x00401c6f
0x00401c71
0x00401c73
0x00401c75
0x00401c77
0x00401c79
0x00401c7b
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c8e
0x00401c90
0x00401c92
0x00401c94
0x00401c96
0x00401c98
0x00401c99
0x00401c9a
0x00401c9b
0x00401c9f
0x00401ca1
0x00401ca3
0x00401ca5
0x00401ca7
0x00401ca9
0x00401cab
0x00401cab
0x00401cac
0x00401cae
0x00401cb0
0x00401cb5
0x00401cb7
0x00401cbe
0x00401cbf
0x00401cc2
0x00401cc2
0x00401cc4
0x00401cc6
0x00401cc8
0x00401cc8
0x00401cc8
0x00401cca
0x00401ccc
0x00401ccc
0x00401ccc
0x00401cce
0x00401cd0
0x00401cd2
0x00401cd4
0x00401cd6
0x00401cd8
0x00401cda
0x00401cdc
0x00401cde
0x00401ce0
0x00401ce0
0x00401ce1
0x00401d51
0x00401d52
0x00401d53
0x00401d54
0x00401d54
0x00401d54
0x00401d56
0x00000000
0x00401ce3
0x00401ce3
0x00401ce3
0x00401ce8
0x00401d58
0x00401d58
0x00401d5e
0x00401d60
0x00401d60
0x00000000
0x00401cea
0x00401cea
0x00401ced
0x00401cef
0x00401cf4
0x00401cf5
0x00401cf7
0x00401cfa
0x00401cfa
0x00401cfc
0x00401d61
0x00401d61
0x00401d63
0x00401d65
0x00401d67
0x00401d69
0x00401d6b
0x00401d6d
0x00401d6f
0x00401d75
0x00401d77
0x00401d79
0x00401d7b
0x00401d7d
0x00401d7f
0x00401d81
0x00401d83
0x00401d85
0x00401d87
0x00401d8a
0x00401d8c
0x00401d8e
0x00401d90
0x00401d91
0x00401d92
0x00401d93
0x00401d9a
0x00401d9c
0x00401d9e
0x00401d9f
0x00401da1
0x00401da3
0x00401da6
0x00401da7
0x00401da9
0x00401dab
0x00401dad
0x00401daf
0x00401db1
0x00401db4
0x00401db6
0x00401db7
0x00401db9
0x00401dbb
0x00401dc1
0x00401dc3
0x00401dc5
0x00401dc7
0x00401dc9
0x00401dcb
0x00401dcd
0x00401dce
0x00401dcf
0x00401dd1
0x00401dd3
0x00401dd6
0x00401dd7
0x00401dd9
0x00401ddb
0x00401ddd
0x00401dde
0x00401ddf
0x00401de1
0x00401de3
0x00401de5
0x00401de6
0x00401de7
0x00401de9
0x00401deb
0x00401dee
0x00401def
0x00401df1
0x00401df3
0x00401df6
0x00401df7
0x00401df9
0x00401dff
0x00401e02
0x00401e03
0x00401e07
0x00401e09
0x00401e0b
0x00401e11
0x00401e12
0x00401e13
0x00401e17
0x00401e1a
0x00401e1f
0x00401e21
0x00401e26
0x00401e28
0x00401e2a
0x00401e2c
0x00401e2e
0x00401e2e
0x00401e35
0x00401e36
0x00401e38
0x00401e3e
0x00401e40
0x00401e41
0x00401e43
0x00401e45
0x00401e47
0x00401e49
0x00401e4e
0x00401e50
0x00401e52
0x00401e54
0x00401e56
0x00401e58
0x00401e5a
0x00401e5b
0x00401e5b
0x00401e5d
0x00401e5e
0x00401e60
0x00401e62
0x00401e63
0x00401e65
0x00401e67
0x00401e69
0x00401e6b
0x00401e6d
0x00401e6e
0x00401e6f
0x00401e75
0x00401e7a
0x00401e7b
0x00401e7d
0x00401e82
0x00401e84
0x00401e86
0x00401e88
0x00401e8a
0x00401e8c
0x00401e8e
0x00401e90
0x00401e92
0x00401e94
0x00401e96
0x00401e98
0x00401e9a
0x00401e9c
0x00401e9e
0x00401ea0
0x00401ea2
0x00401ea4
0x00401ea6
0x00401ea8
0x00401eaa
0x00401eac
0x00401eae
0x00401eb0
0x00401eb2
0x00401eb4
0x00401eb6
0x00401eb8
0x00401eb9
0x00401eba
0x00401ebb
0x00401ec1
0x00401ec6
0x00401ec7
0x00401ec9
0x00401ece
0x00401ed0
0x00401ed2
0x00401ed4
0x00401ed6
0x00401ed8
0x00401eda
0x00401edc
0x00401ede
0x00401ee0
0x00401ee2
0x00401ee4
0x00401ee6
0x00401ee8
0x00401eea
0x00401eec
0x00401eee
0x00401ef0
0x00401ef2
0x00401ef4
0x00401ef6
0x00401ef8
0x00401efa
0x00401efc
0x00401efe
0x00401f00
0x00401f02
0x00401f04
0x00401f06
0x00401f08
0x00401f0a
0x00401f0c
0x00401f0e
0x00401f10
0x00401f12
0x00401f14
0x00401f16
0x00401f18
0x00401f1a
0x00401f1c
0x00401f1e
0x00401f20
0x00401f22
0x00401f24
0x00401f26
0x00401f28
0x00401f2a
0x00401f2c
0x00401f2e
0x00401f30
0x00401f32
0x00401f34
0x00401f36
0x00401f38
0x00401f3a
0x00401f3c
0x00401f3e
0x00401f40
0x00401f42
0x00401f44
0x00401f46
0x00401f48
0x00401f49
0x00401f4b
0x00401f52
0x00401f54
0x00401f55
0x00401f58
0x00401f5b
0x00401f62
0x00401f63
0x00401f65
0x00401f68
0x00401f6b
0x00401f6d
0x00401f6f
0x00401f71
0x00401f73
0x00401f75
0x00401f77
0x00401f79
0x00401f7b
0x00401f7d
0x00401f7f
0x00401f81
0x00401f83
0x00401f85
0x00401f87
0x00401f89
0x00401f8b
0x00401f8d
0x00401f8f
0x00401f91
0x00401f93
0x00401f95
0x00401f97
0x00401f99
0x00401f9b
0x00401f9d
0x00401f9f
0x00401fa1
0x00401fa3
0x00401fa5
0x00401fa7
0x00401fa9
0x00401fab
0x00401fad
0x00401faf
0x00401fb1
0x00401fb3
0x00401fb5
0x00401fb7
0x00401fb9
0x00401fbb
0x00401fbd
0x00401fbf
0x00401fc1
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc9
0x00401fcb
0x00401fcd
0x00401fcf
0x00401fd1
0x00401fd3
0x00401fd5
0x00401fd7
0x00401fd9
0x00401fdb
0x00401fdd
0x00401fdf
0x00401fe1
0x00401fe3
0x00401fe5
0x00401fe7
0x00401fe9
0x00401feb
0x00401fed
0x00401fef
0x00401ff1
0x00401ff3
0x00401ff5
0x00401ff7
0x00401ff9
0x00401ffb
0x00401ffd
0x00401fff
0x00402001
0x00402003
0x00402005
0x00402007
0x00402009
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x0040201d
0x0040201f
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202d
0x0040202f
0x00402031
0x00402033
0x00402035
0x00402037
0x00402039
0x0040203b
0x0040203d
0x0040203f
0x00402041
0x00402043
0x00402045
0x00402047
0x00402049
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x0040206d
0x0040206f
0x00402071
0x00402073
0x00402075
0x00402077
0x00402079
0x0040207b
0x0040207d
0x0040207f
0x00402081
0x00402083
0x00402085
0x00402087
0x00402089
0x0040208b
0x0040208d
0x0040208f
0x00402091
0x00402093
0x00402095
0x00402097
0x00402099
0x0040209b
0x0040209d
0x0040209f
0x004020a1
0x004020a3
0x004020a5
0x004020a7
0x004020a9
0x004020ab
0x004020ad
0x004020af
0x004020b1
0x004020b3
0x004020b5
0x004020b7
0x004020b9
0x004020bb
0x004020bd
0x004020bf
0x004020c1
0x004020c3
0x004020c5
0x004020c7
0x004020c9
0x004020cb
0x004020cd
0x004020cf
0x004020d1
0x004020d3
0x004020d5
0x004020d7
0x004020d9
0x004020db
0x004020dd
0x004020df
0x004020e1
0x004020e3
0x004020e5
0x004020e7
0x004020e9
0x004020eb
0x004020ed
0x004020ef
0x004020f1
0x004020f3
0x004020f5
0x004020f7
0x004020f9
0x004020fb
0x004020fd
0x004020ff
0x00402101
0x00402103
0x00402105
0x00402107
0x00402109
0x0040210b
0x0040210d
0x0040210f
0x00402111
0x00402113
0x00402115
0x00402117
0x00402119
0x0040211b
0x0040211d
0x0040211f
0x00402121
0x00402123
0x00402125
0x00402127
0x00402129
0x0040212b
0x0040212d
0x0040212f
0x00402131
0x00402133
0x00402135
0x00402137
0x00402139
0x0040213b
0x0040213d
0x0040213f
0x00402141
0x00402143
0x00402145
0x00402147
0x00402149
0x0040214b
0x0040214d
0x0040214f
0x00402151
0x00402153
0x00402155
0x00402157
0x00402159
0x0040215b
0x0040215d
0x0040215f
0x00402161
0x00402163
0x00402165
0x00402167
0x00402169
0x0040216b
0x0040216d
0x0040216f
0x00402171
0x00402173
0x00402175
0x00402177
0x00402179
0x0040217b
0x00402182
0x00402184
0x00402186
0x00402188
0x0040218a
0x0040218b
0x0040218f
0x00402191
0x00402193
0x00402195
0x00402197
0x00402197
0x00402197
0x00402198
0x0040219d
0x0040219d
0x0040219d
0x0040219d
0x004021a0
0x004021a1
0x004021a2
0x004021a5
0x00401cfe
0x00401cfe
0x00401d00
0x00401d01
0x00401d01
0x00401d01
0x00401d03
0x00401d03
0x00401d04
0x00401d05
0x00401d05
0x00401cfc
0x00401ce8

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401605

Strings

VB5!6&*, xrefs: 00401600

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 003e25cec755240f1fe0ec437c42844b70d5b6756217443613dbe9f28d131605
Instruction ID: 4c2639129ef737d9e6a4d085f4d589f600157e6bb8d093c7a01a125447d84889
Opcode Fuzzy Hash: 003e25cec755240f1fe0ec437c42844b70d5b6756217443613dbe9f28d131605
Instruction Fuzzy Hash: E4028AA244E3C15FC7138B709DA56A13FB1AE1331471E06DBD8C18F1A3E12D9A5AC76B

Uniqueness

Uniqueness Score: -1.00%

Function 0040426E, Relevance: 1.5, APIs: 1, Instructions: 236memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(0000B000,0000B000,00001000,00000040), ref: 004043DB

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: a87b74b31717ff372ac0855b40448ac47548f14c612f561ceab241cc25ae87a5
Instruction ID: a5751ea7367795ee635495ac865bae9325a4f68ed4964dc89a890b8476818a5e
Opcode Fuzzy Hash: a87b74b31717ff372ac0855b40448ac47548f14c612f561ceab241cc25ae87a5
Instruction Fuzzy Hash: 3051597255B382AFC7138E24DCD09C8BB70AF07B20B6937A7C481D7692CB285A95C765

