Joe Sandbox Cloud Basic Analysis Report

Loading ...

Play interactive tourEdit tour

Analysis Report 21558_Invoice_confirmation.exe

Overview

General Information

Sample Name:21558_Invoice_confirmation.exe
Analysis ID:337759
MD5:2c4f59a6c931a328dd5d6113c995c35b
SHA1:51e56d7fb64cc3a071b12410bcecbf38675fadcc
SHA256:859bd0c7c174ff2237da9fac27c2feb0e0bbbfe536b273a495440ccd3b748729
Tags:exeGuLoader

Most interesting Screenshot:

Errors
  • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

Detection

GuLoader
Score:76
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Potential malicious icon found
Yara detected GuLoader
Executable has a suspicious name (potential lure to open the executable)
Initial sample is a PE file and has a suspicious name
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to detect virtualization through RDTSC time measurements
Yara detected VB6 Downloader Generic
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to detect virtual machines (SGDT)
Contains functionality to read the PEB
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

SourceRuleDescriptionAuthorStrings
Process Memory Space: 21558_Invoice_confirmation.exe PID: 7052JoeSecurity_VB6DownloaderGenericYara detected VB6 Downloader GenericJoe Security
    Process Memory Space: 21558_Invoice_confirmation.exe PID: 7052JoeSecurity_GuLoaderYara detected GuLoaderJoe Security

      Sigma Overview

      No Sigma rule has matched

      Signature Overview

      Click to jump to signature section

      Show All Signature Results
      Source: 21558_Invoice_confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

      System Summary:

      barindex
      Potential malicious icon foundShow sources
      Source: initial sampleIcon embedded in PE file: bad icon match: 20047c7c70f0e004
      Executable has a suspicious name (potential lure to open the executable)Show sources
      Source: 21558_Invoice_confirmation.exeStatic file information: Suspicious name
      Initial sample is a PE file and has a suspicious nameShow sources
      Source: initial sampleStatic PE information: Filename: 21558_Invoice_confirmation.exe
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess Stats: CPU usage > 98%
      Source: 21558_Invoice_confirmation.exeStatic PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1398199064.0000000002090000.00000002.00000001.sdmpBinary or memory string: OriginalFilenameuser32j% vs 21558_Invoice_confirmation.exe
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmpBinary or memory string: OriginalFilenameASSACU.exe vs 21558_Invoice_confirmation.exe
      Source: 21558_Invoice_confirmation.exeBinary or memory string: OriginalFilenameASSACU.exe vs 21558_Invoice_confirmation.exe
      Source: 21558_Invoice_confirmation.exeStatic PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      Source: classification engineClassification label: mal76.rans.troj.evad.winEXE@1/0@0/0
      Source: 21558_Invoice_confirmation.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeSection loaded: C:\Windows\SysWOW64\msvbvm60.dllJump to behavior
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior

      Data Obfuscation:

      barindex
      Yara detected GuLoaderShow sources
      Source: Yara matchFile source: Process Memory Space: 21558_Invoice_confirmation.exe PID: 7052, type: MEMORY
      Yara detected VB6 Downloader GenericShow sources
      Source: Yara matchFile source: Process Memory Space: 21558_Invoice_confirmation.exe PID: 7052, type: MEMORY
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_00404F88 push cs; iretd 0_2_00404F96
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F366A push ebp; retf 0_2_004F4222
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F4230 push ebp; retf 0_2_004F4222
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F12CC push ebp; retf 0_2_004F4222
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F4368 push C8F1A01Fh; iretd 0_2_004F4375
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

      Malware Analysis System Evasion:

      barindex
      Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)Show sources
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
      Tries to detect virtualization through RDTSC time measurementsShow sources
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeRDTSC instruction interceptor: First address: 0000000000404336 second address: 0000000000404336 instructions: 0x00000000 rdtsc 0x00000002 wait 0x00000003 nop 0x00000004 dec esi 0x00000005 nop 0x00000006 nop 0x00000007 cmp esi, 00000000h 0x0000000a jne 00007F3534BA1396h 0x0000000c rdtsc
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_0040432C rdtsc 0_2_0040432C
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F2A03 sgdt fword ptr [eax]0_2_004F2A03
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmpBinary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_0040432C rdtsc 0_2_0040432C
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F49C6 mov eax, dword ptr fs:[00000030h]0_2_004F49C6
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F4D8B mov eax, dword ptr fs:[00000030h]0_2_004F4D8B
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F56FE mov eax, dword ptr fs:[00000030h]0_2_004F56FE
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F56F9 mov eax, dword ptr fs:[00000030h]0_2_004F56F9
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F2E83 mov eax, dword ptr fs:[00000030h]0_2_004F2E83
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F5749 mov eax, dword ptr fs:[00000030h]0_2_004F5749
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F5761 mov eax, dword ptr fs:[00000030h]0_2_004F5761
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F5779 mov eax, dword ptr fs:[00000030h]0_2_004F5779
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F5713 mov eax, dword ptr fs:[00000030h]0_2_004F5713
      Source: C:\Users\user\Desktop\21558_Invoice_confirmation.exeCode function: 0_2_004F572B mov eax, dword ptr fs:[00000030h]0_2_004F572B
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1398081537.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1398081537.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1398081537.0000000000C20000.00000002.00000001.sdmpBinary or memory string: &Program Manager
      Source: 21558_Invoice_confirmation.exe, 00000000.00000002.1398081537.0000000000C20000.00000002.00000001.sdmpBinary or memory string: Progmanlock

      Mitre Att&ck Matrix

      Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
      Valid AccountsWindows Management InstrumentationPath InterceptionProcess Injection1Virtualization/Sandbox Evasion1OS Credential DumpingSecurity Software Discovery211Remote ServicesData from Local SystemExfiltration Over Other Network MediumData ObfuscationEavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
      Default AccountsScheduled Task/JobBoot or Logon Initialization ScriptsBoot or Logon Initialization ScriptsProcess Injection1LSASS MemoryVirtualization/Sandbox Evasion1Remote Desktop ProtocolData from Removable MediaExfiltration Over BluetoothJunk DataExploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
      Domain AccountsAt (Linux)Logon Script (Windows)Logon Script (Windows)Obfuscated Files or Information1Security Account ManagerProcess Discovery1SMB/Windows Admin SharesData from Network Shared DriveAutomated ExfiltrationSteganographyExploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
      Local AccountsAt (Windows)Logon Script (Mac)Logon Script (Mac)Binary PaddingNTDSSystem Information Discovery11Distributed Component Object ModelInput CaptureScheduled TransferProtocol ImpersonationSIM Card SwapCarrier Billing Fraud

      Behavior Graph

      Hide Legend

      Legend:

      • Process
      • Signature
      • Created File
      • DNS/IP Info
      • Is Dropped
      • Is Windows Process
      • Number of created Registry Values
      • Number of created Files
      • Visual Basic
      • Delphi
      • Java
      • .Net C# or VB.NET
      • C, C++ or other language
      • Is malicious
      • Internet

      Screenshots

      Thumbnails

      This section contains all screenshots as thumbnails, including those not shown in the slideshow.

      windows-stand

      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

      No Antivirus matches

      Dropped Files

      No Antivirus matches

      Unpacked PE Files

      No Antivirus matches

      Domains

      No Antivirus matches

      URLs

      No Antivirus matches

      Domains and IPs

      Contacted Domains

      No contacted domains info

      Contacted IPs

      No contacted IP infos

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:337759
      Start date:10.01.2021
      Start time:08:24:23
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 4s
      Hypervisor based Inspection enabled:false
      Report type:full
      Sample file name:21558_Invoice_confirmation.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:31
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal76.rans.troj.evad.winEXE@1/0@0/0
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 17.6% (good quality ratio 11.2%)
      • Quality average: 34%
      • Quality standard deviation: 31.1%
      HCA Information:Failed
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      • Override analysis time to 240s for sample files taking high CPU consumption
      Warnings:
      Show All
      • Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, MusNotifyIcon.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
      Errors:
      • Sigma syntax error: Has an empty selector, Rule: Abusing Azure Browser SSO

      Simulations

      Behavior and APIs

      No simulations

      Joe Sandbox View / Context

      IPs

      No context

      Domains

      No context

      ASN

      No context

      JA3 Fingerprints

      No context

      Dropped Files

      No context

      Created / dropped Files

      No created / dropped files found

      Static File Info

      General

      File type:PE32 executable (GUI) Intel 80386, for MS Windows
      Entropy (8bit):5.714133896280267
      TrID:
      • Win32 Executable (generic) a (10002005/4) 99.96%
      • Generic Win/DOS Executable (2004/3) 0.02%
      • DOS Executable Generic (2002/1) 0.02%
      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
      File name:21558_Invoice_confirmation.exe
      File size:90112
      MD5:2c4f59a6c931a328dd5d6113c995c35b
      SHA1:51e56d7fb64cc3a071b12410bcecbf38675fadcc
      SHA256:859bd0c7c174ff2237da9fac27c2feb0e0bbbfe536b273a495440ccd3b748729
      SHA512:1f7beda5e21464a30c5a03ba063ff07defffc9d54ee9e391e73d8d677e3cc27cdd1bb86cd8dbcac6fc5be4fae2426aa2603a134b0326e1172af7437c8cf3ab90
      SSDEEP:768:g+J1MqP00si/MIeaz0YIHMqmIISCQA0gtE9shwrDzwNBeIznTg4gyTR3q7xSQ1n7:xMAMRavIsrSCJc2Bn1gyTR3gXm8
      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........6...W...W...W...K...W...u...W...q...W..Rich.W..........................PE..L......_.................0...0...............@....@

      File Icon

      Icon Hash:20047c7c70f0e004

      Static PE Info

      General

      Entrypoint:0x401600
      Entrypoint Section:.text
      Digitally signed:false
      Imagebase:0x400000
      Subsystem:windows gui
      Image File Characteristics:LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
      DLL Characteristics:
      Time Stamp:0x5FF9D002 [Sat Jan 9 15:47:14 2021 UTC]
      TLS Callbacks:
      CLR (.Net) Version:
      OS Version Major:4
      OS Version Minor:0
      File Version Major:4
      File Version Minor:0
      Subsystem Version Major:4
      Subsystem Version Minor:0
      Import Hash:690ed9eee3aab240a93936dee17050b4

      Entrypoint Preview

      Instruction
      push 00401C64h
      call 00007F3534776825h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      xor byte ptr [eax], al
      add byte ptr [eax], al
      cmp byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      pop edi
      stosb
      scasd
      jnc 00007F3534776800h
      sbb eax, 40A343B8h
      mov al, 89h
      or eax, 00AC48CDh
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [ecx], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [ecx+70h], dl
      je 00007F3534776833h
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      dec esp
      xor dword ptr [eax], eax
      sbb dword ptr [eax+5Eh], eax
      les eax, fword ptr [ecx+6Fh]
      stosd
      cmp cl, byte ptr [edx-67h]
      mov dl, BAh
      pop ss
      push esp
      inc ebp
      cmp ah, bh
      sti
      mov cl, bh
      sbb eax, 4651AB31h
      mov eax, dword ptr [032F7D1Eh]
      jnp 00007F353477680Ah
      cmp cl, byte ptr [edi-53h]
      xor ebx, dword ptr [ecx-48EE309Ah]
      or al, 00h
      stosb
      add byte ptr [eax-2Dh], ah
      xchg eax, ebx
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      add byte ptr [eax], al
      test dword ptr [ebx], 003F0000h
      add byte ptr [eax], al
      add byte ptr [edi], al
      add byte ptr [ebx+6Ch], dl
      popad
      jnc 00007F3534776895h
      xor dword ptr [eax], eax
      or eax, 64000501h
      jc 00006895h
      add byte ptr [ecx], bl
      add dword ptr [eax], eax
      inc edx
      add byte ptr [edx], ah
      add eax, 00000524h

      Data Directories

      NameVirtual AddressVirtual Size Is in Section
      IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_IMPORT0x136340x28.text
      IMAGE_DIRECTORY_ENTRY_RESOURCE0x160000x89c.rsrc
      IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
      IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
      IMAGE_DIRECTORY_ENTRY_BASERELOC0x00x0
      IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
      IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
      IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
      IMAGE_DIRECTORY_ENTRY_TLS0x00x0
      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x2380x20
      IMAGE_DIRECTORY_ENTRY_IAT0x10000x184.text
      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
      IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

      Sections

      NameVirtual AddressVirtual SizeRaw SizeXored PEZLIB ComplexityFile TypeEntropyCharacteristics
      .text0x10000x12c180x13000False0.416156969572data6.17855517942IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      .data0x140000x14b00x1000False0.00634765625data0.0IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
      .rsrc0x160000x89c0x1000False0.16162109375data1.88975541248IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

      Resources

      NameRVASizeTypeLanguageCountry
      RT_ICON0x1676c0x130data
      RT_ICON0x164840x2e8data
      RT_ICON0x1635c0x128GLS_BINARY_LSB_FIRST
      RT_GROUP_ICON0x1632c0x30data
      RT_VERSION0x161500x1dcdataChineseTaiwan

      Imports

      DLLImport
      MSVBVM60.DLL_CIcos, _adj_fptan, __vbaHresultCheck, __vbaVarMove, __vbaFreeVar, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaLateMemSt, __vbaExitProc, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaVarTstEq, __vbaAryConstruct2, __vbaR4Str, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, __vbaRedim, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaI4Var, __vbaVarDup, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, _CItan, __vbaFPInt, _CIexp, __vbaFreeStr, __vbaFreeObj

      Version Infos

      DescriptionData
      Translation0x0404 0x04b0
      ProductVersion1.00
      InternalNameASSACU
      FileVersion1.00
      OriginalFilenameASSACU.exe
      ProductNameLogaritm

      Possible Origin

      Language of compilation systemCountry where language is spokenMap
      ChineseTaiwan

      Network Behavior

      No network behavior found

      Code Manipulations

      Statistics

      CPU Usage

      Click to jump to process

      Memory Usage

      Click to jump to process

      System Behavior

      Analysis Process: 21558_Invoice_confirmation.exe PID: 7052 Parent PID: 5736

      General

      Start time:08:25:15
      Start date:10/01/2021
      Path:C:\Users\user\Desktop\21558_Invoice_confirmation.exe
      Wow64 process (32bit):true
      Commandline:'C:\Users\user\Desktop\21558_Invoice_confirmation.exe'
      Imagebase:0x400000
      File size:90112 bytes
      MD5 hash:2C4F59A6C931A328DD5D6113C995C35B
      Has elevated privileges:true
      Has administrator privileges:true
      Programmed in:Visual Basic
      Reputation:low

      Chronological Activities

      Disassembly

      Code Analysis

      Reset < >

        Analysis Process: 21558_Invoice_confirmation.exe PID: 7052 Parent PID: 5736 21558_Invoice_confirmation.exeCOMMON

