Play interactive tour

Edit tour

Analysis Report 15790_Invoice_confirmation.exe

Overview

General Information

Sample Name:	15790_Invoice_confirmation.exe
Analysis ID:	337718
MD5:	9090a8a77646971374cea3112aa3beed
SHA1:	bfd3e70ce4230d04e97a9ed394bfabf287a5bfe7
SHA256:	c4e0e2bc76880e6144bbc96ad64e55bd10f6f66805ccfd5a86c36182201372eb
Tags:	exeGuLoader
Most interesting Screenshot:
Errors Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Potential malicious icon found

Yara detected GuLoader

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Executable has a suspicious name (potential lure to open the executable)

Initial sample is a PE file and has a suspicious name

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains strange resources

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

15790_Invoice_confirmation.exe (PID: 5668 cmdline: 'C:\Users\user\Desktop\15790_Invoice_confirmation.exe' MD5: 9090A8A77646971374CEA3112AA3BEED)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Source: 15790_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389175473.00000000006CA000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Executable has a suspicious name (potential lure to open the executable)

Show sources

Source: 15790_Invoice_confirmation.exe

Static file information: Suspicious name

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: 15790_Invoice_confirmation.exe

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Code function: 0_2_00401600

0_2_00401600

Source: 15790_Invoice_confirmation.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389068575.0000000000600000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenameuser32j% vs 15790_Invoice_confirmation.exe
Source: 15790_Invoice_confirmation.exe	Binary or memory string: OriginalFilenameklist.exe vs 15790_Invoice_confirmation.exe

Source: 15790_Invoice_confirmation.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.rans.troj.evad.winEXE@1/0@0/0

Source: 15790_Invoice_confirmation.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: 15790_Invoice_confirmation.exe PID: 5668, type: MEMORY

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00407878 push 6B7AF3E2h; ret	0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040A438 pushad ; retf	0_2_0040A443
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040903B push FFFFFFEBh; ret	0_2_0040903F
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_004058D8 push ebx; iretd	0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_004058EB push ebx; iretd	0_2_004058E9
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040A4F9 push ebx; retf	0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040A572 push ebx; retf	0_2_0040A570
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00407181 push FFFFFFEBh; ret	0_2_00407183
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00407E5C pushfd ; ret	0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00407EA9 pushfd ; ret	0_2_00407E6D
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040775D push 6B7AF3E2h; ret	0_2_004078A6
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040A72F push esi; ret	0_2_0040A732
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0040A7D2 push ebp; ret	0_2_0040A7E2
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00635D00 push eax; ret	0_2_00635D01

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007F9CE8932DB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	RDTSC instruction interceptor: First address: 0000000000633264 second address: 0000000000633264 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F9CE8936B98h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F9CE8936B9Eh 0x00000024 test bh, ah 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F9CE8936B73h 0x0000002c push ecx 0x0000002d call 00007F9CE8936BDEh 0x00000032 call 00007F9CE8936BAAh 0x00000037 lfence 0x0000003a mov edx, dword ptr [7FFE0014h] 0x00000040 lfence 0x00000043 ret 0x00000044 mov esi, edx 0x00000046 pushad 0x00000047 rdtsc

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: 15790_Invoice_confirmation.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	RDTSC instruction interceptor: First address: 000000000040433A second address: 000000000040433A instructions: 0x00000000 rdtsc 0x00000002 nop 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007F9CE8932DB6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	RDTSC instruction interceptor: First address: 0000000000633264 second address: 0000000000633264 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F9CE8936B98h 0x0000000f lfence 0x00000012 mov edx, dword ptr [7FFE0014h] 0x00000018 lfence 0x0000001b ret 0x0000001c sub edx, esi 0x0000001e ret 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F9CE8936B9Eh 0x00000024 test bh, ah 0x00000026 dec ecx 0x00000027 cmp ecx, 00000000h 0x0000002a jne 00007F9CE8936B73h 0x0000002c push ecx 0x0000002d call 00007F9CE8936BDEh 0x00000032 call 00007F9CE8936BAAh 0x00000037 lfence 0x0000003a mov edx, dword ptr [7FFE0014h] 0x00000040 lfence 0x00000043 ret 0x00000044 mov esi, edx 0x00000046 pushad 0x00000047 rdtsc

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Code function: 0_2_0063347D rdtsc

0_2_0063347D

Source: 15790_Invoice_confirmation.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe

Code function: 0_2_0063347D rdtsc

0_2_0063347D

Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0063507E mov eax, dword ptr fs:[00000030h]	0_2_0063507E
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00634C05 mov eax, dword ptr fs:[00000030h]	0_2_00634C05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_006330D4 mov eax, dword ptr fs:[00000030h]	0_2_006330D4
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00631CDD mov eax, dword ptr fs:[00000030h]	0_2_00631CDD
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_00631D05 mov eax, dword ptr fs:[00000030h]	0_2_00631D05
Source: C:\Users\user\Desktop\15790_Invoice_confirmation.exe	Code function: 0_2_0063171E mov eax, dword ptr fs:[00000030h]	0_2_0063171E

Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: 15790_Invoice_confirmation.exe, 00000000.00000002.1389313697.0000000000D50000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Process Injection1	Input Capture1	Security Software Discovery311	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Obfuscated Files or Information1	LSASS Memory	Process Discovery1	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information	Security Account Manager	System Information Discovery21	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Red Diamond
Analysis ID:	337718
Start date:	09.01.2021
Start time:	18:25:13
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 8m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	15790_Invoice_confirmation.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	21
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.rans.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 33.7% (good quality ratio 20%) Quality average: 29.4% Quality standard deviation: 29.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe
Errors:	Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.6192694969709684
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	15790_Invoice_confirmation.exe
File size:	94208
MD5:	9090a8a77646971374cea3112aa3beed
SHA1:	bfd3e70ce4230d04e97a9ed394bfabf287a5bfe7
SHA256:	c4e0e2bc76880e6144bbc96ad64e55bd10f6f66805ccfd5a86c36182201372eb
SHA512:	297232d4bb6e1fb1f1b31b1ce499e7d25d4eb400e7a69491d279f48736ebba8b57a53dbde9248f21dd8f75af3f004a62969cc1ed3d4f6e41956aebba15820917
SSDEEP:	1536:Z2euZu4vhLo8gE961bsy+wHVVQ5C6eUwoJXxLC:7nKo8+bnYwoJI
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L...C.._.................@...0...............P....@

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x401600
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x5FF99543 [Sat Jan 9 11:36:35 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	690ed9eee3aab240a93936dee17050b4

Entrypoint Preview

Instruction
push 00401C6Ch
call 00007F9CE891F715h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
cmp byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov ebp, 2B6E7B28h
or byte ptr [edi+574CAF4Dh], FFFFFFE4h
shr ecx, cl
add al, dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
insd
outsd
jnc 00007F9CE891F78Eh
insd
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
sbb dword ptr [ebp+ebp*4+558C22ABh], esp
arpl word ptr [ecx+eax*4+2Ch], cx
cwde
add dword ptr [ecx+2898F8DDh], esp
jnl 00007F9CE891F6F1h
daa
imul ebx, dword ptr [ebp-7Ah], 4Ah
mov dword ptr [ebx+60067F19h], edx
xchg eax, ebx
push 33AD4F3Ah
cdq
iretw
adc dword ptr [edi+00AA000Ch], esi
pushad
rcl dword ptr [ebx+00000000h], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cld
add eax, dword ptr [eax]
add byte ptr [edx+00h], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [ebx+6Ch], cl
popad
jo 00007F9CE891F794h
xor eax, dword ptr [eax]
or eax, 4D000701h
imul esp, dword ptr [edi+72h], 0032656Eh
sbb dword ptr [ecx], eax
add byte ptr [edx+00h], al
and al, byte ptr [00000724h]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13cd4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x17000	0x894	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x238	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x184	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x132b8	0x14000	False	0.400012207031	data	6.06818823886	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x15000	0x14b0	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x17000	0x894	0x1000	False	0.16015625	data	1.85318303523	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x17764	0x130	data
RT_ICON	0x1747c	0x2e8	data
RT_ICON	0x17354	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x17324	0x30	data
RT_VERSION	0x17150	0x1d4	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0404 0x04b0
ProductVersion	1.00
InternalName	klist
FileVersion	1.00
OriginalFilename	klist.exe
ProductName	Logaritm

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: 15790_Invoice_confirmation.exe PID: 5668 Parent PID: 5892

General

Start time:	18:26:00
Start date:	09/01/2021
Path:	C:\Users\user\Desktop\15790_Invoice_confirmation.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\15790_Invoice_confirmation.exe'
Imagebase:	0x400000
File size:	94208 bytes
MD5 hash:	9090A8A77646971374CEA3112AA3BEED
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: 15790_Invoice_confirmation.exe PID: 5668 Parent PID: 5892 15790_Invoice_confirmation.exeCOMMON

Executed Functions

Function 00401600, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 495COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401605

Strings

VB5!6&*, xrefs: 00401600
({n+, xrefs: 0040161C

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: ({n+$VB5!6&*
API String ID: 1341478452-1090822488
Opcode ID: 64e998559b90ad361666fe1e4d95e895efd9182f6971888183480460458c3217
Instruction ID: 3875680b33bb0828a38564932f0e614d0db066ad56d719736156310624600cb7
Opcode Fuzzy Hash: 64e998559b90ad361666fe1e4d95e895efd9182f6971888183480460458c3217
Instruction Fuzzy Hash: 6902BB7244E3C18FC7138B709DA62A17FB1AE1331471E06DBD8C18E1A3E26C9A5AC757

Uniqueness

Uniqueness Score: -1.00%

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004114AE(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				void* _v40;
				char* _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char* _v112;
				char _v120;
				char _v172;
				short _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				short _v192;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t102;
				signed int _t107;
				char* _t111;
				short _t115;
				signed int _t124;
				short _t130;
				void* _t154;
				void* _t156;
				intOrPtr _t157;
				char* _t167;

				_t157 = _t156 - 0xc;
				 *[fs:0x0] = _t157;
				L004013C0();
				_v16 = _t157;
				_v12 = 0x401308;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t154);
				if( *0x4155f8 != 0) {
					_v204 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v204 = 0x4155f8;
				}
				_v176 =  *_v204;
				_t102 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v40);
				asm("fclex");
				_v180 = _t102;
				if(_v180 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v176);
					_push(_v180);
					L00401552();
					_v208 = _t102;
				}
				_v184 = _v40;
				_t107 =  *((intOrPtr*)( *_v184 + 0x100))(_v184,  &_v172);
				asm("fclex");
				_v188 = _t107;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x4028f8);
					_push(_v184);
					_push(_v188);
					L00401552();
					_v212 = _t107;
				}
				_v192 =  ~(0 | _v172 == 0x00400000);
				L0040152E();
				_t111 = _v192;
				if(_t111 != 0) {
					_push(0x40290c);
					_push(0x402914);
					L004015AC();
					_v48 = _t111;
					_v56 = 8;
					_push( &_v56);
					_push( &_v72);
					L0040151C();
					_v112 = 0x402914;
					_v120 = 0x8008;
					_push( &_v72);
					_t115 =  &_v120;
					_push(_t115);
					L004015DC();
					_v176 = _t115;
					_push( &_v72);
					_push( &_v56);
					_push(2);
					L004015BE();
					_t111 = _v176;
					if(_t111 != 0) {
						_push(2);
						_push(0x4026c0);
						_push(0x4026c8);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026d0);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026d0);
						_push(0);
						L00401516();
						asm("sbb eax, eax");
						_v176 =  ~( ~(_t111 - 3) + 1);
						_push( &_v36);
						_push( &_v32);
						_push(2);
						L004015A6();
						_t111 = _v176;
						_t167 = _t111;
						if(_t167 != 0) {
							L00401510();
							L004015A0();
							asm("fcomp qword [0x401250]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t167 == 0) {
								_v112 = 0x80020004;
								_v120 = 0xa;
								_t124 = 0x10;
								L004013C0();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(L"oliemalinger");
								_push(L"stourness");
								_push(L"Sgsmaalsgrunds7"); // executed
								L0040157C(); // executed
								L004015B2();
								_push(_t124);
								_push(0);
								L00401582();
								asm("sbb eax, eax");
								_v176 =  ~( ~_t124 + 1);
								L004015C4();
								_t111 = _v176;
								if(_t111 != 0) {
									_push(0x402abc);
									L00401576();
									if(_t111 == 1) {
										_push( &_v56);
										L00401570();
										_v112 = L"prnumerant";
										_v120 = 0x8008;
										_push( &_v56);
										_t130 =  &_v120;
										_push(_t130);
										L004015DC();
										_v176 = _t130;
										L0040156A();
										_t111 = _v176;
										if(_t111 != 0) {
											_v96 = 0x80020004;
											_v104 = 0xa;
											_v80 = 0x80020004;
											_v88 = 0xa;
											_v64 = 0x80020004;
											_v72 = 0xa;
											_v112 = L"Topforhandlernes";
											_v120 = 8;
											L0040158E();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_push(0);
											_push( &_v56);
											L00401564();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_t111 =  &_v56;
											_push(_t111);
											_push(4);
											L004015BE();
										}
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x41186b);
				return _t111;
			}