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00425A33, Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dedd2b7a2721e6f6ef324893d0c1bf679191f2df0dc004594c2e013aac7b1e62
Instruction ID: 2867811fcd2c8b6deffa75b37ba375e0065fc989068977d8fe54455d8573baa1
Opcode Fuzzy Hash: dedd2b7a2721e6f6ef324893d0c1bf679191f2df0dc004594c2e013aac7b1e62
Instruction Fuzzy Hash: F8A1D730B18B62CEDB24DA24B59877666919F22360FE5C297C9938B2D5D33C8443E71F

Uniqueness

Uniqueness Score: -1.00%

Function 00425A39, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c344e92e3766884ca0dacfab9682bd44893694555eb8c43c6126ca48c7ca251
Instruction ID: 6e6eee613c2cea6501541f34388b7b5c15690ecfd4b94e91b4677f593ddc5926
Opcode Fuzzy Hash: 3c344e92e3766884ca0dacfab9682bd44893694555eb8c43c6126ca48c7ca251
Instruction Fuzzy Hash: 8951AC70758B62CFDB249B24B4947657B919F22360FE5C297C8928B296E23C8443D71B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A51, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce508da132dd512738dd3623acf146e1bd219bbfdf40561d1d47f80b5e92f549
Instruction ID: 1fd77ade850086361308938552a8f323b1cd6aacef691d1e3cfe9f2c3d450482
Opcode Fuzzy Hash: ce508da132dd512738dd3623acf146e1bd219bbfdf40561d1d47f80b5e92f549
Instruction Fuzzy Hash: 6251BC70758B62CFDB24DB24B4947657B919B22360FE5C29BC8938B296E33C8443D71B

Uniqueness

Uniqueness Score: -1.00%

Function 00425A6A, Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b70cabcdb16893d6705abaf04360cb45622aea67c3b7fe71de24934a794ce2d2
Instruction ID: 79b3b8333a5c0bbd9c4e557cdfe290dc14fd45d2ccd3f8cac932e6274c612d14
Opcode Fuzzy Hash: b70cabcdb16893d6705abaf04360cb45622aea67c3b7fe71de24934a794ce2d2
Instruction Fuzzy Hash: 9E519C70758B61CFDB24DB24B4947657B919B22360FE9C297C8928B296E23C8443D71B

Uniqueness

Uniqueness Score: -1.00%

Function 00425AA5, Relevance: .2, Instructions: 159COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a483ce78d0bd0e44b04602d1e21354244412f55f99f05aef60bfa7bb8ec81627
Instruction ID: 6b2e9ef41563658dfd70fb69c7b2bd2f47bb0c35a6f9853780ae9414d3a4ab69
Opcode Fuzzy Hash: a483ce78d0bd0e44b04602d1e21354244412f55f99f05aef60bfa7bb8ec81627
Instruction Fuzzy Hash: 27518B70758B61CFDB24DB24B4987657A919B22320FE9C297C8968B2D6E33C8443D71B

Uniqueness

Uniqueness Score: -1.00%

Function 0042505B, Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e932b5a13eab5146abff7c7efc81b6a02727983785b820edc4913816e78cf1
Instruction ID: 028ef226937197fc7bb917f8d74a79a9c0a2aa6506f58349369a73d35f9b3f14
Opcode Fuzzy Hash: 63e932b5a13eab5146abff7c7efc81b6a02727983785b820edc4913816e78cf1
Instruction Fuzzy Hash: A7F06D34B09E20CFD714DA04E9A0B7673A0AB14320FE0875BE902C72A5C23CE852E95B

Uniqueness

Uniqueness Score: -1.00%

Function 0042375C, Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3e2266dbed84b35d673ca62afaf3f92f13ba58291ea70fb20864dd6e6b387c6
Instruction ID: 61724bae13ad683b03971cb9ed9ce079f816cc61f7264ad8262cdb4f18652519
Opcode Fuzzy Hash: f3e2266dbed84b35d673ca62afaf3f92f13ba58291ea70fb20864dd6e6b387c6
Instruction Fuzzy Hash: 90C08C7A048A44CEDF760F04A9407C87E33FB42370FE45321E80202994A33F4A8CE942

Uniqueness

Uniqueness Score: -1.00%

Function 00422EEF, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e3e90077c733771744df1dcb60a9f02d1167b45765b9923cd581e62397d635c
Instruction ID: 17bbfaf151d3222d8bdcdd23d536c6600f4a2c734f44d63538d478418d119ce5
Opcode Fuzzy Hash: 9e3e90077c733771744df1dcb60a9f02d1167b45765b9923cd581e62397d635c
Instruction Fuzzy Hash: 47C048B2244681EBEA46DE08E692B8173B0EB11A94B1A0490E8428FA12D328EA05DA01

Uniqueness

Uniqueness Score: -1.00%

Function 00424A0A, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62528da9cb7ff83a73ea1566fad982165290d577a80b2960462f6f91a9eac997
Instruction ID: d04e86b2d308e2e97adab02f0c9e2cf844f99e9a08b9b26515f79565a07e7493
Opcode Fuzzy Hash: 62528da9cb7ff83a73ea1566fad982165290d577a80b2960462f6f91a9eac997
Instruction Fuzzy Hash: DCC04C35754590CFCAA5CA09D190A9177B0EB50740BD10481E44587991D358D801D609

Uniqueness

Uniqueness Score: -1.00%

Function 0041345A, Relevance: 180.7, APIs: 94, Strings: 9, Instructions: 493
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041345A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v120;
				char _v128;
				char _v144;
				signed int _v168;
				char _v176;
				char* _v184;
				intOrPtr _v192;
				void* _v212;
				signed int _v216;
				signed int _v220;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _t155;
				signed int _t162;
				signed int _t166;
				char* _t169;
				signed int _t184;
				signed int _t188;
				char* _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr _t301;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t301;
				L004013C0();
				_v12 = _t301;
				_v8 = 0x401398;
				_push(0x402a0c);
				_push(0x402c5c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a0c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402c5c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a0c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x4026d8);
				L004015AC();
				_v120 = 0xd8;
				_v128 = 8;
				_push( &_v128);
				_push( &_v144);
				L004014AA();
				_v168 = 0xc;
				_v176 = 0x8002;
				_push( &_v144);
				_t155 =  &_v176;
				_push(_t155);
				L004015DC();
				_v216 = _t155;
				_push( &_v48);
				_push( &_v44);
				_push( &_v40);
				_push( &_v36);
				_push(4);
				L004015A6();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L004015BE();
				_t162 = _v216;
				if(_t162 != 0) {
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					_v120 = _t162;
					_v128 = 8;
					_v184 = L"BERUFSVERBOT";
					_v192 = 8;
					_t166 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v112, 0x402a34, _t162, 0x402b30, _t162, 0x402b28, _t162, 0x402b20, _t162, 0x402b18, _t162, 0x4026c8, 0x402b10);
					asm("fclex");
					_v216 = _t166;
					if(_v216 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x218);
						_push(0x402438);
						_push(_a4);
						_push(_v216);
						L00401552();
						_v228 = _t166;
					}
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"Add");
					_push(_v112);
					_t169 =  &_v144;
					_push(_t169);
					L00401498();
					_push(_t169);
					L0040149E();
					_push(_t169);
					_push( &_v24);
					L004014A4();
					_push( &_v52);
					_push( &_v48);
					_push( &_v44);
					_push( &_v40);
					_push( &_v36);
					_push(5);
					L004015A6();
					L0040152E();
					_push( &_v144);
					_push( &_v128);
					_push(2);
					L004015BE();
					_v168 = 0x470d;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X1");
					_push(_v24);
					L00401492();
					_v168 = 0x878;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X2");
					_push(_v24);
					L00401492();
					_v168 = 0x2c0e;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y1");
					_push(_v24);
					L00401492();
					if( *0x415010 != 0) {
						_v232 = 0x415010;
					} else {
						_push(0x415010);
						_push(0x4030fc);
						L00401558();
						_v232 = 0x415010;
					}
					_t184 =  &_v112;
					L0040155E();
					_v216 = _t184;
					_t188 =  *((intOrPtr*)( *_v216 + 0x108))(_v216,  &_v212, _t184,  *((intOrPtr*)( *((intOrPtr*)( *_v232)) + 0x35c))( *_v232));
					asm("fclex");
					_v220 = _t188;
					if(_v220 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x402760);
						_push(_v216);
						_push(_v220);
						L00401552();
						_v236 = _t188;
					}
					_v168 = _v212;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y2");
					_push(_v24);
					L00401492();
					L0040152E();
					_v168 = _v168 | 0xffffffff;
					_v176 = 0xb;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Visible");
					_push(_v24);
					L00401492();
					_v168 = 1;
					_v176 = 0x8002;
					_push(0);
					_push(L"BorderStyle");
					_push(_v24);
					_t192 =  &_v128;
					_push(_t192);
					L00401498();
					_push(_t192);
					_t193 =  &_v176;
					_push(_t193);
					L004015DC();
					_v216 = _t193;
					L0040156A();
					_t162 = _v216;
					if(_t162 != 0) {
						_v120 = 0xe;
						_v128 = 2;
						_t194 =  &_v128;
						_push(_t194);
						L0040148C();
						L004015B2();
						_push(_t194);
						_push(0x40272c);
						_push(0x402b98);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402984);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402ba0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402ba8);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402984);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a3c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b28);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b30);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb8);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bc0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a04);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a2c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a34);
						L004015AC();
						L004015B2();
						_push(_t194);
						L00401582();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t194 + 1);
						_push( &_v108);
						_push( &_v104);
						_push( &_v100);
						_push( &_v96);
						_push( &_v92);
						_push( &_v88);
						_t134 =  &_v84; // 0x402a34
						_push( &_v80);
						_t136 =  &_v76; // 0x402b30
						_push( &_v72);
						_t138 =  &_v68; // 0x402b28
						_push( &_v64);
						_t140 =  &_v60; // 0x402b20
						_push( &_v56);
						_push( &_v52);
						_push( &_v48);
						_push( &_v44);
						_push( &_v40);
						_push( &_v36);
						_push(0x13);
						L004015A6();
						L0040156A();
						_t162 = _v216;
						if(_t162 != 0) {
							L00401486();
						}
					}
				}
				asm("wait");
				_push(0x413b9d);
				L0040152E();
				return _t162;
			}

