Play interactive tour

Edit tour

Analysis Report UAE Contract Supply.jar

Overview

General Information

Sample Name:	UAE Contract Supply.jar
Analysis ID:	358324
MD5:	d23d186daf02db3cecee462c5b1fe15c
SHA1:	1b2054ff2c9a3ff13920f07905b7e313a75b77dc
SHA256:	459787308dd55a6822b80ee2fd9d4add4e44602f783e8c984697a8918839ff22
Tags:	jar
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Drops PE files to the user root directory

Exploit detected, runtime environment dropped PE file

Exploit detected, runtime environment starts unknown processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Drops PE files to the user directory

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains strange resources

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

cmd.exe (PID: 4864 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 4012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

java.exe (PID: 6084 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar' MD5: 28733BA8C383E865338638DF5196E6FE)

icacls.exe (PID: 6196 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6208 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

mx8043.exe (PID: 6240 cmdline: C:\Users\user\mx8043.exe MD5: 335AA2DB46F51A80F6BE08948B564026)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp	LokiBot_Dropper_Packed_R11_Feb18	Auto-generated rule - file scan copy.pdf.r11	Florian Roth	0x4fd8:$s1: C:\Program Files (x86)\Microsoft Visual Studio\VB98\VB6.OLB
Process Memory Space: mx8043.exe PID: 6240	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: mx8043.exe PID: 6240	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\mx8043.exe

ReversingLabs: Detection: 17%

Multi AV Scanner detection for submitted file

Show sources

Source: UAE Contract Supply.jar	Virustotal: Detection: 19%			Perma Link
Source: UAE Contract Supply.jar	ReversingLabs: Detection: 32%

Source: 2.2.java.exe.4d604e4.0.unpack

Avira: Label: TR/Dropper.Gen

Compliance:

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes

Show sources

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Process created: C:\Users\user\mx8043.exe

Jump to behavior

Networking:

Source: java.exe, 00000002.00000002.249049473.000000000A1C6000.00000004.00000001.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlK#O
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp, java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.252951545.0000000015810000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl3
Source: java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crlC/O
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.249073461.000000000A1D6000.00000004.00000001.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000003.239994256.0000000015109000.00000004.00000001.sdmp, java.exe, 00000002.00000002.252839548.0000000015712000.00000004.00000001.sdmp, java.exe, 00000002.00000002.249357252.000000000A3B4000.00000004.00000001.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com3
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.com3LT
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://policy.camerfirma.comk
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/#
Source: java.exe, 00000002.00000002.252951545.0000000015810000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/CJT
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/S$Q
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/kKT
Source: java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	String found in binary or memory: http://repository.swisssign.com/s
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp, java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000002.00000002.252951545.0000000015810000.00000004.00000001.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp, java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps3
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp, type: MEMORY

Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth

Source: C:\Users\user\mx8043.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\mx8043.exe	Code function: 5_2_00401348	5_2_00401348
Source: C:\Users\user\mx8043.exe	Code function: 5_2_0040D3A3	5_2_0040D3A3
Source: C:\Users\user\mx8043.exe	Code function: 5_2_00401384	5_2_00401384

Source: mx8043.exe.2.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: 00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp, type: MEMORY

Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: classification engine

Classification label: mal100.troj.expl.evad.winJAR@9/3@0/0

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\mx8043.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6208:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4012:120:WilError_01

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll

Jump to behavior

Source: C:\Users\user\mx8043.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: UAE Contract Supply.jar	Virustotal: Detection: 19%
Source: UAE Contract Supply.jar	ReversingLabs: Detection: 32%

Source: java.exe	String found in binary or memory: %z.in-addr.arpa
Source: java.exe	String found in binary or memory: sun/launcher/

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'
Source: unknown	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe	Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: mx8043.exe PID: 6240, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: mx8043.exe PID: 6240, type: MEMORY

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_3_1520B68C push eax; ret	2_3_1520B68D
Source: C:\Users\user\mx8043.exe	Code function: 5_2_004075CB push esi; ret	5_2_004075D3
Source: C:\Users\user\mx8043.exe	Code function: 5_2_0040A9A9 push 3846BF64h; retf	5_2_0040A9AF
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02196C5A push esp; retf	5_2_02196C5B

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file

Show sources

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: mx8043.exe.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\mx8043.exe

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\mx8043.exe

Jump to dropped file

Boot Survival:

Drops PE files to the user root directory

Show sources

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\mx8043.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: unknown

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\mx8043.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\mx8043.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\mx8043.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\mx8043.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\mx8043.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\mx8043.exe

Code function: 5_2_0219186D

5_2_0219186D

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\mx8043.exe

RDTSC instruction interceptor: First address: 00000000021956EB second address: 00000000021956EB instructions:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: mx8043.exe, 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: mx8043.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\mx8043.exe	RDTSC instruction interceptor: First address: 00000000021956EB second address: 00000000021956EB instructions:
Source: C:\Users\user\mx8043.exe	RDTSC instruction interceptor: First address: 00000000021953F5 second address: 00000000021953F5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE2F4D10D8Ch 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ax, cx 0x00000020 cmp ch, ah 0x00000022 add edi, edx 0x00000024 dec dword ptr [ebp+000000F8h] 0x0000002a cmp dword ptr [ebp+000000F8h], 00000000h 0x00000031 jne 00007FE2F4D10D41h 0x00000033 cmp edi, 62D4476Ah 0x00000039 call 00007FE2F4D10DAEh 0x0000003e call 00007FE2F4D10D9Ch 0x00000043 lfence 0x00000046 mov edx, dword ptr [7FFE0014h] 0x0000004c lfence 0x0000004f ret 0x00000050 mov esi, edx 0x00000052 pushad 0x00000053 rdtsc

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\mx8043.exe

Code function: 5_2_02191E08 rdtsc

5_2_02191E08

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: mx8043.exe, 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.246340230.0000000002970000.00000004.00000001.sdmp	Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.246340230.0000000002970000.00000004.00000001.sdmp	Binary or memory string: \|[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mx8043.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: java.exe, 00000002.00000002.251220154.0000000015340000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Source: C:\Users\user\mx8043.exe

Code function: 5_2_02191E08 rdtsc

5_2_02191E08

Source: C:\Users\user\mx8043.exe	Code function: 5_2_02195A2E mov eax, dword ptr fs:[00000030h]	5_2_02195A2E
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02195A4C mov eax, dword ptr fs:[00000030h]	5_2_02195A4C
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02191FF6 mov eax, dword ptr fs:[00000030h]	5_2_02191FF6
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02192054 mov eax, dword ptr fs:[00000030h]	5_2_02192054
Source: C:\Users\user\mx8043.exe	Code function: 5_2_0219186D mov eax, dword ptr fs:[00000030h]	5_2_0219186D
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02194CD7 mov eax, dword ptr fs:[00000030h]	5_2_02194CD7
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02195106 mov eax, dword ptr fs:[00000030h]	5_2_02195106
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02192D66 mov eax, dword ptr fs:[00000030h]	5_2_02192D66
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02191DB8 mov eax, dword ptr fs:[00000030h]	5_2_02191DB8
Source: C:\Users\user\mx8043.exe	Code function: 5_2_02191DB6 mov eax, dword ptr fs:[00000030h]	5_2_02191DB6

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Users\user\mx8043.exe C:\Users\user\mx8043.exe	Jump to behavior

Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: mx8043.exe, 00000005.00000002.489393009.0000000000C70000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Command and Scripting Interpreter2	Services File Permissions Weakness1	Process Injection12	Masquerading111	OS Credential Dumping	Query Registry1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Exploitation for Client Execution2	Boot or Logon Initialization Scripts	Services File Permissions Weakness1	Virtualization/Sandbox Evasion1	LSASS Memory	Security Software Discovery521	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Virtualization/Sandbox Evasion1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection12	NTDS	Process Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Obfuscated Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Services File Permissions Weakness1	Cached Domain Credentials	System Information Discovery31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing1	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
UAE Contract Supply.jar	20%	Virustotal		Browse
UAE Contract Supply.jar	33%	ReversingLabs	ByteCode-JAVA.Trojan.AdWind

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\mx8043.exe	17%	ReversingLabs	Win32.Trojan.Vebzenpak

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
2.2.java.exe.4d604e4.0.unpack	100%	Avira	TR/Dropper.Gen		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl	0%	URL Reputation	safe
http://policy.camerfirma.com3LT	0%	Avira URL Cloud	safe
http://bugreport.sun.com/bugreport/	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
http://www.chambersign.org1	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl0	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl3	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class3P.crl0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crl	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://www.certplus.com/CRL/class2.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	0%	URL Reputation	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	0%	URL Reputation	safe
http://cps.chambersign.org/cps/chambersroot.htmlK#O	0%	Avira URL Cloud	safe
http://www.quovadis.bm	0%	URL Reputation	safe
http://www.quovadis.bm	0%	URL Reputation	safe
http://www.quovadis.bm	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://www.quovadis.bm0	0%	URL Reputation	safe
http://policy.camerfirma.comk	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
https://ocsp.quovadisoffshore.com0	0%	URL Reputation	safe
http://crl.securetrust.com/STCA.crlC/O	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl	0%	URL Reputation	safe
http://crl.chambersign.org/chambersroot.crl	0%	URL Reputation	safe
http://policy.camerfirma.com3	0%	Avira URL Cloud	safe
http://www.chambersign.org	0%	URL Reputation	safe
http://www.chambersign.org	0%	URL Reputation	safe
http://www.chambersign.org	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe
http://policy.camerfirma.com0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class2.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://policy.camerfirma.com3LT	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.249049473.000000000A1C6000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/CJT	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false		high
http://java.oracle.com/	java.exe, 00000002.00000002.249073461.000000000A1D6000.00000004.00000001.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000003.239994256.0000000015109000.00000004.00000001.sdmp, java.exe, 00000002.00000002.252839548.0000000015712000.00000004.00000001.sdmp, java.exe, 00000002.00000002.249357252.000000000A3B4000.00000004.00000001.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/0	java.exe, 00000002.00000002.252951545.0000000015810000.00000004.00000001.sdmp	false		high
http://policy.camerfirma.com	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false		high
http://repository.swisssign.com/s	java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	false		high
http://repository.swisssign.com/kKT	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false		high
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.certplus.com/CRL/class3P.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp, java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl3	java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	java.exe, 00000002.00000002.252951545.0000000015810000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://repository.swisssign.com/#	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false		high
http://www.certplus.com/CRL/class2.crl0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadisglobal.com/cps3	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.htmlK#O	java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp, java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.quovadis.bm0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://policy.camerfirma.comk	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.securetrust.com/STCA.crlC/O	java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/S$Q	java.exe, 00000002.00000002.248736888.000000000504D000.00000004.00000001.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://policy.camerfirma.com3	java.exe, 00000002.00000002.248954130.0000000005113000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://policy.camerfirma.com0	java.exe, 00000002.00000002.249513940.000000000A46E000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358324
Start date:	25.02.2021
Start time:	12:13:35
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	UAE Contract Supply.jar
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	26
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJAR@9/3@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 32.2% (good quality ratio 24.4%) Quality average: 47.6% Quality standard deviation: 31.4%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .jar
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, Microsoft.Photos.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, ApplicationFrameHost.exe, svchost.exe Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp Download File
Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.847995882806536
Encrypted:	false
SSDEEP:	3:oFj4I5vpN6yUYUXOvn:oJ5X6y8XAn
MD5:	9B416AAFCA54628313A96E06881D3711
SHA1:	238B699D6C8B2FBB15B558A28EBAE1B83B192A0C
SHA-256:	ACE4B289380CAB58D2A29A98EE8032AD628F1004C493E269FCDA38AF115CC62C
SHA-512:	711FA7481C975EA0A7049AE1C4E45D9B052F09447878580B0DFC6AF638494B41B5FE7B2576B6EBA2F32782F59A50866E0885040498586D7D9B15ABD4152E4FF2
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre1.8.0_211..1614284065233..

C:\Users\user\LT2pdIK.png Download File
Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PNG image data, 190 x 216, 8-bit/color RGBA, non-interlaced
Category:	dropped
Size (bytes):	68600
Entropy (8bit):	7.9810935688737725
Encrypted:	false
SSDEEP:	1536:VxaDM0hvN4cro9ToaHymKnenubWp71Az/AJ0:CD914cr+o9qBjAz/AC
MD5:	79E0DAD14E7C20A777E72FC023B59252
SHA1:	50F959BAB2FF58E44DBA17EF85375EC7EBD66924
SHA-256:	A089D9AD3875FFA321D2DFD38661992721EFF5E0ACF36D76A7A5C8FE054B7992
SHA-512:	39F4EF3E670C40314F0364CEC370EAF9B19BC44A693BB47C669517059D220A2D41F8622850D7F969CE4FAB1CF6A7D39ADCF9F41637AF1335702A14750D7EBC24
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............U.Y.....sRGB.........gAMA......a.....pHYs..........+......IDATx^\|.i.&K...=.Y.Y.v....=.....A..I..)...@.....C.f'@.?C}.....@.$..d F.H.ER.+Rf ...1.}..oY.U......{{F.gDx..?..............=y.{..dwrz...'_.\|.l........G.7..w...........RNw.v.r.....9;{.{.....a.....}...\:h.@.e...%.Ey.r......i..Kk.6.T.R..{..r5..s\|)....b..\k.....i.Hd.t)..x.Sn.U.uK..M.)Wxi.m9P..<x..i;\|QFqE../..l..`....{..r\|.{..ux../_=..}.{........Y./.....;.\|P..ys..r.(...^.\|.......{}z...gl.....R....Rn...ge...<.&.`w..C9P.g.y.f.../_.......li..NOOJ...~.v..i..+W.......a.........k.C......`s.........x......rxew\|t.;........a....K)$..8...X..A.R...l...4u.d..)d..D./..qA4e......A ....BQb.........L..e.f.....F..~...W..C...(.R..-?{t...H.0.y...ul..0$...>ma.(>*...s.(.[.F.ay....a..+G...8...I....B..H[.i.P.....S..u.'0..).r.........A...y...F.i.....RD.)....K:\|....=........ .....d.....<I.>.y.fw..4J}Vc}.'y..wQ.wo.4O.Oj;..0.\.s=..^..E.........C.u......".....4<...W.w.GWw.W.

C:\Users\user\mx8043.exe Download File
Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	299008
Entropy (8bit):	5.515398750036674
Encrypted:	false
SSDEEP:	6144:PPfEI/UKHsSDjuHl9IfNpmhb5mFCQcGN:Xf5sSuMfNQJ5mFvcy
MD5:	335AA2DB46F51A80F6BE08948B564026
SHA1:	848D5909A84BACA2255C932C61EF58A34072AFDA
SHA-256:	92B87477B4589030A4D6E94B07CDEFA4712426FCCEC7FDFEEBE0EC4BDC358048
SHA-512:	C7F7168B7F4DAA87B874E2EC6B45C7196BF24710C961FF5B33C37205DC074D6F5653A455D437C9B1A16CDD7ED83D0A16D8684E080591DF8F7F778EF969961CDC
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 17%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7b..s...s...s.......r...<!..v...E%..r...Richs...........................PE..L...[.S.................0...`......H........@....@.........................................................................T9..<....`...7..................................................................8...0....................................text...d-.......0.................. ..`.data........@.......@..............@....rsrc....7...`...@...P..............@..@8\|.\.......I#...........USER32.DLL.MSVBVM60.DLL.................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.998905736237949
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	UAE Contract Supply.jar
File size:	312777
MD5:	d23d186daf02db3cecee462c5b1fe15c
SHA1:	1b2054ff2c9a3ff13920f07905b7e313a75b77dc
SHA256:	459787308dd55a6822b80ee2fd9d4add4e44602f783e8c984697a8918839ff22
SHA512:	ad01ec9e3a41b5258d80fe8cd5b513cf379ac4dce5f57274379dc1ef893379c83062da7f24780b1844dd2d8c07f370025eaed47eec20264ce4ded822aca089e2
SSDEEP:	6144:qZifZoLlSASY5iE0XtGlX47i+Co7TmbB6PP+alppne5VTzSo:akZoxSI0E0wCe63+alppneT2o
File Content Preview:	PK........D0XR................META-INF/..PK..............PK........D0XR................META-INF/MANIFEST.MFM.1..0...@....!..R...Rj.PJ..4..H.....7vi..........^.......(.,7.I>`...,.ct..t...(...F.s.OD...i.v...n..}8....q.W.}..=D..uu.eP.2.KaVZCK.R....}.y.Z/..MJ

File Icon


Icon Hash:	d28c8e8ea2868ad6

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 4864 Parent PID: 3880

General

Start time:	12:14:22
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'' >> C:\cmdlinestart.log 2>&1
Imagebase:	0x150000
File size:	232960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 4012 Parent PID: 4864

General

Start time:	12:14:22
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: java.exe PID: 6084 Parent PID: 4864

General

Start time:	12:14:23
Start date:	25/02/2021
Path:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Wow64 process (32bit):	true
Commandline:	'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\UAE Contract Supply.jar'
Imagebase:	0x9c0000
File size:	192376 bytes
MD5 hash:	28733BA8C383E865338638DF5196E6FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Java
Yara matches:	Rule: LokiBot_Dropper_Packed_R11_Feb18, Description: Auto-generated rule - file scan copy.pdf.r11, Source: 00000002.00000002.247780398.0000000004D60000.00000004.00000001.sdmp, Author: Florian Roth
Reputation:	moderate

Chronological Activities

Analysis Process: icacls.exe PID: 6196 Parent PID: 6084

General

Start time:	12:14:25
Start date:	25/02/2021
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Imagebase:	0xb70000
File size:	29696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6208 Parent PID: 6196

General

Start time:	12:14:25
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7ecfc0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: mx8043.exe PID: 6240 Parent PID: 6084

General

Start time:	12:14:27
Start date:	25/02/2021
Path:	C:\Users\user\mx8043.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\mx8043.exe
Imagebase:	0x400000
File size:	299008 bytes
MD5 hash:	335AA2DB46F51A80F6BE08948B564026
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Antivirus matches:	Detection: 17%, ReversingLabs
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: mx8043.exe PID: 6240 Parent PID: 6084 mx8043.exeCOMMON

Executed Functions

Function 00401348, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 334
COMMONCrypto

Download Yara Rule

C-Code - Quality: 67%

			_entry_(signed int __eax, void* __ebx, signed int* __ecx, signed int __edx, void* __edi, void* __fp0) {
				intOrPtr* _t157;
				void* _t213;

				_push("VB5!6&*"); // executed
				L00401342(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t157 = __eax + 1;
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				 *((intOrPtr*)(_t213 - 0x1d)) =  *((intOrPtr*)(_t213 - 0x1d)) + __edx;
				asm("sbb [edi], esi");
				asm("invalid");
				asm("fisttp word [ebx-0x46]");
				 *__ecx =  *__ecx ^ __edx;
				asm("xlatb");
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				 *__ecx =  *__ecx + _t157;
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				 *_t157 =  *_t157 + _t157;
				__ecx[0x19] = __ecx + __ecx[0x19];
				asm("popad");
				asm("a16 jb 0x6c");
			}

0x00401348
0x0040134d
0x00401352
0x00401354
0x00401356
0x00401358
0x0040135a
0x0040135c
0x0040135d
0x0040135f
0x00401361
0x00401363
0x00401366
0x00401368
0x0040136a
0x0040136d
0x0040136f
0x00401375
0x00401377
0x00401379
0x0040137b
0x0040137d
0x0040137f
0x00401381
0x00401383
0x00401385
0x00401386