0x004114b1
0x004114c0
0x004114cc
0x004114d4
0x004114d7
0x004114de
0x004114ed
0x004114f7
0x00411514
0x004114f9
0x004114f9
0x004114fe
0x00411503
0x00411508
0x00411508
0x00411526
0x0041153e
0x00411541
0x00411543
0x00411550
0x00411572
0x00411552
0x00411552
0x00411554
0x00411559
0x0041155f
0x00411565
0x0041156a
0x0041156a
0x0041157c
0x00411597
0x0041159d
0x0041159f
0x004115ac
0x004115d1
0x004115ae
0x004115ae
0x004115b3
0x004115b8
0x004115be
0x004115c4
0x004115c9
0x004115c9
0x004115e9
0x004115f3
0x004115f8
0x00411601
0x00411607
0x0041160c
0x00411611
0x00411616
0x00411619
0x00411623
0x00411627
0x00411628
0x0041162d
0x00411634
0x0041163e
0x0041163f
0x00411642
0x00411643
0x00411648
0x00411652
0x00411656
0x00411657
0x00411659
0x00411661
0x0041166a
0x00411670
0x00411672
0x00411677
0x0041167c
0x00411686
0x0041168b
0x0041168c
0x00411691
0x0041169b
0x004116a0
0x004116a1
0x004116a6
0x004116a8
0x004116b2
0x004116b7
0x004116c1
0x004116c5
0x004116c6
0x004116c8
0x004116d0
0x004116d7
0x004116d9
0x004116e5
0x004116ea
0x004116ef
0x004116f5
0x004116f7
0x004116f8
0x004116fe
0x00411705
0x0041170e
0x0041170f
0x00411719
0x0041171a
0x0041171b
0x0041171c
0x0041171d
0x00411722
0x00411727
0x0041172c
0x00411736
0x0041173b
0x0041173c
0x0041173e
0x00411745
0x0041174a
0x00411754
0x00411759
0x00411762
0x00411768
0x0041176d
0x00411775
0x0041177e
0x0041177f
0x00411784
0x0041178b
0x00411795
0x00411796
0x00411799
0x0041179a
0x0041179f
0x004117a9
0x004117ae
0x004117b7
0x004117b9
0x004117c0
0x004117c7
0x004117ce
0x004117d5
0x004117dc
0x004117e3
0x004117ea
0x004117f7
0x004117ff
0x00411803
0x00411807
0x00411808
0x0041180d
0x0041180e
0x00411816
0x0041181a
0x0041181e
0x0041181f
0x00411822
0x00411823
0x00411825
0x0041182a
0x004117b7
0x00411775
0x00411762
0x004116f8
0x004116d9
0x0041166a
0x0041182d
0x0041182e
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004114CC
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 00411503
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00411565
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000100), ref: 004115C4
__vbaFreeObj.MSVBVM60 ref: 004115F3
__vbaStrCat.MSVBVM60(00402914,0040290C), ref: 00411611
#522.MSVBVM60(?,00000008,00402914,0040290C), ref: 00411628
__vbaVarTstEq.MSVBVM60(00008008,?,?,00000008,00402914,0040290C), ref: 00411643
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,00000008,00402914,0040290C), ref: 00411659
__vbaStrCat.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 0041167C
__vbaStrMove.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00411686
__vbaStrCat.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00411691
__vbaStrMove.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 0041169B
__vbaInStr.MSVBVM60(00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 004116A8
__vbaFreeStrList.MSVBVM60(00000002,00000002,004026C0,00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 004116C8
__vbaFPInt.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 004116E5
__vbaFpR8.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 004116EA
__vbaChkstk.MSVBVM60 ref: 0041170F
#689.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041172C
__vbaStrMove.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411736
__vbaStrCmp.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041173E
__vbaFreeStr.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411754
__vbaLenBstr.MSVBVM60(00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041176D
#670.MSVBVM60(?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041177F
__vbaVarTstEq.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041179A
__vbaFreeVar.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004117A9
__vbaVarDup.MSVBVM60(00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004117F7
#595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402ABC,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041180E
__vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402ABC,00000000,00000000), ref: 00411825

Strings

prnumerant, xrefs: 00411784
Sgsmaalsgrunds7, xrefs: 00411727
oliemalinger, xrefs: 0041171D
Topforhandlernes, xrefs: 004117E3
stourness, xrefs: 00411722

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$CheckChkstkHresult$#522#595#670#689BstrNew2
String ID: Sgsmaalsgrunds7$Topforhandlernes$oliemalinger$prnumerant$stourness
API String ID: 1585906448-2475824071
Opcode ID: 033716a82a6bf55004185c2d2bb349601c678524e1617e11a520310895442918
Instruction ID: 3531a373524260d410351acf34ad13b473a3f7669a093c62ce4779f2f805e6f5
Opcode Fuzzy Hash: 033716a82a6bf55004185c2d2bb349601c678524e1617e11a520310895442918
Instruction Fuzzy Hash: 1F912D71900218AADB11EFA1CD45FDEB7B9AF44704F10817BE106BB1E1DB789A84CF69

Uniqueness

Uniqueness Score: -1.00%

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E00410054(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				char* _v116;
				char _v124;
				void* _v160;
				signed int _v164;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr _t84;
				short _t88;
				char* _t91;
				signed int _t98;
				short _t104;
				char* _t108;
				signed int _t112;
				void* _t139;
				void* _t141;
				intOrPtr _t142;
				char* _t147;

				_t142 = _t141 - 0xc;
				 *[fs:0x0] = _t142;
				L004013C0();
				_v16 = _t142;
				_v12 = 0x401260;
				_v8 = 0;
				_t84 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t139);
				_push(0x40290c);
				_push(0x402914);
				L004015AC();
				_v52 = _t84;
				_v60 = 8;
				_push( &_v60);
				_push( &_v76);
				L0040151C();
				_v116 = 0x402914;
				_v124 = 0x8008;
				_push( &_v76);
				_t88 =  &_v124;
				_push(_t88);
				L004015DC();
				_v160 = _t88;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L004015BE();
				_t91 = _v160;
				if(_t91 != 0) {
					_push(2);
					_push(0x4026c0);
					_push(0x4026c8);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026d0);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026d0);
					_push(0);
					L00401516();
					asm("sbb eax, eax");
					_v160 =  ~( ~(_t91 - 3) + 1);
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L004015A6();
					_t91 = _v160;
					_t147 = _t91;
					if(_t147 != 0) {
						L00401510();
						L004015A0();
						asm("fcomp qword [0x401250]");
						asm("fnstsw ax");
						asm("sahf");
						if(_t147 == 0) {
							_v116 = 0x80020004;
							_v124 = 0xa;
							_t98 = 0x10;
							L004013C0();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(L"HABITABLE");
							_push(L"Stengun2");
							_push(L"misbrugere"); // executed
							L0040157C(); // executed
							L004015B2();
							_push(_t98);
							_push(0);
							L00401582();
							asm("sbb eax, eax");
							_v160 =  ~( ~_t98 + 1);
							L004015C4();
							_t91 = _v160;
							if(_t91 != 0) {
								_push(0x402968);
								L00401576();
								if(_t91 == 1) {
									_push( &_v60);
									L00401570();
									_v116 = L"Dizaine";
									_v124 = 0x8008;
									_push( &_v60);
									_t104 =  &_v124;
									_push(_t104);
									L004015DC();
									_v160 = _t104;
									L0040156A();
									_t91 = _v160;
									if(_t91 != 0) {
										_v100 = 0x80020004;
										_v108 = 0xa;
										_v84 = 0x80020004;
										_v92 = 0xa;
										_v68 = 0x80020004;
										_v76 = 0xa;
										if( *0x415010 != 0) {
											_v180 = 0x415010;
										} else {
											_push(0x415010);
											_push(0x4030fc);
											L00401558();
											_v180 = 0x415010;
										}
										_t108 =  &_v44;
										L0040155E();
										_v160 = _t108;
										_t112 =  *((intOrPtr*)( *_v160 + 0x48))(_v160,  &_v36, _t108,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x35c))( *_v180));
										asm("fclex");
										_v164 = _t112;
										if(_v164 >= 0) {
											_v184 = _v184 & 0x00000000;
										} else {
											_push(0x48);
											_push(0x402760);
											_push(_v160);
											_push(_v164);
											L00401552();
											_v184 = _t112;
										}
										_v176 = _v36;
										_v36 = _v36 & 0x00000000;
										_v52 = _v176;
										_v60 = 8;
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_push(0);
										_push( &_v60);
										L00401564();
										L0040152E();
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_t91 =  &_v60;
										_push(_t91);
										_push(4);
										L004015BE();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x4103ae);
				return _t91;
			}

0x00410057
0x00410066
0x00410072
0x0041007a
0x0041007d
0x00410084
0x00410093
0x00410096
0x0041009b
0x004100a0
0x004100a5
0x004100a8
0x004100b2
0x004100b6
0x004100b7
0x004100bc
0x004100c3
0x004100cd
0x004100ce
0x004100d1
0x004100d2
0x004100d7
0x004100e1
0x004100e5
0x004100e6
0x004100e8
0x004100f0
0x004100f9
0x004100ff
0x00410101
0x00410106
0x0041010b
0x00410115
0x0041011a
0x0041011b
0x00410120
0x0041012a
0x0041012f
0x00410130
0x00410135
0x00410137
0x00410141
0x00410146
0x00410150
0x00410154
0x00410155
0x00410157
0x0041015f
0x00410166
0x00410168
0x00410174
0x00410179
0x0041017e
0x00410184
0x00410186
0x00410187
0x0041018d
0x00410194
0x0041019d
0x0041019e
0x004101a8
0x004101a9
0x004101aa
0x004101ab
0x004101ac
0x004101b1
0x004101b6
0x004101bb
0x004101c5
0x004101ca
0x004101cb
0x004101cd
0x004101d4
0x004101d9
0x004101e3
0x004101e8
0x004101f1
0x004101f7
0x004101fc
0x00410204
0x0041020d
0x0041020e
0x00410213
0x0041021a
0x00410224
0x00410225
0x00410228
0x00410229
0x0041022e
0x00410238
0x0041023d
0x00410246
0x0041024c
0x00410253
0x0041025a
0x00410261
0x00410268
0x0041026f
0x0041027d
0x0041029a
0x0041027f
0x0041027f
0x00410284
0x00410289
0x0041028e
0x0041028e
0x004102be
0x004102c2
0x004102c7
0x004102df
0x004102e2
0x004102e4
0x004102f1
0x00410313
0x004102f3
0x004102f3
0x004102f5
0x004102fa
0x00410300
0x00410306
0x0041030b
0x0041030b
0x0041031d
0x00410323
0x0041032d
0x00410330
0x0041033a
0x0041033e
0x00410342
0x00410343
0x00410348
0x00410349
0x00410351
0x00410359
0x0041035d
0x00410361
0x00410362
0x00410365
0x00410366
0x00410368
0x0041036d
0x00410246
0x00410204
0x004101f1
0x00410187
0x00410168
0x00410370
0x00410371
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00410072
__vbaStrCat.MSVBVM60(00402914,0040290C,?,?,?,?,004013C6), ref: 004100A0
#522.MSVBVM60(?,00000008), ref: 004100B7
__vbaVarTstEq.MSVBVM60(00008008,?), ref: 004100D2
__vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?), ref: 004100E8
__vbaStrCat.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 0041010B
__vbaStrMove.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410115
__vbaStrCat.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410120
__vbaStrMove.MSVBVM60(004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 0041012A
__vbaInStr.MSVBVM60(00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410137
__vbaFreeStrList.MSVBVM60(00000002,004026C0,004026C8,00000000,004026D0,00000000,004026D0,00000000,004026C8,004026C0,00000002,?,?,004013C6), ref: 00410157
__vbaFPInt.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410174
__vbaFpR8.MSVBVM60(004026C8,004026C0,00000002,?,?,004013C6), ref: 00410179
__vbaChkstk.MSVBVM60 ref: 0041019E
#689.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 004101BB
__vbaStrMove.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 004101C5
__vbaStrCmp.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101CD
__vbaFreeStr.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101E3
__vbaLenBstr.MSVBVM60(00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004101FC
#670.MSVBVM60(?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0041020E
__vbaVarTstEq.MSVBVM60(00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410229
__vbaFreeVar.MSVBVM60(00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410238
__vbaNew2.MSVBVM60(004030FC,00415010,00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 00410289
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 004102C2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,00000048,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000,misbrugere), ref: 00410306
#595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000), ref: 00410349
__vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402968,00000000,00000000), ref: 00410351
__vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008), ref: 00410368

Strings

HABITABLE, xrefs: 004101AC
Dizaine, xrefs: 00410213
misbrugere, xrefs: 004101B6
Stengun2, xrefs: 004101B1

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$Chkstk$#522#595#670#689BstrCheckHresultNew2
String ID: Dizaine$HABITABLE$Stengun2$misbrugere
API String ID: 3850225901-803909472
Opcode ID: bb98ce092d9f71e99c4b89a6499770605a593f750aef5e49c79fbdbd9a8f1344
Instruction ID: c94ba173236eca13bcaa98f06b99431acf174e6394fedd475f9c054147d6633e
Opcode Fuzzy Hash: bb98ce092d9f71e99c4b89a6499770605a593f750aef5e49c79fbdbd9a8f1344
Instruction Fuzzy Hash: 3A812B7195021CEBDB10EFA1CC45BDEB7B8BF44704F10416AF506BB191DBB899848F69