0x0041345f
0x0041346a
0x0041346b
0x00413477
0x0041347f
0x00413482
0x00413489
0x0041348e
0x00413493
0x0041349d
0x004134a2
0x004134a3
0x004134a8
0x004134b2
0x004134b7
0x004134b8
0x004134bd
0x004134c7
0x004134cc
0x004134cd
0x004134d2
0x004134dc
0x004134e1
0x004134e2
0x004134e7
0x004134ec
0x004134ef
0x004134f9
0x00413500
0x00413501
0x00413506
0x00413510
0x00413520
0x00413521
0x00413527
0x00413528
0x0041352d
0x00413537
0x0041353b
0x0041353f
0x00413543
0x00413544
0x00413546
0x00413554
0x00413558
0x00413559
0x0041355b
0x00413563
0x0041356c
0x0041357c
0x00413586
0x00413591
0x0041359b
0x004135a6
0x004135b0
0x004135bb
0x004135c5
0x004135d0
0x004135da
0x004135e5
0x004135ea
0x004135ed
0x004135f4
0x004135fe
0x00413614
0x0041361a
0x0041361c
0x00413629
0x0041364b
0x0041362b
0x0041362b
0x00413630
0x00413635
0x00413638
0x0041363e
0x00413643
0x00413643
0x00413652
0x00413655
0x0041365f
0x00413660
0x00413661
0x00413662
0x00413663
0x00413666
0x00413673
0x00413674
0x00413675
0x00413676
0x00413677
0x00413679
0x0041367e
0x00413681
0x00413687
0x00413688
0x00413690
0x00413691
0x00413696
0x0041369a
0x0041369b
0x004136a3
0x004136a7
0x004136ab
0x004136af
0x004136b3
0x004136b4
0x004136b6
0x004136c1
0x004136cc
0x004136d0
0x004136d1
0x004136d3
0x004136db
0x004136e5
0x004136ef
0x004136f2
0x004136ff
0x00413700
0x00413701
0x00413702
0x00413703
0x00413708
0x0041370b
0x00413710
0x0041371a
0x00413724
0x00413727
0x00413734
0x00413735
0x00413736
0x00413737
0x00413738
0x0041373d
0x00413740
0x00413745
0x0041374f
0x00413759
0x0041375c
0x00413769
0x0041376a
0x0041376b
0x0041376c
0x0041376d
0x00413772
0x00413775
0x00413781
0x0041379e
0x00413783
0x00413783
0x00413788
0x0041378d
0x00413792
0x00413792
0x004137c2
0x004137c6
0x004137cb
0x004137e6
0x004137ec
0x004137ee
0x004137fb
0x00413820
0x004137fd
0x004137fd
0x00413802
0x00413807
0x0041380d
0x00413813
0x00413818
0x00413818
0x0041382e
0x00413835
0x0041383f
0x00413842
0x0041384f
0x00413850
0x00413851
0x00413852
0x00413853
0x00413858
0x0041385b
0x00413863
0x00413868
0x0041386f
0x00413879
0x0041387c
0x00413889
0x0041388a
0x0041388b
0x0041388c
0x0041388d
0x00413892
0x00413895
0x0041389a
0x004138a4
0x004138ae
0x004138b0
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c5
0x004138cb
0x004138cc
0x004138d1
0x004138db
0x004138e0
0x004138e9
0x004138ef
0x004138f6
0x004138fd
0x00413900
0x00413901
0x0041390b
0x00413910
0x00413911
0x00413916
0x0041391b
0x00413925
0x0041392a
0x0041392b
0x00413930
0x0041393a
0x0041393f
0x00413940
0x00413945
0x0041394f
0x00413954
0x00413955
0x0041395a
0x00413964
0x00413969
0x0041396a
0x0041396f
0x00413979
0x0041397e
0x0041397f
0x00413984
0x0041398e
0x00413993
0x00413994
0x00413999
0x004139a3
0x004139a8
0x004139a9
0x004139ae
0x004139b8
0x004139bd
0x004139be
0x004139c3
0x004139cd
0x004139d2
0x004139d3
0x004139d8
0x004139e2
0x004139e7
0x004139e8
0x004139ed
0x004139f7
0x004139fc
0x004139fd
0x00413a02
0x00413a0c
0x00413a11
0x00413a12
0x00413a17
0x00413a21
0x00413a26
0x00413a27
0x00413a2c
0x00413a36
0x00413a3b
0x00413a3c
0x00413a41
0x00413a4b
0x00413a50
0x00413a51
0x00413a56
0x00413a60
0x00413a65
0x00413a66
0x00413a6b
0x00413a75
0x00413a7a
0x00413a7b
0x00413a80
0x00413a8a
0x00413a8f
0x00413a90
0x00413a97
0x00413a9c
0x00413aa6
0x00413aaa
0x00413aae
0x00413ab2
0x00413ab6
0x00413aba
0x00413abb
0x00413ac2
0x00413ac3
0x00413aca
0x00413acb
0x00413ad2
0x00413ad3
0x00413ada
0x00413ade
0x00413ae2
0x00413ae6
0x00413aea
0x00413aee
0x00413aef
0x00413af1
0x00413afc
0x00413b01
0x00413b0a
0x00413b0c
0x00413b0c
0x00413b0a
0x004138e9
0x00413b11
0x00413b12
0x00413b97
0x00413b9c

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413477
__vbaStrCat.MSVBVM60(00402C5C,00402A0C,?,?,?,?,004013C6), ref: 00413493
__vbaStrMove.MSVBVM60(00402C5C,00402A0C,?,?,?,?,004013C6), ref: 0041349D
__vbaStrCat.MSVBVM60(00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134A8
__vbaStrMove.MSVBVM60(00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134B2
__vbaStrCat.MSVBVM60(00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134BD
__vbaStrMove.MSVBVM60(00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134C7
__vbaStrCat.MSVBVM60(00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134D2
__vbaStrMove.MSVBVM60(00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134DC
__vbaStrCat.MSVBVM60(004026D8,00000000,00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134E7
#544.MSVBVM60(?,00000008), ref: 00413501
__vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00413528
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00008002,?), ref: 00413546
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041355B
__vbaStrCat.MSVBVM60(004026C8,00402B10), ref: 0041357C
__vbaStrMove.MSVBVM60(004026C8,00402B10), ref: 00413586
__vbaStrCat.MSVBVM60(00402B18,00000000,004026C8,00402B10), ref: 00413591
__vbaStrMove.MSVBVM60(00402B18,00000000,004026C8,00402B10), ref: 0041359B
__vbaStrCat.MSVBVM60(00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135A6
__vbaStrMove.MSVBVM60(00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135B0
__vbaStrCat.MSVBVM60(00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135BB
__vbaStrMove.MSVBVM60(00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135C5
__vbaStrCat.MSVBVM60(00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135D0
__vbaStrMove.MSVBVM60(00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135DA
__vbaStrCat.MSVBVM60(00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,00000218), ref: 0041363E
__vbaChkstk.MSVBVM60 ref: 00413655
__vbaChkstk.MSVBVM60 ref: 00413666
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413688
__vbaObjVar.MSVBVM60(00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 00413691
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 0041369B
__vbaFreeStrList.MSVBVM60(00000005,?,00402B10,004026C8,00000000,00402B18,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20), ref: 004136B6
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000), ref: 004136C1
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20), ref: 004136D3
__vbaChkstk.MSVBVM60 ref: 004136F2
__vbaLateMemSt.MSVBVM60(?,00402B58), ref: 0041370B
__vbaChkstk.MSVBVM60(?,00402B58), ref: 00413727
__vbaLateMemSt.MSVBVM60(?,00402B60,?,00402B58), ref: 00413740
__vbaChkstk.MSVBVM60(?,00402B60,?,00402B58), ref: 0041375C
__vbaLateMemSt.MSVBVM60(?,00402B68,?,00402B60,?,00402B58), ref: 00413775
__vbaNew2.MSVBVM60(004030FC,00415010,?,00402B68,?,00402B60,?,00402B58), ref: 0041378D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 004137C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,00000108,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60), ref: 00413813
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 00413842
__vbaLateMemSt.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 0041385B
__vbaFreeObj.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 00413863
__vbaChkstk.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 0041387C
__vbaLateMemSt.MSVBVM60(?,Visible,?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60), ref: 00413895
__vbaLateMemCallLd.MSVBVM60(?,?,BorderStyle,00000000,?,Visible,?,00402B70), ref: 004138BC
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A34), ref: 004138CC
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A34), ref: 004138DB
#651.MSVBVM60(00000002,?,00000000), ref: 00413901
__vbaStrMove.MSVBVM60(00000002,?,00000000), ref: 0041390B
__vbaStrCat.MSVBVM60(00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041391B
__vbaStrMove.MSVBVM60(00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413925
__vbaStrCat.MSVBVM60(00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413930
__vbaStrMove.MSVBVM60(00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041393A
__vbaStrCat.MSVBVM60(0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413945
__vbaStrMove.MSVBVM60(0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041394F
__vbaStrCat.MSVBVM60(00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041395A
__vbaStrMove.MSVBVM60(00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413964
__vbaStrCat.MSVBVM60(00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041396F
__vbaStrMove.MSVBVM60(00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413979
__vbaStrCat.MSVBVM60(0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413984
__vbaStrMove.MSVBVM60(0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041398E
__vbaStrCat.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002), ref: 00413999
__vbaStrMove.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002), ref: 004139A3
__vbaStrCat.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 004139AE
__vbaStrMove.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 004139B8
__vbaStrCat.MSVBVM60(00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000), ref: 004139C3
__vbaStrMove.MSVBVM60(00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000), ref: 004139CD
__vbaStrCat.MSVBVM60(00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000), ref: 004139D8
__vbaStrMove.MSVBVM60(00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000), ref: 004139E2
__vbaStrCat.MSVBVM60(00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000), ref: 004139ED
__vbaStrMove.MSVBVM60(00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000), ref: 004139F7
__vbaStrCat.MSVBVM60(00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000), ref: 00413A02
__vbaStrMove.MSVBVM60(00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000), ref: 00413A0C
__vbaStrCat.MSVBVM60(0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000), ref: 00413A17
__vbaStrMove.MSVBVM60(0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000), ref: 00413A21
__vbaStrCat.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000), ref: 00413A2C
__vbaStrMove.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000), ref: 00413A36
__vbaStrCat.MSVBVM60(00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000), ref: 00413A41
__vbaStrMove.MSVBVM60(00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000), ref: 00413A4B
__vbaStrCat.MSVBVM60(00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000), ref: 00413A56
__vbaStrMove.MSVBVM60(00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000), ref: 00413A60
__vbaStrCat.MSVBVM60(00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000), ref: 00413A6B
__vbaStrMove.MSVBVM60(00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000), ref: 00413A75
__vbaStrCat.MSVBVM60(00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000), ref: 00413A80
__vbaStrMove.MSVBVM60(00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000), ref: 00413A8A
__vbaStrCmp.MSVBVM60(00000000,00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30), ref: 00413A90
__vbaFreeStrList.MSVBVM60(00000013,?,00402B10,004026C8,00000000,00402B18,00000000, +@,00000000,(+@,00000000,0+@,00000000,4*@,00000000,00000000), ref: 00413AF1
__vbaFreeVar.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 00413AFC
#554.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 00413B0C
__vbaFreeObj.MSVBVM60(00413B9D), ref: 00413B97

Strings

Visible, xrefs: 0041388D
BERUFSVERBOT, xrefs: 004135F4
(+@, xrefs: 004139CA, 00413ACB, 00413ACE
0+@, xrefs: 004139F4, 00413AC3, 00413AC6
Add, xrefs: 00413679
G, xrefs: 004136DB
4*@, xrefs: 00413A1E, 00413ABB, 00413ABE
+@, xrefs: 004139A0, 00413AD3, 00413AD6
BorderStyle, xrefs: 004138B0

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Chkstk$Late$List$CallCheckHresult$#544#554#651AddrefNew2
String ID: G$ +@$(+@$0+@$4*@$Add$BERUFSVERBOT$BorderStyle$Visible
API String ID: 2720917139-3050207803
Opcode ID: 4f59cca7ad95153a9d854485047ea0226f05f699db07b97cfefa506b75e81423
Instruction ID: f78f4f10e8f4b6b8e6733b098a218ef5b47c176dc098ae571219f454794afdf6
Opcode Fuzzy Hash: 4f59cca7ad95153a9d854485047ea0226f05f699db07b97cfefa506b75e81423
Instruction Fuzzy Hash: E3025271E40208AADB11EFA1CD46FDE7378AF44704F50417BB506BB1E1DEB8AA448F69