        Executed Functions

        Function 0040432C, Relevance: 1.4, APIs: 1, Instructions: 135memoryCOMMON
        Download Yara Rule
        APIs
        • VirtualAlloc.KERNELBASE(0000B000,0000B000,00001000,00000040), ref: 004043D6
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: AllocVirtual
        • String ID:
        • API String ID: 4275171209-0
        • Opcode ID: 8247404214e1310ab5cda2daf96a7dd19fcb2e298fb8cd6d8511e97009187841
        • Instruction ID: 7f9f2e0c3f922a4713ae05fc2a331a86f20459eaca217ad89b9f3439144715db
        • Opcode Fuzzy Hash: 8247404214e1310ab5cda2daf96a7dd19fcb2e298fb8cd6d8511e97009187841
        • Instruction Fuzzy Hash: D6118E62EA75017AD2344C39CC56669F3A8EF93F51F16793B8D4AE7390DE2588C34508
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00410E0E, Relevance: 59.7, APIs: 29, Strings: 5, Instructions: 233COMMON
        Download Yara Rule
        C-Code - Quality: 48%
        			E00410E0E(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v32;
				char _v36;
				void* _v40;
				char* _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				char* _v112;
				char _v120;
				char _v172;
				short _v176;
				signed int _v180;
				intOrPtr* _v184;
				signed int _v188;
				short _v192;
				intOrPtr* _v204;
				signed int _v208;
				signed int _v212;
				signed int _t102;
				signed int _t107;
				char* _t111;
				short _t115;
				signed int _t124;
				short _t130;
				void* _t154;
				void* _t156;
				intOrPtr _t157;
				char* _t167;

				_t157 = _t156 - 0xc;
				 *[fs:0x0] = _t157;
				L004013C0();
				_v16 = _t157;
				_v12 = 0x401308;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t154);
				if( *0x4145f8 != 0) {
					_v204 = 0x4145f8;
				} else {
					_push(0x4145f8);
					_push(0x4028e4);
					L00401558();
					_v204 = 0x4145f8;
				}
				_v176 =  *_v204;
				_t102 =  *((intOrPtr*)( *_v176 + 0x14))(_v176,  &_v40);
				asm("fclex");
				_v180 = _t102;
				if(_v180 >= 0) {
					_v208 = _v208 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d4);
					_push(_v176);
					_push(_v180);
					L00401552();
					_v208 = _t102;
				}
				_v184 = _v40;
				_t107 =  *((intOrPtr*)( *_v184 + 0x100))(_v184,  &_v172);
				asm("fclex");
				_v188 = _t107;
				if(_v188 >= 0) {
					_v212 = _v212 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x4028f4);
					_push(_v184);
					_push(_v188);
					L00401552();
					_v212 = _t107;
				}
				_v192 =  ~(0 | _v172 == 0x00400000);
				L0040152E();
				_t111 = _v192;
				if(_t111 != 0) {
					_push(0x402908);
					_push(0x402910);
					L004015AC();
					_v48 = _t111;
					_v56 = 8;
					_push( &_v56);
					_push( &_v72);
					L0040151C();
					_v112 = 0x402910;
					_v120 = 0x8008;
					_push( &_v72);
					_t115 =  &_v120;
					_push(_t115);
					L004015DC();
					_v176 = _t115;
					_push( &_v72);
					_push( &_v56);
					_push(2);
					L004015BE();
					_t111 = _v176;
					if(_t111 != 0) {
						_push(2);
						_push(0x4026bc);
						_push(0x4026c4);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026cc);
						L004015AC();
						L004015B2();
						_push(_t111);
						_push(0x4026cc);
						_push(0);
						L00401516();
						asm("sbb eax, eax");
						_v176 =  ~( ~(_t111 - 3) + 1);
						_push( &_v36);
						_push( &_v32);
						_push(2);
						L004015A6();
						_t111 = _v176;
						_t167 = _t111;
						if(_t167 != 0) {
							L00401510();
							L004015A0();
							asm("fcomp qword [0x401250]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t167 == 0) {
								_v112 = 0x80020004;
								_v120 = 0xa;
								_t124 = 0x10;
								L004013C0();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(L"oliemalinger");
								_push(L"stourness");
								_push(L"Sgsmaalsgrunds7"); // executed
								L0040157C(); // executed
								L004015B2();
								_push(_t124);
								_push(0);
								L00401582();
								asm("sbb eax, eax");
								_v176 =  ~( ~_t124 + 1);
								L004015C4();
								_t111 = _v176;
								if(_t111 != 0) {
									_push(0x402ab8);
									L00401576();
									if(_t111 == 1) {
										_push( &_v56);
										L00401570();
										_v112 = L"prnumerant";
										_v120 = 0x8008;
										_push( &_v56);
										_t130 =  &_v120;
										_push(_t130);
										L004015DC();
										_v176 = _t130;
										L0040156A();
										_t111 = _v176;
										if(_t111 != 0) {
											_v96 = 0x80020004;
											_v104 = 0xa;
											_v80 = 0x80020004;
											_v88 = 0xa;
											_v64 = 0x80020004;
											_v72 = 0xa;
											_v112 = L"Topforhandlernes";
											_v120 = 8;
											L0040158E();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_push(0);
											_push( &_v56);
											L00401564();
											_push( &_v104);
											_push( &_v88);
											_push( &_v72);
											_t111 =  &_v56;
											_push(_t111);
											_push(4);
											L004015BE();
										}
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x4111cb);
				return _t111;
			}






































        0x00410e11
        0x00410e20
        0x00410e2c
        0x00410e34
        0x00410e37
        0x00410e3e
        0x00410e4d
        0x00410e57
        0x00410e74
        0x00410e59
        0x00410e59
        0x00410e5e
        0x00410e63
        0x00410e68
        0x00410e68
        0x00410e86
        0x00410e9e
        0x00410ea1
        0x00410ea3
        0x00410eb0
        0x00410ed2
        0x00410eb2
        0x00410eb2
        0x00410eb4
        0x00410eb9
        0x00410ebf
        0x00410ec5
        0x00410eca
        0x00410eca
        0x00410edc
        0x00410ef7
        0x00410efd
        0x00410eff
        0x00410f0c
        0x00410f31
        0x00410f0e
        0x00410f0e
        0x00410f13
        0x00410f18
        0x00410f1e
        0x00410f24
        0x00410f29
        0x00410f29
        0x00410f49
        0x00410f53
        0x00410f58
        0x00410f61
        0x00410f67
        0x00410f6c
        0x00410f71
        0x00410f76
        0x00410f79
        0x00410f83
        0x00410f87
        0x00410f88
        0x00410f8d
        0x00410f94
        0x00410f9e
        0x00410f9f
        0x00410fa2
        0x00410fa3
        0x00410fa8
        0x00410fb2
        0x00410fb6
        0x00410fb7
        0x00410fb9
        0x00410fc1
        0x00410fca
        0x00410fd0
        0x00410fd2
        0x00410fd7
        0x00410fdc
        0x00410fe6
        0x00410feb
        0x00410fec
        0x00410ff1
        0x00410ffb
        0x00411000
        0x00411001
        0x00411006
        0x00411008
        0x00411012
        0x00411017
        0x00411021
        0x00411025
        0x00411026
        0x00411028
        0x00411030
        0x00411037
        0x00411039
        0x00411045
        0x0041104a
        0x0041104f
        0x00411055
        0x00411057
        0x00411058
        0x0041105e
        0x00411065
        0x0041106e
        0x0041106f
        0x00411079
        0x0041107a
        0x0041107b
        0x0041107c
        0x0041107d
        0x00411082
        0x00411087
        0x0041108c
        0x00411096
        0x0041109b
        0x0041109c
        0x0041109e
        0x004110a5
        0x004110aa
        0x004110b4
        0x004110b9
        0x004110c2
        0x004110c8
        0x004110cd
        0x004110d5
        0x004110de
        0x004110df
        0x004110e4
        0x004110eb
        0x004110f5
        0x004110f6
        0x004110f9
        0x004110fa
        0x004110ff
        0x00411109
        0x0041110e
        0x00411117
        0x00411119
        0x00411120
        0x00411127
        0x0041112e
        0x00411135
        0x0041113c
        0x00411143
        0x0041114a
        0x00411157
        0x0041115f
        0x00411163
        0x00411167
        0x00411168
        0x0041116d
        0x0041116e
        0x00411176
        0x0041117a
        0x0041117e
        0x0041117f
        0x00411182
        0x00411183
        0x00411185
        0x0041118a
        0x00411117
        0x004110d5
        0x004110c2
        0x00411058
        0x00411039
        0x00410fca
        0x0041118d
        0x0041118e
        0x00000000

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00410E2C
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,?,?,004013C6), ref: 00410E63
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 00410EC5
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,00000100), ref: 00410F24
        • __vbaFreeObj.MSVBVM60 ref: 00410F53
        • __vbaStrCat.MSVBVM60(00402910,00402908), ref: 00410F71
        • #522.MSVBVM60(?,00000008,00402910,00402908), ref: 00410F88
        • __vbaVarTstEq.MSVBVM60(00008008,?,?,00000008,00402910,00402908), ref: 00410FA3
        • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?,?,00000008,00402910,00402908), ref: 00410FB9
        • __vbaStrCat.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 00410FDC
        • __vbaStrMove.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 00410FE6
        • __vbaStrCat.MSVBVM60(004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 00410FF1
        • __vbaStrMove.MSVBVM60(004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 00410FFB
        • __vbaInStr.MSVBVM60(00000000,004026CC,00000000,004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 00411008
        • __vbaFreeStrList.MSVBVM60(00000002,00000002,004026BC,00000000,004026CC,00000000,004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 00411028
        • __vbaFPInt.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 00411045
        • __vbaFpR8.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 0041104A
        • __vbaChkstk.MSVBVM60 ref: 0041106F
        • #689.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041108C
        • __vbaStrMove.MSVBVM60(Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411096
        • __vbaStrCmp.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041109E
        • __vbaFreeStr.MSVBVM60(00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004110B4
        • __vbaLenBstr.MSVBVM60(00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004110CD
        • #670.MSVBVM60(?,00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004110DF
        • __vbaVarTstEq.MSVBVM60(00008008,?,?,00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 004110FA
        • __vbaFreeVar.MSVBVM60(00008008,?,?,00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411109
        • __vbaVarDup.MSVBVM60(00008008,?,?,00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 00411157
        • #595.MSVBVM60(?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402AB8,00000000,00000000,Sgsmaalsgrunds7,stourness,oliemalinger), ref: 0041116E
        • __vbaFreeVarList.MSVBVM60(00000004,?,0000000A,0000000A,0000000A,?,00000000,0000000A,0000000A,0000000A,00008008,?,?,00402AB8,00000000,00000000), ref: 00411185
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$ListMove$CheckChkstkHresult$#522#595#670#689BstrNew2
        • String ID: Sgsmaalsgrunds7$Topforhandlernes$oliemalinger$prnumerant$stourness
        • API String ID: 1585906448-2475824071
        • Opcode ID: 00905166e4119f2b7be541e72af909ab3b5e423ff4dbe4f7d7e29ac733ec3d2a
        • Instruction ID: fe39f667ca90c5c9d621e9bddf9d7a087b8a37cbb7c1c588c830fb5a854ee7e2
        • Opcode Fuzzy Hash: 00905166e4119f2b7be541e72af909ab3b5e423ff4dbe4f7d7e29ac733ec3d2a
        • Instruction Fuzzy Hash: AF915D71940318AADB10EFA1CD45FDEB7B9AF44704F10416BE106BB1E1DBB89A85CF29
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040F9B4, Relevance: 56.2, APIs: 28, Strings: 4, Instructions: 215COMMON
        Download Yara Rule
        C-Code - Quality: 48%
        			E0040F9B4(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				char _v40;
				char _v44;
				intOrPtr _v52;
				char _v60;
				intOrPtr _v68;
				char _v76;
				intOrPtr _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				char* _v116;
				char _v124;
				void* _v160;
				signed int _v164;
				signed int _v176;
				intOrPtr* _v180;
				signed int _v184;
				intOrPtr _t84;
				short _t88;
				char* _t91;
				signed int _t98;
				short _t104;
				char* _t108;
				signed int _t112;
				void* _t139;
				void* _t141;
				intOrPtr _t142;
				char* _t147;

				_t142 = _t141 - 0xc;
				 *[fs:0x0] = _t142;
				L004013C0();
				_v16 = _t142;
				_v12 = 0x401260;
				_v8 = 0;
				_t84 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t139);
				_push(0x402908);
				_push(0x402910);
				L004015AC();
				_v52 = _t84;
				_v60 = 8;
				_push( &_v60);
				_push( &_v76);
				L0040151C();
				_v116 = 0x402910;
				_v124 = 0x8008;
				_push( &_v76);
				_t88 =  &_v124;
				_push(_t88);
				L004015DC();
				_v160 = _t88;
				_push( &_v76);
				_push( &_v60);
				_push(2);
				L004015BE();
				_t91 = _v160;
				if(_t91 != 0) {
					_push(2);
					_push(0x4026bc);
					_push(0x4026c4);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026cc);
					L004015AC();
					L004015B2();
					_push(_t91);
					_push(0x4026cc);
					_push(0);
					L00401516();
					asm("sbb eax, eax");
					_v160 =  ~( ~(_t91 - 3) + 1);
					_push( &_v40);
					_push( &_v36);
					_push(2);
					L004015A6();
					_t91 = _v160;
					_t147 = _t91;
					if(_t147 != 0) {
						L00401510();
						L004015A0();
						asm("fcomp qword [0x401250]");
						asm("fnstsw ax");
						asm("sahf");
						if(_t147 == 0) {
							_v116 = 0x80020004;
							_v124 = 0xa;
							_t98 = 0x10;
							L004013C0();
							asm("movsd");
							asm("movsd");
							asm("movsd");
							asm("movsd");
							_push(L"HABITABLE");
							_push(L"Stengun2");
							_push(L"misbrugere"); // executed
							L0040157C(); // executed
							L004015B2();
							_push(_t98);
							_push(0);
							L00401582();
							asm("sbb eax, eax");
							_v160 =  ~( ~_t98 + 1);
							L004015C4();
							_t91 = _v160;
							if(_t91 != 0) {
								_push(0x402964);
								L00401576();
								if(_t91 == 1) {
									_push( &_v60);
									L00401570();
									_v116 = L"Dizaine";
									_v124 = 0x8008;
									_push( &_v60);
									_t104 =  &_v124;
									_push(_t104);
									L004015DC();
									_v160 = _t104;
									L0040156A();
									_t91 = _v160;
									if(_t91 != 0) {
										_v100 = 0x80020004;
										_v108 = 0xa;
										_v84 = 0x80020004;
										_v92 = 0xa;
										_v68 = 0x80020004;
										_v76 = 0xa;
										if( *0x414010 != 0) {
											_v180 = 0x414010;
										} else {
											_push(0x414010);
											_push(0x4030f8);
											L00401558();
											_v180 = 0x414010;
										}
										_t108 =  &_v44;
										L0040155E();
										_v160 = _t108;
										_t112 =  *((intOrPtr*)( *_v160 + 0x48))(_v160,  &_v36, _t108,  *((intOrPtr*)( *((intOrPtr*)( *_v180)) + 0x35c))( *_v180));
										asm("fclex");
										_v164 = _t112;
										if(_v164 >= 0) {
											_v184 = _v184 & 0x00000000;
										} else {
											_push(0x48);
											_push(0x40275c);
											_push(_v160);
											_push(_v164);
											L00401552();
											_v184 = _t112;
										}
										_v176 = _v36;
										_v36 = _v36 & 0x00000000;
										_v52 = _v176;
										_v60 = 8;
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_push(0);
										_push( &_v60);
										L00401564();
										L0040152E();
										_push( &_v108);
										_push( &_v92);
										_push( &_v76);
										_t91 =  &_v60;
										_push(_t91);
										_push(4);
										L004015BE();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x40fd0e);
				return _t91;
			}



