APIs

#100.MSVBVM60(VB5!6&*), ref: 0040134D

Strings

VB5!6&*, xrefs: 00401348

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 51cd36b9f52435ce33b31b2aefcf9c79ee6ab3553ae2039e354d31d88af1cbca
Instruction ID: 31bf9096edbbf3b0be215968adc3b1a287d9dd50b8e0659bd543c82f50292580
Opcode Fuzzy Hash: 51cd36b9f52435ce33b31b2aefcf9c79ee6ab3553ae2039e354d31d88af1cbca
Instruction Fuzzy Hash: F5B13B6144E3C15FC7138B789C6A589BFB0AE5721872E85EFC4C18F4F3D25A885AC726

Uniqueness

Uniqueness Score: -1.00%

Function 0040D3A3, Relevance: 2.2, APIs: 1, Instructions: 937memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000,FFFFAC0E,-000000D9,00404255), ref: 0040F94B

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 02a7dd820894615d2c26ccaafc1bde1a592bff3c52beb8b998c2c52341c59e09
Instruction ID: 54a01b803ebc47a5a796d097ad7b549af8a0bbab523635d3a0c73a2dcd865768
Opcode Fuzzy Hash: 02a7dd820894615d2c26ccaafc1bde1a592bff3c52beb8b998c2c52341c59e09
Instruction Fuzzy Hash: CF421382E3E707C4E99361B180458B19590EE2B2955728F776827B1CE2773F869F34CE

Uniqueness

Uniqueness Score: -1.00%

Function 00411350, Relevance: 181.5, APIs: 100, Strings: 3, Instructions: 1203
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00411350(void* __ebx, char __ecx, char* __edx, void* __edi, char* __esi, signed int _a4) {
				void* _v3;
				signed int _v8;
				intOrPtr _v12;
				long long* _v16;
				intOrPtr _v28;
				void* _v44;
				long long _v52;
				char _v56;
				char _v60;
				char _v64;
				long long _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				signed int _v88;
				char _v92;
				char _v96;
				signed int _v100;
				char _v104;
				char _v108;
				char _v112;
				signed int _v116;
				intOrPtr _v124;
				char _v132;
				char _v140;
				char _v148;
				intOrPtr _v156;
				char _v164;
				char _v172;
				char _v180;
				char* _v188;
				intOrPtr _v196;
				char _v200;
				char _v204;
				char _v208;
				intOrPtr _v212;
				char _v216;
				char _v224;
				signed int _v228;
				signed int _v232;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int _v256;
				intOrPtr* _v260;
				signed int _v264;
				intOrPtr* _v268;
				signed int _v272;
				signed int _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				signed int _v300;
				signed int _v304;
				void* _v308;
				void* _v312;
				intOrPtr* _v316;
				signed int _v320;
				intOrPtr* _v324;
				signed int _v328;
				signed int _v332;
				intOrPtr* _v336;
				signed int _v340;
				signed int _v344;
				intOrPtr* _v348;
				signed int _v352;
				intOrPtr* _v356;
				signed int _v360;
				intOrPtr* _v364;
				signed int _v368;
				signed int _v372;
				intOrPtr* _v376;
				signed int _v380;
				intOrPtr* _v384;
				signed int _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				signed int _v420;
				intOrPtr* _v424;
				signed int _v428;
				intOrPtr* _v432;
				signed int _v436;
				signed int _v440;
				intOrPtr* _v444;
				signed int _v448;
				intOrPtr* _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				intOrPtr* _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				intOrPtr* _v484;
				signed int _v488;
				signed int _v492;
				void* _t600;
				intOrPtr* _t601;
				signed int _t602;
				signed int _t606;
				signed int _t611;
				signed int _t615;
				signed int _t619;
				signed int _t626;
				signed int _t630;
				signed int _t634;
				signed int _t642;
				signed int _t646;
				signed int _t650;
				signed int _t655;
				signed int _t659;
				signed int _t663;
				signed int _t667;
				char* _t670;
				signed int _t684;
				signed int _t689;
				signed int _t693;
				signed int _t697;
				signed int _t701;
				signed int _t705;
				signed int _t711;
				signed int _t715;
				signed int _t719;
				signed int _t723;
				signed int _t728;
				signed int _t732;
				char* _t735;
				signed int _t746;
				signed int _t757;
				signed int _t761;
				signed int _t765;
				signed int _t769;
				signed int _t780;
				signed int _t791;
				signed int _t795;
				signed int _t799;
				signed int _t803;
				signed int _t807;
				signed int _t811;
				signed int _t815;
				signed int _t819;
				char* _t823;
				signed int _t827;
				signed int* _t831;
				signed int _t835;
				signed int _t863;
				intOrPtr _t873;
				char* _t879;
				intOrPtr _t896;
				intOrPtr _t905;
				void* _t955;
				long long* _t956;

				_t956 = _t955 - 0xc;
				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t956;
				L00401210();
				_push(__esi);
				_v16 = _t956;
				_v12 = 0x401118;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0x000000fe;
				_t600 =  *_a4;
				_push(_a4);
				_push(_t600);
				_t601 = _t600 + 0xc7;
				 *__esi = __ecx;
				 *_t601 =  *_t601 + _t601;
				 *__edx =  *__edx;
				 *_t601 =  *_t601 + _t601;
				_t602 =  &_v132;
				_push(_t602);
				L00401300();
				L00401306();
				_push(_t602);
				_push(L"Out of string space");
				L0040130C();
				asm("sbb eax, eax");
				_v228 =  ~( ~( ~_t602));
				L004012FA();
				L00401312();
				_t606 = _v228;
				if(_t606 != 0) {
					_push(0x83);
					L004012F4();
					_v28 = _t606;
				}
				if( *0x414010 != 0) {
					_v316 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v316 = 0x414010;
				}
				_v228 =  *_v316;
				_t611 =  *((intOrPtr*)( *_v228 + 0x2b4))(_v228);
				asm("fclex");
				_v232 = _t611;
				if(_v232 >= 0) {
					_v320 = _v320 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x404a84);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v320 = _t611;
				}
				if( *0x414010 != 0) {
					_v324 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v324 = 0x414010;
				}
				_t873 =  *((intOrPtr*)( *_v324));
				_t615 =  &_v96;
				L004012E8();
				_v228 = _t615;
				_t619 =  *((intOrPtr*)( *_v228 + 0x158))(_v228,  &_v76, _t615,  *((intOrPtr*)(_t873 + 0x330))( *_v324));
				asm("fclex");
				_v232 = _t619;
				if(_v232 >= 0) {
					_v328 = _v328 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v328 = _t619;
				}
				_v284 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v284;
				_v132 = 8;
				_v92 =  *0x401110;
				_t626 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, _t873,  &_v132,  &_v216);
				_v236 = _t626;
				if(_v236 >= 0) {
					_v332 = _v332 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x404ab4);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v332 = _t626;
				}
				_v72 = _v216;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v336 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v336 = 0x414010;
				}
				_t630 =  &_v96;
				L004012E8();
				_v228 = _t630;
				_t634 =  *((intOrPtr*)( *_v228 + 0x138))(_v228,  &_v204, _t630,  *((intOrPtr*)( *((intOrPtr*)( *_v336)) + 0x348))( *_v336));
				asm("fclex");
				_v232 = _t634;
				if(_v232 >= 0) {
					_v340 = _v340 & 0x00000000;
				} else {
					_push(0x138);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v340 = _t634;
				}
				_v188 = L"Refunded";
				_v196 = 8;
				_t879 =  &_v132;
				L004012DC();
				_v216 =  *0x401108;
				_v172 = _v204;
				_v180 = 3;
				 *_t956 =  *0x401100;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t642 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x10,  &_v216,  &_v132, _t879, _t879,  &_v208);
				_v236 = _t642;
				if(_v236 >= 0) {
					_v344 = _v344 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x404ab4);
					_push(_a4);
					_push(_v236);
					L00401324();
					_v344 = _t642;
				}
				_v64 = _v208;
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					_v348 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v348 = 0x414010;
				}
				_t646 =  &_v96;
				L004012E8();
				_v228 = _t646;
				_t650 =  *((intOrPtr*)( *_v228 + 0x160))(_v228,  &_v100, _t646,  *((intOrPtr*)( *((intOrPtr*)( *_v348)) + 0x360))( *_v348));
				asm("fclex");
				_v232 = _t650;
				if(_v232 >= 0) {
					_v352 = _v352 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v352 = _t650;
				}
				_push(0);
				_push(0);
				_push(_v100);
				_push( &_v132);
				L004012D6();
				if( *0x414010 != 0) {
					_v356 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v356 = 0x414010;
				}
				_t655 =  &_v104;
				L004012E8();
				_v236 = _t655;
				_t659 =  *((intOrPtr*)( *_v236 + 0x140))(_v236,  &_v200, _t655,  *((intOrPtr*)( *((intOrPtr*)( *_v356)) + 0x31c))( *_v356));
				asm("fclex");
				_v240 = _t659;
				if(_v240 >= 0) {
					_v360 = _v360 & 0x00000000;
				} else {
					_push(0x140);
					_push(0x404e30);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v360 = _t659;
				}
				if( *0x414010 != 0) {
					_v364 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v364 = 0x414010;
				}
				_t663 =  &_v108;
				L004012E8();
				_v244 = _t663;
				_t667 =  *((intOrPtr*)( *_v244 + 0x60))(_v244,  &_v204, _t663,  *((intOrPtr*)( *((intOrPtr*)( *_v364)) + 0x324))( *_v364));
				asm("fclex");
				_v248 = _t667;
				if(_v248 >= 0) {
					_v368 = _v368 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x404e30);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v368 = _t667;
				}
				_v140 = _v204;
				_v148 = 3;
				_v208 =  *0x4010f8;
				_t670 =  &_v132;
				L004012D0();
				 *((intOrPtr*)( *_a4 + 0x728))(_a4, 0x7006e4,  &_v208, 0x168958, 0x7a276940, 0x5b04, _t670, _t670, _v200,  &_v148, 0xffeaa630, 0x5af7);
				L004012CA();
				L004012C4();
				_t684 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v204, 2,  &_v132,  &_v148, 4,  &_v96,  &_v104,  &_v108,  &_v100);
				_v228 = _t684;
				if(_v228 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x404ab4);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v372 = _t684;
				}
				_v60 = _v204;
				if( *0x414010 != 0) {
					_v376 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v376 = 0x414010;
				}
				_t689 =  &_v96;
				L004012E8();
				_v228 = _t689;
				_t693 =  *((intOrPtr*)( *_v228 + 0x88))(_v228,  &_v204, _t689,  *((intOrPtr*)( *((intOrPtr*)( *_v376)) + 0x33c))( *_v376));
				asm("fclex");
				_v232 = _t693;
				if(_v232 >= 0) {
					_v380 = _v380 & 0x00000000;
				} else {
					_push(0x88);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v380 = _t693;
				}
				if( *0x414010 != 0) {
					_v384 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v384 = 0x414010;
				}
				_t896 =  *((intOrPtr*)( *_v384));
				_t697 =  &_v100;
				L004012E8();
				_v236 = _t697;
				_t701 =  *((intOrPtr*)( *_v236 + 0x80))(_v236,  &_v208, _t697,  *((intOrPtr*)(_t896 + 0x330))( *_v384));
				asm("fclex");
				_v240 = _t701;
				if(_v240 >= 0) {
					_v388 = _v388 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x404e30);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v388 = _t701;
				}
				_v308 = _v208;
				_v312 = _v204;
				_t705 =  *((intOrPtr*)( *_a4 + 0x708))(_a4, _t896, _t896, 0x3470f7,  &_v216);
				_v244 = _t705;
				if(_v244 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x404ab4);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v392 = _t705;
				}
				_v52 = _v216;
				_push( &_v100);
				_push( &_v96);
				_push(2);
				L004012CA();
				if( *0x414010 != 0) {
					_v396 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v396 = 0x414010;
				}
				_t711 =  &_v96;
				L004012E8();
				_v228 = _t711;
				_t715 =  *((intOrPtr*)( *_v228 + 0x120))(_v228,  &_v100, _t711,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x30c))( *_v396));
				asm("fclex");
				_v232 = _t715;
				if(_v232 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x404e58);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v400 = _t715;
				}
				if( *0x414010 != 0) {
					_v404 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v404 = 0x414010;
				}
				_t719 =  &_v104;
				L004012E8();
				_v236 = _t719;
				_t723 =  *((intOrPtr*)( *_v236 + 0x160))(_v236,  &_v108, _t719,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x314))( *_v404));
				asm("fclex");
				_v240 = _t723;
				if(_v240 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e30);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v408 = _t723;
				}
				_push(0);
				_push(0);
				_push(_v108);
				_push( &_v148);
				L004012D6();
				if( *0x414010 != 0) {
					_v412 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v412 = 0x414010;
				}
				_t905 =  *((intOrPtr*)( *_v412));
				_t728 =  &_v112;
				L004012E8();
				_v244 = _t728;
				_t732 =  *((intOrPtr*)( *_v244 + 0x130))(_v244,  &_v116, _t728,  *((intOrPtr*)(_t905 + 0x360))( *_v412));
				asm("fclex");
				_v248 = _t732;
				if(_v248 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e30);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v416 = _t732;
				}
				_v288 = _v116;
				_v116 = _v116 & 0x00000000;
				_v156 = _v288;
				_v164 = 9;
				_v224 =  *0x4010f0;
				_t735 =  &_v148;
				L004012D0();
				_v204 = _t735;
				_v292 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v292;
				_v132 = 9;
				_v216 = 0xe6c7a7b0;
				_v212 = 0x5afd;
				_v408 =  *0x4010e8;
				_t746 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4,  &_v216, _t905, _t905,  &_v132,  &_v204,  &_v224,  &_v164,  &_v208, _t735);
				_v252 = _t746;
				if(_v252 >= 0) {
					_v420 = _v420 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x404ab4);
					_push(_a4);
					_push(_v252);
					L00401324();
					_v420 = _t746;
				}
				_v56 = _v208;
				_push( &_v108);
				_push( &_v112);
				_push( &_v104);
				_push( &_v96);
				_push(4);
				L004012CA();
				_push( &_v164);
				_push( &_v148);
				_push( &_v132);
				_push(3);
				L004012C4();
				if( *0x414010 != 0) {
					_v424 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v424 = 0x414010;
				}
				_t757 =  &_v96;
				L004012E8();
				_v228 = _t757;
				_t761 =  *((intOrPtr*)( *_v228 + 0xf8))(_v228,  &_v100, _t757,  *((intOrPtr*)( *((intOrPtr*)( *_v424)) + 0x364))( *_v424));
				asm("fclex");
				_v232 = _t761;
				if(_v232 >= 0) {
					_v428 = _v428 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v428 = _t761;
				}
				if( *0x414010 != 0) {
					_v432 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v432 = 0x414010;
				}
				_t765 =  &_v104;
				L004012E8();
				_v236 = _t765;
				_t769 =  *((intOrPtr*)( *_v236 + 0x130))(_v236,  &_v108, _t765,  *((intOrPtr*)( *((intOrPtr*)( *_v432)) + 0x330))( *_v432));
				asm("fclex");
				_v240 = _t769;
				if(_v240 >= 0) {
					_v436 = _v436 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e30);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v436 = _t769;
				}
				L004012D6(); // executed
				L004012B8();
				L00401306();
				_v296 = _v100;
				_v100 = _v100 & 0x00000000;
				_v124 = _v296;
				_v132 = 9;
				L004012B2();
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t780 =  *((intOrPtr*)( *_a4 + 0x710))(_a4,  &_v76, 0x10,  &_v80,  &_v164,  &_v148,  &_v148, _v108, 0, 0);
				_v244 = _t780;
				if(_v244 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0x710);
					_push(0x404ab4);
					_push(_a4);
					_push(_v244);
					L00401324();
					_v440 = _t780;
				}
				L004012BE();
				_push( &_v80);
				_push( &_v76);
				_push(2);
				L004012AC();
				_push( &_v108);
				_push( &_v104);
				_push( &_v96);
				_push(3);
				L004012CA();
				_push( &_v148);
				_push( &_v132);
				_push(2);
				L004012C4();
				if( *0x414010 != 0) {
					_v444 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v444 = 0x414010;
				}
				_t791 =  &_v96;
				L004012E8();
				_v228 = _t791;
				_t795 =  *((intOrPtr*)( *_v228 + 0xd8))(_v228,  &_v200, _t791,  *((intOrPtr*)( *((intOrPtr*)( *_v444)) + 0x350))( *_v444));
				asm("fclex");
				_v232 = _t795;
				if(_v232 >= 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x404e30);
					_push(_v228);
					_push(_v232);
					L00401324();
					_v448 = _t795;
				}
				if( *0x414010 != 0) {
					_v452 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v452 = 0x414010;
				}
				_t799 =  &_v100;
				L004012E8();
				_v236 = _t799;
				_t803 =  *((intOrPtr*)( *_v236 + 0x158))(_v236,  &_v76, _t799,  *((intOrPtr*)( *((intOrPtr*)( *_v452)) + 0x330))( *_v452));
				asm("fclex");
				_v240 = _t803;
				if(_v240 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e30);
					_push(_v236);
					_push(_v240);
					L00401324();
					_v456 = _t803;
				}
				if( *0x414010 != 0) {
					_v460 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v460 = 0x414010;
				}
				_t807 =  &_v104;
				L004012E8();
				_v244 = _t807;
				_t811 =  *((intOrPtr*)( *_v244 + 0x50))(_v244,  &_v80, _t807,  *((intOrPtr*)( *((intOrPtr*)( *_v460)) + 0x34c))( *_v460));
				asm("fclex");
				_v248 = _t811;
				if(_v248 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x404e30);
					_push(_v244);
					_push(_v248);
					L00401324();
					_v464 = _t811;
				}
				if( *0x414010 != 0) {
					_v468 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v468 = 0x414010;
				}
				_t815 =  &_v108;
				L004012E8();
				_v252 = _t815;
				_t819 =  *((intOrPtr*)( *_v252 + 0x198))(_v252,  &_v84, _t815,  *((intOrPtr*)( *((intOrPtr*)( *_v468)) + 0x304))( *_v468));
				asm("fclex");
				_v256 = _t819;
				if(_v256 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x198);
					_push(0x404e58);
					_push(_v252);
					_push(_v256);
					L00401324();
					_v472 = _t819;
				}
				if( *0x414010 != 0) {
					_v476 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v476 = 0x414010;
				}
				_t823 =  &_v112;
				L004012E8();
				_v260 = _t823;
				_t827 =  *((intOrPtr*)( *_v260 + 0x48))(_v260,  &_v88, _t823,  *((intOrPtr*)( *((intOrPtr*)( *_v476)) + 0x300))( *_v476));
				asm("fclex");
				_v264 = _t827;
				if(_v264 >= 0) {
					_v480 = _v480 & 0x00000000;
				} else {
					_push(0x48);
					_push(0x404e58);
					_push(_v260);
					_push(_v264);
					L00401324();
					_v480 = _t827;
				}
				if( *0x414010 != 0) {
					_v484 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v484 = 0x414010;
				}
				_t831 =  &_v116;
				L004012E8();
				_v268 = _t831;
				_t835 =  *((intOrPtr*)( *_v268 + 0x118))(_v268,  &_v204, _t831,  *((intOrPtr*)( *((intOrPtr*)( *_v484)) + 0x328))( *_v484));
				asm("fclex");
				_v272 = _t835;
				if(_v272 >= 0) {
					_v488 = _v488 & 0x00000000;
				} else {
					_push(0x118);
					_push(0x404e30);
					_push(_v268);
					_push(_v272);
					L00401324();
					_v488 = _t835;
				}
				_v208 = _v204;
				_v300 = _v88;
				_v88 = _v88 & 0x00000000;
				_v156 = _v300;
				_v164 = 8;
				_v304 = _v84;
				_v84 = _v84 & 0x00000000;
				L00401306();
				_v308 = _v80;
				_v80 = _v80 & 0x00000000;
				_v140 = _v308;
				_v148 = 8;
				_v312 = _v76;
				_v76 = _v76 & 0x00000000;
				_v124 = _v312;
				_v132 = 8;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4, _v200,  &_v132, 0x11c36400, 0x5b02,  &_v148, 0x31fa6,  &_v92, 0x10,  &_v208);
				L004012FA();
				L004012CA();
				L004012C4();
				_t863 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4, 3,  &_v132,  &_v148,  &_v164, 6,  &_v96,  &_v100,  &_v104,  &_v108,  &_v112,  &_v116);
				_v228 = _t863;
				if(_v228 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x404ab4);
					_push(_a4);
					_push(_v228);
					L00401324();
					_v492 = _t863;
				}
				_v8 = 0;
				asm("wait");
				_push(0x41277b);
				L00401312();
				return _t863;
			}