Uniqueness

Uniqueness Score: -1.00%

Function 00411205, Relevance: 45.2, APIs: 30, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00411205(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				long long* _v12;
				long long* _v36;
				char _v48;
				void* _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _t62;
				signed int _t66;
				char* _t68;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				char* _t93;
				long long* _t110;
				signed int _t111;
				void* _t112;
				signed int _t113;
				long long _t117;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t110;
				_push(0x5c);
				L004013C0();
				_v12 = _t110;
				_v8 = 0x4012f8;
				L0040154C();
				_push(5);
				_push(0x402a44);
				_t62 =  &_v48;
				_push(_t62);
				L004014CE();
				_push(0x402a2c);
				_push(0x402a34);
				L004015AC();
				L004015B2();
				_push(_t62);
				_push(0x402a3c);
				L004015AC();
				L004015B2();
				L004015C4();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x402a34);
				_push(_v60);
				L004014C8();
				L004015B2();
				_push(_v60);
				_push(0x402a2c);
				_push(0x402a3c);
				L004015AC();
				L004015B2();
				_push(_t62);
				L00401582();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t62 + 1);
				_t93 =  &_v64;
				L004015C4();
				_t66 = _v92;
				_t111 = _t66;
				if(_t111 != 0) {
					asm("fld1");
					L00401432();
					L004015A0();
					asm("fcomp qword [0x4012f0]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t111 == 0) {
						_push(0x402a04);
						L004014C2();
						_t112 = _t66 - 0x61;
						if(_t112 == 0) {
							asm("fld1");
							 *_v36 = __fp0;
							_t117 =  *0x4012e8;
							 *((long long*)(_v36 + 8)) = _t117;
							_v88 =  &_v48;
							_push( &_v88);
							asm("fld1");
							_push(_t93);
							_push(_t93);
							 *_t110 = _t117;
							L004014BC();
							L004015A0();
							asm("fcomp qword [0x4012e0]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t112 == 0) {
								_push(0x402a0c);
								L004014EC();
								asm("fcomp dword [0x4012ac]");
								asm("fnstsw ax");
								asm("sahf");
								if(_t112 == 0) {
									_t76 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v88);
									asm("fclex");
									_v92 = _t76;
									_t113 = _v92;
									if(_t113 >= 0) {
										_v104 = _v104 & 0x00000000;
									} else {
										_push(0xb0);
										_push(0x402438);
										_push(_a4);
										_push(_v92);
										L00401552();
										_v104 = _t76;
									}
									asm("fcomp dword [0x4012a8]");
									asm("fnstsw ax");
									asm("sahf");
									if(_t113 == 0) {
										if( *0x415010 != 0) {
											_v108 = 0x415010;
										} else {
											_push(0x415010);
											_push(0x4030fc);
											L00401558();
											_v108 = 0x415010;
										}
										_t80 =  &_v68;
										L0040155E();
										_v92 = _t80;
										_t84 =  *((intOrPtr*)( *_v92 + 0xb8))(_v92,  &_v64, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x35c))( *_v108));
										asm("fclex");
										_v96 = _t84;
										if(_v96 >= 0) {
											_v112 = _v112 & 0x00000000;
										} else {
											_push(0xb8);
											_push(0x402760);
											_push(_v92);
											_push(_v96);
											L00401552();
											_v112 = _t84;
										}
										_push(_v64);
										_push(0x60);
										_push(0xffffffff);
										_push(0x20);
										L004014E6();
										L004015C4();
										L0040152E();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x411491);
				_v88 =  &_v48;
				_t68 =  &_v88;
				_push(_t68);
				_push(0);
				L004014D4();
				L004015C4();
				L004015C4();
				return _t68;
			}

0x0041120a
0x00411215
0x00411216
0x0041121d
0x00411220
0x00411228
0x0041122b
0x00411238
0x0041123d
0x0041123f
0x00411244
0x00411247
0x00411248
0x0041124d
0x00411252
0x00411257
0x00411261
0x00411266
0x00411267
0x0041126c
0x00411276
0x0041127e
0x00411283
0x00411285
0x00411287
0x00411289
0x0041128b
0x00411290
0x00411293
0x0041129d
0x004112a2
0x004112a5
0x004112aa
0x004112af
0x004112b9
0x004112be
0x004112bf
0x004112c6
0x004112cb
0x004112cf
0x004112d2
0x004112d7
0x004112db
0x004112dd
0x004112e3
0x004112e5
0x004112ea
0x004112ef
0x004112f5
0x004112f7
0x004112f8
0x004112fe
0x00411303
0x00411308
0x0041130c
0x00411315
0x00411317
0x0041131c
0x00411322
0x00411328
0x0041132e
0x0041132f
0x00411331
0x00411332
0x00411333
0x00411336
0x0041133b
0x00411340
0x00411346
0x00411348
0x00411349
0x0041134f
0x00411354
0x00411359
0x0041135f
0x00411361
0x00411362
0x00411374
0x0041137a
0x0041137c
0x0041137f
0x00411383
0x0041139f
0x00411385
0x00411385
0x0041138a
0x0041138f
0x00411392
0x00411395
0x0041139a
0x0041139a
0x004113a6
0x004113ac
0x004113ae
0x004113af
0x004113bc
0x004113d6
0x004113be
0x004113be
0x004113c3
0x004113c8
0x004113cd
0x004113cd
0x004113f1
0x004113f5
0x004113fa
0x00411409
0x0041140f
0x00411411
0x00411418
0x00411434
0x0041141a
0x0041141a
0x0041141f
0x00411424
0x00411427
0x0041142a
0x0041142f
0x0041142f
0x00411438
0x0041143b
0x0041143d
0x0041143f
0x00411441
0x00411449
0x00411451
0x00411451
0x004113af
0x00411362
0x00411349
0x0041130c
0x004112f8
0x00411456
0x00411457
0x00411472
0x00411475
0x00411478
0x00411479
0x0041147b
0x00411483
0x0041148b
0x00411490

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00411220
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00411238
__vbaAryConstruct2.MSVBVM60(?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411248
__vbaStrCat.MSVBVM60(00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411257
__vbaStrMove.MSVBVM60(00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411261
__vbaStrCat.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 0041126C
__vbaStrMove.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411276
__vbaFreeStr.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 0041127E
#712.MSVBVM60(?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 00411293
__vbaStrMove.MSVBVM60(?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 0041129D
__vbaStrCat.MSVBVM60(00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 004112AF
__vbaStrMove.MSVBVM60(00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 004112B9
__vbaStrCmp.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112BF
__vbaFreeStr.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112D2
_CIlog.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112E5
__vbaFpR8.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112EA
#516.MSVBVM60(00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?), ref: 00411303
#684.MSVBVM60(?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000), ref: 00411336
__vbaFpR8.MSVBVM60(?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000), ref: 0041133B
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C), ref: 00411354
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,000000B0,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411395
__vbaNew2.MSVBVM60(004030FC,00415010,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000), ref: 004113C8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000), ref: 004113F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402760,000000B8,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 0041142A
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411441
__vbaFreeStr.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411449
__vbaFreeObj.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411451
__vbaAryDestruct.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 0041147B
__vbaFreeStr.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 00411483
__vbaFreeStr.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 0041148B

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#516#684#712ChkstkConstruct2CopyDestructFileIlogNew2Open
String ID:
API String ID: 2720509884-0
Opcode ID: 496f501515edf77aecb0298144b6b5b474681858621a6512c79f67540555a0c5
Instruction ID: 4665281a537e9d5a375a5ae2fff27dc0d8025a1f6e9d83233047d7cebb295480
Opcode Fuzzy Hash: 496f501515edf77aecb0298144b6b5b474681858621a6512c79f67540555a0c5
Instruction Fuzzy Hash: 5D612630A40248ABDB10EBE1DD86BDEBBB9AF44704F50413BF116BA1F5DB785985CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00412403, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00412403(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				short _v80;
				intOrPtr _t22;
				char* _t23;
				char* _t28;
				intOrPtr _t46;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_t22 = 0x40;
				L004013C0();
				_v12 = _t46;
				_v8 = 0x401348;
				L0040158E();
				L0040154C();
				_push("12-");
				_push(L"12-12");
				L004015AC();
				_v52 = _t22;
				_v60 = 8;
				_t23 =  &_v60;
				_push(_t23);
				L0040147A();
				asm("sbb eax, eax");
				_v80 =  ~( ~(_t23 - 0xffff) + 1);
				L0040156A();
				_t28 = _v80;
				if(_t28 != 0) {
					_v52 = 1;
					_v60 = 2;
					_push(0);
					_t28 =  &_v60;
					_push(_t28);
					L00401474();
					L004015B2();
					L0040156A();
				}
				_push(0x4124dc);
				L0040156A();
				L004015C4();
				L004015C4();
				return _t28;
			}

0x00412408
0x00412413
0x00412414
0x0041241d
0x0041241e
0x00412426
0x00412429
0x00412436
0x00412441
0x00412446
0x0041244b
0x00412450
0x00412455
0x00412458
0x0041245f
0x00412462
0x00412463
0x0041246f
0x00412474
0x0041247b
0x00412480
0x00412486
0x00412488
0x0041248f
0x00412496
0x00412498
0x0041249b
0x0041249c
0x004124a6
0x004124ae
0x004124ae
0x004124b3
0x004124c6
0x004124ce
0x004124d6
0x004124db

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041241E
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412436
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00412441
__vbaStrCat.MSVBVM60(12-12,12-,?,?,?,?,004013C6), ref: 00412450
#557.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00412463
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 0041247B
#705.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 0041249C
__vbaStrMove.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124A6
__vbaFreeVar.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124AE
__vbaFreeVar.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124C6
__vbaFreeStr.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124CE
__vbaFreeStr.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124D6

Strings

12-, xrefs: 00412446
12-12, xrefs: 0041244B

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#557#705ChkstkCopyMove
String ID: 12-$12-12
API String ID: 1093160486-3531647454
Opcode ID: c42cc33319e44a1079b819da30e1dcb196a3dab0b68ae24ae07124ed5db5f304
Instruction ID: 2e7dd0bb9c9fca3fa76cb33463ab2303f6b74b2beff927884748cb09daaa01c8
Opcode Fuzzy Hash: c42cc33319e44a1079b819da30e1dcb196a3dab0b68ae24ae07124ed5db5f304
Instruction Fuzzy Hash: 8F115171910148BACB04EFA1CD86FDD7BB4AF54704F50053AB402B71E1EB7C6945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004105FA, Relevance: 22.6, APIs: 15, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004105FA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				void* _v52;
				signed int _v56;
				void* _v60;
				char _v76;
				char _v92;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				char _v140;
				void* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t71;
				signed int _t74;
				signed int _t80;
				signed int _t85;
				void* _t101;
				void* _t103;
				intOrPtr _t104;

				_t104 = _t103 - 0xc;
				 *[fs:0x0] = _t104;
				L004013C0();
				_v16 = _t104;
				_v12 = 0x401290;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t101);
				L0040158E();
				L0040154C();
				_v116 = 0x4026c0;
				_v124 = 8;
				L0040158E();
				_push( &_v76);
				_push( &_v92);
				L004014F8();
				_v132 = 0x402a04;
				_v140 = 0x8008;
				_push( &_v92);
				_t71 =  &_v140;
				_push(_t71);
				L004015DC();
				_v144 = _t71;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L004015BE();
				_t74 = _v144;
				if(_t74 != 0) {
					if( *0x4155f8 != 0) {
						_v172 = 0x4155f8;
					} else {
						_push(0x4155f8);
						_push(0x4028e8);
						L00401558();
						_v172 = 0x4155f8;
					}
					_v144 =  *_v172;
					_t80 =  *((intOrPtr*)( *_v144 + 0x14))(_v144,  &_v60);
					asm("fclex");
					_v148 = _t80;
					if(_v148 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d8);
						_push(_v144);
						_push(_v148);
						L00401552();
						_v176 = _t80;
					}
					_v152 = _v60;
					_t85 =  *((intOrPtr*)( *_v152 + 0x110))(_v152,  &_v56);
					asm("fclex");
					_v156 = _t85;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4028f8);
						_push(_v152);
						_push(_v156);
						L00401552();
						_v180 = _t85;
					}
					_t74 = _v56;
					_v168 = _t74;
					_v56 = _v56 & 0x00000000;
					L004015B2();
					L0040152E();
				}
				_push(0x410810);
				L004015C4();
				L004015C4();
				L0040156A();
				return _t74;
			}