        0x0040f9b7
        0x0040f9c6
        0x0040f9d2
        0x0040f9da
        0x0040f9dd
        0x0040f9e4
        0x0040f9f3
        0x0040f9f6
        0x0040f9fb
        0x0040fa00
        0x0040fa05
        0x0040fa08
        0x0040fa12
        0x0040fa16
        0x0040fa17
        0x0040fa1c
        0x0040fa23
        0x0040fa2d
        0x0040fa2e
        0x0040fa31
        0x0040fa32
        0x0040fa37
        0x0040fa41
        0x0040fa45
        0x0040fa46
        0x0040fa48
        0x0040fa50
        0x0040fa59
        0x0040fa5f
        0x0040fa61
        0x0040fa66
        0x0040fa6b
        0x0040fa75
        0x0040fa7a
        0x0040fa7b
        0x0040fa80
        0x0040fa8a
        0x0040fa8f
        0x0040fa90
        0x0040fa95
        0x0040fa97
        0x0040faa1
        0x0040faa6
        0x0040fab0
        0x0040fab4
        0x0040fab5
        0x0040fab7
        0x0040fabf
        0x0040fac6
        0x0040fac8
        0x0040fad4
        0x0040fad9
        0x0040fade
        0x0040fae4
        0x0040fae6
        0x0040fae7
        0x0040faed
        0x0040faf4
        0x0040fafd
        0x0040fafe
        0x0040fb08
        0x0040fb09
        0x0040fb0a
        0x0040fb0b
        0x0040fb0c
        0x0040fb11
        0x0040fb16
        0x0040fb1b
        0x0040fb25
        0x0040fb2a
        0x0040fb2b
        0x0040fb2d
        0x0040fb34
        0x0040fb39
        0x0040fb43
        0x0040fb48
        0x0040fb51
        0x0040fb57
        0x0040fb5c
        0x0040fb64
        0x0040fb6d
        0x0040fb6e
        0x0040fb73
        0x0040fb7a
        0x0040fb84
        0x0040fb85
        0x0040fb88
        0x0040fb89
        0x0040fb8e
        0x0040fb98
        0x0040fb9d
        0x0040fba6
        0x0040fbac
        0x0040fbb3
        0x0040fbba
        0x0040fbc1
        0x0040fbc8
        0x0040fbcf
        0x0040fbdd
        0x0040fbfa
        0x0040fbdf
        0x0040fbdf
        0x0040fbe4
        0x0040fbe9
        0x0040fbee
        0x0040fbee
        0x0040fc1e
        0x0040fc22
        0x0040fc27
        0x0040fc3f
        0x0040fc42
        0x0040fc44
        0x0040fc51
        0x0040fc73
        0x0040fc53
        0x0040fc53
        0x0040fc55
        0x0040fc5a
        0x0040fc60
        0x0040fc66
        0x0040fc6b
        0x0040fc6b
        0x0040fc7d
        0x0040fc83
        0x0040fc8d
        0x0040fc90
        0x0040fc9a
        0x0040fc9e
        0x0040fca2
        0x0040fca3
        0x0040fca8
        0x0040fca9
        0x0040fcb1
        0x0040fcb9
        0x0040fcbd
        0x0040fcc1
        0x0040fcc2
        0x0040fcc5
        0x0040fcc6
        0x0040fcc8
        0x0040fccd
        0x0040fba6
        0x0040fb64
        0x0040fb51
        0x0040fae7
        0x0040fac8
        0x0040fcd0
        0x0040fcd1
        0x00000000

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040F9D2
        • __vbaStrCat.MSVBVM60(00402910,00402908,?,?,?,?,004013C6), ref: 0040FA00
        • #522.MSVBVM60(?,00000008), ref: 0040FA17
        • __vbaVarTstEq.MSVBVM60(00008008,?), ref: 0040FA32
        • __vbaFreeVarList.MSVBVM60(00000002,00000008,?,00008008,?), ref: 0040FA48
        • __vbaStrCat.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FA6B
        • __vbaStrMove.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FA75
        • __vbaStrCat.MSVBVM60(004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FA80
        • __vbaStrMove.MSVBVM60(004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FA8A
        • __vbaInStr.MSVBVM60(00000000,004026CC,00000000,004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FA97
        • __vbaFreeStrList.MSVBVM60(00000002,004026BC,004026C4,00000000,004026CC,00000000,004026CC,00000000,004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FAB7
        • __vbaFPInt.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FAD4
        • __vbaFpR8.MSVBVM60(004026C4,004026BC,00000002,?,?,004013C6), ref: 0040FAD9
        • __vbaChkstk.MSVBVM60 ref: 0040FAFE
        • #689.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 0040FB1B
        • __vbaStrMove.MSVBVM60(misbrugere,Stengun2,HABITABLE), ref: 0040FB25
        • __vbaStrCmp.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB2D
        • __vbaFreeStr.MSVBVM60(00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB43
        • __vbaLenBstr.MSVBVM60(00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB5C
        • #670.MSVBVM60(?,00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB6E
        • __vbaVarTstEq.MSVBVM60(00008008,?,?,00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB89
        • __vbaFreeVar.MSVBVM60(00008008,?,?,00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FB98
        • __vbaNew2.MSVBVM60(004030F8,00414010,00008008,?,?,00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FBE9
        • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,00008008,?,?,00402964,00000000,00000000,misbrugere,Stengun2,HABITABLE), ref: 0040FC22
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040275C,00000048,?,?,?,?,?,00008008,?,?,00402964,00000000,00000000,misbrugere), ref: 0040FC66
        • #595.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402964,00000000,00000000), ref: 0040FCA9
        • __vbaFreeObj.MSVBVM60(00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008,?,?,00402964,00000000,00000000), ref: 0040FCB1
        • __vbaFreeVarList.MSVBVM60(00000004,00000008,0000000A,0000000A,0000000A,00000008,00000000,0000000A,0000000A,0000000A,?,?,?,?,?,00008008), ref: 0040FCC8
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$ListMove$Chkstk$#522#595#670#689BstrCheckHresultNew2
        • String ID: Dizaine$HABITABLE$Stengun2$misbrugere
        • API String ID: 3850225901-803909472
        • Opcode ID: e38df14c0e2f1cc8c05d4f6cc3b261a38c9bdc47d1d984746719f7caf253318b
        • Instruction ID: f62e13dbb6b992e7ffb34206617a7c1ffe9d1842ce5ac0dd2b25d7f8fb961195
        • Opcode Fuzzy Hash: e38df14c0e2f1cc8c05d4f6cc3b261a38c9bdc47d1d984746719f7caf253318b
        • Instruction Fuzzy Hash: 39813BB1950218AADB10EBA1CC46FDEBBB8BF44704F10417BE506BB1D1DB7899848F69
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040FE11, Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 74COMMON
        Download Yara Rule
        C-Code - Quality: 49%
        			E0040FE11(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				char _v68;
				intOrPtr _v76;
				char _v84;
				short _v104;
				intOrPtr _t29;
				char* _t31;
				short _t33;
				short _t37;
				void* _t47;
				void* _t49;
				intOrPtr _t50;

				_t50 = _t49 - 0xc;
				 *[fs:0x0] = _t50;
				L004013C0();
				_v16 = _t50;
				_v12 = 0x401280;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x4013c6, _t47);
				L0040154C();
				_push(0x402908);
				_push(0x402980);
				L004015AC();
				L004015B2();
				_push(_t29);
				_push(0x402980);
				L004015AC();
				_v44 = _t29;
				_v52 = 8;
				_push( &_v52);
				_t31 =  &_v68;
				_push(_t31);
				L00401504();
				_push(0x402980);
				_push(0x402980);
				L004015AC();
				_v76 = _t31;
				_v84 = 0x8008;
				_push( &_v68);
				_t33 =  &_v84;
				_push(_t33);
				L004015DC();
				_v104 = _t33;
				L004015C4();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L004015BE();
				_t37 = _v104;
				if(_t37 != 0) {
					_push(L"prenominate");
					_push(L"Karseklippet");
					_push(L"Oculus");
					_push(L"unwall"); // executed
					L004014FE(); // executed
				}
				_push(0x40ff33);
				L004015C4();
				return _t37;
			}





















        0x0040fe14
        0x0040fe23
        0x0040fe2d
        0x0040fe35
        0x0040fe38
        0x0040fe3f
        0x0040fe4e
        0x0040fe57
        0x0040fe5c
        0x0040fe61
        0x0040fe66
        0x0040fe70
        0x0040fe75
        0x0040fe76
        0x0040fe7b
        0x0040fe80
        0x0040fe83
        0x0040fe8d
        0x0040fe8e
        0x0040fe91
        0x0040fe92
        0x0040fe97
        0x0040fe9c
        0x0040fea1
        0x0040fea6
        0x0040fea9
        0x0040feb3
        0x0040feb4
        0x0040feb7
        0x0040feb8
        0x0040febd
        0x0040fec4
        0x0040fecc
        0x0040fed0
        0x0040fed4
        0x0040fed5
        0x0040fed7
        0x0040fedf
        0x0040fee5
        0x0040fee7
        0x0040feec
        0x0040fef1
        0x0040fef6
        0x0040fefb
        0x0040fefb
        0x0040ff00
        0x0040ff2d
        0x0040ff32

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FE2D
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0040FE57
        • __vbaStrCat.MSVBVM60(00402980,00402908,?,?,?,?,004013C6), ref: 0040FE66
        • __vbaStrMove.MSVBVM60(00402980,00402908,?,?,?,?,004013C6), ref: 0040FE70
        • __vbaStrCat.MSVBVM60(00402980,00000000,00402980,00402908,?,?,?,?,004013C6), ref: 0040FE7B
        • #520.MSVBVM60(?,00000008), ref: 0040FE92
        • __vbaStrCat.MSVBVM60(00402980,00402980,?,00000008), ref: 0040FEA1
        • __vbaVarTstEq.MSVBVM60(00008008,00402980), ref: 0040FEB8
        • __vbaFreeStr.MSVBVM60(00008008,00402980), ref: 0040FEC4
        • __vbaFreeVarList.MSVBVM60(00000003,00000008,00402980,00008008,00008008,00402980), ref: 0040FED7
        • #690.MSVBVM60(unwall,Oculus,Karseklippet,prenominate,?,?,?,004013C6), ref: 0040FEFB
        • __vbaFreeStr.MSVBVM60(0040FF33,?,?,?,004013C6), ref: 0040FF2D
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$#520#690ChkstkCopyListMove
        • String ID: Karseklippet$Oculus$prenominate$unwall
        • API String ID: 1353531886-1380899336
        • Opcode ID: d16cfef603bf77ba65388920b68c8efcef62305482edb0e71c8f9bb03ab526ec
        • Instruction ID: 2625576af6919160153f804a5af145e6be5bdaef6200dfc837d6d31ac8bc5722
        • Opcode Fuzzy Hash: d16cfef603bf77ba65388920b68c8efcef62305482edb0e71c8f9bb03ab526ec
        • Instruction Fuzzy Hash: 9F21F9B1A50219BACB00EBD1CD46FEEB7B8BB44704F54403BF905BA1E1DAB895098B59
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00401600, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 516COMMON
        Download Yara Rule
        APIs
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: #100
        • String ID: VB5!6&*
        • API String ID: 1341478452-3593831657
        • Opcode ID: 4d6b95ed0e5a701a58c6eb6fa52dd84969d0c5a2af974ab2b3eea0d09cc015cc
        • Instruction ID: ba9c874cea5fce5ba3e8fcc8f2c62d0d3dd558ff9a443edb53e3017d45be3ad7
        • Opcode Fuzzy Hash: 4d6b95ed0e5a701a58c6eb6fa52dd84969d0c5a2af974ab2b3eea0d09cc015cc
        • Instruction Fuzzy Hash: 8402BA7244E3C14FD3138B709DA56A53FB1AE2322572E05DBD8C1CF1A3E1289A5AC727
        Uniqueness