Uniqueness

Uniqueness Score: -1.00%

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004104B1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				char _v68;
				intOrPtr _v76;
				char _v84;
				short _v104;
				intOrPtr _t29;
				char* _t31;
				short _t33;
				short _t37;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L004013C0();
				_v16 = _t50;
				_v12 = 0x401280;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4013c6, _t47);
				L0040154C();
				_push(0x40290c);
				_push(0x402984);
				L004015AC();
				L004015B2();
				_push(_t29);
				_push(0x402984);
				L004015AC();
				_v44 = _t29;
				_v52 = 8;
				_push( &_v52);
				_t31 =  &_v68;
				_push(_t31);
				L00401504();
				_push(0x402984);
				_push(0x402984);
				L004015AC();
				_v76 = _t31;
				_v84 = 0x8008;
				_push( &_v68);
				_t33 =  &_v84;
				_push(_t33);
				L004015DC();
				_v104 = _t33;
				L004015C4();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L004015BE();
				_t37 = _v104;
				if(_t37 != 0) {
					_push(L"prenominate");
					_push(L"Karseklippet");
					_push(L"Oculus");
					_push(L"unwall"); // executed
					L004014FE(); // executed
				}
				_push(0x4105d3);
				L004015C4();
				return _t37;
			}

0x004104b4
0x004104c3
0x004104cd
0x004104d5
0x004104d8
0x004104df
0x004104ee
0x004104f7
0x004104fc
0x00410501
0x00410506
0x00410510
0x00410515
0x00410516
0x0041051b
0x00410520
0x00410523
0x0041052d
0x0041052e
0x00410531
0x00410532
0x00410537
0x0041053c
0x00410541
0x00410546
0x00410549
0x00410553
0x00410554
0x00410557
0x00410558
0x0041055d
0x00410564
0x0041056c
0x00410570
0x00410574
0x00410575
0x00410577
0x0041057f
0x00410585
0x00410587
0x0041058c
0x00410591
0x00410596
0x0041059b
0x0041059b
0x004105a0
0x004105cd
0x004105d2

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004104CD
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 004104F7
__vbaStrCat.MSVBVM60(00402984,0040290C,?,?,?,?,004013C6), ref: 00410506
__vbaStrMove.MSVBVM60(00402984,0040290C,?,?,?,?,004013C6), ref: 00410510
__vbaStrCat.MSVBVM60(00402984,00000000,00402984,0040290C,?,?,?,?,004013C6), ref: 0041051B
#520.MSVBVM60(?,00000008), ref: 00410532
__vbaStrCat.MSVBVM60(00402984,00402984,?,00000008), ref: 00410541
__vbaVarTstEq.MSVBVM60(00008008,00402984), ref: 00410558
__vbaFreeStr.MSVBVM60(00008008,00402984), ref: 00410564
__vbaFreeVarList.MSVBVM60(00000003,00000008,00402984,00008008,00008008,00402984), ref: 00410577
#690.MSVBVM60(unwall,Oculus,Karseklippet,prenominate,?,?,?,004013C6), ref: 0041059B
__vbaFreeStr.MSVBVM60(004105D3,?,?,?,004013C6), ref: 004105CD

Strings

Oculus, xrefs: 00410591
Karseklippet, xrefs: 0041058C
prenominate, xrefs: 00410587
unwall, xrefs: 00410596

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#520#690ChkstkCopyListMove
String ID: Karseklippet$Oculus$prenominate$unwall
API String ID: 1353531886-1380899336
Opcode ID: 4b39f2c9f3acb4b57a7e46f922a700e135264b73418eca75286e06ac7b180b60
Instruction ID: da3f51fdc5b86d29f14f6bcc288f438ab6f9656767895bff36086466552422a1
Opcode Fuzzy Hash: 4b39f2c9f3acb4b57a7e46f922a700e135264b73418eca75286e06ac7b180b60
Instruction Fuzzy Hash: F02119B1A50209BFCB00EBD1CD46FEEB7B8AF44704F54403BB405BA1E1DAB895458B59

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0063171E, Relevance: .4, Instructions: 389COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91dc3de937862a202af3aa1c3b8b9f969bca4657f4da65722e7d3cbb7065e432
Instruction ID: 96ef02022788331c84b89d677731b971f9ade2b56a690bedf493ed242ca7b934
Opcode Fuzzy Hash: 91dc3de937862a202af3aa1c3b8b9f969bca4657f4da65722e7d3cbb7065e432
Instruction Fuzzy Hash: FBD11771744606EFD7549F28CC90BE5B3A6FF0A350F24422AEC5A9B381DB34A8539BD1

Uniqueness

Uniqueness Score: -1.00%

Function 00631CDD, Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32c391b0a45537bd36190271cc67391f1616546fd9dc2b2eeebeaad57eddf21a
Instruction ID: 2145f175fe0c5cc460ad58f2ed14a4efe1dc66c5459294143650380146849fb9
Opcode Fuzzy Hash: 32c391b0a45537bd36190271cc67391f1616546fd9dc2b2eeebeaad57eddf21a
Instruction Fuzzy Hash: 14312371604602DFD7949A18CD51BF673E6FF07360F65422AFC9ADB242EB14A8469BC0

Uniqueness

Uniqueness Score: -1.00%

Function 00631D05, Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ae6348d69f25423fb4b5dd3c67de272a485caba80cdedbba64ea93d6a444ca7
Instruction ID: 472cb249e3bbba6d11db8d860a48865c1b16fabfbc554799cbff1e6c5c22fa4e
Opcode Fuzzy Hash: 1ae6348d69f25423fb4b5dd3c67de272a485caba80cdedbba64ea93d6a444ca7
Instruction Fuzzy Hash: C431E175704602DFD7949A18CD51BE673E6FF07360F25822AFC5ADB241EB24A8469BC0

Uniqueness

Uniqueness Score: -1.00%

Function 0063507E, Relevance: .0, Instructions: 32COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e84db7f80f0cd8a544318df1b71585aa170ccd37199683ebc41ca03b2e5a5a4
Instruction ID: 059c2c360edbd80a33cb5045693be3c5c257aad43fc4bdde2591a2e1e17ce770
Opcode Fuzzy Hash: 3e84db7f80f0cd8a544318df1b71585aa170ccd37199683ebc41ca03b2e5a5a4
Instruction Fuzzy Hash: 42F0F878309A40CFEB18DA18C690F65B3A3AF56750F2185A6EC0387269DB21DC42E5D5

Uniqueness

Uniqueness Score: -1.00%

Function 006330D4, Relevance: .0, Instructions: 8COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c0deb8d35862c33aa5a370279232b377f618015453ae130a262ae32d539ceff
Instruction ID: 34e3a15e9de179d1dc7cb79b55141739a236eda5b12506c5efb486b5b8916cd7
Opcode Fuzzy Hash: 1c0deb8d35862c33aa5a370279232b377f618015453ae130a262ae32d539ceff
Instruction Fuzzy Hash: 61C048B63026808BEB19CA08C882A0473A1FB80648B1808A0E002CB716C324EA429A04

Uniqueness

Uniqueness Score: -1.00%

Function 0063347D, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction ID: f1647c15dfe5582e2114d8b48c9dc7a79c4e1b76aa7bcc19d5d00c5bce2ac4c7
Opcode Fuzzy Hash: 9553b201f40634b3f0bfaa8b0557a5c34869809b08848db32634946b51e74d60
Instruction Fuzzy Hash:

Uniqueness

Uniqueness Score: -1.00%

Function 00634C05, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b264a7bcf64f808a3457af15005fafe32f145b91267b621d68ef3e8d6384e61
Instruction ID: 98d68b30f6ab9ccea5c403f1bc85f21709a1aa81f771bd575d618756ed61e0d1
Opcode Fuzzy Hash: 9b264a7bcf64f808a3457af15005fafe32f145b91267b621d68ef3e8d6384e61
Instruction Fuzzy Hash: 1AB09275211640CFCA95CA0AC2C0E90B3B1BB00740F011490E8028BA51C325E804C940

Uniqueness

Uniqueness Score: -1.00%

Function 0041345A, Relevance: 180.7, APIs: 94, Strings: 9, Instructions: 493
COMMON

Download Yara Rule

C-Code - Quality: 35%

			E0041345A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v120;
				char _v128;
				char _v144;
				signed int _v168;
				char _v176;
				char* _v184;
				intOrPtr _v192;
				void* _v212;
				signed int _v216;
				signed int _v220;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _t155;
				signed int _t162;
				signed int _t166;
				char* _t169;
				signed int _t184;
				signed int _t188;
				char* _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr _t301;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t301;
				L004013C0();
				_v12 = _t301;
				_v8 = 0x401398;
				_push(0x402a0c);
				_push(0x402c5c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a0c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402c5c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a0c);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x4026d8);
				L004015AC();
				_v120 = 0xd8;
				_v128 = 8;
				_push( &_v128);
				_push( &_v144);
				L004014AA();
				_v168 = 0xc;
				_v176 = 0x8002;
				_push( &_v144);
				_t155 =  &_v176;
				_push(_t155);
				L004015DC();
				_v216 = _t155;
				_push( &_v48);
				_push( &_v44);
				_push( &_v40);
				_push( &_v36);
				_push(4);
				L004015A6();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L004015BE();
				_t162 = _v216;
				if(_t162 != 0) {
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					_v120 = _t162;
					_v128 = 8;
					_v184 = L"BERUFSVERBOT";
					_v192 = 8;
					_t166 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v112, 0x402a34, _t162, 0x402b30, _t162, 0x402b28, _t162, 0x402b20, _t162, 0x402b18, _t162, 0x4026c8, 0x402b10);
					asm("fclex");
					_v216 = _t166;
					if(_v216 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x218);
						_push(0x402438);
						_push(_a4);
						_push(_v216);
						L00401552();
						_v228 = _t166;
					}
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"Add");
					_push(_v112);
					_t169 =  &_v144;
					_push(_t169);
					L00401498();
					_push(_t169);
					L0040149E();
					_push(_t169);
					_push( &_v24);
					L004014A4();
					_push( &_v52);
					_push( &_v48);
					_push( &_v44);
					_push( &_v40);
					_push( &_v36);
					_push(5);
					L004015A6();
					L0040152E();
					_push( &_v144);
					_push( &_v128);
					_push(2);
					L004015BE();
					_v168 = 0x470d;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X1");
					_push(_v24);
					L00401492();
					_v168 = 0x878;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X2");
					_push(_v24);
					L00401492();
					_v168 = 0x2c0e;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y1");
					_push(_v24);
					L00401492();
					if( *0x415010 != 0) {
						_v232 = 0x415010;
					} else {
						_push(0x415010);
						_push(0x4030fc);
						L00401558();
						_v232 = 0x415010;
					}
					_t184 =  &_v112;
					L0040155E();
					_v216 = _t184;
					_t188 =  *((intOrPtr*)( *_v216 + 0x108))(_v216,  &_v212, _t184,  *((intOrPtr*)( *((intOrPtr*)( *_v232)) + 0x35c))( *_v232));
					asm("fclex");
					_v220 = _t188;
					if(_v220 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x402760);
						_push(_v216);
						_push(_v220);
						L00401552();
						_v236 = _t188;
					}
					_v168 = _v212;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y2");
					_push(_v24);
					L00401492();
					L0040152E();
					_v168 = _v168 | 0xffffffff;
					_v176 = 0xb;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Visible");
					_push(_v24);
					L00401492();
					_v168 = 1;
					_v176 = 0x8002;
					_push(0);
					_push(L"BorderStyle");
					_push(_v24);
					_t192 =  &_v128;
					_push(_t192);
					L00401498();
					_push(_t192);
					_t193 =  &_v176;
					_push(_t193);
					L004015DC();
					_v216 = _t193;
					L0040156A();
					_t162 = _v216;
					if(_t162 != 0) {
						_v120 = 0xe;
						_v128 = 2;
						_t194 =  &_v128;
						_push(_t194);
						L0040148C();
						L004015B2();
						_push(_t194);
						_push(0x40272c);
						_push(0x402b98);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402984);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402ba0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402ba8);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402984);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a3c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b28);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b30);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb8);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x40290c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bc0);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a04);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a2c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a34);
						L004015AC();
						L004015B2();
						_push(_t194);
						L00401582();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t194 + 1);
						_push( &_v108);
						_push( &_v104);
						_push( &_v100);
						_push( &_v96);
						_push( &_v92);
						_push( &_v88);
						_t134 =  &_v84; // 0x402a34
						_push( &_v80);
						_t136 =  &_v76; // 0x402b30
						_push( &_v72);
						_t138 =  &_v68; // 0x402b28
						_push( &_v64);
						_t140 =  &_v60; // 0x402b20
						_push( &_v56);
						_push( &_v52);
						_push( &_v48);
						_push( &_v44);
						_push( &_v40);
						_push( &_v36);
						_push(0x13);
						L004015A6();
						L0040156A();
						_t162 = _v216;
						if(_t162 != 0) {
							L00401486();
						}
					}
				}
				asm("wait");
				_push(0x413b9d);
				L0040152E();
				return _t162;
			}