0x004105fd
0x0041060c
0x00410618
0x00410620
0x00410623
0x0041062a
0x00410639
0x00410642
0x0041064d
0x00410652
0x00410659
0x00410666
0x0041066e
0x00410672
0x00410673
0x00410678
0x0041067f
0x0041068c
0x0041068d
0x00410693
0x00410694
0x00410699
0x004106a3
0x004106a7
0x004106a8
0x004106aa
0x004106b2
0x004106bb
0x004106c8
0x004106e5
0x004106ca
0x004106ca
0x004106cf
0x004106d4
0x004106d9
0x004106d9
0x004106f7
0x0041070f
0x00410712
0x00410714
0x00410721
0x00410743
0x00410723
0x00410723
0x00410725
0x0041072a
0x00410730
0x00410736
0x0041073b
0x0041073b
0x0041074d
0x00410765
0x0041076b
0x0041076d
0x0041077a
0x0041079f
0x0041077c
0x0041077c
0x00410781
0x00410786
0x0041078c
0x00410792
0x00410797
0x00410797
0x004107a6
0x004107a9
0x004107af
0x004107bc
0x004107c4
0x004107c4
0x004107c9
0x004107fa
0x00410802
0x0041080a
0x0041080f

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00410618
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410642
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0041064D
__vbaVarDup.MSVBVM60 ref: 00410666
#518.MSVBVM60(?,?), ref: 00410673
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?), ref: 00410694
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 004106AA
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,004013C6), ref: 004106D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00410736
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000110), ref: 00410792
__vbaStrMove.MSVBVM60(00000000,?,004028F8,00000110), ref: 004107BC
__vbaFreeObj.MSVBVM60(00000000,?,004028F8,00000110), ref: 004107C4
__vbaFreeStr.MSVBVM60(00410810,?,?,004013C6), ref: 004107FA
__vbaFreeStr.MSVBVM60(00410810,?,?,004013C6), ref: 00410802
__vbaFreeVar.MSVBVM60(00410810,?,?,004013C6), ref: 0041080A

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#518ChkstkCopyListMoveNew2
String ID:
API String ID: 1459133440-0
Opcode ID: 9f25326c63d400a5016dda9409aad156467f4b0c54600f5c84042ac6b59f4a72
Instruction ID: 05ad2b77685fc7f285c907303dd9a4d39d9d7d188daed66f19f7286aa1406a16
Opcode Fuzzy Hash: 9f25326c63d400a5016dda9409aad156467f4b0c54600f5c84042ac6b59f4a72
Instruction Fuzzy Hash: D251D871900218EFDB10EFA5CD85FDDBBB5BF44304F1081AAE109BB1A1DB785A898F55

Uniqueness

Uniqueness Score: -1.00%

Function 004124EF, Relevance: 19.6, APIs: 13, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004124EF(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				void* _v48;
				char _v52;
				char _v56;
				signed short _v64;
				char _v72;
				char _v88;
				signed char _t26;
				signed short _t27;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L004013C0();
				_v16 = _t47;
				_v12 = 0x401358;
				_v8 = 0;
				_t26 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t44);
				L0040158E();
				_push(0x4026d8);
				L0040146E();
				_t27 = _t26 & 0x000000ff;
				if(_t27 == 2) {
					_push(0x402be4);
					_push(0x402bec);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402bf4);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402be4);
					L004015AC();
					_v64 = _t27;
					_v72 = 8;
					_push( &_v72);
					_push( &_v88);
					L00401462();
					_push( &_v88);
					L00401468();
					_v32 = __fp0;
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L004015A6();
					_push( &_v88);
					_t27 =  &_v72;
					_push(_t27);
					_push(2);
					L004015BE();
				}
				asm("wait");
				_push(0x412608);
				L0040156A();
				return _t27;
			}

0x004124f2
0x00412501
0x0041250b
0x00412513
0x00412516
0x0041251d
0x0041252c
0x00412535
0x0041253a
0x0041253f
0x00412544
0x0041254c
0x00412552
0x00412557
0x0041255c
0x00412566
0x0041256b
0x0041256c
0x00412571
0x0041257b
0x00412580
0x00412581
0x00412586
0x0041258b
0x0041258e
0x00412598
0x0041259c
0x0041259d
0x004125a5
0x004125a6
0x004125ab
0x004125b1
0x004125b5
0x004125b6
0x004125b8
0x004125c3
0x004125c4
0x004125c7
0x004125c8
0x004125ca
0x004125cf
0x004125d2
0x004125d3
0x00412602
0x00412607

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041250B
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412535
__vbaUI1Str.MSVBVM60(004026D8,?,?,?,?,004013C6), ref: 0041253F
__vbaStrCat.MSVBVM60(00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 0041255C
__vbaStrMove.MSVBVM60(00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412566
__vbaStrCat.MSVBVM60(00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412571
__vbaStrMove.MSVBVM60(00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 0041257B
__vbaStrCat.MSVBVM60(00402BE4,00000000,00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412586
#687.MSVBVM60(?,00000008), ref: 0041259D
__vbaDateVar.MSVBVM60(?,?,00000008), ref: 004125A6
__vbaFreeStrList.MSVBVM60(00000002,00000000,00402BF4,?,?,00000008), ref: 004125B8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004013C6), ref: 004125CA
__vbaFreeVar.MSVBVM60(00412608,004026D8,?,?,?,?,004013C6), ref: 00412602

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$#687ChkstkDate
String ID:
API String ID: 2912548229-0
Opcode ID: ad2ab8263c6fad0aef963e0c29cdb9162632fe834ed5646610b151fcb4df7905
Instruction ID: 9acf876f85fa3a76dac7276b00a10b9f7f4ec1700ebecfec37eb25ad1bc5f3c1
Opcode Fuzzy Hash: ad2ab8263c6fad0aef963e0c29cdb9162632fe834ed5646610b151fcb4df7905
Instruction Fuzzy Hash: E2212F71D41208BBDB00EFE1CD46EDE7778AF44704F50843BB502BA1E1DA7C6A498B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413BB8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00413BB8(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a32, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _t29;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				signed int _t47;

				_t45 = _t44 - 0xc;
				 *[fs:0x0] = _t45;
				L004013C0();
				_v16 = _t45;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t42);
				L0040154C();
				L0040158E();
				_push(0x402a0c);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t29 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v72);
					asm("fclex");
					_v76 = _t29;
					_t47 = _v76;
					if(_t47 >= 0) {
						_t20 =  &_v88;
						 *_t20 = _v88 & 0x00000000;
						__eflags =  *_t20;
					} else {
						_push(0xb0);
						_push(0x402438);
						_push(_a4);
						_push(_v76);
						L00401552();
						_v88 = _t29;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t47 == 0) {
						_push(L"GEOSIDE");
						_push(0xb4);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x413c96);
				L004015C4();
				L0040156A();
				return _t29;
			}

0x00413bbb
0x00413bca
0x00413bd4
0x00413bdc
0x00413bdf
0x00413be6
0x00413bf5
0x00413bfe
0x00413c09
0x00413c0e
0x00413c13
0x00413c18
0x00413c1e
0x00413c20
0x00413c21
0x00413c2f
0x00413c35
0x00413c37
0x00413c3a
0x00413c3e
0x00413c5a
0x00413c5a
0x00413c5a
0x00413c40
0x00413c40
0x00413c45
0x00413c4a
0x00413c4d
0x00413c50
0x00413c55
0x00413c55
0x00413c61
0x00413c67
0x00413c69
0x00413c6a
0x00413c6c
0x00413c71
0x00413c76
0x00413c78
0x00413c7a
0x00413c7a
0x00413c6a
0x00413c7f
0x00413c80
0x00413c88
0x00413c90
0x00413c95

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413BD4
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00413BFE
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00413C09
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,?,004013C6), ref: 00413C13
__vbaHresultCheckObj.MSVBVM60(00000000,004013A8,00402438,000000B0), ref: 00413C50
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000B4,GEOSIDE), ref: 00413C7A
__vbaFreeStr.MSVBVM60(00413C96,00402A0C,?,?,?,?,004013C6), ref: 00413C88
__vbaFreeVar.MSVBVM60(00413C96,00402A0C,?,?,?,?,004013C6), ref: 00413C90

Strings

GEOSIDE, xrefs: 00413C6C

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyFileHresultOpen
String ID: GEOSIDE
API String ID: 311016274-2913397203
Opcode ID: b01a7390f3740583749f62332d8104ebea8222f5d9ff684ecf08d38487b3b3a0
Instruction ID: a44c7f68a2c685dbaf605939a374c10edf1c54e142bb12ed94c2c10a4ee18dcd
Opcode Fuzzy Hash: b01a7390f3740583749f62332d8104ebea8222f5d9ff684ecf08d38487b3b3a0
Instruction Fuzzy Hash: 0D213830900208FFDB00EF95CA8ABCD7BB4BF54755F50416AF4057A1E1D7785A858B88

Uniqueness

Uniqueness Score: -1.00%

Function 004103DB, Relevance: 15.0, APIs: 10, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004103DB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a40, void* _a48, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v64;
				void* _v80;
				signed int* _t24;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004013C0();
				_v16 = _t43;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t40);
				L0040158E();
				L0040154C();
				L0040158E();
				_t24 = _a64;
				 *_t24 =  *_t24 & 0x00000000;
				_push(0);
				_push(0);
				_push(1);
				L0040150A();
				L004015B2();
				_push(0x410488);
				L0040156A();
				L004015C4();
				L004015C4();
				L0040156A();
				return _t24;
			}

0x004103de
0x004103ed
0x004103f7
0x004103ff
0x00410402
0x00410409
0x00410418
0x00410421
0x0041042c
0x00410437
0x0041043c
0x0041043f
0x00410442
0x00410444
0x00410446
0x00410448
0x00410452
0x00410457
0x0041046a
0x00410472
0x0041047a
0x00410482
0x00410487

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004103F7
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410421
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0041042C
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410437
#706.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410448
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410452
__vbaFreeVar.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0041046A
__vbaFreeStr.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410472
__vbaFreeStr.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0041047A
__vbaFreeVar.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410482

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#706ChkstkCopyMove
String ID:
API String ID: 3345532518-0
Opcode ID: db013e2afe532c4b028b69ea5c13c810cc8ec78676d3a19f38e4f40e97bff54e
Instruction ID: 7f2903a411088809e335211ffd05d7d1552a29b58b433ac5b57d3da05fa44c65
Opcode Fuzzy Hash: db013e2afe532c4b028b69ea5c13c810cc8ec78676d3a19f38e4f40e97bff54e
Instruction Fuzzy Hash: E9111C31900248ABCB14EFA1CD92FDD7BB4AF40748F50842AF5027B1E1DB78AA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00410989, Relevance: 13.6, APIs: 9, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00410989(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				char* _t57;
				signed int _t61;
				signed int _t67;
				signed int _t71;
				char* _t73;
				intOrPtr _t84;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x3c);
				L004013C0();
				_v12 = _t84;
				_v8 = 0x4012c0;
				if( *0x415010 != 0) {
					_v64 = 0x415010;
				} else {
					_push(0x415010);
					_push(0x4030fc);
					L00401558();
					_v64 = 0x415010;
				}
				_t57 =  &_v28;
				L0040155E();
				_v36 = _t57;
				_t61 =  *((intOrPtr*)( *_v36 + 0x13c))(_v36,  &_v24, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x35c))( *_v64));
				asm("fclex");
				_v40 = _t61;
				if(_v40 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x402760);
					_push(_v36);
					_push(_v40);
					L00401552();
					_v68 = _t61;
				}
				if( *0x4155f8 != 0) {
					_v72 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v72 = 0x4155f8;
				}
				_v44 =  *_v72;
				_t67 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t67;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v44);
					_push(_v48);
					L00401552();
					_v76 = _t67;
				}
				_v52 = _v32;
				_t71 =  *((intOrPtr*)( *_v52 + 0x138))(_v52, _v24, 1);
				asm("fclex");
				_v56 = _t71;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f8);
					_push(_v52);
					_push(_v56);
					L00401552();
					_v80 = _t71;
				}
				L004015C4();
				_push( &_v32);
				_t73 =  &_v28;
				_push(_t73);
				_push(2);
				L00401546();
				_push(0x410b1d);
				return _t73;
			}