        Uniqueness Score: -1.00%

        Non-executed Functions

        Function 004F56F9, Relevance: .7, Instructions: 686COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ec86faec5d165004c303ef0422409e5b8a2b8a6771e53c3d3775de3dc68d417d
        • Instruction ID: 14c0cfa7182d2fba5c864be9457582aeed7532e75dde2360209e22fe4176c382
        • Opcode Fuzzy Hash: ec86faec5d165004c303ef0422409e5b8a2b8a6771e53c3d3775de3dc68d417d
        • Instruction Fuzzy Hash: D032477094874DDFDB205E24C995BBA76A1AF51314F24821BEF828B291C3BC8883971F
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F56FE, Relevance: .2, Instructions: 181COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 400471c0f56902b61f534f056990b2eec3fb11858a4efe97a561ae0af9dadf14
        • Instruction ID: 67ad9656065ce4340d593e2454a5639f1c485e6c5c25ba34516ed74cc34aeba5
        • Opcode Fuzzy Hash: 400471c0f56902b61f534f056990b2eec3fb11858a4efe97a561ae0af9dadf14
        • Instruction Fuzzy Hash: 0751EA70908B49CECB259F64C4D0B76BAD19F12360F28829FDB968B296C37C8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F5713, Relevance: .2, Instructions: 176COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e1cc6f3446c9b1fbe95f5493e4b40807da88369f64aea917618ddf343242e714
        • Instruction ID: a88e08ac8b99b0f46e692afa806ed3ddb14baacb7a7d67f682a9217bb54c09b1
        • Opcode Fuzzy Hash: e1cc6f3446c9b1fbe95f5493e4b40807da88369f64aea917618ddf343242e714
        • Instruction Fuzzy Hash: 9B51FB7090CB49CFCB249E14C4D4B76BAD19F12360F28829BDB964B296C37D8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F572B, Relevance: .2, Instructions: 172COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 68c422c4f3d6dd5529ddc80dfde564d03a480f0d029ef7f8e1609ea452d13d7e
        • Instruction ID: 2ab86fb8e05a56d95af77a571f518554614b1f869343985853c3f5dbef16ecd1
        • Opcode Fuzzy Hash: 68c422c4f3d6dd5529ddc80dfde564d03a480f0d029ef7f8e1609ea452d13d7e
        • Instruction Fuzzy Hash: 1B51C970908B49CFCB249E64C4D4B76BAD19F12360F28829BDB964B296C37D8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F5749, Relevance: .2, Instructions: 169COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: a807c5787cceecbb3d1c0fcf9f9d4776051bf38de2acae1dab850137d12483e6
        • Instruction ID: 364d56c072d84aa369ce71c58d934ecd22bd8efa463a6100160aaa0c6b6e559d
        • Opcode Fuzzy Hash: a807c5787cceecbb3d1c0fcf9f9d4776051bf38de2acae1dab850137d12483e6
        • Instruction Fuzzy Hash: 8E510A70908B4ACFCB249E64C4D4B76B6D19F12360F28829BDB974B2A6C37D8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F5761, Relevance: .2, Instructions: 166COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: b2dd2bb878e95ddcaf24129d29304b88eb32d20f3fc55d8bc18c4d8d39a16ffb
        • Instruction ID: 4b9fab26985e65ecbc5f6d5c0dfdfdf4b68d51dd350772472564861d91bbae7e
        • Opcode Fuzzy Hash: b2dd2bb878e95ddcaf24129d29304b88eb32d20f3fc55d8bc18c4d8d39a16ffb
        • Instruction Fuzzy Hash: 23510A70908B49CFCB249E14C4D4B76B6D19F12320F28829BDB964B2A6C37D8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F5779, Relevance: .2, Instructions: 164COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 688ea1b7a3d01130ab9b35189c79633da98cdb0ea60427c384f9a083278ea5ff
        • Instruction ID: 9249a0de7c7ed483ca12e2f864c9c862450a96bfffc5477a24b0cf09d54abe20
        • Opcode Fuzzy Hash: 688ea1b7a3d01130ab9b35189c79633da98cdb0ea60427c384f9a083278ea5ff
        • Instruction Fuzzy Hash: 42510B70908B49CFCB249E28C4D4B75B7D19F12320F29829BDB974B2A6C36D8443D75B
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F2A03, Relevance: .1, Instructions: 75COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 5cc1fde11f6dcbad6c60cd9f5e3bb898a94b71aaed4f47847f7fbea97b8b5d00
        • Instruction ID: 1dd68e7b59da586bb9ed4e8b22c6475b67f15bf110217861642de0535715aa80
        • Opcode Fuzzy Hash: 5cc1fde11f6dcbad6c60cd9f5e3bb898a94b71aaed4f47847f7fbea97b8b5d00
        • Instruction Fuzzy Hash: DF217C30A8F3895FDB225B74AD907F17F52AF02314F0902AEE9C18A003C6A90956DB46
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F4D8B, Relevance: .0, Instructions: 32COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: e6d0ba0730095d15019b833fb849eefba0da86076ef88f12f77b9133b5c12a0d
        • Instruction ID: 07489bddb2c1c8633dbde65edb7e93bb30dbf155684b053e1b9df993b19f93fd
        • Opcode Fuzzy Hash: e6d0ba0730095d15019b833fb849eefba0da86076ef88f12f77b9133b5c12a0d
        • Instruction Fuzzy Hash: 1AF03A34205209CFC765DA24C580E77B3A1FBD4360F614557EB0287752DB289841D51A
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F2E83, Relevance: .0, Instructions: 7COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: 31ff511e65602661c97cb0e889db5bf946942b55bec1329ec07b66ae29cebe06
        • Instruction ID: 0624c61ede88f95a5f6dd3b50d5146034e09c1e5bf2c0dfdd8348b535c60bcb3
        • Opcode Fuzzy Hash: 31ff511e65602661c97cb0e889db5bf946942b55bec1329ec07b66ae29cebe06
        • Instruction Fuzzy Hash: 1EC092B6242A808FEF02DB0CC881F4073A0FB457A8B0806D0E422CF7E2D324E900CA00
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004F49C6, Relevance: .0, Instructions: 4COMMON
        Download Yara Rule
        Memory Dump Source
        • Source File: 00000000.00000002.1397946122.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
        Similarity
        • API ID:
        • String ID:
        • API String ID:
        • Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
        • Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
        • Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
        • Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00412DBA, Relevance: 179.0, APIs: 94, Strings: 8, Instructions: 493COMMON
        Download Yara Rule
        C-Code - Quality: 35%
        			E00412DBA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v36;
				char _v40;
				char _v44;
				char _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				char _v76;
				char _v80;
				char _v84;
				char _v88;
				char _v92;
				char _v96;
				char _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v120;
				char _v128;
				char _v144;
				signed int _v168;
				char _v176;
				char* _v184;
				intOrPtr _v192;
				void* _v212;
				signed int _v216;
				signed int _v220;
				signed int _v228;
				intOrPtr* _v232;
				signed int _v236;
				signed int _t155;
				signed int _t162;
				signed int _t166;
				char* _t169;
				signed int _t184;
				signed int _t188;
				char* _t192;
				signed int _t193;
				signed int _t194;
				intOrPtr _t301;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t301;
				L004013C0();
				_v12 = _t301;
				_v8 = 0x401398;
				_push(0x402a08);
				_push(0x402c58);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a08);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402c58);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x402a08);
				L004015AC();
				L004015B2();
				_push(0xd8);
				_push(0x4026d4);
				L004015AC();
				_v120 = 0xd8;
				_v128 = 8;
				_push( &_v128);
				_push( &_v144);
				L004014AA();
				_v168 = 0xc;
				_v176 = 0x8002;
				_push( &_v144);
				_t155 =  &_v176;
				_push(_t155);
				L004015DC();
				_v216 = _t155;
				_push( &_v48);
				_push( &_v44);
				_push( &_v40);
				_push( &_v36);
				_push(4);
				L004015A6();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L004015BE();
				_t162 = _v216;
				if(_t162 != 0) {
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					L004015B2();
					L004015AC();
					_v120 = _t162;
					_v128 = 8;
					_v184 = L"BERUFSVERBOT";
					_v192 = 8;
					_t166 =  *((intOrPtr*)( *_a4 + 0x218))(_a4,  &_v112, 0x402a30, _t162, 0x402b2c, _t162, 0x402b24, _t162, 0x402b1c, _t162, 0x402b14, _t162, 0x4026c4, 0x402b0c);
					asm("fclex");
					_v216 = _t166;
					if(_v216 >= 0) {
						_v228 = _v228 & 0x00000000;
					} else {
						_push(0x218);
						_push(0x402434);
						_push(_a4);
						_push(_v216);
						L00401552();
						_v228 = _t166;
					}
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"Add");
					_push(_v112);
					_t169 =  &_v144;
					_push(_t169);
					L00401498();
					_push(_t169);
					L0040149E();
					_push(_t169);
					_push( &_v24);
					L004014A4();
					_push( &_v52);
					_push( &_v48);
					_push( &_v44);
					_push( &_v40);
					_push( &_v36);
					_push(5);
					L004015A6();
					L0040152E();
					_push( &_v144);
					_push( &_v128);
					_push(2);
					L004015BE();
					_v168 = 0x470d;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X1");
					_push(_v24);
					L00401492();
					_v168 = 0x878;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"X2");
					_push(_v24);
					L00401492();
					_v168 = 0x2c0e;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y1");
					_push(_v24);
					L00401492();
					if( *0x414010 != 0) {
						_v232 = 0x414010;
					} else {
						_push(0x414010);
						_push(0x4030f8);
						L00401558();
						_v232 = 0x414010;
					}
					_t184 =  &_v112;
					L0040155E();
					_v216 = _t184;
					_t188 =  *((intOrPtr*)( *_v216 + 0x108))(_v216,  &_v212, _t184,  *((intOrPtr*)( *((intOrPtr*)( *_v232)) + 0x35c))( *_v232));
					asm("fclex");
					_v220 = _t188;
					if(_v220 >= 0) {
						_v236 = _v236 & 0x00000000;
					} else {
						_push(0x108);
						_push(0x40275c);
						_push(_v216);
						_push(_v220);
						L00401552();
						_v236 = _t188;
					}
					_v168 = _v212;
					_v176 = 2;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Y2");
					_push(_v24);
					L00401492();
					L0040152E();
					_v168 = _v168 | 0xffffffff;
					_v176 = 0xb;
					_push(0x10);
					L004013C0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(L"Visible");
					_push(_v24);
					L00401492();
					_v168 = 1;
					_v176 = 0x8002;
					_push(0);
					_push(L"BorderStyle");
					_push(_v24);
					_t192 =  &_v128;
					_push(_t192);
					L00401498();
					_push(_t192);
					_t193 =  &_v176;
					_push(_t193);
					L004015DC();
					_v216 = _t193;
					L0040156A();
					_t162 = _v216;
					if(_t162 != 0) {
						_v120 = 0xe;
						_v128 = 2;
						_t194 =  &_v128;
						_push(_t194);
						L0040148C();
						L004015B2();
						_push(_t194);
						_push(0x402728);
						_push(0x402b94);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402980);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402908);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b9c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402ba4);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402908);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bac);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402980);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a38);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b24);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402b2c);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bb4);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402908);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bac);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402bbc);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a00);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a28);
						L004015AC();
						L004015B2();
						_push(_t194);
						_push(0x402a30);
						L004015AC();
						L004015B2();
						_push(_t194);
						L00401582();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t194 + 1);
						_push( &_v108);
						_push( &_v104);
						_push( &_v100);
						_push( &_v96);
						_push( &_v92);
						_push( &_v88);
						_t134 =  &_v84; // 0x402a30
						_push( &_v80);
						_t136 =  &_v76; // 0x402b2c
						_push( &_v72);
						_t138 =  &_v68; // 0x402b24
						_push( &_v64);
						_push( &_v60);
						_push( &_v56);
						_push( &_v52);
						_push( &_v48);
						_push( &_v44);
						_push( &_v40);
						_push( &_v36);
						_push(0x13);
						L004015A6();
						L0040156A();
						_t162 = _v216;
						if(_t162 != 0) {
							L00401486();
						}
					}
				}
				asm("wait");
				_push(0x4134fd);
				L0040152E();
				return _t162;
			}

















































        0x00412dbf
        0x00412dca
        0x00412dcb
        0x00412dd7
        0x00412ddf
        0x00412de2
        0x00412de9
        0x00412dee
        0x00412df3
        0x00412dfd
        0x00412e02
        0x00412e03
        0x00412e08
        0x00412e12
        0x00412e17
        0x00412e18
        0x00412e1d
        0x00412e27
        0x00412e2c
        0x00412e2d
        0x00412e32
        0x00412e3c
        0x00412e41
        0x00412e42
        0x00412e47
        0x00412e4c
        0x00412e4f
        0x00412e59
        0x00412e60
        0x00412e61
        0x00412e66
        0x00412e70
        0x00412e80
        0x00412e81
        0x00412e87
        0x00412e88
        0x00412e8d
        0x00412e97
        0x00412e9b
        0x00412e9f
        0x00412ea3
        0x00412ea4
        0x00412ea6
        0x00412eb4
        0x00412eb8
        0x00412eb9
        0x00412ebb
        0x00412ec3
        0x00412ecc
        0x00412edc
        0x00412ee6
        0x00412ef1
        0x00412efb
        0x00412f06
        0x00412f10
        0x00412f1b
        0x00412f25
        0x00412f30
        0x00412f3a
        0x00412f45
        0x00412f4a
        0x00412f4d
        0x00412f54
        0x00412f5e
        0x00412f74
        0x00412f7a
        0x00412f7c
        0x00412f89
        0x00412fab
        0x00412f8b
        0x00412f8b
        0x00412f90
        0x00412f95
        0x00412f98
        0x00412f9e
        0x00412fa3
        0x00412fa3
        0x00412fb2
        0x00412fb5
        0x00412fbf
        0x00412fc0
        0x00412fc1
        0x00412fc2
        0x00412fc3
        0x00412fc6
        0x00412fd3
        0x00412fd4
        0x00412fd5
        0x00412fd6
        0x00412fd7
        0x00412fd9
        0x00412fde
        0x00412fe1
        0x00412fe7
        0x00412fe8
        0x00412ff0
        0x00412ff1
        0x00412ff6
        0x00412ffa
        0x00412ffb
        0x00413003
        0x00413007
        0x0041300b
        0x0041300f
        0x00413013
        0x00413014
        0x00413016
        0x00413021
        0x0041302c
        0x00413030
        0x00413031
        0x00413033
        0x0041303b
        0x00413045
        0x0041304f
        0x00413052
        0x0041305f
        0x00413060
        0x00413061
        0x00413062
        0x00413063
        0x00413068
        0x0041306b
        0x00413070
        0x0041307a
        0x00413084
        0x00413087
        0x00413094
        0x00413095
        0x00413096
        0x00413097
        0x00413098
        0x0041309d
        0x004130a0
        0x004130a5
        0x004130af
        0x004130b9
        0x004130bc
        0x004130c9
        0x004130ca
        0x004130cb
        0x004130cc
        0x004130cd
        0x004130d2
        0x004130d5
        0x004130e1
        0x004130fe
        0x004130e3
        0x004130e3
        0x004130e8
        0x004130ed
        0x004130f2
        0x004130f2
        0x00413122
        0x00413126
        0x0041312b
        0x00413146
        0x0041314c
        0x0041314e
        0x0041315b
        0x00413180
        0x0041315d
        0x0041315d
        0x00413162
        0x00413167
        0x0041316d
        0x00413173
        0x00413178
        0x00413178
        0x0041318e
        0x00413195
        0x0041319f
        0x004131a2
        0x004131af
        0x004131b0
        0x004131b1
        0x004131b2
        0x004131b3
        0x004131b8
        0x004131bb
        0x004131c3
        0x004131c8
        0x004131cf
        0x004131d9
        0x004131dc
        0x004131e9
        0x004131ea
        0x004131eb
        0x004131ec
        0x004131ed
        0x004131f2
        0x004131f5
        0x004131fa
        0x00413204
        0x0041320e
        0x00413210
        0x00413215
        0x00413218
        0x0041321b
        0x0041321c
        0x00413224
        0x00413225
        0x0041322b
        0x0041322c
        0x00413231
        0x0041323b
        0x00413240
        0x00413249
        0x0041324f
        0x00413256
        0x0041325d
        0x00413260
        0x00413261
        0x0041326b
        0x00413270
        0x00413271
        0x00413276
        0x0041327b
        0x00413285
        0x0041328a
        0x0041328b
        0x00413290
        0x0041329a
        0x0041329f
        0x004132a0
        0x004132a5
        0x004132af
        0x004132b4
        0x004132b5
        0x004132ba
        0x004132c4
        0x004132c9
        0x004132ca
        0x004132cf
        0x004132d9
        0x004132de
        0x004132df
        0x004132e4
        0x004132ee
        0x004132f3
        0x004132f4
        0x004132f9
        0x00413303
        0x00413308
        0x00413309
        0x0041330e
        0x00413318
        0x0041331d
        0x0041331e
        0x00413323
        0x0041332d
        0x00413332
        0x00413333
        0x00413338
        0x00413342
        0x00413347
        0x00413348
        0x0041334d
        0x00413357
        0x0041335c
        0x0041335d
        0x00413362
        0x0041336c
        0x00413371
        0x00413372
        0x00413377
        0x00413381
        0x00413386
        0x00413387
        0x0041338c
        0x00413396
        0x0041339b
        0x0041339c
        0x004133a1
        0x004133ab
        0x004133b0
        0x004133b1
        0x004133b6
        0x004133c0
        0x004133c5
        0x004133c6
        0x004133cb
        0x004133d5
        0x004133da
        0x004133db
        0x004133e0
        0x004133ea
        0x004133ef
        0x004133f0
        0x004133f7
        0x004133fc
        0x00413406
        0x0041340a
        0x0041340e
        0x00413412
        0x00413416
        0x0041341a
        0x0041341b
        0x00413422
        0x00413423
        0x0041342a
        0x0041342b
        0x00413432
        0x00413436
        0x0041343a
        0x0041343e
        0x00413442
        0x00413446
        0x0041344a
        0x0041344e
        0x0041344f
        0x00413451
        0x0041345c
        0x00413461
        0x0041346a
        0x0041346c
        0x0041346c
        0x0041346a
        0x00413249
        0x00413471
        0x00413472
        0x004134f7
        0x004134fc