0x0041345f
0x0041346a
0x0041346b
0x00413477
0x0041347f
0x00413482
0x00413489
0x0041348e
0x00413493
0x0041349d
0x004134a2
0x004134a3
0x004134a8
0x004134b2
0x004134b7
0x004134b8
0x004134bd
0x004134c7
0x004134cc
0x004134cd
0x004134d2
0x004134dc
0x004134e1
0x004134e2
0x004134e7
0x004134ec
0x004134ef
0x004134f9
0x00413500
0x00413501
0x00413506
0x00413510
0x00413520
0x00413521
0x00413527
0x00413528
0x0041352d
0x00413537
0x0041353b
0x0041353f
0x00413543
0x00413544
0x00413546
0x00413554
0x00413558
0x00413559
0x0041355b
0x00413563
0x0041356c
0x0041357c
0x00413586
0x00413591
0x0041359b
0x004135a6
0x004135b0
0x004135bb
0x004135c5
0x004135d0
0x004135da
0x004135e5
0x004135ea
0x004135ed
0x004135f4
0x004135fe
0x00413614
0x0041361a
0x0041361c
0x00413629
0x0041364b
0x0041362b
0x0041362b
0x00413630
0x00413635
0x00413638
0x0041363e
0x00413643
0x00413643
0x00413652
0x00413655
0x0041365f
0x00413660
0x00413661
0x00413662
0x00413663
0x00413666
0x00413673
0x00413674
0x00413675
0x00413676
0x00413677
0x00413679
0x0041367e
0x00413681
0x00413687
0x00413688
0x00413690
0x00413691
0x00413696
0x0041369a
0x0041369b
0x004136a3
0x004136a7
0x004136ab
0x004136af
0x004136b3
0x004136b4
0x004136b6
0x004136c1
0x004136cc
0x004136d0
0x004136d1
0x004136d3
0x004136db
0x004136e5
0x004136ef
0x004136f2
0x004136ff
0x00413700
0x00413701
0x00413702
0x00413703
0x00413708
0x0041370b
0x00413710
0x0041371a
0x00413724
0x00413727
0x00413734
0x00413735
0x00413736
0x00413737
0x00413738
0x0041373d
0x00413740
0x00413745
0x0041374f
0x00413759
0x0041375c
0x00413769
0x0041376a
0x0041376b
0x0041376c
0x0041376d
0x00413772
0x00413775
0x00413781
0x0041379e
0x00413783
0x00413783
0x00413788
0x0041378d
0x00413792
0x00413792
0x004137c2
0x004137c6
0x004137cb
0x004137e6
0x004137ec
0x004137ee
0x004137fb
0x00413820
0x004137fd
0x004137fd
0x00413802
0x00413807
0x0041380d
0x00413813
0x00413818
0x00413818
0x0041382e
0x00413835
0x0041383f
0x00413842
0x0041384f
0x00413850
0x00413851
0x00413852
0x00413853
0x00413858
0x0041385b
0x00413863
0x00413868
0x0041386f
0x00413879
0x0041387c
0x00413889
0x0041388a
0x0041388b
0x0041388c
0x0041388d
0x00413892
0x00413895
0x0041389a
0x004138a4
0x004138ae
0x004138b0
0x004138b5
0x004138b8
0x004138bb
0x004138bc
0x004138c4
0x004138c5
0x004138cb
0x004138cc
0x004138d1
0x004138db
0x004138e0
0x004138e9
0x004138ef
0x004138f6
0x004138fd
0x00413900
0x00413901
0x0041390b
0x00413910
0x00413911
0x00413916
0x0041391b
0x00413925
0x0041392a
0x0041392b
0x00413930
0x0041393a
0x0041393f
0x00413940
0x00413945
0x0041394f
0x00413954
0x00413955
0x0041395a
0x00413964
0x00413969
0x0041396a
0x0041396f
0x00413979
0x0041397e
0x0041397f
0x00413984
0x0041398e
0x00413993
0x00413994
0x00413999
0x004139a3
0x004139a8
0x004139a9
0x004139ae
0x004139b8
0x004139bd
0x004139be
0x004139c3
0x004139cd
0x004139d2
0x004139d3
0x004139d8
0x004139e2
0x004139e7
0x004139e8
0x004139ed
0x004139f7
0x004139fc
0x004139fd
0x00413a02
0x00413a0c
0x00413a11
0x00413a12
0x00413a17
0x00413a21
0x00413a26
0x00413a27
0x00413a2c
0x00413a36
0x00413a3b
0x00413a3c
0x00413a41
0x00413a4b
0x00413a50
0x00413a51
0x00413a56
0x00413a60
0x00413a65
0x00413a66
0x00413a6b
0x00413a75
0x00413a7a
0x00413a7b
0x00413a80
0x00413a8a
0x00413a8f
0x00413a90
0x00413a97
0x00413a9c
0x00413aa6
0x00413aaa
0x00413aae
0x00413ab2
0x00413ab6
0x00413aba
0x00413abb
0x00413ac2
0x00413ac3
0x00413aca
0x00413acb
0x00413ad2
0x00413ad3
0x00413ada
0x00413ade
0x00413ae2
0x00413ae6
0x00413aea
0x00413aee
0x00413aef
0x00413af1
0x00413afc
0x00413b01
0x00413b0a
0x00413b0c
0x00413b0c
0x00413b0a
0x004138e9
0x00413b11
0x00413b12
0x00413b97
0x00413b9c

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413477
__vbaStrCat.MSVBVM60(00402C5C,00402A0C,?,?,?,?,004013C6), ref: 00413493
__vbaStrMove.MSVBVM60(00402C5C,00402A0C,?,?,?,?,004013C6), ref: 0041349D
__vbaStrCat.MSVBVM60(00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134A8
__vbaStrMove.MSVBVM60(00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134B2
__vbaStrCat.MSVBVM60(00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134BD
__vbaStrMove.MSVBVM60(00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134C7
__vbaStrCat.MSVBVM60(00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134D2
__vbaStrMove.MSVBVM60(00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134DC
__vbaStrCat.MSVBVM60(004026D8,00000000,00402A0C,00000000,00402C5C,00000000,00402A0C,00000000,00402C5C,00402A0C,?,?,?,?,004013C6), ref: 004134E7
#544.MSVBVM60(?,00000008), ref: 00413501
__vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00413528
__vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00008002,?), ref: 00413546
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0041355B
__vbaStrCat.MSVBVM60(004026C8,00402B10), ref: 0041357C
__vbaStrMove.MSVBVM60(004026C8,00402B10), ref: 00413586
__vbaStrCat.MSVBVM60(00402B18,00000000,004026C8,00402B10), ref: 00413591
__vbaStrMove.MSVBVM60(00402B18,00000000,004026C8,00402B10), ref: 0041359B
__vbaStrCat.MSVBVM60(00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135A6
__vbaStrMove.MSVBVM60(00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135B0
__vbaStrCat.MSVBVM60(00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135BB
__vbaStrMove.MSVBVM60(00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135C5
__vbaStrCat.MSVBVM60(00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135D0
__vbaStrMove.MSVBVM60(00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135DA
__vbaStrCat.MSVBVM60(00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 004135E5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,00000218), ref: 0041363E
__vbaChkstk.MSVBVM60 ref: 00413655
__vbaChkstk.MSVBVM60 ref: 00413666
__vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00413688
__vbaObjVar.MSVBVM60(00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 00413691
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000,004026C8,00402B10), ref: 0041369B
__vbaFreeStrList.MSVBVM60(00000005,?,00402B10,004026C8,00000000,00402B18,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20), ref: 004136B6
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20,00000000,00402B18,00000000), ref: 004136C1
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,00402A34,00000000,00402B30,00000000,00402B28,00000000,00402B20), ref: 004136D3
__vbaChkstk.MSVBVM60 ref: 004136F2
__vbaLateMemSt.MSVBVM60(?,00402B58), ref: 0041370B
__vbaChkstk.MSVBVM60(?,00402B58), ref: 00413727
__vbaLateMemSt.MSVBVM60(?,00402B60,?,00402B58), ref: 00413740
__vbaChkstk.MSVBVM60(?,00402B60,?,00402B58), ref: 0041375C
__vbaLateMemSt.MSVBVM60(?,00402B68,?,00402B60,?,00402B58), ref: 00413775
__vbaNew2.MSVBVM60(004030FC,00415010,?,00402B68,?,00402B60,?,00402B58), ref: 0041378D
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 004137C6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,00000108,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60), ref: 00413813
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 00413842
__vbaLateMemSt.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 0041385B
__vbaFreeObj.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 00413863
__vbaChkstk.MSVBVM60(?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60,?,00402B58), ref: 0041387C
__vbaLateMemSt.MSVBVM60(?,Visible,?,00402B70,?,?,?,?,?,?,?,?,?,00402B68,?,00402B60), ref: 00413895
__vbaLateMemCallLd.MSVBVM60(?,?,BorderStyle,00000000,?,Visible,?,00402B70), ref: 004138BC
__vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A34), ref: 004138CC
__vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A34), ref: 004138DB
#651.MSVBVM60(00000002,?,00000000), ref: 00413901
__vbaStrMove.MSVBVM60(00000002,?,00000000), ref: 0041390B
__vbaStrCat.MSVBVM60(00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041391B
__vbaStrMove.MSVBVM60(00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413925
__vbaStrCat.MSVBVM60(00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413930
__vbaStrMove.MSVBVM60(00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041393A
__vbaStrCat.MSVBVM60(0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413945
__vbaStrMove.MSVBVM60(0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041394F
__vbaStrCat.MSVBVM60(00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041395A
__vbaStrMove.MSVBVM60(00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413964
__vbaStrCat.MSVBVM60(00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041396F
__vbaStrMove.MSVBVM60(00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413979
__vbaStrCat.MSVBVM60(0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 00413984
__vbaStrMove.MSVBVM60(0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002,?,00000000), ref: 0041398E
__vbaStrCat.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002), ref: 00413999
__vbaStrMove.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C,00000000,00000002), ref: 004139A3
__vbaStrCat.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 004139AE
__vbaStrMove.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 004139B8
__vbaStrCat.MSVBVM60(00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000), ref: 004139C3
__vbaStrMove.MSVBVM60(00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000), ref: 004139CD
__vbaStrCat.MSVBVM60(00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000), ref: 004139D8
__vbaStrMove.MSVBVM60(00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000), ref: 004139E2
__vbaStrCat.MSVBVM60(00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000), ref: 004139ED
__vbaStrMove.MSVBVM60(00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000), ref: 004139F7
__vbaStrCat.MSVBVM60(00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000), ref: 00413A02
__vbaStrMove.MSVBVM60(00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000), ref: 00413A0C
__vbaStrCat.MSVBVM60(0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000), ref: 00413A17
__vbaStrMove.MSVBVM60(0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000,0040290C,00000000), ref: 00413A21
__vbaStrCat.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000), ref: 00413A2C
__vbaStrMove.MSVBVM60(00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000,00402BB0,00000000), ref: 00413A36
__vbaStrCat.MSVBVM60(00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000), ref: 00413A41
__vbaStrMove.MSVBVM60(00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000,00402984,00000000), ref: 00413A4B
__vbaStrCat.MSVBVM60(00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000), ref: 00413A56
__vbaStrMove.MSVBVM60(00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000,00402A3C,00000000), ref: 00413A60
__vbaStrCat.MSVBVM60(00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000), ref: 00413A6B
__vbaStrMove.MSVBVM60(00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000,00402B28,00000000), ref: 00413A75
__vbaStrCat.MSVBVM60(00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000), ref: 00413A80
__vbaStrMove.MSVBVM60(00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30,00000000), ref: 00413A8A
__vbaStrCmp.MSVBVM60(00000000,00402A34,00000000,00402A2C,00000000,00402A04,00000000,00402BC0,00000000,00402BB0,00000000,0040290C,00000000,00402BB8,00000000,00402B30), ref: 00413A90
__vbaFreeStrList.MSVBVM60(00000013,?,00402B10,004026C8,00000000,00402B18,00000000, +@,00000000,(+@,00000000,0+@,00000000,4*@,00000000,00000000), ref: 00413AF1
__vbaFreeVar.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 00413AFC
#554.MSVBVM60(00402984,00000000,00402BB0,00000000,0040290C,00000000,00402BA8,00000000,00402BA0,00000000,0040290C,00000000,00402984,00000000,00402B98,0040272C), ref: 00413B0C
__vbaFreeObj.MSVBVM60(00413B9D), ref: 00413B97

Strings

4*@, xrefs: 00413A1E, 00413ABB, 00413ABE
G, xrefs: 004136DB
Add, xrefs: 00413679
BERUFSVERBOT, xrefs: 004135F4
+@, xrefs: 004139A0, 00413AD3, 00413AD6
BorderStyle, xrefs: 004138B0
0+@, xrefs: 004139F4, 00413AC3, 00413AC6
(+@, xrefs: 004139CA, 00413ACB, 00413ACE
Visible, xrefs: 0041388D