0x0041098e
0x00410999
0x0041099a
0x004109a1
0x004109a4
0x004109ac
0x004109af
0x004109bd
0x004109d7
0x004109bf
0x004109bf
0x004109c4
0x004109c9
0x004109ce
0x004109ce
0x004109f2
0x004109f6
0x004109fb
0x00410a0a
0x00410a10
0x00410a12
0x00410a19
0x00410a35
0x00410a1b
0x00410a1b
0x00410a20
0x00410a25
0x00410a28
0x00410a2b
0x00410a30
0x00410a30
0x00410a40
0x00410a5a
0x00410a42
0x00410a42
0x00410a47
0x00410a4c
0x00410a51
0x00410a51
0x00410a66
0x00410a75
0x00410a78
0x00410a7a
0x00410a81
0x00410a9a
0x00410a83
0x00410a83
0x00410a85
0x00410a8a
0x00410a8d
0x00410a90
0x00410a95
0x00410a95
0x00410aa1
0x00410ab1
0x00410ab7
0x00410ab9
0x00410ac0
0x00410adc
0x00410ac2
0x00410ac2
0x00410ac7
0x00410acc
0x00410acf
0x00410ad2
0x00410ad7
0x00410ad7
0x00410ae3
0x00410aeb
0x00410aec
0x00410aef
0x00410af0
0x00410af2
0x00410afa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004109A4
__vbaNew2.MSVBVM60(004030FC,00415010,?,?,?,?,004013C6), ref: 004109C9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 004109F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,0000013C), ref: 00410A2B
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410A4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00410A90
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000138), ref: 00410AD2
__vbaFreeStr.MSVBVM60 ref: 00410AE3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410AF2

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$ChkstkList
String ID:
API String ID: 3534970231-0
Opcode ID: a0008a9d1f67f6dfbc4658a5d605653f5639004fad6c848d4b25e5910d5c8cc6
Instruction ID: f17b057453f2c33a1854ccf80f179a4597e6afa7ffb2e8bcb0af70dbb7101e6c
Opcode Fuzzy Hash: a0008a9d1f67f6dfbc4658a5d605653f5639004fad6c848d4b25e5910d5c8cc6
Instruction Fuzzy Hash: 89410771D40208EFCB00EF95C945BEDBBB5FF18305F10402AF112B62A0C7B85985DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDDA, Relevance: 13.6, APIs: 9, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040FDDA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t47;
				signed int _t52;
				short _t53;
				intOrPtr _t67;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_push(0x4c);
				L004013C0();
				_v12 = _t67;
				_v8 = 0x401230;
				L0040158E();
				L0040158E();
				if( *0x4155f8 != 0) {
					_v88 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v88 = 0x4155f8;
				}
				_v68 =  *_v88;
				_t47 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v60);
				asm("fclex");
				_v72 = _t47;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v68);
					_push(_v72);
					L00401552();
					_v92 = _t47;
				}
				_v76 = _v60;
				_t52 =  *((intOrPtr*)( *_v76 + 0xc0))(_v76,  &_v64);
				asm("fclex");
				_v80 = _t52;
				if(_v80 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x4028f8);
					_push(_v76);
					_push(_v80);
					L00401552();
					_v96 = _t52;
				}
				_t53 = _v64;
				_v56 = _t53;
				L0040152E();
				_push(0x40fef4);
				L0040156A();
				L0040156A();
				return _t53;
			}

0x0040fddf
0x0040fdea
0x0040fdeb
0x0040fdf2
0x0040fdf5
0x0040fdfd
0x0040fe00
0x0040fe0d
0x0040fe18
0x0040fe24
0x0040fe3e
0x0040fe26
0x0040fe26
0x0040fe2b
0x0040fe30
0x0040fe35
0x0040fe35
0x0040fe4a
0x0040fe59
0x0040fe5c
0x0040fe5e
0x0040fe65
0x0040fe7e
0x0040fe67
0x0040fe67
0x0040fe69
0x0040fe6e
0x0040fe71
0x0040fe74
0x0040fe79
0x0040fe79
0x0040fe85
0x0040fe94
0x0040fe9a
0x0040fe9c
0x0040fea3
0x0040febf
0x0040fea5
0x0040fea5
0x0040feaa
0x0040feaf
0x0040feb2
0x0040feb5
0x0040feba
0x0040feba
0x0040fec3
0x0040fec7
0x0040fece
0x0040fed3
0x0040fee6
0x0040feee
0x0040fef3

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FDF5
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FE0D
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FE18
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0040FE30
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 0040FE74
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,000000C0), ref: 0040FEB5
__vbaFreeObj.MSVBVM60(00000000,?,004028F8,000000C0), ref: 0040FECE
__vbaFreeVar.MSVBVM60(0040FEF4), ref: 0040FEE6
__vbaFreeVar.MSVBVM60(0040FEF4), ref: 0040FEEE

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2
String ID:
API String ID: 1237124366-0
Opcode ID: 9c91c35be8b689691cdf6c3e0f6bf49ad94bc84c1aa5b5d07bb8938a2c4a7211
Instruction ID: 0a0e7e8f74150fa91c4d6ee8645fb8a4ff926344413ae81f12cb23cbb76fc15e
Opcode Fuzzy Hash: 9c91c35be8b689691cdf6c3e0f6bf49ad94bc84c1aa5b5d07bb8938a2c4a7211
Instruction Fuzzy Hash: A031FC71910248EFCB10EF95C94ABDDBBB5FF48708F10403AF012BB2A1D778694A9B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041089B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0041089B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				signed int _v60;
				signed int _v68;
				signed int _t19;
				intOrPtr _t32;
				signed int _t34;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t19 = 0x30;
				L004013C0();
				_v12 = _t32;
				_v8 = 0x4012b0;
				L0040158E();
				_push(0x402a0c);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t19 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v56);
					asm("fclex");
					_v60 = _t19;
					_t34 = _v60;
					if(_t34 >= 0) {
						_t14 =  &_v68;
						 *_t14 = _v68 & 0x00000000;
						__eflags =  *_t14;
					} else {
						_push(0xb0);
						_push(0x402438);
						_push(_a4);
						_push(_v60);
						L00401552();
						_v68 = _t19;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t34 == 0) {
						_push(L"Wattape2");
						_push(0x8e);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x410953);
				L0040156A();
				return _t19;
			}

0x004108a0
0x004108ab
0x004108ac
0x004108b5
0x004108b6
0x004108be
0x004108c1
0x004108ce
0x004108d3
0x004108d8
0x004108dd
0x004108e3
0x004108e5
0x004108e6
0x004108f4
0x004108fa
0x004108fc
0x004108ff
0x00410903
0x0041091f
0x0041091f
0x0041091f
0x00410905
0x00410905
0x0041090a
0x0041090f
0x00410912
0x00410915
0x0041091a
0x0041091a
0x00410926
0x0041092c
0x0041092e
0x0041092f
0x00410931
0x00410936
0x0041093b
0x0041093d
0x0041093f
0x0041093f
0x0041092f
0x00410944
0x00410945
0x0041094d
0x00410952

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004108B6
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 004108CE
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,?,004013C6), ref: 004108D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,000000B0,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410915
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000008E,Wattape2), ref: 0041093F
__vbaFreeVar.MSVBVM60(00410953,00402A0C,?,?,?,?,004013C6), ref: 0041094D

Strings

Wattape2, xrefs: 00410931

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFileFreeHresultOpen
String ID: Wattape2
API String ID: 2751570938-2362924395
Opcode ID: 6cde937bea826bab41c4f0bf20eaa573c2c0dee8223770a795224d9c23a7c88b
Instruction ID: 432650579d4fe524cebdfe93f045266d4e079881616c42308dfa4a5bc27b131f
Opcode Fuzzy Hash: 6cde937bea826bab41c4f0bf20eaa573c2c0dee8223770a795224d9c23a7c88b
Instruction Fuzzy Hash: CA113A70950248FFDB10EF95CE9AF9D7BB9FB04B54F50422AF005B61E2C7B859808B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF07, Relevance: 10.6, APIs: 7, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040FF07(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				void* _v52;
				void* _v56;
				void* _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t45;
				signed int _t46;
				signed int _t52;
				signed int _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004013C0();
				_v16 = _t68;
				_v12 = 0x401240;
				_v8 = 0;
				_t45 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t65);
				L0040158E();
				_t46 = _t45 | 0xffffffff;
				if(_t46 != 0) {
					if( *0x4155f8 != 0) {
						_v88 = 0x4155f8;
					} else {
						_push(0x4155f8);
						_push(0x4028e8);
						L00401558();
						_v88 = 0x4155f8;
					}
					_v64 =  *_v88;
					_t52 =  *((intOrPtr*)( *_v64 + 0x14))(_v64,  &_v56);
					asm("fclex");
					_v68 = _t52;
					if(_v68 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d8);
						_push(_v64);
						_push(_v68);
						L00401552();
						_v92 = _t52;
					}
					_v72 = _v56;
					_t57 =  *((intOrPtr*)( *_v72 + 0xb8))(_v72,  &_v60);
					asm("fclex");
					_v76 = _t57;
					if(_v76 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0xb8);
						_push(0x4028f8);
						_push(_v72);
						_push(_v76);
						L00401552();
						_v96 = _t57;
					}
					_t46 = _v60;
					_v36 = _t46;
					L0040152E();
				}
				asm("wait");
				_push(0x41002d);
				L0040156A();
				return _t46;
			}

0x0040ff0a
0x0040ff19
0x0040ff23
0x0040ff2b
0x0040ff2e
0x0040ff35
0x0040ff44
0x0040ff4d
0x0040ff52
0x0040ff57
0x0040ff64
0x0040ff7e
0x0040ff66
0x0040ff66
0x0040ff6b
0x0040ff70
0x0040ff75
0x0040ff75
0x0040ff8a
0x0040ff99
0x0040ff9c
0x0040ff9e
0x0040ffa5
0x0040ffbe
0x0040ffa7
0x0040ffa7
0x0040ffa9
0x0040ffae
0x0040ffb1
0x0040ffb4
0x0040ffb9
0x0040ffb9
0x0040ffc5
0x0040ffd4
0x0040ffda
0x0040ffdc
0x0040ffe3
0x0040ffff
0x0040ffe5
0x0040ffe5
0x0040ffea
0x0040ffef
0x0040fff2
0x0040fff5
0x0040fffa
0x0040fffa
0x00410003
0x00410007
0x0041000e
0x0041000e
0x00410013
0x00410014
0x00410027
0x0041002c

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FF23
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FF4D
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0040FF70
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 0040FFB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,000000B8), ref: 0040FFF5
__vbaFreeObj.MSVBVM60 ref: 0041000E
__vbaFreeVar.MSVBVM60(0041002D,?,?,?,?,004013C6), ref: 00410027

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: 02815d7764fa1a9ad2340fda37790249d776d6145adf5ce7641902c0906bc9e1
Instruction ID: 5a797fff27208687f4aea27ba72d0ce7d68909df40a166662ecb3d51792fdd9b
Opcode Fuzzy Hash: 02815d7764fa1a9ad2340fda37790249d776d6145adf5ce7641902c0906bc9e1
Instruction Fuzzy Hash: 9031F274900249EFCB10EF95D945BCDBBB5FF08704F20813AF412BB2A0DB7899899B48

Uniqueness

Uniqueness Score: -1.00%

Function 00413339, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00413339(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int _t45;
				signed int _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t57;