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00412DD7
        • __vbaStrCat.MSVBVM60(00402C58,00402A08,?,?,?,?,004013C6), ref: 00412DF3
        • __vbaStrMove.MSVBVM60(00402C58,00402A08,?,?,?,?,004013C6), ref: 00412DFD
        • __vbaStrCat.MSVBVM60(00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E08
        • __vbaStrMove.MSVBVM60(00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E12
        • __vbaStrCat.MSVBVM60(00402C58,00000000,00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E1D
        • __vbaStrMove.MSVBVM60(00402C58,00000000,00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E27
        • __vbaStrCat.MSVBVM60(00402A08,00000000,00402C58,00000000,00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E32
        • __vbaStrMove.MSVBVM60(00402A08,00000000,00402C58,00000000,00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E3C
        • __vbaStrCat.MSVBVM60(004026D4,00000000,00402A08,00000000,00402C58,00000000,00402A08,00000000,00402C58,00402A08,?,?,?,?,004013C6), ref: 00412E47
        • #544.MSVBVM60(?,00000008), ref: 00412E61
        • __vbaVarTstEq.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?,?,?,00000008), ref: 00412E88
        • __vbaFreeStrList.MSVBVM60(00000004,?,?,?,?,00008002,?), ref: 00412EA6
        • __vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 00412EBB
        • __vbaStrCat.MSVBVM60(004026C4,00402B0C), ref: 00412EDC
        • __vbaStrMove.MSVBVM60(004026C4,00402B0C), ref: 00412EE6
        • __vbaStrCat.MSVBVM60(00402B14,00000000,004026C4,00402B0C), ref: 00412EF1
        • __vbaStrMove.MSVBVM60(00402B14,00000000,004026C4,00402B0C), ref: 00412EFB
        • __vbaStrCat.MSVBVM60(00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F06
        • __vbaStrMove.MSVBVM60(00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F10
        • __vbaStrCat.MSVBVM60(00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F1B
        • __vbaStrMove.MSVBVM60(00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F25
        • __vbaStrCat.MSVBVM60(00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F30
        • __vbaStrMove.MSVBVM60(00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F3A
        • __vbaStrCat.MSVBVM60(00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412F45
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402434,00000218), ref: 00412F9E
        • __vbaChkstk.MSVBVM60 ref: 00412FB5
        • __vbaChkstk.MSVBVM60 ref: 00412FC6
        • __vbaLateMemCallLd.MSVBVM60(?,?,Add,00000002), ref: 00412FE8
        • __vbaObjVar.MSVBVM60(00000000,00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412FF1
        • __vbaObjSetAddref.MSVBVM60(?,00000000,00000000,00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000,004026C4,00402B0C), ref: 00412FFB
        • __vbaFreeStrList.MSVBVM60(00000005,?,00402B0C,004026C4,00000000,00402B14,?,00000000,00000000,00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C), ref: 00413016
        • __vbaFreeObj.MSVBVM60(?,?,?,?,00000000,00000000,00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C,00000000,00402B14,00000000), ref: 00413021
        • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,00000000,00000000,00402A30,00000000,00402B2C,00000000,00402B24,00000000,00402B1C), ref: 00413033
        • __vbaChkstk.MSVBVM60 ref: 00413052
        • __vbaLateMemSt.MSVBVM60(?,00402B54), ref: 0041306B
        • __vbaChkstk.MSVBVM60(?,00402B54), ref: 00413087
        • __vbaLateMemSt.MSVBVM60(?,00402B5C,?,00402B54), ref: 004130A0
        • __vbaChkstk.MSVBVM60(?,00402B5C,?,00402B54), ref: 004130BC
        • __vbaLateMemSt.MSVBVM60(?,00402B64,?,00402B5C,?,00402B54), ref: 004130D5
        • __vbaNew2.MSVBVM60(004030F8,00414010,?,00402B64,?,00402B5C,?,00402B54), ref: 004130ED
        • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C,?,00402B54), ref: 00413126
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040275C,00000108,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C), ref: 00413173
        • __vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C,?,00402B54), ref: 004131A2
        • __vbaLateMemSt.MSVBVM60(?,00402B6C,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C,?,00402B54), ref: 004131BB
        • __vbaFreeObj.MSVBVM60(?,00402B6C,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C,?,00402B54), ref: 004131C3
        • __vbaChkstk.MSVBVM60(?,00402B6C,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C,?,00402B54), ref: 004131DC
        • __vbaLateMemSt.MSVBVM60(?,Visible,?,00402B6C,?,?,?,?,?,?,?,?,?,00402B64,?,00402B5C), ref: 004131F5
        • __vbaLateMemCallLd.MSVBVM60(?,?,BorderStyle,00000000,?,Visible,?,00402B6C), ref: 0041321C
        • __vbaVarTstEq.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A30), ref: 0041322C
        • __vbaFreeVar.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000,00000000,00402A30), ref: 0041323B
        • #651.MSVBVM60(00000002,?,00000000), ref: 00413261
        • __vbaStrMove.MSVBVM60(00000002,?,00000000), ref: 0041326B
        • __vbaStrCat.MSVBVM60(00402B94,00402728,00000000,00000002,?,00000000), ref: 0041327B
        • __vbaStrMove.MSVBVM60(00402B94,00402728,00000000,00000002,?,00000000), ref: 00413285
        • __vbaStrCat.MSVBVM60(00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 00413290
        • __vbaStrMove.MSVBVM60(00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 0041329A
        • __vbaStrCat.MSVBVM60(00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132A5
        • __vbaStrMove.MSVBVM60(00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132AF
        • __vbaStrCat.MSVBVM60(00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132BA
        • __vbaStrMove.MSVBVM60(00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132C4
        • __vbaStrCat.MSVBVM60(00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132CF
        • __vbaStrMove.MSVBVM60(00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132D9
        • __vbaStrCat.MSVBVM60(00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132E4
        • __vbaStrMove.MSVBVM60(00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002,?,00000000), ref: 004132EE
        • __vbaStrCat.MSVBVM60(00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002), ref: 004132F9
        • __vbaStrMove.MSVBVM60(00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728,00000000,00000002), ref: 00413303
        • __vbaStrCat.MSVBVM60(00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728), ref: 0041330E
        • __vbaStrMove.MSVBVM60(00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728), ref: 00413318
        • __vbaStrCat.MSVBVM60(00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000), ref: 00413323
        • __vbaStrMove.MSVBVM60(00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000), ref: 0041332D
        • __vbaStrCat.MSVBVM60(00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000), ref: 00413338
        • __vbaStrMove.MSVBVM60(00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000), ref: 00413342
        • __vbaStrCat.MSVBVM60(00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000), ref: 0041334D
        • __vbaStrMove.MSVBVM60(00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000), ref: 00413357
        • __vbaStrCat.MSVBVM60(00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000), ref: 00413362
        • __vbaStrMove.MSVBVM60(00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000), ref: 0041336C
        • __vbaStrCat.MSVBVM60(00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000), ref: 00413377
        • __vbaStrMove.MSVBVM60(00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000,00402908,00000000), ref: 00413381
        • __vbaStrCat.MSVBVM60(00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000), ref: 0041338C
        • __vbaStrMove.MSVBVM60(00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000,00402BAC,00000000), ref: 00413396
        • __vbaStrCat.MSVBVM60(00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000), ref: 004133A1
        • __vbaStrMove.MSVBVM60(00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000,00402980,00000000), ref: 004133AB
        • __vbaStrCat.MSVBVM60(00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000), ref: 004133B6
        • __vbaStrMove.MSVBVM60(00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000,00402A38,00000000), ref: 004133C0
        • __vbaStrCat.MSVBVM60(00402A28,00000000,00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000), ref: 004133CB
        • __vbaStrMove.MSVBVM60(00402A28,00000000,00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000,00402B24,00000000), ref: 004133D5
        • __vbaStrCat.MSVBVM60(00402A30,00000000,00402A28,00000000,00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000), ref: 004133E0
        • __vbaStrMove.MSVBVM60(00402A30,00000000,00402A28,00000000,00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C,00000000), ref: 004133EA
        • __vbaStrCmp.MSVBVM60(00000000,00402A30,00000000,00402A28,00000000,00402A00,00000000,00402BBC,00000000,00402BAC,00000000,00402908,00000000,00402BB4,00000000,00402B2C), ref: 004133F0
        • __vbaFreeStrList.MSVBVM60(00000013,?,00402B0C,004026C4,00000000,00402B14,00000000,00402B1C,00000000,$+@,00000000,,+@,00000000,0*@,00000000,00000000), ref: 00413451
        • __vbaFreeVar.MSVBVM60(00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728), ref: 0041345C
        • #554.MSVBVM60(00402980,00000000,00402BAC,00000000,00402908,00000000,00402BA4,00000000,00402B9C,00000000,00402908,00000000,00402980,00000000,00402B94,00402728), ref: 0041346C
        • __vbaFreeObj.MSVBVM60(004134FD), ref: 004134F7
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Move$Free$Chkstk$Late$List$CallCheckHresult$#544#554#651AddrefNew2
        • String ID: G$$+@$,+@$0*@$Add$BERUFSVERBOT$BorderStyle$Visible
        • API String ID: 2720917139-36511939
        • Opcode ID: 97855bcac2832cfb8b97a5613c0adfbfdc1c7239d085ad7c769d3e838ab09df6
        • Instruction ID: 3adbb604ae767404b5c2ad84323b3e5db00b4867be0284064a05cbb7e0eb86db
        • Opcode Fuzzy Hash: 97855bcac2832cfb8b97a5613c0adfbfdc1c7239d085ad7c769d3e838ab09df6
        • Instruction Fuzzy Hash: F5024071E40218AADB11EFA1CC46FDE7378AF44704F50417BB506BB1E1DEB8AA448F69
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00410B65, Relevance: 45.2, APIs: 30, Instructions: 188COMMON
        Download Yara Rule
        C-Code - Quality: 41%
        			E00410B65(void* __ebx, void* __ecx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a16) {
				intOrPtr _v8;
				long long* _v12;
				long long* _v36;
				char _v48;
				void* _v56;
				intOrPtr _v60;
				char _v64;
				char _v68;
				char _v88;
				signed int _v92;
				signed int _v96;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _t62;
				signed int _t66;
				char* _t68;
				signed int _t76;
				signed int _t80;
				signed int _t84;
				char* _t93;
				long long* _t110;
				signed int _t111;
				void* _t112;
				signed int _t113;
				long long _t117;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t110;
				_push(0x5c);
				L004013C0();
				_v12 = _t110;
				_v8 = 0x4012f8;
				L0040154C();
				_push(5);
				_push(0x402a40);
				_t62 =  &_v48;
				_push(_t62);
				L004014CE();
				_push(0x402a28);
				_push(0x402a30);
				L004015AC();
				L004015B2();
				_push(_t62);
				_push(0x402a38);
				L004015AC();
				L004015B2();
				L004015C4();
				_push(0);
				_push(0xffffffff);
				_push(1);
				_push(0);
				_push(0x402a30);
				_push(_v60);
				L004014C8();
				L004015B2();
				_push(_v60);
				_push(0x402a28);
				_push(0x402a38);
				L004015AC();
				L004015B2();
				_push(_t62);
				L00401582();
				asm("sbb eax, eax");
				_v92 =  ~( ~_t62 + 1);
				_t93 =  &_v64;
				L004015C4();
				_t66 = _v92;
				_t111 = _t66;
				if(_t111 != 0) {
					asm("fld1");
					L00401432();
					L004015A0();
					asm("fcomp qword [0x4012f0]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t111 == 0) {
						_push(0x402a00);
						L004014C2();
						_t112 = _t66 - 0x61;
						if(_t112 == 0) {
							asm("fld1");
							 *_v36 = __fp0;
							_t117 =  *0x4012e8;
							 *((long long*)(_v36 + 8)) = _t117;
							_v88 =  &_v48;
							_push( &_v88);
							asm("fld1");
							_push(_t93);
							_push(_t93);
							 *_t110 = _t117;
							L004014BC();
							L004015A0();
							asm("fcomp qword [0x4012e0]");
							asm("fnstsw ax");
							asm("sahf");
							if(_t112 == 0) {
								_push(0x402a08);
								L004014EC();
								asm("fcomp dword [0x4012ac]");
								asm("fnstsw ax");
								asm("sahf");
								if(_t112 == 0) {
									_t76 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v88);
									asm("fclex");
									_v92 = _t76;
									_t113 = _v92;
									if(_t113 >= 0) {
										_v104 = _v104 & 0x00000000;
									} else {
										_push(0xb0);
										_push(0x402434);
										_push(_a4);
										_push(_v92);
										L00401552();
										_v104 = _t76;
									}
									asm("fcomp dword [0x4012a8]");
									asm("fnstsw ax");
									asm("sahf");
									if(_t113 == 0) {
										if( *0x414010 != 0) {
											_v108 = 0x414010;
										} else {
											_push(0x414010);
											_push(0x4030f8);
											L00401558();
											_v108 = 0x414010;
										}
										_t80 =  &_v68;
										L0040155E();
										_v92 = _t80;
										_t84 =  *((intOrPtr*)( *_v92 + 0xb8))(_v92,  &_v64, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v108)) + 0x35c))( *_v108));
										asm("fclex");
										_v96 = _t84;
										if(_v96 >= 0) {
											_v112 = _v112 & 0x00000000;
										} else {
											_push(0xb8);
											_push(0x40275c);
											_push(_v92);
											_push(_v96);
											L00401552();
											_v112 = _t84;
										}
										_push(_v64);
										_push(0x60);
										_push(0xffffffff);
										_push(0x20);
										L004014E6();
										L004015C4();
										L0040152E();
									}
								}
							}
						}
					}
				}
				asm("wait");
				_push(0x410df1);
				_v88 =  &_v48;
				_t68 =  &_v88;
				_push(_t68);
				_push(0);
				L004014D4();
				L004015C4();
				L004015C4();
				return _t68;
			}





























        0x00410b6a
        0x00410b75
        0x00410b76
        0x00410b7d
        0x00410b80
        0x00410b88
        0x00410b8b
        0x00410b98
        0x00410b9d
        0x00410b9f
        0x00410ba4
        0x00410ba7
        0x00410ba8
        0x00410bad
        0x00410bb2
        0x00410bb7
        0x00410bc1
        0x00410bc6
        0x00410bc7
        0x00410bcc
        0x00410bd6
        0x00410bde
        0x00410be3
        0x00410be5
        0x00410be7
        0x00410be9
        0x00410beb
        0x00410bf0
        0x00410bf3
        0x00410bfd
        0x00410c02
        0x00410c05
        0x00410c0a
        0x00410c0f
        0x00410c19
        0x00410c1e
        0x00410c1f
        0x00410c26
        0x00410c2b
        0x00410c2f
        0x00410c32
        0x00410c37
        0x00410c3b
        0x00410c3d
        0x00410c43
        0x00410c45
        0x00410c4a
        0x00410c4f
        0x00410c55
        0x00410c57
        0x00410c58
        0x00410c5e
        0x00410c63
        0x00410c68
        0x00410c6c
        0x00410c75
        0x00410c77
        0x00410c7c
        0x00410c82
        0x00410c88
        0x00410c8e
        0x00410c8f
        0x00410c91
        0x00410c92
        0x00410c93
        0x00410c96
        0x00410c9b
        0x00410ca0
        0x00410ca6
        0x00410ca8
        0x00410ca9
        0x00410caf
        0x00410cb4
        0x00410cb9
        0x00410cbf
        0x00410cc1
        0x00410cc2
        0x00410cd4
        0x00410cda
        0x00410cdc
        0x00410cdf
        0x00410ce3
        0x00410cff
        0x00410ce5
        0x00410ce5
        0x00410cea
        0x00410cef
        0x00410cf2
        0x00410cf5
        0x00410cfa
        0x00410cfa
        0x00410d06
        0x00410d0c
        0x00410d0e
        0x00410d0f
        0x00410d1c
        0x00410d36
        0x00410d1e
        0x00410d1e
        0x00410d23
        0x00410d28
        0x00410d2d
        0x00410d2d
        0x00410d51
        0x00410d55
        0x00410d5a
        0x00410d69
        0x00410d6f
        0x00410d71
        0x00410d78
        0x00410d94
        0x00410d7a
        0x00410d7a
        0x00410d7f
        0x00410d84
        0x00410d87
        0x00410d8a
        0x00410d8f
        0x00410d8f
        0x00410d98
        0x00410d9b
        0x00410d9d
        0x00410d9f
        0x00410da1
        0x00410da9
        0x00410db1
        0x00410db1
        0x00410d0f
        0x00410cc2
        0x00410ca9
        0x00410c6c
        0x00410c58
        0x00410db6
        0x00410db7
        0x00410dd2
        0x00410dd5
        0x00410dd8
        0x00410dd9
        0x00410ddb
        0x00410de3
        0x00410deb
        0x00410df0

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00410B80
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00410B98
        • __vbaAryConstruct2.MSVBVM60(?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BA8
        • __vbaStrCat.MSVBVM60(00402A30,00402A28,?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BB7
        • __vbaStrMove.MSVBVM60(00402A30,00402A28,?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BC1
        • __vbaStrCat.MSVBVM60(00402A38,00000000,00402A30,00402A28,?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BCC
        • __vbaStrMove.MSVBVM60(00402A38,00000000,00402A30,00402A28,?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BD6
        • __vbaFreeStr.MSVBVM60(00402A38,00000000,00402A30,00402A28,?,00402A40,00000005,?,?,?,?,004013C6), ref: 00410BDE
        • #712.MSVBVM60(?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40,00000005), ref: 00410BF3
        • __vbaStrMove.MSVBVM60(?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40,00000005), ref: 00410BFD
        • __vbaStrCat.MSVBVM60(00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40,00000005), ref: 00410C0F
        • __vbaStrMove.MSVBVM60(00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40,00000005), ref: 00410C19
        • __vbaStrCmp.MSVBVM60(00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40), ref: 00410C1F
        • __vbaFreeStr.MSVBVM60(00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40), ref: 00410C32
        • _CIlog.MSVBVM60(00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40), ref: 00410C45
        • __vbaFpR8.MSVBVM60(00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?,00402A40), ref: 00410C4A
        • #516.MSVBVM60(00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30,00402A28,?), ref: 00410C63
        • #684.MSVBVM60(?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000), ref: 00410C96
        • __vbaFpR8.MSVBVM60(?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000), ref: 00410C9B
        • __vbaR4Str.MSVBVM60(00402A08,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38), ref: 00410CB4
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402434,000000B0,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001), ref: 00410CF5
        • __vbaNew2.MSVBVM60(004030F8,00414010,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000), ref: 00410D28
        • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000), ref: 00410D55
        • __vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040275C,000000B8,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001), ref: 00410D8A
        • __vbaFileOpen.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001), ref: 00410DA1
        • __vbaFreeStr.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001), ref: 00410DA9
        • __vbaFreeObj.MSVBVM60(00000020,000000FF,00000060,?,?,?,?,00402A00,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001), ref: 00410DB1
        • __vbaAryDestruct.MSVBVM60(00000000,?,00410DF1,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30), ref: 00410DDB
        • __vbaFreeStr.MSVBVM60(00000000,?,00410DF1,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30), ref: 00410DE3
        • __vbaFreeStr.MSVBVM60(00000000,?,00410DF1,00000000,00402A38,00402A28,?,?,00402A30,00000000,00000001,000000FF,00000000,00402A38,00000000,00402A30), ref: 00410DEB
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$Move$CheckHresult$#516#684#712ChkstkConstruct2CopyDestructFileIlogNew2Open
        • String ID:
        • API String ID: 2720509884-0
        • Opcode ID: 7882f8537240b8ad61ca6e9b7dbc8efdd48c2150f34134588e01d25462485716
        • Instruction ID: 8c8b7e1429ce75dcf21d1802e68acdaa99f85890c1888351f3cf9e6bd4ad4c50
        • Opcode Fuzzy Hash: 7882f8537240b8ad61ca6e9b7dbc8efdd48c2150f34134588e01d25462485716
        • Instruction Fuzzy Hash: 74610870A40248AECB14EBE1DD86BDE7BB4AF45704F50413AF016BA1F5DBBC6985CB18
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00411D63, Relevance: 24.6, APIs: 12, Strings: 2, Instructions: 61COMMON
        Download Yara Rule
        C-Code - Quality: 67%
        			E00411D63(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				void* _v44;
				intOrPtr _v52;
				char _v60;
				short _v80;
				intOrPtr _t22;
				char* _t23;
				char* _t28;
				intOrPtr _t46;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t46;
				_t22 = 0x40;
				L004013C0();
				_v12 = _t46;
				_v8 = 0x401348;
				L0040158E();
				L0040154C();
				_push("12-");
				_push(L"12-12");
				L004015AC();
				_v52 = _t22;
				_v60 = 8;
				_t23 =  &_v60;
				_push(_t23);
				L0040147A();
				asm("sbb eax, eax");
				_v80 =  ~( ~(_t23 - 0xffff) + 1);
				L0040156A();
				_t28 = _v80;
				if(_t28 != 0) {
					_v52 = 1;
					_v60 = 2;
					_push(0);
					_t28 =  &_v60;
					_push(_t28);
					L00401474();
					L004015B2();
					L0040156A();
				}
				_push(0x411e3c);
				L0040156A();
				L004015C4();
				L004015C4();
				return _t28;
			}















        0x00411d68
        0x00411d73
        0x00411d74
        0x00411d7d
        0x00411d7e
        0x00411d86
        0x00411d89
        0x00411d96
        0x00411da1
        0x00411da6
        0x00411dab
        0x00411db0
        0x00411db5
        0x00411db8
        0x00411dbf
        0x00411dc2
        0x00411dc3
        0x00411dcf
        0x00411dd4
        0x00411ddb
        0x00411de0
        0x00411de6
        0x00411de8
        0x00411def
        0x00411df6
        0x00411df8
        0x00411dfb
        0x00411dfc
        0x00411e06
        0x00411e0e
        0x00411e0e
        0x00411e13
        0x00411e26
        0x00411e2e
        0x00411e36
        0x00411e3b

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00411D7E
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00411D96
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 00411DA1
        • __vbaStrCat.MSVBVM60(12-12,12-,?,?,?,?,004013C6), ref: 00411DB0
        • #557.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411DC3
        • __vbaFreeVar.MSVBVM60(00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411DDB
        • #705.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411DFC
        • __vbaStrMove.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411E06
        • __vbaFreeVar.MSVBVM60(00000002,00000000,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411E0E
        • __vbaFreeVar.MSVBVM60(00411E3C,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411E26
        • __vbaFreeStr.MSVBVM60(00411E3C,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411E2E
        • __vbaFreeStr.MSVBVM60(00411E3C,00000008,?,?,?,?,?,12-12,12-,?,?,?,?,004013C6), ref: 00411E36
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$#557#705ChkstkCopyMove
        • String ID: 12-$12-12
        • API String ID: 1093160486-3531647454
        • Opcode ID: b666e6412b8c223f7066b31617ea0e7180d864a5f8c9e005d3676be668c1d827
        • Instruction ID: 38acdf0cf659da9f4d831d7d41604e5774298302807ba45c38a946d02160b5c1
        • Opcode Fuzzy Hash: b666e6412b8c223f7066b31617ea0e7180d864a5f8c9e005d3676be668c1d827
        • Instruction Fuzzy Hash: E3111D71910248AADB04EFA1CC96FEDBBB8AF44708F50453AB402B71E1EB7C6945CB58
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040FF5A, Relevance: 22.6, APIs: 15, Instructions: 119COMMON
        Download Yara Rule
        C-Code - Quality: 63%
        			E0040FF5A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a16, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v36;
				void* _v52;
				signed int _v56;
				void* _v60;
				char _v76;
				char _v92;
				intOrPtr _v116;
				intOrPtr _v124;
				intOrPtr _v132;
				char _v140;
				void* _v144;
				signed int _v148;
				intOrPtr* _v152;
				signed int _v156;
				intOrPtr _v168;
				intOrPtr* _v172;
				signed int _v176;
				signed int _v180;
				short _t71;
				signed int _t74;
				signed int _t80;
				signed int _t85;
				void* _t101;
				void* _t103;
				intOrPtr _t104;

				_t104 = _t103 - 0xc;
				 *[fs:0x0] = _t104;
				L004013C0();
				_v16 = _t104;
				_v12 = 0x401290;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013c6, _t101);
				L0040158E();
				L0040154C();
				_v116 = 0x4026bc;
				_v124 = 8;
				L0040158E();
				_push( &_v76);
				_push( &_v92);
				L004014F8();
				_v132 = 0x402a00;
				_v140 = 0x8008;
				_push( &_v92);
				_t71 =  &_v140;
				_push(_t71);
				L004015DC();
				_v144 = _t71;
				_push( &_v92);
				_push( &_v76);
				_push(2);
				L004015BE();
				_t74 = _v144;
				if(_t74 != 0) {
					if( *0x4145f8 != 0) {
						_v172 = 0x4145f8;
					} else {
						_push(0x4145f8);
						_push(0x4028e4);
						L00401558();
						_v172 = 0x4145f8;
					}
					_v144 =  *_v172;
					_t80 =  *((intOrPtr*)( *_v144 + 0x14))(_v144,  &_v60);
					asm("fclex");
					_v148 = _t80;
					if(_v148 >= 0) {
						_v176 = _v176 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d4);
						_push(_v144);
						_push(_v148);
						L00401552();
						_v176 = _t80;
					}
					_v152 = _v60;
					_t85 =  *((intOrPtr*)( *_v152 + 0x110))(_v152,  &_v56);
					asm("fclex");
					_v156 = _t85;
					if(_v156 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x110);
						_push(0x4028f4);
						_push(_v152);
						_push(_v156);
						L00401552();
						_v180 = _t85;
					}
					_t74 = _v56;
					_v168 = _t74;
					_v56 = _v56 & 0x00000000;
					L004015B2();
					L0040152E();
				}
				_push(0x410170);
				L004015C4();
				L004015C4();
				L0040156A();
				return _t74;
			}
































        0x0040ff5d
        0x0040ff6c
        0x0040ff78
        0x0040ff80
        0x0040ff83
        0x0040ff8a
        0x0040ff99
        0x0040ffa2
        0x0040ffad
        0x0040ffb2
        0x0040ffb9
        0x0040ffc6
        0x0040ffce
        0x0040ffd2
        0x0040ffd3
        0x0040ffd8
        0x0040ffdf
        0x0040ffec
        0x0040ffed
        0x0040fff3
        0x0040fff4
        0x0040fff9
        0x00410003
        0x00410007
        0x00410008
        0x0041000a
        0x00410012
        0x0041001b
        0x00410028
        0x00410045
        0x0041002a
        0x0041002a
        0x0041002f
        0x00410034
        0x00410039
        0x00410039
        0x00410057
        0x0041006f
        0x00410072
        0x00410074
        0x00410081
        0x004100a3
        0x00410083
        0x00410083
        0x00410085
        0x0041008a
        0x00410090
        0x00410096
        0x0041009b
        0x0041009b
        0x004100ad
        0x004100c5
        0x004100cb
        0x004100cd
        0x004100da
        0x004100ff
        0x004100dc
        0x004100dc
        0x004100e1
        0x004100e6
        0x004100ec
        0x004100f2
        0x004100f7
        0x004100f7
        0x00410106
        0x00410109
        0x0041010f
        0x0041011c
        0x00410124
        0x00410124
        0x00410129
        0x0041015a
        0x00410162
        0x0041016a
        0x0041016f

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FF78
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FFA2
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0040FFAD
        • __vbaVarDup.MSVBVM60 ref: 0040FFC6
        • #518.MSVBVM60(?,?), ref: 0040FFD3
        • __vbaVarTstEq.MSVBVM60(00008008,?,?,?,?,?), ref: 0040FFF4
        • __vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0041000A
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,004013C6), ref: 00410034
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 00410096
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,00000110), ref: 004100F2
        • __vbaStrMove.MSVBVM60(00000000,?,004028F4,00000110), ref: 0041011C
        • __vbaFreeObj.MSVBVM60(00000000,?,004028F4,00000110), ref: 00410124
        • __vbaFreeStr.MSVBVM60(00410170,?,?,004013C6), ref: 0041015A
        • __vbaFreeStr.MSVBVM60(00410170,?,?,004013C6), ref: 00410162
        • __vbaFreeVar.MSVBVM60(00410170,?,?,004013C6), ref: 0041016A
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$CheckHresult$#518ChkstkCopyListMoveNew2
        • String ID:
        • API String ID: 1459133440-0
        • Opcode ID: 2f5d2e1570ee983bd0687cd6624d5c85ce5d6f2750063bfbbdb3d4293a1ef3d4
        • Instruction ID: 49cde9a00b1d87e42d26426bfd025fd4673475091de6ce4f6db75ec2bf7068b2
        • Opcode Fuzzy Hash: 2f5d2e1570ee983bd0687cd6624d5c85ce5d6f2750063bfbbdb3d4293a1ef3d4
        • Instruction Fuzzy Hash: 1151D671900218EFDB10EFA5CC45BDDBBB5BF44304F1081AAE10ABB2A1DB785AC98F55
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00411E4F, Relevance: 19.6, APIs: 13, Instructions: 74COMMON
        Download Yara Rule
        C-Code - Quality: 48%
        			E00411E4F(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				void* _v48;
				char _v52;
				char _v56;
				signed short _v64;
				char _v72;
				char _v88;
				signed char _t26;
				signed short _t27;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L004013C0();
				_v16 = _t47;
				_v12 = 0x401358;
				_v8 = 0;
				_t26 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t44);
				L0040158E();
				_push(0x4026d4);
				L0040146E();
				_t27 = _t26 & 0x000000ff;
				if(_t27 == 2) {
					_push(0x402be0);
					_push(0x402be8);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402bf0);
					L004015AC();
					L004015B2();
					_push(_t27);
					_push(0x402be0);
					L004015AC();
					_v64 = _t27;
					_v72 = 8;
					_push( &_v72);
					_push( &_v88);
					L00401462();
					_push( &_v88);
					L00401468();
					_v32 = __fp0;
					_push( &_v56);
					_push( &_v52);
					_push(2);
					L004015A6();
					_push( &_v88);
					_t27 =  &_v72;
					_push(_t27);
					_push(2);
					L004015BE();
				}
				asm("wait");
				_push(0x411f68);
				L0040156A();
				return _t27;
			}


















        0x00411e52
        0x00411e61
        0x00411e6b
        0x00411e73
        0x00411e76
        0x00411e7d
        0x00411e8c
        0x00411e95
        0x00411e9a
        0x00411e9f
        0x00411ea4
        0x00411eac
        0x00411eb2
        0x00411eb7
        0x00411ebc
        0x00411ec6
        0x00411ecb
        0x00411ecc
        0x00411ed1
        0x00411edb
        0x00411ee0
        0x00411ee1
        0x00411ee6
        0x00411eeb
        0x00411eee
        0x00411ef8
        0x00411efc
        0x00411efd
        0x00411f05
        0x00411f06
        0x00411f0b
        0x00411f11
        0x00411f15
        0x00411f16
        0x00411f18
        0x00411f23
        0x00411f24
        0x00411f27
        0x00411f28
        0x00411f2a
        0x00411f2f
        0x00411f32
        0x00411f33
        0x00411f62
        0x00411f67

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00411E6B
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00411E95
        • __vbaUI1Str.MSVBVM60(004026D4,?,?,?,?,004013C6), ref: 00411E9F
        • __vbaStrCat.MSVBVM60(00402BE8,00402BE0,004026D4,?,?,?,?,004013C6), ref: 00411EBC
        • __vbaStrMove.MSVBVM60(00402BE8,00402BE0,004026D4,?,?,?,?,004013C6), ref: 00411EC6
        • __vbaStrCat.MSVBVM60(00402BF0,00000000,00402BE8,00402BE0,004026D4,?,?,?,?,004013C6), ref: 00411ED1
        • __vbaStrMove.MSVBVM60(00402BF0,00000000,00402BE8,00402BE0,004026D4,?,?,?,?,004013C6), ref: 00411EDB
        • __vbaStrCat.MSVBVM60(00402BE0,00000000,00402BF0,00000000,00402BE8,00402BE0,004026D4,?,?,?,?,004013C6), ref: 00411EE6
        • #687.MSVBVM60(?,00000008), ref: 00411EFD
        • __vbaDateVar.MSVBVM60(?,?,00000008), ref: 00411F06
        • __vbaFreeStrList.MSVBVM60(00000002,00000000,00402BF0,?,?,00000008), ref: 00411F18
        • __vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,004013C6), ref: 00411F2A
        • __vbaFreeVar.MSVBVM60(00411F68,004026D4,?,?,?,?,004013C6), ref: 00411F62
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$ListMove$#687ChkstkDate
        • String ID:
        • API String ID: 2912548229-0
        • Opcode ID: 8635ac31627953fd74c142866ccc9cb3037748dd0b01ae07e61f190081321203
        • Instruction ID: 55ef6b4234c68150a5dcf0cb4fbd5ce4cac206ec39e4e7182316d057ce9d37c7
        • Opcode Fuzzy Hash: 8635ac31627953fd74c142866ccc9cb3037748dd0b01ae07e61f190081321203
        • Instruction Fuzzy Hash: 5F21ED71940208BADB00EFA1CD46EDE7778AB44704F50843BB506BA1E1DA7C6A498B59
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00413518, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 67COMMON
        Download Yara Rule
        C-Code - Quality: 47%
        			E00413518(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a32, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v52;
				char _v72;
				signed int _v76;
				signed int _v88;
				signed int _t29;
				void* _t42;
				void* _t44;
				intOrPtr _t45;
				signed int _t47;

				_t45 = _t44 - 0xc;
				 *[fs:0x0] = _t45;
				L004013C0();
				_v16 = _t45;
				_v12 = 0x4013a8;
				_v8 = 0;
				_t29 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t42);
				L0040154C();
				L0040158E();
				_push(0x402a08);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t29 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v72);
					asm("fclex");
					_v76 = _t29;
					_t47 = _v76;
					if(_t47 >= 0) {
						_t20 =  &_v88;
						 *_t20 = _v88 & 0x00000000;
						__eflags =  *_t20;
					} else {
						_push(0xb0);
						_push(0x402434);
						_push(_a4);
						_push(_v76);
						L00401552();
						_v88 = _t29;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t47 == 0) {
						_push(L"GEOSIDE");
						_push(0xb4);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x4135f6);
				L004015C4();
				L0040156A();
				return _t29;
			}
















        0x0041351b
        0x0041352a
        0x00413534
        0x0041353c
        0x0041353f
        0x00413546
        0x00413555
        0x0041355e
        0x00413569
        0x0041356e
        0x00413573
        0x00413578
        0x0041357e
        0x00413580
        0x00413581
        0x0041358f
        0x00413595
        0x00413597
        0x0041359a
        0x0041359e
        0x004135ba
        0x004135ba
        0x004135ba
        0x004135a0
        0x004135a0
        0x004135a5
        0x004135aa
        0x004135ad
        0x004135b0
        0x004135b5
        0x004135b5
        0x004135c1
        0x004135c7
        0x004135c9
        0x004135ca
        0x004135cc
        0x004135d1
        0x004135d6
        0x004135d8
        0x004135da
        0x004135da
        0x004135ca
        0x004135df
        0x004135e0
        0x004135e8
        0x004135f0
        0x004135f5

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00413534
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0041355E
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00413569
        • __vbaR4Str.MSVBVM60(00402A08,?,?,?,?,004013C6), ref: 00413573
        • __vbaHresultCheckObj.MSVBVM60(00000000,004013A8,00402434,000000B0), ref: 004135B0
        • __vbaFileOpen.MSVBVM60(00000020,000000FF,000000B4,GEOSIDE), ref: 004135DA
        • __vbaFreeStr.MSVBVM60(004135F6,00402A08,?,?,?,?,004013C6), ref: 004135E8
        • __vbaFreeVar.MSVBVM60(004135F6,00402A08,?,?,?,?,004013C6), ref: 004135F0
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$CheckChkstkCopyFileHresultOpen
        • String ID: GEOSIDE
        • API String ID: 311016274-2913397203
        • Opcode ID: 60764c119e8c8f271cb58240ec15be9a256dda9e75c679b34d601a71a119df07
        • Instruction ID: 30aa0b9f672028eac50796b3ef6f58d80c6b5899da8415741dafe73ef0909c26
        • Opcode Fuzzy Hash: 60764c119e8c8f271cb58240ec15be9a256dda9e75c679b34d601a71a119df07
        • Instruction Fuzzy Hash: 1F211830900248FFDB10EF95CA4ABDD7BB5BF44B49F50416AF4057A1E1C7785A858B48
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040FD3B, Relevance: 15.0, APIs: 10, Instructions: 49COMMON
        Download Yara Rule
        C-Code - Quality: 78%
        			E0040FD3B(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20, void* _a40, void* _a48, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v44;
				void* _v64;
				void* _v80;
				signed int* _t24;
				void* _t40;
				void* _t42;
				intOrPtr _t43;

				_t43 = _t42 - 0xc;
				 *[fs:0x0] = _t43;
				L004013C0();
				_v16 = _t43;
				_v12 = 0x401270;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x4013c6, _t40);
				L0040158E();
				L0040154C();
				L0040158E();
				_t24 = _a64;
				 *_t24 =  *_t24 & 0x00000000;
				_push(0);
				_push(0);
				_push(1);
				L0040150A();
				L004015B2();
				_push(0x40fde8);
				L0040156A();
				L004015C4();
				L004015C4();
				L0040156A();
				return _t24;
			}














        0x0040fd3e
        0x0040fd4d
        0x0040fd57
        0x0040fd5f
        0x0040fd62
        0x0040fd69
        0x0040fd78
        0x0040fd81
        0x0040fd8c
        0x0040fd97
        0x0040fd9c
        0x0040fd9f
        0x0040fda2
        0x0040fda4
        0x0040fda6
        0x0040fda8
        0x0040fdb2
        0x0040fdb7
        0x0040fdca
        0x0040fdd2
        0x0040fdda
        0x0040fde2
        0x0040fde7

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040FD57
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FD81
        • __vbaStrCopy.MSVBVM60(?,?,?,?,004013C6), ref: 0040FD8C
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040FD97
        • #706.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDA8
        • __vbaStrMove.MSVBVM60(00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDB2
        • __vbaFreeVar.MSVBVM60(0040FDE8,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDCA
        • __vbaFreeStr.MSVBVM60(0040FDE8,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDD2
        • __vbaFreeStr.MSVBVM60(0040FDE8,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDDA
        • __vbaFreeVar.MSVBVM60(0040FDE8,00000001,00000000,00000000,?,?,?,?,004013C6), ref: 0040FDE2
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$#706ChkstkCopyMove
        • String ID:
        • API String ID: 3345532518-0
        • Opcode ID: 196d16e5ec0eedca8623fcdc881aea1879b4c37c3347aaa9900779f82f531181
        • Instruction ID: 5418f15de6661b0c399f1b67311516c93a98fb5795e8b7372b929ac4400b3b30
        • Opcode Fuzzy Hash: 196d16e5ec0eedca8623fcdc881aea1879b4c37c3347aaa9900779f82f531181
        • Instruction Fuzzy Hash: 00111C31900248ABCB14EF61CD52FDD7BB4AF50748F50807AF4027B1E1DB78AA49CB98
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004102E9, Relevance: 13.6, APIs: 9, Instructions: 115COMMON
        Download Yara Rule
        C-Code - Quality: 49%
        			E004102E9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				char _v28;
				char _v32;
				intOrPtr* _v36;
				signed int _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				char* _t57;
				signed int _t61;
				signed int _t67;
				signed int _t71;
				char* _t73;
				intOrPtr _t84;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t84;
				_push(0x3c);
				L004013C0();
				_v12 = _t84;
				_v8 = 0x4012c0;
				if( *0x414010 != 0) {
					_v64 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4030f8);
					L00401558();
					_v64 = 0x414010;
				}
				_t57 =  &_v28;
				L0040155E();
				_v36 = _t57;
				_t61 =  *((intOrPtr*)( *_v36 + 0x13c))(_v36,  &_v24, _t57,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x35c))( *_v64));
				asm("fclex");
				_v40 = _t61;
				if(_v40 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x40275c);
					_push(_v36);
					_push(_v40);
					L00401552();
					_v68 = _t61;
				}
				if( *0x4145f8 != 0) {
					_v72 = 0x4145f8;
				} else {
					_push(0x4145f8);
					_push(0x4028e4);
					L00401558();
					_v72 = 0x4145f8;
				}
				_v44 =  *_v72;
				_t67 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v32);
				asm("fclex");
				_v48 = _t67;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d4);
					_push(_v44);
					_push(_v48);
					L00401552();
					_v76 = _t67;
				}
				_v52 = _v32;
				_t71 =  *((intOrPtr*)( *_v52 + 0x138))(_v52, _v24, 1);
				asm("fclex");
				_v56 = _t71;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f4);
					_push(_v52);
					_push(_v56);
					L00401552();
					_v80 = _t71;
				}
				L004015C4();
				_push( &_v32);
				_t73 =  &_v28;
				_push(_t73);
				_push(2);
				L00401546();
				_push(0x41047d);
				return _t73;
			}

























        0x004102ee
        0x004102f9
        0x004102fa
        0x00410301
        0x00410304
        0x0041030c
        0x0041030f
        0x0041031d
        0x00410337
        0x0041031f
        0x0041031f
        0x00410324
        0x00410329
        0x0041032e
        0x0041032e
        0x00410352
        0x00410356
        0x0041035b
        0x0041036a
        0x00410370
        0x00410372
        0x00410379
        0x00410395
        0x0041037b
        0x0041037b
        0x00410380
        0x00410385
        0x00410388
        0x0041038b
        0x00410390
        0x00410390
        0x004103a0
        0x004103ba
        0x004103a2
        0x004103a2
        0x004103a7
        0x004103ac
        0x004103b1
        0x004103b1
        0x004103c6
        0x004103d5
        0x004103d8
        0x004103da
        0x004103e1
        0x004103fa
        0x004103e3
        0x004103e3
        0x004103e5
        0x004103ea
        0x004103ed
        0x004103f0
        0x004103f5
        0x004103f5
        0x00410401
        0x00410411
        0x00410417
        0x00410419
        0x00410420
        0x0041043c
        0x00410422
        0x00410422
        0x00410427
        0x0041042c
        0x0041042f
        0x00410432
        0x00410437
        0x00410437
        0x00410443
        0x0041044b
        0x0041044c
        0x0041044f
        0x00410450
        0x00410452
        0x0041045a
        0x00000000

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00410304
        • __vbaNew2.MSVBVM60(004030F8,00414010,?,?,?,?,004013C6), ref: 00410329
        • __vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410356
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,0040275C,0000013C), ref: 0041038B
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 004103AC
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 004103F0
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,00000138), ref: 00410432
        • __vbaFreeStr.MSVBVM60 ref: 00410443
        • __vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 00410452
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$CheckHresult$FreeNew2$ChkstkList
        • String ID:
        • API String ID: 3534970231-0
        • Opcode ID: f1de13f0e8ecfcd9adea282a9dbdd7674cb0757f34e5941e9269155df92744e3
        • Instruction ID: 09f2ee5d9132d2f35baed2e69b21f439eef000f9e0c648e1fb3c8bb809f78840
        • Opcode Fuzzy Hash: f1de13f0e8ecfcd9adea282a9dbdd7674cb0757f34e5941e9269155df92744e3
        • Instruction Fuzzy Hash: A3410671D00218EFCB00EF95C985BEDBBB5BF48705F10402AF512BA2A0C7B95985DB29
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040F73A, Relevance: 13.6, APIs: 9, Instructions: 82COMMON
        Download Yara Rule
        C-Code - Quality: 56%
        			E0040F73A(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a40) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				short _v56;
				void* _v60;
				void* _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t47;
				signed int _t52;
				short _t53;
				intOrPtr _t67;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t67;
				_push(0x4c);
				L004013C0();
				_v12 = _t67;
				_v8 = 0x401230;
				L0040158E();
				L0040158E();
				if( *0x4145f8 != 0) {
					_v88 = 0x4145f8;
				} else {
					_push(0x4145f8);
					_push(0x4028e4);
					L00401558();
					_v88 = 0x4145f8;
				}
				_v68 =  *_v88;
				_t47 =  *((intOrPtr*)( *_v68 + 0x14))(_v68,  &_v60);
				asm("fclex");
				_v72 = _t47;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d4);
					_push(_v68);
					_push(_v72);
					L00401552();
					_v92 = _t47;
				}
				_v76 = _v60;
				_t52 =  *((intOrPtr*)( *_v76 + 0xc0))(_v76,  &_v64);
				asm("fclex");
				_v80 = _t52;
				if(_v80 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x4028f4);
					_push(_v76);
					_push(_v80);
					L00401552();
					_v96 = _t52;
				}
				_t53 = _v64;
				_v56 = _t53;
				L0040152E();
				_push(0x40f854);
				L0040156A();
				L0040156A();
				return _t53;
			}





















        0x0040f73f
        0x0040f74a
        0x0040f74b
        0x0040f752
        0x0040f755
        0x0040f75d
        0x0040f760
        0x0040f76d
        0x0040f778
        0x0040f784
        0x0040f79e
        0x0040f786
        0x0040f786
        0x0040f78b
        0x0040f790
        0x0040f795
        0x0040f795
        0x0040f7aa
        0x0040f7b9
        0x0040f7bc
        0x0040f7be
        0x0040f7c5
        0x0040f7de
        0x0040f7c7
        0x0040f7c7
        0x0040f7c9
        0x0040f7ce
        0x0040f7d1
        0x0040f7d4
        0x0040f7d9
        0x0040f7d9
        0x0040f7e5
        0x0040f7f4
        0x0040f7fa
        0x0040f7fc
        0x0040f803
        0x0040f81f
        0x0040f805
        0x0040f805
        0x0040f80a
        0x0040f80f
        0x0040f812
        0x0040f815
        0x0040f81a
        0x0040f81a
        0x0040f823
        0x0040f827
        0x0040f82e
        0x0040f833
        0x0040f846
        0x0040f84e
        0x0040f853

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040F755
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040F76D
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040F778
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,?,?,004013C6), ref: 0040F790
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 0040F7D4
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,000000C0), ref: 0040F815
        • __vbaFreeObj.MSVBVM60(00000000,?,004028F4,000000C0), ref: 0040F82E
        • __vbaFreeVar.MSVBVM60(0040F854), ref: 0040F846
        • __vbaFreeVar.MSVBVM60(0040F854), ref: 0040F84E
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$Free$CheckHresult$ChkstkNew2
        • String ID:
        • API String ID: 1237124366-0
        • Opcode ID: 29aaf28e15c02c9ae55500e0c8bd1b067caa7fa9e1d684a63e4caf2188534f5d
        • Instruction ID: 5e4790404bd4ce9f7fcd69ce10a36e95e313f956c3c7bd1a8b2dd310591dd327
        • Opcode Fuzzy Hash: 29aaf28e15c02c9ae55500e0c8bd1b067caa7fa9e1d684a63e4caf2188534f5d
        • Instruction Fuzzy Hash: 5331F175910248EFDB10EF95C945BDCBBB4BF44708F10803AF112BB6A0D7786949DB59
        Uniqueness

        Uniqueness Score: -1.00%

        Function 004101FB, Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 58COMMON
        Download Yara Rule
        C-Code - Quality: 39%
        			E004101FB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				signed int _v60;
				signed int _v68;
				signed int _t19;
				intOrPtr _t32;
				signed int _t34;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t32;
				_t19 = 0x30;
				L004013C0();
				_v12 = _t32;
				_v8 = 0x4012b0;
				L0040158E();
				_push(0x402a08);
				L004014EC();
				asm("fcomp dword [0x4012ac]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t19 =  *((intOrPtr*)( *_a4 + 0xb0))(_a4,  &_v56);
					asm("fclex");
					_v60 = _t19;
					_t34 = _v60;
					if(_t34 >= 0) {
						_t14 =  &_v68;
						 *_t14 = _v68 & 0x00000000;
						__eflags =  *_t14;
					} else {
						_push(0xb0);
						_push(0x402434);
						_push(_a4);
						_push(_v60);
						L00401552();
						_v68 = _t19;
					}
					asm("fcomp dword [0x4012a8]");
					asm("fnstsw ax");
					asm("sahf");
					if(_t34 == 0) {
						_push(L"Wattape2");
						_push(0x8e);
						_push(0xffffffff);
						_push(0x20);
						L004014E6();
					}
				}
				asm("wait");
				_push(0x4102b3);
				L0040156A();
				return _t19;
			}












        0x00410200
        0x0041020b
        0x0041020c
        0x00410215
        0x00410216
        0x0041021e
        0x00410221
        0x0041022e
        0x00410233
        0x00410238
        0x0041023d
        0x00410243
        0x00410245
        0x00410246
        0x00410254
        0x0041025a
        0x0041025c
        0x0041025f
        0x00410263
        0x0041027f
        0x0041027f
        0x0041027f
        0x00410265
        0x00410265
        0x0041026a
        0x0041026f
        0x00410272
        0x00410275
        0x0041027a
        0x0041027a
        0x00410286
        0x0041028c
        0x0041028e
        0x0041028f
        0x00410291
        0x00410296
        0x0041029b
        0x0041029d
        0x0041029f
        0x0041029f
        0x0041028f
        0x004102a4
        0x004102a5
        0x004102ad
        0x004102b2

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00410216
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0041022E
        • __vbaR4Str.MSVBVM60(00402A08,?,?,?,?,004013C6), ref: 00410238
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,00402434,000000B0,?,?,?,?,?,?,?,?,?,?,?,004013C6), ref: 00410275
        • __vbaFileOpen.MSVBVM60(00000020,000000FF,0000008E,Wattape2), ref: 0041029F
        • __vbaFreeVar.MSVBVM60(004102B3,00402A08,?,?,?,?,004013C6), ref: 004102AD
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$CheckChkstkFileFreeHresultOpen
        • String ID: Wattape2
        • API String ID: 2751570938-2362924395
        • Opcode ID: fe927c434291df8314b09ac6d0f9daa40312ed3592bb971337d2e6ec35be5cae
        • Instruction ID: 7b6dea231cf37c20e02217d563db241682ddfea2e4a64eea293fac3f28a4e140
        • Opcode Fuzzy Hash: fe927c434291df8314b09ac6d0f9daa40312ed3592bb971337d2e6ec35be5cae
        • Instruction Fuzzy Hash: 36112870940208FFDB10EB95CE8AB9D7BB8FB54B54F50466AF405B61E1CBB859808B58
        Uniqueness

        Uniqueness Score: -1.00%

        Function 0040F867, Relevance: 10.6, APIs: 7, Instructions: 85COMMON
        Download Yara Rule
        C-Code - Quality: 62%
        			E0040F867(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v36;
				void* _v52;
				void* _v56;
				void* _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v88;
				signed int _v92;
				signed int _v96;
				signed int _t45;
				signed int _t46;
				signed int _t52;
				signed int _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L004013C0();
				_v16 = _t68;
				_v12 = 0x401240;
				_v8 = 0;
				_t45 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x48,  *[fs:0x0], 0x4013c6, _t65);
				L0040158E();
				_t46 = _t45 | 0xffffffff;
				if(_t46 != 0) {
					if( *0x4145f8 != 0) {
						_v88 = 0x4145f8;
					} else {
						_push(0x4145f8);
						_push(0x4028e4);
						L00401558();
						_v88 = 0x4145f8;
					}
					_v64 =  *_v88;
					_t52 =  *((intOrPtr*)( *_v64 + 0x14))(_v64,  &_v56);
					asm("fclex");
					_v68 = _t52;
					if(_v68 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x14);
						_push(0x4028d4);
						_push(_v64);
						_push(_v68);
						L00401552();
						_v92 = _t52;
					}
					_v72 = _v56;
					_t57 =  *((intOrPtr*)( *_v72 + 0xb8))(_v72,  &_v60);
					asm("fclex");
					_v76 = _t57;
					if(_v76 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0xb8);
						_push(0x4028f4);
						_push(_v72);
						_push(_v76);
						L00401552();
						_v96 = _t57;
					}
					_t46 = _v60;
					_v36 = _t46;
					L0040152E();
				}
				asm("wait");
				_push(0x40f98d);
				L0040156A();
				return _t46;
			}
























        0x0040f86a
        0x0040f879
        0x0040f883
        0x0040f88b
        0x0040f88e
        0x0040f895
        0x0040f8a4
        0x0040f8ad
        0x0040f8b2
        0x0040f8b7
        0x0040f8c4
        0x0040f8de
        0x0040f8c6
        0x0040f8c6
        0x0040f8cb
        0x0040f8d0
        0x0040f8d5
        0x0040f8d5
        0x0040f8ea
        0x0040f8f9
        0x0040f8fc
        0x0040f8fe
        0x0040f905
        0x0040f91e
        0x0040f907
        0x0040f907
        0x0040f909
        0x0040f90e
        0x0040f911
        0x0040f914
        0x0040f919
        0x0040f919
        0x0040f925
        0x0040f934
        0x0040f93a
        0x0040f93c
        0x0040f943
        0x0040f95f
        0x0040f945
        0x0040f945
        0x0040f94a
        0x0040f94f
        0x0040f952
        0x0040f955
        0x0040f95a
        0x0040f95a
        0x0040f963
        0x0040f967
        0x0040f96e
        0x0040f96e
        0x0040f973
        0x0040f974
        0x0040f987
        0x0040f98c

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 0040F883
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 0040F8AD
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,?,?,004013C6), ref: 0040F8D0
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 0040F914
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,000000B8), ref: 0040F955
        • __vbaFreeObj.MSVBVM60 ref: 0040F96E
        • __vbaFreeVar.MSVBVM60(0040F98D,?,?,?,?,004013C6), ref: 0040F987
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$CheckFreeHresult$ChkstkNew2
        • String ID:
        • API String ID: 304406766-0
        • Opcode ID: 1c2a204578cce815e9b95cf18ffcafc60ab0c86f1d742b20918c7cdc56406ed1
        • Instruction ID: 37ae1979e8169d8fa477627b6e44c0fd01ea4f667c00963172a6b1ae0aac6b58
        • Opcode Fuzzy Hash: 1c2a204578cce815e9b95cf18ffcafc60ab0c86f1d742b20918c7cdc56406ed1
        • Instruction Fuzzy Hash: D731F275900248FFCB10EF95C945B8DBBB5BF04704F20813AF512BA6A0D77899499B59
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00412C99, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 74COMMON
        Download Yara Rule
        C-Code - Quality: 59%
        			E00412C99(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr* _v32;
				signed int _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				signed int _v64;
				signed int _t45;
				signed int _t49;
				void* _t54;
				void* _t56;
				intOrPtr _t57;

				_t57 = _t56 - 0xc;
				 *[fs:0x0] = _t57;
				L004013C0();
				_v16 = _t57;
				_v12 = 0x401388;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x28,  *[fs:0x0], 0x4013c6, _t54);
				if( *0x4145f8 != 0) {
					_v56 = 0x4145f8;
				} else {
					_push(0x4145f8);
					_push(0x4028e4);
					L00401558();
					_v56 = 0x4145f8;
				}
				_v32 =  *_v56;
				_t45 =  *((intOrPtr*)( *_v32 + 0x14))(_v32,  &_v28);
				asm("fclex");
				_v36 = _t45;
				if(_v36 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x4028d4);
					_push(_v32);
					_push(_v36);
					L00401552();
					_v60 = _t45;
				}
				_v40 = _v28;
				_t49 =  *((intOrPtr*)( *_v40 + 0x138))(_v40, L"Spinetternes5", 1);
				asm("fclex");
				_v44 = _t49;
				if(_v44 >= 0) {
					_v64 = _v64 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x4028f4);
					_push(_v40);
					_push(_v44);
					L00401552();
					_v64 = _t49;
				}
				L0040152E();
				_push(0x412d9b);
				return _t49;
			}



















        0x00412c9c
        0x00412cab
        0x00412cb5
        0x00412cbd
        0x00412cc0
        0x00412cc7
        0x00412cd6
        0x00412ce0
        0x00412cfa
        0x00412ce2
        0x00412ce2
        0x00412ce7
        0x00412cec
        0x00412cf1
        0x00412cf1
        0x00412d06
        0x00412d15
        0x00412d18
        0x00412d1a
        0x00412d21
        0x00412d3a
        0x00412d23
        0x00412d23
        0x00412d25
        0x00412d2a
        0x00412d2d
        0x00412d30
        0x00412d35
        0x00412d35
        0x00412d41
        0x00412d53
        0x00412d59
        0x00412d5b
        0x00412d62
        0x00412d7e
        0x00412d64
        0x00412d64
        0x00412d69
        0x00412d6e
        0x00412d71
        0x00412d74
        0x00412d79
        0x00412d79
        0x00412d85
        0x00412d8a
        0x00000000

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00412CB5
        • __vbaNew2.MSVBVM60(004028E4,004145F8,?,?,?,?,004013C6), ref: 00412CEC
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028D4,00000014), ref: 00412D30
        • __vbaHresultCheckObj.MSVBVM60(00000000,?,004028F4,00000138), ref: 00412D74
        • __vbaFreeObj.MSVBVM60 ref: 00412D85
        Strings
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$CheckHresult$ChkstkFreeNew2
        • String ID: Spinetternes5
        • API String ID: 1616694062-1097852325
        • Opcode ID: c299b59a1dac496b9535f7c7214d5e84ae45269c0493acccac8e00d33d459194
        • Instruction ID: 6b2ae03cbf0e9c674fb0143d4e1f5c5c84c94b9e3e611bf1d09e7ec0af8fb1b8
        • Opcode Fuzzy Hash: c299b59a1dac496b9535f7c7214d5e84ae45269c0493acccac8e00d33d459194
        • Instruction Fuzzy Hash: B8311875D40208EFCF00DF95DA89BDDBBB1FF08704F104066F502BA2A0C7B859959B69
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00411C51, Relevance: 6.0, APIs: 4, Instructions: 32COMMON
        Download Yara Rule
        C-Code - Quality: 91%
        			E00411C51(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a40, signed int* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				signed int* _v44;
				signed int* _t17;
				void* _t24;
				void* _t26;
				intOrPtr _t27;

				_t27 = _t26 - 0xc;
				 *[fs:0x0] = _t27;
				L004013C0();
				_v16 = _t27;
				_v12 = 0x401328;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x2c,  *[fs:0x0], 0x4013c6, _t24);
				L0040158E();
				_t17 = _a64;
				 *_t17 =  *_t17 & 0x00000000;
				L004014E0();
				_v44 = _t17;
				_push(0x411cc3);
				L0040156A();
				return _t17;
			}












        0x00411c54
        0x00411c63
        0x00411c6d
        0x00411c75
        0x00411c78
        0x00411c7f
        0x00411c8e
        0x00411c97
        0x00411c9c
        0x00411c9f
        0x00411ca2
        0x00411ca7
        0x00411caa
        0x00411cbd
        0x00411cc2

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00411C6D
        • __vbaVarDup.MSVBVM60(?,?,?,?,004013C6), ref: 00411C97
        • #615.MSVBVM60(?,?,?,?,004013C6), ref: 00411CA2
        • __vbaFreeVar.MSVBVM60(00411CC3,?,?,?,?,004013C6), ref: 00411CBD
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$#615ChkstkFree
        • String ID:
        • API String ID: 4276791933-0
        • Opcode ID: 1a5305b39f2b064e6ec8aa1e643d5374247b96a2373d5ff68ad7f3c3a4a5ca36
        • Instruction ID: c54d303104f4567ff1510d3f65c7207323434b82d50c422202ea99a978b0d244
        • Opcode Fuzzy Hash: 1a5305b39f2b064e6ec8aa1e643d5374247b96a2373d5ff68ad7f3c3a4a5ca36
        • Instruction Fuzzy Hash: 7DF03C71500248EFDB00EFA5C946F9D7BB4EB04748F10446AF805BB2A0D7789D008B98
        Uniqueness

        Uniqueness Score: -1.00%

        Function 00411CEC, Relevance: 6.0, APIs: 4, Instructions: 27COMMON
        Download Yara Rule
        C-Code - Quality: 55%
        			E00411CEC(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				char _v56;
				char* _t9;
				intOrPtr _t19;

				_push(0x4013c6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t19;
				_push(0x28);
				L004013C0();
				_v12 = _t19;
				_v8 = 0x401338;
				_t9 =  &_v56;
				_push(_t9);
				L00401480();
				L0040153A();
				_push(0x411d46);
				L0040156A();
				return _t9;
			}









        0x00411cf1
        0x00411cfc
        0x00411cfd
        0x00411d04
        0x00411d07
        0x00411d0f
        0x00411d12
        0x00411d19
        0x00411d1c
        0x00411d1d
        0x00411d28
        0x00411d2d
        0x00411d40
        0x00411d45

        APIs
        • __vbaChkstk.MSVBVM60(?,004013C6), ref: 00411D07
        • #546.MSVBVM60(?,?,?,?,?,004013C6), ref: 00411D1D
        • __vbaVarMove.MSVBVM60(?,?,?,?,?,004013C6), ref: 00411D28
        • __vbaFreeVar.MSVBVM60(00411D46,?,?,?,?,?,004013C6), ref: 00411D40
        Memory Dump Source
        • Source File: 00000000.00000002.1397710689.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
        • Associated: 00000000.00000002.1397690482.0000000000400000.00000002.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397769745.0000000000414000.00000004.00020000.sdmp Download File
        • Associated: 00000000.00000002.1397787159.0000000000416000.00000002.00020000.sdmp Download File
        Similarity
        • API ID: __vba$#546ChkstkFreeMove
        • String ID:
        • API String ID: 3298562087-0
        • Opcode ID: 42dc9908016ad03438ebea7f6bbbb3fa6695029402f76b3fcae669262fc09d0a
        • Instruction ID: e0356e579a96bb9fd2110531dfba2a1472aa1056509e6a766d731870d10256d4
        • Opcode Fuzzy Hash: 42dc9908016ad03438ebea7f6bbbb3fa6695029402f76b3fcae669262fc09d0a
        • Instruction Fuzzy Hash: F3F030B1860688BADB04EB91DD46FDDB77CEB04B44F90482BB101775A0D77C2A048668
        Uniqueness

        Uniqueness Score: -1.00%