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Move$Free$Chkstk$Late$List$CallCheckHresult$#544#554#651AddrefNew2
String ID: G$ +@$(+@$0+@$4*@$Add$BERUFSVERBOT$BorderStyle$Visible
API String ID: 2720917139-3050207803
Opcode ID: 4f59cca7ad95153a9d854485047ea0226f05f699db07b97cfefa506b75e81423
Instruction ID: f78f4f10e8f4b6b8e6733b098a218ef5b47c176dc098ae571219f454794afdf6
Opcode Fuzzy Hash: 4f59cca7ad95153a9d854485047ea0226f05f699db07b97cfefa506b75e81423
Instruction Fuzzy Hash: E3025271E40208AADB11EFA1CD46FDE7378AF44704F50417BB506BB1E1DEB8AA448F69

Uniqueness

Uniqueness Score: -1.00%

Function 00411205, Relevance: 45.2, APIs: 30, Instructions: 188
COMMON

Download Yara Rule

C-Code - Quality: 41%

			E00411205(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				long long* _v12;
				long long* _v36;
				char _v48;
				void* _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _t62;
				signed int _t66;
				char* _t68;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				char* _t93;
				long long* _t110;
				signed int _t111;
				void* _t112;
				signed int _t113;
				long long _t117;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t110;
				_push(0x5c);
				L004013C0();
				_v12 = _t110;
				_v8 = 0x4012f8;
				L0040154C();
				_push(5);
				_push(0x402a44);
				_t62 =  &_v48;
				_push(_t62);
				L004014CE();
				_push(0x402a2c);
				_push(0x402a34);
				L004015AC();
				L004015B2();
				_push(_t62);
				_push(0x402a3c);
				L004015AC();
				L004015B2();
				L004015C4();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x402a34);
				_push(_v60);
				L004014C8();
				L004015B2();
				_push(_v60);
				_push(0x402a2c);
				_push(0x402a3c);
				L004015AC();
				L004015B2();
				_push(_t62);
				L00401582();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t62 + 1);
				_t93 =  &_v64;
				L004015C4();
				_t66 = _v92;
				_t111 = _t66;
				if(_t111 != 0) {
					asm("fld1");
					L00401432();
					L004015A0();
					asm("fcomp qword [0x4012f0]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t111 == 0) {
						_push(0x402a04);
						L004014C2();
						_t112 = _t66 - 0x61;
						if(_t112 == 0) {
							asm("fld1");
							 *_v36 = __fp0;
							_t117 =  *0x4012e8;
							 *((long long*)(_v36 + 8)) = _t117;
							_v88 =  &_v48;
							_push( &_v88);
							asm("fld1");
							_push(_t93);
							_push(_t93);
							 *_t110 = _t117;
							L004014BC();
							L004015A0();
							asm("fcomp qword [0x4012e0]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t112 == 0) {
								_push(0x402a0c);
								L004014EC();
								asm("fcomp dword [0x4012ac]");
								asm("fnstsw ax");
								asm("sahf");
								if(_t112 == 0) {
									_t76 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v88);
									asm("fclex");
									_v92 = _t76;
									_t113 = _v92;
									if(_t113 >= 0) {
										_v104 = _v104 & 0x00000000;
									} else {
										_push(0xb0);
										_push(0x402438);
										_push(_a4);
										_push(_v92);
										L00401552();
										_v104 = _t76;
									}
									asm("fcomp dword [0x4012a8]");
									asm("fnstsw ax");
									asm("sahf");
									if(_t113 == 0) {
										if( *0x415010 != 0) {
											_v108 = 0x415010;
										} else {
											_push(0x415010);
											_push(0x4030fc);
											L00401558();
											_v108 = 0x415010;
										}
										_t80 =  &_v68;
										L0040155E();
										_v92 = _t80;
										_t84 =  *((intOrPtr*)( *_v92 + 0xb8))(_v92,  &_v64, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x35c))( *_v108));
										asm("fclex");
										_v96 = _t84;
										if(_v96 >= 0) {
											_v112 = _v112 & 0x00000000;
										} else {
											_push(0xb8);
											_push(0x402760);
											_push(_v92);
											_push(_v96);
											L00401552();
											_v112 = _t84;
										}
										_push(_v64);
										_push(0x60);
										_push(0xffffffff);
										_push(0x20);
										L004014E6();
										L004015C4();
										L0040152E();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x411491);
				_v88 =  &_v48;
				_t68 =  &_v88;
				_push(_t68);
				_push(0);
				L004014D4();
				L004015C4();
				L004015C4();
				return _t68;
			}

0x0041120a
0x00411215
0x00411216
0x0041121d
0x00411220
0x00411228
0x0041122b
0x00411238
0x0041123d
0x0041123f
0x00411244
0x00411247
0x00411248
0x0041124d
0x00411252
0x00411257
0x00411261
0x00411266
0x00411267
0x0041126c
0x00411276
0x0041127e
0x00411283
0x00411285
0x00411287
0x00411289
0x0041128b
0x00411290
0x00411293
0x0041129d
0x004112a2
0x004112a5
0x004112aa
0x004112af
0x004112b9
0x004112be
0x004112bf
0x004112c6
0x004112cb
0x004112cf
0x004112d2
0x004112d7
0x004112db
0x004112dd
0x004112e3
0x004112e5
0x004112ea
0x004112ef
0x004112f5
0x004112f7
0x004112f8
0x004112fe
0x00411303
0x00411308
0x0041130c
0x00411315
0x00411317
0x0041131c
0x00411322
0x00411328
0x0041132e
0x0041132f
0x00411331
0x00411332
0x00411333
0x00411336
0x0041133b
0x00411340
0x00411346
0x00411348
0x00411349
0x0041134f
0x00411354
0x00411359
0x0041135f
0x00411361
0x00411362
0x00411374
0x0041137a
0x0041137c
0x0041137f
0x00411383
0x0041139f
0x00411385
0x00411385
0x0041138a
0x0041138f
0x00411392
0x00411395
0x0041139a
0x0041139a
0x004113a6
0x004113ac
0x004113ae
0x004113af
0x004113bc
0x004113d6
0x004113be
0x004113be
0x004113c3
0x004113c8
0x004113cd
0x004113cd
0x004113f1
0x004113f5
0x004113fa
0x00411409
0x0041140f
0x00411411
0x00411418
0x00411434
0x0041141a
0x0041141a
0x0041141f
0x00411424
0x00411427
0x0041142a
0x0041142f
0x0041142f
0x00411438
0x0041143b
0x0041143d
0x0041143f
0x00411441
0x00411449
0x00411451
0x00411451
0x004113af
0x00411362
0x00411349
0x0041130c
0x004112f8
0x00411456
0x00411457
0x00411472
0x00411475
0x00411478
0x00411479
0x0041147b
0x00411483
0x0041148b
0x00411490

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00411220
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00411238
__vbaAryConstruct2.MSVBVM60(?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411248
__vbaStrCat.MSVBVM60(00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411257
__vbaStrMove.MSVBVM60(00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411261
__vbaStrCat.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 0041126C
__vbaStrMove.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 00411276
__vbaFreeStr.MSVBVM60(00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005,?,?,?,?,004013C6), ref: 0041127E
#712.MSVBVM60(?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 00411293
__vbaStrMove.MSVBVM60(?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 0041129D
__vbaStrCat.MSVBVM60(00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 004112AF
__vbaStrMove.MSVBVM60(00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44,00000005), ref: 004112B9
__vbaStrCmp.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112BF
__vbaFreeStr.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112D2
_CIlog.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112E5
__vbaFpR8.MSVBVM60(00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?,00402A44), ref: 004112EA
#516.MSVBVM60(00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34,00402A2C,?), ref: 00411303
#684.MSVBVM60(?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000), ref: 00411336
__vbaFpR8.MSVBVM60(?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000), ref: 0041133B
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C), ref: 00411354
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,000000B0,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411395
__vbaNew2.MSVBVM60(004030FC,00415010,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000), ref: 004113C8
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000), ref: 004113F5
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402760,000000B8,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 0041142A
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411441
__vbaFreeStr.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411449
__vbaFreeObj.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A04,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001), ref: 00411451
__vbaAryDestruct.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 0041147B
__vbaFreeStr.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 00411483
__vbaFreeStr.MSVBVM60(00000000,?,00411491,00000000,00402A3C,00402A2C,?,?,00402A34,00000000,00000001,000000FF,00000000,00402A3C,00000000,00402A34), ref: 0041148B

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$CheckHresult$#516#684#712ChkstkConstruct2CopyDestructFileIlogNew2Open
String ID:
API String ID: 2720509884-0
Opcode ID: 496f501515edf77aecb0298144b6b5b474681858621a6512c79f67540555a0c5
Instruction ID: 4665281a537e9d5a375a5ae2fff27dc0d8025a1f6e9d83233047d7cebb295480
Opcode Fuzzy Hash: 496f501515edf77aecb0298144b6b5b474681858621a6512c79f67540555a0c5
Instruction Fuzzy Hash: 5D612630A40248ABDB10EBE1DD86BDEBBB9AF44704F50413BF116BA1F5DB785985CB18

Uniqueness

Uniqueness Score: -1.00%

Function 00412403, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 67%

			E00412403(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				short _v80;
				intOrPtr _t22;
				char* _t23;
				char* _t28;
				intOrPtr _t46;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_t22 = 0x40;
				L004013C0();
				_v12 = _t46;
				_v8 = 0x401348;
				L0040158E();
				L0040154C();
				_push("12-");
				_push(L"12-12");
				L004015AC();
				_v52 = _t22;
				_v60 = 8;
				_t23 =  &_v60;
				_push(_t23);
				L0040147A();
				asm("sbb eax, eax");
				_v80 =  ~( ~(_t23 - 0xffff) + 1);
				L0040156A();
				_t28 = _v80;
				if(_t28 != 0) {
					_v52 = 1;
					_v60 = 2;
					_push(0);
					_t28 =  &_v60;
					_push(_t28);
					L00401474();
					L004015B2();
					L0040156A();
				}
				_push(0x4124dc);
				L0040156A();
				L004015C4();
				L004015C4();
				return _t28;
			}

0x00412408
0x00412413
0x00412414
0x0041241d
0x0041241e
0x00412426
0x00412429
0x00412436
0x00412441
0x00412446
0x0041244b
0x00412450
0x00412455
0x00412458
0x0041245f
0x00412462
0x00412463
0x0041246f
0x00412474
0x0041247b
0x00412480
0x00412486
0x00412488
0x0041248f
0x00412496
0x00412498
0x0041249b
0x0041249c
0x004124a6
0x004124ae
0x004124ae
0x004124b3
0x004124c6
0x004124ce
0x004124d6
0x004124db

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041241E
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412436
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00412441
__vbaStrCat.MSVBVM60(12-12,12-,?,?,?,?,004013C6), ref: 00412450
#557.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00412463
__vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 0041247B
#705.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 0041249C
__vbaStrMove.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124A6
__vbaFreeVar.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124AE
__vbaFreeVar.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124C6
__vbaFreeStr.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124CE
__vbaFreeStr.MSVBVM60(004124DC,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 004124D6

Strings

12-12, xrefs: 0041244B
12-, xrefs: 00412446

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#557#705ChkstkCopyMove
String ID: 12-$12-12
API String ID: 1093160486-3531647454
Opcode ID: c42cc33319e44a1079b819da30e1dcb196a3dab0b68ae24ae07124ed5db5f304
Instruction ID: 2e7dd0bb9c9fca3fa76cb33463ab2303f6b74b2beff927884748cb09daaa01c8
Opcode Fuzzy Hash: c42cc33319e44a1079b819da30e1dcb196a3dab0b68ae24ae07124ed5db5f304
Instruction Fuzzy Hash: 8F115171910148BACB04EFA1CD86FDD7BB4AF54704F50053AB402B71E1EB7C6945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004105FA, Relevance: 22.6, APIs: 15, Instructions: 119
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E004105FA(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				void* _v52;
				signed int _v56;
				void* _v60;
				char _v76;
				char _v92;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				char _v140;
				void* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t71;
				signed int _t74;
				signed int _t80;
				signed int _t85;
				void* _t101;
				void* _t103;
				intOrPtr _t104;

				_t104 = _t103 - 0xc;
				 *[fs:0x0] = _t104;
				L004013C0();
				_v16 = _t104;
				_v12 = 0x401290;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t101);
				L0040158E();
				L0040154C();
				_v116 = 0x4026c0;
				_v124 = 8;
				L0040158E();
				_push( &_v76);
				_push( &_v92);
				L004014F8();
				_v132 = 0x402a04;
				_v140 = 0x8008;
				_push( &_v92);
				_t71 =  &_v140;
				_push(_t71);
				L004015DC();
				_v144 = _t71;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L004015BE();
				_t74 = _v144;
				if(_t74 != 0) {
					if( *0x4155f8 != 0) {
						_v172 = 0x4155f8;
					} else {
						_push(0x4155f8);
						_push(0x4028e8);
						L00401558();
						_v172 = 0x4155f8;
					}
					_v144 =  *_v172;
					_t80 =  *((intOrPtr*)( *_v144 + 0x14))(_v144,  &_v60);
					asm("fclex");
					_v148 = _t80;
					if(_v148 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d8);
						_push(_v144);
						_push(_v148);
						L00401552();
						_v176 = _t80;
					}
					_v152 = _v60;
					_t85 =  *((intOrPtr*)( *_v152 + 0x110))(_v152,  &_v56);
					asm("fclex");
					_v156 = _t85;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4028f8);
						_push(_v152);
						_push(_v156);
						L00401552();
						_v180 = _t85;
					}
					_t74 = _v56;
					_v168 = _t74;
					_v56 = _v56 & 0x00000000;
					L004015B2();
					L0040152E();
				}
				_push(0x410810);
				L004015C4();
				L004015C4();
				L0040156A();
				return _t74;
			}