				_t57 = _t56 - 0xc;
				 *[fs:0x0] = _t57;
				L004013C0();
				_v16 = _t57;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4013c6, _t54);
				if( *0x4155f8 != 0) {
					_v56 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v56 = 0x4155f8;
				}
				_v32 =  *_v56;
				_t45 =  *((intOrPtr*)( *_v32 + 0x14))(_v32,  &_v28);
				asm("fclex");
				_v36 = _t45;
				if(_v36 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v32);
					_push(_v36);
					L00401552();
					_v60 = _t45;
				}
				_v40 = _v28;
				_t49 =  *((intOrPtr*)( *_v40 + 0x138))(_v40, L"Spinetternes5", 1);
				asm("fclex");
				_v44 = _t49;
				if(_v44 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f8);
					_push(_v40);
					_push(_v44);
					L00401552();
					_v64 = _t49;
				}
				L0040152E();
				_push(0x41343b);
				return _t49;
			}

0x0041333c
0x0041334b
0x00413355
0x0041335d
0x00413360
0x00413367
0x00413376
0x00413380
0x0041339a
0x00413382
0x00413382
0x00413387
0x0041338c
0x00413391
0x00413391
0x004133a6
0x004133b5
0x004133b8
0x004133ba
0x004133c1
0x004133da
0x004133c3
0x004133c3
0x004133c5
0x004133ca
0x004133cd
0x004133d0
0x004133d5
0x004133d5
0x004133e1
0x004133f3
0x004133f9
0x004133fb
0x00413402
0x0041341e
0x00413404
0x00413404
0x00413409
0x0041340e
0x00413411
0x00413414
0x00413419
0x00413419
0x00413425
0x0041342a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413355
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0041338C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 004133D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000138), ref: 00413414
__vbaFreeObj.MSVBVM60 ref: 00413425

Strings

Spinetternes5, xrefs: 004133E6

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: Spinetternes5
API String ID: 1616694062-1097852325
Opcode ID: c34ccc01a0d50681634d61c4aafa507457f07b9a8061652733a4250c8ed416da
Instruction ID: e9fac8f4c15bde8dec29734db9031b95ca3794eb2217f65450811250680a2a34
Opcode Fuzzy Hash: c34ccc01a0d50681634d61c4aafa507457f07b9a8061652733a4250c8ed416da
Instruction Fuzzy Hash: 8D31F875D40218EFDB00DF95C989BDDBBB1FB08715F50406AF411BB2A0C7B85A859B58

Uniqueness

Uniqueness Score: -1.00%

Function 004122F1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004122F1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a40, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				signed int* _v44;
				signed int* _t17;
				void* _t24;
				void* _t26;
				intOrPtr _t27;

				_t27 = _t26 - 0xc;
				 *[fs:0x0] = _t27;
				L004013C0();
				_v16 = _t27;
				_v12 = 0x401328;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4013c6, _t24);
				L0040158E();
				_t17 = _a64;
				 *_t17 =  *_t17 & 0x00000000;
				L004014E0();
				_v44 = _t17;
				_push(0x412363);
				L0040156A();
				return _t17;
			}

0x004122f4
0x00412303
0x0041230d
0x00412315
0x00412318
0x0041231f
0x0041232e
0x00412337
0x0041233c
0x0041233f
0x00412342
0x00412347
0x0041234a
0x0041235d
0x00412362

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041230D
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412337
#615.MSVBVM60(?,?,?,?,004013C6), ref: 00412342
__vbaFreeVar.MSVBVM60(00412363,?,?,?,?,004013C6), ref: 0041235D

Strings

c#A, xrefs: 0041235A

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#615ChkstkFree
String ID: c#A
API String ID: 4276791933-178432524
Opcode ID: 71c1d7a2cfbb5d07b62aa6d4d2cb6571509291a181e8e93fdc11099cfb057335
Instruction ID: 24a68fdbfcb5226d01d9abee10bbabe8bbdeafd74fdac9e01d51a7a3e91b4025
Opcode Fuzzy Hash: 71c1d7a2cfbb5d07b62aa6d4d2cb6571509291a181e8e93fdc11099cfb057335
Instruction Fuzzy Hash: D1F03C71500248EFDB00EF65CA86B9D7BB4EB04748F10446AF805BB2A0C7789E008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00423126, Relevance: 7.6, Strings: 6, Instructions: 56COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
`, xrefs: 0042321C
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: `$j@h$jjj$u?j$!gn$%
API String ID: 0-2186299706
Opcode ID: c4afcc1b94cd32d1873b2f3866e9449df3953d3daab2315980245331dc4475bb
Instruction ID: b9313945d7e01a0485a0db5de6678211f631323b9bf6e752f3a6eaa75b71125f
Opcode Fuzzy Hash: c4afcc1b94cd32d1873b2f3866e9449df3953d3daab2315980245331dc4475bb
Instruction Fuzzy Hash: 1901D822B18330CAEB380D54B9653F911326F9276BEF4416B9C8713245926D4B9B691F

Uniqueness

Uniqueness Score: -1.00%

Function 00422D34, Relevance: 6.6, Strings: 5, Instructions: 377COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 6ed8f9582882185b9b95e5fb1e876a6b2b3cf9c85ae1c3fe16ffd5591261caa9
Instruction ID: 227f6e58593599fe1f6f3b0dfc84beadf2b16dbb8bf33181f7e45e9128fd9913
Opcode Fuzzy Hash: 6ed8f9582882185b9b95e5fb1e876a6b2b3cf9c85ae1c3fe16ffd5591261caa9
Instruction Fuzzy Hash: 24C14470344225BBEB201E14EE51BEA3A61FF45344FE0412BFA456B191C7FC98D2AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004210DD, Relevance: 6.6, Strings: 5, Instructions: 335COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 52fdfba965520ad2b2a81e43f74d8afb37b0d10062f5f83cc908726c4966ccac
Instruction ID: 72a08be4621aefcbaa3f7a04ad56c54b3eb01baebd026cdddca9c695e9367197
Opcode Fuzzy Hash: 52fdfba965520ad2b2a81e43f74d8afb37b0d10062f5f83cc908726c4966ccac
Instruction Fuzzy Hash: B1B11771344225BEEB310E14EE55BEA3A61FF45704FE0412BFA456A191C7FC98C2AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422510, Relevance: 6.6, Strings: 5, Instructions: 313COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: a973964f23f40cab5c22ece57c7df875ebc2a6013818a7b3b9e0a1e35c9ee45e
Instruction ID: 654658c56d9d28dcd9a9db1323b05b661381a3224737c85f3bf7f79af9f7880d
Opcode Fuzzy Hash: a973964f23f40cab5c22ece57c7df875ebc2a6013818a7b3b9e0a1e35c9ee45e
Instruction Fuzzy Hash: A3A12671344225BEEB200E14EE55BEA3A61FF45704FE0412BFA456A1C1C3FC98C6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042253E, Relevance: 6.6, Strings: 5, Instructions: 300COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 2b0bff8fbfac8526cc5039f58e14b4db5427687e9141b8e8ae133b6cf3406e32
Instruction ID: d47c368a249d68e1d746bc3f24ae001e89464b0e24fc5f30dcb61dbbe6815e9a
Opcode Fuzzy Hash: 2b0bff8fbfac8526cc5039f58e14b4db5427687e9141b8e8ae133b6cf3406e32
Instruction Fuzzy Hash: BBA12771344225BFEB200E14EE55BEA3A61FF45344FA0412BFA456B181C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042255D, Relevance: 6.5, Strings: 5, Instructions: 296COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 0cfda30dee8550f61e0f1aa0244ef3750e3521ccb2343b6991633cbd73d03d78
Instruction ID: 1defe22522251d029a9d0cb8fe1a7831953262983dee7a29da41ca99f8366ed7
Opcode Fuzzy Hash: 0cfda30dee8550f61e0f1aa0244ef3750e3521ccb2343b6991633cbd73d03d78
Instruction Fuzzy Hash: 27A14971344225BEEB210E14EE55BEA3A61FF45304FE0412BFA456B181C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422599, Relevance: 6.5, Strings: 5, Instructions: 284COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 113b50bdc0ffc7da38d053dd170b9c51b1787d6c5e74c0efedbe5e6d83b93da7
Instruction ID: 41192926a4860c56994d630f06f905a56e6d2a05ec39fb14973cde5d7e986112
Opcode Fuzzy Hash: 113b50bdc0ffc7da38d053dd170b9c51b1787d6c5e74c0efedbe5e6d83b93da7
Instruction Fuzzy Hash: AE914670344225BEEB210E14EE51BEA3A61BF41304FA0412BF9459B181C3FC98C2AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004225B9, Relevance: 6.5, Strings: 5, Instructions: 276COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 5e44c7cc56756c87ce21b7bdeb41a3003966f2e1b9cbf53d7c91bfe816f5ef80
Instruction ID: 73eb769f9025994f40fec8b681edd64e35edfd37f4641047a29a8c707d554849
Opcode Fuzzy Hash: 5e44c7cc56756c87ce21b7bdeb41a3003966f2e1b9cbf53d7c91bfe816f5ef80
Instruction Fuzzy Hash: 38913570344225BFEB210E14EE55BEA3A61FF45344FA0412BF9459B281C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004225CA, Relevance: 6.5, Strings: 5, Instructions: 275COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: 28d86465f60d11692703b1d0f63a8fa9f88c551a907ffb8b66ce58da03824114
Instruction ID: 30fd20365c6c9f1d8de8aff22191f2445483f436f96cd3a4b14cb0f3d032e04e
Opcode Fuzzy Hash: 28d86465f60d11692703b1d0f63a8fa9f88c551a907ffb8b66ce58da03824114
Instruction Fuzzy Hash: 69913570344225BEEB210E14EE91BE93A61BF45304FA0012BF9459B281C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004225FA, Relevance: 6.5, Strings: 5, Instructions: 268COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: dab368060dd7b4199c403dfa6b997c65c4e07bfec6d213b1b720f799da15168c
Instruction ID: 65b1406057f4aa5efa8f0f049ccf24619c9ac5b28bd7b11cc703eed97e2c4d80
Opcode Fuzzy Hash: dab368060dd7b4199c403dfa6b997c65c4e07bfec6d213b1b720f799da15168c
Instruction Fuzzy Hash: 35912670344225BFEB210E14EE91BE93A61FF45344FA1012BF9459B291C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042260D, Relevance: 6.5, Strings: 5, Instructions: 261COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: fb49ef28a4092bef1b7b2f37843ded5e3407c765b084168c20e1e3f3fbb6e72f
Instruction ID: a4ac3e82c50f45065e6a1806a5a41e3ef372fedf0e86f5f7b079421800c29fee
Opcode Fuzzy Hash: fb49ef28a4092bef1b7b2f37843ded5e3407c765b084168c20e1e3f3fbb6e72f
Instruction Fuzzy Hash: E9812570344225BFEB214E14EE91BE93A61AF44344FE1012BF9459B291C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004225AD, Relevance: 6.5, Strings: 5, Instructions: 260COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
!gn, xrefs: 0042263F
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$!gn$%
API String ID: 0-3362040476
Opcode ID: ac545d0ba6a2c0b10ebf5e3bc371099b6e3b59141020f9e4c7db70dd68503805
Instruction ID: a50662cf055937ae4d0e1d6cc88b44f6e8b728581ccad0c08e37171faf3ecc5f
Opcode Fuzzy Hash: ac545d0ba6a2c0b10ebf5e3bc371099b6e3b59141020f9e4c7db70dd68503805
Instruction Fuzzy Hash: 01914670344225BFEB210E14EE91BE93A61FF44344FA0012BF9456B281C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0041238C, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041238C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				char* _t9;
				intOrPtr _t19;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t19;
				_push(0x28);
				L004013C0();
				_v12 = _t19;
				_v8 = 0x401338;
				_t9 =  &_v56;
				_push(_t9);
				L00401480();
				L0040153A();
				_push(0x4123e6);
				L0040156A();
				return _t9;
			}