0x00411353
0x00411356
0x00411361
0x00411362
0x0041136e
0x00411374
0x00411376
0x00411379
0x00411386
0x0041138e
0x00411394
0x00411396
0x0041139a
0x0041139b
0x0041139e
0x004113a0
0x004113a5
0x004113a8
0x004113aa
0x004113ad
0x004113ae
0x004113b8
0x004113bd
0x004113be
0x004113c3
0x004113ca
0x004113d0
0x004113da
0x004113e2
0x004113e7
0x004113f0
0x004113f2
0x004113f7
0x004113fc
0x004113fc
0x00411406
0x00411423
0x00411408
0x00411408
0x0041140d
0x00411412
0x00411417
0x00411417
0x00411435
0x00411449
0x0041144f
0x00411451
0x0041145e
0x00411483
0x00411460
0x00411460
0x00411465
0x0041146a
0x00411470
0x00411476
0x0041147b
0x0041147b
0x00411491
0x004114ae
0x00411493
0x00411493
0x00411498
0x0041149d
0x004114a2
0x004114a2
0x004114c8
0x004114d2
0x004114d6
0x004114db
0x004114f3
0x004114f9
0x004114fb
0x00411508
0x0041152d
0x0041150a
0x0041150a
0x0041150f
0x00411514
0x0041151a
0x00411520
0x00411525
0x00411525
0x00411537
0x0041153d
0x00411547
0x0041154a
0x00411563
0x0041156e
0x00411574
0x00411581
0x004115a3
0x00411583
0x00411583
0x00411588
0x0041158d
0x00411590
0x00411596
0x0041159b
0x0041159b
0x004115b0
0x004115b6
0x004115be
0x004115ca
0x004115e7
0x004115cc
0x004115cc
0x004115d1
0x004115d6
0x004115db
0x004115db
0x0041160b
0x0041160f
0x00411614
0x0041162f
0x00411635
0x00411637
0x00411644
0x00411669
0x00411646
0x00411646
0x0041164b
0x00411650
0x00411656
0x0041165c
0x00411661
0x00411661
0x00411670
0x0041167a
0x0041168a
0x0041168d
0x00411698
0x004116a4
0x004116aa
0x004116c3
0x004116d4
0x004116e1
0x004116e2
0x004116e3
0x004116e4
0x004116ed
0x004116f3
0x00411700
0x00411722
0x00411702
0x00411702
0x00411707
0x0041170c
0x0041170f
0x00411715
0x0041171a
0x0041171a
0x0041172f
0x00411735
0x0041173d
0x00411749
0x00411766
0x0041174b
0x0041174b
0x00411750
0x00411755
0x0041175a
0x0041175a
0x0041178a
0x0041178e
0x00411793
0x004117ab
0x004117b1
0x004117b3
0x004117c0
0x004117e5
0x004117c2
0x004117c2
0x004117c7
0x004117cc
0x004117d2
0x004117d8
0x004117dd
0x004117dd
0x004117ec
0x004117ee
0x004117f0
0x004117f6
0x004117f7
0x00411806
0x00411823
0x00411808
0x00411808
0x0041180d
0x00411812
0x00411817
0x00411817
0x00411847
0x0041184b
0x00411850
0x0041186b
0x00411871
0x00411873
0x00411880
0x004118a5
0x00411882
0x00411882
0x00411887
0x0041188c
0x00411892
0x00411898
0x0041189d
0x0041189d
0x004118b3
0x004118d0
0x004118b5
0x004118b5
0x004118ba
0x004118bf
0x004118c4
0x004118c4
0x004118f4
0x004118f8
0x004118fd
0x00411918
0x0041191b
0x0041191d
0x0041192a
0x0041194c
0x0041192c
0x0041192c
0x0041192e
0x00411933
0x00411939
0x0041193f
0x00411944
0x00411944
0x00411959
0x0041195f
0x0041196f
0x0041198c
0x00411990
0x004119b9
0x004119d1
0x004119e6
0x004119fd
0x00411a03
0x00411a10
0x00411a32
0x00411a12
0x00411a12
0x00411a17
0x00411a1c
0x00411a1f
0x00411a25
0x00411a2a
0x00411a2a
0x00411a3f
0x00411a49
0x00411a66
0x00411a4b
0x00411a4b
0x00411a50
0x00411a55
0x00411a5a
0x00411a5a
0x00411a8a
0x00411a8e
0x00411a93
0x00411aae
0x00411ab4
0x00411ab6
0x00411ac3
0x00411ae8
0x00411ac5
0x00411ac5
0x00411aca
0x00411acf
0x00411ad5
0x00411adb
0x00411ae0
0x00411ae0
0x00411af6
0x00411b13
0x00411af8
0x00411af8
0x00411afd
0x00411b02
0x00411b07
0x00411b07
0x00411b2d
0x00411b37
0x00411b3b
0x00411b40
0x00411b5b
0x00411b61
0x00411b63
0x00411b70
0x00411b95
0x00411b72
0x00411b72
0x00411b77
0x00411b7c
0x00411b82
0x00411b88
0x00411b8d
0x00411b8d
0x00411baf
0x00411bb9
0x00411bc4
0x00411bca
0x00411bd7
0x00411bf9
0x00411bd9
0x00411bd9
0x00411bde
0x00411be3
0x00411be6
0x00411bec
0x00411bf1
0x00411bf1
0x00411c06
0x00411c0c
0x00411c10
0x00411c11
0x00411c13
0x00411c22
0x00411c3f
0x00411c24
0x00411c24
0x00411c29
0x00411c2e
0x00411c33
0x00411c33
0x00411c63
0x00411c67
0x00411c6c
0x00411c84
0x00411c8a
0x00411c8c
0x00411c99
0x00411cbe
0x00411c9b
0x00411c9b
0x00411ca0
0x00411ca5
0x00411cab
0x00411cb1
0x00411cb6
0x00411cb6
0x00411ccc
0x00411ce9
0x00411cce
0x00411cce
0x00411cd3
0x00411cd8
0x00411cdd
0x00411cdd
0x00411d0d
0x00411d11
0x00411d16
0x00411d2e
0x00411d34
0x00411d36
0x00411d43
0x00411d68
0x00411d45
0x00411d45
0x00411d4a
0x00411d4f
0x00411d55
0x00411d5b
0x00411d60
0x00411d60
0x00411d6f
0x00411d71
0x00411d73
0x00411d7c
0x00411d7d
0x00411d8c
0x00411da9
0x00411d8e
0x00411d8e
0x00411d93
0x00411d98
0x00411d9d
0x00411d9d
0x00411dc3
0x00411dcd
0x00411dd1
0x00411dd6
0x00411dee
0x00411df4
0x00411df6
0x00411e03
0x00411e28
0x00411e05
0x00411e05
0x00411e0a
0x00411e0f
0x00411e15
0x00411e1b
0x00411e20
0x00411e20
0x00411e32
0x00411e38
0x00411e42
0x00411e48
0x00411e58
0x00411e5e
0x00411e65
0x00411e6a
0x00411e73
0x00411e79
0x00411e83
0x00411e86
0x00411e8d
0x00411e97
0x00411ec9
0x00411edb
0x00411ee1
0x00411eee
0x00411f10
0x00411ef0
0x00411ef0
0x00411ef5
0x00411efa
0x00411efd
0x00411f03
0x00411f08
0x00411f08
0x00411f1d
0x00411f23
0x00411f27
0x00411f2b
0x00411f2f
0x00411f30
0x00411f32
0x00411f40
0x00411f47
0x00411f4b
0x00411f4c
0x00411f4e
0x00411f5d
0x00411f7a
0x00411f5f
0x00411f5f
0x00411f64
0x00411f69
0x00411f6e
0x00411f6e
0x00411f9e
0x00411fa2
0x00411fa7
0x00411fbf
0x00411fc5
0x00411fc7
0x00411fd4
0x00411ff9
0x00411fd6
0x00411fd6
0x00411fdb
0x00411fe0
0x00411fe6
0x00411fec
0x00411ff1
0x00411ff1
0x00412007
0x00412024
0x00412009
0x00412009
0x0041200e
0x00412013
0x00412018
0x00412018
0x00412048
0x0041204c
0x00412051
0x00412069
0x0041206f
0x00412071
0x0041207e
0x004120a3
0x00412080
0x00412080
0x00412085
0x0041208a
0x00412090
0x00412096
0x0041209b
0x0041209b
0x004120b8
0x004120c7
0x004120d1
0x004120d9
0x004120df
0x004120e9
0x004120ec
0x004120fb
0x0041210e
0x00412118
0x00412119
0x0041211a
0x0041211b
0x00412128
0x0041212e
0x0041213b
0x0041215d
0x0041213d
0x0041213d
0x00412142
0x00412147
0x0041214a
0x00412150
0x00412155
0x00412155
0x0041216d
0x00412175
0x00412179
0x0041217a
0x0041217c
0x00412187
0x0041218b
0x0041218f
0x00412190
0x00412192
0x004121a0
0x004121a4
0x004121a5
0x004121a7
0x004121b6
0x004121d3
0x004121b8
0x004121b8
0x004121bd
0x004121c2
0x004121c7
0x004121c7
0x004121f7
0x004121fb
0x00412200
0x0041221b
0x00412221
0x00412223
0x00412230
0x00412255
0x00412232
0x00412232
0x00412237
0x0041223c
0x00412242
0x00412248
0x0041224d
0x0041224d
0x00412263
0x00412280
0x00412265
0x00412265
0x0041226a
0x0041226f
0x00412274
0x00412274
0x004122a4
0x004122a8
0x004122ad
0x004122c5
0x004122cb
0x004122cd
0x004122da
0x004122ff
0x004122dc
0x004122dc
0x004122e1
0x004122e6
0x004122ec
0x004122f2
0x004122f7
0x004122f7
0x0041230d
0x0041232a
0x0041230f
0x0041230f
0x00412314
0x00412319
0x0041231e
0x0041231e
0x0041234e
0x00412352
0x00412357
0x0041236f
0x00412372
0x00412374
0x00412381
0x004123a3
0x00412383
0x00412383
0x00412385
0x0041238a
0x00412390
0x00412396
0x0041239b
0x0041239b
0x004123b1
0x004123ce
0x004123b3
0x004123b3
0x004123b8
0x004123bd
0x004123c2
0x004123c2
0x004123f2
0x004123f6
0x004123fb
0x00412413
0x00412419
0x0041241b
0x00412428
0x0041244d
0x0041242a
0x0041242a
0x0041242f
0x00412434
0x0041243a
0x00412440
0x00412445
0x00412445
0x0041245b
0x00412478
0x0041245d
0x0041245d
0x00412462
0x00412467
0x0041246c
0x0041246c
0x0041249c
0x004124a0
0x004124a5
0x004124bd
0x004124c0
0x004124c2
0x004124cf
0x004124f1
0x004124d1
0x004124d1
0x004124d3
0x004124d8
0x004124de
0x004124e4
0x004124e9
0x004124e9
0x004124ff
0x0041251c
0x00412501
0x00412501
0x00412506
0x0041250b
0x00412510
0x00412510
0x00412540
0x00412544
0x00412549
0x00412564
0x0041256a
0x0041256c
0x00412579
0x0041259e
0x0041257b
0x0041257b
0x00412580
0x00412585
0x0041258b
0x00412591
0x00412596
0x00412596
0x004125ab
0x004125b4
0x004125ba
0x004125c4
0x004125ca
0x004125d7
0x004125dd
0x004125ea
0x004125f2
0x004125f8
0x00412602
0x00412608
0x00412615
0x0041261b
0x00412625
0x00412628
0x00412639
0x00412646
0x00412647
0x00412648
0x00412649
0x00412676
0x0041267f
0x0041269e
0x004126ba
0x004126ca
0x004126d0
0x004126dd
0x004126ff
0x004126df
0x004126df
0x004126e4
0x004126e9
0x004126ec
0x004126f2
0x004126f7
0x004126f7
0x00412706
0x0041270d
0x0041270e
0x00412775
0x0041277a

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041136E
#651.MSVBVM60(00000002), ref: 004113AE
__vbaStrMove.MSVBVM60(00000002), ref: 004113B8
__vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 004113C3
__vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 004113DA
__vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 004113E2
#570.MSVBVM60(00000083,Out of string space,00000000,00000002), ref: 004113F7
__vbaNew2.MSVBVM60(004050BC,00414010,Out of string space,00000000,00000002), ref: 00411412
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404A84,000002B4), ref: 00411476
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 0041149D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004114D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000158), ref: 00411520
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,000006FC,?,00000008,?), ref: 00411596
__vbaFreeObj.MSVBVM60(?,00000008,?), ref: 004115B6
__vbaFreeVar.MSVBVM60(?,00000008,?), ref: 004115BE
__vbaNew2.MSVBVM60(004050BC,00414010,?,00000008,?), ref: 004115D6
__vbaObjSet.MSVBVM60(?,00000000,?,00000008,?), ref: 0041160F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000138,?,00000008,?), ref: 0041165C
__vbaVarDup.MSVBVM60(?,00000008,?), ref: 0041168D
__vbaChkstk.MSVBVM60(?,00000008,?,?,?,?,00000008,?), ref: 004116D4
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,00000700,?,?,?,?,00000008,?), ref: 00411715
__vbaFreeObj.MSVBVM60(?,?,?,?,00000008,?), ref: 00411735
__vbaFreeVar.MSVBVM60(?,?,?,?,00000008,?), ref: 0041173D
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00000008,?), ref: 00411755
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00000008,?), ref: 0041178E
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000160,?,?,?,?,00000008,?), ref: 004117D8
__vbaLateIdCallLd.MSVBVM60(00000008,?,00000000,00000000,?,?,?,?,00000008,?), ref: 004117F7
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,00401216), ref: 00411812
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041184B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000140), ref: 00411898
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 004118BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 004118F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000060), ref: 0041193F
__vbaI4Var.MSVBVM60(?,?,00000003,FFEAA630,00005AF7), ref: 00411990
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 004119D1
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,00401216), ref: 004119E6
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,00000704), ref: 00411A25
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411A55
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411A8E
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00404E30,00000088), ref: 00411ADB
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411B02
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411B3B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000080), ref: 00411B88
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,00000708,?,?,003470F7,?), ref: 00411BEC
__vbaFreeObjList.MSVBVM60(00000002,?,?,?,?,003470F7,?), ref: 00411C13
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411C2E
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411C67
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E58,00000120), ref: 00411CB1
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411CD8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411D11
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000160), ref: 00411D5B
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 00411D7D
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411D98
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411DD1
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000130), ref: 00411E1B
__vbaI4Var.MSVBVM60(?), ref: 00411E65
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,0000070C,?,?,00000009,?,?,00000009,?,?), ref: 00411F03
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?,?,?,00000009,?,?,00000009,?,?), ref: 00411F32
__vbaFreeVarList.MSVBVM60(00000003,?,?,?), ref: 00411F4E
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00411F69
__vbaObjSet.MSVBVM60(?,00000000), ref: 00411FA2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000000F8), ref: 00411FEC
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00412013
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041204C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000130), ref: 00412096
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 004120B8
__vbaStrVarMove.MSVBVM60(?), ref: 004120C7
__vbaStrMove.MSVBVM60(?), ref: 004120D1
__vbaStrCopy.MSVBVM60(?), ref: 004120FB
__vbaChkstk.MSVBVM60(?,?,?), ref: 0041210E
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,00000710), ref: 00412150
__vbaVarMove.MSVBVM60(00000000,00401118,00404AB4,00000710), ref: 0041216D
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0041217C
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 00412192
__vbaFreeVarList.MSVBVM60(00000002,00000009,?), ref: 004121A7
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 004121C2
__vbaObjSet.MSVBVM60(?,00000000), ref: 004121FB
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000000D8), ref: 00412248
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 0041226F
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 004122A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000158), ref: 004122F2
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00412319
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412352
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000050), ref: 00412396
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 004123BD
__vbaObjSet.MSVBVM60(?,00000000), ref: 004123F6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E58,00000198), ref: 00412440
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 00412467
__vbaObjSet.MSVBVM60(?,00000000), ref: 004124A0
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E58,00000048), ref: 004124E4
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 0041250B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412544
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000118), ref: 00412591
__vbaStrMove.MSVBVM60(00000000,?,00404E30,00000118), ref: 004125EA
__vbaChkstk.MSVBVM60(?), ref: 00412639
__vbaFreeStr.MSVBVM60(?,?,004050BC,00414010,00000000,?,00404E58,00000198), ref: 0041267F
__vbaFreeObjList.MSVBVM60(00000006,?,00000000,?,?,?,?), ref: 0041269E
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000008,00000008), ref: 004126BA
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,000006F8), ref: 004126F2
__vbaFreeVar.MSVBVM60(0041277B), ref: 00412775

Strings

Refunded, xrefs: 00411670
gumly, xrefs: 004120F3
Out of string space, xrefs: 004113BE

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Move$Chkstk$CallLate$#570#651Copy
String ID: Out of string space$Refunded$gumly
API String ID: 4012266371-2839041377
Opcode ID: 39e6e8176895d8cfd35e734e7c50d7d67d59be53030689a78b666257147350b7
Instruction ID: 179949866ff9cbe810b660a337aebaa346a24360c568be83d14b1ad794045377
Opcode Fuzzy Hash: 39e6e8176895d8cfd35e734e7c50d7d67d59be53030689a78b666257147350b7
Instruction Fuzzy Hash: BEC2F671940228DFDB21DF91CC85BDDBBB4BB08304F1045EAE609B72A1DB795A84DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00411398, Relevance: 179.6, APIs: 99, Strings: 3, Instructions: 1142
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00411398(void* __eax, void* __ebx, char __ecx, char* __edx, char* __esi) {
				intOrPtr* _t586;
				signed int _t587;
				signed int _t591;
				signed int _t596;
				signed int _t600;
				signed int _t604;
				signed int _t611;
				signed int _t615;
				signed int _t619;
				signed int _t627;
				signed int _t631;
				signed int _t635;
				signed int _t640;
				signed int _t644;
				signed int _t648;
				signed int _t652;
				void* _t655;
				signed int _t669;
				signed int _t674;
				signed int _t678;
				signed int _t682;
				signed int _t686;
				signed int _t690;
				signed int _t696;
				signed int _t700;
				signed int _t704;
				signed int _t708;
				signed int _t713;
				signed int _t717;
				signed int _t720;
				signed int _t731;
				signed int _t742;
				signed int _t746;
				signed int _t750;
				signed int _t754;
				signed int _t765;
				signed int _t776;
				signed int _t780;
				signed int _t784;
				signed int _t788;
				signed int _t792;
				signed int _t796;
				signed int _t800;
				signed int _t804;
				intOrPtr _t808;
				signed int _t812;
				intOrPtr _t816;
				signed int _t820;
				signed int _t848;
				void* _t858;
				void* _t864;
				void* _t881;
				void* _t890;
				void* _t935;
				void* _t937;
				long long* _t938;
				void* _t939;
				signed int* _t941;
				signed int* _t942;
				signed int* _t943;

				_push(__eax);
				_t586 = __eax + 0xc7;
				 *__esi = __ecx;
				 *_t586 =  *_t586 + _t586;
				_t937 = _t935 + 2;
				 *__edx =  *__edx;
				 *_t586 =  *_t586 + _t586;
				_t587 = _t937 - 0x80;
				_push(_t587);
				L00401300();
				L00401306();
				_push(_t587);
				_push(L"Out of string space");
				L0040130C();
				asm("sbb eax, eax");
				 *(_t937 - 0xe0) =  ~( ~( ~_t587));
				L004012FA();
				L00401312();
				_t591 =  *(_t937 - 0xe0);
				if(_t591 != 0) {
					_push(0x83);
					L004012F4();
					 *((intOrPtr*)(_t937 - 0x18)) = _t591;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x138) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x138) = 0x414010;
				}
				 *(_t937 - 0xe0) =  *( *(_t937 - 0x138));
				_t596 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x2b4))( *(_t937 - 0xe0));
				asm("fclex");
				 *(_t937 - 0xe4) = _t596;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x13c) =  *(_t937 - 0x13c) & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x404a84);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x13c) = _t596;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x140) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x140) = 0x414010;
				}
				_t858 =  *( *( *(_t937 - 0x140)));
				_t600 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t600;
				_t604 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x158))( *(_t937 - 0xe0), _t937 - 0x48, _t600,  *((intOrPtr*)(_t858 + 0x330))( *( *(_t937 - 0x140))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t604;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x144) =  *(_t937 - 0x144) & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x144) = _t604;
				}
				 *(_t937 - 0x118) =  *(_t937 - 0x48);
				 *(_t937 - 0x48) =  *(_t937 - 0x48) & 0x00000000;
				 *(_t937 - 0x78) =  *(_t937 - 0x118);
				 *(_t937 - 0x80) = 8;
				 *_t938 =  *0x401110;
				_t611 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x6fc))( *((intOrPtr*)(_t937 + 8)), _t858, _t937 - 0x80, _t937 - 0xd4);
				 *(_t937 - 0xe8) = _t611;
				if( *(_t937 - 0xe8) >= 0) {
					 *(_t937 - 0x148) =  *(_t937 - 0x148) & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xe8));
					L00401324();
					 *(_t937 - 0x148) = _t611;
				}
				 *((long long*)(_t937 - 0x44)) =  *((long long*)(_t937 - 0xd4));
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					 *(_t937 - 0x14c) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x14c) = 0x414010;
				}
				_t615 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t615;
				_t619 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x138))( *(_t937 - 0xe0), _t937 - 0xc8, _t615,  *((intOrPtr*)( *( *( *(_t937 - 0x14c))) + 0x348))( *( *(_t937 - 0x14c))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t619;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x150) =  *(_t937 - 0x150) & 0x00000000;
				} else {
					_push(0x138);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x150) = _t619;
				}
				 *(_t937 - 0xb8) = L"Refunded";
				 *((intOrPtr*)(_t937 - 0xc0)) = 8;
				_t864 = _t937 - 0x80;
				L004012DC();
				 *((long long*)(_t937 - 0xd4)) =  *0x401108;
				 *(_t937 - 0xa8) =  *(_t937 - 0xc8);
				 *((intOrPtr*)(_t937 - 0xb0)) = 3;
				 *_t938 =  *0x401100;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t627 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x700))( *((intOrPtr*)(_t937 + 8)), 0x10, _t937 - 0xd4, _t937 - 0x80, _t864, _t864, _t937 - 0xcc);
				 *(_t937 - 0xe8) = _t627;
				if( *(_t937 - 0xe8) >= 0) {
					 *(_t937 - 0x154) =  *(_t937 - 0x154) & 0x00000000;
				} else {
					_push(0x700);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xe8));
					L00401324();
					 *(_t937 - 0x154) = _t627;
				}
				 *(_t937 - 0x3c) =  *(_t937 - 0xcc);
				L004012E2();
				L00401312();
				if( *0x414010 != 0) {
					 *(_t937 - 0x158) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x158) = 0x414010;
				}
				_t631 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t631;
				_t635 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x160))( *(_t937 - 0xe0), _t937 - 0x60, _t631,  *((intOrPtr*)( *( *( *(_t937 - 0x158))) + 0x360))( *( *(_t937 - 0x158))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t635;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x15c) =  *(_t937 - 0x15c) & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x15c) = _t635;
				}
				_push(0);
				_push(0);
				_push( *(_t937 - 0x60));
				_push(_t937 - 0x80);
				L004012D6();
				_t939 = _t938 + 0x10;
				if( *0x414010 != 0) {
					 *(_t937 - 0x160) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x160) = 0x414010;
				}
				_t640 = _t937 - 0x64;
				L004012E8();
				 *(_t937 - 0xe8) = _t640;
				_t644 =  *((intOrPtr*)( *( *(_t937 - 0xe8)) + 0x140))( *(_t937 - 0xe8), _t937 - 0xc4, _t640,  *((intOrPtr*)( *( *( *(_t937 - 0x160))) + 0x31c))( *( *(_t937 - 0x160))));
				asm("fclex");
				 *(_t937 - 0xec) = _t644;
				if( *(_t937 - 0xec) >= 0) {
					 *(_t937 - 0x164) =  *(_t937 - 0x164) & 0x00000000;
				} else {
					_push(0x140);
					_push(0x404e30);
					_push( *(_t937 - 0xe8));
					_push( *(_t937 - 0xec));
					L00401324();
					 *(_t937 - 0x164) = _t644;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x168) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x168) = 0x414010;
				}
				_t648 = _t937 - 0x68;
				L004012E8();
				 *(_t937 - 0xf0) = _t648;
				_t652 =  *((intOrPtr*)( *( *(_t937 - 0xf0)) + 0x60))( *(_t937 - 0xf0), _t937 - 0xc8, _t648,  *((intOrPtr*)( *( *( *(_t937 - 0x168))) + 0x324))( *( *(_t937 - 0x168))));
				asm("fclex");
				 *(_t937 - 0xf4) = _t652;
				if( *(_t937 - 0xf4) >= 0) {
					 *(_t937 - 0x16c) =  *(_t937 - 0x16c) & 0x00000000;
				} else {
					_push(0x60);
					_push(0x404e30);
					_push( *(_t937 - 0xf0));
					_push( *(_t937 - 0xf4));
					L00401324();
					 *(_t937 - 0x16c) = _t652;
				}
				 *(_t937 - 0x88) =  *(_t937 - 0xc8);
				 *(_t937 - 0x90) = 3;
				 *(_t937 - 0xcc) =  *0x4010f8;
				_t655 = _t937 - 0x80;
				L004012D0();
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x728))( *((intOrPtr*)(_t937 + 8)), 0x7006e4, _t937 - 0xcc, 0x168958, 0x7a276940, 0x5b04, _t655, _t655,  *((intOrPtr*)(_t937 - 0xc4)), _t937 - 0x90, 0xffeaa630, 0x5af7);
				L004012CA();
				L004012C4();
				_t941 = _t939 + 0x20;
				_t669 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x704))( *((intOrPtr*)(_t937 + 8)), _t937 - 0xc8, 2, _t937 - 0x80, _t937 - 0x90, 4, _t937 - 0x5c, _t937 - 0x64, _t937 - 0x68, _t937 - 0x60);
				 *(_t937 - 0xe0) = _t669;
				if( *(_t937 - 0xe0) >= 0) {
					 *(_t937 - 0x170) =  *(_t937 - 0x170) & 0x00000000;
				} else {
					_push(0x704);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xe0));
					L00401324();
					 *(_t937 - 0x170) = _t669;
				}
				 *(_t937 - 0x38) =  *(_t937 - 0xc8);
				if( *0x414010 != 0) {
					 *(_t937 - 0x174) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x174) = 0x414010;
				}
				_t674 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t674;
				_t678 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x88))( *(_t937 - 0xe0), _t937 - 0xc8, _t674,  *((intOrPtr*)( *( *( *(_t937 - 0x174))) + 0x33c))( *( *(_t937 - 0x174))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t678;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x178) =  *(_t937 - 0x178) & 0x00000000;
				} else {
					_push(0x88);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x178) = _t678;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x17c) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x17c) = 0x414010;
				}
				_t881 =  *( *( *(_t937 - 0x17c)));
				_t682 = _t937 - 0x60;
				L004012E8();
				 *(_t937 - 0xe8) = _t682;
				_t686 =  *((intOrPtr*)( *( *(_t937 - 0xe8)) + 0x80))( *(_t937 - 0xe8), _t937 - 0xcc, _t682,  *((intOrPtr*)(_t881 + 0x330))( *( *(_t937 - 0x17c))));
				asm("fclex");
				 *(_t937 - 0xec) = _t686;
				if( *(_t937 - 0xec) >= 0) {
					 *(_t937 - 0x180) =  *(_t937 - 0x180) & 0x00000000;
				} else {
					_push(0x80);
					_push(0x404e30);
					_push( *(_t937 - 0xe8));
					_push( *(_t937 - 0xec));
					L00401324();
					 *(_t937 - 0x180) = _t686;
				}
				 *_t941 =  *(_t937 - 0xcc);
				 *_t941 =  *(_t937 - 0xc8);
				_t690 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x708))( *((intOrPtr*)(_t937 + 8)), _t881, _t881, 0x3470f7, _t937 - 0xd4);
				 *(_t937 - 0xf0) = _t690;
				if( *(_t937 - 0xf0) >= 0) {
					 *(_t937 - 0x184) =  *(_t937 - 0x184) & 0x00000000;
				} else {
					_push(0x708);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xf0));
					L00401324();
					 *(_t937 - 0x184) = _t690;
				}
				 *((long long*)(_t937 - 0x30)) =  *((long long*)(_t937 - 0xd4));
				_push(_t937 - 0x60);
				_push(_t937 - 0x5c);
				_push(2);
				L004012CA();
				_t942 =  &(_t941[3]);
				if( *0x414010 != 0) {
					 *(_t937 - 0x188) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x188) = 0x414010;
				}
				_t696 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t696;
				_t700 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0x120))( *(_t937 - 0xe0), _t937 - 0x60, _t696,  *((intOrPtr*)( *( *( *(_t937 - 0x188))) + 0x30c))( *( *(_t937 - 0x188))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t700;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x18c) =  *(_t937 - 0x18c) & 0x00000000;
				} else {
					_push(0x120);
					_push(0x404e58);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x18c) = _t700;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x190) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x190) = 0x414010;
				}
				_t704 = _t937 - 0x64;
				L004012E8();
				 *(_t937 - 0xe8) = _t704;
				_t708 =  *((intOrPtr*)( *( *(_t937 - 0xe8)) + 0x160))( *(_t937 - 0xe8), _t937 - 0x68, _t704,  *((intOrPtr*)( *( *( *(_t937 - 0x190))) + 0x314))( *( *(_t937 - 0x190))));
				asm("fclex");
				 *(_t937 - 0xec) = _t708;
				if( *(_t937 - 0xec) >= 0) {
					 *(_t937 - 0x194) =  *(_t937 - 0x194) & 0x00000000;
				} else {
					_push(0x160);
					_push(0x404e30);
					_push( *(_t937 - 0xe8));
					_push( *(_t937 - 0xec));
					L00401324();
					 *(_t937 - 0x194) = _t708;
				}
				_push(0);
				_push(0);
				_push( *(_t937 - 0x68));
				_push(_t937 - 0x90);
				L004012D6();
				_t943 =  &(_t942[4]);
				if( *0x414010 != 0) {
					 *(_t937 - 0x198) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x198) = 0x414010;
				}
				_t890 =  *( *( *(_t937 - 0x198)));
				_t713 = _t937 - 0x6c;
				L004012E8();
				 *(_t937 - 0xf0) = _t713;
				_t717 =  *((intOrPtr*)( *( *(_t937 - 0xf0)) + 0x130))( *(_t937 - 0xf0), _t937 - 0x70, _t713,  *((intOrPtr*)(_t890 + 0x360))( *( *(_t937 - 0x198))));
				asm("fclex");
				 *(_t937 - 0xf4) = _t717;
				if( *(_t937 - 0xf4) >= 0) {
					 *(_t937 - 0x19c) =  *(_t937 - 0x19c) & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e30);
					_push( *(_t937 - 0xf0));
					_push( *(_t937 - 0xf4));
					L00401324();
					 *(_t937 - 0x19c) = _t717;
				}
				 *(_t937 - 0x11c) =  *(_t937 - 0x70);
				 *(_t937 - 0x70) =  *(_t937 - 0x70) & 0x00000000;
				 *(_t937 - 0x98) =  *(_t937 - 0x11c);
				 *((intOrPtr*)(_t937 - 0xa0)) = 9;
				 *((long long*)(_t937 - 0xdc)) =  *0x4010f0;
				_t720 = _t937 - 0x90;
				L004012D0();
				 *(_t937 - 0xc8) = _t720;
				 *(_t937 - 0x120) =  *(_t937 - 0x60);
				 *(_t937 - 0x60) =  *(_t937 - 0x60) & 0x00000000;
				 *(_t937 - 0x78) =  *(_t937 - 0x120);
				 *(_t937 - 0x80) = 9;
				 *((intOrPtr*)(_t937 - 0xd4)) = 0xe6c7a7b0;
				 *((intOrPtr*)(_t937 - 0xd0)) = 0x5afd;
				 *_t943 =  *0x4010e8;
				_t731 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x70c))( *((intOrPtr*)(_t937 + 8)), _t937 - 0xd4, _t890, _t890, _t937 - 0x80, _t937 - 0xc8, _t937 - 0xdc, _t937 - 0xa0, _t937 - 0xcc, _t720);
				 *(_t937 - 0xf8) = _t731;
				if( *(_t937 - 0xf8) >= 0) {
					 *(_t937 - 0x1a0) =  *(_t937 - 0x1a0) & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xf8));
					L00401324();
					 *(_t937 - 0x1a0) = _t731;
				}
				 *(_t937 - 0x34) =  *(_t937 - 0xcc);
				_push(_t937 - 0x68);
				_push(_t937 - 0x6c);
				_push(_t937 - 0x64);
				_push(_t937 - 0x5c);
				_push(4);
				L004012CA();
				_push(_t937 - 0xa0);
				_push(_t937 - 0x90);
				_push(_t937 - 0x80);
				_push(3);
				L004012C4();
				if( *0x414010 != 0) {
					 *(_t937 - 0x1a4) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1a4) = 0x414010;
				}
				_t742 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t742;
				_t746 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0xf8))( *(_t937 - 0xe0), _t937 - 0x60, _t742,  *((intOrPtr*)( *( *( *(_t937 - 0x1a4))) + 0x364))( *( *(_t937 - 0x1a4))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t746;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x1a8) =  *(_t937 - 0x1a8) & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x1a8) = _t746;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1ac) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1ac) = 0x414010;
				}
				_t750 = _t937 - 0x64;
				L004012E8();
				 *(_t937 - 0xe8) = _t750;
				_t754 =  *((intOrPtr*)( *( *(_t937 - 0xe8)) + 0x130))( *(_t937 - 0xe8), _t937 - 0x68, _t750,  *((intOrPtr*)( *( *( *(_t937 - 0x1ac))) + 0x330))( *( *(_t937 - 0x1ac))));
				asm("fclex");
				 *(_t937 - 0xec) = _t754;
				if( *(_t937 - 0xec) >= 0) {
					 *(_t937 - 0x1b0) =  *(_t937 - 0x1b0) & 0x00000000;
				} else {
					_push(0x130);
					_push(0x404e30);
					_push( *(_t937 - 0xe8));
					_push( *(_t937 - 0xec));
					L00401324();
					 *(_t937 - 0x1b0) = _t754;
				}
				L004012D6(); // executed
				L004012B8();
				L00401306();
				 *(_t937 - 0x124) =  *(_t937 - 0x60);
				 *(_t937 - 0x60) =  *(_t937 - 0x60) & 0x00000000;
				 *(_t937 - 0x78) =  *(_t937 - 0x124);
				 *(_t937 - 0x80) = 9;
				L004012B2();
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t765 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x710))( *((intOrPtr*)(_t937 + 8)), _t937 - 0x48, 0x10, _t937 - 0x4c, _t937 - 0xa0, _t937 - 0x90, _t937 - 0x90,  *(_t937 - 0x68), 0, 0);
				 *(_t937 - 0xf0) = _t765;
				if( *(_t937 - 0xf0) >= 0) {
					 *(_t937 - 0x1b4) =  *(_t937 - 0x1b4) & 0x00000000;
				} else {
					_push(0x710);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xf0));
					L00401324();
					 *(_t937 - 0x1b4) = _t765;
				}
				L004012BE();
				_push(_t937 - 0x4c);
				_push(_t937 - 0x48);
				_push(2);
				L004012AC();
				_push(_t937 - 0x68);
				_push(_t937 - 0x64);
				_push(_t937 - 0x5c);
				_push(3);
				L004012CA();
				_push(_t937 - 0x90);
				_push(_t937 - 0x80);
				_push(2);
				L004012C4();
				if( *0x414010 != 0) {
					 *(_t937 - 0x1b8) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1b8) = 0x414010;
				}
				_t776 = _t937 - 0x5c;
				L004012E8();
				 *(_t937 - 0xe0) = _t776;
				_t780 =  *((intOrPtr*)( *( *(_t937 - 0xe0)) + 0xd8))( *(_t937 - 0xe0), _t937 - 0xc4, _t776,  *((intOrPtr*)( *( *( *(_t937 - 0x1b8))) + 0x350))( *( *(_t937 - 0x1b8))));
				asm("fclex");
				 *(_t937 - 0xe4) = _t780;
				if( *(_t937 - 0xe4) >= 0) {
					 *(_t937 - 0x1bc) =  *(_t937 - 0x1bc) & 0x00000000;
				} else {
					_push(0xd8);
					_push(0x404e30);
					_push( *(_t937 - 0xe0));
					_push( *(_t937 - 0xe4));
					L00401324();
					 *(_t937 - 0x1bc) = _t780;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1c0) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1c0) = 0x414010;
				}
				_t784 = _t937 - 0x60;
				L004012E8();
				 *(_t937 - 0xe8) = _t784;
				_t788 =  *((intOrPtr*)( *( *(_t937 - 0xe8)) + 0x158))( *(_t937 - 0xe8), _t937 - 0x48, _t784,  *((intOrPtr*)( *( *( *(_t937 - 0x1c0))) + 0x330))( *( *(_t937 - 0x1c0))));
				asm("fclex");
				 *(_t937 - 0xec) = _t788;
				if( *(_t937 - 0xec) >= 0) {
					 *(_t937 - 0x1c4) =  *(_t937 - 0x1c4) & 0x00000000;
				} else {
					_push(0x158);
					_push(0x404e30);
					_push( *(_t937 - 0xe8));
					_push( *(_t937 - 0xec));
					L00401324();
					 *(_t937 - 0x1c4) = _t788;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1c8) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1c8) = 0x414010;
				}
				_t792 = _t937 - 0x64;
				L004012E8();
				 *(_t937 - 0xf0) = _t792;
				_t796 =  *((intOrPtr*)( *( *(_t937 - 0xf0)) + 0x50))( *(_t937 - 0xf0), _t937 - 0x4c, _t792,  *((intOrPtr*)( *( *( *(_t937 - 0x1c8))) + 0x34c))( *( *(_t937 - 0x1c8))));
				asm("fclex");
				 *(_t937 - 0xf4) = _t796;
				if( *(_t937 - 0xf4) >= 0) {
					 *(_t937 - 0x1cc) =  *(_t937 - 0x1cc) & 0x00000000;
				} else {
					_push(0x50);
					_push(0x404e30);
					_push( *(_t937 - 0xf0));
					_push( *(_t937 - 0xf4));
					L00401324();
					 *(_t937 - 0x1cc) = _t796;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1d0) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1d0) = 0x414010;
				}
				_t800 = _t937 - 0x68;
				L004012E8();
				 *(_t937 - 0xf8) = _t800;
				_t804 =  *((intOrPtr*)( *( *(_t937 - 0xf8)) + 0x198))( *(_t937 - 0xf8), _t937 - 0x50, _t800,  *((intOrPtr*)( *( *( *(_t937 - 0x1d0))) + 0x304))( *( *(_t937 - 0x1d0))));
				asm("fclex");
				 *(_t937 - 0xfc) = _t804;
				if( *(_t937 - 0xfc) >= 0) {
					 *(_t937 - 0x1d4) =  *(_t937 - 0x1d4) & 0x00000000;
				} else {
					_push(0x198);
					_push(0x404e58);
					_push( *(_t937 - 0xf8));
					_push( *(_t937 - 0xfc));
					L00401324();
					 *(_t937 - 0x1d4) = _t804;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1d8) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1d8) = 0x414010;
				}
				_t808 = _t937 - 0x6c;
				L004012E8();
				 *((intOrPtr*)(_t937 - 0x100)) = _t808;
				_t812 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 - 0x100)))) + 0x48))( *((intOrPtr*)(_t937 - 0x100)), _t937 - 0x54, _t808,  *((intOrPtr*)( *( *( *(_t937 - 0x1d8))) + 0x300))( *( *(_t937 - 0x1d8))));
				asm("fclex");
				 *(_t937 - 0x104) = _t812;
				if( *(_t937 - 0x104) >= 0) {
					 *(_t937 - 0x1dc) =  *(_t937 - 0x1dc) & 0x00000000;
				} else {
					_push(0x48);
					_push(0x404e58);
					_push( *((intOrPtr*)(_t937 - 0x100)));
					_push( *(_t937 - 0x104));
					L00401324();
					 *(_t937 - 0x1dc) = _t812;
				}
				if( *0x414010 != 0) {
					 *(_t937 - 0x1e0) = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					 *(_t937 - 0x1e0) = 0x414010;
				}
				_t816 = _t937 - 0x70;
				L004012E8();
				 *((intOrPtr*)(_t937 - 0x108)) = _t816;
				_t820 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 - 0x108)))) + 0x118))( *((intOrPtr*)(_t937 - 0x108)), _t937 - 0xc8, _t816,  *((intOrPtr*)( *( *( *(_t937 - 0x1e0))) + 0x328))( *( *(_t937 - 0x1e0))));
				asm("fclex");
				 *(_t937 - 0x10c) = _t820;
				if( *(_t937 - 0x10c) >= 0) {
					 *(_t937 - 0x1e4) =  *(_t937 - 0x1e4) & 0x00000000;
				} else {
					_push(0x118);
					_push(0x404e30);
					_push( *((intOrPtr*)(_t937 - 0x108)));
					_push( *(_t937 - 0x10c));
					L00401324();
					 *(_t937 - 0x1e4) = _t820;
				}
				 *(_t937 - 0xcc) =  *(_t937 - 0xc8);
				 *(_t937 - 0x128) =  *(_t937 - 0x54);
				 *(_t937 - 0x54) =  *(_t937 - 0x54) & 0x00000000;
				 *(_t937 - 0x98) =  *(_t937 - 0x128);
				 *((intOrPtr*)(_t937 - 0xa0)) = 8;
				 *(_t937 - 0x12c) =  *(_t937 - 0x50);
				 *(_t937 - 0x50) =  *(_t937 - 0x50) & 0x00000000;
				L00401306();
				 *(_t937 - 0x130) =  *(_t937 - 0x4c);
				 *(_t937 - 0x4c) =  *(_t937 - 0x4c) & 0x00000000;
				 *(_t937 - 0x88) =  *(_t937 - 0x130);
				 *(_t937 - 0x90) = 8;
				 *(_t937 - 0x134) =  *(_t937 - 0x48);
				 *(_t937 - 0x48) =  *(_t937 - 0x48) & 0x00000000;
				 *(_t937 - 0x78) =  *(_t937 - 0x134);
				 *(_t937 - 0x80) = 8;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x72c))( *((intOrPtr*)(_t937 + 8)),  *((intOrPtr*)(_t937 - 0xc4)), _t937 - 0x80, 0x11c36400, 0x5b02, _t937 - 0x90, 0x31fa6, _t937 - 0x58, 0x10, _t937 - 0xcc);
				L004012FA();
				L004012CA();
				L004012C4();
				_t848 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t937 + 8)))) + 0x6f8))( *((intOrPtr*)(_t937 + 8)), 3, _t937 - 0x80, _t937 - 0x90, _t937 - 0xa0, 6, _t937 - 0x5c, _t937 - 0x60, _t937 - 0x64, _t937 - 0x68, _t937 - 0x6c, _t937 - 0x70);
				 *(_t937 - 0xe0) = _t848;
				if( *(_t937 - 0xe0) >= 0) {
					 *(_t937 - 0x1e8) =  *(_t937 - 0x1e8) & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x404ab4);
					_push( *((intOrPtr*)(_t937 + 8)));
					_push( *(_t937 - 0xe0));
					L00401324();
					 *(_t937 - 0x1e8) = _t848;
				}
				 *((intOrPtr*)(_t937 - 4)) = 0;
				asm("wait");
				_push(0x41277b);
				L00401312();
				return _t848;
			}

0x0041139a
0x0041139b
0x0041139e
0x004113a0
0x004113a4
0x004113a5
0x004113a8
0x004113aa
0x004113ad
0x004113ae
0x004113b8
0x004113bd
0x004113be
0x004113c3
0x004113ca
0x004113d0
0x004113da
0x004113e2
0x004113e7
0x004113f0
0x004113f2
0x004113f7
0x004113fc
0x004113fc
0x00411406
0x00411423
0x00411408
0x00411408
0x0041140d
0x00411412
0x00411417
0x00411417
0x00411435
0x00411449
0x0041144f
0x00411451
0x0041145e
0x00411483
0x00411460
0x00411460
0x00411465
0x0041146a
0x00411470
0x00411476
0x0041147b
0x0041147b
0x00411491
0x004114ae
0x00411493
0x00411493
0x00411498
0x0041149d
0x004114a2
0x004114a2
0x004114c8
0x004114d2
0x004114d6
0x004114db
0x004114f3
0x004114f9
0x004114fb
0x00411508
0x0041152d
0x0041150a
0x0041150a
0x0041150f
0x00411514
0x0041151a
0x00411520
0x00411525
0x00411525
0x00411537
0x0041153d
0x00411547
0x0041154a
0x00411563
0x0041156e
0x00411574
0x00411581
0x004115a3
0x00411583
0x00411583
0x00411588
0x0041158d
0x00411590
0x00411596
0x0041159b
0x0041159b
0x004115b0
0x004115b6
0x004115be
0x004115ca
0x004115e7
0x004115cc
0x004115cc
0x004115d1
0x004115d6
0x004115db
0x004115db
0x0041160b
0x0041160f
0x00411614
0x0041162f
0x00411635
0x00411637
0x00411644
0x00411669
0x00411646
0x00411646
0x0041164b
0x00411650
0x00411656
0x0041165c
0x00411661
0x00411661
0x00411670
0x0041167a
0x0041168a
0x0041168d
0x00411698
0x004116a4
0x004116aa
0x004116c3
0x004116d4
0x004116e1
0x004116e2
0x004116e3
0x004116e4
0x004116ed
0x004116f3
0x00411700
0x00411722
0x00411702
0x00411702
0x00411707
0x0041170c
0x0041170f
0x00411715
0x0041171a
0x0041171a
0x0041172f
0x00411735
0x0041173d
0x00411749
0x00411766
0x0041174b
0x0041174b
0x00411750
0x00411755
0x0041175a
0x0041175a
0x0041178a
0x0041178e
0x00411793
0x004117ab
0x004117b1
0x004117b3
0x004117c0
0x004117e5
0x004117c2
0x004117c2
0x004117c7
0x004117cc
0x004117d2
0x004117d8
0x004117dd
0x004117dd
0x004117ec
0x004117ee
0x004117f0
0x004117f6
0x004117f7
0x004117fc
0x00411806
0x00411823
0x00411808
0x00411808
0x0041180d
0x00411812
0x00411817
0x00411817
0x00411847
0x0041184b
0x00411850
0x0041186b
0x00411871
0x00411873
0x00411880
0x004118a5
0x00411882
0x00411882
0x00411887
0x0041188c
0x00411892
0x00411898
0x0041189d
0x0041189d
0x004118b3
0x004118d0
0x004118b5
0x004118b5
0x004118ba
0x004118bf
0x004118c4
0x004118c4
0x004118f4
0x004118f8
0x004118fd
0x00411918
0x0041191b
0x0041191d
0x0041192a
0x0041194c
0x0041192c
0x0041192c
0x0041192e
0x00411933
0x00411939
0x0041193f
0x00411944
0x00411944
0x00411959
0x0041195f
0x0041196f
0x0041198c
0x00411990
0x004119b9
0x004119d1
0x004119e6
0x004119eb
0x004119fd
0x00411a03
0x00411a10
0x00411a32
0x00411a12
0x00411a12
0x00411a17
0x00411a1c
0x00411a1f
0x00411a25
0x00411a2a
0x00411a2a
0x00411a3f
0x00411a49
0x00411a66
0x00411a4b
0x00411a4b
0x00411a50
0x00411a55
0x00411a5a
0x00411a5a
0x00411a8a
0x00411a8e
0x00411a93
0x00411aae
0x00411ab4
0x00411ab6
0x00411ac3
0x00411ae8
0x00411ac5
0x00411ac5
0x00411aca
0x00411acf
0x00411ad5
0x00411adb
0x00411ae0
0x00411ae0
0x00411af6
0x00411b13
0x00411af8
0x00411af8
0x00411afd
0x00411b02
0x00411b07
0x00411b07
0x00411b2d
0x00411b37
0x00411b3b
0x00411b40
0x00411b5b
0x00411b61
0x00411b63
0x00411b70
0x00411b95
0x00411b72
0x00411b72
0x00411b77
0x00411b7c
0x00411b82
0x00411b88
0x00411b8d
0x00411b8d
0x00411baf
0x00411bb9
0x00411bc4
0x00411bca
0x00411bd7
0x00411bf9
0x00411bd9
0x00411bd9
0x00411bde
0x00411be3
0x00411be6
0x00411bec
0x00411bf1
0x00411bf1
0x00411c06
0x00411c0c
0x00411c10
0x00411c11
0x00411c13
0x00411c18
0x00411c22
0x00411c3f
0x00411c24
0x00411c24
0x00411c29
0x00411c2e
0x00411c33
0x00411c33
0x00411c63
0x00411c67
0x00411c6c
0x00411c84
0x00411c8a
0x00411c8c
0x00411c99
0x00411cbe
0x00411c9b
0x00411c9b
0x00411ca0
0x00411ca5
0x00411cab
0x00411cb1
0x00411cb6
0x00411cb6
0x00411ccc
0x00411ce9
0x00411cce
0x00411cce
0x00411cd3
0x00411cd8
0x00411cdd
0x00411cdd
0x00411d0d
0x00411d11
0x00411d16
0x00411d2e
0x00411d34
0x00411d36
0x00411d43
0x00411d68
0x00411d45
0x00411d45
0x00411d4a
0x00411d4f
0x00411d55
0x00411d5b
0x00411d60
0x00411d60
0x00411d6f
0x00411d71
0x00411d73
0x00411d7c
0x00411d7d
0x00411d82
0x00411d8c
0x00411da9
0x00411d8e
0x00411d8e
0x00411d93
0x00411d98
0x00411d9d
0x00411d9d
0x00411dc3
0x00411dcd
0x00411dd1
0x00411dd6
0x00411dee
0x00411df4
0x00411df6
0x00411e03
0x00411e28
0x00411e05
0x00411e05
0x00411e0a
0x00411e0f
0x00411e15
0x00411e1b
0x00411e20
0x00411e20
0x00411e32
0x00411e38
0x00411e42
0x00411e48
0x00411e58
0x00411e5e
0x00411e65
0x00411e6a
0x00411e73
0x00411e79
0x00411e83
0x00411e86
0x00411e8d
0x00411e97
0x00411ec9
0x00411edb
0x00411ee1
0x00411eee
0x00411f10
0x00411ef0
0x00411ef0
0x00411ef5
0x00411efa
0x00411efd
0x00411f03
0x00411f08
0x00411f08
0x00411f1d
0x00411f23
0x00411f27
0x00411f2b
0x00411f2f
0x00411f30
0x00411f32
0x00411f40
0x00411f47
0x00411f4b
0x00411f4c
0x00411f4e
0x00411f5d
0x00411f7a
0x00411f5f
0x00411f5f
0x00411f64
0x00411f69
0x00411f6e
0x00411f6e
0x00411f9e
0x00411fa2
0x00411fa7
0x00411fbf
0x00411fc5
0x00411fc7
0x00411fd4
0x00411ff9
0x00411fd6
0x00411fd6
0x00411fdb
0x00411fe0
0x00411fe6
0x00411fec
0x00411ff1
0x00411ff1
0x00412007
0x00412024
0x00412009
0x00412009
0x0041200e
0x00412013
0x00412018
0x00412018
0x00412048
0x0041204c
0x00412051
0x00412069
0x0041206f
0x00412071
0x0041207e
0x004120a3
0x00412080
0x00412080
0x00412085
0x0041208a
0x00412090
0x00412096
0x0041209b
0x0041209b
0x004120b8
0x004120c7
0x004120d1
0x004120d9
0x004120df
0x004120e9
0x004120ec
0x004120fb
0x0041210e
0x00412118
0x00412119
0x0041211a
0x0041211b
0x00412128
0x0041212e
0x0041213b
0x0041215d
0x0041213d
0x0041213d
0x00412142
0x00412147
0x0041214a
0x00412150
0x00412155
0x00412155
0x0041216d
0x00412175
0x00412179
0x0041217a
0x0041217c
0x00412187
0x0041218b
0x0041218f
0x00412190
0x00412192
0x004121a0
0x004121a4
0x004121a5
0x004121a7
0x004121b6
0x004121d3
0x004121b8
0x004121b8
0x004121bd
0x004121c2
0x004121c7
0x004121c7
0x004121f7
0x004121fb
0x00412200
0x0041221b
0x00412221
0x00412223
0x00412230
0x00412255
0x00412232
0x00412232
0x00412237
0x0041223c
0x00412242
0x00412248
0x0041224d
0x0041224d
0x00412263
0x00412280
0x00412265
0x00412265
0x0041226a
0x0041226f
0x00412274
0x00412274
0x004122a4
0x004122a8
0x004122ad
0x004122c5
0x004122cb
0x004122cd
0x004122da
0x004122ff
0x004122dc
0x004122dc
0x004122e1
0x004122e6
0x004122ec
0x004122f2
0x004122f7
0x004122f7
0x0041230d
0x0041232a
0x0041230f
0x0041230f
0x00412314
0x00412319
0x0041231e
0x0041231e
0x0041234e
0x00412352
0x00412357
0x0041236f
0x00412372
0x00412374
0x00412381
0x004123a3
0x00412383
0x00412383
0x00412385
0x0041238a
0x00412390
0x00412396
0x0041239b
0x0041239b
0x004123b1
0x004123ce
0x004123b3
0x004123b3
0x004123b8
0x004123bd
0x004123c2
0x004123c2
0x004123f2
0x004123f6
0x004123fb
0x00412413
0x00412419
0x0041241b
0x00412428
0x0041244d
0x0041242a
0x0041242a
0x0041242f
0x00412434
0x0041243a
0x00412440
0x00412445
0x00412445
0x0041245b
0x00412478
0x0041245d
0x0041245d
0x00412462
0x00412467
0x0041246c
0x0041246c
0x0041249c
0x004124a0
0x004124a5
0x004124bd
0x004124c0
0x004124c2
0x004124cf
0x004124f1
0x004124d1
0x004124d1
0x004124d3
0x004124d8
0x004124de
0x004124e4
0x004124e9
0x004124e9
0x004124ff
0x0041251c
0x00412501
0x00412501
0x00412506
0x0041250b
0x00412510
0x00412510
0x00412540
0x00412544
0x00412549
0x00412564
0x0041256a
0x0041256c
0x00412579
0x0041259e
0x0041257b
0x0041257b
0x00412580
0x00412585
0x0041258b
0x00412591
0x00412596
0x00412596
0x004125ab
0x004125b4
0x004125ba
0x004125c4
0x004125ca
0x004125d7
0x004125dd
0x004125ea
0x004125f2
0x004125f8
0x00412602
0x00412608
0x00412615
0x0041261b
0x00412625
0x00412628
0x00412639
0x00412646
0x00412647
0x00412648
0x00412649
0x00412676
0x0041267f
0x0041269e
0x004126ba
0x004126ca
0x004126d0
0x004126dd
0x004126ff
0x004126df
0x004126df
0x004126e4
0x004126e9
0x004126ec
0x004126f2
0x004126f7
0x004126f7
0x00412706
0x0041270d
0x0041270e
0x00412775
0x0041277a

APIs

#651.MSVBVM60(00000002), ref: 004113AE
__vbaStrMove.MSVBVM60(00000002), ref: 004113B8
__vbaStrCmp.MSVBVM60(Out of string space,00000000,00000002), ref: 004113C3
__vbaFreeStr.MSVBVM60(Out of string space,00000000,00000002), ref: 004113DA
__vbaFreeVar.MSVBVM60(Out of string space,00000000,00000002), ref: 004113E2
#570.MSVBVM60(00000083,Out of string space,00000000,00000002), ref: 004113F7
__vbaNew2.MSVBVM60(004050BC,00414010,Out of string space,00000000,00000002), ref: 00411412
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404A84,000002B4), ref: 00411476
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 0041149D
__vbaObjSet.MSVBVM60(?,00000000), ref: 004114D6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000158), ref: 00411520
__vbaHresultCheckObj.MSVBVM60(00000000,00401118,00404AB4,000006FC,?,00000008,?), ref: 00411596
__vbaFreeObj.MSVBVM60(?,00000008,?), ref: 004115B6
__vbaFreeVar.MSVBVM60(?,00000008,?), ref: 004115BE
__vbaNew2.MSVBVM60(004050BC,00414010,?,00000008,?), ref: 004115D6

Strings

Refunded, xrefs: 00411670
gumly, xrefs: 004120F3
Out of string space, xrefs: 004113BE

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultNew2$#570#651Move
String ID: Out of string space$Refunded$gumly
API String ID: 3900562132-2839041377
Opcode ID: 7f1d868b6520249ae3ffd55383b402a75c6bb4178b0437aadd6d4d276461ad09
Instruction ID: 15ef7d8337d69a8aed3a0c0bc61f0fa295a77ef65dda08c256e2f59264051164
Opcode Fuzzy Hash: 7f1d868b6520249ae3ffd55383b402a75c6bb4178b0437aadd6d4d276461ad09
Instruction Fuzzy Hash: 0BB20871940228DFDB21DF90CC85BDDBBB8BB08304F1045EAE609B72A1DB795A85DF58

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0219186D, Relevance: 8.4, Strings: 6, Instructions: 866COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
1.!T, xrefs: 021906AD
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
S;, xrefs: 02192929
Msi.dll, xrefs: 02193CFF

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: 1.!T$Msi.dll$Wd$$j@h$S;$$
API String ID: 0-1662844545
Opcode ID: c48dff36b2b17b223a2c63b298032db141a360f670eb4a0766eec39e95c14920
Instruction ID: fd994161e6ce548e04268e6daf10dc42b8b78ccfc836beda4880ede0335e2477
Opcode Fuzzy Hash: c48dff36b2b17b223a2c63b298032db141a360f670eb4a0766eec39e95c14920
Instruction Fuzzy Hash: 87525871780306BFEF289E68CC90BE533A6FF05750F554129ED9A97280D779E882CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02195A2E, Relevance: .4, Instructions: 360COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138cdf0975f265794613de36612cf30451e30bd740a0881d7e125ddb8b706815
Instruction ID: 49034e3994c759bdc119d7057e118e0a6d44c2ca6f3779a86ff8ae17fec698fa
Opcode Fuzzy Hash: 138cdf0975f265794613de36612cf30451e30bd740a0881d7e125ddb8b706815
Instruction Fuzzy Hash: 67C14B30A84341AEDF258F3885D87A9B7D79F56360FD88269DDA29B1D6C3318483CB12

Uniqueness

Uniqueness Score: -1.00%

Function 00401384, Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d68ce4505ae17de8d2bf5bea8ad9d31a5c400ecc3494ca4a7c68081e6e11e7bd
Instruction ID: 93d23f2412d2477a49229c80be121be47a354ca74be980ccc6b786a8eb7d597b
Opcode Fuzzy Hash: d68ce4505ae17de8d2bf5bea8ad9d31a5c400ecc3494ca4a7c68081e6e11e7bd
Instruction Fuzzy Hash: 42A16F6144E3C16FC7138B785C6A589BFB0AE5321876E84EFC4C18F4E3D21A885AC727

Uniqueness

Uniqueness Score: -1.00%

Function 02195A4C, Relevance: .2, Instructions: 185COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4eda80a222c712adfbd795bd10e7dd254e95e46818a88bc51de284ebae272c51
Instruction ID: f4fc771a4551e1b22df46e39a6082f124ec4bc33dc90be695282bcc9fa29353c
Opcode Fuzzy Hash: 4eda80a222c712adfbd795bd10e7dd254e95e46818a88bc51de284ebae272c51
Instruction Fuzzy Hash: 8A51E771A843459FDF26DF288484795B7D7AF53260F8982ADCDA69B2E6C331C046CB12

Uniqueness

Uniqueness Score: -1.00%

Function 02191FF6, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72d850d069a3f46b688e1a5b45fe2fd388029c807ebcd38309f854c53a9cf4a5
Instruction ID: 81a8465d43777e79ab85d89fa7f64e46b3dbce070bd347e594f662a294ec0dba
Opcode Fuzzy Hash: 72d850d069a3f46b688e1a5b45fe2fd388029c807ebcd38309f854c53a9cf4a5
Instruction Fuzzy Hash: 17412430284301FFEF29AF64DCA8BE973A6AF05390F95415AED958B1D1C7748885CE62

Uniqueness

Uniqueness Score: -1.00%

Function 02191DB8, Relevance: .1, Instructions: 141COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64ce597f295d5490d194b3ae68968a60cabf35b5f80fae64eaa05520d29688f7
Instruction ID: 0cef65e89e46ebc5073b7f8230914fa6d82ee1289bd08ec61ba9ccb01236b5c3
Opcode Fuzzy Hash: 64ce597f295d5490d194b3ae68968a60cabf35b5f80fae64eaa05520d29688f7
Instruction Fuzzy Hash: 4F412A72780603AFEF15AE58CC40BE173EABF57360F560229EC59D3285CB16D88ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 02191DB6, Relevance: .1, Instructions: 130COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34417448d3d8e8c1a283e04407858e571dbbf34b88c55fda587694605775883c
Instruction ID: 4d90040168ab188424af6b4a8aae70cced69aed05d751ff72da228d30ef5c5bc
Opcode Fuzzy Hash: 34417448d3d8e8c1a283e04407858e571dbbf34b88c55fda587694605775883c
Instruction Fuzzy Hash: CA412971780303AFDF196E58CD44BE633AABF02760F554329AC59D3285CB15D88ACB50

Uniqueness

Uniqueness Score: -1.00%

Function 02191E08, Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fd7055cbc086c14bf0acef03ecb3cae2864b2d0ad7987f1b775ed8a641cdf34
Instruction ID: 4e1d45ff6820c9d305b240c64ecaf928e0d1a7b9af45a8f139dd2635a3b99a80
Opcode Fuzzy Hash: 3fd7055cbc086c14bf0acef03ecb3cae2864b2d0ad7987f1b775ed8a641cdf34
Instruction Fuzzy Hash: 89315B71B80303AFEF296D18CD40BE623AABF56360F550339AC6DD3285CB16D889CB51

Uniqueness

Uniqueness Score: -1.00%

Function 02192054, Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78e6d394b3f4c3d1e4e28e8e7b002260cc6876672c11f75259529ef3d0cdd13c
Instruction ID: 50c86d0d9ddbfe4c904d5737d53267ff1e7c7fd829411363e89d09055bc6bdf3
Opcode Fuzzy Hash: 78e6d394b3f4c3d1e4e28e8e7b002260cc6876672c11f75259529ef3d0cdd13c
Instruction Fuzzy Hash: 9B213630384341BFEF24BB60D868FE567D6AF06784F89401ADD865B1D1C7718881C912

Uniqueness

Uniqueness Score: -1.00%

Function 02195106, Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d56e4feb30fe6b43ca0506f6c72b7901ef685dc6973a958fe1e662e304a1dbe
Instruction ID: 25f6732d00bb52e4e50ed6c25b30b08e2b6ac4d1f24919891da903442a1ad8b0
Opcode Fuzzy Hash: 3d56e4feb30fe6b43ca0506f6c72b7901ef685dc6973a958fe1e662e304a1dbe
Instruction Fuzzy Hash: 2DF03935380300AFCB2ADA28C9E8F5673A7AF55711FC28565E842AB226C334EC80CF14

Uniqueness

Uniqueness Score: -1.00%

Function 02192D66, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1136bbb58fbaf19600a4d7e7d148edc59100b80f47198fca0a2307a384c9a604
Instruction ID: d7b995367857f65838297087503f42029d93b82ade1185961573ceb66941027c
Opcode Fuzzy Hash: 1136bbb58fbaf19600a4d7e7d148edc59100b80f47198fca0a2307a384c9a604
Instruction Fuzzy Hash: A5C048B6280586DBEF4ADA08C5A1BA173B4EB25684FC90890E8538F691D328ED00CA00

Uniqueness

Uniqueness Score: -1.00%

Function 02194CD7, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9dbbf832becb5af5df1a06176901f9e6ab67550e451a627afd85fbf034574c0e
Instruction ID: 3b17eb2d3e495c1398685618adfa053ae25a4e3fc2453d6095a3cc2d6d5803bc
Opcode Fuzzy Hash: 9dbbf832becb5af5df1a06176901f9e6ab67550e451a627afd85fbf034574c0e
Instruction Fuzzy Hash: D4C0923E7A2640CFCB59CE19D1D0FA573B2BF44A00BC20498F812C7B91C338E800CA04

Uniqueness

Uniqueness Score: -1.00%

Function 004131D0, Relevance: 22.6, APIs: 15, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E004131D0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				void* _v32;
				signed int _v36;
				char _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				char _v88;
				intOrPtr _v96;
				char _v104;
				intOrPtr _v112;
				char _v120;
				intOrPtr _v128;
				char _v136;
				intOrPtr _v144;
				char _v152;
				void* _v252;
				signed int _v256;
				signed int _v268;
				intOrPtr* _v272;
				signed int _v276;
				signed int _t72;
				char* _t76;
				char* _t80;
				signed int _t84;
				void* _t116;
				void* _t118;
				intOrPtr _t119;

				_t119 = _t118 - 0xc;
				 *[fs:0x0] = _t119;
				L00401210();
				_v16 = _t119;
				_v12 = 0x4011b8;
				_v8 = 0;
				_t72 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401216, _t116);
				L004012B2();
				_push(_v28);
				L004012A6();
				L00401306();
				_push(_t72);
				_push(0x404ecc);
				L0040130C();
				asm("sbb eax, eax");
				_v252 =  ~( ~( ~_t72));
				L004012FA();
				_t76 = _v252;
				if(_t76 != 0) {
					_v144 = 0x80020004;
					_v152 = 0xa;
					_v128 = 0x80020004;
					_v136 = 0xa;
					_v112 = 0x80020004;
					_v120 = 0xa;
					_v96 = 0x80020004;
					_v104 = 0xa;
					_v80 = 0x80020004;
					_v88 = 0xa;
					_v64 = 0x80020004;
					_v72 = 0xa;
					if( *0x414010 != 0) {
						_v272 = 0x414010;
					} else {
						_push(0x414010);
						_push(0x4050bc);
						L004012EE();
						_v272 = 0x414010;
					}
					_t80 =  &_v40;
					L004012E8();
					_v252 = _t80;
					_t84 =  *((intOrPtr*)( *_v252 + 0x50))(_v252,  &_v36, _t80,  *((intOrPtr*)( *((intOrPtr*)( *_v272)) + 0x338))( *_v272));
					asm("fclex");
					_v256 = _t84;
					if(_v256 >= 0) {
						_v276 = _v276 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x404e30);
						_push(_v252);
						_push(_v256);
						L00401324();
						_v276 = _t84;
					}
					_v268 = _v36;
					_v36 = _v36 & 0x00000000;
					_v48 = _v268;
					_v56 = 8;
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_push( &_v56);
					L004012A0();
					L00401306();
					L004012E2();
					_push( &_v152);
					_push( &_v136);
					_push( &_v120);
					_push( &_v104);
					_push( &_v88);
					_push( &_v72);
					_t76 =  &_v56;
					_push(_t76);
					_push(7);
					L004012C4();
				}
				_push(0x41343a);
				L004012FA();
				L004012FA();
				return _t76;
			}

0x004131d3
0x004131e2
0x004131ee
0x004131f6
0x004131f9
0x00413200
0x0041320f
0x0041321a
0x0041321f
0x00413222
0x0041322c
0x00413231
0x00413232
0x00413237
0x0041323e
0x00413244
0x0041324e
0x00413253
0x0041325c
0x00413262
0x0041326c
0x00413276
0x0041327d
0x00413287
0x0041328e
0x00413295
0x0041329c
0x004132a3
0x004132aa
0x004132b1
0x004132b8
0x004132c6
0x004132e3
0x004132c8
0x004132c8
0x004132cd
0x004132d2
0x004132d7
0x004132d7
0x00413307
0x0041330b
0x00413310
0x00413328
0x0041332b
0x0041332d
0x0041333a
0x0041335c
0x0041333c
0x0041333c
0x0041333e
0x00413343
0x00413349
0x0041334f
0x00413354
0x00413354
0x00413366
0x0041336c
0x00413376
0x00413379
0x00413386
0x0041338d
0x00413391
0x00413395
0x00413399
0x0041339d
0x004133a1
0x004133a2
0x004133ac
0x004133b4
0x004133bf
0x004133c6
0x004133ca
0x004133ce
0x004133d2
0x004133d6
0x004133d7
0x004133da
0x004133db
0x004133dd
0x004133e2
0x004133e5
0x0041342c
0x00413434
0x00413439

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004131EE
__vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041321A
#523.MSVBVM60(?,?,?,?,?,00401216), ref: 00413222
__vbaStrMove.MSVBVM60(?,?,?,?,?,00401216), ref: 0041322C
__vbaStrCmp.MSVBVM60(00404ECC,00000000,?,?,?,?,?,00401216), ref: 00413237
__vbaFreeStr.MSVBVM60(00404ECC,00000000,?,?,?,?,?,00401216), ref: 0041324E
__vbaNew2.MSVBVM60(004050BC,00414010), ref: 004132D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041330B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,00000050), ref: 0041334F
#596.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004133A2
__vbaStrMove.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004133AC
__vbaFreeObj.MSVBVM60(00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004133B4
__vbaFreeVarList.MSVBVM60(00000007,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A,00000008,0000000A,0000000A,0000000A,0000000A,0000000A,0000000A), ref: 004133DD
__vbaFreeStr.MSVBVM60(0041343A,00404ECC,00000000,?,?,?,?,?,00401216), ref: 0041342C
__vbaFreeStr.MSVBVM60(0041343A,00404ECC,00000000,?,?,?,?,?,00401216), ref: 00413434

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#523#596CheckChkstkCopyHresultListNew2
String ID:
API String ID: 2450112860-0
Opcode ID: 5ba2de76cc1f6d247937281ac1c58480ab20c0901d8bc0ed7eed81f9121ef5de
Instruction ID: 450197228895bc70d6dd22c45a37eec2d9f9f9753256dfd42f06c5189efdae61
Opcode Fuzzy Hash: 5ba2de76cc1f6d247937281ac1c58480ab20c0901d8bc0ed7eed81f9121ef5de
Instruction Fuzzy Hash: 7D5108B1D4021DDBDB21DF91C985BDEB7B8FB08304F1081AAE209B7291DB795A85CF58

Uniqueness

Uniqueness Score: -1.00%

Function 00412F5D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83
COMMON

Download Yara Rule

C-Code - Quality: 58%

			E00412F5D(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v40;
				signed int _v44;
				void* _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				signed int _v84;
				signed int _t49;
				signed int _t54;
				signed int _t55;
				intOrPtr _t69;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_push(0x40);
				L00401210();
				_v12 = _t69;
				_v8 = 0x401198;
				L004012DC();
				if( *0x41446c != 0) {
					_v76 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e9c);
					L004012EE();
					_v76 = 0x41446c;
				}
				_t7 =  &_v76; // 0x41446c
				_v52 =  *((intOrPtr*)( *_t7));
				_t49 =  *((intOrPtr*)( *_v52 + 0x14))(_v52,  &_v48);
				asm("fclex");
				_v56 = _t49;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e88);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t49;
				}
				_v60 = _v48;
				_t54 =  *((intOrPtr*)( *_v60 + 0xd0))(_v60,  &_v44);
				asm("fclex");
				_v64 = _t54;
				if(_v64 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0xd0);
					_push(0x404eac);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v84 = _t54;
				}
				_t55 = _v44;
				_v72 = _t55;
				_v44 = _v44 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x413081);
				L00401312();
				L004012FA();
				return _t55;
			}

0x00412f62
0x00412f6d
0x00412f6e
0x00412f75
0x00412f78
0x00412f80
0x00412f83
0x00412f90
0x00412f9c
0x00412fb6
0x00412f9e
0x00412f9e
0x00412fa3
0x00412fa8
0x00412fad
0x00412fad
0x00412fbd
0x00412fc2
0x00412fd1
0x00412fd4
0x00412fd6
0x00412fdd
0x00412ff6
0x00412fdf
0x00412fdf
0x00412fe1
0x00412fe6
0x00412fe9
0x00412fec
0x00412ff1
0x00412ff1
0x00412ffd
0x0041300c
0x00413012
0x00413014
0x0041301b
0x00413037
0x0041301d
0x0041301d
0x00413022
0x00413027
0x0041302a
0x0041302d
0x00413032
0x00413032
0x0041303b
0x0041303e
0x00413041
0x0041304b
0x00413053
0x00413058
0x00413073
0x0041307b
0x00413080

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00412F78
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412F90
__vbaNew2.MSVBVM60(00404E9C,0041446C,?,?,?,?,00401216), ref: 00412FA8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E88,00000014), ref: 00412FEC
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404EAC,000000D0), ref: 0041302D
__vbaStrMove.MSVBVM60 ref: 0041304B
__vbaFreeObj.MSVBVM60 ref: 00413053
__vbaFreeVar.MSVBVM60(00413081), ref: 00413073
__vbaFreeStr.MSVBVM60(00413081), ref: 0041307B

Strings

lDA, xrefs: 00412FBD

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkMoveNew2
String ID: lDA
API String ID: 1876247458-725749841
Opcode ID: bc62825bafb79a9051c1516e4fa4111a46ee2307455c6fdea91ef84481873eb9
Instruction ID: e3974dbc3bebcad6f75c2f3b5c9ca9298ef1daee83bc2dac4ba7045bec3fe22c
Opcode Fuzzy Hash: bc62825bafb79a9051c1516e4fa4111a46ee2307455c6fdea91ef84481873eb9
Instruction Fuzzy Hash: A4310171D00208AFCB10EFE5D986BDDBBB4BF48715F20402AF501B62A0D7B86985DF68

Uniqueness

Uniqueness Score: -1.00%

Function 004136F3, Relevance: 16.6, APIs: 11, Instructions: 72
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E004136F3(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a16, void* _a32, void* _a64) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v52;
				void* _v68;
				char _v72;
				intOrPtr* _v76;
				signed int _v80;
				intOrPtr* _v88;
				signed int _v92;
				char* _t35;
				signed int _t38;
				intOrPtr _t58;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t58;
				_push(0x48);
				L00401210();
				_v12 = _t58;
				_v8 = 0x4011f0;
				L004012DC();
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v88 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v88 = 0x414010;
				}
				_t35 =  &_v72;
				L004012E8();
				_v76 = _t35;
				_t38 =  *((intOrPtr*)( *_v76 + 0x1bc))(_v76, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v88)) + 0x370))( *_v88));
				asm("fclex");
				_v80 = _t38;
				if(_v80 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e30);
					_push(_v76);
					_push(_v80);
					L00401324();
					_v92 = _t38;
				}
				L004012E2();
				_push(0x4137f1);
				L00401312();
				L00401312();
				L00401312();
				return _t38;
			}

0x004136f8
0x00413703
0x00413704
0x0041370b
0x0041370e
0x00413716
0x00413719
0x00413726
0x00413731
0x0041373c
0x00413748
0x00413762
0x0041374a
0x0041374a
0x0041374f
0x00413754
0x00413759
0x00413759
0x0041377d
0x00413781
0x00413786
0x00413791
0x00413797
0x00413799
0x004137a0
0x004137bc
0x004137a2
0x004137a2
0x004137a7
0x004137ac
0x004137af
0x004137b2
0x004137b7
0x004137b7
0x004137c3
0x004137c8
0x004137db
0x004137e3
0x004137eb
0x004137f0

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 0041370E
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00413726
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00413731
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 0041373C
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 00413754
__vbaObjSet.MSVBVM60(?,00000000), ref: 00413781
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001BC), ref: 004137B2
__vbaFreeObj.MSVBVM60 ref: 004137C3
__vbaFreeVar.MSVBVM60(004137F1), ref: 004137DB
__vbaFreeVar.MSVBVM60(004137F1), ref: 004137E3
__vbaFreeVar.MSVBVM60(004137F1), ref: 004137EB

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: 75a63ecd84dad776ad63fef0760b833b10c66325b7513a73847de5a9585f5103
Instruction ID: 0ff4af0d05f2f67986dacca946f49fd423f56376ab944685df8db7d7ecf581bb
Opcode Fuzzy Hash: 75a63ecd84dad776ad63fef0760b833b10c66325b7513a73847de5a9585f5103
Instruction Fuzzy Hash: E021E7B0900208AFDB14EFD2D885ADDBBB4BF48704F60846EE102B71A1DB786A45DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413459, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E00413459(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				char _v32;
				intOrPtr _v40;
				intOrPtr _v48;
				char _v56;
				intOrPtr _v64;
				char _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v100;
				signed int _v104;
				char* _t45;
				signed int _t51;
				intOrPtr _t56;
				void* _t68;
				void* _t70;
				intOrPtr _t71;

				_t71 = _t70 - 0xc;
				 *[fs:0x0] = _t71;
				L00401210();
				_v16 = _t71;
				_v12 = 0x4011d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x50,  *[fs:0x0], 0x401216, _t68);
				L004012B2();
				if( *0x414010 != 0) {
					_v100 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v100 = 0x414010;
				}
				_t56 =  *((intOrPtr*)( *_v100));
				_t45 =  &_v32;
				L004012E8();
				_v84 = _t45;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v56 =  *0x4011c8;
				_t51 =  *((intOrPtr*)( *_v84 + 0x1b4))(_v84, _t56, 0x10, 0x10, 0x10, _t45,  *((intOrPtr*)(_t56 + 0x320))( *_v100));
				asm("fclex");
				_v88 = _t51;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x1b4);
					_push(0x404e30);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v104 = _t51;
				}
				L004012E2();
				asm("wait");
				_push(0x4135ac);
				L004012FA();
				return _t51;
			}

0x0041345c
0x0041346b
0x00413475
0x0041347d
0x00413480
0x00413487
0x00413496
0x0041349f
0x004134ab
0x004134c5
0x004134ad
0x004134ad
0x004134b2
0x004134b7
0x004134bc
0x004134bc
0x004134d6
0x004134e0
0x004134e4
0x004134e9
0x004134ec
0x004134f3
0x004134fa
0x00413501
0x00413508
0x0041350f
0x00413519
0x00413523
0x00413524
0x00413525
0x00413526
0x0041352a
0x00413534
0x00413535
0x00413536
0x00413537
0x0041353b
0x00413545
0x00413546
0x00413547
0x00413548
0x00413550
0x0041355b
0x00413561
0x00413563
0x0041356a
0x00413586
0x0041356c
0x0041356c
0x00413571
0x00413576
0x00413579
0x0041357c
0x00413581
0x00413581
0x0041358d
0x00413592
0x00413593
0x004135a6
0x004135ab

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00413475
__vbaStrCopy.MSVBVM60(?,?,?,?,00401216), ref: 0041349F
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 004134B7
__vbaObjSet.MSVBVM60(?,00000000), ref: 004134E4
__vbaChkstk.MSVBVM60(?,00000000), ref: 00413519
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041352A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041353B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001B4,?,?,00000000), ref: 0041357C
__vbaFreeObj.MSVBVM60(?,?,00000000), ref: 0041358D
__vbaFreeStr.MSVBVM60(004135AC,?,?,00000000), ref: 004135A6

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckCopyHresultNew2
String ID:
API String ID: 781568913-0
Opcode ID: 3e7408b1e63fc3b6a7fcb203ab9c168155a93f700597367ab89b09dc13b467d7
Instruction ID: 56993f09a6146f522d70f20ed0e0bd6873b2c6a915e28bb85a20685e6ce886e1
Opcode Fuzzy Hash: 3e7408b1e63fc3b6a7fcb203ab9c168155a93f700597367ab89b09dc13b467d7
Instruction Fuzzy Hash: F3412770940708EBCB01DFD5C849BDEBBB6BF09704F10846AF505BB2A1C7B95945DB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413094, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00413094(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a24, void* _a52) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				void* _v56;
				char _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t42;
				signed int _t46;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L00401210();
				_v16 = _t65;
				_v12 = 0x4011a8;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x401216, _t62);
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v96 = 0x414010;
				}
				_t42 =  &_v60;
				L004012E8();
				_v80 = _t42;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t46 =  *((intOrPtr*)( *_v80 + 0x1b0))(_v80, 0x10, _t42,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x318))( *_v96));
				asm("fclex");
				_v84 = _t46;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b0);
					_push(0x404e30);
					_push(_v80);
					_push(_v84);
					L00401324();
					_v100 = _t46;
				}
				L004012E2();
				_push(0x4131b1);
				L00401312();
				L00401312();
				return _t46;
			}

0x00413097
0x004130a6
0x004130b0
0x004130b8
0x004130bb
0x004130c2
0x004130d1
0x004130da
0x004130e5
0x004130f1
0x0041310b
0x004130f3
0x004130f3
0x004130f8
0x004130fd
0x00413102
0x00413102
0x00413126
0x0041312a
0x0041312f
0x00413132
0x00413139
0x00413143
0x0041314d
0x0041314e
0x0041314f
0x00413150
0x00413159
0x0041315f
0x00413161
0x00413168
0x00413184
0x0041316a
0x0041316a
0x0041316f
0x00413174
0x00413177
0x0041317a
0x0041317f
0x0041317f
0x0041318b
0x00413190
0x004131a3
0x004131ab
0x004131b0

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004130B0
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004130DA
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004130E5
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 004130FD
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041312A
__vbaChkstk.MSVBVM60(?,00000000), ref: 00413143
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001B0), ref: 0041317A
__vbaFreeObj.MSVBVM60 ref: 0041318B
__vbaFreeVar.MSVBVM60(004131B1), ref: 004131A3
__vbaFreeVar.MSVBVM60(004131B1), ref: 004131AB

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2
String ID:
API String ID: 2096563423-0
Opcode ID: 9cba5b66758e6a351ecef87b27015f9310d81aa956a13f48cc5559bde79cc91d
Instruction ID: 6393925f315422db38283e41e71a6852668f5f57b83d7349f6c6572102df2f9b
Opcode Fuzzy Hash: 9cba5b66758e6a351ecef87b27015f9310d81aa956a13f48cc5559bde79cc91d
Instruction Fuzzy Hash: 7131F370940208AFDB10EFD1D886BCDBBB5BF48704F10446AF501BB2A1CBB95946DB48

Uniqueness

Uniqueness Score: -1.00%

Function 004135CB, Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 54%

			E004135CB(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20, void* _a60) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v36;
				void* _v60;
				char _v64;
				signed int _v72;
				intOrPtr _v80;
				intOrPtr* _v84;
				signed int _v88;
				intOrPtr* _v96;
				signed int _v100;
				char* _t36;
				signed int _t40;
				intOrPtr _t59;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t59;
				_push(0x50);
				L00401210();
				_v12 = _t59;
				_v8 = 0x4011e0;
				L004012DC();
				L004012DC();
				if( *0x414010 != 0) {
					_v96 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v96 = 0x414010;
				}
				_t36 =  &_v64;
				L004012E8();
				_v84 = _t36;
				_v72 = _v72 & 0x00000000;
				_v80 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t40 =  *((intOrPtr*)( *_v84 + 0x1b8))(_v84, 0x10, _t36,  *((intOrPtr*)( *((intOrPtr*)( *_v96)) + 0x368))( *_v96));
				asm("fclex");
				_v88 = _t40;
				if(_v88 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e30);
					_push(_v84);
					_push(_v88);
					L00401324();
					_v100 = _t40;
				}
				L004012E2();
				_push(0x4136d2);
				L00401312();
				L00401312();
				return _t40;
			}

0x004135d0
0x004135db
0x004135dc
0x004135e3
0x004135e6
0x004135ee
0x004135f1
0x004135fe
0x00413609
0x00413615
0x0041362f
0x00413617
0x00413617
0x0041361c
0x00413621
0x00413626
0x00413626
0x0041364a
0x0041364e
0x00413653
0x00413656
0x0041365a
0x00413664
0x0041366e
0x0041366f
0x00413670
0x00413671
0x0041367a
0x00413680
0x00413682
0x00413689
0x004136a5
0x0041368b
0x0041368b
0x00413690
0x00413695
0x00413698
0x0041369b
0x004136a0
0x004136a0
0x004136ac
0x004136b1
0x004136c4
0x004136cc
0x004136d1

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004135E6
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004135FE
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00413609
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 00413621
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041364E
__vbaChkstk.MSVBVM60(?,00000000), ref: 00413664
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001B8), ref: 0041369B
__vbaFreeObj.MSVBVM60 ref: 004136AC
__vbaFreeVar.MSVBVM60(004136D2), ref: 004136C4
__vbaFreeVar.MSVBVM60(004136D2), ref: 004136CC

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultNew2
String ID:
API String ID: 2096563423-0
Opcode ID: c7ca375e01b1f5bca3131abca8fe1919ac2cb7e6e25c0e6089ab80a06b345369
Instruction ID: edc1145eee214b8014d7b56ca2c869f54bb6bfa64dbe58602f9430409e9d3df4
Opcode Fuzzy Hash: c7ca375e01b1f5bca3131abca8fe1919ac2cb7e6e25c0e6089ab80a06b345369
Instruction Fuzzy Hash: 7C310570940208AFDB10EFD1C84ABDEBBB5BF48709F10446EF501BB2A4DBB96945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00413804, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00413804(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v44;
				void* _v52;
				void* _v56;
				intOrPtr* _v60;
				signed int _v64;
				intOrPtr* _v68;
				signed int _v72;
				char _v84;
				signed int _v88;
				signed int _v92;
				signed int _t51;
				signed int _t56;
				short _t57;
				void* _t65;
				void* _t67;
				intOrPtr _t68;

				_t68 = _t67 - 0xc;
				 *[fs:0x0] = _t68;
				L00401210();
				_v16 = _t68;
				_v12 = 0x401200;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x401216, _t65);
				L004012DC();
				if( *0x41446c != 0) {
					_v84 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e9c);
					L004012EE();
					_v84 = 0x41446c;
				}
				_t11 =  &_v84; // 0x41446c
				_v60 =  *((intOrPtr*)( *_t11));
				_t51 =  *((intOrPtr*)( *_v60 + 0x14))(_v60,  &_v52);
				asm("fclex");
				_v64 = _t51;
				if(_v64 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e88);
					_push(_v60);
					_push(_v64);
					L00401324();
					_v88 = _t51;
				}
				_v68 = _v52;
				_t56 =  *((intOrPtr*)( *_v68 + 0xc0))(_v68,  &_v56);
				asm("fclex");
				_v72 = _t56;
				if(_v72 >= 0) {
					_v92 = _v92 & 0x00000000;
				} else {
					_push(0xc0);
					_push(0x404eac);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v92 = _t56;
				}
				_t57 = _v56;
				_v28 = _t57;
				L004012E2();
				asm("wait");
				_push(0x41391f);
				L00401312();
				return _t57;
			}

0x00413807
0x00413816
0x00413820
0x00413828
0x0041382b
0x00413832
0x00413841
0x0041384a
0x00413856
0x00413870
0x00413858
0x00413858
0x0041385d
0x00413862
0x00413867
0x00413867
0x00413877
0x0041387c
0x0041388b
0x0041388e
0x00413890
0x00413897
0x004138b0
0x00413899
0x00413899
0x0041389b
0x004138a0
0x004138a3
0x004138a6
0x004138ab
0x004138ab
0x004138b7
0x004138c6
0x004138cc
0x004138ce
0x004138d5
0x004138f1
0x004138d7
0x004138d7
0x004138dc
0x004138e1
0x004138e4
0x004138e7
0x004138ec
0x004138ec
0x004138f5
0x004138f9
0x00413900
0x00413905
0x00413906
0x00413919
0x0041391e

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00413820
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 0041384A
__vbaNew2.MSVBVM60(00404E9C,0041446C,?,?,?,?,00401216), ref: 00413862
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E88,00000014), ref: 004138A6
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404EAC,000000C0), ref: 004138E7
__vbaFreeObj.MSVBVM60 ref: 00413900
__vbaFreeVar.MSVBVM60(0041391F), ref: 00413919

Strings

lDA, xrefs: 00413877

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2
String ID: lDA
API String ID: 304406766-725749841
Opcode ID: f6a1f7d73d8fa0ff68f3c7f2b655c3a9041088a3855d28298a4b53fcee58cecb
Instruction ID: dae44dec1251ffcd6bc07533ca4edb6323d2d02d847079bdd3fea1aaa71d710c
Opcode Fuzzy Hash: f6a1f7d73d8fa0ff68f3c7f2b655c3a9041088a3855d28298a4b53fcee58cecb
Instruction Fuzzy Hash: 4531DD74900248EFDB00EFD5D885BDDBBB4BF48715F20406AF501BB2A1D7B86A89CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412ABD, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Download Yara Rule

C-Code - Quality: 64%

			E00412ABD(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				signed int _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				intOrPtr _v68;
				char _v72;
				signed int _v76;
				signed int _v80;
				signed int _t53;
				signed int _t58;
				signed int _t59;
				void* _t67;
				void* _t69;
				intOrPtr _t70;

				_t70 = _t69 - 0xc;
				 *[fs:0x0] = _t70;
				L00401210();
				_v16 = _t70;
				_v12 = 0x401158;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401216, _t67);
				if( *0x41446c != 0) {
					_v72 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e9c);
					L004012EE();
					_v72 = 0x41446c;
				}
				_t9 =  &_v72; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t53 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v40);
				asm("fclex");
				_v48 = _t53;
				if(_v48 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e88);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v76 = _t53;
				}
				_v52 = _v40;
				_t58 =  *((intOrPtr*)( *_v52 + 0xf8))(_v52,  &_v36);
				asm("fclex");
				_v56 = _t58;
				if(_v56 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x404eac);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v80 = _t58;
				}
				_t59 = _v36;
				_v68 = _t59;
				_v36 = _v36 & 0x00000000;
				L00401306();
				L004012E2();
				_push(0x412be1);
				L004012FA();
				return _t59;
			}

0x00412ac0
0x00412acf
0x00412ad9
0x00412ae1
0x00412ae4
0x00412aeb
0x00412afa
0x00412b04
0x00412b1e
0x00412b06
0x00412b06
0x00412b0b
0x00412b10
0x00412b15
0x00412b15
0x00412b25
0x00412b2a
0x00412b39
0x00412b3c
0x00412b3e
0x00412b45
0x00412b5e
0x00412b47
0x00412b47
0x00412b49
0x00412b4e
0x00412b51
0x00412b54
0x00412b59
0x00412b59
0x00412b65
0x00412b74
0x00412b7a
0x00412b7c
0x00412b83
0x00412b9f
0x00412b85
0x00412b85
0x00412b8a
0x00412b8f
0x00412b92
0x00412b95
0x00412b9a
0x00412b9a
0x00412ba3
0x00412ba6
0x00412ba9
0x00412bb3
0x00412bbb
0x00412bc0
0x00412bdb
0x00412be0

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00412AD9
__vbaNew2.MSVBVM60(00404E9C,0041446C,?,?,?,?,00401216), ref: 00412B10
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E88,00000014), ref: 00412B54
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404EAC,000000F8), ref: 00412B95
__vbaStrMove.MSVBVM60 ref: 00412BB3
__vbaFreeObj.MSVBVM60 ref: 00412BBB
__vbaFreeStr.MSVBVM60(00412BE1), ref: 00412BDB

Strings

lDA, xrefs: 00412B25

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkMoveNew2
String ID: lDA
API String ID: 1253681662-725749841
Opcode ID: 0199ca8a97560ef358491add7ec138685f4dc77cbb85f59b0220b574bdaa47d7
Instruction ID: 09b987db48b78a5b3520b03d9eb4f869c9136a2f3ac0270d218eb28f3898485a
Opcode Fuzzy Hash: 0199ca8a97560ef358491add7ec138685f4dc77cbb85f59b0220b574bdaa47d7
Instruction Fuzzy Hash: 9B31EF70940208EFCB10EFE5C985BDDBBB4BB48305F20806AE401B72A1C7B86995DF68

Uniqueness

Uniqueness Score: -1.00%

Function 0041289A, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0041289A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v48;
				signed int _v56;
				intOrPtr _v64;
				intOrPtr* _v68;
				signed int _v72;
				intOrPtr* _v84;
				signed int _v88;
				char* _t40;
				signed int _t44;
				void* _t57;
				void* _t59;
				intOrPtr _t60;

				_t60 = _t59 - 0xc;
				 *[fs:0x0] = _t60;
				L00401210();
				_v16 = _t60;
				_v12 = 0x401138;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x40,  *[fs:0x0], 0x401216, _t57);
				L004012DC();
				if( *0x414010 != 0) {
					_v84 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v84 = 0x414010;
				}
				_t40 =  &_v48;
				L004012E8();
				_v68 = _t40;
				_v56 = _v56 & 0x00000000;
				_v64 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t44 =  *((intOrPtr*)( *_v68 + 0x1b8))(_v68, 0x10, _t40,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x344))( *_v84));
				asm("fclex");
				_v72 = _t44;
				if(_v72 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x404e30);
					_push(_v68);
					_push(_v72);
					L00401324();
					_v88 = _t44;
				}
				L004012E2();
				asm("wait");
				_push(0x4129a2);
				L00401312();
				return _t44;
			}

0x0041289d
0x004128ac
0x004128b6
0x004128be
0x004128c1
0x004128c8
0x004128d7
0x004128e0
0x004128ec
0x00412906
0x004128ee
0x004128ee
0x004128f3
0x004128f8
0x004128fd
0x004128fd
0x00412921
0x00412925
0x0041292a
0x0041292d
0x00412931
0x0041293b
0x00412945
0x00412946
0x00412947
0x00412948
0x00412951
0x00412957
0x00412959
0x00412960
0x0041297c
0x00412962
0x00412962
0x00412967
0x0041296c
0x0041296f
0x00412972
0x00412977
0x00412977
0x00412983
0x00412988
0x00412989
0x0041299c
0x004129a1

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004128B6
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 004128E0
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 004128F8
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412925
__vbaChkstk.MSVBVM60(?,00000000), ref: 0041293B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001B8), ref: 00412972
__vbaFreeObj.MSVBVM60 ref: 00412983
__vbaFreeVar.MSVBVM60(004129A2), ref: 0041299C

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$ChkstkFree$CheckHresultNew2
String ID:
API String ID: 2807847221-0
Opcode ID: 7972cf595caab53d692420fdd886d6c9f4a5190f9f8ad839fee697a96bdc36f1
Instruction ID: d013401f6bfd169e61d186d29cd3ba65ab66976879742d39b6a2e0354d1ea5cf
Opcode Fuzzy Hash: 7972cf595caab53d692420fdd886d6c9f4a5190f9f8ad839fee697a96bdc36f1
Instruction Fuzzy Hash: 13312AB0A40208EFDB10DFD5C946BDDBBB5BF48708F20846AF501BB2A1C7B96955CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00412D08, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
COMMON

Download Yara Rule

C-Code - Quality: 60%

			E00412D08(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v36;
				void* _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v52;
				signed int _v56;
				char _v68;
				signed int _v72;
				signed int _v76;
				signed int _t48;
				signed int _t53;
				short _t54;
				void* _t59;
				void* _t61;
				intOrPtr _t62;

				_t62 = _t61 - 0xc;
				 *[fs:0x0] = _t62;
				L00401210();
				_v16 = _t62;
				_v12 = 0x401178;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x34,  *[fs:0x0], 0x401216, _t59);
				if( *0x41446c != 0) {
					_v68 = 0x41446c;
				} else {
					_push(0x41446c);
					_push(0x404e9c);
					L004012EE();
					_v68 = 0x41446c;
				}
				_t9 =  &_v68; // 0x41446c
				_v44 =  *((intOrPtr*)( *_t9));
				_t48 =  *((intOrPtr*)( *_v44 + 0x14))(_v44,  &_v36);
				asm("fclex");
				_v48 = _t48;
				if(_v48 >= 0) {
					_v72 = _v72 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x404e88);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v72 = _t48;
				}
				_v52 = _v36;
				_t53 =  *((intOrPtr*)( *_v52 + 0x68))(_v52,  &_v40);
				asm("fclex");
				_v56 = _t53;
				if(_v56 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x68);
					_push(0x404eac);
					_push(_v52);
					_push(_v56);
					L00401324();
					_v76 = _t53;
				}
				_t54 = _v40;
				_v28 = _t54;
				L004012E2();
				asm("wait");
				_push(0x412e0a);
				return _t54;
			}

0x00412d0b
0x00412d1a
0x00412d24
0x00412d2c
0x00412d2f
0x00412d36
0x00412d45
0x00412d4f
0x00412d69
0x00412d51
0x00412d51
0x00412d56
0x00412d5b
0x00412d60
0x00412d60
0x00412d70
0x00412d75
0x00412d84
0x00412d87
0x00412d89
0x00412d90
0x00412da9
0x00412d92
0x00412d92
0x00412d94
0x00412d99
0x00412d9c
0x00412d9f
0x00412da4
0x00412da4
0x00412db0
0x00412dbf
0x00412dc2
0x00412dc4
0x00412dcb
0x00412de4
0x00412dcd
0x00412dcd
0x00412dcf
0x00412dd4
0x00412dd7
0x00412dda
0x00412ddf
0x00412ddf
0x00412de8
0x00412dec
0x00412df3
0x00412df8
0x00412df9
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00412D24
__vbaNew2.MSVBVM60(00404E9C,0041446C,?,?,?,?,00401216), ref: 00412D5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E88,00000014), ref: 00412D9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404EAC,00000068), ref: 00412DDA
__vbaFreeObj.MSVBVM60 ref: 00412DF3

Strings

lDA, xrefs: 00412D70

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFreeNew2
String ID: lDA
API String ID: 1616694062-725749841
Opcode ID: 2bc39343d31a20d173fbf0f2c4e2690cd0e4727bc289ede3c8bfd349ba3bb6f3
Instruction ID: 9ff0b0cffe633e0e134990c85f6df8b9db1536ff43676c848bd9a3082274f76b
Opcode Fuzzy Hash: 2bc39343d31a20d173fbf0f2c4e2690cd0e4727bc289ede3c8bfd349ba3bb6f3
Instruction Fuzzy Hash: 5031EF74900208EFCB10EFD4D985BCDBBB4BF48704F20406AE501B62A0C3B85995CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 00412E31, Relevance: 10.6, APIs: 7, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 69%

			E00412E31(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12, signed int* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t38;
				signed int _t41;
				void* _t52;
				void* _t54;
				intOrPtr _t55;

				_t55 = _t54 - 0xc;
				 *[fs:0x0] = _t55;
				L00401210();
				_v16 = _t55;
				_v12 = 0x401188;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x3c,  *[fs:0x0], 0x401216, _t52);
				L004012DC();
				 *_a32 =  *_a32 & 0x00000000;
				if( *0x414010 != 0) {
					_v80 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v80 = 0x414010;
				}
				_t38 =  &_v60;
				L004012E8();
				_v64 = _t38;
				_t41 =  *((intOrPtr*)( *_v64 + 0x1ac))(_v64, _t38,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x334))( *_v80));
				asm("fclex");
				_v68 = _t41;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e30);
					_push(_v64);
					_push(_v68);
					L00401324();
					_v84 = _t41;
				}
				L004012E2();
				_push(0x412f34);
				L00401312();
				return _t41;
			}

0x00412e34
0x00412e43
0x00412e4d
0x00412e55
0x00412e58
0x00412e5f
0x00412e6e
0x00412e77
0x00412e7f
0x00412e89
0x00412ea3
0x00412e8b
0x00412e8b
0x00412e90
0x00412e95
0x00412e9a
0x00412e9a
0x00412ebe
0x00412ec2
0x00412ec7
0x00412ed2
0x00412ed8
0x00412eda
0x00412ee1
0x00412efd
0x00412ee3
0x00412ee3
0x00412ee8
0x00412eed
0x00412ef0
0x00412ef3
0x00412ef8
0x00412ef8
0x00412f04
0x00412f09
0x00412f2e
0x00412f33

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00412E4D
__vbaVarDup.MSVBVM60(?,?,?,?,00401216), ref: 00412E77
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 00412E95
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412EC2
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001AC), ref: 00412EF3
__vbaFreeObj.MSVBVM60 ref: 00412F04
__vbaFreeVar.MSVBVM60(00412F34), ref: 00412F2E

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresultNew2
String ID:
API String ID: 1725699769-0
Opcode ID: a8d0a85446f0b969d4d663d806da339de5e1948ea44c991430fb138a3c471b46
Instruction ID: 5b6c911e47e64d8488816191aac6f30c4692df38aed2c2808798ade8eb92b8df
Opcode Fuzzy Hash: a8d0a85446f0b969d4d663d806da339de5e1948ea44c991430fb138a3c471b46
Instruction Fuzzy Hash: 78210470A00208EFCB10EF91D985BDDBBB4BF49704F10846AF505BB2A0C7B95952DB59

Uniqueness

Uniqueness Score: -1.00%

Function 004129C9, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E004129C9(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				signed int _v32;
				intOrPtr _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t30;
				signed int _t34;
				intOrPtr _t47;

				_push(0x401216);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t47;
				_push(0x28);
				L00401210();
				_v12 = _t47;
				_v8 = 0x401148;
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v56 = 0x414010;
				}
				_t30 =  &_v24;
				L004012E8();
				_v44 = _t30;
				_v32 = _v32 & 0x00000000;
				_v40 = 2;
				L00401210();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t34 =  *((intOrPtr*)( *_v44 + 0x1d4))(_v44, 0x10, _t30,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x308))( *_v56));
				asm("fclex");
				_v48 = _t34;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1d4);
					_push(0x404e58);
					_push(_v44);
					_push(_v48);
					L00401324();
					_v60 = _t34;
				}
				L004012E2();
				_push(0x412aaa);
				return _t34;
			}

0x004129ce
0x004129d9
0x004129da
0x004129e1
0x004129e4
0x004129ec
0x004129ef
0x004129fd
0x00412a17
0x004129ff
0x004129ff
0x00412a04
0x00412a09
0x00412a0e
0x00412a0e
0x00412a32
0x00412a36
0x00412a3b
0x00412a3e
0x00412a42
0x00412a4c
0x00412a56
0x00412a57
0x00412a58
0x00412a59
0x00412a62
0x00412a68
0x00412a6a
0x00412a71
0x00412a8d
0x00412a73
0x00412a73
0x00412a78
0x00412a7d
0x00412a80
0x00412a83
0x00412a88
0x00412a88
0x00412a94
0x00412a99
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004129E4
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 00412A09
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412A36
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412A4C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E58,000001D4,?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412A83
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00401216), ref: 00412A94

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckFreeHresultNew2
String ID:
API String ID: 3189907775-0
Opcode ID: 119db81662ad51a903eac4d7078f7aaf86fe1c3b944eb8f1d389cee69dc1f4fc
Instruction ID: 077ebac526e40e2273692f7af86cc68e2b601592ad799dfb4fb931225c20b211
Opcode Fuzzy Hash: 119db81662ad51a903eac4d7078f7aaf86fe1c3b944eb8f1d389cee69dc1f4fc
Instruction Fuzzy Hash: D5216D71940208EFCB10DFD1D989BDDBBB9EF08714F20446AF101BB2A0C7B95980CB68

Uniqueness

Uniqueness Score: -1.00%

Function 00412C08, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E00412C08(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401168;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1ac))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x374))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1ac);
					_push(0x404e30);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412ce1);
				return _t36;
			}

0x00412c0b
0x00412c1a
0x00412c24
0x00412c2c
0x00412c2f
0x00412c36
0x00412c45
0x00412c4f
0x00412c69
0x00412c51
0x00412c51
0x00412c56
0x00412c5b
0x00412c60
0x00412c60
0x00412c84
0x00412c88
0x00412c8d
0x00412c98
0x00412c9e
0x00412ca0
0x00412ca7
0x00412cc3
0x00412ca9
0x00412ca9
0x00412cae
0x00412cb3
0x00412cb6
0x00412cb9
0x00412cbe
0x00412cbe
0x00412cca
0x00412ccf
0x00412cd0
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 00412C24
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 00412C5B
__vbaObjSet.MSVBVM60(?,00000000), ref: 00412C88
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001AC), ref: 00412CB9
__vbaFreeObj.MSVBVM60 ref: 00412CCA

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: ca981ead0bc32d5aa52d39a3c78ff4ffeb7d2c47a5aa5838b93c6827cec4e64f
Instruction ID: 304f8978c5867555b2af459e5026bdbfab06a90bdd4c2b14591aa95e76135884
Opcode Fuzzy Hash: ca981ead0bc32d5aa52d39a3c78ff4ffeb7d2c47a5aa5838b93c6827cec4e64f
Instruction Fuzzy Hash: B9210970A41208EFCB00DF95D989BDDBBF5BB49704F20446AF101BB2A0D7B95990DBA9

Uniqueness

Uniqueness Score: -1.00%

Function 0041279A, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0041279A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v36;
				intOrPtr* _v40;
				signed int _v44;
				intOrPtr* _v56;
				signed int _v60;
				char* _t33;
				signed int _t36;
				void* _t44;
				void* _t46;
				intOrPtr _t47;

				_t47 = _t46 - 0xc;
				 *[fs:0x0] = _t47;
				L00401210();
				_v16 = _t47;
				_v12 = 0x401128;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x24,  *[fs:0x0], 0x401216, _t44);
				if( *0x414010 != 0) {
					_v56 = 0x414010;
				} else {
					_push(0x414010);
					_push(0x4050bc);
					L004012EE();
					_v56 = 0x414010;
				}
				_t33 =  &_v36;
				L004012E8();
				_v40 = _t33;
				_t36 =  *((intOrPtr*)( *_v40 + 0x1bc))(_v40, _t33,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x344))( *_v56));
				asm("fclex");
				_v44 = _t36;
				if(_v44 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x1bc);
					_push(0x404e30);
					_push(_v40);
					_push(_v44);
					L00401324();
					_v60 = _t36;
				}
				L004012E2();
				asm("wait");
				_push(0x412873);
				return _t36;
			}

0x0041279d
0x004127ac
0x004127b6
0x004127be
0x004127c1
0x004127c8
0x004127d7
0x004127e1
0x004127fb
0x004127e3
0x004127e3
0x004127e8
0x004127ed
0x004127f2
0x004127f2
0x00412816
0x0041281a
0x0041281f
0x0041282a
0x00412830
0x00412832
0x00412839
0x00412855
0x0041283b
0x0041283b
0x00412840
0x00412845
0x00412848
0x0041284b
0x00412850
0x00412850
0x0041285c
0x00412861
0x00412862
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401216), ref: 004127B6
__vbaNew2.MSVBVM60(004050BC,00414010,?,?,?,?,00401216), ref: 004127ED
__vbaObjSet.MSVBVM60(?,00000000), ref: 0041281A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00404E30,000001BC), ref: 0041284B
__vbaFreeObj.MSVBVM60 ref: 0041285C

Memory Dump Source

Source File: 00000005.00000002.487335101.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000005.00000002.487304300.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000005.00000002.487465228.0000000000414000.00000004.00020000.sdmp Download File
Associated: 00000005.00000002.487508299.0000000000416000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 2ba8f5a5c513f2389a3e730ebb899c8afe1ac09841286a548e9c532eba78fbcf
Instruction ID: 8423739677dfd3bb64bde9b50f3ecac9e5cb8d9d8d45833011a69a496d7c76b8
Opcode Fuzzy Hash: 2ba8f5a5c513f2389a3e730ebb899c8afe1ac09841286a548e9c532eba78fbcf
Instruction Fuzzy Hash: E521D870941208EFCB00EF95D989BDDBBF5BB49704F20446AF101BB2A1C7B99990DB69

Uniqueness

Uniqueness Score: -1.00%

Function 021945B8, Relevance: 7.5, Strings: 6, Instructions: 48COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
48, xrefs: 02192C48
S;, xrefs: 02192929
`8, xrefs: 02192C1C

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: Wd$$j@h$48$S;$`8$$
API String ID: 0-2754194239
Opcode ID: d6043144418b71926bf862274166dcc467bd7f415ddeaf993a6036eb0d9896c3
Instruction ID: 19c4895ea22047f3d48833e52ea048902cf20593f603dc668046977834bfbbba
Opcode Fuzzy Hash: d6043144418b71926bf862274166dcc467bd7f415ddeaf993a6036eb0d9896c3
Instruction Fuzzy Hash: 41F022F66CC3498ACF3C496488F17B726AA9F66110F874142CDB38B215E7608483D393

Uniqueness

Uniqueness Score: -1.00%

Function 021945BA, Relevance: 5.4, Strings: 4, Instructions: 370COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
S;, xrefs: 02192929

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: Wd$$j@h$S;$$
API String ID: 0-3355810241
Opcode ID: 8701b817b85f4ee744b3c46955bedd05e0e1e045db7528e3afa9768382da20fb
Instruction ID: 8d55ac5c1ef8eff419cccc19cfce48896f69cb87e62c2b0af52c03d8fcc9af6c
Opcode Fuzzy Hash: 8701b817b85f4ee744b3c46955bedd05e0e1e045db7528e3afa9768382da20fb
Instruction Fuzzy Hash: 30C158B1780346BEFF395E20CC51BE936A6EF52784F554029ED869B2C0D7B994C1C742

Uniqueness

Uniqueness Score: -1.00%

Function 02192643, Relevance: 5.3, Strings: 4, Instructions: 309COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
S;, xrefs: 02192929

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: Wd$$j@h$S;$$
API String ID: 0-3355810241
Opcode ID: a7234f34d256181d09e7851ac2e4b926ebf6ea59eeaa5c974f4401d92c123f21
Instruction ID: b63bcaef936495332db6dd1f39b101dd686eaae2b8d54bfe73390fbe6a20aa36
Opcode Fuzzy Hash: a7234f34d256181d09e7851ac2e4b926ebf6ea59eeaa5c974f4401d92c123f21
Instruction Fuzzy Hash: CCA114B0780346BEFF356E24CC51BE936A6EF01784F614029EE86AB2C0D7B994C5CB45

Uniqueness

Uniqueness Score: -1.00%

Function 021926C4, Relevance: 5.3, Strings: 4, Instructions: 280COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
S;, xrefs: 02192929

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: Wd$$j@h$S;$$
API String ID: 0-3355810241
Opcode ID: ea519c822dcd50e4da11f0b06300b0e828463a2bcf2b5972e02b84395ddf9f1c
Instruction ID: 43bbbfd5073dff314a1438ab493c72ac0748784b3a4b6e0e3b391bbd565c4543
Opcode Fuzzy Hash: ea519c822dcd50e4da11f0b06300b0e828463a2bcf2b5972e02b84395ddf9f1c
Instruction Fuzzy Hash: DC9114B178034ABFFF356E64CC60BE936A6EF11784F514029ED869B280DBB994C5CB41

Uniqueness

Uniqueness Score: -1.00%

Function 0219272F, Relevance: 5.3, Strings: 4, Instructions: 258COMMON

Download Yara Rule

Strings

j@h, xrefs: 02192A10
Wd$, xrefs: 021927D9
$, xrefs: 02192A56
S;, xrefs: 02192929

Memory Dump Source

Source File: 00000005.00000002.490396907.0000000002190000.00000040.00000001.sdmp, Offset: 02190000, based on PE: false

Similarity

API ID:
String ID: Wd$$j@h$S;$$
API String ID: 0-3355810241
Opcode ID: ce19052b94270cb7bf750bd777fcd11106e31093c43884d9a366e2450814cf52
Instruction ID: 69fa828211e751a6eb7dda5080c6474c1dc9ac4dac9aaceef986a72b3a89f3f9
Opcode Fuzzy Hash: ce19052b94270cb7bf750bd777fcd11106e31093c43884d9a366e2450814cf52
Instruction Fuzzy Hash: 148101B178034ABFFF356E64CC91BE936A6EF01384F554029ED869B280DBB994C5CB41

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report UAE Contract Supply.jar

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 4864 Parent PID: 3880

General

Chronological Activities

Analysis Process: conhost.exe PID: 4012 Parent PID: 4864

General

Chronological Activities

Analysis Process: java.exe PID: 6084 Parent PID: 4864

General

Chronological Activities

Analysis Process: icacls.exe PID: 6196 Parent PID: 6084

General

Chronological Activities

Analysis Process: conhost.exe PID: 6208 Parent PID: 6196

Function 00401348, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 334
COMMONCrypto

Function 00411350, Relevance: 181.5, APIs: 100, Strings: 3, Instructions: 1203
COMMON

Function 00411398, Relevance: 179.6, APIs: 99, Strings: 3, Instructions: 1142
COMMON

Function 004131D0, Relevance: 22.6, APIs: 15, Instructions: 140
COMMON

Function 00412F5D, Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 83
COMMON

Function 004136F3, Relevance: 16.6, APIs: 11, Instructions: 72
COMMON

Function 00413459, Relevance: 15.1, APIs: 10, Instructions: 103
COMMON

Function 00413094, Relevance: 15.1, APIs: 10, Instructions: 82
COMMON

Function 004135CB, Relevance: 15.1, APIs: 10, Instructions: 78
COMMON

Function 00413804, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Function 00412ABD, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 82
COMMON

Function 0041289A, Relevance: 12.1, APIs: 8, Instructions: 78
COMMON

Function 00412D08, Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 77
COMMON

Function 00412E31, Relevance: 10.6, APIs: 7, Instructions: 68
COMMON

Function 004129C9, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Function 00412C08, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON

Function 0041279A, Relevance: 7.6, APIs: 5, Instructions: 62
COMMON