0x004105fd
0x0041060c
0x00410618
0x00410620
0x00410623
0x0041062a
0x00410639
0x00410642
0x0041064d
0x00410652
0x00410659
0x00410666
0x0041066e
0x00410672
0x00410673
0x00410678
0x0041067f
0x0041068c
0x0041068d
0x00410693
0x00410694
0x00410699
0x004106a3
0x004106a7
0x004106a8
0x004106aa
0x004106b2
0x004106bb
0x004106c8
0x004106e5
0x004106ca
0x004106ca
0x004106cf
0x004106d4
0x004106d9
0x004106d9
0x004106f7
0x0041070f
0x00410712
0x00410714
0x00410721
0x00410743
0x00410723
0x00410723
0x00410725
0x0041072a
0x00410730
0x00410736
0x0041073b
0x0041073b
0x0041074d
0x00410765
0x0041076b
0x0041076d
0x0041077a
0x0041079f
0x0041077c
0x0041077c
0x00410781
0x00410786
0x0041078c
0x00410792
0x00410797
0x00410797
0x004107a6
0x004107a9
0x004107af
0x004107bc
0x004107c4
0x004107c4
0x004107c9
0x004107fa
0x00410802
0x0041080a
0x0041080f

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00410618
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410642
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0041064D
__vbaVarDup.MSVBVM60 ref: 00410666
#518.MSVBVM60(?,?), ref: 00410673
__vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?), ref: 00410694
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 004106AA
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,004013C6), ref: 004106D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00410736
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000110), ref: 00410792
__vbaStrMove.MSVBVM60(00000000,?,004028F8,00000110), ref: 004107BC
__vbaFreeObj.MSVBVM60(00000000,?,004028F8,00000110), ref: 004107C4
__vbaFreeStr.MSVBVM60(00410810,?,?,004013C6), ref: 004107FA
__vbaFreeStr.MSVBVM60(00410810,?,?,004013C6), ref: 00410802
__vbaFreeVar.MSVBVM60(00410810,?,?,004013C6), ref: 0041080A

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#518ChkstkCopyListMoveNew2
String ID:
API String ID: 1459133440-0
Opcode ID: 9f25326c63d400a5016dda9409aad156467f4b0c54600f5c84042ac6b59f4a72
Instruction ID: 05ad2b77685fc7f285c907303dd9a4d39d9d7d188daed66f19f7286aa1406a16
Opcode Fuzzy Hash: 9f25326c63d400a5016dda9409aad156467f4b0c54600f5c84042ac6b59f4a72
Instruction Fuzzy Hash: D251D871900218EFDB10EFA5CD85FDDBBB5BF44304F1081AAE109BB1A1DB785A898F55

Uniqueness

Uniqueness Score: -1.00%

Function 004124EF, Relevance: 19.6, APIs: 13, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 48%

			E004124EF(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				void* _v48;
				char _v52;
				char _v56;
				signed short _v64;
				char _v72;
				char _v88;
				signed char _t26;
				signed short _t27;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L004013C0();
				_v16 = _t47;
				_v12 = 0x401358;
				_v8 = 0;
				_t26 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t44);
				L0040158E();
				_push(0x4026d8);
				L0040146E();
				_t27 = _t26 & 0x000000ff;
				if(_t27 == 2) {
					_push(0x402be4);
					_push(0x402bec);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402bf4);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402be4);
					L004015AC();
					_v64 = _t27;
					_v72 = 8;
					_push( &_v72);
					_push( &_v88);
					L00401462();
					_push( &_v88);
					L00401468();
					_v32 = __fp0;
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L004015A6();
					_push( &_v88);
					_t27 =  &_v72;
					_push(_t27);
					_push(2);
					L004015BE();
				}
				asm("wait");
				_push(0x412608);
				L0040156A();
				return _t27;
			}

0x004124f2
0x00412501
0x0041250b
0x00412513
0x00412516
0x0041251d
0x0041252c
0x00412535
0x0041253a
0x0041253f
0x00412544
0x0041254c
0x00412552
0x00412557
0x0041255c
0x00412566
0x0041256b
0x0041256c
0x00412571
0x0041257b
0x00412580
0x00412581
0x00412586
0x0041258b
0x0041258e
0x00412598
0x0041259c
0x0041259d
0x004125a5
0x004125a6
0x004125ab
0x004125b1
0x004125b5
0x004125b6
0x004125b8
0x004125c3
0x004125c4
0x004125c7
0x004125c8
0x004125ca
0x004125cf
0x004125d2
0x004125d3
0x00412602
0x00412607

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041250B
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412535
__vbaUI1Str.MSVBVM60(004026D8,?,?,?,?,004013C6), ref: 0041253F
__vbaStrCat.MSVBVM60(00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 0041255C
__vbaStrMove.MSVBVM60(00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412566
__vbaStrCat.MSVBVM60(00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412571
__vbaStrMove.MSVBVM60(00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 0041257B
__vbaStrCat.MSVBVM60(00402BE4,00000000,00402BF4,00000000,00402BEC,00402BE4,004026D8,?,?,?,?,004013C6), ref: 00412586
#687.MSVBVM60(?,00000008), ref: 0041259D
__vbaDateVar.MSVBVM60(?,?,00000008), ref: 004125A6
__vbaFreeStrList.MSVBVM60(00000002,00000000,00402BF4,?,?,00000008), ref: 004125B8
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004013C6), ref: 004125CA
__vbaFreeVar.MSVBVM60(00412608,004026D8,?,?,?,?,004013C6), ref: 00412602

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$ListMove$#687ChkstkDate
String ID:
API String ID: 2912548229-0
Opcode ID: ad2ab8263c6fad0aef963e0c29cdb9162632fe834ed5646610b151fcb4df7905
Instruction ID: 9acf876f85fa3a76dac7276b00a10b9f7f4ec1700ebecfec37eb25ad1bc5f3c1
Opcode Fuzzy Hash: ad2ab8263c6fad0aef963e0c29cdb9162632fe834ed5646610b151fcb4df7905
Instruction Fuzzy Hash: E2212F71D41208BBDB00EFE1CD46EDE7778AF44704F50843BB502BA1E1DA7C6A498B59

Uniqueness

Uniqueness Score: -1.00%

Function 00413BB8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E00413BB8(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a32, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _t29;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				signed int _t47;

				_t45 = _t44 - 0xc;
				 *[fs:0x0] = _t45;
				L004013C0();
				_v16 = _t45;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t42);
				L0040154C();
				L0040158E();
				_push(0x402a0c);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t29 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v72);
					asm("fclex");
					_v76 = _t29;
					_t47 = _v76;
					if(_t47 >= 0) {
						_t20 =  &_v88;
						 *_t20 = _v88 & 0x00000000;
						__eflags =  *_t20;
					} else {
						_push(0xb0);
						_push(0x402438);
						_push(_a4);
						_push(_v76);
						L00401552();
						_v88 = _t29;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t47 == 0) {
						_push(L"GEOSIDE");
						_push(0xb4);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x413c96);
				L004015C4();
				L0040156A();
				return _t29;
			}

0x00413bbb
0x00413bca
0x00413bd4
0x00413bdc
0x00413bdf
0x00413be6
0x00413bf5
0x00413bfe
0x00413c09
0x00413c0e
0x00413c13
0x00413c18
0x00413c1e
0x00413c20
0x00413c21
0x00413c2f
0x00413c35
0x00413c37
0x00413c3a
0x00413c3e
0x00413c5a
0x00413c5a
0x00413c5a
0x00413c40
0x00413c40
0x00413c45
0x00413c4a
0x00413c4d
0x00413c50
0x00413c55
0x00413c55
0x00413c61
0x00413c67
0x00413c69
0x00413c6a
0x00413c6c
0x00413c71
0x00413c76
0x00413c78
0x00413c7a
0x00413c7a
0x00413c6a
0x00413c7f
0x00413c80
0x00413c88
0x00413c90
0x00413c95

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413BD4
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00413BFE
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00413C09
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,?,004013C6), ref: 00413C13
__vbaHresultCheckObj.MSVBVM60(00000000,004013A8,00402438,000000B0), ref: 00413C50
__vbaFileOpen.MSVBVM60(00000020,000000FF,000000B4,GEOSIDE), ref: 00413C7A
__vbaFreeStr.MSVBVM60(00413C96,00402A0C,?,?,?,?,004013C6), ref: 00413C88
__vbaFreeVar.MSVBVM60(00413C96,00402A0C,?,?,?,?,004013C6), ref: 00413C90

Strings

GEOSIDE, xrefs: 00413C6C

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkCopyFileHresultOpen
String ID: GEOSIDE
API String ID: 311016274-2913397203
Opcode ID: b01a7390f3740583749f62332d8104ebea8222f5d9ff684ecf08d38487b3b3a0
Instruction ID: a44c7f68a2c685dbaf605939a374c10edf1c54e142bb12ed94c2c10a4ee18dcd
Opcode Fuzzy Hash: b01a7390f3740583749f62332d8104ebea8222f5d9ff684ecf08d38487b3b3a0
Instruction Fuzzy Hash: 0D213830900208FFDB00EF95CA8ABCD7BB4BF54755F50416AF4057A1E1D7785A858B88

Uniqueness

Uniqueness Score: -1.00%

Function 004103DB, Relevance: 15.0, APIs: 10, Instructions: 49
COMMON

Download Yara Rule

C-Code - Quality: 78%

			E004103DB(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a40, void* _a48, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v64;
				void* _v80;
				signed int* _t24;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004013C0();
				_v16 = _t43;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t40);
				L0040158E();
				L0040154C();
				L0040158E();
				_t24 = _a64;
				 *_t24 =  *_t24 & 0x00000000;
				_push(0);
				_push(0);
				_push(1);
				L0040150A();
				L004015B2();
				_push(0x410488);
				L0040156A();
				L004015C4();
				L004015C4();
				L0040156A();
				return _t24;
			}

0x004103de
0x004103ed
0x004103f7
0x004103ff
0x00410402
0x00410409
0x00410418
0x00410421
0x0041042c
0x00410437
0x0041043c
0x0041043f
0x00410442
0x00410444
0x00410446
0x00410448
0x00410452
0x00410457
0x0041046a
0x00410472
0x0041047a
0x00410482
0x00410487

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004103F7
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410421
__vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0041042C
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00410437
#706.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410448
__vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410452
__vbaFreeVar.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0041046A
__vbaFreeStr.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410472
__vbaFreeStr.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0041047A
__vbaFreeVar.MSVBVM60(00410488,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 00410482

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#706ChkstkCopyMove
String ID:
API String ID: 3345532518-0
Opcode ID: db013e2afe532c4b028b69ea5c13c810cc8ec78676d3a19f38e4f40e97bff54e
Instruction ID: 7f2903a411088809e335211ffd05d7d1552a29b58b433ac5b57d3da05fa44c65
Opcode Fuzzy Hash: db013e2afe532c4b028b69ea5c13c810cc8ec78676d3a19f38e4f40e97bff54e
Instruction Fuzzy Hash: E9111C31900248ABCB14EFA1CD92FDD7BB4AF40748F50842AF5027B1E1DB78AA45CB98

Uniqueness

Uniqueness Score: -1.00%

Function 00410989, Relevance: 13.6, APIs: 9, Instructions: 115
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00410989(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				char* _t57;
				signed int _t61;
				signed int _t67;
				signed int _t71;
				char* _t73;
				intOrPtr _t84;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x3c);
				L004013C0();
				_v12 = _t84;
				_v8 = 0x4012c0;
				if( *0x415010 != 0) {
					_v64 = 0x415010;
				} else {
					_push(0x415010);
					_push(0x4030fc);
					L00401558();
					_v64 = 0x415010;
				}
				_t57 =  &_v28;
				L0040155E();
				_v36 = _t57;
				_t61 =  *((intOrPtr*)( *_v36 + 0x13c))(_v36,  &_v24, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x35c))( *_v64));
				asm("fclex");
				_v40 = _t61;
				if(_v40 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x402760);
					_push(_v36);
					_push(_v40);
					L00401552();
					_v68 = _t61;
				}
				if( *0x4155f8 != 0) {
					_v72 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v72 = 0x4155f8;
				}
				_v44 =  *_v72;
				_t67 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t67;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v44);
					_push(_v48);
					L00401552();
					_v76 = _t67;
				}
				_v52 = _v32;
				_t71 =  *((intOrPtr*)( *_v52 + 0x138))(_v52, _v24, 1);
				asm("fclex");
				_v56 = _t71;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f8);
					_push(_v52);
					_push(_v56);
					L00401552();
					_v80 = _t71;
				}
				L004015C4();
				_push( &_v32);
				_t73 =  &_v28;
				_push(_t73);
				_push(2);
				L00401546();
				_push(0x410b1d);
				return _t73;
			}

0x0041098e
0x00410999
0x0041099a
0x004109a1
0x004109a4
0x004109ac
0x004109af
0x004109bd
0x004109d7
0x004109bf
0x004109bf
0x004109c4
0x004109c9
0x004109ce
0x004109ce
0x004109f2
0x004109f6
0x004109fb
0x00410a0a
0x00410a10
0x00410a12
0x00410a19
0x00410a35
0x00410a1b
0x00410a1b
0x00410a20
0x00410a25
0x00410a28
0x00410a2b
0x00410a30
0x00410a30
0x00410a40
0x00410a5a
0x00410a42
0x00410a42
0x00410a47
0x00410a4c
0x00410a51
0x00410a51
0x00410a66
0x00410a75
0x00410a78
0x00410a7a
0x00410a81
0x00410a9a
0x00410a83
0x00410a83
0x00410a85
0x00410a8a
0x00410a8d
0x00410a90
0x00410a95
0x00410a95
0x00410aa1
0x00410ab1
0x00410ab7
0x00410ab9
0x00410ac0
0x00410adc
0x00410ac2
0x00410ac2
0x00410ac7
0x00410acc
0x00410acf
0x00410ad2
0x00410ad7
0x00410ad7
0x00410ae3
0x00410aeb
0x00410aec
0x00410aef
0x00410af0
0x00410af2
0x00410afa
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004109A4
__vbaNew2.MSVBVM60(004030FC,00415010,?,?,?,?,004013C6), ref: 004109C9
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 004109F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402760,0000013C), ref: 00410A2B
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410A4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 00410A90
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000138), ref: 00410AD2
__vbaFreeStr.MSVBVM60 ref: 00410AE3
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410AF2

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$ChkstkList
String ID:
API String ID: 3534970231-0
Opcode ID: a0008a9d1f67f6dfbc4658a5d605653f5639004fad6c848d4b25e5910d5c8cc6
Instruction ID: f17b057453f2c33a1854ccf80f179a4597e6afa7ffb2e8bcb0af70dbb7101e6c
Opcode Fuzzy Hash: a0008a9d1f67f6dfbc4658a5d605653f5639004fad6c848d4b25e5910d5c8cc6
Instruction Fuzzy Hash: 89410771D40208EFCB00EF95C945BEDBBB5FF18305F10402AF112B62A0C7B85985DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040FDDA, Relevance: 13.6, APIs: 9, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040FDDA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t47;
				signed int _t52;
				short _t53;
				intOrPtr _t67;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_push(0x4c);
				L004013C0();
				_v12 = _t67;
				_v8 = 0x401230;
				L0040158E();
				L0040158E();
				if( *0x4155f8 != 0) {
					_v88 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v88 = 0x4155f8;
				}
				_v68 =  *_v88;
				_t47 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v60);
				asm("fclex");
				_v72 = _t47;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v68);
					_push(_v72);
					L00401552();
					_v92 = _t47;
				}
				_v76 = _v60;
				_t52 =  *((intOrPtr*)( *_v76 + 0xc0))(_v76,  &_v64);
				asm("fclex");
				_v80 = _t52;
				if(_v80 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x4028f8);
					_push(_v76);
					_push(_v80);
					L00401552();
					_v96 = _t52;
				}
				_t53 = _v64;
				_v56 = _t53;
				L0040152E();
				_push(0x40fef4);
				L0040156A();
				L0040156A();
				return _t53;
			}

0x0040fddf
0x0040fdea
0x0040fdeb
0x0040fdf2
0x0040fdf5
0x0040fdfd
0x0040fe00
0x0040fe0d
0x0040fe18
0x0040fe24
0x0040fe3e
0x0040fe26
0x0040fe26
0x0040fe2b
0x0040fe30
0x0040fe35
0x0040fe35
0x0040fe4a
0x0040fe59
0x0040fe5c
0x0040fe5e
0x0040fe65
0x0040fe7e
0x0040fe67
0x0040fe67
0x0040fe69
0x0040fe6e
0x0040fe71
0x0040fe74
0x0040fe79
0x0040fe79
0x0040fe85
0x0040fe94
0x0040fe9a
0x0040fe9c
0x0040fea3
0x0040febf
0x0040fea5
0x0040fea5
0x0040feaa
0x0040feaf
0x0040feb2
0x0040feb5
0x0040feba
0x0040feba
0x0040fec3
0x0040fec7
0x0040fece
0x0040fed3
0x0040fee6
0x0040feee
0x0040fef3

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FDF5
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FE0D
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FE18
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0040FE30
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 0040FE74
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,000000C0), ref: 0040FEB5
__vbaFreeObj.MSVBVM60(00000000,?,004028F8,000000C0), ref: 0040FECE
__vbaFreeVar.MSVBVM60(0040FEF4), ref: 0040FEE6
__vbaFreeVar.MSVBVM60(0040FEF4), ref: 0040FEEE

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2
String ID:
API String ID: 1237124366-0
Opcode ID: 9c91c35be8b689691cdf6c3e0f6bf49ad94bc84c1aa5b5d07bb8938a2c4a7211
Instruction ID: 0a0e7e8f74150fa91c4d6ee8645fb8a4ff926344413ae81f12cb23cbb76fc15e
Opcode Fuzzy Hash: 9c91c35be8b689691cdf6c3e0f6bf49ad94bc84c1aa5b5d07bb8938a2c4a7211
Instruction Fuzzy Hash: A031FC71910248EFCB10EF95C94ABDDBBB5FF48708F10403AF012BB2A1D778694A9B58

Uniqueness

Uniqueness Score: -1.00%

Function 0041089B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

C-Code - Quality: 39%

			E0041089B(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				signed int _v60;
				signed int _v68;
				signed int _t19;
				intOrPtr _t32;
				signed int _t34;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t19 = 0x30;
				L004013C0();
				_v12 = _t32;
				_v8 = 0x4012b0;
				L0040158E();
				_push(0x402a0c);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t19 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v56);
					asm("fclex");
					_v60 = _t19;
					_t34 = _v60;
					if(_t34 >= 0) {
						_t14 =  &_v68;
						 *_t14 = _v68 & 0x00000000;
						__eflags =  *_t14;
					} else {
						_push(0xb0);
						_push(0x402438);
						_push(_a4);
						_push(_v60);
						L00401552();
						_v68 = _t19;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t34 == 0) {
						_push(L"Wattape2");
						_push(0x8e);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x410953);
				L0040156A();
				return _t19;
			}

0x004108a0
0x004108ab
0x004108ac
0x004108b5
0x004108b6
0x004108be
0x004108c1
0x004108ce
0x004108d3
0x004108d8
0x004108dd
0x004108e3
0x004108e5
0x004108e6
0x004108f4
0x004108fa
0x004108fc
0x004108ff
0x00410903
0x0041091f
0x0041091f
0x0041091f
0x00410905
0x00410905
0x0041090a
0x0041090f
0x00410912
0x00410915
0x0041091a
0x0041091a
0x00410926
0x0041092c
0x0041092e
0x0041092f
0x00410931
0x00410936
0x0041093b
0x0041093d
0x0041093f
0x0041093f
0x0041092f
0x00410944
0x00410945
0x0041094d
0x00410952

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004108B6
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 004108CE
__vbaR4Str.MSVBVM60(00402A0C,?,?,?,?,004013C6), ref: 004108D8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402438,000000B0,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410915
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000008E,Wattape2), ref: 0041093F
__vbaFreeVar.MSVBVM60(00410953,00402A0C,?,?,?,?,004013C6), ref: 0041094D

Strings

Wattape2, xrefs: 00410931

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFileFreeHresultOpen
String ID: Wattape2
API String ID: 2751570938-2362924395
Opcode ID: 6cde937bea826bab41c4f0bf20eaa573c2c0dee8223770a795224d9c23a7c88b
Instruction ID: 432650579d4fe524cebdfe93f045266d4e079881616c42308dfa4a5bc27b131f
Opcode Fuzzy Hash: 6cde937bea826bab41c4f0bf20eaa573c2c0dee8223770a795224d9c23a7c88b
Instruction Fuzzy Hash: CA113A70950248FFDB10EF95CE9AF9D7BB9FB04B54F50422AF005B61E2C7B859808B58

Uniqueness

Uniqueness Score: -1.00%

Function 0040FF07, Relevance: 10.6, APIs: 7, Instructions: 85
COMMON

Download Yara Rule

C-Code - Quality: 62%

			E0040FF07(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				void* _v52;
				void* _v56;
				void* _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t45;
				signed int _t46;
				signed int _t52;
				signed int _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004013C0();
				_v16 = _t68;
				_v12 = 0x401240;
				_v8 = 0;
				_t45 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t65);
				L0040158E();
				_t46 = _t45 | 0xffffffff;
				if(_t46 != 0) {
					if( *0x4155f8 != 0) {
						_v88 = 0x4155f8;
					} else {
						_push(0x4155f8);
						_push(0x4028e8);
						L00401558();
						_v88 = 0x4155f8;
					}
					_v64 =  *_v88;
					_t52 =  *((intOrPtr*)( *_v64 + 0x14))(_v64,  &_v56);
					asm("fclex");
					_v68 = _t52;
					if(_v68 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d8);
						_push(_v64);
						_push(_v68);
						L00401552();
						_v92 = _t52;
					}
					_v72 = _v56;
					_t57 =  *((intOrPtr*)( *_v72 + 0xb8))(_v72,  &_v60);
					asm("fclex");
					_v76 = _t57;
					if(_v76 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0xb8);
						_push(0x4028f8);
						_push(_v72);
						_push(_v76);
						L00401552();
						_v96 = _t57;
					}
					_t46 = _v60;
					_v36 = _t46;
					L0040152E();
				}
				asm("wait");
				_push(0x41002d);
				L0040156A();
				return _t46;
			}

0x0040ff0a
0x0040ff19
0x0040ff23
0x0040ff2b
0x0040ff2e
0x0040ff35
0x0040ff44
0x0040ff4d
0x0040ff52
0x0040ff57
0x0040ff64
0x0040ff7e
0x0040ff66
0x0040ff66
0x0040ff6b
0x0040ff70
0x0040ff75
0x0040ff75
0x0040ff8a
0x0040ff99
0x0040ff9c
0x0040ff9e
0x0040ffa5
0x0040ffbe
0x0040ffa7
0x0040ffa7
0x0040ffa9
0x0040ffae
0x0040ffb1
0x0040ffb4
0x0040ffb9
0x0040ffb9
0x0040ffc5
0x0040ffd4
0x0040ffda
0x0040ffdc
0x0040ffe3
0x0040ffff
0x0040ffe5
0x0040ffe5
0x0040ffea
0x0040ffef
0x0040fff2
0x0040fff5
0x0040fffa
0x0040fffa
0x00410003
0x00410007
0x0041000e
0x0041000e
0x00410013
0x00410014
0x00410027
0x0041002c

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FF23
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FF4D
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0040FF70
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 0040FFB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,000000B8), ref: 0040FFF5
__vbaFreeObj.MSVBVM60 ref: 0041000E
__vbaFreeVar.MSVBVM60(0041002D,?,?,?,?,004013C6), ref: 00410027

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID:
API String ID: 304406766-0
Opcode ID: 02815d7764fa1a9ad2340fda37790249d776d6145adf5ce7641902c0906bc9e1
Instruction ID: 5a797fff27208687f4aea27ba72d0ce7d68909df40a166662ecb3d51792fdd9b
Opcode Fuzzy Hash: 02815d7764fa1a9ad2340fda37790249d776d6145adf5ce7641902c0906bc9e1
Instruction Fuzzy Hash: 9031F274900249EFCB10EF95D945BCDBBB5FF08704F20813AF412BB2A0DB7899899B48

Uniqueness

Uniqueness Score: -1.00%

Function 00413339, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E00413339(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int _t45;
				signed int _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t57;

				_t57 = _t56 - 0xc;
				 *[fs:0x0] = _t57;
				L004013C0();
				_v16 = _t57;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4013c6, _t54);
				if( *0x4155f8 != 0) {
					_v56 = 0x4155f8;
				} else {
					_push(0x4155f8);
					_push(0x4028e8);
					L00401558();
					_v56 = 0x4155f8;
				}
				_v32 =  *_v56;
				_t45 =  *((intOrPtr*)( *_v32 + 0x14))(_v32,  &_v28);
				asm("fclex");
				_v36 = _t45;
				if(_v36 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d8);
					_push(_v32);
					_push(_v36);
					L00401552();
					_v60 = _t45;
				}
				_v40 = _v28;
				_t49 =  *((intOrPtr*)( *_v40 + 0x138))(_v40, L"Spinetternes5", 1);
				asm("fclex");
				_v44 = _t49;
				if(_v44 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f8);
					_push(_v40);
					_push(_v44);
					L00401552();
					_v64 = _t49;
				}
				L0040152E();
				_push(0x41343b);
				return _t49;
			}

0x0041333c
0x0041334b
0x00413355
0x0041335d
0x00413360
0x00413367
0x00413376
0x00413380
0x0041339a
0x00413382
0x00413382
0x00413387
0x0041338c
0x00413391
0x00413391
0x004133a6
0x004133b5
0x004133b8
0x004133ba
0x004133c1
0x004133da
0x004133c3
0x004133c3
0x004133c5
0x004133ca
0x004133cd
0x004133d0
0x004133d5
0x004133d5
0x004133e1
0x004133f3
0x004133f9
0x004133fb
0x00413402
0x0041341e
0x00413404
0x00413404
0x00413409
0x0041340e
0x00413411
0x00413414
0x00413419
0x00413419
0x00413425
0x0041342a
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 00413355
__vbaNew2.MSVBVM60(004028E8,004155F8,?,?,?,?,004013C6), ref: 0041338C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028D8,00000014), ref: 004133D0
__vbaHresultCheckObj.MSVBVM60(00000000,?,004028F8,00000138), ref: 00413414
__vbaFreeObj.MSVBVM60 ref: 00413425

Strings

Spinetternes5, xrefs: 004133E6

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: Spinetternes5
API String ID: 1616694062-1097852325
Opcode ID: c34ccc01a0d50681634d61c4aafa507457f07b9a8061652733a4250c8ed416da
Instruction ID: e9fac8f4c15bde8dec29734db9031b95ca3794eb2217f65450811250680a2a34
Opcode Fuzzy Hash: c34ccc01a0d50681634d61c4aafa507457f07b9a8061652733a4250c8ed416da
Instruction Fuzzy Hash: 8D31F875D40218EFDB00DF95C989BDDBBB1FB08715F50406AF411BB2A0C7B85A859B58

Uniqueness

Uniqueness Score: -1.00%

Function 004122F1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004122F1(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a40, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				signed int* _v44;
				signed int* _t17;
				void* _t24;
				void* _t26;
				intOrPtr _t27;

				_t27 = _t26 - 0xc;
				 *[fs:0x0] = _t27;
				L004013C0();
				_v16 = _t27;
				_v12 = 0x401328;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4013c6, _t24);
				L0040158E();
				_t17 = _a64;
				 *_t17 =  *_t17 & 0x00000000;
				L004014E0();
				_v44 = _t17;
				_push(0x412363);
				L0040156A();
				return _t17;
			}

0x004122f4
0x00412303
0x0041230d
0x00412315
0x00412318
0x0041231f
0x0041232e
0x00412337
0x0041233c
0x0041233f
0x00412342
0x00412347
0x0041234a
0x0041235d
0x00412362

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 0041230D
__vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00412337
#615.MSVBVM60(?,?,?,?,004013C6), ref: 00412342
__vbaFreeVar.MSVBVM60(00412363,?,?,?,?,004013C6), ref: 0041235D

Strings

c#A, xrefs: 0041235A

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#615ChkstkFree
String ID: c#A
API String ID: 4276791933-178432524
Opcode ID: 71c1d7a2cfbb5d07b62aa6d4d2cb6571509291a181e8e93fdc11099cfb057335
Instruction ID: 24a68fdbfcb5226d01d9abee10bbabe8bbdeafd74fdac9e01d51a7a3e91b4025
Opcode Fuzzy Hash: 71c1d7a2cfbb5d07b62aa6d4d2cb6571509291a181e8e93fdc11099cfb057335
Instruction Fuzzy Hash: D1F03C71500248EFDB00EF65CA86B9D7BB4EB04748F10446AF805BB2A0C7789E008B95

Uniqueness

Uniqueness Score: -1.00%

Function 00630955, Relevance: 6.4, Strings: 5, Instructions: 191COMMON

Download Yara Rule

Strings

?Y>, xrefs: 00630C4C
-[, xrefs: 006309CE
?Y>, xrefs: 00630C51
9'c, xrefs: 00630C4B, 00630CCE
uB, xrefs: 006309FA

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$?Y>$?Y>$-[$uB
API String ID: 0-1047186898
Opcode ID: abdbd186e938ba58cc45bb6aa0f437f077033cabbeae281b54d725dc9fbc075a
Instruction ID: 7e419556fea7ba4403b5d1177cb877cdace60e5fa101fea14805c8d3033be38f
Opcode Fuzzy Hash: abdbd186e938ba58cc45bb6aa0f437f077033cabbeae281b54d725dc9fbc075a
Instruction Fuzzy Hash: 5C518961A48205EAFF34245488B57FE115B8F503A0F74511BFC8B932C6E6B58C8F91DB

Uniqueness

Uniqueness Score: -1.00%

Function 00630976, Relevance: 6.4, Strings: 5, Instructions: 187COMMON

Download Yara Rule

Strings

?Y>, xrefs: 00630C4C
-[, xrefs: 006309CE
?Y>, xrefs: 00630C51
9'c, xrefs: 00630C4B, 00630CCE
uB, xrefs: 006309FA

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$?Y>$?Y>$-[$uB
API String ID: 0-1047186898
Opcode ID: e0a91c674760d1a2ac4e0a182fa203c697f91631e5af0bbf1c70674f975e9fbd
Instruction ID: 6bb752f0918635aabaf95dbdc0a785216d56c911de25b04f101b71c59d4b096e
Opcode Fuzzy Hash: e0a91c674760d1a2ac4e0a182fa203c697f91631e5af0bbf1c70674f975e9fbd
Instruction Fuzzy Hash: 0F518825A48205EAFF34145488B5BFA125B8F503A0F74521BFC8B932C6D6B58C8E91D6

Uniqueness

Uniqueness Score: -1.00%

Function 006309A1, Relevance: 6.4, Strings: 5, Instructions: 177COMMON

Download Yara Rule

Strings

?Y>, xrefs: 00630C4C
-[, xrefs: 006309CE
?Y>, xrefs: 00630C51
9'c, xrefs: 00630C4B, 00630CCE
uB, xrefs: 006309FA

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$?Y>$?Y>$-[$uB
API String ID: 0-1047186898
Opcode ID: e225b6edb5bd50c0ce67a3882a5c17b72f10166580081e7da841d2673fed029e
Instruction ID: 5132e616b0b6c6ae0db642a66233771302fa0a6aee036057fa6dccc35dd2099f
Opcode Fuzzy Hash: e225b6edb5bd50c0ce67a3882a5c17b72f10166580081e7da841d2673fed029e
Instruction Fuzzy Hash: 03519A65A48305EAFF34141888B5BFE115B8F503A0F74521BFC8B932C6E6B59C8E91D7

Uniqueness

Uniqueness Score: -1.00%

Function 006309B6, Relevance: 6.4, Strings: 5, Instructions: 175COMMON

Download Yara Rule

Strings

?Y>, xrefs: 00630C4C
-[, xrefs: 006309CE
?Y>, xrefs: 00630C51
9'c, xrefs: 00630C4B, 00630CCE
uB, xrefs: 006309FA

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$?Y>$?Y>$-[$uB
API String ID: 0-1047186898
Opcode ID: 60e6b2b045f88ee736dafb1fa0f87483769b56f653ef4528f7cfdafb491fee7a
Instruction ID: d5e6da395d1828e0c27bfc91c870fb14823b5881802092e78c07ae21a588af28
Opcode Fuzzy Hash: 60e6b2b045f88ee736dafb1fa0f87483769b56f653ef4528f7cfdafb491fee7a
Instruction Fuzzy Hash: 57518925A08305EAFF38141488B5BFE115B8F503A0F74521BFC8B932C6E6B58C8E91D6

Uniqueness

Uniqueness Score: -1.00%

Function 0041238C, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0041238C(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				char* _t9;
				intOrPtr _t19;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t19;
				_push(0x28);
				L004013C0();
				_v12 = _t19;
				_v8 = 0x401338;
				_t9 =  &_v56;
				_push(_t9);
				L00401480();
				L0040153A();
				_push(0x4123e6);
				L0040156A();
				return _t9;
			}

0x00412391
0x0041239c
0x0041239d
0x004123a4
0x004123a7
0x004123af
0x004123b2
0x004123b9
0x004123bc
0x004123bd
0x004123c8
0x004123cd
0x004123e0
0x004123e5

APIs

__vbaChkstk.MSVBVM60(?,004013C6), ref: 004123A7
#546.MSVBVM60(?,?,?,?,?,004013C6), ref: 004123BD
__vbaVarMove.MSVBVM60(?,?,?,?,?,004013C6), ref: 004123C8
__vbaFreeVar.MSVBVM60(004123E6,?,?,?,?,?,004013C6), ref: 004123E0

Memory Dump Source

Source File: 00000000.00000002.1388675529.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1388657772.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1388725665.0000000000415000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1388743557.0000000000417000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#546ChkstkFreeMove
String ID:
API String ID: 3298562087-0
Opcode ID: 1b52977f2b9b78872b56d9cc82e7998cd5fe540cc8606e34ff22663eb2d3f21f
Instruction ID: b3234f3c79fed234dcec7896dcedf2d10a5655b61bfea8cc0be0f4d26eddae47
Opcode Fuzzy Hash: 1b52977f2b9b78872b56d9cc82e7998cd5fe540cc8606e34ff22663eb2d3f21f
Instruction Fuzzy Hash: A3F0307195024CBADB00EBA1CD46FDDB77CFB14B44F90442BB401B75A0D7BC2A048769

Uniqueness

Uniqueness Score: -1.00%

Function 006309E5, Relevance: 5.2, Strings: 4, Instructions: 165COMMON

Download Yara Rule

Strings

?Y>, xrefs: 00630C4C
?Y>, xrefs: 00630C51
9'c, xrefs: 00630C4B, 00630CCE
uB, xrefs: 006309FA

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$?Y>$?Y>$uB
API String ID: 0-878902365
Opcode ID: 5d19acae566eddbddece5e584b25f6f8204a25d83f868ef1fc838e3e3dbe4b3b
Instruction ID: faad8b3eace7617ec34647f6bf3e47ba8c14da0a73ea0eb4edd4657e28a2fb6a
Opcode Fuzzy Hash: 5d19acae566eddbddece5e584b25f6f8204a25d83f868ef1fc838e3e3dbe4b3b
Instruction Fuzzy Hash: F9418925A08305E6FF34140888B5BFA111B8F503A0F74521BFC8B932C6E6B59C8E91D6

Uniqueness

Uniqueness Score: -1.00%

Function 00630000, Relevance: 5.0, Strings: 4, Instructions: 23COMMON

Download Yara Rule

Strings

j@h, xrefs: 00632B79
J8, xrefs: 00632CB1
W, xrefs: 006300FE
9'c, xrefs: 006329F2, 00632A61, 00632AC2, 00632AF2, 00632BA9, 00632BBF, 00632BDB

Memory Dump Source

Source File: 00000000.00000002.1389096315.0000000000630000.00000040.00000001.sdmp, Offset: 00630000, based on PE: false

Similarity

API ID:
String ID: 9'c$W$j@h$J8
API String ID: 0-3198266046
Opcode ID: 4572106b5ff05272b5b4dc4e652d2e60e255dee725caa8c491cdb953babbeb93
Instruction ID: 1a48bd3381d062727d83edd6c23f9881ca44067fd9d166c2bce7bbc5a2715e39
Opcode Fuzzy Hash: 4572106b5ff05272b5b4dc4e652d2e60e255dee725caa8c491cdb953babbeb93
Instruction Fuzzy Hash: BFD0175091DA05C5BA3C20A849753BF261B8E52320DB8461B9D63235E1D380449EB6DB

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report 15790_Invoice_confirmation.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: 15790_Invoice_confirmation.exe PID: 5668 Parent PID: 5892

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: 15790_Invoice_confirmation.exe PID: 5668 Parent PID: 5892 15790_Invoice_confirmation.exeCOMMON

Executed Functions

Function 00401600, Relevance: 5.7, APIs: 1, Strings: 2, Instructions: 495COMMON

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233COMMON

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215COMMON

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74COMMON

Non-executed Functions

Function 004114AE, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233
COMMON

Function 00410054, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215
COMMON

Function 004104B1, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74
COMMON

Function 0041345A, Relevance: 180.7, APIs: 94, Strings: 9, Instructions: 493
COMMON

Function 00411205, Relevance: 45.2, APIs: 30, Instructions: 188
COMMON

Function 00412403, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 61
COMMON

Function 004105FA, Relevance: 22.6, APIs: 15, Instructions: 119
COMMON

Function 004124EF, Relevance: 19.6, APIs: 13, Instructions: 74
COMMON

Function 00413BB8, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67
COMMON

Function 004103DB, Relevance: 15.0, APIs: 10, Instructions: 49
COMMON

Function 00410989, Relevance: 13.6, APIs: 9, Instructions: 115
COMMON

Function 0040FDDA, Relevance: 13.6, APIs: 9, Instructions: 82
COMMON

Function 0041089B, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58
COMMON

Function 0040FF07, Relevance: 10.6, APIs: 7, Instructions: 85
COMMON

Function 00413339, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74
COMMON

Function 004122F1, Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
COMMON

Function 0041238C, Relevance: 6.0, APIs: 4, Instructions: 27
COMMON