0x00412391
0x0041239c
0x0041239d
0x004123a4
0x004123a7
0x004123af
0x004123b2
0x004123b9
0x004123bc
0x004123bd
0x004123c8
0x004123cd
0x004123e0
0x004123e5

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004123A7
#546.MSVBVM60(?,?,?,?,?,004013C6), ref: 004123BD
__vbaVarMove.MSVBVM60(?,?,?,?,?,004013C6), ref: 004123C8
__vbaFreeVar.MSVBVM60(004123E6,?,?,?,?,?,004013C6), ref: 004123E0

Memory Dump Source

Source File: 00000001.00000002.1843238384.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.1843208149.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000001.00000002.1843291305.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000001.00000002.1843308273.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#546ChkstkFreeMove
String ID:
API String ID: 3298562087-0
Opcode ID: 1b52977f2b9b78872b56d9cc82e7998cd5fe540cc8606e34ff22663eb2d3f21f
Instruction ID: b3234f3c79fed234dcec7896dcedf2d10a5655b61bfea8cc0be0f4d26eddae47
Opcode Fuzzy Hash: 1b52977f2b9b78872b56d9cc82e7998cd5fe540cc8606e34ff22663eb2d3f21f
Instruction Fuzzy Hash: A3F0307195024CBADB00EBA1CD46FDDB77CFB14B44F90442BB401B75A0D7BC2A048769

Uniqueness

Uniqueness Score: -1.00%

Function 0042263A, Relevance: 5.3, Strings: 4, Instructions: 253COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 6bfa8d268ed31a7beca34d309eb5480222de3f2c24ef9c348c7a33905dcaa5ec
Instruction ID: dba15bf73f8e4f818020d9793aca4480400e2fe111857c0beaf9f6b76cee093d
Opcode Fuzzy Hash: 6bfa8d268ed31a7beca34d309eb5480222de3f2c24ef9c348c7a33905dcaa5ec
Instruction Fuzzy Hash: D7812670344225BFEB210E14EE95BE93A61FF45344FE0012BF9459A291C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422667, Relevance: 5.2, Strings: 4, Instructions: 247COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 3add746e484985c1a92a03c0157d87deb83a5e473d1ae34795521750e9540138
Instruction ID: 2bf6ad99b20f2e2230fdaa161984c3ac531f84d20ee5c8a53cbc2bb63e931399
Opcode Fuzzy Hash: 3add746e484985c1a92a03c0157d87deb83a5e473d1ae34795521750e9540138
Instruction Fuzzy Hash: 8D812670344225BFEB214E14EE95BE93A61EF45344FE0012BFD459A291C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042267D, Relevance: 5.2, Strings: 4, Instructions: 243COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 0e9558435de04a3fbdf29b40481338a37ccb736f3b7a2b68292307aab6ebf82c
Instruction ID: 0d17a31e0a776882ba91c5045e4b3bfdc58ababdde7aa79cbc0361785c8488f0
Opcode Fuzzy Hash: 0e9558435de04a3fbdf29b40481338a37ccb736f3b7a2b68292307aab6ebf82c
Instruction Fuzzy Hash: E4811470344225BFEB214E14EE91BE93B61EF45344FA0012BF9459A191C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004226A6, Relevance: 5.2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: dd32a3bc108134e6c511797eef00a1d8d3b47781165e6ea9f3e4fae67d2d0fa6
Instruction ID: 2b05e8391715f1e068f96626b4c9dcbcde2daa1b31150b8604879d71212ac630
Opcode Fuzzy Hash: dd32a3bc108134e6c511797eef00a1d8d3b47781165e6ea9f3e4fae67d2d0fa6
Instruction Fuzzy Hash: 07713570344225BFEB210E14EE95BE93A61FF45344FA0012BFD459A281C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422719, Relevance: 5.2, Strings: 4, Instructions: 218COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 147dd6ce6c65f92c0c0f603a13a5f2869f58d7223f973a0aa99b0e1b2f47771a
Instruction ID: f0d514298e972e10e11ae072490691bd5e96fc4086b215f7cbce1b5f68c6a138
Opcode Fuzzy Hash: 147dd6ce6c65f92c0c0f603a13a5f2869f58d7223f973a0aa99b0e1b2f47771a
Instruction Fuzzy Hash: C1711570344225BFEB214E14EE51BE93A61FF45344FA0012BFD859A291C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422702, Relevance: 5.2, Strings: 4, Instructions: 215COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 04c5a95451c14bf5226339075bbcadd568c8a269cc2dcf8a01cdc52745b9834c
Instruction ID: 19383252bd4855b60d700edfb31b4739e3040b99f4868936b63b56a1eb3c80cd
Opcode Fuzzy Hash: 04c5a95451c14bf5226339075bbcadd568c8a269cc2dcf8a01cdc52745b9834c
Instruction Fuzzy Hash: 97711770344225BFEB214E14EE91BE93A61FF44344FA04127FD459A191C3FCA8D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422751, Relevance: 5.2, Strings: 4, Instructions: 205COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 552275ad4e5a7941cc65f42eae512eda8e31ca024f7c3a1d0e5eda0bbdf30e4f
Instruction ID: c71f4fec026a517603e7b15f3d42160cfac49915fbc67a5bc4841a44e9da3d38
Opcode Fuzzy Hash: 552275ad4e5a7941cc65f42eae512eda8e31ca024f7c3a1d0e5eda0bbdf30e4f
Instruction Fuzzy Hash: 9C61F670344225BFEB315E14EE91BE93A65BB44344FA00127FD459A191C3FCA8D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004227CA, Relevance: 5.2, Strings: 4, Instructions: 186COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: a9fd3594e6cf95e73ab81863c59d652f2bd861d7054ea72260b055ccf3a88a4a
Instruction ID: 79248e833d87546dc86746eda1ff5635520d04a62d608002e967ab30fb477abe
Opcode Fuzzy Hash: a9fd3594e6cf95e73ab81863c59d652f2bd861d7054ea72260b055ccf3a88a4a
Instruction Fuzzy Hash: 1651F770344224BAEF311E14EE95BE93A61EB04744FA00127FE859A191C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004227E3, Relevance: 5.2, Strings: 4, Instructions: 180COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 433d4b0b9120c3c509a1adf0a894ed85c676037329a67a88a547e88fd6216e92
Instruction ID: 33fc586d47195b41d9a75c05129a78461f4265b2b842fb4fbaa4c15fbacfb1cd
Opcode Fuzzy Hash: 433d4b0b9120c3c509a1adf0a894ed85c676037329a67a88a547e88fd6216e92
Instruction Fuzzy Hash: 40510970344224BFEF311E14EE91BE93A61EB04304FA00127FE859A191C3FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422801, Relevance: 5.2, Strings: 4, Instructions: 174COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 74597810683f8c51851169a648a6a88f9eaa134c6dfacda7a272907291b830ba
Instruction ID: efa54dd27aff612ca05bcc47ae68525cb11dd7435e58ab438894e48c3781a549
Opcode Fuzzy Hash: 74597810683f8c51851169a648a6a88f9eaa134c6dfacda7a272907291b830ba
Instruction Fuzzy Hash: A151E970344228BEEF311E14EE91BE93665EF14344FA10127FD859A191C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 0042282E, Relevance: 5.2, Strings: 4, Instructions: 167COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: e42f0ce8d334211a6ca84c6dc3691681be37bd997cc2e8bd1c8a2d2a9552ec8b
Instruction ID: 3ae4209927c5fd24e6c9588d0d89896c286a95fe97167b1fd1165bbda0516c11
Opcode Fuzzy Hash: e42f0ce8d334211a6ca84c6dc3691681be37bd997cc2e8bd1c8a2d2a9552ec8b
Instruction Fuzzy Hash: 8451D770344264BFEF211E14EE91BE93A61AF04744FE10127FE859A191C7FC98D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 00422849, Relevance: 5.2, Strings: 4, Instructions: 163COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 4740453cba722456cfc8e10a1aadd064fa52dfc055875e38b380408ccf9ae341
Instruction ID: bd12ec8733a466c8000d6e177d95ab2418c55d992cf41197df3b0ac69ed6f7cd
Opcode Fuzzy Hash: 4740453cba722456cfc8e10a1aadd064fa52dfc055875e38b380408ccf9ae341
Instruction Fuzzy Hash: BC51F970344224BBEF355E14EE91BE93665BF04704FA10027FE859A191C7FCA8D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004228A1, Relevance: 5.1, Strings: 4, Instructions: 143COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: 4e202b112f97bf9e4576be3deb1932f7b115cb27a42e46914299541d1a7aedd6
Instruction ID: c02e19c28c2d608c6fa163c799a1d53b43c72c91ae8bed84d61584662ae42e73
Opcode Fuzzy Hash: 4e202b112f97bf9e4576be3deb1932f7b115cb27a42e46914299541d1a7aedd6
Instruction Fuzzy Hash: 8741B770340124BBEF251E14EEA1BE93665FF04304FA10027FD859A191C7FCA8D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Function 004228CE, Relevance: 5.1, Strings: 4, Instructions: 133COMMON

Download Yara Rule

Strings

u?j, xrefs: 00422B4F
jjj, xrefs: 004228F0
%, xrefs: 004229ED
j@h, xrefs: 00422996

Memory Dump Source

Source File: 00000001.00000002.1843330680.0000000000420000.00000040.00000001.sdmp, Offset: 00420000, based on PE: false

Similarity

API ID:
String ID: j@h$jjj$u?j$%
API String ID: 0-2047422733
Opcode ID: efa4703f5d3e1c88c165bf8f48fee967cb3a711781abad01e94153a9a6cd21b8
Instruction ID: 0d6ddaeb6c7cf16a745f96f5ae9009d8924e14c687dd3e7b1025981cb56cde12
Opcode Fuzzy Hash: efa4703f5d3e1c88c165bf8f48fee967cb3a711781abad01e94153a9a6cd21b8
Instruction Fuzzy Hash: 5C41E770340224BBEF254E14EE95BE97A65FF04304FA00027FD859A191C7FCA8D6AB4E

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 964309_Invoice_confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 964309_Invoice_confirmation.exe PID: 3484 Parent PID: 5916

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 964309_Invoice_confirmation.exe PID: 3484 Parent PID: 5916 964309_Invoice_confirmation.exeCOMMON

Executed Functions

Function 004041EB, Relevance: 1.5, APIs: 1, Instructions: 273COMMON

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233COMMON

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215COMMON

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74COMMON

Function 004041EB, Relevance: 1.5, APIs: 1, Instructions: 273
COMMON

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233
COMMON

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215
COMMON

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74
COMMON

Function 00401600, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 539
COMMON

Function 0041345A, Relevance: 180.7, APIs: 94, Strings: 9, Instructions: 493
COMMON

Function 00411205, Relevance: 45.2, APIs: 30, Instructions: 188
COMMON

Function 00412403, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 61
COMMON

Function 004105FA, Relevance: 22.6, APIs: 15, Instructions: 119
COMMON

Function 004124EF, Relevance: 19.6, APIs: 13, Instructions: 74
COMMON

Function 00413BB8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67
COMMON

Function 004103DB, Relevance: 15.0, APIs: 10, Instructions: 49
COMMON

Function 00410989, Relevance: 13.6, APIs: 9, Instructions: 115
COMMON

Function 0040FDDA, Relevance: 13.6, APIs: 9, Instructions: 82
COMMON

Function 0041089B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Function 0040FF07, Relevance: 10.6, APIs: 7, Instructions: 85
COMMON

Function 00413339, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Function 004122F1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Function 0041238C, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON